
NixOS rootfs configuration for Firecracker dev VMs #1167

Open
agentydragon wants to merge 1 commit into devel from firecracker/nix-rootfs

Conversation

@agentydragon (Owner)

Summary

NixOS configuration for the Firecracker guest rootfs (fc_dev):

  • default.nix: NixOS system config importing bazel-dev.nix module (Bazel 8, Python 3.13, GCC, Clang, JDK 21, Git, nix-ld, envfs, openssh)
  • make-rootfs.nix: ext4 image via make-ext4-fs with system profile symlink and /etc/NIXOS marker. NixOS activation creates /etc, /tmp, etc. when systemd starts.
  • Flake outputs: fc-dev-rootfs (ext4 image), fc-dev-kernel (vmlinux)

Provisioned on wyrm2 via provision-rootfs.sh (in #1165): nix build + dd to LVM thin LV.

Split from #1159.

Test plan

  • nix build .#fc-dev-rootfs produces ext4 image
  • nix build .#fc-dev-kernel produces vmlinux

https://claude.ai/code/session_01GemRyThW5cmqXS5zYN5YLn
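Added example, not part of the PR or the project's files: a minimal sketch of what a Firecracker guest module along the lines of nix/nixos/hosts/fc_dev/default.nix can look like, wiring the ext4 builder the summary describes and keeping root SSH access key-only with no baked-in key. Everything in it is an assumption (the option values, the init= boot argument, the make-ext4-fs path and its ./files staging directory); the PR's real files are not shown on this page.

```nix
# Hypothetical Firecracker guest module (added example; the PR's own
# default.nix / make-rootfs.nix are not reproduced on this page).
{ config, lib, pkgs, modulesPath, ... }:

{
  # Firecracker loads the kernel itself, so the guest needs no bootloader
  # and no initrd: the kernel is handed the NixOS stage-2 init directly
  # through boot_args, e.g. (assumed launch-side setting, not in this module)
  #   console=ttyS0 reboot=k panic=1 root=/dev/vda rw
  #   init=/nix/var/nix/profiles/system/init
  boot.loader.grub.enable = false;
  boot.initrd.enable = false;

  # The ext4 image built below is attached as the first virtio block device.
  fileSystems."/" = {
    device = "/dev/vda";
    fsType = "ext4";
  };

  # Key-only root access: nothing in the image can be used to log in until a
  # key is injected at runtime (for root that file is /root/.ssh/authorized_keys).
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  users.users.root.openssh.authorizedKeys.keys = [ ];

  # Rootfs image: the closure of the system plus the two things NixOS
  # activation needs to find on first boot, the system profile symlink and
  # the /etc/NIXOS marker. make-ext4-fs stages extra files under ./files
  # (nixpkgs convention assumed here, as used by the sd-image builder).
  system.build.ext4 = import (modulesPath + "/../lib/make-ext4-fs.nix") {
    inherit pkgs;
    storePaths = [ config.system.build.toplevel ];
    volumeLabel = "nixos";
    populateImageCommands = ''
      mkdir -p ./files/etc ./files/nix/var/nix/profiles
      touch ./files/etc/NIXOS
      ln -s ${config.system.build.toplevel} ./files/nix/var/nix/profiles/system
    '';
  };
}
```

A flake would expose this as nixosConfigurations.fc-dev.config.system.build.ext4 under packages.fc-dev-rootfs. Spelling out the two sshd settings matters more than the empty key list: NixOS leaves PasswordAuthentication on by default, so with an empty authorized_keys and password auth enabled, any root password set at runtime would become the only credential path into the guest.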

Copilot AI review requested due to automatic review settings April 3, 2026 20:50
Copilot AI (Contributor) left a comment


Pull request overview

Adds a new NixOS configuration target (fc-dev) to produce a Firecracker-compatible development VM rootfs (ext4) and a corresponding kernel build output, integrating it into the repository flake outputs.

Changes:

  • Introduces nix/nixos/hosts/fc_dev NixOS configuration for a Firecracker guest (systemd + sshd + Bazel dev tooling).
  • Adds an ext4 rootfs image builder via make-ext4-fs and exposes it as system.build.ext4.
  • Exposes new flake outputs: fc-dev-rootfs and fc-dev-kernel, plus a nixosConfigurations.fc-dev entry.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File: nix/nixos/hosts/fc_dev/make-rootfs.nix
  Adds an ext4 image build (system.build.ext4) and minimal filesystem population for NixOS activation.
File: nix/nixos/hosts/fc_dev/default.nix
  Defines the fc-dev NixOS system configuration for the Firecracker guest (networking, ssh, packages, kernel params).
File: flake.nix
  Wires fc-dev into nixosConfigurations and exposes rootfs/kernel as flake packages.

# Dev tools beyond bazel-dev.nix
environment.systemPackages = with pkgs; [
bazelisk
python313

Copilot AI Apr 3, 2026


bazel-dev.nix already adds python3 to environment.systemPackages; adding python313 here will pull two Python versions into the rootfs and can make python3 resolution ambiguous (and increases image size). Consider choosing a single Python (e.g., override python3 in bazel-dev.nix via an option/overlay, or remove one of the entries here).

Suggested change
python313

Comment on lines +70 to +74
# Placeholder key — real key injected via process_api CreateProcess or
# written to ~/.ssh/authorized_keys via WS command after boot.
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAA-placeholder-replaced-at-runtime"
];
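Review bot: "ssh-ed25519 AAAA-placeholder-replaced-at-runtime" is not a decodable key, so sshd skips the only entry declared for root; the image then carries no usable root credential, and whether root can log in at all depends on sshd's PermitRootLogin and PasswordAuthentication settings, which this region does not show. Suggest setting services.openssh.settings.PermitRootLogin = "prohibit-password" and PasswordAuthentication = false next to the key list (empty or not), so an empty authorized_keys never degrades into password-based root access, and spelling out in the comment that for root the runtime injection path is /root/.ssh/authorized_keys rather than a generic ~/.ssh.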

Copilot AI Apr 3, 2026


The placeholder authorized_keys entry is not a valid public key and will be written into the image. Even if it’s intended to be replaced at runtime, leaving an invalid key can cause confusing auth failures and log noise. Prefer leaving the list empty by default (and rely entirely on runtime injection) or using a clearly-valid test key gated behind a dev-only flag.

Suggested change
# Placeholder key — real key injected via process_api CreateProcess or
# written to ~/.ssh/authorized_keys via WS command after boot.
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAA-placeholder-replaced-at-runtime"
];
# No baked-in SSH key — real key is injected via process_api CreateProcess
# or written to ~/.ssh/authorized_keys via WS command after boot.
users.users.root.openssh.authorizedKeys.keys = [ ];

Comment thread flake.nix
Comment on lines +283 to +284
# Firecracker dev VM rootfs (ext4) and kernel (vmlinux).
# Build: nix build .#fc-dev-rootfs / nix build .#fc-dev-kernel
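Review bot: the comment promises a vmlinux, but fc-dev-kernel is wired to config.boot.kernelPackages.kernel, whose default output is a directory (the compressed bzImage plus lib/modules on x86_64); in nixpkgs the uncompressed ELF vmlinux that Firecracker boots lives in the kernel's separate dev output. If provision-rootfs.sh expects a single file, point the flake output at that artifact explicitly (for example "${kernel.dev}/vmlinux") and keep this comment in sync; otherwise document the directory layout here so the provisioning step does not copy the wrong artifact.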

Copilot AI Apr 3, 2026


fc-dev-kernel is set to config.boot.kernelPackages.kernel, which builds a kernel package output directory (containing multiple artifacts). The comment and PR description imply this output is a single vmlinux file; consider either adjusting the documentation to reflect the directory output, or exposing a flake output that points directly at the intended kernel artifact path (e.g., the vmlinux/bzImage file) to avoid ambiguity for provisioning scripts.

Suggested change
# Firecracker dev VM rootfs (ext4) and kernel (vmlinux).
# Build: nix build .#fc-dev-rootfs / nix build .#fc-dev-kernel
# Firecracker dev VM rootfs (ext4) and kernel package output directory.
# Build: nix build .#fc-dev-rootfs / nix build .#fc-dev-kernel
# Note: fc-dev-kernel is the built kernel package output, not a single vmlinux file;
# consumers should reference the desired kernel artifact path within that output.

@agentydragon agentydragon force-pushed the firecracker/nix-rootfs branch 2 times, most recently from 4cc68a5 to 4a5db76 Compare April 4, 2026 04:35
NixOS config for the Firecracker guest rootfs (fc_dev):
- bazel-dev.nix module: Bazel 8, Python 3.13, GCC, Clang, JDK 21, Git
- make-rootfs.nix: ext4 image via make-ext4-fs with system profile
  symlink and NIXOS marker (activation creates /etc, /tmp, etc.)
- openssh for interactive access
- Flake outputs: fc-dev-rootfs (ext4 image), fc-dev-kernel (vmlinux)

https://claude.ai/code/session_01GemRyThW5cmqXS5zYN5YLn
@agentydragon agentydragon force-pushed the firecracker/nix-rootfs branch from 4a5db76 to 4fed85d Compare April 6, 2026 00:20