NixOS Pentest VM Generator
86a522e6 — poptart 8 months ago
Added ZFS template from proof-of-concept for reference
1f2100a8 — poptart 11 months ago
Added external ready generator


browse  log 



You can also use your local clone with git send-email.

#NixOS Testing VM

Managing environments, per-client isolation, and retention can be hard in the pentesting world and historically has been a pretty manual or scripted process that is prone to error. This project attempts to create reproducible virtual machine environments for testing, but also generating a single-use set of home directories belonging to each engagement. This creates a single encrypted location where specific client data could resign and allows for much easier management of environments and maintanence of client retention.

Additionally, the tooling provides integration into libvirt to automatically create a test environment and even fully maintain the domains.


  • Generates a seperate disk image for the testing user for easy deletion of client data
    • nixos.qcow2 - The OS disk image containing all the tooling needed for testing
    • user.qcow2 - User home directory utilizing disk encryption
    • keydrive.qcow2 - Key drive file. Thin wrapper that contains the decryption data for the user drive.
  • Has a majority of the important kali packages
  • Replaces a couple of crusty packages with their replacements:
    • responder -> pretender
    • ecryptfs -> gocryptfs
  • Profile driven, allowing customization by creating a new profile and importing it. An example one is provided with a complex configuration in profiles/hosaka.nix.


  • Interchange-able user disks to allow for swapping between different OS image builds quickly
  • Move from generative to declarative and then allow generative by import
  • Support other rootfs (ie zfs)
  • Allow for FDE on the rootfs if necessary
  • Better dynamic snapshots focusing only on user data
  • Automatic retention enforcement
  • Generate automatically based on scoping profiles, including creating on host autocompletion
  • Support for non-QEMU based hypervisors
  • TPM support


Currently this is just a beta project and is proven to successfully build quick images when I need them for a test:


# edit variables in genimg
$ ./genimg "$PASSWORD"
$ export ID=62VFY65RNHPZ6
$ virt-install --name nixos-${ID} --memory 10240 --vcpus=2 --disk path=./${ID}/nixos.qcow2,format=qcow2,boot.order=1  --disk path=./${ID}/user.qcow2,format=qcow2  --disk path=./${ID}/keydrive.qcow2,format=qcow2 --os-type=nixos-unstable --video virtio --print-xml | virsh define /dev/stdin
Domain 'nixos-62VFY65RNHPZ6' defined from /dev/stdin

#How it works

The main components generated by the tooling is:

  • machines - Entire virtual machines created from NixOS to create reproducible environments. Theoretically you could hand a client or other tester your build and yourtests are reproducible without fuss.
  • homes - An encrypted volume that is generated and represents an dataset to be used for an engagement or set of engagements.
  • keydrive- A very thin disk image that contains the decryption information for a home environment.

The way this is structured allows interchangable host OS environments for whatever the needs are. It also allows for whole VM upgrades without changing the home environment. Just swap in and out keydrives and machines.

Additionally, this creates a interesting profile based structure that allows for more deep customization per-test need. Sometimes you don't need cross compiling, sometimes you do need wireless tools, sometimes you just miss your old desktop environment. All just knobs.


  • libvirtd - Optional

#Dev Notes

virt-install --name nixos-3AP5YK3PPKQVI --memory 10240 --vcpus=2 --disk path=./3AP5YK3PPKQVI/nixos.qcow2,format=qcow2,boot.order=1 --disk path=./3AP5YK3PPKQVI/user.qcow2,format=qcow2 -v --os-type=nixos-unstable --boot hd