From 2dc55d2a941117f0b390e4fdd62543fde9f9b20d Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Mon, 2 Sep 2024 16:42:35 +0200
Subject: [PATCH] feat: setup arkheon

---
 deps/sources.json | 12 +++++++++++
 lib/mkmachine.nix | 1 +
 machines/akhaten/default.nix | 5 ++---
 machines/core-data/default.nix | 5 ++++-
 machines/core-security/default.nix | 5 ++++-
 machines/gustave/default.nix | 10 ++++++++--
 machines/lambda/arkheon.nix | 32 ++++++++++++++++++++++++++++++
 machines/lambda/default.nix | 9 ++++++++-
 machines/nuage/default.nix | 5 ++++-
 machines/tower/default.nix | 5 ++++-
 profiles/server.nix | 15 ++++++++++++++
 secrets/arkheon-env.age | 7 +++++++
 secrets/arkheon-token.age | 19 ++++++++++++++++++
 secrets/secrets.nix | 5 +++++
 14 files changed, 125 insertions(+), 10 deletions(-)
 create mode 100644 machines/lambda/arkheon.nix
 create mode 100644 profiles/server.nix
 create mode 100644 secrets/arkheon-env.age
 create mode 100644 secrets/arkheon-token.age

diff --git a/deps/sources.json b/deps/sources.json
index 970589e..67cd52e 100644
--- a/deps/sources.json
+++ b/deps/sources.json
@@ -12,6 +12,18 @@
 "url": "https://github.com/ryantm/agenix/archive/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41.tar.gz",
 "hash": "1x8nd8hvsq6mvzig122vprwigsr3z2skanig65haqswn7z7amsvg"
 },
+ "arkheon": {
+ "type": "Git",
+ "repository": {
+ "type": "GitHub",
+ "owner": "raitobezarius",
+ "repo": "arkheon"
+ },
+ "branch": "main",
+ "revision": "113724a1a206905e68319676f73d095fcc043a42",
+ "url": "https://github.com/raitobezarius/arkheon/archive/113724a1a206905e68319676f73d095fcc043a42.tar.gz",
+ "hash": "0yh8g020d7z67iqpg7xywk4dxxa64dxa1igd45nb8w653c82w6gq"
+ },
 "buildbot-nix": {
 "type": "Git",
 "repository": {
diff --git a/lib/mkmachine.nix b/lib/mkmachine.nix
index 4b9fca1..1d90c5b 100644
--- a/lib/mkmachine.nix
+++ b/lib/mkmachine.nix
@@ -38,6 +38,7 @@ import "${nixpkgs}/nixos/lib/eval-config.nix" {
 (import "${inputs.impermanence}/nixos.nix")
 (import inputs.lanzaboote).nixosModules.lanzaboote
 (import inputs.lila).nixosModules.hash-collection
+ (import "${inputs.arkheon}/module.nix")
 {
 home-manager.useGlobalPkgs = true;
 nixpkgs.system = system;
diff --git a/machines/akhaten/default.nix b/machines/akhaten/default.nix
index 4285a21..a600824 100644
--- a/machines/akhaten/default.nix
+++ b/machines/akhaten/default.nix
@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ inputs, profiles, ... }:
 {
 imports = [
 ./hardware.nix
@@ -16,10 +16,9 @@
 public.ipv6 = "2001:0bc8:3d24::45";
 vpn.ipv4 = "100.100.45.33";
 };
+ profiles = with profiles; [ server ];
 };
- deployment.tags = [ "server" ];
-
 disko = import ./disko.nix;
 environment.persistence."/persistent" = {
diff --git a/machines/core-data/default.nix b/machines/core-data/default.nix
index ee4f9b2..ea3eeaa 100644
--- a/machines/core-data/default.nix
+++ b/machines/core-data/default.nix
@@ -16,7 +16,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.66";
diff --git a/machines/core-security/default.nix b/machines/core-security/default.nix
index 91e75a3..d396826 100644
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@@ -17,7 +17,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.175";
diff --git a/machines/gustave/default.nix b/machines/gustave/default.nix
index b2fb224..c0e61c5 100644
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
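Review bot: `(import "${inputs.arkheon}/module.nix")` is added to every machine's module list here, but the overlay that (judging by `ps.arkheon` in machines/lambda/arkheon.nix) provides the arkheon package is only installed on lambda, while profiles/server.nix enables `services.arkheon.record` on every server. If the record side of module.nix references any package that only exists through overlay.nix, hosts other than lambda will fail to evaluate; worth a check of module.nix, and if so the overlay belongs beside this import rather than on one machine. The enclosing module list starts above the hunk.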
@@ -15,7 +15,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.90";
@@ -118,7 +121,10 @@ fileSystems."/srv".neededForBoot = true;
- environment.systemPackages = [ pkgs.tailscale ];
+ environment.systemPackages = [
+ pkgs.tailscale
+ pkgs.bottom
+ ];
 services.tailscale.enable = true;
diff --git a/machines/lambda/arkheon.nix b/machines/lambda/arkheon.nix
new file mode 100644
index 0000000..2293113
--- /dev/null
+++ b/machines/lambda/arkheon.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}:
+ {
+ age.secrets."arkheon-env".file = ../../secrets/arkheon-env.age;
+ nixpkgs.overlays = [ (import (inputs.arkheon.outPath + "/overlay.nix")) ];
+ services.arkheon = {
+ enable = true;
+ pythonEnv = pkgs.python3.withPackages (ps: [
+ ps.arkheon
+ ps.daphne
+ ps.psycopg2
+ ]);
+ domain = "arkheon.luj.fr";
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ envFile = config.age.secrets."arkheon-env".path;
+ };
+}
diff --git a/machines/lambda/default.nix b/machines/lambda/default.nix
index b16fc4f..c032072 100644
--- a/machines/lambda/default.nix
+++ b/machines/lambda/default.nix
@@ -1,15 +1,22 @@
-{ pkgs, inputs, ... }:
+{
+ pkgs,
+ inputs,
+ profiles,
+ ...
+}:
 {
 imports = [
 ./hardware.nix
 ./home-julien.nix
+ ./arkheon.nix
 ];
 machine.meta = {
 arch = "aarch64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
+ profiles = with profiles; [ server ];
 ips = {
 public.ipv4 = "141.145.197.219";
 vpn.ipv4 = "100.100.45.13";
diff --git a/machines/nuage/default.nix b/machines/nuage/default.nix
index ab93c09..3e5f58f 100644
--- a/machines/nuage/default.nix
+++ b/machines/nuage/default.nix
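Review bot: The Arkheon host name is spelled out twice in this patch, `domain = "arkheon.luj.fr";` in machines/lambda/arkheon.nix and `url = "https://arkheon.luj.fr";` in profiles/server.nix, with nothing tying the two together, so a rename or a move to another host silently breaks every record client unless both are edited. A single shared value (for example one constant under lib/ that both files read) would remove that drift. `age.secrets."arkheon-env"` also keeps agenix's default owner and mode (root, 0400); that is fine if module.nix passes `envFile` to systemd as an `EnvironmentFile`, which the service manager reads as root, but not if the service opens the file itself under its own user — confirm which before deploying.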
@@ -16,7 +16,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.101";
diff --git a/machines/tower/default.nix b/machines/tower/default.nix
index e8e536c..e45151c 100644
--- a/machines/tower/default.nix
+++ b/machines/tower/default.nix
@@ -16,7 +16,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.103";
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..6c07f47
--- /dev/null
+++ b/profiles/server.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+ deployment.tags = [ "server" ];
+
+ # Enable arkheon
+ age.secrets."arkheon-token".file = ../secrets/arkheon-token.age;
+ services.arkheon.record = {
+ enable = true;
+
+ tokenFile = config.age.secrets."arkheon-token".path;
+
+ url = "https://arkheon.luj.fr";
+ };
+
+}
diff --git a/secrets/arkheon-env.age b/secrets/arkheon-env.age
new file mode 100644
index 0000000..04bb994
--- /dev/null
+++ b/secrets/arkheon-env.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 xaddyw ZvIIOcc3v95ivUkaaQmM9eXig+vgtAOLkZi+1kCLHiY
+Mnw5zjdLf9TwoGXhMVKIm7TmLNC7rZm9HBQJ0mJNokw
+-> ssh-ed25519 AqX2tg DVSj5eSO/9vc6gUatXbC/Pt6uwM1it1T8xiE7GaCeC8
+HCs7MiXldWUVGyLJCrBVBscPRH37VhfNCgs8pUxWf1E
+--- HbWcy3CgZKQA7estdLCHKJ0a95hMbelxsXgrpX6mmqw
+BTK~ؖC01" QpXqókԃ%Q%4/}~}l-
\ No newline at end of file
diff --git a/secrets/arkheon-token.age b/secrets/arkheon-token.age
new file mode 100644
index 0000000..c3934f1
--- /dev/null
+++ b/secrets/arkheon-token.age
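Review bot: `tokenFile = config.age.secrets."arkheon-token".path;` in profiles/server.nix points every server at the same secret, and secrets/secrets.nix in this patch encrypts `arkheon-token.age` to the whole `servers` list, so one bearer token is shared by the fleet. Any single compromised host then holds a credential that is valid for reporting as every other host, the server cannot distinguish submitters by credential, and rotating the token means re-encrypting and redeploying everywhere; one token per machine (e.g. `arkheon-token-<host>.age`, selected from the machine name) would keep revocation and attribution per host. The comment `# Enable arkheon` could say what is actually being set up, e.g. `# Report this host's deployments to the Arkheon instance on lambda (fleet-wide shared token, see secrets/secrets.nix)`.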
@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 IRHAkA ZDIIf7vkWc/k0Zw2IdAH48bLelKC3dBdmexNyjWwcRo
+ciyoA+JmjBlcH8jLbBEcuXJ1QIyGoElyOUxmAyEF/d4
+-> ssh-ed25519 AqX2tg kuQVjo/FrDzH9H1PEaR8wkVdATQTK2c8P3k4d33TcA4
+j9pRxEFt1tPXaW8+a8tc4w6183I4v+0t4YQ+02Y5eoQ
+-> ssh-ed25519 bD9h7A FcJcItxDXCSkZUdbQYSEtTgeovBaLZ2DpGZ/oa45ozI
+PE71hq6shAv0j0rRw29XOuUZQSVQZU5w3SfVR2SJpZ0
+-> ssh-ed25519 2Wt2Kw Bc7w+3+nJ8S21LvXTwQfnDqvZOWJqKM/HdkvCy5qvXc
+gxqZ3zWbLWSvePBrvKm4DUF5xkpm3qJpJMCmeUSmBoQ
+-> ssh-ed25519 xaddyw a5x5Wb5hRH0UwPMCvQHAbfbYERNKjD4kB9WswzY/ng4
+CPARmPO1Jbs6BVFMgjD4uXn4GdgFx57h46eCXDWRrEQ
+-> ssh-ed25519 6rkyTg w6tpomaTIcrE5wOCy4+5jCF/R6v5ncCDT6CXyADnjmg
+dGwwoXPj4CGmbravQl0M1umUO7u7+01rggplavFmtc8
+-> ssh-ed25519 d3M2Dw o86nsTjni4Ic6ZF2WPuqTlGU5yA/MnBy5Gy9U6nqTnM
+B4mXfVPhr+qsvDatzgnfP49hGvCkWcnCDXBVyH6QucU
+-> ssh-ed25519 81O5Zw qEc+B241+0nX/n41crMc7HtKes1L5a088Q2idprrqjw
+01aUvolF+mXno/ie3KuHPKDEbAbVtXlc6VlarQHSvJw
+--- XVLJes18b88bFv7PL8TOONNAiLT3FU/hHwcr0f60KRw
+Op@C+O^iU=Vta-5ec_nZWV:MPRbcX
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 59debc7..25ee09c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -76,4 +76,9 @@ in
 tower
 akhaten
 ];
+ "arkheon-env.age".publicKeys = [
+ lambda
+ tower
+ ];
+ "arkheon-token.age".publicKeys = servers;
 }
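Review bot: `"arkheon-env.age".publicKeys = [ lambda tower ];` lets tower decrypt the server environment file, yet only lambda consumes it (machines/lambda/arkheon.nix sets it as `services.arkheon.envFile`), so tower is a recipient with no visible need. If tower's key is there so the secret can be edited from that machine, a one-line comment such as `# tower: editing key, not a consumer` would make that explicit; otherwise drop it and keep the file decryptable only by the host that runs the service. `servers`, which `arkheon-token.age` is encrypted to, is defined outside the hunk.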