feat: meiling

.github/workflows/nodes.yml

@@ -79,8 +79,8 @@ jobs:
         args: -u .github/workflows/nodes.yml .ci/workflow.yml
         attrs: nixpkgs.diffutils
         command: diff
-  ct:
+  ct-meiling:
-    name: nodes-ct
+    name: nodes-ct-meiling
     runs-on: ubuntu-latest
     steps:
     - id: checkout
@@ -95,7 +95,7 @@ jobs:
       name: nix test dirty
       uses: arcnmx/ci/actions/nix/run@v0.7
       with:
-        attrs: ci.job.ct.run.test
+        attrs: ci.job.ct-meiling.run.test
         command: ci-build-dirty
         quiet: false
         stdout: ${{ runner.temp }}/ci.build.dirty
@@ -103,7 +103,7 @@ jobs:
       name: nix test build
       uses: arcnmx/ci/actions/nix/run@v0.7
       with:
-        attrs: ci.job.ct.run.test
+        attrs: ci.job.ct-meiling.run.test
         command: ci-build-realise
         ignore-exit-code: true
         quiet: false
@@ -114,7 +114,7 @@ jobs:
       name: nix test results
       uses: arcnmx/ci/actions/nix/run@v0.7
       with:
-        attrs: ci.job.ct.run.test
+        attrs: ci.job.ct-meiling.run.test
         command: ci-build-summarise
         quiet: false
         stdin: ${{ runner.temp }}/ci.build.dirty
@@ -126,7 +126,58 @@ jobs:
       name: nix test cache
       uses: arcnmx/ci/actions/nix/run@v0.7
       with:
-        attrs: ci.job.ct.run.test
+        attrs: ci.job.ct-meiling.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
+  ct-reisen:
+    name: nodes-ct-reisen
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.ct-reisen.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.ct-reisen.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.ct-reisen.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.ct-reisen.run.test
         command: ci-build-cache
         quiet: false
         stdin: ${{ runner.temp }}/ci.build.cache

ci/generate.sh

@@ -32,7 +32,8 @@ nf-eval() {
 
 }
 
-for node in reisen; do
+NF_NODES=$(nix eval --json "${NF_CONFIG_ROOT}#lib.generate.nodeNames")
+for node in $(jq -r '.[]' <<<"$NF_NODES"); do
 	nf-eval --json "lib.generate.nodes.$node.users" "systems/$node/users.json"
 	nf-eval --json "lib.generate.nodes.$node.systems" "systems/$node/systems.json"
 	nf-eval --json "lib.generate.nodes.$node.extern" "systems/$node/extern.json"

ci/systems.json

@@ -37,9 +37,24 @@
       }
     }
   },
-  "ct": {
+  "ct-meiling": {
     "network": {
-      "hostName": "ct",
+      "hostName": "ct-meiling",
+      "networks": {
+        "global": null,
+        "int": null,
+        "local": {
+          "address4": null,
+          "address6": null,
+          "macAddress": null
+        },
+        "tail": null
+      }
+    }
+  },
+  "ct-reisen": {
+    "network": {
+      "hostName": "ct-reisen",
       "networks": {
         "global": null,
         "int": null,
@@ -328,6 +343,29 @@
       }
     }
   },
+  "meiling": {
+    "network": {
+      "hostName": "meiling",
+      "networks": {
+        "global": {
+          "address4": "49.12.128.117",
+          "address6": null,
+          "macAddress": null
+        },
+        "int": {
+          "address4": "10.9.1.4",
+          "address6": "fd0c::4",
+          "macAddress": null
+        },
+        "local": null,
+        "tail": {
+          "address4": "100.67.99.30",
+          "address6": "fd7a:115c:a1e0::dc34:631e",
+          "macAddress": null
+        }
+      }
+    }
+  },
   "minecraft": {
     "network": {
       "hostName": "minecraft",
@@ -419,7 +457,11 @@
           "address6": null,
           "macAddress": null
         },
-        "tail": null
+        "tail": {
+          "address4": "100.101.208.19",
+          "address6": "fd7a:115c:a1e0::3034:d013",
+          "macAddress": null
+        }
       }
     }
   },

ci/tarball.sh

@@ -4,7 +4,7 @@ if [[ $# -gt 0 ]]; then
 	ARG_NODE=$1
 	shift
 else
-	ARG_NODE=ct
+	ARG_NODE=ct-reisen
 fi
 
 ARG_CONFIG_PATH=nixosConfigurations.$ARG_NODE.config
@@ -12,16 +12,16 @@ RESULT=$(nix build --no-link --print-out-paths \
 	"${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.system.build.tarball" \
 	--show-trace "$@")
 
-if [[ $ARG_NODE = ct ]]; then
+IMAGEPATH="$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.image.filePath")"
-	DATESTAMP=$(nix eval --raw "${NF_CONFIG_ROOT}#lib.inputs.nixpkgs.sourceInfo.lastModifiedDate")
+if [[ $ARG_NODE = ct-* ]]; then
-	DATENAME=${DATESTAMP:0:4}${DATESTAMP:4:2}${DATESTAMP:6:2}
+	#DATESTAMP=$(nix eval --raw "${NF_CONFIG_ROOT}#lib.inputs.nixpkgs.sourceInfo.lastModifiedDate")
-	SYSARCH=$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.nixpkgs.system")
+	#DATENAME=${DATESTAMP:0:4}${DATESTAMP:4:2}${DATESTAMP:6:2}
-	TAREXT=$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.system.build.tarball.extension")
+	#IMAGEEXT="$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.image.extension")"
-	TARNAME=nixos-system-$SYSARCH.tar$TAREXT
+	#OUTNAME="$ARG_NODE-$DATENAME-nixos-image.${IMAGEEXT}"
-	OUTNAME="ct-$DATENAME-$TARNAME"
+	OUTNAME=$(basename "$IMAGEPATH")
-	ln -sf "$RESULT/tarball/$TARNAME" "$OUTNAME"
+	ln -sf "$RESULT/$IMAGEPATH" "./$OUTNAME"
 	echo $OUTNAME
-	ls -l $OUTNAME
+	ls -l $OUTNAME >&2
 else
-	echo $RESULT
+	echo "$RESULT/$IMAGEPATH"
 fi

generate.nix

@@ -3,7 +3,7 @@
   tree,
 }: let
   nixlib = inputs.nixpkgs.lib;
-  inherit (nixlib.attrsets) mapAttrs mapAttrs' nameValuePair filterAttrs mapAttrsToList;
+  inherit (nixlib.attrsets) attrNames mapAttrs mapAttrs' nameValuePair filterAttrs mapAttrsToList;
   inherit (nixlib.lists) sortOn;
   inherit (inputs.self.lib.lib) userIs;
   inherit (inputs.self.lib.gensokyo-zone) systems;
@@ -91,5 +91,6 @@ in {
     nodes = filterAttrs (_: node: node.proxmox.node.enable) systems;
   in
     mapAttrs (_: mkNode) nodes;
+  nodeNames = attrNames inputs.self.lib.generate.nodes;
   systems = mapAttrs mkSystem systems;
 }

nixos/access/proxmox.nix

@@ -7,7 +7,8 @@
   inherit (lib.modules) mkDefault;
   inherit (lib.strings) escapeRegex;
   inherit (config.services) nginx tailscale;
-  proxyPass = access.proxyUrlFor {serviceName = "proxmox";} + "/";
+  # TODO: submodule/instancing or options
+  proxyPass = access.proxyUrlFor {serviceName = "proxmox"; serviceId = "proxmox-reisen"; } + "/";
 in {
   config.services.nginx.virtualHosts = let
     locations."/" = {

nixos/ct/meiling/proxmox.nix

@@ -0,0 +1,16 @@
+{
+  lib,
+  meta,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.ct.proxmox
+    nixos.avahi
+  ];
+
+  services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
+}

nixos/ct/proxmox/filesystem.nix

@@ -1,7 +1,4 @@
-{lib, ...}: let
+_: {
-  inherit (lib) mkDefault;
-in {
-  services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
   # work around a filesystem issue when migrating an unprivileged container to privileged
   boot.postBootCommands = ''
     if [[ $(stat -c '%u' /) != 0 ]]; then

nixos/ct/proxmox/network.nix

@@ -0,0 +1,26 @@
+{
+  lib,
+  gensokyo-zone,
+  config,
+  options,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+  inherit (lib.modules) mkIf;
+in {
+  systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) {
+    serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [
+      "+-${config.systemd.package}/bin/resolvectl mdns ${config.systemd.network.networks._00-local.name or "eth0"} yes"
+    ];
+  };
+  systemd.network.networks._00-local = mkIf (! options ? proxmoxLXC) {
+    name = mkAlmostOptionDefault "ens18";
+    linkConfig.Multicast = true;
+    networkConfig.MulticastDNS = true;
+  };
+
+  boot.kernel.sysctl = {
+    # not sure how to get it to overlap with subgid/idmap...
+    "net.ipv4.ping_group_range" = "0 7999";
+  };
+}

nixos/ct/proxmox/system.nix

@@ -1,31 +1,22 @@
 {
+  config,
   systemConfig,
   gensokyo-zone,
   lib,
-  modulesPath,
   meta,
   ...
 }: let
   inherit (gensokyo-zone.lib) unmerged;
-  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.modules) mkIf mkMerge;
   inherit (lib.attrsets) mapAttrsToList;
   inherit (systemConfig) proxmox;
 in {
   imports = let
     inherit (meta) nixos;
   in [
-    nixos.hw.headless
+    nixos.hw.proxmox
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
   ];
 
-  environment.variables = {
-    # nix default is way too big
-    GC_INITIAL_HEAP_SIZE = mkDefault "8M";
-  };
-  # XXX: this might be okay if the nix daemon's tmp is overridden
-  # (but still avoid since containers are usually low on provisioned memory)
-  boot.tmp.useTmpfs = mkDefault false;
-
   proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true;
 
   systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface:
@@ -42,4 +33,6 @@ in {
       lan.nftables.conditions = intConditions;
       local.nftables.conditions = intConditions;
     };
+
+  image.baseName = "${systemConfig.name}-${config.system.nixos.label}-proxmox";
 }

nixos/ct/reisen/dns.nix

@@ -1,13 +1,10 @@
 {
   lib,
-  gensokyo-zone,
   config,
-  options,
   meta,
   access,
   ...
 }: let
-  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
   inherit (lib.modules) mkIf mkBefore mkOrder;
   enableDns = !config.services.dnsmasq.enable && config.networking.hostName != "utsuho";
 in {
@@ -17,17 +14,6 @@ in {
     nixos.avahi
   ];
 
-  #services.resolved.enable = mkIf enableDns false;
-  systemd.services.avahi-daemon = mkIf (options ? proxmoxLXC && config.services.avahi.enable) {
-    serviceConfig.ExecStartPre = mkIf config.services.resolved.enable [
-      "+-${config.systemd.package}/bin/resolvectl mdns ${config.systemd.network.networks._00-local.name or "eth0"} yes"
-    ];
-  };
-  systemd.network.networks._00-local = mkIf (! options ? proxmoxLXC) {
-    name = mkAlmostOptionDefault "ens18";
-    linkConfig.Multicast = true;
-    networkConfig.MulticastDNS = true;
-  };
   networking.nameservers' = mkIf enableDns (mkBefore [
     {address = access.getAddressFor (access.systemForService "dnsmasq").name "lan";}
   ]);
@@ -39,9 +25,4 @@ in {
   services.resolved.extraConfig = mkIf enableDns ''
     DNSStubListener=no
   '';
-
-  boot.kernel.sysctl = {
-    # not sure how to get it to overlap with subgid/idmap...
-    "net.ipv4.ping_group_range" = "0 7999";
-  };
 }

nixos/ct/reisen/proxmox.nix

@@ -0,0 +1,15 @@
+{
+  lib,
+  meta,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.ct.proxmox
+  ];
+
+  services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
+}

nixos/hw/proxmox.nix

@@ -0,0 +1,23 @@
+{
+  lib,
+  modulesPath,
+  meta,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+in {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.hw.headless
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+  ];
+
+  environment.variables = {
+    # nix default is way too big
+    GC_INITIAL_HEAP_SIZE = mkDefault "8M";
+  };
+  # XXX: this might be okay if the nix daemon's tmp is overridden
+  # (but still avoid since containers are usually low on provisioned memory)
+  boot.tmp.useTmpfs = mkDefault false;
+}

nixos/reisen-ct.nix

@@ -0,0 +1,4 @@
+{ meta, ... }: {
+  # deprecated alias
+  imports = [ meta.nixos.ct.reisen ];
+}

packages/default.nix

@@ -67,6 +67,11 @@
           nodeType = "proxmox";
           userReferenceSystem = "hakurei";
         };
+        meiling = {
+          root = ../systems/meiling;
+          nodeType = "proxmox";
+          userReferenceSystem = "ct-meiling";
+        };
       };
       inherit (inputs.self.lib.lib) userIs;
       INPUT_INFRABINS = string.escapeShellArg [ "putfile64" "pve" "mkpam" "ct-config" ];

readme.md

@@ -28,7 +28,7 @@ deploy -s .#<hostname>
 # with trace
 deploy -s .#<hostname> -- --show-trace
 # deploy a fresh container
-deploy -s .#<hostname> --hostname ct.local
+deploy -s .#<hostname> --hostname ct-reisen.local
 ```
 
 ## Editing Secrets
@@ -42,7 +42,7 @@ sops nixos/systems/tewi/secrets.yaml
 ```shell
 nf-sops-keyscan <hostname>
 # or on a fresh container...
-nf-sops-keyscan ct.local
+nf-sops-keyscan ct-reisen.local
 vim .sops.yaml
 for nfsecret in access nix; do sops updatekeys nixos/secrets/$nfsecret.yaml; done
 ```
@@ -60,7 +60,7 @@ nf-tf init -upgrade
 ### Template
 
 ```shell
-nf-tarball ct
+nf-tarball ct-reisen
 ```
 
 [docs-badge]: https://img.shields.io/badge/API-docs-blue.svg?style=flat-square

systems/ct-meiling/nixos.nix

@@ -0,0 +1,35 @@
+{meta, lib, ...}: {
+  imports = with meta; [
+    nixos.ct.meiling
+  ];
+
+  # allow proxmox to provide us with our hostname
+  environment.etc.hostname.enable = false;
+  services.avahi.hostName = "";
+
+  system = {
+    stateVersion = "25.05";
+    nixos.tags = lib.mkForce [ "template" ];
+  };
+  environment.etc."systemd/network/eth9.network.d/int.conf".text = ''
+    [Match]
+    Name=eth9
+    Type=ether
+
+    [Link]
+    RequiredForOnline=false
+
+    [Network]
+    IPv6AcceptRA=true
+    IPv6SendRA=false
+    DHCP=no
+
+    [IPv6Prefix]
+    AddressAutoconfiguration=false
+    Prefix=fd0c::/64
+    Assign=true
+
+    [IPv6AcceptRA]
+    DHCPv6Client=false
+  '';
+}

systems/ct-reisen/default.nix

@@ -0,0 +1,15 @@
+_: {
+  arch = "x86_64";
+  type = "NixOS";
+  modules = [
+    ./nixos.nix
+  ];
+  access.online.enable = false;
+  network.networks = {
+    local = {
+      fqdn = null;
+      address4 = null;
+      address6 = null;
+    };
+  };
+}

systems/ct-reisen/nixos.nix

@@ -1,13 +1,16 @@
-{meta, ...}: {
+{meta, lib, ...}: {
   imports = with meta; [
-    nixos.reisen-ct
+    nixos.ct.reisen
   ];
 
   # allow proxmox to provide us with our hostname
   environment.etc.hostname.enable = false;
   services.avahi.hostName = "";
 
-  system.stateVersion = "23.11";
+  system = {
+    stateVersion = "23.11";
+    nixos.tags = lib.mkForce [ "template" ];
+  };
   environment.etc."systemd/network/eth9.network.d/int.conf".text = ''
     [Match]
     Name=eth9

systems/meiling/default.nix

@@ -0,0 +1,49 @@
+{lib, config, ...}: {
+  type = "Linux";
+  proxmox.node = {
+    enable = true;
+  };
+  access = {
+    online.available = true;
+    global.enable = true;
+  };
+  extern.files = {
+    "/etc/sysctl.d/50-net.conf" = {
+      source = ./sysctl.50-net.conf;
+    };
+  };
+  network.networks = {
+    global = {
+      address4 = "49.12.128.117";
+      address6 = null;
+    };
+    local = {
+      inherit (config.network.networks.global) address4;
+      address6 = null;
+    };
+    int = {
+      address4 = "10.9.1.4";
+      address6 = "fd0c::4";
+    };
+    tail = {
+      address4 = "100.67.99.30";
+      address6 = "fd7a:115c:a1e0::dc34:631e";
+    };
+  };
+  exports = {
+    services = {
+      tailscale.enable = true;
+      sshd = {
+        enable = true;
+        ports = {
+          public.enable = false;
+          standard.listen = "wan";
+        };
+      };
+      proxmox = {
+        enable = true;
+        id = "proxmox-meiling";
+      };
+    };
+  };
+}

systems/meiling/extern.json

@@ -0,0 +1,10 @@
+{
+  "files": {
+    "/etc/sysctl.d/50-net.conf": {
+      "group": "root",
+      "mode": "0644",
+      "owner": "root",
+      "source": "systems/meiling/sysctl.50-net.conf"
+    }
+  }
+}

systems/meiling/root.authorized_keys

@@ -0,0 +1,7 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCocjQqiDIvzq+Qu3jkf7FXw5piwtvZ1Mihw9cVjdVcsra3U2c9WYtYrA3rS50N3p00oUqQm9z1KUrvHzdE+03ZCrvaGdrtYVsaeoCuuvw7qxTQRbItTAEsfRcZLQ5c1v/57HNYNEsjVrt8VukMPRXWgl+lmzh37dd9w45cCY1QPi+JXQQ/4i9Vc3aWSe4X6PHOEMSBHxepnxm5VNHm4PObGcVbjBf0OkunMeztd1YYA9sEPyEK3b8IHxDl34e5t6NDLCIDz0N/UgzCxSxoz+YJ0feQuZtud/YLkuQcMxW2dSGvnJ0nYy7SA5DkW1oqcy6CGDndHl5StOlJ1IF9aGh0gGkx5SRrV7HOGvapR60RphKrR5zQbFFka99kvSQgOZqSB3CGDEQGHv8dXKXIFlzX78jjWDOBT67vA/M9BK9FS2iNnBF5x6shJ9SU5IK4ySxq8qvN7Us8emkN3pyO8yqgsSOzzJT1JmWUAx0tZWG/BwKcFBHfceAPQl6pwxx28TM3BTBRYdzPJLTkAy48y6iXW6UYdfAPlShy79IYjQtEThTuIiEzdzgYdros0x3PDniuAP0KOKMgbikr0gRa6zahPjf0qqBnHeLB6nHAfaVzI0aNbhOg2bdOueE1FX0x48sjKqjOpjlIfq4WeZp9REr2YHEsoLFOBfgId5P3BPtpBQ== yubikey5
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPsu3vNsvBb/G+wALpstD/DnoRZ3fipAs00jtl8rzDuv96RlS7AJr4aNvG6Pt2D9SYn2wVLaiw+76mz2gOycH9/N+VCvL4/0MN9uqj+7XIcxNRo0gHVOblmi2bOXcmGKh3eRwHj1xyDwRxo9WIuBEP2bPpDPz75OXRtEdlTgvky7siSguQxJu03cb0p9hNAYhUoohNXyWW2CjDCLUQVE1+QRVUzsKq3KkPy0cHYgmZC1gRSMQyKpMt72L5tayLz3Tp/zrshucc+QO5IJeZdqMxsNAcvALsysT1J5EqxZoYH9VpWLRhSgVD6Nvn853pycJAlXQxgOCpSD3/v/JbgUe5NE+ci0o7NMy5IiHUv2gQMRIEhwBHlRGwokUPL9upx0lsjaEiPya5xQqqDKRom87xytM778ANS5CuMdQMWg9qVbpHZUHMjA0QmNkjPgq71pUDXHk5L4mZuS8wVjyjnvlw68yIJuHEc8P7QiLcjvRHFS2L9Ck8NRmPDTQXlQi9kk6LmMyu6fdevR/kZL21b+xO1e2DMyxBbNDTot8luppiiL8adgUDMwptpIne7JCWB1o9NFCbXUVgwuCCYBif6pOGSc6bGo1JTAKMflRlcy6Mi3t5H0mR2lj/sCSTWwTlP5FM4aPIq08NvW6PeuK1bFJY9fIgTwVsUnbAKOhmsMt62w== cardno:12 078 454
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIC3RkyoQ74bb4NGv1H1bZAz5ROO0Zr6FT8TYpowgGUp kat@chen
+

systems/meiling/setup.sh

@@ -0,0 +1,14 @@
+mkshared-nix() {
+	mkshared nix 0 0 0755
+	if [[ ! -d /rpool/shared/nix/store ]]; then
+		zfs create -o compression=zstd rpool/shared/nix/store
+	fi
+	if [[ ! -d /rpool/shared/nix/var ]]; then
+		mkdir /rpool/shared/nix/var
+	fi
+	chown 100000:30000 /rpool/shared/nix/store
+	chmod 1775 /rpool/shared/nix/store
+	chown 100000:100000 /rpool/shared/nix/var
+}
+
+#mkshared-nix

systems/meiling/sysctl.50-net.conf

@@ -0,0 +1,4 @@
+net.ipv4.ping_group_range=0 2147483647
+# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
+net.core.rmem_max=2500000
+net.core.wmem_max=2500000

systems/meiling/systems.json

@@ -0,0 +1 @@
+{}

systems/meiling/users.json

@@ -0,0 +1,30 @@
+[
+  {
+    "authorizedKeys": [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCocjQqiDIvzq+Qu3jkf7FXw5piwtvZ1Mihw9cVjdVcsra3U2c9WYtYrA3rS50N3p00oUqQm9z1KUrvHzdE+03ZCrvaGdrtYVsaeoCuuvw7qxTQRbItTAEsfRcZLQ5c1v/57HNYNEsjVrt8VukMPRXWgl+lmzh37dd9w45cCY1QPi+JXQQ/4i9Vc3aWSe4X6PHOEMSBHxepnxm5VNHm4PObGcVbjBf0OkunMeztd1YYA9sEPyEK3b8IHxDl34e5t6NDLCIDz0N/UgzCxSxoz+YJ0feQuZtud/YLkuQcMxW2dSGvnJ0nYy7SA5DkW1oqcy6CGDndHl5StOlJ1IF9aGh0gGkx5SRrV7HOGvapR60RphKrR5zQbFFka99kvSQgOZqSB3CGDEQGHv8dXKXIFlzX78jjWDOBT67vA/M9BK9FS2iNnBF5x6shJ9SU5IK4ySxq8qvN7Us8emkN3pyO8yqgsSOzzJT1JmWUAx0tZWG/BwKcFBHfceAPQl6pwxx28TM3BTBRYdzPJLTkAy48y6iXW6UYdfAPlShy79IYjQtEThTuIiEzdzgYdros0x3PDniuAP0KOKMgbikr0gRa6zahPjf0qqBnHeLB6nHAfaVzI0aNbhOg2bdOueE1FX0x48sjKqjOpjlIfq4WeZp9REr2YHEsoLFOBfgId5P3BPtpBQ== yubikey5",
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPsu3vNsvBb/G+wALpstD/DnoRZ3fipAs00jtl8rzDuv96RlS7AJr4aNvG6Pt2D9SYn2wVLaiw+76mz2gOycH9/N+VCvL4/0MN9uqj+7XIcxNRo0gHVOblmi2bOXcmGKh3eRwHj1xyDwRxo9WIuBEP2bPpDPz75OXRtEdlTgvky7siSguQxJu03cb0p9hNAYhUoohNXyWW2CjDCLUQVE1+QRVUzsKq3KkPy0cHYgmZC1gRSMQyKpMt72L5tayLz3Tp/zrshucc+QO5IJeZdqMxsNAcvALsysT1J5EqxZoYH9VpWLRhSgVD6Nvn853pycJAlXQxgOCpSD3/v/JbgUe5NE+ci0o7NMy5IiHUv2gQMRIEhwBHlRGwokUPL9upx0lsjaEiPya5xQqqDKRom87xytM778ANS5CuMdQMWg9qVbpHZUHMjA0QmNkjPgq71pUDXHk5L4mZuS8wVjyjnvlw68yIJuHEc8P7QiLcjvRHFS2L9Ck8NRmPDTQXlQi9kk6LmMyu6fdevR/kZL21b+xO1e2DMyxBbNDTot8luppiiL8adgUDMwptpIne7JCWB1o9NFCbXUVgwuCCYBif6pOGSc6bGo1JTAKMflRlcy6Mi3t5H0mR2lj/sCSTWwTlP5FM4aPIq08NvW6PeuK1bFJY9fIgTwVsUnbAKOhmsMt62w== cardno:12 078 454",
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath",
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi",
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIC3RkyoQ74bb4NGv1H1bZAz5ROO0Zr6FT8TYpowgGUp kat@chen"
+    ],
+    "name": "kat",
+    "uid": 8000
+  },
+  {
+    "authorizedKeys": [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
+    ],
+    "name": "arc",
+    "uid": 8001
+  },
+  {
+    "authorizedKeys": [],
+    "name": "kaosubaloo",
+    "uid": 8002
+  },
+  {
+    "authorizedKeys": [],
+    "name": "connieallure",
+    "uid": 8003
+  }
+]

systems/reisen/default.nix

@@ -34,14 +34,22 @@ _: {
       address4 = "10.9.1.2";
       address6 = "fd0c::2";
     };
+    tail = {
+      address4 = "100.101.208.19";
+      address6 = "fd7a:115c:a1e0::3034:d013";
+    };
   };
   exports = {
     services = {
+      tailscale.enable = true;
       sshd = {
         enable = true;
         ports.public.enable = false;
       };
-      proxmox.enable = true;
+      proxmox = {
+        enable = true;
+        id = "proxmox-reisen";
+      };
     };
   };
 }

tf/cloudflare_records.tf

@@ -247,3 +247,10 @@ module "koishi_system_records" {
   zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
   net_data  = local.systems.koishi.network
 }
+
+module "meiling_system_records" {
+  source    = "./system/records"
+  zone_id   = cloudflare_zone.gensokyo-zone_zone.id
+  zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
+  net_data  = local.systems.meiling.network
+}

tf/tailscale_devices.tf

@@ -2,6 +2,7 @@ locals {
   tailscale_tag_infra     = "tag:infrastructure"
   tailscale_tag_genso     = "tag:gensokyo"
   tailscale_tag_reisen    = "tag:reisen"
+  tailscale_tag_meiling   = "tag:meiling"
   tailscale_tag_minecraft = "tag:minecraft"
   tailscale_tag_rtl       = "tag:rtl"
 
@@ -18,6 +19,7 @@ locals {
 
   tailscale_tags_genso   = [local.tailscale_tag_infra, local.tailscale_tag_genso]
   tailscale_tags_reisen  = concat(local.tailscale_tags_genso, [local.tailscale_tag_reisen])
+  tailscale_tags_meiling = concat(local.tailscale_tags_genso, [local.tailscale_tag_meiling])
   tailscale_tags_arc     = [local.tailscale_user_arc, local.tailscale_tag_arc]
   tailscale_tags_kat     = [local.tailscale_user_kat, local.tailscale_tag_kat]
   tailscale_tags_peeps   = concat(local.tailscale_tags_arc, local.tailscale_tags_kat)
@@ -28,6 +30,7 @@ resource "tailscale_acl" "tailnet" {
     tagOwners = {
       "${local.tailscale_tag_infra}" : [local.tailscale_group_admin],
       "${local.tailscale_tag_reisen}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
+      "${local.tailscale_tag_meiling}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
       "${local.tailscale_tag_genso}" : [local.tailscale_group_admin, local.tailscale_tag_arc_deploy, local.tailscale_tag_kat_deploy],
       "${local.tailscale_tag_minecraft}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
       "${local.tailscale_tag_rtl}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
@@ -47,6 +50,11 @@ resource "tailscale_acl" "tailnet" {
         src    = [local.tailscale_tag_reisen]
         dst    = ["${local.tailscale_tag_reisen}:*"]
       },
+      {
+        action = "accept"
+        src    = [local.tailscale_tag_meiling]
+        dst    = ["${local.tailscale_tag_meiling}:*"]
+      },
       {
         action = "accept"
         src    = concat([local.tailscale_tag_genso], local.tailscale_tags_peeps)
@@ -98,6 +106,15 @@ resource "tailscale_tailnet_key" "reisen" {
   depends_on    = [tailscale_acl.tailnet]
 }
 
+resource "tailscale_tailnet_key" "meiling" {
+  reusable      = true
+  ephemeral     = false
+  preauthorized = true
+  description   = "Meiling VM"
+  tags          = local.tailscale_tags_meiling
+  depends_on    = [tailscale_acl.tailnet]
+}
+
 resource "tailscale_tailnet_key" "gensokyo" {
   reusable      = true
   ephemeral     = false
@@ -112,6 +129,11 @@ output "tailscale_key_reisen" {
   sensitive = true
 }
 
+output "tailscale_key_meiling" {
+  value     = tailscale_tailnet_key.meiling.key
+  sensitive = true
+}
+
 output "tailscale_key_gensokyo" {
   value     = tailscale_tailnet_key.gensokyo.key
   sensitive = true