 gram: `pool`

`pool`

Relaxing Nix process-pooling, based on microvm.nix. In progress.

Supply-side package exploits are a serious problem, causing coders to look again at local-machine process isolation, such as recommended and produced by the Qubes OS group for many years.

Here is one approach able to reproduce many of the functions of Qubes; ergonomic (by some measure), on-demand VMs, scoped to specific disc volumes or network schemas, managed using Nix flakes, running in parallel to any bare-metal operations.

Properly scoped, pool can be used to manage production processes also, and uses simple per-codebase flake.nix functions to compose a secure machine image for local or production use.

Dip in.

Using a NixOS machine as your base layer, clone this codebase to /pool.

Include pool modules in your /etc/nixos/flake.nix:

{ inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    pool = { url = "/pool"; inputs.nixpkgs.follows = "nixpkgs"; };
  };

  outputs = { microvm, pool, nixpkgs, ... }: let
    arch = "x86_64-linux";
  in {
    nixosConfigurations.local = nixpkgs.lib.nixosSystem {
      modules = [
        # machine's primary outbound internet connection.
        ((pool.outputs.current arch).channel "wlan0")
        sources.microvm.nixosModules.host
      ];
      # ... remaining local config.
    };
  };
}

Splash around.

In each code base you'd like to isolate, include (and modify) this minimal flake.nix:

{ inputs = {
    # nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    pool = { url = "/pool"; }; # inputs.nixpkgs.follows = "nixpkgs";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, pool, flake-utils }:
    flake-utils.lib.eachDefaultSystem (arch: let
      current = pool.outputs.current arch;
    in {
      packages.machine = (
      current.condense "machine" "10.0.0.2" "enp0s4" {
        users.users.root = current.role "root" {};
      }).config.microvm.declaredRunner;
  });
}

Rinse up.

sudo nix run .#machine

(network-patching requires super-user permissions)

You should see a machine spin up;
the login is root, no passcode required.
The normal shell is nushell.
Ensure DHCP assigned an IP addres, using ip a.
Close the machine, using shutdown now as a superuser.

Dry off.

Please recognize that there is a small issue in mapping network interfaces. You may need to keep an eye on the third argument to current.condense, the network interface such as "enp0s4"; this should mirror the label you see in ip a, as seen from inside the vm.

Example: `users.users`.

root only, no-pass:

{ users.users.root = role local "root" {}; }

root only, pass:

{ users.users.root = role local "root" { pass = "abcd1234"; }; }

normal user only, ssh login

{ users.users.access = role "access" { keys = [
  "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
]; }; }

Clouds on the Horizon?

Properly (reliably) map network interfaces.
Include a Nebula mesh-VPN management module.

Logged Changes:

2026-06-03

11:13:21 | a0631b0 [disc] place discs in `/root/pool/`.
2026-02-11

13:05:01 | 694a580 [readme] upgrade examples and consideracions.

10:38:06 | cce215c [upgrade] drop `flake-utils`, pass in `arch`.

10:03:35 | 26cfc67 [rearrange] clean up module params.

10:01:58 | c3cba3b [drop] erase `surreal` drop.

09:54:52 | a443d31 [condense] rearrange module forms.

09:38:25 | 654f54d [ignore] `control.socket`

09:38:16 | f1b7f0a [role] simplify call scheme.
2026-01-28

04:55:43 | 3135b19 [upgrade][rearrange] add `surreal` and make repairs.
2025-11-26

21:32:27 | c5d83e9 [drop][op] replace `rsync`, use `git clone`.
2025-11-17

23:01:02 | fedab43 [addr][share] rephrase `op` using simpler norms.

11:38:16 | 6cf186a [nix][upgrade] add `nixpkgs` dependency.

11:37:51 | 99faf31 [disc] bump `/var` disc size to 6gb.

11:36:58 | 4f19594 [drop][elixir] deploy `op` codebase locally.
2025-10-31

10:27:19 | 00011ed [permission] use mode 755.

10:26:10 | 43d1019 [arrange] add spacing around basic `a` drop.

00:01:08 | 563b5da [drop][neo4j] enable neo4j browser.
2025-10-30

23:59:59 | 86e9e0a [drop][pod] launch `dockge` as `pod`.

23:59:05 | dbb933e [basis] expand `/var`, add ideas.

23:55:57 | a9222a6 [signal] repair online access when assigning ip.
2025-10-16

03:59:07 | c12d217 [address] organize and assign a reliable neo4j address.
2025-10-13

17:39:15 | dd466f3 [README] ensure flake recipe uses `nixpkgs.follows`.

10:54:45 | cdfc1c9 [condense] add a `neo4j` drop.

00:27:08 | b57789e [README] Use `/pool` as canonical clone address.
2025-10-12

23:42:59 | f6366d4 [README] publish usage guidance.

23:13:37 | ae60753 [channel] include machine-signalling module.

22:13:19 | 4dd1048 [role] model basic roles.

21:36:43 | f6726f0 [basis] include an `access` module.

21:35:32 | 22c42b2 [basis] include a `signal` module.

21:31:49 | 1c34079 [basis] include `label` in module params.

20:25:33 | 5aa5fac [basis] place essence pkgs in a module.

20:22:10 | d5d99ae [basis] `condense` each drop using label & module.

20:05:16 | ed08aed [basis] place disc binding (`var`) in a module.

19:57:05 | becfd71 [basis] place engine in a module.

19:53:20 | cf1058f [basis] place `/nix/store` cache in a module.

16:43:10 | 1eb3a56 [run]> nix run .#drop.a

16:41:26 | eed9c82 [rename] `my-microvm` -> `a`

16:18:46 | 7e07c79 [flake-utils] run on any processor arch.

16:15:02 | 3c2f7cc [base]> nix flake init -t github:microvm-nix/microvm.nix

Operand

 gram: `pool`

`pool`

Dip in.

Splash around.

Rinse up.

Dry off.

Example: `users.users`.

Clouds on the Horizon?

Logged Changes:

2026-06-03

2026-02-11

2026-01-28

2025-11-26

2025-11-17

2025-10-31

2025-10-30

2025-10-16

2025-10-13

2025-10-12

Code Pages:

 gram: pool

pool

Dip in.

Splash around.

Rinse up.

Dry off.

Example: users.users.

Clouds on the Horizon?

Logged Changes:

2026-06-03

2026-02-11

2026-01-28

2025-11-26

2025-11-17

2025-10-31

2025-10-30

2025-10-16

2025-10-13

2025-10-12

Code Pages:

 gram: `pool`

`pool`

Example: `users.users`.