feat: reisen containers

nixos/base/access.nix

@@ -18,7 +18,6 @@
   imports = with meta; [
     nixos.kat
     nixos.arc
-    nixos.sops
   ];
 
   users.motd = ''

nixos/base/network.nix

@@ -1,6 +1,10 @@
-{ config, lib, ... }: with lib;
+{ config, name, lib, ... }: with lib;
 
 {
-  networking.nftables.enable = true;
-  networking.tempAddresses = "disabled";
+  networking = {
+    nftables.enable = true;
+    tempAddresses = "disabled";
+    domain = mkDefault "gensokyo.zone";
+    hostName = mkOverride 25 name;
+  };
 }

nixos/base/urxvt.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = [
+    pkgs.buildPackages.rxvt-unicode-unwrapped.terminfo
+  ];
+}

nixos/deploy.sh

@@ -5,19 +5,27 @@ NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.}
 
 NF_HOST=${NF_HOST-tewi}
 NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel
+NF_ADDR=${NF_ADDR-${NF_HOST}}
+export NIX_SSHOPTS="${NIX_SSHOPTS--p62954}"
+
+if [[ $1 = tarball ]]; then
+	shift
+	set -- build "$@"
+	NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.tarball
+fi
 
 if [[ $1 = build ]]; then
 	shift
 	exec nix build --no-link --print-out-paths \
 		$NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL \
 		"$@"
-elif [[ $1 = switch ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then
+elif [[ $1 = switch ]] || [[ $1 = boot ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then
 	METHOD=$1
 	shift
 	exec nixos-rebuild $METHOD \
 		--flake $NF_CONFIG_ROOT\#$NF_HOST \
 		--no-build-nix \
-		--target-host $NF_HOST --use-remote-sudo \
+		--target-host $NF_ADDR --use-remote-sudo \
 		"$@"
 elif [[ $1 = check ]]; then
 	EXIT_CODE=0
@@ -31,6 +39,12 @@ elif [[ $1 = check ]]; then
 		echo untrusted ok: $FLAKE
 	fi
 	exit $EXIT_CODE
+elif [[ $1 = ssh ]]; then
+	shift
+	exec ssh $NIX_SSHOPTS $NF_ADDR "$@"
+elif [[ $1 = sops-keyscan ]]; then
+	shift
+	ssh-keyscan $NIX_SSHOPTS $NF_ADDR | nix run nixpkgs#ssh-to-age
 else
 	echo unknown cmd $1 >&2
 	exit 1

nixos/reisen-ct/network.nix

@@ -0,0 +1,9 @@
+{
+  lib,
+  name,
+  ...
+}: let
+  inherit (lib) mkDefault mkOverride;
+in {
+  services.resolved.enable = true;
+}

nixos/reisen-ct/proxmox.nix

@@ -0,0 +1,10 @@
+{
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+  ];
+
+  services.getty.autologinUser = "root";
+}

nixos/tailscale.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  config = {
+    networking.firewall = {
+      trustedInterfaces = [config.services.tailscale.interfaceName];
+      allowedUDPPorts = [config.services.tailscale.port];
+    };
+    systemd.network = {
+      wait-online.ignoredInterfaces = [config.services.tailscale.interfaceName];
+      networks."50-tailscale" = {
+        networkConfig = {
+          DNSDefaultRoute = false;
+          #DNS = "";
+        };
+      };
+    };
+
+    services.tailscale.enable = mkDefault true;
+
+    sops.secrets.tailscale-key = mkIf config.services.tailscale.enable { };
+    systemd.services.tailscale-autoconnect = mkIf config.services.tailscale.enable rec {
+      description = "Automatic connection to Tailscale";
+
+      # make sure tailscale is running before trying to connect to tailscale
+      after = wants ++ wantedBy;
+      wants = [ "network-pre.target" ];
+      wantedBy = [ "tailscaled.service" ];
+
+      # set this service as a oneshot job
+      serviceConfig = {
+        Type = "oneshot";
+      };
+
+      # have the job run this shell script
+      script = with pkgs; ''
+        # wait for tailscaled to settle
+        sleep 5
+
+        resolvectl revert ${config.services.tailscale.interfaceName} || false
+
+        # check if we are already authenticated to tailscale
+        status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)"
+        if [[ $status = Running ]]; then
+          # if so, then do nothing
+          exit 0
+        fi
+
+        # otherwise authenticate with tailscale
+        ${getExe tailscale} up --advertise-exit-node -authkey $(cat ${config.sops.secrets.tailscale-key.path})
+      '';
+    };
+  };
+}