From bc31afe86a5f5afaee61b351587ebe19dc85e4ae Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Mon, 2 Sep 2024 16:42:35 +0200
Subject: [PATCH] feat: setup arkheon
---
 deps/sources.json | 12 +++++++++++
 lib/mkmachine.nix | 1 +
 machines/akhaten/default.nix | 5 ++---
 machines/core-data/default.nix | 5 ++++-
 machines/core-security/default.nix | 5 ++++-
 machines/gustave/default.nix | 10 ++++++++--
 machines/lambda/arkheon.nix | 32 ++++++++++++++++++++++++++++++
 machines/lambda/default.nix | 9 ++++++++-
 machines/nuage/default.nix | 5 ++++-
 machines/tower/default.nix | 5 ++++-
 profiles/server.nix | 15 ++++++++++++++
 11 files changed, 94 insertions(+), 10 deletions(-)
 create mode 100644 machines/lambda/arkheon.nix
 create mode 100644 profiles/server.nix
diff --git a/deps/sources.json b/deps/sources.json
index 970589e..67cd52e 100644
--- a/deps/sources.json
+++ b/deps/sources.json
@@ -12,6 +12,18 @@
 "url": "https://github.com/ryantm/agenix/archive/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41.tar.gz",
 "hash": "1x8nd8hvsq6mvzig122vprwigsr3z2skanig65haqswn7z7amsvg"
 },
+ "arkheon": {
+ "type": "Git",
+ "repository": {
+ "type": "GitHub",
+ "owner": "raitobezarius",
+ "repo": "arkheon"
+ },
+ "branch": "main",
+ "revision": "113724a1a206905e68319676f73d095fcc043a42",
+ "url": "https://github.com/raitobezarius/arkheon/archive/113724a1a206905e68319676f73d095fcc043a42.tar.gz",
+ "hash": "0yh8g020d7z67iqpg7xywk4dxxa64dxa1igd45nb8w653c82w6gq"
+ },
 "buildbot-nix": {
 "type": "Git",
 "repository": {
diff --git a/lib/mkmachine.nix b/lib/mkmachine.nix
index 4b9fca1..1d90c5b 100644
--- a/lib/mkmachine.nix
+++ b/lib/mkmachine.nix
@@ -38,6 +38,7 @@ import "${nixpkgs}/nixos/lib/eval-config.nix" {
 (import "${inputs.impermanence}/nixos.nix")
 (import inputs.lanzaboote).nixosModules.lanzaboote
 (import inputs.lila).nixosModules.hash-collection
+ (import "${inputs.arkheon}/module.nix")
 {
 home-manager.useGlobalPkgs = true;
 nixpkgs.system = system;
diff --git a/machines/akhaten/default.nix b/machines/akhaten/default.nix
index 4285a21..a600824 100644
--- a/machines/akhaten/default.nix
+++ b/machines/akhaten/default.nix
@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ inputs, profiles, ... }:
 {
 imports = [
 ./hardware.nix
@@ -16,10 +16,9 @@
 public.ipv6 = "2001:0bc8:3d24::45";
 vpn.ipv4 = "100.100.45.33";
 };
+ profiles = with profiles; [ server ];
 };
- deployment.tags = [ "server" ];
-
 disko = import ./disko.nix;
 environment.persistence."/persistent" = {
diff --git a/machines/core-data/default.nix b/machines/core-data/default.nix
index ee4f9b2..ea3eeaa 100644
--- a/machines/core-data/default.nix
+++ b/machines/core-data/default.nix
@@ -16,7 +16,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.66";
diff --git a/machines/core-security/default.nix b/machines/core-security/default.nix
index 91e75a3..d396826 100644
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@@ -17,7 +17,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.175";
diff --git a/machines/gustave/default.nix b/machines/gustave/default.nix
index b2fb224..c0e61c5 100644
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@@ -15,7 +15,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.90";
@@ -118,7 +121,10 @@
 fileSystems."/srv".neededForBoot = true;
- environment.systemPackages = [ pkgs.tailscale ];
+ environment.systemPackages = [
+ pkgs.tailscale
+ pkgs.bottom
+ ];
 services.tailscale.enable = true;
diff --git a/machines/lambda/arkheon.nix b/machines/lambda/arkheon.nix
new file mode 100644
index 0000000..2293113
--- /dev/null
+++ b/machines/lambda/arkheon.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}:
+
+{
+ age.secrets."arkheon-env".file = ../../secrets/arkheon-env.age;
+
+ nixpkgs.overlays = [ (import (inputs.arkheon.outPath + "/overlay.nix")) ];
+
+ services.arkheon = {
+ enable = true;
+
+ pythonEnv = pkgs.python3.withPackages (ps: [
+ ps.arkheon
+ ps.daphne
+ ps.psycopg2
+ ]);
+
+ domain = "arkheon.luj.fr";
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ envFile = config.age.secrets."arkheon-env".path;
+
+ };
+}
diff --git a/machines/lambda/default.nix b/machines/lambda/default.nix
index b16fc4f..c032072 100644
--- a/machines/lambda/default.nix
+++ b/machines/lambda/default.nix
@@ -1,15 +1,22 @@
-{ pkgs, inputs, ... }:
+{
+ pkgs,
+ inputs,
+ profiles,
+ ...
+}:
 {
 imports = [
 ./hardware.nix
 ./home-julien.nix
+ ./arkheon.nix
 ];
 machine.meta = {
 arch = "aarch64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
+ profiles = with profiles; [ server ];
 ips = {
 public.ipv4 = "141.145.197.219";
 vpn.ipv4 = "100.100.45.13";
diff --git a/machines/nuage/default.nix b/machines/nuage/default.nix
index ab93c09..3e5f58f 100644
--- a/machines/nuage/default.nix
+++ b/machines/nuage/default.nix
@@ -16,7 +16,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.101";
diff --git a/machines/tower/default.nix b/machines/tower/default.nix
index e8e536c..e45151c 100644
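Review bot: The new machines/lambda/arkheon.nix has no header comment, and its `envFile` line relies on agenix's default secret ownership (root, mode 0400) being readable by whatever consumes it; if arkheon's module.nix hands `envFile` to systemd's `EnvironmentFile=` that is fine, but if the application process opens the file itself the secret needs `owner`/`mode` set for the service user — confirm against the pinned module. A short header such as `# Arkheon server for arkheon.luj.fr; the env file comes from agenix and the package set from the overlay pinned in deps/sources.json` would say what the file wires together. `ps.psycopg2` in `pythonEnv` implies a PostgreSQL backend, yet no database is configured here, so presumably the upstream module provisions it; worth confirming. As a point of style, the overlay path is built with `inputs.arkheon.outPath + "/overlay.nix"` while lib/mkmachine.nix interpolates `"${inputs.arkheon}/module.nix"`; `nixpkgs.overlays = [ (import "${inputs.arkheon}/overlay.nix") ];` keeps the two consistent.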
--- a/machines/tower/default.nix
+++ b/machines/tower/default.nix
@@ -16,7 +16,10 @@
 arch = "x86_64-linux";
 nixpkgs_version = inputs.nixpkgs;
 hm_version = inputs.home-manager;
- profiles = with profiles; [ vm-simple-network ];
+ profiles = with profiles; [
+ vm-simple-network
+ server
+ ];
 ips = {
 public.ipv4 = "82.67.34.230";
 local.ipv4 = "192.168.0.103";
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..6c07f47
--- /dev/null
+++ b/profiles/server.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+ deployment.tags = [ "server" ];
+
+ # Enable arkheon
+ age.secrets."arkheon-token".file = ../secrets/arkheon-token.age;
+ services.arkheon.record = {
+ enable = true;
+
+ tokenFile = config.age.secrets."arkheon-token".path;
+
+ url = "https://arkheon.luj.fr";
+ };
+
+}
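Review bot: profiles/server.nix makes every server decrypt the same `../secrets/arkheon-token.age`, so one recorder token is shared by all hosts (the arkheon server on lambda included); if any one host is compromised the token is valid from all of them and cannot be revoked per machine. If arkheon issues per-host tokens, keying the secret on the host, e.g. `tokenFile = config.age.secrets."arkheon-token-${config.networking.hostName}".path;` (constructed example, needs one age file per host), would limit the blast radius — hedged on what the record module and the secrets layout support. The comment `# Enable arkheon` says less than the block does; `# Record each deployed closure of this host to the arkheon instance on lambda (machines/lambda/arkheon.nix)` explains why. The `url` also duplicates the `domain` set in that file, so a cross-reference keeps the two from drifting.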