From 47ca22ff4789542c3c09d7e44a9bc5ec2fc9671d Mon Sep 17 00:00:00 2001 
From: arcnmx Date: Wed, 3 Sep 2025 23:18:59 -0700 Subject: [PATCH] feat: meiling --- .github/workflows/nodes.yml | 63 +++++++++++++++++-- ci/generate.sh | 3 +- ci/systems.json | 48 +++++++++++++- ci/tarball.sh | 22 +++---- generate.nix | 3 +- nixos/access/proxmox.nix | 3 +- nixos/ct/meiling/proxmox.nix | 16 +++++ .../{reisen-ct => ct/proxmox}/filesystem.nix | 5 +- nixos/ct/proxmox/network.nix | 26 ++++++++ .../proxmox.nix => ct/proxmox/system.nix} | 17 ++--- .../network.nix => ct/reisen/dns.nix} | 19 ------ nixos/ct/reisen/proxmox.nix | 15 +++++ nixos/hw/proxmox.nix | 23 +++++++ nixos/reisen-ct.nix | 4 ++ packages/default.nix | 5 ++ readme.md | 6 +- systems/{ct => ct-meiling}/default.nix | 0 systems/ct-meiling/nixos.nix | 35 +++++++++++ systems/ct-reisen/default.nix | 15 +++++ systems/{ct => ct-reisen}/nixos.nix | 9 ++- systems/meiling/default.nix | 49 +++++++++++++++ systems/meiling/extern.json | 10 +++ systems/meiling/root.authorized_keys | 7 +++ systems/meiling/setup.sh | 14 +++++ systems/meiling/sysctl.50-net.conf | 4 ++ systems/meiling/systems.json | 1 + systems/meiling/users.json | 30 +++++++++ systems/reisen/default.nix | 10 ++- tf/cloudflare_records.tf | 7 +++ tf/tailscale_devices.tf | 32 ++++++++-- 30 files changed, 431 insertions(+), 70 deletions(-) create mode 100644 nixos/ct/meiling/proxmox.nix rename nixos/{reisen-ct => ct/proxmox}/filesystem.nix (63%) create mode 100644 nixos/ct/proxmox/network.nix rename nixos/{reisen-ct/proxmox.nix => ct/proxmox/system.nix} (67%) rename nixos/{reisen-ct/network.nix => ct/reisen/dns.nix} (51%) create mode 100644 nixos/ct/reisen/proxmox.nix create mode 100644 nixos/hw/proxmox.nix create mode 100644 nixos/reisen-ct.nix rename systems/{ct => ct-meiling}/default.nix (100%) create mode 100644 systems/ct-meiling/nixos.nix create mode 100644 systems/ct-reisen/default.nix rename systems/{ct => ct-reisen}/nixos.nix (79%) create mode 100644 systems/meiling/default.nix create mode 100644 systems/meiling/extern.json create mode 
100644 systems/meiling/root.authorized_keys create mode 100644 systems/meiling/setup.sh create mode 100644 systems/meiling/sysctl.50-net.conf create mode 100644 systems/meiling/systems.json create mode 100644 systems/meiling/users.json diff --git a/.github/workflows/nodes.yml b/.github/workflows/nodes.yml index 98ed24b4..89e336b2 100644 --- a/.github/workflows/nodes.yml +++ b/.github/workflows/nodes.yml @@ -79,8 +79,8 @@ jobs: args: -u .github/workflows/nodes.yml .ci/workflow.yml attrs: nixpkgs.diffutils command: diff - ct: - name: nodes-ct + ct-meiling: + name: nodes-ct-meiling runs-on: ubuntu-latest steps: - id: checkout @@ -95,7 +95,7 @@ jobs: name: nix test dirty uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.ct.run.test + attrs: ci.job.ct-meiling.run.test command: ci-build-dirty quiet: false stdout: ${{ runner.temp }}/ci.build.dirty @@ -103,7 +103,7 @@ jobs: name: nix test build uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.ct.run.test + attrs: ci.job.ct-meiling.run.test command: ci-build-realise ignore-exit-code: true quiet: false @@ -114,7 +114,7 @@ jobs: name: nix test results uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.ct.run.test + attrs: ci.job.ct-meiling.run.test command: ci-build-summarise quiet: false stdin: ${{ runner.temp }}/ci.build.dirty 
@@ -126,7 +126,58 @@ jobs: name: nix test cache uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.ct.run.test + attrs: ci.job.ct-meiling.run.test + command: ci-build-cache + quiet: false + stdin: ${{ runner.temp }}/ci.build.cache + ct-reisen: + name: nodes-ct-reisen + runs-on: ubuntu-latest + steps: + - id: checkout + name: git clone + uses: actions/checkout@v4 + with: + submodules: false + - id: nix-install + name: nix install + uses: arcnmx/ci/actions/nix/install@v0.7 + - id: ci-dirty + name: nix test dirty + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.ct-reisen.run.test + command: ci-build-dirty + quiet: false + stdout: ${{ runner.temp }}/ci.build.dirty + - id: ci-test + name: nix test build + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.ct-reisen.run.test + command: ci-build-realise + ignore-exit-code: true + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + - env: + CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} + id: ci-summary + name: nix test results + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.ct-reisen.run.test + command: ci-build-summarise + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + stdout: ${{ runner.temp }}/ci.build.cache + - env: + CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} + id: ci-cache + if: always() + name: nix test cache + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.ct-reisen.run.test command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache diff --git a/ci/generate.sh b/ci/generate.sh index 564075f8..7f7cb496 100644 --- a/ci/generate.sh +++ b/ci/generate.sh 
@@ -32,7 +32,8 @@ nf-eval() { } -for node in reisen; do +NF_NODES=$(nix eval --json "${NF_CONFIG_ROOT}#lib.generate.nodeNames") +for node in $(jq -r '.[]' <<<"$NF_NODES"); do nf-eval --json "lib.generate.nodes.$node.users" "systems/$node/users.json" nf-eval --json "lib.generate.nodes.$node.systems" "systems/$node/systems.json" nf-eval --json "lib.generate.nodes.$node.extern" "systems/$node/extern.json" diff --git a/ci/systems.json b/ci/systems.json index 72aacbf7..b0e1ce0f 100644 --- a/ci/systems.json +++ b/ci/systems.json @@ -37,9 +37,24 @@ } } }, - "ct": { + "ct-meiling": { "network": { - "hostName": "ct", + "hostName": "ct-meiling", + "networks": { + "global": null, + "int": null, + "local": { + "address4": null, + "address6": null, + "macAddress": null + }, + "tail": null + } + } + }, + "ct-reisen": { + "network": { + "hostName": "ct-reisen", "networks": { "global": null, "int": null, @@ -328,6 +343,29 @@ } } }, + "meiling": { + "network": { + "hostName": "meiling", + "networks": { + "global": { + "address4": "49.12.128.117", + "address6": null, + "macAddress": null + }, + "int": { + "address4": "10.9.1.4", + "address6": "fd0c::4", + "macAddress": null + }, + "local": null, + "tail": { + "address4": "100.67.99.30", + "address6": "fd7a:115c:a1e0::dc34:631e", + "macAddress": null + } + } + } + }, "minecraft": { "network": { "hostName": "minecraft", @@ -419,7 +457,11 @@ "address6": null, "macAddress": null }, - "tail": null + "tail": { + "address4": "100.101.208.19", + "address6": "fd7a:115c:a1e0::3034:d013", + "macAddress": null + } } } }, diff --git a/ci/tarball.sh b/ci/tarball.sh index 5eeab8d8..448982e9 100644 --- a/ci/tarball.sh +++ b/ci/tarball.sh @@ -4,7 +4,7 @@ if [[ $# -gt 0 ]]; then ARG_NODE=$1 shift else - ARG_NODE=ct + ARG_NODE=ct-reisen fi ARG_CONFIG_PATH=nixosConfigurations.$ARG_NODE.config 
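Review bot: A failed `nix eval` leaves `NF_NODES` empty, `jq -r '.[]'` then emits nothing, and the loop silently generates no JSON while the script still exits 0 — unless the script header (outside this hunk) enables `set -e`, which the hunk does not show. Guarding the assignment directly avoids depending on that: `NF_NODES=$(nix eval --json "${NF_CONFIG_ROOT}#lib.generate.nodeNames") || exit 1`. The unquoted `$(jq …)` expansion is acceptable only because node names are flake attribute names without whitespace or glob characters; a one-line comment stating that assumption would help the next reader.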
@@ -12,16 +12,16 @@ RESULT=$(nix build --no-link --print-out-paths \ "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.system.build.tarball" \ --show-trace "$@") -if [[ $ARG_NODE = ct ]]; then - DATESTAMP=$(nix eval --raw "${NF_CONFIG_ROOT}#lib.inputs.nixpkgs.sourceInfo.lastModifiedDate") - DATENAME=${DATESTAMP:0:4}${DATESTAMP:4:2}${DATESTAMP:6:2} - SYSARCH=$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.nixpkgs.system") - TAREXT=$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.system.build.tarball.extension") - TARNAME=nixos-system-$SYSARCH.tar$TAREXT - OUTNAME="ct-$DATENAME-$TARNAME" - ln -sf "$RESULT/tarball/$TARNAME" "$OUTNAME" +IMAGEPATH="$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.image.filePath")" +if [[ $ARG_NODE = ct-* ]]; then + #DATESTAMP=$(nix eval --raw "${NF_CONFIG_ROOT}#lib.inputs.nixpkgs.sourceInfo.lastModifiedDate") + #DATENAME=${DATESTAMP:0:4}${DATESTAMP:4:2}${DATESTAMP:6:2} + #IMAGEEXT="$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.image.extension")" + #OUTNAME="$ARG_NODE-$DATENAME-nixos-image.${IMAGEEXT}" + OUTNAME=$(basename "$IMAGEPATH") + ln -sf "$RESULT/$IMAGEPATH" "./$OUTNAME" echo $OUTNAME - ls -l $OUTNAME + ls -l $OUTNAME >&2 else - echo $RESULT + echo "$RESULT/$IMAGEPATH" fi diff --git a/generate.nix b/generate.nix index 9b67ffed..3fc23c0d 100644 --- a/generate.nix +++ b/generate.nix @@ -3,7 +3,7 @@ tree, }: let nixlib = inputs.nixpkgs.lib; - inherit (nixlib.attrsets) mapAttrs mapAttrs' nameValuePair filterAttrs mapAttrsToList; + inherit (nixlib.attrsets) attrNames mapAttrs mapAttrs' nameValuePair filterAttrs mapAttrsToList; inherit (nixlib.lists) sortOn; inherit (inputs.self.lib.lib) userIs; inherit (inputs.self.lib.gensokyo-zone) systems; @@ -91,5 +91,6 @@ in { nodes = filterAttrs (_: node: node.proxmox.node.enable) systems; in mapAttrs (_: mkNode) nodes; + nodeNames = attrNames inputs.self.lib.generate.nodes; systems = mapAttrs mkSystem systems; } 
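Review bot: The four commented-out `DATESTAMP`/`DATENAME`/`IMAGEEXT`/`OUTNAME` lines inside the `ct-*` branch are dead code now that `OUTNAME=$(basename "$IMAGEPATH")` replaces them; git history keeps the old naming scheme, so they should be deleted rather than kept as comments. The new `ls -l $OUTNAME >&2` also drops the quoting that `ln -sf "$RESULT/$IMAGEPATH" "./$OUTNAME"` applies one line earlier; `ls -l "$OUTNAME" >&2` keeps the two consistent, and the same applies to the neighbouring `echo $OUTNAME`.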
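Review bot: `nodeNames = attrNames inputs.self.lib.generate.nodes;` reaches back through the flake's own `lib.generate` output to read an attribute defined in the same attrset, instead of reusing the filter that produces `nodes` one line above. Since `filterAttrs` and `systems` are already in scope from the first hunk, `nodeNames = attrNames (filterAttrs (_: node: node.proxmox.node.enable) systems);` gives the same result without the self-reference; alternatively hoist the `nodes` binding into the outer `let` (which starts outside this hunk) and use it for both attributes.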
diff --git a/nixos/access/proxmox.nix b/nixos/access/proxmox.nix index 4dd33358..25a36596 100644 --- a/nixos/access/proxmox.nix +++ b/nixos/access/proxmox.nix @@ -7,7 +7,8 @@ inherit (lib.modules) mkDefault; inherit (lib.strings) escapeRegex; inherit (config.services) nginx tailscale; - proxyPass = access.proxyUrlFor {serviceName = "proxmox";} + "/"; + # TODO: submodule/instancing or options + proxyPass = access.proxyUrlFor {serviceName = "proxmox"; serviceId = "proxmox-reisen"; } + "/"; in { config.services.nginx.virtualHosts = let locations."/" = { diff --git a/nixos/ct/meiling/proxmox.nix b/nixos/ct/meiling/proxmox.nix new file mode 100644 index 00000000..35e48124 --- /dev/null +++ b/nixos/ct/meiling/proxmox.nix @@ -0,0 +1,16 @@ +{ + lib, + meta, + ... +}: let + inherit (lib.modules) mkDefault; +in { + imports = let + inherit (meta) nixos; + in [ + nixos.ct.proxmox + nixos.avahi + ]; + + services.kanidm.serverSettings.db_fs_type = mkDefault "zfs"; +} diff --git a/nixos/reisen-ct/filesystem.nix b/nixos/ct/proxmox/filesystem.nix similarity index 63% rename from nixos/reisen-ct/filesystem.nix rename to nixos/ct/proxmox/filesystem.nix index 33b3997a..4d51c59f 100644 --- a/nixos/reisen-ct/filesystem.nix +++ b/nixos/ct/proxmox/filesystem.nix @@ -1,7 +1,4 @@ -{lib, ...}: let - inherit (lib) mkDefault; -in { - services.kanidm.serverSettings.db_fs_type = mkDefault "zfs"; +_: { # work around a filesystem issue when migrating an unprivileged container to privileged boot.postBootCommands = '' if [[ $(stat -c '%u' /) != 0 ]]; then diff --git a/nixos/ct/proxmox/network.nix b/nixos/ct/proxmox/network.nix new file mode 100644 index 00000000..b2f4080e --- /dev/null +++ b/nixos/ct/proxmox/network.nix 
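Review bot: The `# TODO: submodule/instancing or options` comment does not say that, with `serviceId = "proxmox-reisen"` hard-coded, only the reisen Proxmox instance is reachable through this nginx virtual host, while the `proxmox-meiling` export added in systems/meiling/default.nix in the same commit is intentionally not proxied. A one-line addition such as `# only the reisen instance is proxied for now; proxmox-meiling is deliberately not exposed here` records that decision for whoever picks up the TODO. The enclosing `let` and the `virtualHosts` block continue outside this hunk.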
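Review bot: `services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";` is removed from the shared filesystem.nix in this commit and then re-added verbatim in both per-node files, here and in nixos/ct/reisen/proxmox.nix; the two files otherwise differ only in the `nixos.avahi` import. Keeping the kanidm setting in the shared `nixos.ct.proxmox` module (where it was) leaves each per-node file with just its import list, and avoids the two copies drifting.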
@@ -0,0 +1,26 @@ +{ + lib, + gensokyo-zone, + config, + options, + ... +}: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; + inherit (lib.modules) mkIf; +in { + systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) { + serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [ + "+-${config.systemd.package}/bin/resolvectl mdns ${config.systemd.network.networks._00-local.name or "eth0"} yes" + ]; + }; + systemd.network.networks._00-local = mkIf (! options ? proxmoxLXC) { + name = mkAlmostOptionDefault "ens18"; + linkConfig.Multicast = true; + networkConfig.MulticastDNS = true; + }; + + boot.kernel.sysctl = { + # not sure how to get it to overlap with subgid/idmap... + "net.ipv4.ping_group_range" = "0 7999"; + }; +} diff --git a/nixos/reisen-ct/proxmox.nix b/nixos/ct/proxmox/system.nix similarity index 67% rename from nixos/reisen-ct/proxmox.nix rename to nixos/ct/proxmox/system.nix index 5938ed52..9d2f788a 100644 --- a/nixos/reisen-ct/proxmox.nix +++ b/nixos/ct/proxmox/system.nix @@ -1,31 +1,22 @@ { + config, systemConfig, gensokyo-zone, lib, - modulesPath, meta, ... }: let inherit (gensokyo-zone.lib) unmerged; - inherit (lib.modules) mkIf mkMerge mkDefault; + inherit (lib.modules) mkIf mkMerge; inherit (lib.attrsets) mapAttrsToList; inherit (systemConfig) proxmox; in { imports = let inherit (meta) nixos; in [ - nixos.hw.headless - (modulesPath + "/virtualisation/proxmox-lxc.nix") + nixos.hw.proxmox ]; - environment.variables = { - # nix default is way too big - GC_INITIAL_HEAP_SIZE = mkDefault "8M"; - }; - # XXX: this might be okay if the nix daemon's tmp is overridden - # (but still avoid since containers are usually low on provisioned memory) - boot.tmp.useTmpfs = mkDefault false; - proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true; systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: 
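Review bot: The `options ? proxmoxLXC` test that selects between the avahi `ExecStartPre` and the `ens18` link config is undocumented, and since nixos/ct/proxmox/system.nix in this commit imports `nixos.hw.proxmox`, which imports `virtualisation/proxmox-lxc.nix` (the module that defines `proxmoxLXC`), the `mkIf (! options ? proxmoxLXC)` branch may be unreachable whenever this file is only ever loaded alongside it — worth confirming. A comment above the first `mkIf` such as `# options ? proxmoxLXC holds only when the proxmox-lxc module is imported, i.e. inside a container; the ens18 link config below is for non-LXC use` would make the intent checkable. The `+-` prefix on the `resolvectl` command (run with full privileges, failure ignored) also deserves a short comment, since a failed `resolvectl mdns … yes` is silently skipped.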
@@ -42,4 +33,6 @@ in { lan.nftables.conditions = intConditions; local.nftables.conditions = intConditions; }; + + image.baseName = "${systemConfig.name}-${config.system.nixos.label}-proxmox"; } diff --git a/nixos/reisen-ct/network.nix b/nixos/ct/reisen/dns.nix similarity index 51% rename from nixos/reisen-ct/network.nix rename to nixos/ct/reisen/dns.nix index 1f1f758a..4a950fc0 100644 --- a/nixos/reisen-ct/network.nix +++ b/nixos/ct/reisen/dns.nix @@ -1,13 +1,10 @@ { lib, - gensokyo-zone, config, - options, meta, access, ... }: let - inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (lib.modules) mkIf mkBefore mkOrder; enableDns = !config.services.dnsmasq.enable && config.networking.hostName != "utsuho"; in { @@ -17,17 +14,6 @@ in { nixos.avahi ]; - #services.resolved.enable = mkIf enableDns false; - systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) { - serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [ - "+-${config.systemd.package}/bin/resolvectl mdns ${config.systemd.network.networks._00-local.name or "eth0"} yes" - ]; - }; - systemd.network.networks._00-local = mkIf (! options ? proxmoxLXC) { - name = mkAlmostOptionDefault "ens18"; - linkConfig.Multicast = true; - networkConfig.MulticastDNS = true; - }; networking.nameservers' = mkIf enableDns (mkBefore [ {address = access.getAddressFor (access.systemForService "dnsmasq").name "lan";} ]); @@ -39,9 +25,4 @@ in { services.resolved.extraConfig = mkIf enableDns '' DNSStubListener=no ''; - - boot.kernel.sysctl = { - # not sure how to get it to overlap with subgid/idmap... - "net.ipv4.ping_group_range" = "0 7999"; - }; } diff --git a/nixos/ct/reisen/proxmox.nix b/nixos/ct/reisen/proxmox.nix new file mode 100644 index 00000000..6ec01320 --- /dev/null +++ b/nixos/ct/reisen/proxmox.nix 
@@ -0,0 +1,15 @@ +{ + lib, + meta, + ... +}: let + inherit (lib.modules) mkDefault; +in { + imports = let + inherit (meta) nixos; + in [ + nixos.ct.proxmox + ]; + + services.kanidm.serverSettings.db_fs_type = mkDefault "zfs"; +} diff --git a/nixos/hw/proxmox.nix b/nixos/hw/proxmox.nix new file mode 100644 index 00000000..85660202 --- /dev/null +++ b/nixos/hw/proxmox.nix @@ -0,0 +1,23 @@ +{ + lib, + modulesPath, + meta, + ... +}: let + inherit (lib.modules) mkDefault; +in { + imports = let + inherit (meta) nixos; + in [ + nixos.hw.headless + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ]; + + environment.variables = { + # nix default is way too big + GC_INITIAL_HEAP_SIZE = mkDefault "8M"; + }; + # XXX: this might be okay if the nix daemon's tmp is overridden + # (but still avoid since containers are usually low on provisioned memory) + boot.tmp.useTmpfs = mkDefault false; +} diff --git a/nixos/reisen-ct.nix b/nixos/reisen-ct.nix new file mode 100644 index 00000000..02a3df1c --- /dev/null +++ b/nixos/reisen-ct.nix @@ -0,0 +1,4 @@ +{ meta, ... }: { + # deprecated alias + imports = [ meta.nixos.ct.reisen ]; +} diff --git a/packages/default.nix b/packages/default.nix index 125853b6..0e4d4dfe 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -67,6 +67,11 @@ nodeType = "proxmox"; userReferenceSystem = "hakurei"; }; + meiling = { + root = ../systems/meiling; + nodeType = "proxmox"; + userReferenceSystem = "ct-meiling"; + }; }; inherit (inputs.self.lib.lib) userIs; INPUT_INFRABINS = string.escapeShellArg [ "putfile64" "pve" "mkpam" "ct-config" ]; diff --git a/readme.md b/readme.md index 54b264a7..46327cb6 100644 --- a/readme.md +++ b/readme.md @@ -28,7 +28,7 @@ deploy -s .# # with trace deploy -s .# -- --show-trace # deploy a fresh container -deploy -s .# --hostname ct.local +deploy -s .# --hostname ct-reisen.local ``` ## Editing Secrets 
@@ -42,7 +42,7 @@ sops nixos/systems/tewi/secrets.yaml ```shell nf-sops-keyscan # or on a fresh container... -nf-sops-keyscan ct.local +nf-sops-keyscan ct-reisen.local vim .sops.yaml for nfsecret in access nix; do sops updatekeys nixos/secrets/$nfsecret.yaml; done ``` @@ -60,7 +60,7 @@ nf-tf init -upgrade ### Template ```shell -nf-tarball ct +nf-tarball ct-reisen ``` [docs-badge]: https://img.shields.io/badge/API-docs-blue.svg?style=flat-square diff --git a/systems/ct/default.nix b/systems/ct-meiling/default.nix similarity index 100% rename from systems/ct/default.nix rename to systems/ct-meiling/default.nix diff --git a/systems/ct-meiling/nixos.nix b/systems/ct-meiling/nixos.nix new file mode 100644 index 00000000..7c7341d2 --- /dev/null +++ b/systems/ct-meiling/nixos.nix @@ -0,0 +1,35 @@ +{meta, lib, ...}: { + imports = with meta; [ + nixos.ct.meiling + ]; + + # allow proxmox to provide us with our hostname + environment.etc.hostname.enable = false; + services.avahi.hostName = ""; + + system = { + stateVersion = "25.05"; + nixos.tags = lib.mkForce [ "template" ]; + }; + environment.etc."systemd/network/eth9.network.d/int.conf".text = '' + [Match] + Name=eth9 + Type=ether + + [Link] + RequiredForOnline=false + + [Network] + IPv6AcceptRA=true + IPv6SendRA=false + DHCP=no + + [IPv6Prefix] + AddressAutoconfiguration=false + Prefix=fd0c::/64 + Assign=true + + [IPv6AcceptRA] + DHCPv6Client=false + ''; +} diff --git a/systems/ct-reisen/default.nix b/systems/ct-reisen/default.nix new file mode 100644 index 00000000..c48a418a --- /dev/null +++ b/systems/ct-reisen/default.nix @@ -0,0 +1,15 @@ +_: { + arch = "x86_64"; + type = "NixOS"; + modules = [ + ./nixos.nix + ]; + access.online.enable = false; + network.networks = { + local = { + fqdn = null; + address4 = null; + address6 = null; + }; + }; +} 
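Review bot: systems/ct-meiling/nixos.nix is a copy of systems/ct-reisen/nixos.nix (see the rename hunk that follows), differing only in the `nixos.ct.meiling` import and `stateVersion = "25.05"`; the hostname/avahi settings and the whole `eth9.network.d/int.conf` drop-in are duplicated. Moving those shared parts into the `nixos.ct.proxmox` module would leave each template with just its import and state version. `nixos.tags = lib.mkForce [ "template" ]` also discards any tag another module sets; if the intent is merely to add the tag, plain `[ "template" ]` is enough, and if the intent really is to override everything, a comment saying so would help.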
diff --git a/systems/ct/nixos.nix b/systems/ct-reisen/nixos.nix similarity index 79% rename from systems/ct/nixos.nix rename to systems/ct-reisen/nixos.nix index c42432d2..073fabb3 100644 --- a/systems/ct/nixos.nix +++ b/systems/ct-reisen/nixos.nix @@ -1,13 +1,16 @@ -{meta, ...}: { +{meta, lib, ...}: { imports = with meta; [ - nixos.reisen-ct + nixos.ct.reisen ]; # allow proxmox to provide us with our hostname environment.etc.hostname.enable = false; services.avahi.hostName = ""; - system.stateVersion = "23.11"; + system = { + stateVersion = "23.11"; + nixos.tags = lib.mkForce [ "template" ]; + }; environment.etc."systemd/network/eth9.network.d/int.conf".text = '' [Match] Name=eth9 diff --git a/systems/meiling/default.nix b/systems/meiling/default.nix new file mode 100644 index 00000000..0ba67aea --- /dev/null +++ b/systems/meiling/default.nix @@ -0,0 +1,49 @@ +{lib, config, ...}: { + type = "Linux"; + proxmox.node = { + enable = true; + }; + access = { + online.available = true; + global.enable = true; + }; + extern.files = { + "/etc/sysctl.d/50-net.conf" = { + source = ./sysctl.50-net.conf; + }; + }; + network.networks = { + global = { + address4 = "49.12.128.117"; + address6 = null; + }; + local = { + inherit (config.network.networks.global) address4; + address6 = null; + }; + int = { + address4 = "10.9.1.4"; + address6 = "fd0c::4"; + }; + tail = { + address4 = "100.67.99.30"; + address6 = "fd7a:115c:a1e0::dc34:631e"; + }; + }; + exports = { + services = { + tailscale.enable = true; + sshd = { + enable = true; + ports = { + public.enable = false; + standard.listen = "wan"; + }; + }; + proxmox = { + enable = true; + id = "proxmox-meiling"; + }; + }; + }; +} diff --git a/systems/meiling/extern.json b/systems/meiling/extern.json new file mode 100644 index 00000000..9a67f4dd --- /dev/null +++ b/systems/meiling/extern.json 
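Review bot: `local = { inherit (config.network.networks.global) address4; … }` makes meiling's "local" network an alias of its public address, so any consumer that treats `local` as a trusted segment (nixos/ct/proxmox/system.nix in this commit feeds `local.nftables.conditions` the same conditions as `lan`, for containers) would then match Internet-reachable traffic; which other modules key on `local` is not visible here, so this needs checking. A comment at the `local` block such as `# no private LAN on this host: "local" aliases the public address and must not be treated as a trusted zone` would make that explicit. Likewise `sshd.ports.standard.listen = "wan"` differs from reisen's sshd export and merits a one-line reason.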
@@ -0,0 +1,10 @@ +{ + "files": { + "/etc/sysctl.d/50-net.conf": { + "group": "root", + "mode": "0644", + "owner": "root", + "source": "systems/meiling/sysctl.50-net.conf" + } + } +} diff --git a/systems/meiling/root.authorized_keys b/systems/meiling/root.authorized_keys new file mode 100644 index 00000000..4338ba0e --- /dev/null +++ b/systems/meiling/root.authorized_keys @@ -0,0 +1,7 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp +ssh-rsa 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 yubikey5 +ssh-rsa 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 cardno:12 078 454 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIC3RkyoQ74bb4NGv1H1bZAz5ROO0Zr6FT8TYpowgGUp kat@chen + diff --git a/systems/meiling/setup.sh b/systems/meiling/setup.sh new file mode 100644 index 00000000..50e90d4e --- /dev/null +++ b/systems/meiling/setup.sh @@ -0,0 +1,14 @@ +mkshared-nix() { + mkshared nix 0 0 0755 + if [[ ! -d /rpool/shared/nix/store ]]; then + zfs create -o compression=zstd rpool/shared/nix/store + fi + if [[ ! -d /rpool/shared/nix/var ]]; then + mkdir /rpool/shared/nix/var + fi + chown 100000:30000 /rpool/shared/nix/store + chmod 1775 /rpool/shared/nix/store + chown 100000:100000 /rpool/shared/nix/var +} + +#mkshared-nix diff --git a/systems/meiling/sysctl.50-net.conf b/systems/meiling/sysctl.50-net.conf new file mode 100644 index 00000000..4064f6db --- /dev/null +++ b/systems/meiling/sysctl.50-net.conf @@ -0,0 +1,4 @@ +net.ipv4.ping_group_range=0 2147483647 +# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes +net.core.rmem_max=2500000 +net.core.wmem_max=2500000 diff --git a/systems/meiling/systems.json b/systems/meiling/systems.json new file mode 100644 index 00000000..0967ef42 --- /dev/null +++ b/systems/meiling/systems.json 
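Review bot: `mkshared-nix` calls `mkshared`, which is not defined in this file, and the file has no shebang, so it is presumably meant to be sourced into an environment that provides it; a header comment stating that (`# sourced by the node setup environment; expects mkshared to be defined`) would avoid someone running it directly. The numeric ids in `chown 100000:30000` / `chown 100000:100000` and the `chmod 1775` on the store are also undocumented; a comment like `# 100000 = uid/gid 0 of the unprivileged container idmap, 30000 = its build group — verify against /etc/subuid and /etc/subgid` would record the assumption. The `[[ ! -d … ]]` guards also treat an existing plain directory as an existing dataset, which may be fine for a one-off script but is worth noting.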
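Review bot: `net.ipv4.ping_group_range=0 2147483647` opens unprivileged ICMP echo sockets to every gid on the host but carries no comment, while the two buffer lines below cite their source; the container-side counterpart in nixos/ct/proxmox/network.nix uses `0 7999` with a note about idmap overlap, so the two should reference each other. A line such as `# allow unprivileged ping for all gids, including idmapped container ranges (cf. nixos/ct/proxmox/network.nix)` above it would do. This file is installed world-readable (mode 0644 per systems/meiling/extern.json), so the comment carries no sensitive content.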
@@ -0,0 +1 @@ +{} diff --git a/systems/meiling/users.json b/systems/meiling/users.json new file mode 100644 index 00000000..97dd1082 --- /dev/null +++ b/systems/meiling/users.json @@ -0,0 +1,30 @@ +[ + { + "authorizedKeys": [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCocjQqiDIvzq+Qu3jkf7FXw5piwtvZ1Mihw9cVjdVcsra3U2c9WYtYrA3rS50N3p00oUqQm9z1KUrvHzdE+03ZCrvaGdrtYVsaeoCuuvw7qxTQRbItTAEsfRcZLQ5c1v/57HNYNEsjVrt8VukMPRXWgl+lmzh37dd9w45cCY1QPi+JXQQ/4i9Vc3aWSe4X6PHOEMSBHxepnxm5VNHm4PObGcVbjBf0OkunMeztd1YYA9sEPyEK3b8IHxDl34e5t6NDLCIDz0N/UgzCxSxoz+YJ0feQuZtud/YLkuQcMxW2dSGvnJ0nYy7SA5DkW1oqcy6CGDndHl5StOlJ1IF9aGh0gGkx5SRrV7HOGvapR60RphKrR5zQbFFka99kvSQgOZqSB3CGDEQGHv8dXKXIFlzX78jjWDOBT67vA/M9BK9FS2iNnBF5x6shJ9SU5IK4ySxq8qvN7Us8emkN3pyO8yqgsSOzzJT1JmWUAx0tZWG/BwKcFBHfceAPQl6pwxx28TM3BTBRYdzPJLTkAy48y6iXW6UYdfAPlShy79IYjQtEThTuIiEzdzgYdros0x3PDniuAP0KOKMgbikr0gRa6zahPjf0qqBnHeLB6nHAfaVzI0aNbhOg2bdOueE1FX0x48sjKqjOpjlIfq4WeZp9REr2YHEsoLFOBfgId5P3BPtpBQ== yubikey5", + "ssh-rsa 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 cardno:12 078 454", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIC3RkyoQ74bb4NGv1H1bZAz5ROO0Zr6FT8TYpowgGUp kat@chen" + ], + "name": "kat", + "uid": 8000 + }, + { + "authorizedKeys": [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp" + ], + "name": "arc", + "uid": 8001 + }, + { + "authorizedKeys": [], + "name": "kaosubaloo", + "uid": 8002 + }, + { + "authorizedKeys": [], + "name": "connieallure", + "uid": 8003 + } +] diff --git a/systems/reisen/default.nix b/systems/reisen/default.nix index 24b6a3f1..9ca6dd40 100644 --- a/systems/reisen/default.nix +++ b/systems/reisen/default.nix 
@@ -34,14 +34,22 @@ _: { address4 = "10.9.1.2"; address6 = "fd0c::2"; }; + tail = { + address4 = "100.101.208.19"; + address6 = "fd7a:115c:a1e0::3034:d013"; + }; }; exports = { services = { + tailscale.enable = true; sshd = { enable = true; ports.public.enable = false; }; - proxmox.enable = true; + proxmox = { + enable = true; + id = "proxmox-reisen"; + }; }; }; } diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf index 17c9ce92..e78a569e 100644 --- a/tf/cloudflare_records.tf +++ b/tf/cloudflare_records.tf @@ -247,3 +247,10 @@ module "koishi_system_records" { zone_zone = cloudflare_zone.gensokyo-zone_zone.zone net_data = local.systems.koishi.network } + +module "meiling_system_records" { + source = "./system/records" + zone_id = cloudflare_zone.gensokyo-zone_zone.id + zone_zone = cloudflare_zone.gensokyo-zone_zone.zone + net_data = local.systems.meiling.network +} diff --git a/tf/tailscale_devices.tf b/tf/tailscale_devices.tf index 8f36046a..fa3a93fd 100644 --- a/tf/tailscale_devices.tf +++ b/tf/tailscale_devices.tf @@ -2,6 +2,7 @@ locals { tailscale_tag_infra = "tag:infrastructure" tailscale_tag_genso = "tag:gensokyo" tailscale_tag_reisen = "tag:reisen" + tailscale_tag_meiling = "tag:meiling" tailscale_tag_minecraft = "tag:minecraft" tailscale_tag_rtl = "tag:rtl" 
@@ -16,11 +17,12 @@ locals { tailscale_group_member = "autogroup:member" tailscale_group_admin = "autogroup:admin" - tailscale_tags_genso = [local.tailscale_tag_infra, local.tailscale_tag_genso] - tailscale_tags_reisen = concat(local.tailscale_tags_genso, [local.tailscale_tag_reisen]) - tailscale_tags_arc = [local.tailscale_user_arc, local.tailscale_tag_arc] - tailscale_tags_kat = [local.tailscale_user_kat, local.tailscale_tag_kat] - tailscale_tags_peeps = concat(local.tailscale_tags_arc, local.tailscale_tags_kat) + tailscale_tags_genso = [local.tailscale_tag_infra, local.tailscale_tag_genso] + tailscale_tags_reisen = concat(local.tailscale_tags_genso, [local.tailscale_tag_reisen]) + tailscale_tags_meiling = concat(local.tailscale_tags_genso, [local.tailscale_tag_meiling]) + tailscale_tags_arc = [local.tailscale_user_arc, local.tailscale_tag_arc] + tailscale_tags_kat = [local.tailscale_user_kat, local.tailscale_tag_kat] + tailscale_tags_peeps = concat(local.tailscale_tags_arc, local.tailscale_tags_kat) } resource "tailscale_acl" "tailnet" { @@ -28,6 +30,7 @@ resource "tailscale_acl" "tailnet" { tagOwners = { "${local.tailscale_tag_infra}" : [local.tailscale_group_admin], "${local.tailscale_tag_reisen}" : [local.tailscale_group_admin, local.tailscale_tag_infra], + "${local.tailscale_tag_meiling}" : [local.tailscale_group_admin, local.tailscale_tag_infra], "${local.tailscale_tag_genso}" : [local.tailscale_group_admin, local.tailscale_tag_arc_deploy, local.tailscale_tag_kat_deploy], "${local.tailscale_tag_minecraft}" : [local.tailscale_group_admin, local.tailscale_tag_infra], "${local.tailscale_tag_rtl}" : [local.tailscale_group_admin, local.tailscale_tag_infra], 
@@ -47,6 +50,11 @@ resource "tailscale_acl" "tailnet" { src = [local.tailscale_tag_reisen] dst = ["${local.tailscale_tag_reisen}:*"] }, + { + action = "accept" + src = [local.tailscale_tag_meiling] + dst = ["${local.tailscale_tag_meiling}:*"] + }, { action = "accept" src = concat([local.tailscale_tag_genso], local.tailscale_tags_peeps) @@ -98,6 +106,15 @@ resource "tailscale_tailnet_key" "reisen" { depends_on = [tailscale_acl.tailnet] } +resource "tailscale_tailnet_key" "meiling" { + reusable = true + ephemeral = false + preauthorized = true + description = "Meiling VM" + tags = local.tailscale_tags_meiling + depends_on = [tailscale_acl.tailnet] +} + resource "tailscale_tailnet_key" "gensokyo" { reusable = true ephemeral = false @@ -112,6 +129,11 @@ output "tailscale_key_reisen" { sensitive = true } +output "tailscale_key_meiling" { + value = tailscale_tailnet_key.meiling.key + sensitive = true +} + output "tailscale_key_gensokyo" { value = tailscale_tailnet_key.gensokyo.key sensitive = true
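Review bot: The new `tailscale_tailnet_key.meiling` is `reusable = true`, `ephemeral = false` and `preauthorized = true` with no `expiry`, so it is a long-lived credential that enrolls any number of devices carrying the infra/gensokyo/meiling tags, and it is persisted in Terraform state and exported through `output "tailscale_key_meiling"`. It mirrors the existing reisen key, so this may be deliberate, but setting `expiry` (the provider's seconds argument) and rotating after the node is enrolled limits the blast radius of a leaked state file or output. Separately, `description = "Meiling VM"` is at odds with systems/meiling/default.nix, which configures meiling as a Proxmox node (`proxmox.node.enable = true`); if it is the host rather than a guest, `"Meiling Proxmox node"` is more accurate.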