From f56d51181216d280ce095bfc1ba6e87d1266ba1a Mon Sep 17 00:00:00 2001 From: arcnmx Date: Mon, 12 Feb 2024 11:52:57 -0800 Subject: [PATCH] feat(aya): build box --- .github/workflows/nodes.yml | 62 ++++++++++++++++++++++++++++++ .sops.yaml | 8 ++++ ci/flake-cron.nix | 2 +- ci/nodes.nix | 2 +- devShells.nix | 2 +- systems/aya/default.nix | 7 ++++ systems/aya/lxc.json | 25 ++++++++++++ systems/aya/nixos.nix | 29 ++++++++++++++ systems/aya/secrets.yaml | 57 ++++++++++++++++++++++++++++ systems/reimu/nixos.nix | 2 + systems/reisen/setup.sh | 18 +++++++++ systems/reisen/subgid | 1 + systems/reisen/subuid | 1 + tf/cloudflare_records.tf | 11 ++++++ tf/proxmox_vms.tf | 76 ++++++++++++++++++++++++++++++++++++- 15 files changed, 299 insertions(+), 4 deletions(-) create mode 100644 systems/aya/default.nix create mode 100644 systems/aya/lxc.json create mode 100644 systems/aya/nixos.nix create mode 100644 systems/aya/secrets.yaml diff --git a/.github/workflows/nodes.yml b/.github/workflows/nodes.yml index 4b31b657..0df41145 100644 --- a/.github/workflows/nodes.yml +++ b/.github/workflows/nodes.yml 
@@ -3,6 +3,68 @@ env: CI_CONFIG: ./ci/nodes.nix CI_PLATFORM: gh-actions jobs: + aya: + name: nodes-aya + runs-on: ubuntu-latest + steps: + - id: checkout + name: git clone + uses: actions/checkout@v3 + with: + submodules: false + - id: nix-install + name: nix install + uses: arcnmx/ci/actions/nix/install@v0.6 + - id: ci-setup + name: nix setup + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.aya.run.bootstrap + quiet: false + - id: architectures + name: prepare for emulated builds + run: 'sudo $(which archbinfmt) + + ' + - id: ci-dirty + name: nix test dirty + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.aya.run.test + command: ci-build-dirty + quiet: false + stdout: ${{ runner.temp }}/ci.build.dirty + - id: ci-test + name: nix test build + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.aya.run.test + command: ci-build-realise + ignore-exit-code: true + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + - env: + CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} + id: ci-summary + name: nix test results + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.aya.run.test + command: ci-build-summarise + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + stdout: ${{ runner.temp }}/ci.build.cache + - env: + CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} + id: ci-cache + if: always() + name: nix test cache + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.aya.run.test + command: ci-build-cache + quiet: false + stdin: ${{ runner.temp }}/ci.build.cache ci-check: name: nodes check runs-on: ubuntu-latest diff --git a/.sops.yaml b/.sops.yaml index 557dcab8..6aacff65 100644 --- a/.sops.yaml +++ b/.sops.yaml 
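Review bot: Every action in the new `aya` job is referenced by a mutable tag — `actions/checkout@v3`, `arcnmx/ci/actions/nix/install@v0.6` and `arcnmx/ci/actions/nix/run@v0.6` — so whoever can move those tags controls the code that runs in the `ci-cache` step with `secrets.CACHIX_SIGNING_KEY` in its environment. Pinning to a full commit SHA with the tag kept as a comment, `uses: actions/checkout@<commit-sha> # v3`, fixes what gets executed while still letting a bot propose bumps. The `CI_CONFIG: ./ci/nodes.nix` env and the matching `enabledHosts` change elsewhere in this patch suggest this YAML is generated from ci/nodes.nix; if so, the pin has to be applied in the generator rather than edited here. The pre-existing jobs in this file (the `ci-check` context lines and beyond) appear to use the same tag pins and are outside this hunk.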
@@ -3,6 +3,7 @@ keys: - &mew 65BD3044771CB6FB - &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq - &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 +- &aya_osh age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr @@ -19,6 +20,7 @@ creation_rules: age: &reisen_common - *hakurei_osh - *reimu_osh + - *aya_osh - *tei_osh - *mediabox_osh - path_regex: 'systems/hakurei/secrets\.yaml$' @@ -33,6 +35,12 @@ creation_rules: - pgp: *pgp_common age: - *reimu_osh +- path_regex: 'systems/aya/secrets\.yaml$' + shamir_threshold: 1 + key_groups: + - pgp: *pgp_common + age: + - *aya_osh - path_regex: 'systems/tewi/secrets\.yaml$' shamir_threshold: 1 key_groups: diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix index a5ea57f3..93238ab2 100644 --- a/ci/flake-cron.nix +++ b/ci/flake-cron.nix @@ -96,7 +96,7 @@ in { displayName = "flake update build"; environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"]; command = let - filteredHosts = [ "hakurei" "reimu" "tei" "mediabox" ]; + filteredHosts = [ "hakurei" "reimu" "aya" "tei" "mediabox" ]; gcBetweenHosts = false; nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts; in '' diff --git a/ci/nodes.nix b/ci/nodes.nix index 7a9a6c82..a9dce17d 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix 
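Review bot: Adding `*aya_osh` to the `reisen_common` age group (second hunk) widens the recipient set of every secrets file that rule covers, but editing `.sops.yaml` does not re-encrypt anything by itself; until `sops updatekeys` is run on those files the aya host key cannot decrypt them, and the diffstat shows no existing `secrets.yaml` being rewritten in this commit — only `systems/aya/secrets.yaml` is created. If `reisen_common` secrets are meant to be readable on aya, either include the re-encrypted files in a follow-up or note in the commit message that the update was done out of band. The dedicated `systems/aya/secrets\.yaml$` rule in the third hunk matches the neighbouring per-host rules (`shamir_threshold: 1`, PGP group plus the single host age key), so any one group suffices to decrypt, as for the other hosts.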
@@ -60,7 +60,7 @@ with lib; { }; jobs = let - enabledHosts = ["hakurei" "reimu" "tei" "mediabox" "ct"]; + enabledHosts = ["hakurei" "reimu" "aya" "tei" "mediabox" "ct"]; in mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: { tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel; diff --git a/devShells.nix b/devShells.nix index 836978c3..a8ec10e6 100644 --- a/devShells.nix +++ b/devShells.nix @@ -25,7 +25,7 @@ ''; nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" '' set -eu - for host in hakurei reimu tei mediabox ct; do + for host in hakurei reimu aya tei mediabox ct; do nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test done ''; diff --git a/systems/aya/default.nix b/systems/aya/default.nix new file mode 100644 index 00000000..ea396fa3 --- /dev/null +++ b/systems/aya/default.nix @@ -0,0 +1,7 @@ +_: { + arch = "x86_64"; + type = "NixOS"; + modules = [ + ./nixos.nix + ]; +} diff --git a/systems/aya/lxc.json b/systems/aya/lxc.json new file mode 100644 index 00000000..4a81eb72 --- /dev/null +++ b/systems/aya/lxc.json @@ -0,0 +1,25 @@ +{ + "lxc": { + "lxc.mount.entry": [ + "/rpool/shared/nix/store nix/store none bind,create=dir", + "/rpool/shared/nix/var nix/var none bind,create=dir", + "/dev/net/tun dev/net/tun none bind,optional,create=file" + ], + "lxc.idmap": [ + "u 0 100000 8000", + "g 0 100000 8000", + "u 8000 8000 128", + "g 8000 8000 256", + "u 8128 108128 21872", + "g 8256 108256 21744", + "u 30000 30000 256", + "g 30000 30000 256", + "u 30256 130256 35278", + "g 30256 130256 35278", + "u 65534 65534 1", + "g 65534 65534 1", + "u 65535 165535 1", + "g 65535 165535 1" + ] + } +} diff --git a/systems/aya/nixos.nix b/systems/aya/nixos.nix new file mode 100644 index 00000000..d6602bb9 --- /dev/null +++ b/systems/aya/nixos.nix 
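Review bot: The `lxc.idmap` entries `u 8000 8000 128`, `g 8000 8000 256`, `u 30000 30000 256`, `g 30000 30000 256` and `u/g 65534 65534 1` in the new `systems/aya/lxc.json` are identity mappings, so processes and files in the container under those ids carry the same uid/gid on the host — an intentional gap in the otherwise shifted (100000-based) mapping, presumably required by the shared `/rpool/shared/nix/store` and `/rpool/shared/nix/var` bind mounts, but nothing in the file says why. Since JSON cannot carry a comment, the rationale, and the fact that these ranges must stay in step with `systems/reisen/subuid`/`subgid` (changed in this commit but not shown here), would be worth a short comment in `systems/aya/nixos.nix` or the `reisen-ct` module. Both columns add up to 65536 ids, so the asymmetry between the uid block (128) and gid block (256) at 8000 is arithmetically consistent; if it is deliberate, stating it avoids the next reader treating it as a typo.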
@@ -0,0 +1,29 @@ +{ + config, + meta, + lib, + access, + ... +}: { + imports = let + inherit (meta) nixos; + in [ + nixos.sops + nixos.base + nixos.reisen-ct + nixos.tailscale + ]; + + systemd.network.networks.eth0 = { + name = "eth0"; + matchConfig = { + MACAddress = "BC:24:11:C4:66:A9"; + Type = "ether"; + }; + DHCP = "no"; + }; + + sops.defaultSopsFile = ./secrets.yaml; + + system.stateVersion = "23.11"; +} diff --git a/systems/aya/secrets.yaml b/systems/aya/secrets.yaml new file mode 100644 index 00000000..82293ca5 --- /dev/null +++ b/systems/aya/secrets.yaml 
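Review bot: `systemd.network.networks.eth0` sets `DHCP = "no"` but, unlike the `systems/reimu/nixos.nix` hunk in this same commit, gives no `address`/`gateway`, so unless `nixos.reisen-ct` (imported above) supplies addressing for this host, the interface matched on `BC:24:11:C4:66:A9` ends up with no IPv4 configuration. If aya is meant to be statically addressed like reimu, add `address = [ "<ip/prefix>" ]; gateway = [ "<gateway-ip>" ];` next to `DHCP = "no"`; if the container module handles it, a one-line comment such as `# addressing is assigned by nixos.reisen-ct` would save the next reader the same question. Of the module arguments `config`, `meta`, `lib` and `access`, only `meta` is used in this file; the others can be dropped from the pattern.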
@@ -0,0 +1,57 @@ +tailscale-key: ENC[AES256_GCM,data:xPRB5YqJxDEcesHB3og1Gw0g8y1pgILN/BPt4Wxzznw8l+zSgbIt9HIUVxyCjFHqUEGt3FmUAhk=,iv:8FA7r5GhsYuG0dNDkm7O+jHtxNxTdA4lLQrOHUxoSNk=,tag:hWgMBmQAq8mi4775K/wgfA==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaUQrQUt2d2M1UCtUVjFr + SHFzTWJrNjdrSDFOY3RFOVRpSGtBZm5yS0NjCm1kc0dIbTZGc3Y0VUw0d1Yycllu + V0JYZUhwMzhIa1NYTG0vemNwalVUbHcKLS0tIE9TOC9FVzNONFFCY1ZnUEY5bFhk + dDdDUVNiS3JQakxYelBkYUJuYlpUNGMKKPwnEeeuk7duE8X6fyuPCEyFJjnwgcXb + 1yW0OY0sLOIjSBAacDg4z+nTG4G0rqmwokS9MF3nHv0KCRF6Iv1f1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-12T19:30:41Z" + mac: ENC[AES256_GCM,data:WG2588t0RzQ4jYULy/IyRMCrjDgApAHgZL0GEMV0t7ZVtcXgu+v6uUAC7u3VdctBE+tNKmO9qybeUHkRrNko/zm/v32f0bad435EVcBdMM3H+AkuctOYaXKOjUC1n7ySLlTREjR1JPT3RhSnt+pTqR8r4EFC73PquZcqi1kBOQw=,iv:CN+X6HaChq9s94JaP6YMBGcrg6fXqHHTK2i666chhLI=,tag:vNuAWQ20G/t95d8Yn3YPGQ==,type:str] + pgp: + - created_at: "2024-02-12T20:14:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ/+Pv9+nknTSs0d1LLMKY+4R0gTgCvQ452aGgSZIfRVHmr5 + HPIhuW/BCSJ4uIU2TECr76sF5UzJcr36tnhjrEWaHV5jUQ16qJeRKRkbhwpOxxlo + rQkSQEwXJ9A3BPo+cXsyXXfME8Ui7tlmZIzF2eEvWKGyaB4IggAOO3t0TexuCrft + EfhcLIFrGgsdf/g29lB+iGE8C0Y8wWh6VVSfv5j9O+vr/oLz7ssW5bYAw/Nn7Hhu + PKbE4MgZy1cw73ytfDrUjAEtDSG5RWFXutD6DXc5/hjoDfsqyiHt9eVdqhjGgxKM + Z21fRNpG8hMDCiFssnHU0SbDR0cszx2qlI0P5XdZJsr3aabsvtwcWiwqdNj571JJ + esbVAZy7Yh5mtXTWmc22+w4QjcMJx6t8w/GFbJV/jccU1vNCGgzAJLcAlBVRoTXX + PqoV+4PlU21+M2IwpsIgtifVfagETesgK/XL7mw28GS2vwSomUAOpwQlyBFd2ve6 + XZA8eGTt8yjf8c8DiubKv8xeQb6um3db3SCcrOfoF58E/H2lqsabwqHwORf28v3M + d9bek9MD0aqEb/k8ZK1KTVTEY6nFYiJqgkmGKVglttcdekgosDhVPuoHai+fsuzY + R6A/uAzX1Nw9KLasy3DebNpK7dm8gz9t4KHkyUcyq52L+A1A8M8E5uMaRKy4FzzS + 
XAFelxSF50zY1toDz4wRUBkyxnKyipbxQwvYYJiWjJDSNtYuqT/15tgCSATPNp52 + omUYhtiTEdRDBUst+QC+FBmypMEJbUAO8a9QK0ZJm7quL120Mz4NrDpFBcwy + =l6Ld + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-02-12T20:14:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQgA2M8VEeirAQ/f/qlEG+nZNMxQA/x0dN5WRYU5SZj5LHDd + xsTqDUOTRd+yiVuq9J6nisOgHepdBM31QVrRe+OXb44dxF15nm4Ojjj+DobXQDOf + dEUMUStnj6BzPCxNfqkcMfAdG3a0KPPPJIw40yhBr2KYHHFMjMVCS0T1Z+f1JrY8 + K58NQsj2luc+iRhppcBK71IYEwT186TOCHraf8MRQWM7lyMMQygp/YEDWNBkgC/r + mteqq13+/oQWQmGuy/+zrJyPi+h7/pbidZTGGXjL39L/tI+SqwolXDj1GrnpTd8p + nRf3yJ3m7E9lBN1k5yTEQofcZH7mBkGB/jS5g5x3o9JcAfdJMY0s+wGHGISabagt + eRk2FigKgqkRyMXTU183ZBiCeXxzvUhraHK2NcPce2CemR5G0SbonY0jTDLc9Aki + zTliOhBy7KEPEC7nYvfs3Gt5jausamcSgwtLWZ0= + =TvDY + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/systems/reimu/nixos.nix b/systems/reimu/nixos.nix index 99374b8b..76ee5fe3 100644 --- a/systems/reimu/nixos.nix +++ b/systems/reimu/nixos.nix @@ -23,6 +23,8 @@ MACAddress = "BC:24:11:C4:66:A8"; Type = "ether"; }; + address = ["10.1.1.45/24"]; + gateway = ["10.1.1.1"]; DHCP = "no"; }; diff --git a/systems/reisen/setup.sh b/systems/reisen/setup.sh index dd1c9e4b..7945a698 100644 --- a/systems/reisen/setup.sh +++ b/systems/reisen/setup.sh @@ -91,3 +91,21 @@ chown tf:tf /home/tf/.bash{rc,_profile} cat > /etc/sudoers.d/tf <