Lima Agent VM config generator

Build a simple lima.yaml for agent terminals — mounts, hardening, preinstalls.
Verify this VM yourself before trusting it

This generator is vibecoded and not production-tested. Read the generated YAML, inspect the provision script, and test the firewall, root access, and proxy behavior yourself. For a simpler, tested, and more managed solution, check out getbaton.dev.

Resources


Filesystem mounts

Host paths exposed inside the VM. The host path is also the VM path — ~/projects on host appears at ~/projects in VM. ~ expands to the host user's home. The default row is only an example.

Anything an agent writes to a writable mount lands on the host and runs there the moment you execute it. Treat the VM as a sandbox that you trust to read your real codebase, but do not give it write access unless you mean it.

Hardening

Defaults are conservative for agent VMs. The firewall rules only matter if the default user cannot become root; otherwise an agent can simply undo them from inside the VM. The generated firewall constrains the VM's default user only. Root, tinyproxy, and system daemons bypass it.

Restrict sudo
Prevent agents from using sudo inside the VM. The default user has no password and NOPASSWD is stripped from sudoers, so sudo just fails. This keeps agents off /etc, /usr, and the firewall rules. You can still open a root shell from the host with the command shown beside the YAML.
SSH agent forwarding
Forward your SSH keys into the VM for git push/pull and remote access. Keys stay on your machine; only signing requests are forwarded. Anything running in the VM can ask the forwarded agent to sign while this is enabled.
Auto-forward VM ports to host localhost
Automatically forward VM ports to the host. Services started inside the VM, such as dev servers, become accessible on host localhost. Turn off to keep VM services private to the VM.
Block host machine (192.168.5.2)
Drop traffic from the VM to your host's localhost. Databases, dev servers, OAuth callbacks, and anything else listening there become unreachable from inside the VM. DNS and DHCP exemptions still pass so networking keeps working.
Block local networks (RFC 1918 + link-local + IPv6 ULA)
Drop traffic to private LAN ranges, IPv6 ULA, and link-local addresses including cloud metadata (169.254.169.254). Lima's own subnet is allowed first so DNS, DHCP, and Lima internals keep working. The host-machine toggle controls 192.168.5.2 specifically.

Outbound HTTP/HTTPS allowlist (tinyproxy)

Force the default user's HTTP/HTTPS through an in-VM proxy with a domain allowlist, then firewall everything else. Only HTTP(S) to allowlisted domains passes; unmatched outbound traffic is dropped.

Enable tinyproxy + allowlist
Installs tinyproxy, filters by hostname (CONNECT host for HTTPS, Host header for HTTP), and sets proxy env vars for the default user. The proxy runs under its own system uid so it can resolve and connect while direct agent egress is blocked. Patterns are anchored: api.example.com is exact, and *.example.com matches subdomains.

Managing this at runtime: the provision script writes the list to /etc/tinyproxy/allowlist.txt as ERE regex. To change it later, use the root command shown beside the YAML, edit the file, then run systemctl restart tinyproxy. You can also disable the proxy or firewall inside the VM if you decide you do not want this restriction.
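As an added example (not the generator's own provision script), this converts the human-readable allowlist entries into the anchored ERE lines the filter file holds and checks hostnames against them locally, the way a CONNECT target would be matched. It assumes tinyproxy is run with extended-regex filtering and default deny; the function names and the temporary file path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the generator's provision script. Turns allowlist
# entries into the anchored ERE that tinyproxy's filter file holds and
# checks hostnames against it locally (assumes tinyproxy runs with
# extended regex filtering and default deny; paths here are constructed).

# One entry -> one anchored ERE line. Only "." needs escaping in a hostname.
#   api.example.com -> ^api\.example\.com$          (exact host only)
#   *.example.com   -> ^([^.]+\.)+example\.com$     (subdomains, not the apex)
pattern_for() {
  entry=$1
  case $entry in
    '*.'*)
      tail=$(printf '%s' "${entry#\*.}" | sed 's/[.]/\\./g')
      printf '^([^.]+\\.)+%s$\n' "$tail"
      ;;
    *)
      printf '^%s$\n' "$(printf '%s' "$entry" | sed 's/[.]/\\./g')"
      ;;
  esac
}

# Write the filter file from entries given as arguments. An empty file
# matches nothing, which is the safe outcome for a deny-by-default proxy.
write_allowlist() {
  out=$1; shift
  : > "$out"
  for e in "$@"; do pattern_for "$e" >> "$out"; done
}

# host_allowed HOST FILE: exit 0 if HOST matches any pattern in FILE.
# grep -E is the same ERE dialect; -i because hostnames are case-insensitive.
host_allowed() {
  printf '%s\n' "$1" | grep -Eiq -f "$2"
}

# Constructed demo: the generator writes /etc/tinyproxy/allowlist.txt;
# a temp path is used here so this runs without root.
ALLOWLIST=${ALLOWLIST:-/tmp/allowlist.txt}
write_allowlist "$ALLOWLIST" api.example.com '*.example.com'
for h in api.example.com cdn.example.com example.com \
         api.example.com.evil.test notexample.com; do
  if host_allowed "$h" "$ALLOWLIST"; then echo "allow $h"; else echo "deny  $h"; fi
done
```

Because every pattern is anchored at both ends, a host such as api.example.com.evil.test is denied even though it starts with an allowed name.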

A fuller version could look like Baton's Network sandboxing page: firewall toggles, recent blocked traffic, one-click allow actions, and a domain allowlist editor.

Preinstalled software

Selected items are installed once during VM creation. You can always apt install more later.

Git identity

Sets git config --system user.name / user.email inside the VM so commits made from the VM are attributed correctly.