vagrant-guest.nix 2.68 KiB
    # Minimal configuration that Vagrant depends on
    
    
    { config, pkgs, lib, ... }:
    
    let
      # Helper script that seeds ~/.ssh/authorized_keys with Vagrant's
      # well-known "insecure" public key, but only when that file does not
      # exist yet. It never overwrites an existing authorized_keys.
      #
      # The key is deliberately not set through the authorizedKeys attribute
      # under users: it is a temporary bootstrap credential that should be
      # removed on first boot and replaced with a random one.
      #
      # Security notes:
      #  - Vagrant's default key pair is shared by every installation, so until
      #    the key has been replaced, anyone holding that shared private key
      #    can log in as the account this script runs for.
      #  - Nothing in this file performs the replacement; presumably it is left
      #    to Vagrant's own key insertion (config.ssh.insert_key) -- confirm
      #    that it is not disabled for boxes built from this module.
      #  - `mkdir -m 0700 -p` only applies the mode to a directory it creates;
      #    a pre-existing ~/.ssh keeps whatever permissions it already had.
      #  - The file is created by the `>>` redirection and only afterwards
      #    tightened to 0600.
      install-vagrant-ssh-key = pkgs.writeScriptBin "install-vagrant-ssh-key" ''
        #!${pkgs.runtimeShell}
        if [ ! -e ~/.ssh/authorized_keys ]; then
          mkdir -m 0700 -p ~/.ssh
          echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> ~/.ssh/authorized_keys
          chmod 0600 ~/.ssh/authorized_keys
        fi
      '';
    in
    {
      # Daemons the guest runs.
      services = {
        # OpenSSH daemon. Only `enable` is set here, so authentication
        # settings (password logins, root login) are whatever the NixOS
        # defaults are. This file also gives root and vagrant the fixed
        # password "vagrant" -- NOTE(review): check the effective sshd
        # settings before a box built from this leaves a private network.
        openssh.enable = true;

        # DBus
        dbus.enable = true;

        # timesyncd instead of ntpd
        timesyncd.enable = true;
      };

      # Tools installed system-wide for Vagrant
      environment.systemPackages = [
        pkgs.findutils
        pkgs.gnumake
        pkgs.iputils
        pkgs.jq
        pkgs.nettools
        pkgs.netcat
        pkgs.nfs-utils
        pkgs.rsync
      ];
    
      # Accounts Vagrant expects. Both passwords are the fixed, publicly known
      # value "vagrant": treat them as bootstrap credentials for disposable
      # development guests, not as secrets.
      # NOTE(review): `password` is given in clear text in this file; confirm
      # that is acceptable wherever the built configuration is stored.
      users = {
        users.root.password = "vagrant";

        # "vagrant" group with the vagrant user as its member
        groups.vagrant = {
          name    = "vagrant";
          members = [ "vagrant" ];
        };

        # "vagrant" user; membership in "wheel" is what gives it
        # password-less sudo (see the sudo settings in this file).
        users.vagrant = {
          isNormalUser    = true;
          useDefaultShell = true;
          createHome      = true;
          home            = "/home/vagrant";
          password        = "vagrant";
          group           = "vagrant";
          extraGroups     = [ "users" "wheel" ];
        };
      };
    
      # Runs the install-vagrant-ssh-key script at boot. It executes as the
      # vagrant user, so the script's ~ paths should resolve to that user's
      # home directory. The script itself does nothing when
      # ~/.ssh/authorized_keys already exists.
      systemd.services.install-vagrant-ssh-key =
        let
          fileSystems = [ "fs.target" ];
        in
        {
          description = "Vagrant SSH key install (if needed)";
          wantedBy = [ "multi-user.target" ];
          # Pull in fs.target and order this unit after it.
          wants = fileSystems;
          after = fileSystems;
          serviceConfig = {
            User = "vagrant";
            ExecStart = "${install-vagrant-ssh-key}/bin/install-vagrant-ssh-key";
            # Stay "active" after the script exits so it is not
            # (needlessly) restarted.
            RemainAfterExit = true;
          };
        };
    
      # sudo policy for the Vagrant guest.
      #
      # Security: every member of "wheel" (the vagrant user is one, per its
      # extraGroups in this file) can run any command as any user without a
      # password and may set environment variables for it (SETENV). Together
      # with the fixed "vagrant" password and the shared bootstrap SSH key,
      # access to the vagrant account amounts to root on the guest. That is
      # the usual Vagrant contract; keep such guests off untrusted networks.
      security.sudo = {
        wheelNeedsPassword = false;

        # The Defaults lines keep LOCALE_ARCHIVE, NIX_PATH and TERMINFO_DIRS
        # across sudo for root and wheel, keep SSH_AUTH_SOCK for everyone, and
        # turn the sudo lecture off. The last two lines are the rules for
        # root and for wheel.
        extraConfig = ''
          Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
          Defaults:root,%wheel env_keep+=NIX_PATH
          Defaults:root,%wheel env_keep+=TERMINFO_DIRS
          Defaults env_keep+=SSH_AUTH_SOCK
          Defaults lecture = never
          root   ALL=(ALL) SETENV: ALL
          %wheel ALL=(ALL) NOPASSWD: ALL, SETENV: ALL
        '';
      };
    }