# Migration — build-machines → ext.vm-packer

Maps `the-custodian/infra/build-machines/` to sand-boxer `profile.vm-haskell-build`.

## What moved

| Legacy (build-machines) | sand-boxer v0 |
|-------------------------|---------------|
| Packer OVA build | **Unchanged** — operator runs Packer in the-custodian |
| VM boot + build-agent registration | **Unchanged** — systemd agent on VM |
| `make remote-build PROJECT=` | `sandboxer create --profile profile.vm-haskell-build` + SSH build (shim in build-machines Makefile) |
| `packer build` in `haskell/` | `sandboxer create --profile profile.vm-packer-build` |
| Isolated workspace `/build/` | `/build/sbx-/` per create |
| `make bridge-status` | `ssh -p 12222 build@localhost` or `sandboxer inspect` (future) |

## v0 attach workflow

1. Build/import VM per [build-machines README](~/the-custodian/infra/build-machines/README.md).
2. Ensure tunnel is up (`make bridge-status` in build-machines).
3. Create sand-boxer workspace:

   ```bash
   export SANDBOXER_VM_TUNNEL_PORT=12222  # or use SSH alias
   sandboxer create \
     --profile profile.vm-haskell-build \
     --input vm=haskell-build \
     --input repo=~/projects/my-haskell-app \
     --host localhost
   ```

4. Run builds on VM:

   ```bash
   ssh haskell-build "cd && source ~/.ghcup/env && cabal build all"
   ```

5. Destroy workspace (VM stays running):

   ```bash
   sandboxer destroy
   ```

## Inputs

| Input | Purpose |
|-------|---------|
| `vm` | SSH config alias (e.g. `haskell-build`) |
| `ssh_target` | Alias for `vm` |
| `tunnel_port` | Local reverse-tunnel port (default via `SANDBOXER_VM_TUNNEL_PORT`) |
| `repo` | Optional rsync source to workspace |
| `workspace_dir` | Override workspace path on VM |

## Packer build mode (SAND-WP-0012)

```bash
sandboxer create \
  --profile profile.vm-packer-build \
  --input packer_template=~/the-custodian/infra/build-machines/haskell \
  --input vm_name=haskell-build \
  --host localhost
```

| Input | Purpose |
|-------|---------|
| `mode` | `build` (default for profile.vm-packer-build) or `attach` |
| `packer_template` | Directory containing `*.pkr.hcl` |
| `vm_name` / `vm` | Packer `vm_name` variable |
| `packer_var_*` | Extra Packer `-var` flags (suffix → variable name) |

Runbook: `docs/runbooks/profile-vm-packer-build.md`

## Port registry (read-only pointer)

`the-custodian/infra/build-machines/port-registry.yml` maps tunnel ports 12221–12230 to VM slots. When attaching via tunnel, set `SANDBOXER_VM_TUNNEL_PORT` or `--input tunnel_port=` to a registered port.

Full ops-bridge automation is deferred — operators bring tunnels up manually.

## Not migrated yet

- State Hub capability-catalog sync from build-agent (agent unchanged)
- Automated port-registry → ops-bridge config generation

## Runbook

`docs/runbooks/profile-vm-haskell-build.md`
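
Because tunnels are brought up manually, the port-registry rule (ports 12221–12230) can be checked before `sandboxer create`. The preflight below is an added example, not part of sand-boxer or build-machines: it rejects a port outside the registered range and, going one step beyond the text, refuses a tunnel whose listener is bound to anything other than loopback. Assumptions: the function names are hypothetical, an explicit argument is taken to override `SANDBOXER_VM_TUNNEL_PORT`, and the `ss -ltn` sample is constructed.

```bash
# Added example (not sandboxer code): preflight for the tunnel port.
# Range 12221-12230 is from the page; function names are hypothetical.
REG_MIN=12221
REG_MAX=12230

# 0 if $1 is a plain 5-digit decimal inside the registered range.
port_registered() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;          # empty, signs, spaces, trailing junk
  esac
  [ "${#1}" -eq 5 ] && [ "$1" -ge "$REG_MIN" ] && [ "$1" -le "$REG_MAX" ]
}

# Reads `ss -ltn` output on stdin. 0 only if port $1 has a listener and
# every listener on it is bound to loopback.
loopback_only() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] != p) next
      seen = 1
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
    }
    END { exit !(seen && !exposed) }'
}

# Port comes from $1, else SANDBOXER_VM_TUNNEL_PORT (precedence assumed).
preflight() {
  port=${1:-${SANDBOXER_VM_TUNNEL_PORT:-}}
  port_registered "$port" ||
    { echo "port '$port' is outside $REG_MIN-$REG_MAX" >&2; return 1; }
  loopback_only "$port" ||
    { echo "port $port: no listener, or bound beyond loopback" >&2; return 1; }
}

# Constructed sample of `ss -ltn` output, so the example runs offline.
sample_ss() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:12222      0.0.0.0:*
LISTEN 0      128            [::1]:12222         [::]:*
LISTEN 0      128          0.0.0.0:12223      0.0.0.0:*
EOF
}

sample_ss | preflight 12222 && echo "12222: ok to attach"
sample_ss | preflight 12223 || echo "12223: refused"
```

On the operator host, replace the sample with live data: `ss -ltn | preflight` before running `sandboxer create`.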