I'm happy to see this, and I have lots of thoughts about this. Building declarative services on Nix is a far superior way of distributing Linux to VMs than most any other way I've tried. I am working [1] on very similar things, but I've been leaning more on the self-hosted path; my VM template targets libvirt and Proxmox VE with a single CLI API. I even have an experimental branch that targets DigitalOcean. For VMs especially, I want my OS to be immutable. My VMs should contain no state other than my application state. Upgrades should be a full image replacement and reboot.

So in my template, I have created the VMs with two disks: first one is for NixOS and is built from an image, and it is read-only. The second is mounted to /var and is used for all system configuration as well as application state. If I have multiple VMs, they can all share the same base image (thin provisioned). That's the mode that I want for my deployments of services, immutable and as stateless as possible. For agent use, it's different: you actually want a mutable NixOS root so that the agent can do what it wants.

I built three modes: immutable, semi-mutable, and mutable. mutable removes the read-only lock on the root, and just lets you manage the VM as a pet. semi-mutable adds an ephemeral overlayfs that gets wiped the next time you upgrade the base image. So that gives you kind of the best of both worlds: an immutable read-only base image and the ability to "nix profile add" whatever you (or your agent) wants, but with the contract that these imperatively installed things will disappear the next time you upgrade. Are you planning on adding a LICENSE to your machine0-nixos repo?

[1] https://github.com/EnigmaCurry/nixos-vm-template
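
An added example, not part of the comment above and not code from the linked repository: a drift check that reads a mount table in `/proc/mounts` format and reports when a VM no longer matches its declared mode (for instance, a root that was remounted read-write on an "immutable" VM). The device names, the sample table and the assumption that the ephemeral layer appears as an `overlay` mount on `/` or under `/nix` are all hypothetical.

```python
import sys

# Constructed sample in /proc/mounts format: a root remounted read-write
# on a VM that is supposed to be in immutable mode.
DRIFTED = """\
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vdb1 /var ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""

def parse_mounts(text):
    """Map mountpoint -> (device, fstype, option set); later mounts shadow earlier."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1]] = (fields[0], fields[2], set(fields[3].split(",")))
    return table

def observed_mode(table):
    """Classify the live state as immutable, semi-mutable or mutable."""
    if "/" not in table:
        raise ValueError("no root mount in table")
    # Assumption: the ephemeral layer is an overlay on / or under /nix.
    for mountpoint, (_, fstype, opts) in table.items():
        if fstype == "overlay" and "rw" in opts and (
                mountpoint == "/" or mountpoint.startswith("/nix")):
            return "semi-mutable"
    return "immutable" if "ro" in table["/"][2] else "mutable"

def audit(text, expected):
    """Return a list of findings; empty means the VM matches its declared mode."""
    table = parse_mounts(text)
    findings = []
    mode = observed_mode(table)
    if mode != expected:
        findings.append(f"mode drift: expected {expected}, observed {mode}")
    var = table.get("/var")
    if var is None or var[0] == table["/"][0]:
        findings.append("/var is not on its own disk")
    elif "rw" not in var[2]:
        findings.append("/var is not writable")
    return findings

if __name__ == "__main__":
    # Demo on the constructed sample; pass /proc/mounts as argv[1] on a real VM.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DRIFTED
    for finding in audit(text, "immutable"):
        print(finding)
```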