feat: meiling

nixos/ct/meiling/proxmox.nix

@@ -0,0 +1,16 @@
+{
+  lib,
+  meta,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.ct.proxmox
+    nixos.avahi
+  ];
+
+  services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
+}

nixos/ct/proxmox/filesystem.nix

@@ -0,0 +1,8 @@
+_: {
+  # work around a filesystem issue when migrating an unprivileged container to privileged
+  boot.postBootCommands = ''
+    if [[ $(stat -c '%u' /) != 0 ]]; then
+      chown 0:0 / /*
+    fi
+  '';
+}

nixos/ct/proxmox/network.nix

@@ -0,0 +1,26 @@
+{
+  lib,
+  gensokyo-zone,
+  config,
+  options,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+  inherit (lib.modules) mkIf;
+in {
+  systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) {
+    serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [
+      "+-${config.systemd.package}/bin/resolvectl mdns ${config.systemd.network.networks._00-local.name or "eth0"} yes"
+    ];
+  };
+  systemd.network.networks._00-local = mkIf (! options ? proxmoxLXC) {
+    name = mkAlmostOptionDefault "ens18";
+    linkConfig.Multicast = true;
+    networkConfig.MulticastDNS = true;
+  };
+
+  boot.kernel.sysctl = {
+    # not sure how to get it to overlap with subgid/idmap...
+    "net.ipv4.ping_group_range" = "0 7999";
+  };
+}

nixos/ct/proxmox/system.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  systemConfig,
+  gensokyo-zone,
+  lib,
+  meta,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) unmerged;
+  inherit (lib.modules) mkIf mkMerge;
+  inherit (lib.attrsets) mapAttrsToList;
+  inherit (systemConfig) proxmox;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.hw.proxmox
+  ];
+
+  proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;
+
+  systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface:
+    mkIf (interface.enable && interface.networkd.enable) {
+      networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
+    })
+  proxmox.network.interfaces));
+
+  networking.firewall.interfaces = let
+    inherit (proxmox.network) internal;
+    intConditions = ["iifname ${internal.interface.name}"];
+  in
+    mkIf (internal.interface != null) {
+      lan.nftables.conditions = intConditions;
+      local.nftables.conditions = intConditions;
+    };
+
+  image.baseName = "${systemConfig.name}-${config.system.nixos.label}-proxmox";
+}

nixos/ct/reisen/dns.nix

@@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  meta,
+  access,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkBefore mkOrder;
+  enableDns = !config.services.dnsmasq.enable && config.networking.hostName != "utsuho";
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.avahi
+  ];
+
+  networking.nameservers' = mkIf enableDns (mkBefore [
+    {address = access.getAddressFor (access.systemForService "dnsmasq").name "lan";}
+  ]);
+  # prioritize our resolver over systemd-resolved!
+  system.nssDatabases.hosts = let
+    avahiResolverEnabled = config.services.avahi.enable && (config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4);
+  in
+    mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]);
+  services.resolved.extraConfig = mkIf enableDns ''
+    DNSStubListener=no
+  '';
+}

nixos/ct/reisen/proxmox.nix

@@ -0,0 +1,15 @@
+{
+  lib,
+  meta,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.ct.proxmox
+  ];
+
+  services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
+}