diff --git a/flake.nix b/flake.nix
index c159ed7..3238412 100644
--- a/flake.nix
+++ b/flake.nix
@@ -214,6 +214,14 @@
 ];
 };
 
+ # Agent sandbox VM for Tart (aarch64-linux on Apple Silicon)
+ nixosConfigurations.tart-agent-sandbox = nixpkgs.lib.nixosSystem rec {
+ system = "aarch64-linux";
+ modules = nixosModules ++ [
+ ./machines/tart-agent-sandbox/configuration.nix
+ ];
+ };
+
 # Darwin/macOS configurations
 darwinConfigurations."blkfv4yf49kt7" = inputs.nix-darwin.lib.darwinSystem rec {
 system = "aarch64-darwin";
diff --git a/machines/tart-agent-sandbox/configuration.nix b/machines/tart-agent-sandbox/configuration.nix
new file mode 100644
index 0000000..04ab5dd
--- /dev/null
+++ b/machines/tart-agent-sandbox/configuration.nix
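Review bot: The sandbox is composed from the full shared `nixosModules` list on the `modules = nixosModules ++ [ ... ]` line, so whatever those modules carry for the other hosts in this flake (users and their keys, secret or credential paths, trusted caches, network settings) is also built into a VM whose own configuration hands root to an LLM agent; `nixosModules` is defined outside this hunk, so confirm it holds nothing host-only, or assemble the sandbox from a narrower module set. The `rec` on the attribute set is not needed because `modules` never refers to `system`, but it mirrors the `darwinConfigurations` entry just below, so keeping it is a defensible style choice. A one-line comment making the dependency visible would help the next reader, e.g. `# Inherits the shared nixosModules list; keep host-only material (keys, secrets) out of the sandbox`.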
@@ -0,0 +1,98 @@
+# Agent sandbox VM configuration for Tart
+# Designed for LLM agents with full sudo access in an isolated environment
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ # Bootloader
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "tart-agent-sandbox";
+
+ # SSH access from host
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "yes";
+ PasswordAuthentication = true;
+ };
+ };
+
+ # Agent user - full sudo, no password required
+ users.users.agent = {
+ isNormalUser = true;
+ description = "Agent sandbox user";
+ extraGroups = [ "wheel" "docker" ];
+ initialPassword = "agent";
+ openssh.authorizedKeys.keys = [
+ # Add your SSH public key here for passwordless access
+ # "ssh-ed25519 AAAA... your-key"
+ ];
+ };
+
+ # Passwordless sudo for wheel group
+ security.sudo.wheelNeedsPassword = false;
+
+ # Dev tools for agents
+ environment.systemPackages = with pkgs; [
+ # Core
+ git
+ curl
+ wget
+ vim
+ htop
+ tmux
+
+ # Build tools
+ gnumake
+ gcc
+ binutils
+
+ # Languages (add what your agents need)
+ python3
+ nodejs
+
+ # Utilities
+ jq
+ ripgrep
+ fd
+ tree
+ unzip
+ zip
+
+ # Networking
+ openssh
+ rsync
+ ];
+
+ # Docker for containerized workloads
+ virtualisation.docker.enable = true;
+
+ # Increase file descriptor limits for large operations
+ security.pam.loginLimits = [
+ { domain = "*"; type = "soft"; item = "nofile"; value = "65536"; }
+ { domain = "*"; type = "hard"; item = "nofile"; value = "65536"; }
+ ];
+
+ # Git config for large repos
+ programs.git = {
+ enable = true;
+ config = {
+ core.compression = 0;
+ http.postBuffer = 524288000; # 500MB
+ pack.windowMemory = "100m";
+ };
+ };
+
+ # Nix settings
+ nix.settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ auto-optimise-store = true;
+ };
+
+ system.stateVersion = "25.11";
+}
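Review bot: As committed the VM is reachable with a known password and hands root to whoever logs in: `PasswordAuthentication = true` in `services.openssh.settings`, `initialPassword = "agent"` on the user, and `security.sudo.wheelNeedsPassword = false` combine so that anything on the guest's network that can reach port 22 obtains passwordless root, while the `openssh.authorizedKeys.keys` list that would allow key-only access is still an empty placeholder. Unless Tart's network mode is known to keep the guest reachable only from the host, prefer key-only access, `PermitRootLogin = "no";`, `PasswordAuthentication = false;`, `KbdInteractiveAuthentication = false;` under `settings`, and supply the operator's key via `openssh.authorizedKeys.keys` (or `openssh.authorizedKeys.keyFiles`) before switching, since with an empty key list that change would lock SSH out. `PermitRootLogin = "yes"` also appears unnecessary: nothing in this file sets a root password and the `agent` user already has passwordless sudo, so `"no"` loses nothing. The header comment calls the environment isolated, but nothing in this file constrains the guest's egress; that isolation comes entirely from how Tart attaches the VM to the network, which the comment should say so the assumption is not lost.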
diff --git a/machines/tart-agent-sandbox/hardware-configuration.nix b/machines/tart-agent-sandbox/hardware-configuration.nix
new file mode 100644
index 0000000..7df5629
--- /dev/null
+++ b/machines/tart-agent-sandbox/hardware-configuration.nix
@@ -0,0 +1,30 @@
+# Hardware configuration for Tart VM (Apple Virtualization.framework)
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # Root filesystem (will be /dev/vda1 after partitioning)
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ };
+
+ # EFI boot partition
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
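Review bot: The comment `# Root filesystem (will be /dev/vda1 after partitioning)` describes a device node the configuration never uses: both mounts resolve by label (`/dev/disk/by-label/nixos` and `/dev/disk/by-label/boot`), so the install step must label the partitions exactly `nixos` and `boot` or the guest will fail to mount its root, and that requirement is what the comments should state, e.g. `# Root filesystem; the installer must label the ext4 partition "nixos"` and `# EFI system partition; must be FAT and labelled "boot"`. Neither label is referenced anywhere else in this diff, so whatever image-build or partitioning script applies them lives outside this change and is worth pointing to from the header comment. The `fmask=0077`/`dmask=0077` options on `/boot` are a good touch, since they keep the kernel and initrd images on the ESP from being world-readable.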