Compare commits


3 commits

Laureηt 5895a66911
🔐 (secrets) rekey secrets 2024-01-13 16:29:01 +01:00
Laureηt f918c1fec3
🔐 💥 (cesium/system/age) use ssh_host key 2024-01-13 16:28:30 +01:00
Laureηt 44803e51bb
🔒️ swap ragenix for agenix 2024-01-13 15:55:00 +01:00
7 changed files with 45 additions and 183 deletions


@ -5,7 +5,7 @@
Laureηt's Infrastructure <br> Laureηt's Infrastructure <br>
<img src="https://raw.githubusercontent.com/catppuccin/catppuccin/main/assets/palette/macchiato.png" width="600px"> <img src="https://raw.githubusercontent.com/catppuccin/catppuccin/main/assets/palette/macchiato.png" width="600px">
<a href="https://github.com/yaxitech/ragenix/"> <a href="https://github.com/ryantm/agenix">
<img src="https://img.shields.io/static/v1.svg?style=for-the-badge&label=Secrets&message=age&color=ea999c&labelColor=303446"> <img src="https://img.shields.io/static/v1.svg?style=for-the-badge&label=Secrets&message=age&color=ea999c&labelColor=303446">
</a> </a>
<a href="https://git.fainsin.bzh/Laurent/infrastructure/src/branch/master/LICENSE"> <a href="https://git.fainsin.bzh/Laurent/infrastructure/src/branch/master/LICENSE">


@ -54,42 +54,23 @@
}, },
"agenix": { "agenix": {
"inputs": { "inputs": {
"agenix": "agenix_2", "darwin": "darwin",
"crane": "crane", "home-manager": [
"flake-utils": "flake-utils", "home-manager"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay" "systems": [
}, "systems"
"locked": {
"lastModified": 1682237245,
"narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50",
"type": "github"
},
"original": {
"owner": "yaxitech",
"repo": "ragenix",
"type": "github"
}
},
"agenix_2": {
"inputs": {
"darwin": "darwin",
"nixpkgs": [
"agenix",
"nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1682101079, "lastModified": 1703433843,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -163,36 +144,6 @@
} }
}, },
"crane": { "crane": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"agenix",
"flake-utils"
],
"nixpkgs": [
"agenix",
"nixpkgs"
],
"rust-overlay": [
"agenix",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681680516,
"narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=",
"owner": "ipetkov",
"repo": "crane",
"rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crane_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"lanzaboote", "lanzaboote",
@ -216,17 +167,16 @@
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"agenix",
"agenix", "agenix",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1673295039, "lastModified": 1700795494,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -243,11 +193,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1705017253, "lastModified": 1705075138,
"narHash": "sha256-/ysUOnF/dYJXDTxi/fi4MNN7uYKRji5CKp3EIamXB+0=", "narHash": "sha256-0slYsXoR1Sd5FwTfFZLYxAsI015+J4lvgvo55u4Gw1A=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "fa5db12d76f9e8ee11e572cdbe021230e48b6afa", "rev": "f78b6498f69e04514cb84393e5daba669198c1c1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -279,22 +229,6 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -353,25 +287,7 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1694529238, "lastModified": 1694529238,
@ -432,11 +348,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1704980804, "lastModified": 1705104164,
"narHash": "sha256-lPNNKdPqIYcjhhYIVwlajNt/HqVWbMOoSdNnwCvOP04=", "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "93e804e7f8a1eb88bde6117cd5046501e66aa4bd", "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -449,7 +365,7 @@
"inputs": { "inputs": {
"hyprland-protocols": "hyprland-protocols", "hyprland-protocols": "hyprland-protocols",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"systems": "systems_2", "systems": "systems",
"wlroots": "wlroots", "wlroots": "wlroots",
"xdph": "xdph" "xdph": "xdph"
}, },
@ -527,13 +443,13 @@
}, },
"lanzaboote": { "lanzaboote": {
"inputs": { "inputs": {
"crane": "crane_2", "crane": "crane",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"pre-commit-hooks-nix": "pre-commit-hooks-nix", "pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1704813398, "lastModified": 1704813398,
@ -951,37 +867,12 @@
"projet-oral-japonais": "projet-oral-japonais", "projet-oral-japonais": "projet-oral-japonais",
"projet-systemes-algorithmes-repartis": "projet-systemes-algorithmes-repartis", "projet-systemes-algorithmes-repartis": "projet-systemes-algorithmes-repartis",
"resume": "resume", "resume": "resume",
"systems": "systems_4", "systems": "systems_3",
"treefmt-nix": "treefmt-nix_2", "treefmt-nix": "treefmt-nix_2",
"wallpaper": "wallpaper" "wallpaper": "wallpaper"
} }
}, },
"rust-overlay": { "rust-overlay": {
"inputs": {
"flake-utils": [
"agenix",
"flake-utils"
],
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
"lanzaboote", "lanzaboote",
@ -1007,21 +898,6 @@
} }
}, },
"systems": { "systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -1036,7 +912,7 @@
"type": "github" "type": "github"
} }
}, },
"systems_3": { "systems_2": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -1051,7 +927,7 @@
"type": "github" "type": "github"
} }
}, },
"systems_4": { "systems_3": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",


@ -1,7 +1,6 @@
{ {
description = "Laureηt's infrastructure"; description = "Laureηt's infrastructure";
# TODO: rekey les secrets + changer la key de cesium
# TODO: luks encrypt cesium (dropbear ?) # TODO: luks encrypt cesium (dropbear ?)
# TODO: setup disko sur silicium # TODO: setup disko sur silicium
@ -25,9 +24,10 @@
inputs.nixpkgs-lib.follows = "nixpkgs"; inputs.nixpkgs-lib.follows = "nixpkgs";
}; };
agenix = { agenix = {
# TODO: replace by classic agenix url = "github:ryantm/agenix";
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
inputs.systems.follows = "systems";
}; };
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
@ -180,7 +180,7 @@
packages = [ packages = [
formatter # defined above formatter # defined above
pkgs.git # version control pkgs.git # version control
agenix.packages.${system}.ragenix # secrets agenix.packages.${system}.agenix # secrets
pkgs.sbctl # secure boot utils pkgs.sbctl # secure boot utils
]; ];
}; };


@ -4,5 +4,4 @@
owner = "gitea"; owner = "gitea";
group = "gitea"; group = "gitea";
}; };
age.identityPaths = ["/root/.ssh/id_ed25519"];
} }
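Review bot: With `age.identityPaths` removed, cesium now depends on agenix's default identity list, and if I read the agenix NixOS module correctly that default is built from `services.openssh.hostKeys` only when `services.openssh.enable` is true — otherwise it is empty and every secret fails to decrypt at activation. Nothing in this hunk shows openssh enabled on cesium, and the attribute set this file defines starts before the hunk, so I cannot confirm it from the page. Since the commit message says the intent is the SSH host key, I would pin it explicitly rather than inherit the default: `age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"]; # host key doubles as the age identity`. The comment matters because regenerating the host key (reinstall, disko wipe) now silently invalidates every secret encrypted for cesium.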


@ -1,12 +1,5 @@
-----BEGIN AGE ENCRYPTED FILE----- age-encryption.org/v1
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGtaRXBXdyBCSFps -> ssh-ed25519 kZEpWw GRcmqKupwo/EZ5c28pu4Te0ODGmWU0rL+3HIbg7qgFE
YjhJT3l2NVMwUlc1L3laWmRoaHRjZUpzbFZyMXA2K3diZ1VuZWdzCktYa0V5Ujk5 dfnJzw6kZGgZQFoXjCNAOTnoLf4TO7ZTNT0ob0Q0qO4
M2JndmxSMkZpZFZCN25uaVFDMk1aNDJhbmo4YlU1MVVMTkkKLT4gTGo+Ti1ncmVh --- G6vG/80pcxtFNhbMacVxv393O4U9cpQEA8t0b4KMUzk
c2UgWFVaL0cKTTJ6ZGpRNzVkQTdBL00rd1NIVFpwQkV5WmVPWWJLMWNlaE51cDVy bØeãÝ$Çc•`.k#Ç^ºýƒ:ª"Κüh8]·÷î­—d$j"òaŸM»Åu@i Zק^e½Ïi ¶ÉÝ¢eìáô&¥åÒe÷,åçú–-¶yäFŽ m,„¤åÁ"‰ÊC¨ã[™Ï*\ÈôŒ7Õƒù•(jcÇCVf
ajVJd3VOL1pUSkxJVGJiejFQR3UwWFdQQwpqN2tTZzhWem85TGhEYmtRM3lKNHpz
azlreEFvbFgwYWxJK0JxMGV1MUFlUHQ4dVppYUtScjZ5Vjl2N1VQa21hCgotLS0g
bXA2YUxBNEc4NThjKzNKSXlNcEE5TE1DbWxoVUcxZTRLYXZrY1Rrb2cyTQqFtX6u
I6xKT4GsVsZONMHURFyBrwC6f9nyDcZv7w7i+0WjpalP3k26D3pLbB4I3g5p3X8U
A60vagUy20vBPYYh9P2dGsLDieGq6GRxQfwIXHkxZ+d7akAi3n+p5ltfJ2h9Zuti
RRBKtnxVIaHp6TZjausCKVfvIXW540gQogiUjadPm7xt
-----END AGE ENCRYPTED FILE-----


@ -1,13 +1,7 @@
-----BEGIN AGE ENCRYPTED FILE----- age-encryption.org/v1
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGtaRXBXdyBaTENK -> ssh-ed25519 kZEpWw wwRzGnuU1emv5/dIg1nmg6gsFIq+b/JBdML9nlZ54V8
NGt2K1pRRll2cStROFJDT0hMVzVSWEJQRmErUHpVVndyQzBDUmlvCnhlREd3YWc5 uw2/wrycilU5m0QH/JHVADH41mAqcl7udmfpKAwMQAY
c09LdldNeXZwMmg2SlNLRXhrelVwNnRua3BHN2JLYWlyZE0KLT4gc3NoLWVkMjU1 -> ssh-ed25519 mQMqbw OnupY43Uc/RGdHHUj9ItT5QBiASqwMpyih4Xnq1JSRU
MTkgdjhFOVV3IE1acEhiTElpTzVQc3ExdkNVaG41SlQ2TXUrcTZJVE9Oc1hqRVNt 1PEkalnMjdgObz6euu0PbuutOyly/F5AGYEzYWcWpgg
clhMMGsKZ1Z1THRhZzZ3MkNHODV3RWllbzJUSk4xTk1DcGl2MzV3UFlGZXdZRldz --- /KSY8DngUMetAF2hSb/scg2ZcV2I2bGu6B1JsdWHH+k
VQotPiA8ODZhZjAtZ3JlYXNlCjJidUIrVmZ3MHdYVUlzdDl2VHIzK3BUWUQxOGVG §ƒEêŠvR1/$~XJѹ Ì#õ¶<tÙbC¼ÎQ5(y¬¾BÁoüõ(ÁiÙÂg.ÉØyt{tJW¡™A¸c7D\tž#Û¥\§îR×p¥±Ÿ({"’¼¨864Å<34>Ó|úm}S÷§°ÚXPÇöªJ£¨~{>ÑWÈÅ0c%
OXFGMDNuY3VDTnNldEZjdlFQV2N2SUk1dkc2SnJ4b1ZXb3YKVzIrTVFxb1d0SE1X
Z3hSK0x2MWMKLS0tIHFwemhyYmxDSEhCUk90TW1nSmMxYVE2ajJYOUpNVG54SHBS
MWk2L01qMWcKhPYyts5zbaAtGuGVJpwReTxAj0iCR9Fqa3TwMzogeSEEZhyp3j3w
Vc+RiCM/ykf4DqFg/Xiulb2H+3TN0lT40UF2VEHbSnZFvJDDR9ltVwubI7fq8C5r
feA1+W0uQ7FDY4a+q1yjHcf47oirK6Q1+95hAn+Iq+koiEDP6TquTAWCaOIpMg==
-----END AGE ENCRYPTED FILE-----


@ -1,6 +1,6 @@
let let
silicium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium"; silicium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium";
cesium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxh42mMYqftTU7WtfktZbkdMI07VuH7mhUv3m2Ca3fV root@cesium"; cesium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVxpWbNJl+OXe6YImMpsJprfuTd+9UJVTiteiuyx6oP root@cesium";
in { in {
"borgbackup.age".publicKeys = [silicium]; "borgbackup.age".publicKeys = [silicium];
"gitea.age".publicKeys = [silicium cesium]; "gitea.age".publicKeys = [silicium cesium];
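Review bot: Replacing cesium's recipient only re-encrypts the secrets for the new key; the `.age` files encrypted to the old `root@cesium` key stay in git history, so if that old identity was ever exposed the underlying credentials (gitea here, plus whatever is listed after the hunk) must be rotated, not merely rekeyed. Rekeying alone is fine for a routine key change, and the page does not say which case this is. The commit message indicates the new value is cesium's SSH host key, so I would record that provenance for the next rotation: `cesium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVxpWbNJl+OXe6YImMpsJprfuTd+9UJVTiteiuyx6oP root@cesium"; # cesium's /etc/ssh/ssh_host_ed25519_key.pub`. The `in { … }` attribute set this hunk belongs to closes outside the hunk.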