feat(tf): prox

systems/default.nix

@@ -31,7 +31,7 @@
       };
       type = mkOption {
         description = "Operating system type of the host";
-        type = str;
+        type = nullOr str;
         default = "NixOS";
       };
       folder = mkOption {
@@ -141,7 +141,7 @@
   (set.map (_: c: c) tree.systems);
   processHost = name: cfg: let
     host = cfg.config;
-  in {
+  in set.optional (host.type != null) {
     deploy.nodes.${name} = host.deploy;
 
     "${host.folder}Configurations".${name} = host.builder {

systems/reisen/bin/lxc-config.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -eu
+shopt -s extglob
+
+ARG_VMID=$1
+shift
+
+case "$ARG_VMID" in
+	+([0-9]))
+		;;
+	*)
+		echo unknown vmid "$ARG_VMID" >&2
+		exit 1
+		;;
+esac
+
+LXC_CONF_PATH="/etc/pve/lxc/$ARG_VMID.conf"
+
+if [[ ! -e $LXC_CONF_PATH ]]; then
+	echo missing vmid "$ARG_VMID" >&2
+	exit 1
+fi
+
+ARG_VARS=("$@")
+
+EXCLUDE_KEYS=(
+	-e "^lxc\\."
+)
+
+while [[ $# -gt 0 ]]; do
+	ARG_VAR="$1"
+	ARG_VALUE="$2"
+	shift 2
+	EXCLUDE_KEYS+=(
+		-e "^${ARG_VAR//./\\.}:"
+	)
+done
+set -- "${ARG_VARS[@]}"
+
+LXC_CONF=$(grep -v "${EXCLUDE_KEYS[@]}" "$LXC_CONF_PATH")
+
+cat > "$LXC_CONF_PATH" <<<"$LXC_CONF"
+while [[ $# -gt 0 ]]; do
+	ARG_VAR="$1"
+	ARG_VALUE="$2"
+	shift 2
+	echo "$ARG_VAR: $ARG_VALUE"
+done >> "$LXC_CONF_PATH"

systems/reisen/bin/putfile64.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -eu
+
+ARG_DEST=$1
+ARG_INPUT_BASE64=$2
+
+case "$ARG_DEST" in
+	*..*)
+		echo ugh >&2
+		exit 1
+		;;
+	/etc/sysctl.d/*.conf)
+		ARG_IS_SYSCTL=1
+		;;
+	/etc/udev/rules.d/*.rules)
+		ARG_IS_UDEV=1
+		;;
+	*)
+		echo unsupported destination >&2
+		exit 1
+		;;
+esac
+
+base64 -d <<<"$ARG_INPUT_BASE64" \
+	> "$ARG_DEST"
+
+if [[ -n ${ARG_IS_SYSCTL-} ]]; then
+	sysctl -f "$ARG_DEST"
+fi
+
+if [[ -n ${ARG_IS_UDEV-} ]]; then
+	udevadm control --reload-rules
+	udevadm trigger
+fi

systems/reisen/bin/pve.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -eu
+
+ARG_CMD=$1
+shift
+
+case "$ARG_CMD" in
+	qm|pct|pveum)
+		;;
+	*)
+		echo unsupported pve command "$ARG_CMD" >&2
+		exit 1
+		;;
+esac
+
+exec "$ARG_CMD" "$@"

systems/reisen/bin/setup.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eu
+
+if [[ ! -d /home/tf ]]; then
+	echo setting up pve terraform user... >&2
+	groupadd -g 1001 tf
+	useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
+	passwd tf
+	pveum user add tf@pam --firstname Terraform --lastname Cloud
+	pveum acl modify / --users tf@pam --roles PVEVMAdmin
+	mkdir -p /home/tf/.ssh
+	cat > /home/tf/.ssh/authorized_keys <<<"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox"
+	chown -R tf:tf /home/tf
+	chmod -R og= /home/tf/.ssh
+fi
+
+mkdir -p /opt/infra/bin
+base64 -d > /opt/infra/bin/putfile64 <<<"$INPUT_INFRA_PUTFILE64"
+base64 -d > /opt/infra/bin/pve <<<"$INPUT_INFRA_PVE"
+base64 -d > /opt/infra/bin/lxc-config <<<"$INPUT_INFRA_LXC_CONFIG"
+chmod u+x /opt/infra/bin/*
+chmod og-rwx /opt/infra/bin/*
+
+cat > /etc/sudoers.d/tf <<EOF
+tf ALL=(root:root) NOPASSWD: NOSETENV: /opt/infra/bin/putfile64, /opt/infra/bin/pve, /opt/infra/bin/lxc-config
+EOF

systems/reisen/default.nix

@@ -0,0 +1,3 @@
+_: {
+  type = null;
+}

systems/reisen/sysctl.50-net.conf

@@ -0,0 +1,3 @@
+net.ipv6.conf.vmbr0.disable_ipv6=0
+net.ipv6.conf.vmbr0.use_tempaddr=1
+net.ipv6.conf.vmbr0.accept_ra_rt_info_max_plen=128

systems/reisen/udev.90-dri.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="drm", KERNEL=="renderD128", OWNER="100193"

systems/reisen/udev.90-z2m.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="tty", ATTRS{interface}=="Sonoff Zigbee 3.0 USB Dongle Plus", OWNER="100317", SYMLINK+="ttyZigbee"