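# Agent sandbox VM configuration for Tart
# Designed for LLM agents with full sudo access in an isolated environment
#
# Trust model as configured here: the "agent" account is root-equivalent
# (passwordless sudo, docker group membership), so everything running inside
# the VM must be treated as fully privileged. The isolation boundary is the VM
# itself; keep the guest's SSH port reachable only from the host.
{ config, pkgs, lib, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  # Bootloader
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "tart-agent-sandbox";

  # Enable sway desktop
  roles.desktop = {
    enable = true;
    wayland = true;
  };

  # Auto-login to sway (no display manager)
  services.greetd = {
    enable = true;
    settings = {
      default_session = {
        command = "${pkgs.sway}/bin/sway";
        user = "agent";
      };
    };
  };

  # SSH access from host
  services.openssh = {
    enable = true;
    settings = {
      # Root has neither a password nor authorized keys defined in this file,
      # so there is no intended root login path. Keep root login closed rather
      # than leaving a second privileged entry point that becomes live the
      # moment someone sets a root password; use `ssh agent@<vm>` plus the
      # passwordless sudo below instead.
      PermitRootLogin = "no";
      # Deliberately on for convenience: the well-known initialPassword below
      # is the only credential until an authorized key is added to
      # users.users.agent. Switch this to false once a key is in place.
      PasswordAuthentication = true;
    };
  };

  # Agent user - full sudo, no password required
  users.users.agent = {
    isNormalUser = true;
    description = "Agent sandbox user";
    # "wheel" grants passwordless sudo (see security.sudo below); "docker"
    # is root-equivalent on its own via the docker socket.
    extraGroups = [ "wheel" "docker" "video" "input" ];
    # initialPassword is applied only when the account is first created;
    # it is a known value, so rely on the VM boundary (not this password)
    # for protection.
    initialPassword = "agent";
    openssh.authorizedKeys.keys = [
      # Add your SSH public key here for passwordless access
      # "ssh-ed25519 AAAA... your-key"
    ];
  };

  # Passwordless sudo for wheel group
  security.sudo.wheelNeedsPassword = false;

  # Dev tools for agents
  environment.systemPackages = with pkgs; [
    # Core
    git
    curl
    wget
    vim
    htop
    tmux

    # Build tools
    gnumake
    gcc
    binutils

    # Languages (add what your agents need)
    python3
    nodejs

    # Utilities
    jq
    ripgrep
    fd
    tree
    unzip
    zip

    # Networking
    openssh
    rsync
  ];

  # Docker for containerized workloads
  virtualisation.docker.enable = true;

  # Increase file descriptor limits for large operations
  security.pam.loginLimits = [
    { domain = "*"; type = "soft"; item = "nofile"; value = "65536"; }
    { domain = "*"; type = "hard"; item = "nofile"; value = "65536"; }
  ];

  # Git config for large repos
  programs.git = {
    enable = true;
    config = {
      core.compression = 0;
      http.postBuffer = 524288000; # 500MB
      pack.windowMemory = "100m";
    };
  };

  # Nix settings
  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    auto-optimise-store = true;
  };

  system.stateVersion = "25.11";
}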