nixos/colony: Add qclk management container

nixos/boxes/colony/default.nix

@@ -264,10 +264,12 @@ in
                       Destination = prefixes.ctrs.v6;
                       Gateway = allAssignments.shill.internal.ipv6.address;
                     }
+
                     {
                       Destination = allAssignments.shill.internal.ipv4.address;
                       Gateway = allAssignments.shill.routing.ipv4.address;
                     }
+
                     {
                       Destination = lib.my.c.tailscale.prefix.v4;
                       Gateway = allAssignments.shill.routing.ipv4.address;
@@ -276,6 +278,11 @@ in
                       Destination = lib.my.c.tailscale.prefix.v6;
                       Gateway = allAssignments.shill.internal.ipv6.address;
                     }
+                    {
+                      Destination = prefixes.qclk.v4;
+                      Gateway = allAssignments.shill.routing.ipv4.address;
+                    }
+
                     {
                       Destination = prefixes.jam.v6;
                       Gateway = allAssignments.shill.internal.ipv6.address;

nixos/boxes/colony/vms/estuary/default.nix

@@ -308,6 +308,11 @@ in
                           Destination = lib.my.c.tailscale.prefix.v6;
                           Gateway = allAssignments.colony.internal.ipv6.address;
                         }
+
+                        {
+                          Destination = prefixes.qclk.v4;
+                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        }
                       ] ++
                       (map (pName: [
                         {

nixos/boxes/colony/vms/shill/containers/default.nix

@@ -8,5 +8,6 @@
     ./object.nix
     ./toot.nix
     ./waffletail.nix
+    ./qclk
   ];
 }

nixos/boxes/colony/vms/shill/containers/qclk/default.nix

@@ -0,0 +1,115 @@
+{ lib, ... }:
+let
+  inherit (lib.my) net;
+  inherit (lib.my.c.colony) domain prefixes qclk;
+in
+{
+  nixos.systems.qclk = { config, ... }: {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+    rendered = config.configuration.config.my.asContainer;
+
+    assignments = {
+      internal = {
+        name = "qclk-ctr";
+        inherit domain;
+        ipv4.address = net.cidr.host 10 prefixes.ctrs.v4;
+        ipv6 = {
+          iid = "::a";
+          address = net.cidr.host 10 prefixes.ctrs.v6;
+        };
+      };
+      qclk = {
+        ipv4 = {
+          address = net.cidr.host 1 prefixes.qclk.v4;
+          gateway = null;
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, config, assignments, ... }:
+    let
+      inherit (lib) concatStringsSep mkMerge mkIf mkForce;
+      inherit (lib.my) networkdAssignment;
+
+      apiPort = 8080;
+
+      instances = [
+        {
+          host = 2;
+          wgKey = "D7z1FhcdxpnrGCE0wBW5PZb5BKuhCu6tcZ/5ZaYxdwQ=";
+        }
+      ];
+      ipFor = i: net.cidr.host i.host prefixes.qclk.v4;
+    in
+    {
+      config = {
+        environment = {
+          systemPackages = with pkgs; [
+            wireguard-tools
+          ];
+        };
+
+        my = {
+          deploy.enable = false;
+          server.enable = true;
+
+          secrets = {
+            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1kcfvahYmSk8IJKaUIcGkhxf/8Yse2XnU7Qqgcglyq";
+            files = {
+              "qclk/wg.key" = {
+                group = "systemd-network";
+                mode = "440";
+              };
+            };
+          };
+
+          firewall = {
+            udp.allowed = [ qclk.wgPort ];
+            extraRules = ''
+              table inet filter {
+                chain input {
+                  iifname management tcp dport ${toString apiPort} accept
+                }
+                chain forward {
+                  iifname host0 oifname management ip saddr { ${concatStringsSep ", " lib.my.c.as211024.trusted.v4} } accept
+                }
+              }
+              table inet nat {
+                chain postrouting {
+                  iifname host0 oifname management snat ip to ${assignments.qclk.ipv4.address}
+                }
+              }
+            '';
+          };
+        };
+
+        systemd = {
+          network = {
+            netdevs."30-management" = {
+              netdevConfig = {
+                Name = "management";
+                Kind = "wireguard";
+              };
+              wireguardConfig = {
+                PrivateKeyFile = config.age.secrets."qclk/wg.key".path;
+                ListenPort = qclk.wgPort;
+              };
+              wireguardPeers = map (i: {
+                PublicKey = i.wgKey;
+                AllowedIPs = [ (ipFor i) ];
+              }) instances;
+            };
+            networks = {
+              "30-container-host0" = networkdAssignment "host0" assignments.internal;
+
+              "30-management" = networkdAssignment "management" assignments.qclk;
+            };
+          };
+        };
+
+        services = { };
+      };
+    };
+  };
+}

nixos/boxes/colony/vms/shill/default.nix

@@ -152,6 +152,11 @@ in
                         Destination = lib.my.c.tailscale.prefix.v6;
                         Gateway = allAssignments.waffletail.internal.ipv6.address;
                       }
+
+                      {
+                        Destination = prefixes.qclk.v4;
+                        Gateway = allAssignments.qclk.internal.ipv4.address;
+                      }
                     ];
                   }
                 ];
@@ -211,6 +216,7 @@ in
                   };
                   toot = {};
                   waffletail = {};
+                  qclk = {};
                 };
               in
               mkMerge [