From 64354376c77ceeddbc36ce1aa8a555f3750fae9d Mon Sep 17 00:00:00 2001
From: arcnmx <git@git.arcn.mx>
Date: Thu, 21 Mar 2024 08:19:43 -0700
Subject: [PATCH] feat(utsuho): new host

---
 ci/nix.nix                 |  1 +
 docs/network.adoc          |  1 +
 systems/utsuho/default.nix |  7 ++++
 systems/utsuho/lxc.json    | 21 +++++++++++
 systems/utsuho/nixos.nix   | 21 +++++++++++
 tf/cloudflare_records.tf   |  9 +++++
 tf/cloudflare_tunnels.tf   | 28 ++++++++++++++
 tf/proxmox_vms.tf          | 77 +++++++++++++++++++++++++++++++++++++-
 tf/terraform.tfvars.sops   |  6 +--
 9 files changed, 167 insertions(+), 4 deletions(-)
 create mode 100644 systems/utsuho/default.nix
 create mode 100644 systems/utsuho/lxc.json
 create mode 100644 systems/utsuho/nixos.nix

diff --git a/ci/nix.nix b/ci/nix.nix
index 86e73e19..e0b75f01 100644
--- a/ci/nix.nix
+++ b/ci/nix.nix
@@ -8,6 +8,7 @@
       "hakurei"
       "reimu"
       "aya"
+      "utsuho"
       "tei"
       "litterbox"
       "keycloak"
diff --git a/docs/network.adoc b/docs/network.adoc
index 1412a039..29797bd5 100644
--- a/docs/network.adoc
+++ b/docs/network.adoc
@@ -19,6 +19,7 @@ shanghai:: `10.1.1.32`
 
 hourai:: `10.1.1.36`
 
+utsuho:: `10.1.1.38`
 tei:: `10.1.1.39`
 reisen:: `10.1.1.40`
 hakurei:: `10.1.1.41`
diff --git a/systems/utsuho/default.nix b/systems/utsuho/default.nix
new file mode 100644
index 00000000..ea396fa3
--- /dev/null
+++ b/systems/utsuho/default.nix
@@ -0,0 +1,7 @@
+_: {
+  arch = "x86_64";
+  type = "NixOS";
+  modules = [
+    ./nixos.nix
+  ];
+}
diff --git a/systems/utsuho/lxc.json b/systems/utsuho/lxc.json
new file mode 100644
index 00000000..85c5e6c9
--- /dev/null
+++ b/systems/utsuho/lxc.json
@@ -0,0 +1,21 @@
+{
+	"lxc": {
+		"lxc.mount.entry": [
+			"/rpool/shared/unifi mnt/shared/unifi none bind,optional,create=dir",
+			"/rpool/shared/postgresql mnt/shared/postgresql none bind,optional,create=dir",
+			"/dev/net/tun dev/net/tun none bind,optional,create=file"
+		],
+		"lxc.idmap": [
+			"u 0 100000 8000",
+			"g 0 100000 8000",
+			"u 8000 8000 128",
+			"g 8000 8000 256",
+			"u 8128 108128 57406",
+			"g 8256 108256 57278",
+			"u 65534 65534 1",
+			"g 65534 65534 1",
+			"u 65535 165535 1",
+			"g 65535 165535 1"
+		]
+	}
+}
diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix
new file mode 100644
index 00000000..1dd3ec1f
--- /dev/null
+++ b/systems/utsuho/nixos.nix
@@ -0,0 +1,21 @@
+{meta, config, ...}: {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    nixos.base
+    nixos.reisen-ct
+  ];
+
+  systemd.network.networks.eth0 = {
+    name = "eth0";
+    matchConfig = {
+      MACAddress = "BC:24:11:C4:66:A6";
+      Type = "ether";
+    };
+    address = ["10.1.1.38/24"];
+    gateway = ["10.1.1.1"];
+    DHCP = "no";
+  };
+
+  system.stateVersion = "23.11";
+}
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 8ebc91ff..081b2a22 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -65,6 +65,15 @@ module "keycloak_system_records" {
   local_v6  = "fd0a::be24:11ff:fec4:66ac"
 }
 
+module "utsuho_system_records" {
+  source    = "./system/records"
+  name      = "utsuho"
+  zone_id   = cloudflare_zone.gensokyo-zone_zone.id
+  zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
+  local_v4  = "10.1.1.38"
+  local_v6  = "fd0a::be24:11ff:fec4:66a6"
+}
+
 module "aya_system_records" {
   source       = "./system/records"
   name         = "aya"
diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf
index a0b40596..f5b5eb21 100644
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@@ -58,6 +58,34 @@ output "cloudflare_tunnel_cname_keycloak" {
   value = module.keycloak.cname
 }
 
+variable "cloudflare_tunnel_secret_utsuho" {
+  type      = string
+  sensitive = true
+}
+
+module "utsuho" {
+  source     = "./tunnel"
+  name       = "utsuho"
+  secret     = var.cloudflare_tunnel_secret_utsuho
+  account_id = var.cloudflare_account_id
+  zone_id    = cloudflare_zone.gensokyo-zone_zone.id
+  subdomains = [
+  ]
+}
+
+output "cloudflare_tunnel_id_utsuho" {
+  value = module.utsuho.id
+}
+
+output "cloudflare_tunnel_token_utsuho" {
+  value     = module.utsuho.token
+  sensitive = true
+}
+
+output "cloudflare_tunnel_cname_utsuho" {
+  value = module.utsuho.cname
+}
+
 variable "cloudflare_tunnel_secret_tewi" {
   type      = string
   sensitive = true
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
index 29fb9828..30372d14 100644
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@@ -1,9 +1,11 @@
 variable "proxmox_container_template" {
   type    = string
-  default = "local:vztmpl/ct-20240211-nixos-system-x86_64-linux.tar.xz"
+  default = "local:vztmpl/ct-20240319-nixos-system-x86_64-linux.tar.xz"
 }
 
 locals {
+  proxmox_utsuho_vm_id     = 108
+  proxmox_utsuho_config    = jsondecode(file("${path.root}/../systems/utsuho/lxc.json"))
   proxmox_keycloak_vm_id   = 107
   proxmox_keycloak_config  = jsondecode(file("${path.root}/../systems/keycloak/lxc.json"))
   proxmox_litterbox_vm_id  = 106
@@ -330,6 +332,79 @@ module "aya_config" {
   config     = local.proxmox_aya_config.lxc
 }
 
+resource "proxmox_virtual_environment_container" "utsuho" {
+  node_name   = "reisen"
+  vm_id       = local.proxmox_utsuho_vm_id
+  tags        = ["tf"]
+  description = <<EOT
+zoomzoom
+EOT
+
+  memory {
+    dedicated = 2048
+    swap      = 4096
+  }
+
+  cpu {
+    cores = 2
+  }
+
+  disk {
+    datastore_id = "local-zfs"
+    size         = 32
+  }
+
+  initialization {
+    hostname = "utsuho"
+    ip_config {
+      ipv6 {
+        address = "auto"
+      }
+      ipv4 {
+        address = "10.1.1.38/24"
+        gateway = "10.1.1.1"
+      }
+    }
+  }
+
+  startup {
+    order      = 4
+    up_delay   = 0
+    down_delay = 2
+  }
+
+  network_interface {
+    name        = "eth0"
+    mac_address = "BC:24:11:C4:66:A6"
+  }
+
+  operating_system {
+    template_file_id = var.proxmox_container_template
+    type             = "nixos"
+  }
+
+  unprivileged = true
+  features {
+    nesting = true
+  }
+
+  console {
+    type = "console"
+  }
+  started = false
+
+  lifecycle {
+    ignore_changes = [started, initialization[0].dns, operating_system[0].template_file_id]
+  }
+}
+
+module "utsuho_config" {
+  source     = "./system/proxmox/lxc/config"
+  connection = local.proxmox_reisen_connection
+  container  = proxmox_virtual_environment_container.utsuho
+  config     = local.proxmox_utsuho_config.lxc
+}
+
 resource "proxmox_virtual_environment_vm" "freeipa" {
   name        = "freeipa"
   tags        = ["tf"]
diff --git a/tf/terraform.tfvars.sops b/tf/terraform.tfvars.sops
index e4f95839..5d73bd09 100644
--- a/tf/terraform.tfvars.sops
+++ b/tf/terraform.tfvars.sops
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:xhV1so+M7nd5ZlBcCHDp3mIJCCshTi7Tljw2m/Fy9wWuvqOFSthm+J8q8aOm7JaReU0NlGq2aUg0SlEDF/MQ7UU36P30OkL1AdEOeAKeOL6LUfJGNIwaBNrykGTorP/uUAUwueXfGOJ6Btxu/BNa6w+L+GpKPjwTxUaLLnij06suUtDduWszEFLrbhoBiLbbI1RUoa9EbPfgKd364QIvwCR7hT+w0LPg+ArrAgsMXnWtyrWHfieCgPL1gBxfbFBUFalt5BnlPVzmML2KcJ5GLvgoMfWV+scp4m1Y/kxkm0azRBeuHPFO3g0pLZfk57fmvoedFod+e/mttaRi+KSc5kipMKrmirFUR0fjf5GFpM2oH3UsyoQp8tD/Sn85jT84k6JSDsY5XYNwqT5N1mJ08olsHvep/mZXVnmY3iPo3IkqGcI6HHxpgB57INll3lrAD1X8Lc9zYY/qgCzYsULX6lejUNprg/IP/felMGe74dRm+40/4ZbObD9aKSAhXJHUBTjite9jksTrsaCzF1EafvYPaVIW40ci6SoK1+zsA1Nvuz2GB8kGw50xVuCmJcsgR+Pv1IcfjkXXoGbikBMbcy2DNzOA6DOhrkGW2h17Cx06ZE4MgwaTcXgqA2nAF+xC9s3um8WsZiWdZLKCEfaELtrXqb8LlSeJ9aCwvNzLELAbwq3AzgTNGzR/tDhV8FYKeNa94/Uh2rdFhVZCgZZ4Wllg4P6yNmuc/meYqyw3U1VmYjiuGWLmE5x8JxvN0Ro1tEGzpXJyuGGzN5rqDxfval0JaWXaCRKN7i5yQZWJ+9hzFg95GRtb6hS7yFfTh7ZmKH8Z0rpKr0l6vPWrcdMHP+AEXtymw+degwBM88VgXuhRxtz3Yid+Bqz7MeQVQyBAJeqVWc5VHX+lpXJnPg08f6WyInEiXC4w+sUDcH7M1zAZVF7BFdfrlSabobv3rikX6rG8tvp0Cr1PdjIE8RZ4+o6OSkO3VdxuEP3O4c6xuGqbvVzKqsb4vPtLpz8mYgs8jEt5z+mVaQFJfYris+yLUE3zMcpFFKGA9pGq+60/EKtdvWpXruCmdG/XuXMN0LRkDh2Pq91oXeUkEKgFRZJYcEhf3gQ8NYt2nWdG6nhtT6PqJT/WA0Z3t/YN4fx08xc77QdV4qeD3u2wdOCHSbyctllmLO2IPtRsJGgEzxD3/sM1Zc9T0YI3JgNblMQIG3nch3V7FQ3tdIOS8i3Y46pyOlh69ncS9Ifja12DLrjlebGbAJHVuVwGzddsjZ+6TAFlgbkC3l4tpfYnKHNz7TgP8B7djwejFCqpOE8pRC800pxMDgIqwhd+zJDQvjZDcSbtrdTGh1giABCu/yauSEDi3B53Rp9xp9WOgApm0g2cdH29cPQVSlnevD5hk2lS8+DCfFtct7AAVQsIsECvMInOxMKBXQuRWhbUvatk5gJProgdWDts3w9tueChjNermhihSlf3tLyoYwNPkculWkhQmqhY4Gf3562putVkTb/di+or/VPf3l330rn9OGse//koJGZM7v2LbbxTle9LbytFJ+gKAcr9gcW9Dg2We3ZXuZUKkzCzcPt0ghvOc40g1BuziULLIClO8aKKt88BSyUwmbLE6+ZV0by17h/hYd0t4sUnYF94sff2a5Lh7Joay07J8HvV7M1uWhC/vt7ua+m5dVcrUNXzJV8iuw9W0u2V6kWiyeT3UpBdhPq6/k99gQ7+VItSJmN2GOKot8ndG5M9x+ZGY68LVxXkW8+eZUiWJAqdDHDdzPGca6Nm5WZmDtck8WjldoOaaMzijzQ+Jt41bpJiP1Yq+9s0ORR5Q6Af/4wgfAwZAaTF57soLhrCAPgv5vmx2bN0uNjEth7tikvyp7HnmHmv0eYRkuWyJkdI6nw+fqFK+Drqq/FbraYL53B6FIMpCdX9FjmNg1rO0eBxPmOHKyOU9Hzes+aBztYoqPPbcGXp8zEyN5JmjD9Xz6HB7EnYuzNMcJUEeH6eZSzBMx8+pJLbYJB11DysgdN4tYTHddKgOtTLGkD0teru+tsJBKP1i5buq+S7zWa8EVnYbbK5BR8mQK69meXRwZpTwQgHvyPUwGZjuWnLU3D9T0+QE478XsCiQWy34paGfl9hsljlHtp/KQUL2bwhtU/0Eyqy6DOqOePZV0Y58wrJpDmafP+w2raDZ9FboD8zXANWFPGh0Glo2E4=,iv:6vdvCs0371Zr1d/C6KHZkATVLFJRyyWuwtqEP8SkouU=,tag:QYh+Ufu8YIvvziHGLt/FZw==,type:str]",
+	"data": "ENC[AES256_GCM,data:iYpHoTiF+5qNkJ/ZHU37H3fqSIYgaqJnz+LVqcUhbmDpfKLngXeXV3dBqwk6ilBxVyRJ33v+ZbfeatLByk9v6JL3YmfKe/f/w+EBWEbKVy0qXb2lOHOCGMm3PFe+FP7DLb9deAWTi8S4FMGAa41xufbVIM+kOjQXwL3JH35dbgyyaqhmXknX4p800rt/T4TWo4NTfkRrR9G1/J+EaqeO0qRIJk2Vu/mqeXtbtyY13MrFCri1qw7FcvNwseFKWjzCCclfI2X+juNCxfYdXqjACmXyFMq0J3oYKHofMrts64+B4E5RjQb3j2FoCMNIAsKAGOoMEHQtWhiDEMPG3/yRIBoQ7TFFte5C6rN5O6fDTMel3q1vUHsazdrDX6nZ9HoV7H9GHlGApOqQ3AF4Zh7SMT6cN7hQ1G846o3igJ4UvX2J+q0Y8y3+Kl7JHo7axvRxEQ3h0jrj8KP8F4RpZqf07kDgfPyd2sZW1f1BMc3zHbyupWOfp7iGd2mRSdp5LRd7QCsryaX1e/P63NhqKfckScG85GEEGIsPRymeEmBLrhyUkTRr0t8I5fACdURbsRYYMVdd2Sy12DXJ8WfJQYunVJmIBkC2D8ZLy1+BGyuUpHFcOMEYmg6zHor32ghnEYVntp/XrwjOxBdeo7T8ntExbRNqAHqhFE1HT72cwCDWHt6EUtArOL4/BEzmkq43lgo1VuKrW2QjZDmFTTd8WlaAoVoZtJphY4RWkvJjjNmaGv+UiProVYFGRyg7hIHiwj+jP49WGEq5enONR6mnws3cog9pkRjH6IZrUIqcU4Aqmee1NU78KjM4G9q03/T+0P3YqP1VxGe39SBK6z7L6VQFVKU7Tl4kK4A6lWu4o1Q/HxBMFGZ/zVrx+kuPPVirHXy7F7TXFT4LghTi75Ve4ZCYdUrFvphVojS+XraUKEHWpO0urxR+4Gpd5BwBmbB+llLoOBkwbAwcdx+oi/qYm22entZsqLNi9oq6FvWc/AJIQ+Aya1ejMP1Ec2UYbIPDCR9RnGCQO4dOw3Mp+H6yByFvBWJuukvnv09mJQVLALrD35kJwdYfWPo5G14+ASDZIrvpWlm0Dk9LhWF/LPqPLvik0srtEoT+pZkLU9qE+i0bgvTXJqgYkyn/Exgi6XOy3zhVQ9zHDO/jiUa50KwxE+/g9WedfB00YRx2rndTs455K2eCUtxRJObl/eBkbyBes9bU6zIu3GuQshgt6h9UxgwK+73ofF293zKFpgHLgFATqMN/8rLH5rODxcPNY3VwTLIlmYtDo4otvKRWm0MPxBflbBun3fe6D6uoYqVJetjEypmU6XpqT89WUxah4NFpvEjXf5FTyoDPrb8O1oDGPMgbwbFh2W22z34A6T52lUg5nJzatlUPXweGY1NMGcPO8Z7Pv7yJMdcBidaxFRsLzKePkoOmUk1zW/cdtrjugURuy2958pp2CRfOQs0/XnPu+WWWwaSoWzI8ZgBMxuCWxtoJRusIHi1hfDw7T9gnvr9+TQsD4/nXeB4td1aFvggUAqsf/2Ahe7UvcJPM7nfgcymnpqwbfWHtWqkqjI4sJnKEAlxaDe2Xx/dC3eI8VWsZFJnepDSeA8TufJObK5TtYaCe+htLM5/4mCphRsb73DHdnlQ7PIG872kdrCapnA54SnDKBC8Z+t1W7LoWUTrQ752Nr3M0DRu5RfqTigyJ5zMMuOfXjVSJ1dy0xUp7Tn4JhkjpNX9DAOPMmvB19mA0lLF9hunfpT96lBf1grxo6x2oagqvg4N9a7+Bha8aQ5QtLB7maBLTOGbCI9zL0SYU+8qI+BHGZIndKSkLWc6XmcLMWyvypDC7XcjRVqFXMiYAFhPaFgPEjz31xycYYFvGa7mC0sV4OISEvdxoXE34IMfeI+Wf5wjURsWSkJ8Kub4pH3LjifX2gkWazQjsB9Ry0uLuCJbH+j9oOfrfz0xmFFVikkQSalLdWFqPg8UOJZMt/heO7w3MUE1RNXlV8k1m5d4lKTsLfcCgGF+NE3rC9oTIJgA0gTjOb/DImkE7MTFsMqJ+TesaFeYNx1Ll8T3P5zAuK+YGN2BNKOMD4oM5Qt3zfnDraL7i3ITJ39WvArjobBVKcMUg+h0uwD7NFo0up4fo7pOmy1KTYEjNZcOGKPHMZ8pli/ZM2+yiJ928Kdu7Bwe/MnmVA6xBFyjNRXcNWcDt6p6M+6NY9gr8sANVOj6Eb905ExC6XmgxOOW06K8Y81zYt+ggEna9QG1WwPpSxRQgtMlgada5DGy0ivHyrIuvSYCgtwiX3tc67ZCjQ0/7S2F7FxqQztfpO8x3FRMvr6DxCTSZmtyySClCqa+JZET5xO8bxkHGPnh/Pm97qy5085t6ablBKw==,iv:r/r8/D765tpIYa+qltuLohs/GtU3I6/P3qslXkbnCgE=,tag:ump5hDeTECGJWYkuPENAvQ==,type:str]",
 	"sops": {
 		"shamir_threshold": 1,
 		"kms": null,
@@ -7,8 +7,8 @@
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2024-03-19T01:44:48Z",
-		"mac": "ENC[AES256_GCM,data:c+4WUmXEs1r6C1riHHsMAwRyjf5Z58l1/f03Jc8L+komJevGpbSNTxBad3GOHnvFHB4M7ONZehlkEmaXEmTMJUN2LUs4ULU3wsRe/tD1BXs06Ktx8zuW3ym8ND/kfsu17/O5v951iZpDWWuk+ACsu4dnEDeIg27yXviUg4k3BVw=,iv:cVUlvEsXv8AAeDkw+B7aPNo+TQtNzUjO4lZHKge7pg8=,tag:WSRAk1xlVw8TaCxToAYr1g==,type:str]",
+		"lastmodified": "2024-03-21T15:14:28Z",
+		"mac": "ENC[AES256_GCM,data:kFloPwB/TeHMMk1VYcQkHf2wDFrUr0zcvP8u39wNcXFDWilMqzW9W+/vlpfvR3qbSWwlN7tpippwBNY+pu6/ZaA2JZP7DUczA3xpFn+BUljiX4JV/+YAz1KwZT4VA4EimAMWr90sHSMKKxp7AjqiNqhirajxjfgspBluQkKCH8Q=,iv:sY35Kef/MGwl9SrZs+pdXziQCHX27MsBaRt4q7Cb9Fg=,tag:pPWqSaZlzOro1P1fmUSVxw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-01-14T19:49:29Z",