# Stateful/mutable container used for Bagel (tm) related infra (mostly
# rebuilding nixpkgs a lot).
#
# System image is stored at /var/lib/machines/bagel.
{
  # systemd-nspawn unit for the container. Ephemeral = false keeps the image
  # persistent between boots, and PrivateUsers = true runs the guest in its
  # own user namespace so guest root does not map to host root.
  systemd.nspawn.bagel = {
    execConfig = {
      Boot = true;
      Ephemeral = false;
      PrivateUsers = true;
      NotifyReady = true;
      LinkJournal = "try-guest";
    };

    # Main interface is bridged onto wan-br; a second veth pair is added whose
    # host end is "vb-bagel-v4" (configured by the systemd-networkd unit
    # below) and whose guest end is "host1".
    networkConfig = {
      Bridge = "wan-br";
      VirtualEthernetExtra = "vb-bagel-v4:host1";
    };
  };

  # Drop-in for the instance unit: start with machines.target, after the
  # network is up. asDropin keeps the upstream unit file intact.
  systemd.services."systemd-nspawn@bagel" = {
    overrideStrategy = "asDropin";
    wantedBy = [ "machines.target" ];
    wants = [ "network.target" ];
    after = [ "network.target" ];
  };

  # Host side of the extra veth: 172.16.100.1/24 with NAT for the guest's v4
  # traffic. This is a second path out of the container besides the bridge.
  systemd.network.networks."20-vb-bagel-v4" = {
    matchConfig = {
      Name = "vb-bagel-v4";
    };
    networkConfig = {
      Address = [ "172.16.100.1/24" ];
      IPMasquerade = true;
    };
  };

  # Configure a local Nix builder account, since getting sandboxing and KVM
  # working inside the container will be tricky.
  #
  # The key below is what the container uses to reach the host daemon. Because
  # the account is also listed in trusted-users, the holder of this key can
  # override daemon settings (substituters, signature checks, ...), which the
  # Nix manual describes as effectively root on the host. Treat the private
  # key as a host-root credential and keep it confined to the container.
  users.users.bagel-builder = {
    isSystemUser = true;
    home = "/var/empty";
    shell = "/bin/sh";
    group = "nogroup";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
    ];
  };

  # Required so the builder account can push unsigned derivation closures to
  # the host daemon; see the note on users.users.bagel-builder for the
  # privilege this grants.
  nix.settings.trusted-users = [ "bagel-builder" ];
}