.png)
1 day ago
2
Virby is a module for nix-darwin that configures a lightweight linux VM as a remote build machine for nix, allowing linux packages to be built on macOS. This project is modeled after nix-rosetta-builder, which provides a similar service, using lima to manage the VM. Some parts of the code in this repository are directly borrowed and adapted from that project, such as the SSH key generation logic.
- On-Demand Activation: Optional socket activation for starting the VM only when needed
- Rosetta Support: Build x86_64-linux packages on Apple Silicon using Rosetta translation
- Secure by Default: VM is exposed only on the loopback interface (i.e. 127.0.0.1) and only accessible via key-based authentication
- Configurable Resources: Configurable VM parameters and arbitrary NixOS modules
Virby consists of three main components:
- nix-darwin Module (modules/virby) - Provides system integration and configuration
- VM Image (pkgs/vm-image) - A minimal NixOS image, configured for use as a remote builder.
- VM Runner (pkgs/vm-runner) - Python package that wraps vfkit and manages the VM lifecycle and SSH proxying.
Add Virby to your flake inputs:
Enable on-demand VM activation with automatic SSH port forwarding:
When onDemand.enable is true, Virby implements socket activation with TCP port forwarding:
- On-demand VM Startup: The VM starts only when an SSH connection is received on the configured host port (31222 by default)
- TCP Proxy: All traffic is transparently forwarded between the host port and the VM's SSH service
- Resource Efficiency: VM consumes no resources when not in use
- Automatic VM Shutdown: VM shuts down after the specified idle timeout (onDemand.ttl)
Note
This option is only available on aarch64-darwin systems.
Enable x86_64-linux builds using Rosetta:
Note
This option allows you to specify additional arbitrary NixOS module configuration. Any changes to this option's value will cause the VM's disk image and SSH keys to be recreated.
| enable | bool | false | Enable the Virby service |
| cores | int | 8 | Number of CPU cores |
| memory | int | string | 6144 | Memory in MiB or string like "6GiB" |
| diskSize | string | "100GiB" | VM disk size |
| port | int | 31222 | SSH port for VM access |
| speedFactor | int | 1 | Build speed factor for Nix |
| allowUserSsh | bool | false | Allow SSH access to the VM for non-root users on the host system. (for debugging only, insecure) |
| debug | bool | false | Enable VM serial and daemon output logging. (for debugging only, insecure) |
| onDemand.enable | bool | false | Enable on-demand VM activation |
| onDemand.ttl | int | 180 | VM idle timeout in minutes |
| rosetta.enable | bool | false | Enable Rosetta support (aarch64-darwin only) |
| extraConfig | attrs | {} | Additional NixOS configuration for VM |
- Image Creation: Nix builds a minimal raw-efi NixOS disk image
- Key Generation: SSH keys are automatically generated and copied to the VM on first boot
- VM Startup: The Launchd daemon starts the VM (either at load or on-demand)
- IP Discovery: VM's IP address is discovered via DHCP lease parsing
- Port Forwarding: In on-demand mode, launchd socket activation triggers VM startup and TCP proxy
- Build Integration: The Nix-darwin module configures the VM as a build machine, routing Linux builds to the VM
- Lifecycle Management: VM can be kept running or managed on-demand with automatic shutdown after a period of inactivity
Virby is designed with security in mind:
- VM is only accessible from the host via the loopback interface (i.e. 127.0.0.1)
- SSH uses ED25519 key-based authentication
- VM user has minimal privileges for building only
- Host keys are protected using virtiofs mount/unmount on first boot
- VM is isolated from the host filesystem
MIT License - see LICENSE file for details.
- Heavily inspired by nix-rosetta-builder.
- Uses vfkit for native macOS virtualization
