Opt-in host dotfiles snapshot sync. (#1)

Author: eshlox

README.md

@@ -79,17 +79,25 @@ DVM_DISK="80GiB"
 
 DVM_PACKAGES="git openssh-clients gpg helix ripgrep fd-find jq"
 DVM_SETUP_SCRIPTS="$DVM_CONFIG/setup.d/fedora.sh"
+DVM_DOTFILES_DIR="$HOME/.dotfiles"
 ```
 
-Put package-independent setup, public dotfiles, shell config, and tool config in
-`setup.d/fedora.sh`. User setup scripts run inside the VM as the guest user with:
+Put package-independent setup, shell config, and tool config in `setup.d/fedora.sh`.
+If `DVM_DOTFILES_DIR` is set, DVM copies a snapshot of that host directory into the VM
+before user setup scripts run. It does not mount the host directory live. User setup
+scripts run inside the VM as the guest user with:
 
 ```text
 DVM_NAME
 DVM_VM_NAME
 DVM_CODE_DIR
+DVM_DOTFILES_TARGET
 ```
 
+Dotfiles sync is opt-in. By default DVM excludes `.git`, `.ssh`, `.gnupg`, `.env`, and
+`secrets`, refuses dangerous source paths such as `/`, `$HOME`, `~/.ssh`, and
+`~/.gnupg`, and keeps the target under the guest home directory.
+
 The default workflow keeps source code inside the VM under `~/code`. No host project
 directory is mounted.
 
@@ -137,8 +145,9 @@ dvm setup myapp
 dvm setup-all
 ```
 
-This is the intended way to add packages everywhere or refresh dotfiles. The script
-does not try to remove packages automatically; removals should be explicit and manual.
+This is the intended way to add packages everywhere or refresh dotfiles snapshots. The
+script does not try to remove packages automatically; removals should be explicit and
+manual.
 
 ## Delete Safety
 

SECURITY.md

@@ -39,6 +39,10 @@ User setup scripts, dotfiles, packages installed inside a VM, downloaded models,
 services configured by users are user-controlled and out of scope unless DVM itself
 handles them insecurely.
 
+DVM does not mount host dotfiles into VMs by default. If dotfiles sync is enabled, DVM
+copies a filtered snapshot during setup so project code in the VM does not retain a
+persistent read path back to the host.
+
 ## Safe Installation
 
 Install from a signed release tag, not from an arbitrary branch. Before running

defaults/config.sh

@@ -21,4 +21,12 @@ DVM_PACKAGES="${DVM_PACKAGES:-git openssh-clients gpg}"
 # guest user with DVM_NAME, DVM_VM_NAME, and DVM_CODE_DIR set.
 DVM_SETUP_SCRIPTS="${DVM_SETUP_SCRIPTS:-$DVM_CONFIG/setup.d/fedora.sh}"
 
+# Optional host dotfiles snapshot copied into the VM during `dvm setup`.
+# Keep this opt-in. DVM copies a snapshot before user setup scripts run; it does
+# not mount a live host directory into the VM.
+# DVM_DOTFILES_DIR="${HOME}/.dotfiles"
+DVM_DOTFILES_DIR="${DVM_DOTFILES_DIR:-}"
+DVM_DOTFILES_TARGET="${DVM_DOTFILES_TARGET:-$DVM_GUEST_HOME/.dotfiles}"
+DVM_DOTFILES_EXCLUDES="${DVM_DOTFILES_EXCLUDES:-.git .ssh .gnupg .env secrets}"
+
 DVM_GPG_DIR="${DVM_GPG_DIR:-$DVM_STATE/gpg}"

defaults/setup-fedora.sh

@@ -12,7 +12,6 @@ mkdir -p "$DVM_CODE_DIR"
 #   sudo dnf5 install -y helix ripgrep fd-find jq
 # fi
 #
-# if [ ! -d "$HOME/.dotfiles" ]; then
-#   git clone https://github.com/example/dotfiles.git "$HOME/.dotfiles"
+# if [ -x "$DVM_DOTFILES_TARGET/install.sh" ]; then
+#   "$DVM_DOTFILES_TARGET/install.sh"
 # fi
-# "$HOME/.dotfiles/install.sh"

lib/config.sh

@@ -21,6 +21,9 @@ dvm_load_config() {
 	DVM_CODE_DIR="${DVM_CODE_DIR:-$DVM_GUEST_HOME/code}"
 	DVM_PACKAGES="${DVM_PACKAGES:-git openssh-clients gpg}"
 	DVM_SETUP_SCRIPTS="${DVM_SETUP_SCRIPTS:-$DVM_CONFIG/setup.d/fedora.sh}"
+	DVM_DOTFILES_DIR="${DVM_DOTFILES_DIR:-}"
+	DVM_DOTFILES_TARGET="${DVM_DOTFILES_TARGET:-$DVM_GUEST_HOME/.dotfiles}"
+	DVM_DOTFILES_EXCLUDES="${DVM_DOTFILES_EXCLUDES:-.git .ssh .gnupg .env secrets}"
 	DVM_GPG_DIR="${DVM_GPG_DIR:-$DVM_STATE/gpg}"
 }
 

lib/vm.sh

@@ -110,6 +110,90 @@ fi
 REMOTE
 }
 
+dvm_resolve_host_dir() {
+	local dir
+	dir="$1"
+	(
+		cd "$dir" 2>/dev/null &&
+			pwd -P
+	) || dvm_die "directory not found: $dir"
+}
+
+dvm_validate_dotfiles_source() {
+	local source_real home_real
+	source_real="$1"
+	home_real="$(dvm_resolve_host_dir "$HOME")"
+
+	case "$source_real" in
+	/ | "$home_real" | "$home_real/.ssh" | "$home_real/.ssh/"* | "$home_real/.gnupg" | "$home_real/.gnupg/"*)
+		dvm_die "refusing dangerous DVM_DOTFILES_DIR: $source_real"
+		;;
+	esac
+}
+
+dvm_validate_dotfiles_target() {
+	local target
+	target="$1"
+
+	case "$target" in
+	/*) ;;
+	*) dvm_die "DVM_DOTFILES_TARGET must be an absolute path: $target" ;;
+	esac
+
+	case "$target" in
+	"$DVM_GUEST_HOME")
+		dvm_die "refusing unsafe DVM_DOTFILES_TARGET: $target"
+		;;
+	"$DVM_GUEST_HOME/.ssh" | "$DVM_GUEST_HOME/.ssh/"* | \
+		"$DVM_GUEST_HOME/.gnupg" | "$DVM_GUEST_HOME/.gnupg/"*)
+		dvm_die "refusing unsafe DVM_DOTFILES_TARGET: $target"
+		;;
+	"$DVM_GUEST_HOME"/*) ;;
+	*) dvm_die "DVM_DOTFILES_TARGET must stay under DVM_GUEST_HOME: $target" ;;
+	esac
+}
+
+dvm_sync_dotfiles_remote() {
+	cat <<'REMOTE'
+set -euo pipefail
+target="$1"
+parent="$(dirname "$target")"
+
+mkdir -p "$parent"
+rm -rf "$target"
+mkdir -p "$target"
+tar -C "$target" -xf -
+REMOTE
+}
+
+dvm_sync_dotfiles() {
+	local vm source_real target remote exclude
+	vm="$1"
+	[ -n "$DVM_DOTFILES_DIR" ] || return 0
+
+	[ -d "$DVM_DOTFILES_DIR" ] || dvm_die "dotfiles directory not found: $DVM_DOTFILES_DIR"
+	dvm_require tar
+
+	source_real="$(dvm_resolve_host_dir "$DVM_DOTFILES_DIR")"
+	dvm_validate_dotfiles_source "$source_real"
+
+	target="$DVM_DOTFILES_TARGET"
+	dvm_validate_dotfiles_target "$target"
+
+	remote="$(dvm_sync_dotfiles_remote)"
+
+	dvm_log "syncing dotfiles into $vm: $source_real -> $target"
+	(
+		cd "$source_real" || exit 1
+		set -- tar -cf -
+		for exclude in $DVM_DOTFILES_EXCLUDES; do
+			set -- "$@" --exclude "$exclude"
+		done
+		set -- "$@" .
+		"$@"
+	) | limactl shell "$vm" bash -c "$remote" dvm-dotfiles "$target"
+}
+
 dvm_setup() {
 	local name vm remote script
 	[ "$#" -eq 1 ] || dvm_die "usage: dvm setup <name>"
@@ -123,6 +207,7 @@ dvm_setup() {
 	limactl start "$vm"
 	dvm_log "running core setup in $vm"
 	limactl shell "$vm" bash -c "$remote" dvm-setup "$name" "$DVM_CODE_DIR" "$DVM_PACKAGES"
+	dvm_sync_dotfiles "$vm"
 
 	for script in $DVM_SETUP_SCRIPTS; do
 		[ -n "$script" ] || continue
@@ -132,6 +217,7 @@ dvm_setup() {
 			"DVM_NAME=$name" \
 			"DVM_VM_NAME=$vm" \
 			"DVM_CODE_DIR=$DVM_CODE_DIR" \
+			"DVM_DOTFILES_TARGET=$DVM_DOTFILES_TARGET" \
 			bash -s <"$script"
 	done
 }

tests/smoke.sh

@@ -118,7 +118,16 @@ export PATH="$MOCK_BIN:$PATH"
 export HOME="$TMP/home"
 export DVM_CONFIG="$TMP/config"
 export DVM_STATE="$TMP/state"
+export HOST_DOTFILES="$TMP/host-dotfiles"
 mkdir -p "$HOME"
+mkdir -p "$HOST_DOTFILES/.git" "$HOST_DOTFILES/.ssh" "$HOST_DOTFILES/.gnupg"
+printf 'set -o vi\n' >"$HOST_DOTFILES/bashrc"
+printf '#!/usr/bin/env bash\n' >"$HOST_DOTFILES/install.sh"
+printf 'git metadata\n' >"$HOST_DOTFILES/.git/config"
+printf 'secret key\n' >"$HOST_DOTFILES/.ssh/id_ed25519"
+printf 'gpg material\n' >"$HOST_DOTFILES/.gnupg/private-keys-v1.d"
+printf 'token=1\n' >"$HOST_DOTFILES/.env"
+printf 'do not copy\n' >"$HOST_DOTFILES/secrets"
 
 "$ROOT/install.sh" --prefix "$TMP/local-bin" --name dvm-test --init >/dev/null
 [ -L "$TMP/local-bin/dvm-test" ]
@@ -127,33 +136,66 @@ mkdir -p "$HOME"
 
 cat >"$DVM_CONFIG/config.sh" <<CONFIG
 DVM_PREFIX="testvm"
+DVM_GUEST_HOME="$VM_HOME_ROOT/testvm-app"
 DVM_CODE_DIR="$VM_HOME_ROOT/testvm-app/code"
 DVM_PACKAGES="git openssh-clients gpg helix"
 DVM_SETUP_SCRIPTS="$DVM_CONFIG/setup.d/fedora.sh"
+DVM_DOTFILES_DIR="$HOST_DOTFILES"
+DVM_DOTFILES_TARGET="$VM_HOME_ROOT/testvm-app/.dotfiles"
 DVM_GPG_DIR="$DVM_STATE/gpg"
 CONFIG
 
 cat >"$DVM_CONFIG/setup.d/fedora.sh" <<'SCRIPT'
 #!/usr/bin/env bash
 set -euo pipefail
 printf '%s\n' "$DVM_NAME" >>"$HOME/setup-ran"
+[ -f "$DVM_DOTFILES_TARGET/install.sh" ]
 SCRIPT
 
 "$TMP/local-bin/dvm-test" new app >"$TMP/new.out"
 grep -Fq 'public key for app' "$TMP/new.out"
 grep -Fq 'create testvm-app' "$LOG"
 grep -Fq 'helix' "$LOG"
 grep -Fq 'app' "$VM_HOME_ROOT/testvm-app/setup-ran"
+[ -f "$VM_HOME_ROOT/testvm-app/.dotfiles/bashrc" ]
+[ -f "$VM_HOME_ROOT/testvm-app/.dotfiles/install.sh" ]
+[ ! -e "$VM_HOME_ROOT/testvm-app/.dotfiles/.git" ]
+[ ! -e "$VM_HOME_ROOT/testvm-app/.dotfiles/.ssh" ]
+[ ! -e "$VM_HOME_ROOT/testvm-app/.dotfiles/.gnupg" ]
+[ ! -e "$VM_HOME_ROOT/testvm-app/.dotfiles/.env" ]
+[ ! -e "$VM_HOME_ROOT/testvm-app/.dotfiles/secrets" ]
 
 "$TMP/local-bin/dvm-test" list >"$TMP/list.out"
 grep -Fxq app "$TMP/list.out"
+rm -f "$HOST_DOTFILES/bashrc"
+printf 'export EDITOR=hx\n' >"$HOST_DOTFILES/zshrc"
 "$TMP/local-bin/dvm-test" setup-all >/dev/null
 [ "$(grep -Fc 'app' "$VM_HOME_ROOT/testvm-app/setup-ran")" -ge 2 ]
+[ ! -e "$VM_HOME_ROOT/testvm-app/.dotfiles/bashrc" ]
+[ -f "$VM_HOME_ROOT/testvm-app/.dotfiles/zshrc" ]
 "$TMP/local-bin/dvm-test" key app >"$TMP/key.out"
 grep -Fq 'ssh-ed25519' "$TMP/key.out"
 "$TMP/local-bin/dvm-test" doctor >"$TMP/doctor.out"
 grep -Fq "prefix: testvm" "$TMP/doctor.out"
 
+cp "$DVM_CONFIG/config.sh" "$DVM_CONFIG/config.safe.sh"
+cat >"$DVM_CONFIG/config.sh" <<CONFIG
+DVM_PREFIX="testvm"
+DVM_GUEST_HOME="$VM_HOME_ROOT/testvm-app"
+DVM_CODE_DIR="$VM_HOME_ROOT/testvm-app/code"
+DVM_PACKAGES="git openssh-clients gpg helix"
+DVM_SETUP_SCRIPTS="$DVM_CONFIG/setup.d/fedora.sh"
+DVM_DOTFILES_DIR="$HOME"
+DVM_DOTFILES_TARGET="$VM_HOME_ROOT/testvm-app/.dotfiles"
+DVM_GPG_DIR="$DVM_STATE/gpg"
+CONFIG
+if "$TMP/local-bin/dvm-test" setup app >"$TMP/dangerous.out" 2>"$TMP/dangerous.err"; then
+	echo "setup unexpectedly succeeded with dangerous dotfiles dir" >&2
+	exit 1
+fi
+grep -Fq 'refusing dangerous DVM_DOTFILES_DIR' "$TMP/dangerous.err"
+mv "$DVM_CONFIG/config.safe.sh" "$DVM_CONFIG/config.sh"
+
 mkdir -p "$VM_HOME_ROOT/testvm-app/code/repo"
 git -C "$VM_HOME_ROOT/testvm-app/code/repo" init -q
 printf 'dirty\n' >"$VM_HOME_ROOT/testvm-app/code/repo/file.txt"