From 69c2b81e3d5c20e3602d8d370c5c7b17cf03aad3 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 6 Feb 2024 10:52:12 -0800
Subject: [PATCH] feat(tf): ct-config
---
systems/hakurei/lxc.json | 7 +++
systems/mediabox/lxc.json | 9 +++
systems/reimu/lxc.json | 13 +++++
systems/tei/lxc.json | 8 +++
tf/proxmox_reisen.tf | 24 +++++---
tf/proxmox_vms.tf | 71 +++++++++++++++--------
tf/system/proxmox/lxc/config/config.tf | 51 ++++++++++++++++
tf/system/proxmox/lxc/config/terraform.tf | 3 +
8 files changed, 153 insertions(+), 33 deletions(-)
create mode 100644 systems/hakurei/lxc.json
create mode 100644 systems/mediabox/lxc.json
create mode 100644 systems/reimu/lxc.json
create mode 100644 systems/tei/lxc.json
create mode 100644 tf/system/proxmox/lxc/config/config.tf
create mode 100644 tf/system/proxmox/lxc/config/terraform.tf
diff --git a/systems/hakurei/lxc.json b/systems/hakurei/lxc.json
new file mode 100644
index 00000000..1e80a3a3
--- /dev/null
+++ b/systems/hakurei/lxc.json
@@ -0,0 +1,7 @@
+{
+ "lxc": {
+ "lxc.mount.entry": [
+ "/dev/net/tun dev/net/tun none bind,optional,create=file"
+ ]
+ }
+}
diff --git a/systems/mediabox/lxc.json b/systems/mediabox/lxc.json
new file mode 100644
index 00000000..6098aae5
--- /dev/null
+++ b/systems/mediabox/lxc.json
@@ -0,0 +1,9 @@
+{
+ "lxc": {
+ "lxc.mount.entry": [
+ "/mnt/kyuuto-media/library mnt/kyuuto-media/library none bind,optional,create=dir",
+ "/mnt/kyuuto-media/downloads/deluge mnt/kyuuto-media/downloads/deluge none bind,optional,create=dir",
+ "/dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file"
+ ]
+ }
+}
diff --git a/systems/reimu/lxc.json b/systems/reimu/lxc.json
new file mode 100644
index 00000000..d967e169
--- /dev/null
+++ b/systems/reimu/lxc.json
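Review bot: The `/dev/net/tun` bind entry in `systems/hakurei/lxc.json` has no matching `lxc.cgroup2.devices.allow` rule, whereas the sibling `systems/reimu/lxc.json` pairs the identical bind with `c 10:200 rwm`; a bind-mounted node that the device cgroup does not permit is visible inside the container but cannot be opened. If the tun device is already allowed by the host's default LXC configuration (recent LXC `common.conf` releases do allow 10:200, but confirm on reisen), the reimu entry is redundant and should be dropped for consistency; otherwise add `"lxc.cgroup2.devices.allow": ["c 10:200 rwm"]` here as well. Either way, a short note in the commit message or a README next to these files saying which rules the defaults already cover would stop the next author from guessing.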
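Review bot: Binding `/dev/dri/renderD128` into mediabox in `systems/mediabox/lxc.json` comes with no `lxc.cgroup2.devices.allow` entry, and render nodes are not in the device allow-list an LXC container normally gets by default, so the container will see the node but be denied on open unless something outside this diff grants it (`c 226:128 rwm` is the usual major:minor for renderD128; check `ls -l /dev/dri` on reisen before hard-coding it). The two `/mnt/kyuuto-media/...` binds expose host directory contents directly; if mediabox is unprivileged, host uids are translated through the idmap and files typically show up as nobody unless the host side is chowned or an idmap is configured, which this file does not do. Since strict JSON cannot carry a comment, please record the intended owner/permission model for those paths in the Terraform module call or a README beside these files.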
@@ -0,0 +1,13 @@
+{
+ "lxc": {
+ "lxc.mount.entry": [
+ "/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir",
+ "/dev/net/tun dev/net/tun none bind,optional,create=file"
+ ],
+ "lxc.cgroup2.devices.allow": [
+ "c 10:200 rwm"
+ ],
+ "features": ["nesting=1,mount=nfs,mknod=1"],
+ "unprivileged": ["0"]
+ }
+}
diff --git a/systems/tei/lxc.json b/systems/tei/lxc.json
new file mode 100644
index 00000000..98a06943
--- /dev/null
+++ b/systems/tei/lxc.json
@@ -0,0 +1,8 @@
+{
+ "lxc": {
+ "lxc.mount.entry": [
+ "/dev/ttyZigbee dev/ttyZigbee none bind,optional,create=file",
+ "/dev/net/tun dev/net/tun none bind,optional,create=file"
+ ]
+ }
+}
diff --git a/tf/proxmox_reisen.tf b/tf/proxmox_reisen.tf
index d9368c6d..f1378e90 100644
--- a/tf/proxmox_reisen.tf
+++ b/tf/proxmox_reisen.tf
@@ -1,4 +1,12 @@
 locals {
+ proxmox_reisen_connection = {
+ type = "ssh"
+ user = var.proxmox_reisen_ssh_username
+ password = var.proxmox_reisen_password
+ host = var.proxmox_reisen_ssh_host
+ port = var.proxmox_reisen_ssh_port
+ }
+
 proxmox_reisen_sysctl_net = file("${path.root}/../systems/reisen/sysctl.50-net.conf")
 proxmox_reisen_udev_dri = file("${path.root}/../systems/reisen/udev.90-dri.rules")
 proxmox_reisen_udev_z2m = file("${path.root}/../systems/reisen/udev.90-z2m.rules")
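Review bot: `systems/reimu/lxc.json` makes reimu a privileged container (`"unprivileged": ["0"]`) with `nesting=1,mount=nfs,mknod=1`, so root inside reimu is root on reisen and the bind-mounted `/mnt/kyuuto-media` tree is written with host privileges; this was already true of the `ct-config` line this commit removes from `tf/proxmox_vms.tf`, but it now sits in a data file with no room for a justification. Since JSON cannot carry a comment, please record why privileged mode is required (presumably the NFS mount feature, which as far as I recall Proxmox only offers to privileged containers — worth confirming) in the commit message or a README next to these files. Note also that `features` and `unprivileged` are Proxmox `pct` options rather than `lxc.*` keys, yet they sit under the same `"lxc"` object and go through the same `ct-config key 'value'` path as the raw LXC entries; a separate `"pct"` object, or a documented key list in the module, would make that distinction explicit.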
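Review bot: `/dev/ttyZigbee` in `systems/tei/lxc.json` is a host device node, so the same caveat as for the tun entry applies: the bind makes the node visible, but opening it depends on a `lxc.cgroup2.devices.allow` rule for that tty's major number (USB serial adapters usually appear as ttyUSB major 188 or ttyACM major 166; confirm with `ls -l /dev/ttyZigbee` on reisen), which neither this file nor the `90-z2m` udev rule referenced from `tf/proxmox_reisen.tf` is shown to provide. If it works today, a note saying why would help; if not, add `"lxc.cgroup2.devices.allow": ["c <major>:<minor> rwm"]` here.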
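Review bot: The new `proxmox_reisen_connection` local bundles a password-authenticated SSH connection but carries no `host_key`, and both consumers (`terraform_data.proxmox_reisen_etc` below and the `system/proxmox/lxc/config` module) therefore run provisioners without verifying the host, so Terraform will hand `var.proxmox_reisen_password` to whatever answers on `var.proxmox_reisen_ssh_host`. Adding `host_key = var.proxmox_reisen_ssh_host_key` to this local (a new variable holding reisen's public host key or CA signature) and passing it through in the consumers closes that gap; moving to `private_key` authentication would be better still. Note that locals cannot be marked `sensitive`, so the password's sensitivity here rests entirely on `var.proxmox_reisen_password` being declared `sensitive = true` in its variable block, which this hunk does not show.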
@@ -12,18 +20,18 @@ resource "terraform_data" "proxmox_reisen_etc" {
 ]
 connection {
- type = "ssh"
- user = var.proxmox_reisen_ssh_username
- password = var.proxmox_reisen_password
- host = var.proxmox_reisen_ssh_host
- port = var.proxmox_reisen_ssh_port
+ type = local.proxmox_reisen_connection.type
+ user = local.proxmox_reisen_connection.user
+ password = local.proxmox_reisen_connection.password
+ host = local.proxmox_reisen_connection.host
+ port = local.proxmox_reisen_connection.port
 }
 provisioner "remote-exec" {
 inline = [
- "sudo /opt/infra/bin/putfile64 /etc/sysctl.d/50-net.conf ${base64encode(local.proxmox_reisen_sysctl_net)}",
- "sudo /opt/infra/bin/putfile64 /etc/udev/rules.d/90-dri.rules ${base64encode(local.proxmox_reisen_udev_dri)}",
- "sudo /opt/infra/bin/putfile64 /etc/udev/rules.d/90-z2m.rules ${base64encode(local.proxmox_reisen_udev_z2m)}",
+ "putfile64 /etc/sysctl.d/50-net.conf ${base64encode(local.proxmox_reisen_sysctl_net)}",
+ "putfile64 /etc/udev/rules.d/90-dri.rules ${base64encode(local.proxmox_reisen_udev_dri)}",
+ "putfile64 /etc/udev/rules.d/90-z2m.rules ${base64encode(local.proxmox_reisen_udev_z2m)}",
 ]
 }
 }
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
index 4e245a88..3de887f4 100644
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
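Review bot: Dropping `sudo /opt/infra/bin/` from the three `putfile64` calls in the `inline` list makes the provisioner depend on two things the hunk does not establish: that the SSH user (`local.proxmox_reisen_connection.user`) can write under `/etc` without `sudo`, and that `putfile64` resolves on that user's non-interactive `PATH` (remote-exec typically runs through the login shell, which often does not include `/opt/...`). If the wrapper now elevates itself, say so next to the `inline` list, e.g. `# putfile64 is on the SSH user's PATH and handles privilege itself (see /opt/infra/bin)`; otherwise keep the absolute path. The enclosing `terraform_data.proxmox_reisen_etc` resource begins above this hunk, so its `triggers_replace` is not visible; since the file contents are embedded in these commands, make sure the triggers include the three `local.proxmox_reisen_*` values or edits to the files will not be pushed.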
@@ -3,14 +3,48 @@ variable "proxmox_container_template" {
 default = "local:vztmpl/ct-20240127-nixos-system-x86_64-linux.tar.xz"
 }
+locals {
+ proxmox_reimu_vm_id = 104
+ proxmox_reimu_config = jsondecode(file("${path.root}/../systems/reimu/lxc.json"))
+ proxmox_hakurei_vm_id = 103
+ proxmox_hakurei_config = jsondecode(file("${path.root}/../systems/hakurei/lxc.json"))
+ proxmox_tei_vm_id = 101
+ proxmox_tei_config = jsondecode(file("${path.root}/../systems/tei/lxc.json"))
+ proxmox_mediabox_vm_id = 102
+ proxmox_mediabox_config = jsondecode(file("${path.root}/../systems/mediabox/lxc.json"))
+ proxmox_kubernetes_vm_id = 201
+ proxmox_freeipa_vm_id = 202
+}
+
 data "proxmox_virtual_environment_vm" "kubernetes" {
 node_name = "reisen"
- vm_id = 201
+ vm_id = local.proxmox_kubernetes_vm_id
+}
+
+module "hakurei_config" {
+ source = "./system/proxmox/lxc/config"
+ connection = local.proxmox_reisen_connection
+ vm_id = local.proxmox_hakurei_vm_id
+ config = local.proxmox_hakurei_config.lxc
+}
+
+module "tei_config" {
+ source = "./system/proxmox/lxc/config"
+ connection = local.proxmox_reisen_connection
+ vm_id = local.proxmox_tei_vm_id
+ config = local.proxmox_tei_config.lxc
+}
+
+module "mediabox_config" {
+ source = "./system/proxmox/lxc/config"
+ connection = local.proxmox_reisen_connection
+ vm_id = local.proxmox_mediabox_vm_id
+ config = local.proxmox_mediabox_config.lxc
 }
 resource "proxmox_virtual_environment_container" "reimu" {
 node_name = "reisen"
- vm_id = 104
+ vm_id = local.proxmox_reimu_vm_id
 tags = ["tf"]
 description = "big hakurei"
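Review bot: The `hakurei_config`, `tei_config` and `mediabox_config` module calls pass only a `vm_id`, so inside the module the replace trigger collapses to the literal ID string (`tostring(local.vm_id)` in `tf/system/proxmox/lxc/config/config.tf`): if CT 101, 102 or 103 is rebuilt outside Terraform and loses its `ct-config` settings, `terraform apply` reports no change and never re-pushes them. Those containers have no resource in this file, so there is nothing for `container =` to reference; a comment above the three calls stating that they are hand-made CTs and that `terraform apply -replace=module.hakurei_config.terraform_data.config` forces a re-push would save the next person a surprise, e.g. `# CTs 101-103 are not managed here; ct-config is re-pushed only when lxc.json changes (or via -replace).` The `jsondecode(file(...))` locals are read at plan time, and `.lxc` will fail with an unhelpful error if a file lacks that key, so consider `try(..., {})` or a one-line comment naming the expected shape.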
@@ -58,28 +92,11 @@ resource "proxmox_virtual_environment_container" "reimu" {
 }
 }
-resource "terraform_data" "proxmox_reimu_config" {
- depends_on = [
- proxmox_virtual_environment_container.reimu
- ]
-
- triggers_replace = [
- proxmox_virtual_environment_container.reimu.id
- ]
-
- connection {
- type = "ssh"
- user = var.proxmox_reisen_ssh_username
- password = var.proxmox_reisen_password
- host = var.proxmox_reisen_ssh_host
- port = var.proxmox_reisen_ssh_port
- }
-
- provisioner "remote-exec" {
- inline = [
- "ct-config ${proxmox_virtual_environment_container.reimu.vm_id} unprivileged 0 features 'nesting=1,mount=nfs,mknod=1' lxc.mount.entry '/dev/net/tun dev/net/tun none bind,optional,create=file' lxc.mount.entry '/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir' lxc.cgroup2.devices.allow 'c 10:200 rwm'",
- ]
- }
+module "reimu_config" {
+ source = "./system/proxmox/lxc/config"
+ connection = local.proxmox_reisen_connection
+ container = proxmox_virtual_environment_container.reimu
+ config = local.proxmox_reimu_config.lxc
 }
 resource "proxmox_virtual_environment_vm" "freeipa" {
@@ -88,7 +105,7 @@ resource "proxmox_virtual_environment_vm" "freeipa" {
 tags = ["tf"]
 node_name = "reisen"
- vm_id = 202
+ vm_id = local.proxmox_freeipa_vm_id
 agent {
 # read 'Qemu guest agent' section, change to true only when ready
@@ -131,4 +148,8 @@ resource "proxmox_virtual_environment_vm" "freeipa" {
 }
 serial_device {}
+
+ lifecycle {
+ ignore_changes = [started, operating_system[0], cdrom[0].enabled, cdrom[0].file_id]
+ }
 }
diff --git a/tf/system/proxmox/lxc/config/config.tf b/tf/system/proxmox/lxc/config/config.tf
new file mode 100644
index 00000000..064a7406
--- /dev/null
+++ b/tf/system/proxmox/lxc/config/config.tf
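Review bot: Replacing the inline `ct-config ... unprivileged 0 features 'nesting=1,mount=nfs,mknod=1' ...` command with `module "reimu_config"` removes the only place in this file where a reader could see that reimu is a privileged, nesting-enabled container; that fact now lives in `systems/reimu/lxc.json`, which cannot hold a comment. Please add one above the module call, e.g. `# NOTE: systems/reimu/lxc.json makes this CT privileged (unprivileged=0) with nesting/mknod/nfs; review that file before adding mounts.` Passing the whole `proxmox_virtual_environment_container.reimu` object as `container` is what gives the module its implicit ordering and its replace trigger on the container ID, so keep it rather than switching to `vm_id` for symmetry with the other three calls.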
@@ -0,0 +1,51 @@
+variable "connection" {
+ type = map(any)
+ sensitive = true
+}
+
+variable "vm_id" {
+ type = number
+ default = null
+}
+
+variable "container" {
+ type = any
+ default = null
+}
+
+variable "config" {
+ type = map(list(string))
+}
+
+locals {
+ vm_id = var.vm_id != null ? var.vm_id : var.container.vm_id
+ depends_container = var.container != null ? [var.container] : []
+ config = flatten([for key, values in var.config :
+ [for value in values : "${key} '${value}'"]
+ ])
+}
+
+resource "terraform_data" "config" {
+ depends_on = [
+ local.depends_container,
+ ]
+
+ triggers_replace = {
+ container = var.container != null ? var.container.id : tostring(local.vm_id)
+ config = var.config
+ }
+
+ connection {
+ type = coalesce(var.connection["type"], "ssh")
+ user = coalesce(var.connection["user"], "root")
+ password = var.connection["password"]
+ host = var.connection["host"]
+ port = coalesce(var.connection["port"], 22)
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "ct-config ${local.vm_id} ${join(" ", local.config)}",
+ ]
+ }
+}
diff --git a/tf/system/proxmox/lxc/config/terraform.tf b/tf/system/proxmox/lxc/config/terraform.tf
new file mode 100644
index 00000000..40dc0a1b
--- /dev/null
+++ b/tf/system/proxmox/lxc/config/terraform.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 1.6.0"
+}
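Review bot: The `connection` block in `terraform_data.config` sets no `host_key`, so Terraform accepts whatever SSH host key the target presents and sends `var.connection["password"]` to it; as this module is the shared path for every `ct-config` push, it should accept an optional `host_key` in `var.connection` and pass it through. Two smaller issues in the same resource: `depends_on = [local.depends_container]` is not a static resource reference and, as far as I know, Terraform rejects locals in `depends_on` at validate time (the dependency is already implied by `var.container.id` in `triggers_replace`, so the block and the `depends_container` local can go), and `coalesce(var.connection["type"], "ssh")` errors on a missing key instead of defaulting, where `lookup(var.connection, "type", "ssh")` gives the intended behaviour. Finally, `local.config` wraps each value in single quotes without escaping, so a value containing `'` breaks the `ct-config` command line (and a crafted value could append commands); the values come from repo-controlled JSON today, but a `validation` block on `var.config` makes that assumption explicit and documents the contract. Suggested changes:

```hcl
variable "connection" {
  # Expected keys: host, password. Optional: type (default "ssh"), user ("root"),
  # port (22) and host_key (target's public host key or CA signature; strongly
  # recommended, otherwise the password is sent to an unverified host).
  type      = map(any)
  sensitive = true
}

# … unchanged: variable "vm_id", variable "container" …

variable "config" {
  # Map of ct-config key -> list of values; each pair is emitted as `key 'value'`.
  type = map(list(string))

  validation {
    condition = alltrue([
      for vs in values(var.config) : alltrue([for v in vs : !strcontains(v, "'")])
    ])
    error_message = "config values are single-quoted verbatim on the ct-config command line and must not contain a single quote."
  }
}

# … unchanged: locals (drop depends_container, it is no longer referenced) …

resource "terraform_data" "config" {
  # Ordering after the container is implied by var.container.id below; no depends_on needed.
  triggers_replace = {
    container = var.container != null ? var.container.id : tostring(local.vm_id)
    config    = var.config
  }

  connection {
    type     = lookup(var.connection, "type", "ssh")
    user     = lookup(var.connection, "user", "root")
    password = var.connection["password"]
    host     = var.connection["host"]
    port     = lookup(var.connection, "port", 22)
    host_key = lookup(var.connection, "host_key", null)
  }

  # … unchanged: provisioner "remote-exec" …
}
```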