feat(tf): prox

devShell.nix

@@ -22,6 +22,9 @@
   nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
     exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deploy" -- "$@"
   '';
+  nf-setup-reisen = pkgs.writeShellScriptBin "nf-setup-reisen" ''
+    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-setup-reisen" -- "$@"
+  '';
   nf-tf = pkgs.writeShellScriptBin "nf-tf" ''
     cd "$NF_CONFIG_ROOT/tf"
     if [[ $# -eq 0 ]]; then
@@ -73,6 +76,7 @@ in
       nf-actions-test
       nf-update
       nf-deploy
+      nf-setup-reisen
       nf-tf
       nf-lint-tf
       nf-lint-nix

packages/default.nix

@@ -17,6 +17,16 @@
     nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
       exec ${pkgs.runtimeShell} ${../ci/deploy.sh} "$@"
     '';
+    nf-setup-reisen = let
+      bin = ../../systems/reisen/bin;
+    in pkgs.writeShellScriptBin "nf-setup-reisen" ''
+      ssh root@reisen env \
+        INPUT_INFRA_SETUP="$(base64 -w0 < ${bin + "/setup.sh"})" \
+        INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${bin + "/putfile64.sh"})" \
+        INPUT_INFRA_PVE="$(base64 -w0 < ${bin + "/pve.sh"})" \
+        INPUT_INFRA_LXC_CONFIG="$(base64 -w0 < ${bin + "/lxc-config.sh"})" \
+        "bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\""
+    '';
     nf-statix = pkgs.writeShellScriptBin "nf-statix" ''
       if [[ $# -eq 0 ]]; then
         set -- check

systems/default.nix

@@ -31,7 +31,7 @@
       };
       type = mkOption {
         description = "Operating system type of the host";
-        type = str;
+        type = nullOr str;
         default = "NixOS";
       };
       folder = mkOption {
@@ -141,7 +141,7 @@
   (set.map (_: c: c) tree.systems);
   processHost = name: cfg: let
     host = cfg.config;
-  in {
+  in set.optional (host.type != null) {
     deploy.nodes.${name} = host.deploy;
 
     "${host.folder}Configurations".${name} = host.builder {

systems/reisen/bin/lxc-config.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -eu
+shopt -s extglob
+
+ARG_VMID=$1
+shift
+
+case "$ARG_VMID" in
+	+([0-9]))
+		;;
+	*)
+		echo unknown vmid "$ARG_VMID" >&2
+		exit 1
+		;;
+esac
+
+LXC_CONF_PATH="/etc/pve/lxc/$ARG_VMID.conf"
+
+if [[ ! -e $LXC_CONF_PATH ]]; then
+	echo missing vmid "$ARG_VMID" >&2
+	exit 1
+fi
+
+ARG_VARS=("$@")
+
+EXCLUDE_KEYS=(
+	-e "^lxc\\."
+)
+
+while [[ $# -gt 0 ]]; do
+	ARG_VAR="$1"
+	ARG_VALUE="$2"
+	shift 2
+	EXCLUDE_KEYS+=(
+		-e "^${ARG_VAR//./\\.}:"
+	)
+done
+set -- "${ARG_VARS[@]}"
+
+LXC_CONF=$(grep -v "${EXCLUDE_KEYS[@]}" "$LXC_CONF_PATH")
+
+cat > "$LXC_CONF_PATH" <<<"$LXC_CONF"
+while [[ $# -gt 0 ]]; do
+	ARG_VAR="$1"
+	ARG_VALUE="$2"
+	shift 2
+	echo "$ARG_VAR: $ARG_VALUE"
+done >> "$LXC_CONF_PATH"

systems/reisen/bin/putfile64.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -eu
+
+ARG_DEST=$1
+ARG_INPUT_BASE64=$2
+
+case "$ARG_DEST" in
+	*..*)
+		echo ugh >&2
+		exit 1
+		;;
+	/etc/sysctl.d/*.conf)
+		ARG_IS_SYSCTL=1
+		;;
+	/etc/udev/rules.d/*.rules)
+		ARG_IS_UDEV=1
+		;;
+	*)
+		echo unsupported destination >&2
+		exit 1
+		;;
+esac
+
+base64 -d <<<"$ARG_INPUT_BASE64" \
+	> "$ARG_DEST"
+
+if [[ -n ${ARG_IS_SYSCTL-} ]]; then
+	sysctl -f "$ARG_DEST"
+fi
+
+if [[ -n ${ARG_IS_UDEV-} ]]; then
+	udevadm control --reload-rules
+	udevadm trigger
+fi

systems/reisen/bin/pve.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -eu
+
+ARG_CMD=$1
+shift
+
+case "$ARG_CMD" in
+	qm|pct|pveum)
+		;;
+	*)
+		echo unsupported pve command "$ARG_CMD" >&2
+		exit 1
+		;;
+esac
+
+exec "$ARG_CMD" "$@"

systems/reisen/bin/setup.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eu
+
+if [[ ! -d /home/tf ]]; then
+	echo setting up pve terraform user... >&2
+	groupadd -g 1001 tf
+	useradd -u 1001 -g 1001 -d /home/tf -s /bin/bash tf
+	passwd tf
+	pveum user add tf@pam --firstname Terraform --lastname Cloud
+	pveum acl modify / --users tf@pam --roles PVEVMAdmin
+	mkdir -p /home/tf/.ssh
+	cat > /home/tf/.ssh/authorized_keys <<<"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFobUpp90cBjtqBfHlw49WohhLFeExAmOmHOnCentx+ hakurei-tf-proxmox"
+	chown -R tf:tf /home/tf
+	chmod -R og= /home/tf/.ssh
+fi
+
+mkdir -p /opt/infra/bin
+base64 -d > /opt/infra/bin/putfile64 <<<"$INPUT_INFRA_PUTFILE64"
+base64 -d > /opt/infra/bin/pve <<<"$INPUT_INFRA_PVE"
+base64 -d > /opt/infra/bin/lxc-config <<<"$INPUT_INFRA_LXC_CONFIG"
+chmod u+x /opt/infra/bin/*
+chmod og-rwx /opt/infra/bin/*
+
+cat > /etc/sudoers.d/tf <<EOF
+tf ALL=(root:root) NOPASSWD: NOSETENV: /opt/infra/bin/putfile64, /opt/infra/bin/pve, /opt/infra/bin/lxc-config
+EOF

systems/reisen/default.nix

@@ -0,0 +1,3 @@
+_: {
+  type = null;
+}

systems/reisen/sysctl.50-net.conf

@@ -0,0 +1,3 @@
+net.ipv6.conf.vmbr0.disable_ipv6=0
+net.ipv6.conf.vmbr0.use_tempaddr=1
+net.ipv6.conf.vmbr0.accept_ra_rt_info_max_plen=128

systems/reisen/udev.90-dri.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="drm", KERNEL=="renderD128", OWNER="100193"

systems/reisen/udev.90-z2m.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="tty", ATTRS{interface}=="Sonoff Zigbee 3.0 USB Dongle Plus", OWNER="100317", SYMLINK+="ttyZigbee"

tf/.terraform.lock.hcl

@@ -46,6 +46,25 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.6.0"
+  hashes = [
+    "h1:R5Ucn26riKIEijcsiOMBR3uOAjuOMfI1x7XvH4P6B1w=",
+    "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
+    "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
+    "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
+    "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d",
+    "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17",
+    "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21",
+    "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839",
+    "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0",
+    "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c",
+    "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e",
+  ]
+}
+
 provider "registry.terraform.io/hashicorp/tls" {
   version = "4.0.5"
   hashes = [

tf/proxmox_provider.tf

@@ -36,3 +36,84 @@ provider "proxmox" {
     }
   }
 }
+
+data "proxmox_virtual_environment_role" "vm_admin" {
+  role_id = "PVEVMAdmin"
+}
+
+data "proxmox_virtual_environment_role" "administrator" {
+  role_id = "Administrator"
+}
+
+resource "proxmox_virtual_environment_group" "admin" {
+  group_id = "admin"
+  comment  = "System Administrators"
+
+  acl {
+    path      = "/"
+    propagate = true
+    role_id   = data.proxmox_virtual_environment_role.administrator.id
+  }
+}
+
+resource "random_password" "proxmox_initial" {
+  length  = 32
+  special = false
+}
+
+variable "proxmox_user_arc_email" {
+  type = string
+}
+
+variable "proxmox_user_arc_first_name" {
+  type = string
+}
+
+variable "proxmox_user_arc_last_name" {
+  type = string
+}
+
+resource "proxmox_virtual_environment_user" "arc" {
+  user_id    = "arc@pve"
+  email      = var.proxmox_user_arc_email
+  first_name = var.proxmox_user_arc_first_name
+  last_name  = var.proxmox_user_arc_last_name
+  password   = random_password.proxmox_initial.result
+  groups     = [proxmox_virtual_environment_group.admin.id]
+
+  lifecycle {
+    ignore_changes = [password]
+  }
+}
+
+variable "proxmox_user_kat_email" {
+  type = string
+}
+
+resource "proxmox_virtual_environment_user" "kat" {
+  user_id    = "kat@pve"
+  email      = var.proxmox_user_kat_email
+  first_name = "Kat"
+  last_name  = "Inskip"
+  password   = random_password.proxmox_initial.result
+  groups     = [proxmox_virtual_environment_group.admin.id]
+
+  lifecycle {
+    ignore_changes = [password]
+  }
+}
+
+variable "proxmox_user_liz_last_name" {
+  type = string
+}
+
+resource "proxmox_virtual_environment_user" "liz" {
+  user_id    = "liz@pve"
+  first_name = "Elizabeth"
+  last_name  = var.proxmox_user_liz_last_name
+  password   = random_password.proxmox_initial.result
+
+  lifecycle {
+    ignore_changes = [password]
+  }
+}

tf/proxmox_reisen.tf

@@ -0,0 +1,29 @@
+locals {
+  proxmox_reisen_sysctl_net = file("${path.root}/../systems/reisen/sysctl.50-net.conf")
+  proxmox_reisen_udev_dri   = file("${path.root}/../systems/reisen/udev.90-dri.rules")
+  proxmox_reisen_udev_z2m   = file("${path.root}/../systems/reisen/udev.90-z2m.rules")
+}
+
+resource "terraform_data" "proxmox_reisen_etc" {
+  triggers_replace = [
+    local.proxmox_reisen_sysctl_net,
+    local.proxmox_reisen_udev_dri,
+    local.proxmox_reisen_udev_z2m,
+  ]
+
+  connection {
+    type     = "ssh"
+    user     = var.proxmox_reisen_ssh_username
+    password = var.proxmox_reisen_password
+    host     = var.proxmox_reisen_ssh_host
+    port     = var.proxmox_reisen_ssh_port
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo /opt/infra/bin/putfile64 /etc/sysctl.d/50-net.conf ${base64encode(local.proxmox_reisen_sysctl_net)}",
+      "sudo /opt/infra/bin/putfile64 /etc/udev/rules.d/90-dri.rules ${base64encode(local.proxmox_reisen_udev_dri)}",
+      "sudo /opt/infra/bin/putfile64 /etc/udev/rules.d/90-z2m.rules ${base64encode(local.proxmox_reisen_udev_z2m)}",
+    ]
+  }
+}

tf/terraform.tf

@@ -10,14 +10,18 @@ terraform {
       source  = "cloudflare/cloudflare"
       version = ">= 4.22.0"
     }
-    tls = {
-      source  = "hashicorp/tls"
-      version = ">= 4.0.5"
-    }
     proxmox = {
       source  = "bpg/proxmox"
       version = ">= 0.42.1"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 4.0.5"
+    }
   }
 
   cloud {

tf/terraform.tfvars.sops

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:4Ncjr/OCBYgIibScDOtonfQ1mX24OalkeQYzzdmyNnOsU1bC0fX4q7UdBnK8LwnAVxsAIzvqPq7GTqevb6rYTxj0xyDUo4pS+WwAJPakyJDZXznznzmNNmFgAJa8XTO3yiXmV2kpprLaqJIVshCbwFWmrF1gPC091mZjfrrwnE8+z7I+ehEtef75nkqktRxBqFJjHhjdWRh2yscFAZDfMlITlAOTXgO/zFNKkHiuhrBrcTeNZyNm8w+6AtZECipxAtm56YfA5H2gDmzzb6Dnl3nTHdTPTrVl8Jx05620OE6CQu3zZUsdr8PKT45uKbI9Z24JooudEZoR9dj/CXzQxaDF2ef2Vqwjxb8nd72aYjEY8wFv4J9azzFo4QTk8sUi3FM8bKDFrFmZcu0jCh4tzar7KctXiobeiWQKmeEfNb5YtgA/zyid3vLtJyxOtWaPU11fPNDPTAVc/eBlhzZT3stcydcZRyqHydJUQf37o5TyGt7vVPQhi8zE5Uan11R46yAMiVKuE4IpW8JP/mEpBAf21+yZu6mtQnf4K5k1l//lRTLwIgzBUWdnaylhHjCDo5JqrbQslROPIjWtFEMLcUikL56vEJpeaP05gQkGGn3tmsYiGWI176dKY9xYXeg2OARENToztgnKPsE20gXzTQbziJV9oL8j5kauY8Zs96HMBdMhPyph78P2wLlgnGbrDhZSLW1lL8t1FU5fg2QSjyMeulowxtasjmbhStUNUgNGRFNMxYm1Vo+CeBXVvBbPUfd3VZiGCnHFfSbfeV5sGuDU49MkuweuQS3K+KOZ3qZmnyp9pMMHTgtA/rRlKQ+klT/7g/p0+o9P4jK0n0IxK0fnjBJPpi8sekLE6VL/Yl12BBxu5+Gm280GeY2zwQ6keEARTXt+NLEZ5+LfQXXwH+A8bIH2er9aQYuxHXk9HvbgM8ie2n3QSMb3nKbfG05NWY+30OwyEzPG/v9RJ8sjyBbFBOU0zmZfqrd/koUpL15b24wliXYF42KNwb/IMWpC+uxuLgmrD315P1ehsf6omYe9EjJPtfXBDQ7FGvyQ30zr8m2GrVhFPFzBtl1uOxiqgFZkkiQnnPdtQctvwDZ8ip7GKP/YpFrhK8vgTBVlI0z/xPhQBV/KI3VTEmHsanorIVkvLgzj5x/8jcwwTmbRIJEwgxBs+YwAc4BFo3fZCXg3sMSQiisUQDWBvC+xHf/FtBhkP7k4BW1hUG8B9R2Z0sMsSN+LuUh37sanPGqV95/9W+HhNBKVmmaBBcehykY0YiRp7aOSLNp2JJMrZTCQPy1LssMpXpGyMxdoTuPIHXdsAUD/F3fL6NS1NL8v9zMmy1w0XYFxWWS3+JKtGzYLXhxAIdIHVm3KRl2phsZhWOmcZZ3TLJ4fR5yLRiDj,iv:M1Rvi7SvPUouCfJ2hccBokPj2j/iArEdbT5bU2cvFxQ=,tag:EUNy2oSSTKwuR9S7/Y/zXw==,type:str]",
+	"data": "ENC[AES256_GCM,data:LLzklOKNkbqIa9C50BODDA06COkVWgmzH+nqU9rDDt/ZGzUWyrcrr4vsxPoqTr9EaKpaB4VfCe+2phXSGuNpoPrsRuWvLm2UUL8zujLMpR/MIm6cKSANy2Sm5vxLFNXmVoOU4YMmMclyuAvwGM/v22V39luIKN1ZqWJo2P0+FsrzSHAScx1NHp4xqw9AH1jwdGvy+jWRTsGPPqDc5vG+PQpbsh6ZQvTe77PAcBjHjSl6jc1Da73nKb7Sag/GeaDek84aB6De/lXuSv9gAfZF1mEoi5X1GSM8SOrDoZEHGLLJ6H+TVTens0UyW1VfMkb6Vw6E54V4qSfigheUORapl2nhvD/wRCgMadBpPgyQLdT8jOfryKlupObgSu2e3QowSBvo2wJ+51bE+LEhWZKXiv2Ogh27K4dCpuwlhpLjyblb+cUS0q76kHL4ALGcjm8AOb2bwPwvAwXmCCbzegLNbGHbisGwWRpBPnw2PBA7oCrbAmei1ThiBFD9L9RvydSFLbsVNDSTo/U7E63b8WbQ6EI7EUj4St9u7Mt3Fy7sbpxSRjawfdEhKiHrlvFfB/a45aOyRK6MjObxy0rjtmiX6+STnC2ICNmV+lNbIg7iCuI0s+lryGpxZdDOHCjfk3rawzUfZxsTVcELqjr7WmAORyBZ6STYVG9S06vFn51wcJb4NLzXa6hMG2V92PGzf90Vd7TVyPbgQj/1KxIz0Nz/cQxB9I96EwnmS2Ovfxi50G5Q5gU09jpXtpAUOlxpVRSHx5qs4u0uEZhtk+WmtIo8Kip+V0Z98n4eGQT/pxPBAZQcrIlzlauvKIFEQAoIrl9iebVfYQhzUGPAw+KmOuxEfpjhQp0zHjIgHE1TaGjOnOyHje8LmnQnuW787ovqdZFKcmU0UHFmv3fNi9cIdlPdayF1qyOW2Tq+3Pq917QMDv8R5FxV/MzJsPbLwTliPMfv5AMSXPVCuijcVfL1nOQRGlxRAHdLc82vJ0yzB9s8MPKjTqetM1cPT6omgCoH0u07c8//iQwZT4tYKmy13z6GdR62FRjm/kt2cE9jhcSl72TKmvBlB7FeePZ07TzaUW6kmvBnjxsGYMzpjbcO7GEFwHBfMIctLvhKG6hopZ8N7rPByKKZd53lApcNrBm2kQGPcEr9UBlGwJUC09qdYkg0uTTBVpixqPUDytNdgupy7mx48SlcJhXQi+NwNGf6Mjcx8jUhT/l63EBKdV6wNI59LM0davt9sgKIxBorOGjAxrETC7xwh9ER7WrVQwYmIdOsvtw+ozvTEwzI+GPYRY1PQDsaAvbca5m6FAu9SepRtbIshvTqJxPGkEW2+YWELVdico6rA3x0zG3nJ9ahXECap3wUW63d1X3W/vQ8s1hKzJdzKB67iwfj6c1kwma0nNXcBw1iWwht7bkS13JzJLAdWWGxtyYJjREAlsPZaqh1BCnTwrPuB7U+EI4A0/Hn1bl5qzalMjzeX8K9VUOEQgc5pqKuhKcbCcUc9Rck3STbyrODdrvcfIc8FChJc9HMF0Rj/PuwDGZy+Bc52IF7iLAD6vcYVht2QoaM2m9sjScVJsyDBaxn8br6I/Mx66ANUY7dkh4L51uFRO5wL3EJxF10hZzX1sYvkPZ6XoNwjcHPgS9Zlk9OPRmpOaTbEWmOhsn7avYWFpeaqCU=,iv:ZtdTd0Hyg3MeBC6rquwilcROlfOu99+Ti/DtgXsk3fg=,tag:rKDfuKNyH9bBeprtGtmY6w==,type:str]",
 	"sops": {
 		"shamir_threshold": 1,
 		"kms": null,
@@ -7,8 +7,8 @@
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2024-01-26T22:11:12Z",
-		"mac": "ENC[AES256_GCM,data:ZREia1Dq/74eK6Xs5lfvoFHPM8gBWeAJfNwA1Owk7Uhw95TwmZjDHOhqwPd8L7a0nXkZDzG8wwol4BdXwJ+ad9Qbceha+k29ACc8gQkIGEtmRbd/03ZU5OVzN2cqyK7p8nO9zS+4D0q6HXTboqWn2yc7yJbAXPmmEQY71tl5EGg=,iv:YRYmVj5awWxHgP0cS1q/09p+Al1Xt9yEH3sh8bSopx4=,tag:QbbPY+O1qJN/kT0m8Q/0qg==,type:str]",
+		"lastmodified": "2024-01-28T05:17:30Z",
+		"mac": "ENC[AES256_GCM,data:EbKeIgTkJgItseG5sXE4HBJYS4Kf+/7JhmJbFTxZzHXx7NwTzSjowMruhCQvHZ4r2QPohnSkmcVq6YnNod5jAtPOoTvyVq6FZE6EZ4943WF8IUy1Vu8R4mzFP6FSa+/CD+Mb8mN+nQwUXd5vz1XQZcMo2uEmvWB/ZYgEqCJ5suA=,iv:AEYxEokcU2/2+P5IopuaDKbs69I7TtSzXcBPQ05TeN4=,tag:3zf3yDVQOLaxbSbvCuWJ9Q==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-01-14T19:49:29Z",