feat: setup arkheon

2025-03-28 14:50:55 +01:00 · 2024-09-02 16:42:35 +02:00 · 2024-09-02 16:42:35 +02:00 · 2dc55d2a94
commit 2dc55d2a94
parent 0ae1917081
14 changed files with 125 additions and 10 deletions
--- a/deps/sources.json
+++ b/deps/sources.json
@ -12,6 +12,18 @@
      "url": "https://github.com/ryantm/agenix/archive/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41.tar.gz",
      "hash": "1x8nd8hvsq6mvzig122vprwigsr3z2skanig65haqswn7z7amsvg"
    },
    "arkheon": {
      "type": "Git",
      "repository": {
        "type": "GitHub",
        "owner": "raitobezarius",
        "repo": "arkheon"
      },
      "branch": "main",
      "revision": "113724a1a206905e68319676f73d095fcc043a42",
      "url": "https://github.com/raitobezarius/arkheon/archive/113724a1a206905e68319676f73d095fcc043a42.tar.gz",
      "hash": "0yh8g020d7z67iqpg7xywk4dxxa64dxa1igd45nb8w653c82w6gq"
    },
    "buildbot-nix": {
      "type": "Git",
      "repository": {
--- a/lib/mkmachine.nix
+++ b/lib/mkmachine.nix
@ -38,6 +38,7 @@ import "${nixpkgs}/nixos/lib/eval-config.nix" {
    (import "${inputs.impermanence}/nixos.nix")
    (import inputs.lanzaboote).nixosModules.lanzaboote
    (import inputs.lila).nixosModules.hash-collection
    (import "${inputs.arkheon}/module.nix")
    {
      home-manager.useGlobalPkgs = true;
      nixpkgs.system = system;
--- a/machines/akhaten/default.nix
+++ b/machines/akhaten/default.nix
@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ inputs, profiles, ... }:
 {
  imports = [
    ./hardware.nix
@ -16,10 +16,9 @@
      public.ipv6 = "2001:0bc8:3d24::45";
      vpn.ipv4 = "100.100.45.33";
    };
    profiles = with profiles; [ server ];
  };
  deployment.tags = [ "server" ];
  disko = import ./disko.nix;
  environment.persistence."/persistent" = {
--- a/machines/core-data/default.nix
+++ b/machines/core-data/default.nix
@ -16,7 +16,10 @@
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
-    profiles = with profiles; [ vm-simple-network ];
+    profiles = with profiles; [
      vm-simple-network
      server
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
      local.ipv4 = "192.168.0.66";
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@ -17,7 +17,10 @@
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
-    profiles = with profiles; [ vm-simple-network ];
+    profiles = with profiles; [
      vm-simple-network
      server
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
      local.ipv4 = "192.168.0.175";
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@ -15,7 +15,10 @@
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
-    profiles = with profiles; [ vm-simple-network ];
+    profiles = with profiles; [
      vm-simple-network
      server
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
      local.ipv4 = "192.168.0.90";
@ -118,7 +121,10 @@
  fileSystems."/srv".neededForBoot = true;
-  environment.systemPackages = [ pkgs.tailscale ];
+  environment.systemPackages = [
    pkgs.tailscale
    pkgs.bottom
  ];
  services.tailscale.enable = true;
--- a/machines/lambda/arkheon.nix
+++ b/machines/lambda/arkheon.nix
@ -0,0 +1,32 @@
 {
  config,
  inputs,
  pkgs,
  ...
 }:
 {
  age.secrets."arkheon-env".file = ../../secrets/arkheon-env.age;
  nixpkgs.overlays = [ (import (inputs.arkheon.outPath + "/overlay.nix")) ];
  services.arkheon = {
    enable = true;
    pythonEnv = pkgs.python3.withPackages (ps: [
      ps.arkheon
      ps.daphne
      ps.psycopg2
    ]);
    domain = "arkheon.luj.fr";
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    envFile = config.age.secrets."arkheon-env".path;
  };
 }
--- a/machines/lambda/default.nix
+++ b/machines/lambda/default.nix
@ -1,15 +1,22 @@
-{ pkgs, inputs, ... }:
+{
  pkgs,
  inputs,
  profiles,
  ...
 }:
 {
  imports = [
    ./hardware.nix
    ./home-julien.nix
    ./arkheon.nix
  ];
  machine.meta = {
    arch = "aarch64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
    profiles = with profiles; [ server ];
    ips = {
      public.ipv4 = "141.145.197.219";
      vpn.ipv4 = "100.100.45.13";
--- a/machines/nuage/default.nix
+++ b/machines/nuage/default.nix
@ -16,7 +16,10 @@
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
-    profiles = with profiles; [ vm-simple-network ];
+    profiles = with profiles; [
      vm-simple-network
      server
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
      local.ipv4 = "192.168.0.101";
--- a/machines/tower/default.nix
+++ b/machines/tower/default.nix
@ -16,7 +16,10 @@
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
-    profiles = with profiles; [ vm-simple-network ];
+    profiles = with profiles; [
      vm-simple-network
      server
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
      local.ipv4 = "192.168.0.103";
--- a/profiles/server.nix
+++ b/profiles/server.nix
@ -0,0 +1,15 @@
 { config, ... }:
 {
  deployment.tags = [ "server" ];
  # Enable arkheon
  age.secrets."arkheon-token".file = ../secrets/arkheon-token.age;
  services.arkheon.record = {
    enable = true;
    tokenFile = config.age.secrets."arkheon-token".path;
    url = "https://arkheon.luj.fr";
  };
 }
--- a/secrets/arkheon-env.age
+++ b/secrets/arkheon-env.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 xaddyw ZvIIOcc3v95ivUkaaQmM9eXig+vgtAOLkZi+1kCLHiY
 Mnw5zjdLf9TwoGXhMVKIm7TmLNC7rZm9HBQJ0mJNokw
 -> ssh-ed25519 AqX2tg DVSj5eSO/9vc6gUatXbC/Pt6uwM1it1T8xiE7GaCeC8
 HCs7MiXldWUVGyLJCrBVBscPRH37VhfNCgs8pUxWf1E
 --- HbWcy3CgZKQA7estdLCHKJ0a95hMbelxsXgrpX6mmqw
 ÏÁîB±’T¢æK~ ˜Ø–ÞC01é"ÈË QÁÁpXç„ÔúñqÃ³kÔƒ‹œ‰ž%½¥£QËé%4ƒ/Ô}~<7E>„Ú}Ël-
--- a/secrets/arkheon-token.age
+++ b/secrets/arkheon-token.age
@ -0,0 +1,19 @@
 age-encryption.org/v1
 -> ssh-ed25519 IRHAkA ZDIIf7vkWc/k0Zw2IdAH48bLelKC3dBdmexNyjWwcRo
 ciyoA+JmjBlcH8jLbBEcuXJ1QIyGoElyOUxmAyEF/d4
 -> ssh-ed25519 AqX2tg kuQVjo/FrDzH9H1PEaR8wkVdATQTK2c8P3k4d33TcA4
 j9pRxEFt1tPXaW8+a8tc4w6183I4v+0t4YQ+02Y5eoQ
 -> ssh-ed25519 bD9h7A FcJcItxDXCSkZUdbQYSEtTgeovBaLZ2DpGZ/oa45ozI
 PE71hq6shAv0j0rRw29XOuUZQSVQZU5w3SfVR2SJpZ0
 -> ssh-ed25519 2Wt2Kw Bc7w+3+nJ8S21LvXTwQfnDqvZOWJqKM/HdkvCy5qvXc
 gxqZ3zWbLWSvePBrvKm4DUF5xkpm3qJpJMCmeUSmBoQ
 -> ssh-ed25519 xaddyw a5x5Wb5hRH0UwPMCvQHAbfbYERNKjD4kB9WswzY/ng4
 CPARmPO1Jbs6BVFMgjD4uXn4GdgFx57h46eCXDWRrEQ
 -> ssh-ed25519 6rkyTg w6tpomaTIcrE5wOCy4+5jCF/R6v5ncCDT6CXyADnjmg
 dGwwoXPj4CGmbravQl0M1umUO7u7+01rggplavFmtc8
 -> ssh-ed25519 d3M2Dw o86nsTjni4Ic6ZF2WPuqTlGU5yA/MnBy5Gy9U6nqTnM
 B4mXfVPhr+qsvDatzgnfP49hGvCkWcnCDXBVyH6QucU
 -> ssh-ed25519 81O5Zw qEc+B241+0nX/n41crMc7HtKes1L5a088Q2idprrqjw
 01aUvolF+mXno/ie3KuHPKDEbAbVtXlc6VlarQHSvJw
 --- XVLJes18b88bFv7PL8TOONNAiLT3FU/hHwcr0f60KRw
 O§ó•¨Ï÷üp“@„CÄ+O^i«˜U=Vü¼ta-5e‘c_ƒnZWVÀ:MPR½„ÏbcèX
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -76,4 +76,9 @@ in
    tower
    akhaten
  ];
  "arkheon-env.age".publicKeys = [
    lambda
    tower
  ];
  "arkheon-token.age".publicKeys = servers;
 }