From 4d3287535bfd1fb54e158733f62bed4537ac8cb6 Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Tue, 18 Jul 2023 10:31:11 -0700 Subject: [PATCH] Move to orbstack --- kat/shell/ssh.nix | 6 --- nixos/common/docs.nix | 6 ++- systems/default.nix | 14 +++++-- systems/renko.nix | 85 ++++++++++++++++++++++++++++++++++++++----- systems/sumireko.nix | 40 +++++++++++++++----- 5 files changed, 121 insertions(+), 30 deletions(-) diff --git a/kat/shell/ssh.nix b/kat/shell/ssh.nix index 8ae3f646..9cba5804 100644 --- a/kat/shell/ssh.nix +++ b/kat/shell/ssh.nix @@ -5,11 +5,5 @@ _: { controlPersist = "10m"; hashKnownHosts = true; compression = true; - extraConfig = '' - Host renko - HostName 192.168.64.3 - Port 62954 - User root - ''; }; } diff --git a/nixos/common/docs.nix b/nixos/common/docs.nix index bfd41388..9cd04ce1 100644 --- a/nixos/common/docs.nix +++ b/nixos/common/docs.nix @@ -1,3 +1,5 @@ -_: { - documentation.nixos.enable = false; +{lib, ...}: let + inherit (lib.modules) mkForce; +in { + documentation.nixos.enable = mkForce false; } diff --git a/systems/default.nix b/systems/default.nix index cc5f0102..8392f647 100644 --- a/systems/default.nix +++ b/systems/default.nix @@ -138,14 +138,20 @@ user = "root"; path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.${name}; }; - hostname = "${name}.inskip.me"; - sshOpts = ["-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${name}.config.services.openssh.ports)}"]; - sshUser = "root"; - user = "root"; + #hostname = "${name}.inskip.me"; + #sshOpts = ["-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${name}.config.services.openssh.ports)}"]; + hostname = "localhost"; + sshOpts = ["-p" "32222"]; + sshUser = "kat"; autoRollback = true; magicRollback = true; }; }) + (set.optional (host.folder == "nixos" && host.arch == "x86_64") { + ${name} = { + remoteBuild = true; + }; + }) ]; "${host.folder}Configurations".${name} = host.builder { 
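Review bot: In the systems/default.nix hunk, `hostname = "localhost"` and `sshOpts = ["-p" "32222"]` are set inside what looks like the per-host `${name}` node template, so every NixOS node generated here would deploy to the local port forward instead of its own address; the previous per-host expressions are only commented out. If more than one host passes through this mapping, keep the old expressions as the default and override only for the OrbStack guest, e.g. `hostname = if name == "renko" then "localhost" else "${name}.inskip.me";`, with the same conditional on `sshOpts`. The change to `sshUser = "kat"` while the profile keeps `user = "root"` also makes activation depend on sudo on the target, which deserves a one-line comment. The enclosing attribute set starts and ends outside the hunk, so the scope of the template is inferred from the visible lines.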
diff --git a/systems/renko.nix b/systems/renko.nix index 44c3ab00..8c8ce54f 100644 --- a/systems/renko.nix +++ b/systems/renko.nix @@ -2,19 +2,16 @@ _: let hostConfig = { lib, tree, + pkgs, + inputs, ... }: let - inherit (lib.modules) mkDefault; + inherit (lib.modules) mkDefault mkForce; in { - imports = with tree.nixos.roles; [ - bootable + imports = [ + "${inputs.nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ]; - boot = { - loader.systemd-boot.enable = true; - initrd.availableKernelModules = ["virtio_pci" "xhci_pci" "usb_storage" "usbhid"]; - }; - virtualisation.rosetta.enable = true; fileSystems = { 
@@ -37,11 +34,81 @@ _: let {device = "/dev/disk/by-uuid/fd7d113e-7fed-44fc-8ad7-82080f27cd07";} ]; - networking.interfaces.enp0s1.useDHCP = mkDefault true; + environment.systemPackages = [ + pkgs.btop + ]; + + networking.nftables.enable = mkForce false; + + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; nixpkgs.hostPlatform = mkDefault "aarch64-linux"; system.stateVersion = "22.11"; + + security.sudo.extraRules = [ + { + users = ["kat"]; + commands = [ + { + command = "ALL"; + options = ["NOPASSWD"]; + } + ]; + } + ]; + + # add OrbStack CLI tools to PATH + environment.shellInit = '' + . /opt/orbstack-guest/etc/profile-early + + # add your customizations here + + . /opt/orbstack-guest/etc/profile-late + ''; + + # faster DHCP - OrbStack uses SLAAC exclusively + networking.dhcpcd.extraConfig = '' + noarp + noipv6 + ''; + + # disable sshd + services.openssh.enable = true; + + # systemd + systemd.services."systemd-oomd".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-resolved".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-userdbd".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-udevd".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-timesyncd".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-timedated".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-portabled".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-nspawn@".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-networkd".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-machined".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-localed".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-logind".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-journald@".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-journald".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-journal-remote".serviceConfig.WatchdogSec = 0; + 
systemd.services."systemd-journal-upload".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-importd".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-hostnamed".serviceConfig.WatchdogSec = 0; + systemd.services."systemd-homed".serviceConfig.WatchdogSec = 0; + + # package installation: not needed + + # ssh config + programs.ssh.extraConfig = '' + Include /opt/orbstack-guest/etc/ssh_config + ''; + + # extra certificates + security.pki.certificateFiles = [ + "/opt/orbstack-guest/run/extra-certs.crt" + ]; }; in { arch = "aarch64"; diff --git a/systems/sumireko.nix b/systems/sumireko.nix index baa253bf..a4730e9b 100644 --- a/systems/sumireko.nix +++ b/systems/sumireko.nix @@ -3,8 +3,11 @@ _: let tree, pkgs, inputs, + lib, ... - }: { + }: let + inherit (lib.strings) concatStringsSep; + in { imports = with tree; [ kat.work ]; @@ -15,9 +18,10 @@ _: let enable = true; extraConfig = '' Host renko - HostName 192.168.64.5 - User root - IdentityFile /Users/kat/.ssh/id_rsa + HostName 127.0.0.1 + Port 32222 + User kat + IdentityFile /Users/kat/.orbstack/ssh/id_ed25519 ''; }; @@ -56,10 +60,28 @@ _: let ]; home-manager.users.kat = { - programs.zsh = { - initExtra = '' - source <(kubectl completion zsh) + home.file.".orbstack/ssh/authorized_keys".text = + (concatStringsSep "\n" tree.kat.user.data.keys) + + '' + + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILW2V8yL2vC/KDmIQdxhEeevKo1vGG18bvMNj9mLL/On ''; + programs = { + zsh = { + initExtra = '' + source <(kubectl completion zsh) + ''; + }; + ssh = { + enable = true; + extraConfig = '' + Host renko + HostName 127.0.0.1 + Port 32222 + User kat + IdentityFile /Users/kat/.orbstack/ssh/id_ed25519 + ''; + }; }; }; @@ -72,7 +94,6 @@ _: let "pandoc" ]; casks = [ - "utm" "barrier" "bitwarden" "firefox" @@ -80,9 +101,9 @@ _: let "dozer" "devtoys" "cyberduck" - "docker" "spotify" "pycharm-ce" + "element" "slack" "boop" "obsidian" @@ -96,6 +117,7 @@ _: let "anki" "firefox" "google-chrome" + "orbstack" ]; taps = [ "pulumi/tap"
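Review bot: The comment `# disable sshd` in the second systems/renko.nix hunk sits directly above `services.openssh.enable = true;` and states the opposite of what the line does; it should read something like `# keep sshd enabled (deploys log in as kat)`. This matters because the same hunk grants `kat` sudo on `ALL` with `NOPASSWD` and forces `networking.nftables.enable` to false, so any key accepted for `kat` is effectively a root login on this guest, and whether another firewall backend still filters traffic is not visible here. If that is the intended trade-off for a local container, say so in a comment next to the sudo rule and the `mkForce false`; otherwise restrict the rule to the commands the deploy needs. `security.pki.certificateFiles` also adds a bundle from `/opt/orbstack-guest/run/` to the system trust store, so whatever writes that file decides which TLS certificates the guest accepts.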
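Review bot: The `home.file.".orbstack/ssh/authorized_keys".text` value in the systems/sumireko.nix hunk at `@@ -56,10 +60,28 @@` appends a literal `ssh-ed25519 …` key with no comment field and no explanation, so a later reader cannot tell whose key is being granted access alongside `tree.kat.user.data.keys`. Add a comment above it naming the owner, for example `# public half of /Users/kat/.orbstack/ssh/id_ed25519` if that is what it is, and ideally a trailing comment field on the key line itself. The `Host renko` block added here under `programs.ssh` is also identical to the one changed in the `@@ -15,9 +18,10 @@` hunk; binding that text once in the `let` and referencing it from both places would keep the port and identity file from drifting apart.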