commit 288ea09e91594ec9c5504156b4aea116fef6244d Author: illustris Date: Sun Mar 1 13:05:07 2026 +0530 init diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a89285e --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.img diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..026e255 --- /dev/null +++ b/flake.lock @@ -0,0 +1,186 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "microvm": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1772338235, + "narHash": "sha256-9XcwtSIL/c+pkC3SBNuxCJuSktFOBV1TLvvkhekyB8I=", + "owner": "microvm-nix", + "repo": "microvm.nix", + "rev": "9d1ff9b53532908a5eba7707931c9093508b6b92", + "type": "github" + }, + "original": { + "owner": "microvm-nix", + "repo": "microvm.nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1770107345, + "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "4533d9293756b63904b7238acb84ac8fe4c8c2c4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1771724586, + "narHash": "sha256-The//BXCIdGDkYK23LZOZKDt7xGrUogp8jxbyIlX6Bg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b01ac67ad9de0d487c707657640ef3a0bfab2b90", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "nullclaw": { + "inputs": { + "treefmt-nix": "treefmt-nix", + "zig2nix": "zig2nix" + }, + "locked": { + "lastModified": 1772328825, + "narHash": "sha256-xAez0hPWyChoOTTjOt/OHCJsmqEa+DdS4+0g/drjV2Q=", + "owner": "nullclaw", + "repo": "nullclaw", + "rev": "9a64fd94c65ee409a1c523653463ef43e1961aac", + "type": "github" + }, + "original": { + "owner": "nullclaw", + "repo": "nullclaw", + "type": "github" + } + }, + "root": { + "inputs": { + "microvm": "microvm", + "nixpkgs": "nixpkgs", + "nullclaw": "nullclaw" + } + }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1759482047, + "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", + "ref": "refs/heads/main", + "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", + "revCount": 996, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1770228511, + "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "zig2nix": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1771727470, + "narHash": "sha256-R+FuYNEJE8G4aaN8lsS+llSuvST2F2nsWdJX28MDDLw=", + "owner": "Cloudef", + "repo": "zig2nix", + "rev": "e37fbb9bfa82c7f284bf59191db44d6deea7782a", + "type": "github" + }, + "original": { + "owner": "Cloudef", + "repo": "zig2nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..15d6e1b --- /dev/null +++ b/flake.nix @@ -0,0 +1,152 @@ +{ + description = "Sandboxed MicroVMs"; + + nixConfig = { + extra-substituters = [ "https://microvm.cachix.org" ]; + extra-trusted-public-keys = [ "microvm.cachix.org-1:oXnBc6hRE3eX5rSYdRyMYXnfzcCxC7yKPTbZXALsqys=" ]; + }; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + microvm = { + url = "github:microvm-nix/microvm.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nullclaw.url = "github:nullclaw/nullclaw"; + }; + + outputs = { self, nixpkgs, microvm, nullclaw }: let + system = "x86_64-linux"; + in { + packages.${system} = { + cc-sandbox = self.nixosConfigurations.claude-code.config.microvm.declaredRunner; + nullclaw = self.nixosConfigurations.nullclaw.config.microvm.declaredRunner; + }; + + nixosConfigurations.claude-code = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + microvm.nixosModules.microvm + ({ pkgs, ... }: { + nixpkgs.config.allowUnfree = true; + + networking.hostName = "claude-code"; + users.users.root.password = ""; + services.getty.autologinUser = "root"; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + environment.systemPackages = with pkgs; [ + claude-code-bin + git + curl + vim + ]; + + microvm = { + hypervisor = "qemu"; + vcpu = 4; + mem = 4096; + socket = "claude-code.socket"; + + writableStoreOverlay = "/nix/.rw-store"; + + interfaces = [{ + type = "user"; + id = "usernet"; + mac = "02:00:00:00:00:01"; + }]; + + shares = [ + { + proto = "9p"; + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + { + proto = "9p"; + tag = "claude-config"; + source = "/home/illustris/.claude"; + mountPoint = "/var/lib/claude-lower"; + readOnly = true; + } + ]; + + volumes = [{ + image = "claude-code-data.img"; + mountPoint = "/var/lib/claude-code"; + size = 1024; + label = "claude-code-data"; + }]; + }; + + # tmpfs backing for the writable nix store overlay + fileSystems."/nix/.rw-store" = { + fsType = "tmpfs"; + options = [ "size=2G" "mode=0755" ]; + neededForBoot = true; + }; + + # Claude config: persistent overlay on top of host's ~/.claude + fileSystems."/root/.claude" = { + overlay = { + lowerdir = [ "/var/lib/claude-lower" ]; + upperdir = "/var/lib/claude-code/claude-upper"; + workdir = "/var/lib/claude-code/claude-work"; + }; + }; + + system.stateVersion = "24.11"; + }) + ]; + }; + + nixosConfigurations.nullclaw = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + microvm.nixosModules.microvm + ({ pkgs, ... }: { + networking.hostName = "nullclaw"; + users.users.root.password = ""; + services.getty.autologinUser = "root"; + + environment.systemPackages = [ + nullclaw.packages.${system}.default + pkgs.curl + pkgs.vim + ]; + + microvm = { + hypervisor = "qemu"; + vcpu = 2; + mem = 2048; + socket = "nullclaw.socket"; + + interfaces = [{ + type = "user"; + id = "usernet"; + mac = "02:00:00:00:00:02"; + }]; + + shares = [{ + proto = "9p"; + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + }]; + + volumes = [{ + image = "nullclaw-data.img"; + mountPoint = "/var/lib/nullclaw"; + size = 512; + label = "nullclaw-data"; + }]; + }; + + system.stateVersion = "24.11"; + }) + ]; + }; + }; +}