feat(buckets): hackens-website ingestion

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>

.credentials/admin-environment.age

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZIo4kw 6xMgrgLbQXr4v1nZhGaBWJYKYkeg/dmIbOEhn/W/2QE
+xsgzuXuD4xU1sNzXEoMgnZiM0gvBGJBrSokqrwiI7Pc
+-> ssh-ed25519 9/PCvA ZIe1CLYptpBCGgHvo5gly3nZKyAzOO+KOZkaSmHcoyw
+gWXroKjWPIdyveq3cS9TbhT9uQxZkbttnrKgriUSgXs
+-> ssh-ed25519 prNEsA tOui4LZWREPK9+nevBXP7ZnSxmn7p/QObBzXUzBYJW8
+VaXjGbuMIhFMWenjVuPHFtc8cQ+FVe5BZJ0Tam2ZU9w
+-> ssh-ed25519 jIXfPA RIP2EDQy6U1zHEsIy0QjW20p3q+Zo9ZO8TrN/43Q6X8
+m4HOj/YqwwnAStAgT7JU/6cupMDyTViAIKNxTyYHtP0
+-> ssh-ed25519 QlRB9Q iQbuAgQkchVq75bHPYHepeLyP53UILuBbt0Y5i0iTW8
+fO2ZgPDV9AuvWpTqphW9Tbc77r8ab76hdj6QcdjbrQQ
+-> ssh-ed25519 r+nK/Q xyMZnO8lWctN/3cWWvXhSlrSFt32yvK6hbk64QcK4g8
+AlMKoNBHWO6mEx11k8GU9JGa6OyKFUoVrRvBiHME0gA
+-> ssh-rsa krWCLQ
+tXXCCMCEI06/W2JRpLmH8G7sKnpKJtB8RHlmoPpwL1PTScfDejYTDWtJ8AEOf4MD
+e/gq2YcMRGKU89HRK2T0TKh23e/oyirEAKX7zarH3CrM48AJVq7U0/EKbIhgl6BE
+6lVKGKkGCzxIWSE6pzASvbIyoGYu2y6CPXVDjJibrapz8sBmT3a+RJa6pwHPEYmC
++NOvT0xs2q8edOrbt1KWapqapIVjgWmcU0usikiC5d1lzDa0NQctCLWSB1tClXtY
+TL0cp6ySxRBLwapOkW4ix7GbnsvynJCgMmcIKV+vjrlwzGJNLd4cZWCSyUMfq8LI
+V2gzF6af2lpEVk3b+130Lg
+-> ssh-ed25519 /vwQcQ gQVZLKnibsMquHUkY7QcMY641Bkjd0l1yNCV0cHPPFA
+QpgGgBbX3M8TjYXtCQCJCGHVHLBj/xj0K8oEx1VV2o8
+-> ssh-ed25519 0R97PA kjGeNwgs5oQJfuErWSAc71DXQCzaoysqUcHWyOp/jFo
+MQ+RvrAfv9TGtUR+4n7q0Itm0y1GvZPwNwRIqzWkyWk
+-> ssh-ed25519 JGx7Ng SyaXVJSNkm+bJkvv0ayFlpOTSil2CUwnyoF2tM6Rphk
+dZCU7LETIOl+0J+zIc/M5Ee+NLUCHQsVZtcmtLK3P2s
+-> ssh-ed25519 bUjjig 1bPCNng6DMPmTeqOuxU8SkWrekouu6fs19zU58aJk3A
+OP9qmtMpiI/OnQ2cjgUaOxccs96/+KdC4Kjna1DN3kQ
+--- LNv4IEC3BPCaS2XlK8FR1uki2TQPN0Wd3G3HJKfkqKM
+Ú`QEÏ4ƒÖÅòMX ÔB†Ž#Ìa&™¨Ï~
óÖJ<C396>ç Ý6¾G@ûÚ±áR/P\Òÿ…öd”Þø­YÁ£Ãc€—ÿ²A#Œ	Ö_®Ê5Ë‘Nk^qŠ
+gÜs%~ž˜»šnO˜ÄÛÉM:£jô!<21>`w

.credentials/secrets.nix

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../keys.nix).mkRootSecrets [
+  "admin-environment.age"
+]

.gitignore

@@ -9,3 +9,9 @@ result-*
 *.qcow2
 .gcroots
 .pre-commit-config.yaml
+
+# Ignore Terraform configuration file
+config.tf.json
+
+# Ignore Terraform stuff
+.terraform

.terraform.lock.hcl

@@ -0,0 +1,38 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/numtide/secret" {
+  version     = "1.2.1"
+  constraints = "~> 1.2.1"
+  hashes = [
+    "h1:t2z3CjxVsXjKb3g59WGkLtvDIR4NzLU7UFEcyAgF2C0=",
+    "zh:17cbc7f3b90ee2b3ae5adfc3bd9cb70166a5ffbd8e642e64afa7cb0e32a34bae",
+    "zh:5d66ce2aea25fc3c12cec6fc569b8ff314df6d773b9c3449983a4e9cde8347c7",
+    "zh:67d02e96bf0d07f2fcf16ce9427a7a26f53e695676405d0c2b815808f950411d",
+    "zh:77c3c05681ce199e6b0e2e5a2dfe418f61ae8863d527e7a7d47a9699d912683b",
+    "zh:7f37e633b4f94ba9f347cfe68d44f80fe066188feb954b13ee0f621caae4121d",
+    "zh:ea16bbe494c6ddd0af7bbea9554474c387517db4e7f0d15513bb29ff893871bc",
+  ]
+}
+
+provider "registry.opentofu.org/raitobezarius/garage" {
+  version     = "1.0.3"
+  constraints = "~> 1.0.3"
+  hashes = [
+    "h1:QKbZcU7u9OG1t/h4S3+pXS3sOUfVMmfLTiYh5L5j1rE=",
+    "zh:04f220a2baf4bd1bae07888a1c311cacd6076c209de83adbe573525fc50f2ea4",
+    "zh:078938d5fa07e024d779c664823427af28935bbeb77e0ff940bac3e7bc41f1e8",
+    "zh:2dd58a2d82094a1b07ff1b6de57e4a0d96e1f20abecd4f70a6469079b46b76d9",
+    "zh:325da7a74b1c84f934b38134d7c419253292aeed6f6836a2fb37f42d13a8ff67",
+    "zh:3ca9230ef87e70691b24fd83d40bb5b6a08f0b91ab26cbb2e692f92155b6d179",
+    "zh:45ef683a18a5053c93c691d08f3903fd4918467dfa056b1c274207de8a6aeb74",
+    "zh:4c9ee6c34b07c209c5daf1e9ff182f828667e54a90a683bc11cdcea86e4f8ef7",
+    "zh:5f0bb6524b2fffa606e0e3585af93dfc31b611c7abf55e4371ae5fc36e85972c",
+    "zh:7a3495dc211164c7d4042769c20d7111c767d0fd5908742e0766281c70d7d184",
+    "zh:7ce79867cdd4b1f7028da811cd5cb271a46820c79c0328a1221dd3bb6215c631",
+    "zh:93278861ee6bcb64e23bd1268f79b02035fba4fca0a98607a98f46abf8dfdf83",
+    "zh:937e681beea8b0dd899557f2a194c8128bd8810417ff04954bc9958ff826e980",
+    "zh:cae6e1598dd32f23f3900c41e50a6ece7d9456dbd033d855bb238ac21539d67b",
+    "zh:f6f7556ba7d5578604290170a709e00140be6d7f8a510a20bce49a9a23d75e5f",
+  ]
+}

REUSE.toml

@@ -8,13 +8,13 @@ precedence = "closest"
 [[annotations]]
 SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
 SPDX-License-Identifier = "EUPL-1.2"
-path = [".forgejo/workflows/*"]
+path = [".forgejo/workflows/*", ".terraform.lock.hcl"]
 precedence = "closest"
 
 [[annotations]]
 SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
 SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
-path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-notify/ntfy-sh-systemd_passwd", "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"]
+path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-notify/ntfy-sh-systemd_passwd", "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file", ".credentials/admin-environment.age"]
 precedence = "closest"
 
 [[annotations]]

cz.toml

@@ -1,6 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-[tool.commitizen]
-allowed_prefixes = [ "lon", "Merge", "Revert", "Pull request", "fixup!", "squash!" ]

default.nix

@@ -92,8 +92,13 @@ let
     ];
 
     annotations = [
-      # Auto-generated workflow files using nix-actions
+      # Auto-generated files
-      { path = [ ".forgejo/workflows/*" ]; }
+      {
+        path = [
+          ".forgejo/workflows/*"
+          ".terraform.lock.hcl"
+        ];
+      }
 
       # Secrets
       {
@@ -106,6 +111,7 @@ let
           "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file"
           "modules/nixos/dgn-records/__arkheon-token_file"
           "modules/nixos/dgn-s3/garage-*_file"
+          ".credentials/admin-environment.age"
         ];
         license = "CC-BY-NC-ND-4.0";
       }
@@ -235,9 +241,18 @@ let
   };
 
   scripts = import ./scripts { inherit pkgs sources; };
+
+  terranixConfig = import "${sources.terranix}/core" {
+    inherit pkgs;
+    strip_nulls = true;
+    terranix_config.imports = [ ./terranix ];
+  };
+  terranixConfigFile = (pkgs.formats.json { }).generate "config.tf.json" terranixConfig.config;
 in
 
 {
+  inherit terranixConfigFile terranixConfig;
+
   nodes = builtins.mapAttrs (
     host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
   ) (import ./meta/nodes/nixos.nix).nodes;
@@ -255,6 +270,15 @@ in
       [
         pkgs.lon
 
+        (pkgs.writeShellScriptBin "tf" ''
+          set -eo pipefail
+          source ${pkgs.lib.getExe scripts.decryptAndSourceEnvironment}
+          TF_CONFIG=$(nix-build -A terranixConfigFile --no-out-link)
+          ln -snf $TF_CONFIG config.tf.json
+          exec ${pkgs.lib.getExe pkgs.opentofu} "$@"
+        '')
+        pkgs.rage
+
         # SSO testing
         pkgs.kanidm
         pkgs.freeradius

lon.lock

@@ -17,9 +17,9 @@
       "owner": "RaitoBezarius",
       "repo": "arkheon",
       "branch": "main",
-      "revision": "a30fa6f0b3ed4becef7696df82d77bc53fa3d46b",
+      "revision": "3eea876b29217d01cf2ef03ea9fdd8779d28ad04",
-      "url": "https://github.com/RaitoBezarius/arkheon/archive/a30fa6f0b3ed4becef7696df82d77bc53fa3d46b.tar.gz",
+      "url": "https://github.com/RaitoBezarius/arkheon/archive/3eea876b29217d01cf2ef03ea9fdd8779d28ad04.tar.gz",
-      "hash": "sha256-C0EgAyC90A6wqCwiRUNFcn8YnwleNjXFRTMe/dZ9EWE="
+      "hash": "sha256-+R6MhTXuSzNeGQiL4DQwlP5yNhmnhbf7pQWPUWgcZSM="
     },
     "cas-eleves": {
       "type": "Git",
@@ -55,10 +55,10 @@
       "type": "Git",
       "fetchType": "git",
       "branch": "main",
-      "revision": "6bf964daac1ab1695b884f6cc920084000137c2b",
+      "revision": "fbf6385e65400802a3f9f75f7cd91d5c01373d1b",
       "url": "https://git.dgnum.eu/DGNum/dgsi.git",
-      "hash": "sha256-oPNaE45eHuXMWwGKUa003Db2TPAm29CaafLNkIxI+cA=",
+      "hash": "sha256-aOUI69wbMm9+KVWwcMw5TgVnk3DfjOzE4OEyYTD8XPU=",
-      "lastModified": 1750699899,
+      "lastModified": 1748894673,
       "submodules": false
     },
     "disko": {
@@ -67,9 +67,9 @@
       "owner": "nix-community",
       "repo": "disko",
       "branch": "master",
-      "revision": "83c4da299c1d7d300f8c6fd3a72ac46cb0d59aae",
+      "revision": "dfa4d1b9c39c0342ef133795127a3af14598017a",
-      "url": "https://github.com/nix-community/disko/archive/83c4da299c1d7d300f8c6fd3a72ac46cb0d59aae.tar.gz",
+      "url": "https://github.com/nix-community/disko/archive/dfa4d1b9c39c0342ef133795127a3af14598017a.tar.gz",
-      "hash": "sha256-Ng9+f0H5/dW+mq/XOKvB9uwvGbsuiiO6HrPdAcVglCs="
+      "hash": "sha256-CqmqU5FRg5AadtIkxwu8ulDSOSoIisUMZRLlcED3Q5w="
     },
     "dns.nix": {
       "type": "GitHub",
@@ -87,9 +87,9 @@
       "owner": "cachix",
       "repo": "git-hooks.nix",
       "branch": "master",
-      "revision": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+      "revision": "623c56286de5a3193aa38891a6991b28f9bab056",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/16ec914f6fb6f599ce988427d9d94efddf25fe6d.tar.gz",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/623c56286de5a3193aa38891a6991b28f9bab056.tar.gz",
-      "hash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg="
+      "hash": "sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4="
     },
     "kadenios": {
       "type": "Git",
@@ -135,10 +135,10 @@
       "type": "Git",
       "fetchType": "git",
       "branch": "main",
-      "revision": "9a59106c172b7d5963e3dc2cf07ff5b19f8119d6",
+      "revision": "20fed838a622e48128827278db91312f580f9214",
       "url": "https://git.lix.systems/lix-project/lix.git",
-      "hash": "sha256-A9EwWUNC+8Fnsafi3Lcks2jNm6wjNoxfPS5TJXzpTk0=",
+      "hash": "sha256-Swcajzm+JPDd32kKXdg25im9CeATuY8qji9EPVU2rVo=",
-      "lastModified": 1750863598,
+      "lastModified": 1750232556,
       "submodules": false
     },
     "lix-module": {
@@ -301,6 +301,16 @@
       "lastModified": 1734436346,
       "submodules": false
     },
+    "terranix": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "terranix",
+      "repo": "terranix",
+      "branch": "main",
+      "revision": "9d2370279d595be9e728b68d29ff0b546d88e619",
+      "url": "https://github.com/terranix/terranix/archive/9d2370279d595be9e728b68d29ff0b546d88e619.tar.gz",
+      "hash": "sha256-16z7tXZch12SAd3d8tbAiEOamyq3zFbw1oUq/ipmTkM="
+    },
     "wp4nix": {
       "type": "Git",
       "fetchType": "git",

machines/nixos/build01/nix-builder.nix

@@ -66,6 +66,7 @@
         fsync-metadata = true;
         experimental-features = [
           "auto-allocate-uids"
+          # "ca-derivations" this feature is really extremely broken.
           "cgroups"
           "fetch-closure"
         ];

machines/nixos/compute01/arkheon.nix

@@ -3,22 +3,20 @@
 # SPDX-License-Identifier: EUPL-1.2
 
 { config, sources, ... }:
-let
+
-  domain = "arkheon.dgnum.eu";
-in
 {
-  nixpkgs.overlays = [ (import (sources.arkheon + "/nix/overlay.nix")) ];
+  nixpkgs.overlays = [ (import (sources.arkheon + "/overlay.nix")) ];
 
   services.arkheon = {
     enable = true;
 
-    inherit domain;
+    domain = "arkheon.dgnum.eu";
 
-    secrets.TOKEN = config.age.secrets."arkheon-token_file".path;
+    nginx = {
-  };
+      enableACME = true;
+      forceSSL = true;
+    };
 
-  services.nginx.virtualHosts.${domain} = {
+    envFile = config.age.secrets."arkheon-env_file".path;
-    enableACME = true;
-    forceSSL = true;
   };
 }

machines/nixos/compute01/extranix/default.nix

@@ -60,7 +60,7 @@ in
             ];
             ignored-modules = (import "${infra-modulesPath}/module-list.nix") ++ [
               "${sources.agenix}/modules/age.nix"
-              "${sources.arkheon}/nix/module.nix"
+              "${sources.arkheon}/module.nix"
               "${sources."microvm.nix"}/nixos-modules/host"
               "${sources.cgroup-exporter}/nix/module.nix"
               { system.stateVersion = "25.05"; }

machines/nixos/compute01/kanidm/default.nix

@@ -84,7 +84,6 @@ in
         {
           grp_active.members = catAttrs "username" (attrValues meta.organization.members);
           grp-ext_cri.memberless = true;
-          grp-ext_lasuite.memberless = true;
         }
         // (mapAttrs' (
           name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
@@ -204,19 +203,11 @@ in
           preferShortUsername = true;
           allowInsecureClientDisablePkce = true;
 
-          scopeMaps = {
+          scopeMaps.grp_active = [
-            grp-ext_lasuite = [
+            "openid"
-              "openid"
+            "profile"
-              "profile"
+            "email"
-              "email"
+          ];
-            ];
-
-            grp_active = [
-              "openid"
-              "profile"
-              "email"
-            ];
-          };
         };
 
         dgn_drive = {
@@ -226,19 +217,11 @@ in
           preferShortUsername = true;
           allowInsecureClientDisablePkce = true;
 
-          scopeMaps = {
+          scopeMaps.grp_active = [
-            grp-ext_lasuite = [
+            "openid"
-              "openid"
+            "profile"
-              "profile"
+            "email"
-              "email"
+          ];
-            ];
-
-            grp_active = [
-              "openid"
-              "profile"
-              "email"
-            ];
-          };
         };
 
         dgn_visio = {
@@ -248,19 +231,11 @@ in
           preferShortUsername = true;
           allowInsecureClientDisablePkce = true;
 
-          scopeMaps = {
+          scopeMaps.grp_active = [
-            grp-ext_lasuite = [
+            "openid"
-              "openid"
+            "profile"
-              "profile"
+            "email"
-              "email"
+          ];
-            ];
-
-            grp_active = [
-              "openid"
-              "profile"
-              "email"
-            ];
-          };
         };
 
         dgn_zulip = {

machines/nixos/compute01/secrets/arkheon-token_file

@@ -1,32 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 ZIo4kw HMfqvTOsOagWqo5ZRDLmAYwq/F4YvHypNuz7fAudIDI
-rZxCU8gA4dcfw8VvR+oYisGlAFSBXNCD7+qhm3G4iNk
--> ssh-ed25519 9/PCvA mewq7D1W/YaJBPr1edrRN1dhnVH7WCBvKdfr2b0BtF4
-fln/kdeW+v5Lob5u9hJDVxpRzF8h8rUjdI9ampM+1O0
--> ssh-ed25519 prNEsA d1nZZsQhEIVRVxBdYDq/dWjUNRrPwQH1KXWMWVMGt1M
-XqqJBfA2O0v1TNegHZ8+YW/UoPmWxbcbD/NXFnOmAM8
--> ssh-ed25519 jIXfPA VHqFpJoc27TxFkEPfloBer3+lbbpVXSudUPf7+Yg1Xs
-HwjhzZi/UCTAeCvuhoqmzrLHrs9Txvw7c1SsojUeGbo
--> ssh-ed25519 QlRB9Q jZ7INT6Yom/uRW8EdrPS2Dp5jAL0dLC7J8H731QNHWQ
-cPIAcvHncO6J2NzR6HyV+TZDaFTj27pv1/h31xatR8M
--> ssh-ed25519 r+nK/Q bUGnJI+lXFvGFKNBjZK04iUrJ8nmDZ3BtAAuQ9bAmmE
-DE+GuBKxdIv9Up8MwLCHwkO9r5zHqTIrU/OHzMFrhXs
--> ssh-rsa krWCLQ
-Zx6vsxrJ62/HHAdKr6Yo5xSYdjAjFKsLJZWNU/khwrvRrFl/a3bbScVG1PiSnMCm
-YscuhQyCtn6NqPHDVO8taP1FJNk5ZRvI8X7cEKh/tT3nNZbIv0hdYuCQMDpDaO3s
-lJ3ArY+fV3Jf89pk6MgQVUTZR/KbCZ3HTnp6L+brsHbabh7ZERBirWcWH16IyiBZ
-qBrinlFWx+vWBWf1kvJwUWSnm//X5zl49lee7WfwOwAZherzLznppaTYCstNRB5F
-WLtujL/XhC9eorJEVjw+xa7Xtz5fjs5+reaD4pW7zndUmU8FAlj+U+AjBBtK1WiX
-GYvGTR4GrfekbqL3d4+pLg
--> ssh-ed25519 /vwQcQ efTtWtxISCDmfCyD60EGa39+uGuJx1mY2DdZNhUOfWo
-Mf28puZVuDwIEuwbHTzhOfROjDA6shZP7H0/Lo0kSb4
--> ssh-ed25519 0R97PA i1I0xb/oq0sx/eker0v99lUVzszvBdYV5MbHXegDXRM
-jA8CATy/zz3VdtKOUGyDAhU3XzThFKrDeQ/z9e8vEU4
--> ssh-ed25519 JGx7Ng 25sOy5x2ms4N0su1KvAEyvmRe7uAiZFk42AtGiUzxX0
-LTIh7meaSbeTpVyoLIwFkD0N/9XgdvQIitt4MvLe39Y
--> ssh-ed25519 bUjjig 4AoxNBLyU1sNM4ERZ+TzByERqMYA1RA1mxKLFvtq7Sc
-ygurddlDyR5kXWh8LlRYvD6tPFXEeaxizl2MAckiH+U
--> ssh-ed25519 tDqJRg xGMNc1SrtKzDCOyYR6Ytk7e4iUQDVjzGVv9c5/0y/1A
-HdN/RgYMnUuHuOz97Faz3wBbVfBSg3NT5zP8h03vPzg
---- ICK3ufhA3g2IY3t5t02HFCHJNh8bukBGyNRrAtzVwY8
-<¬‘òÍ–Ÿ²e/ŸšA5?Ü<> Ö¬‡þ<E280A1>«üvÓ*À1~0<>ºÇ•øu½¸,±Kÿ’&Õ<>2<EFBFBD>Z/AÀú¬

machines/nixos/compute01/secrets/secrets.nix

@@ -6,7 +6,7 @@
   [ "compute01" ]
   [
     # List of secrets for compute01
-    "arkheon-token_file"
+    "arkheon-env_file"
     "bupstash-put_key"
     "dgsi-email_host_password_file"
     "dgsi-kanidm_auth_token_file"

machines/nixos/web01/_hardware-configuration.nix

@@ -1,88 +1,12 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ modulesPath, ... }:
+{ modulesPath, sources, ... }:
+
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [
-
+    "${modulesPath}/profiles/qemu-guest.nix"
-  boot = {
+    "${sources.disko}/module.nix"
-    initrd = {
+    ./disko.nix
-      availableKernelModules = [
-        "ata_piix"
-        "uhci_hcd"
-        "ehci_pci"
-        "virtio_pci"
-        "ahci"
-        "virtio_blk"
-      ];
-      kernelModules = [ ];
-      luks.devices."mainfs" = {
-        device = "/dev/disk/by-uuid/0de6ce5a-c5b6-41e3-96d0-c0381e06f94e";
-        keyFile = "/dev/zero";
-        keyFileSize = 1;
-      };
-    };
-    extraModulePackages = [ ];
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/cf7f8271-c1c7-46d9-b960-281d9271c576";
-      fsType = "btrfs";
-      options = [
-        "subvol=rootfs"
-        "compress=zstd"
-      ];
-    };
-
-    "/nix" = {
-      device = "/dev/disk/by-uuid/cf7f8271-c1c7-46d9-b960-281d9271c576";
-      fsType = "btrfs";
-      options = [
-        "subvol=nix"
-        "compress=zstd"
-        "noatime"
-      ];
-    };
-
-    "/var/log" = {
-      device = "/dev/disk/by-uuid/cf7f8271-c1c7-46d9-b960-281d9271c576";
-      fsType = "btrfs";
-      options = [
-        "subvol=var-log"
-        "compress=zstd"
-      ];
-    };
-
-    "/mnt/btrfs-root" = {
-      device = "/dev/disk/by-uuid/cf7f8271-c1c7-46d9-b960-281d9271c576";
-      fsType = "btrfs";
-      options = [ "compress=zstd" ];
-    };
-
-    "/home" = {
-      device = "/dev/disk/by-uuid/cf7f8271-c1c7-46d9-b960-281d9271c576";
-      fsType = "btrfs";
-      options = [
-        "subvol=home"
-        "compress=zstd"
-      ];
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/2A58-A5B0";
-      fsType = "vfat";
-      options = [
-        "fmask=0022"
-        "dmask=0022"
-      ];
-    };
-  };
-
-  swapDevices = [
-    {
-      device = "/dev/disk/by-partuuid/08952593-4b42-40ad-93a2-8f3595e13d5e";
-      randomEncryption.enable = true;
-    }
   ];
 }

machines/nixos/web01/disko.nix

@@ -0,0 +1,86 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+_:
+
+let
+  luksName = "mainfs";
+in
+{
+  boot.initrd.luks.devices.${luksName} = {
+    keyFile = "/dev/zero";
+    keyFileSize = 1;
+  };
+  disko.devices = {
+    disk = {
+      vdb = {
+        device = "/dev/vdb";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              start = "1MiB";
+              label = "ESP";
+              end = "512MiB";
+              type = "EF00";
+              priority = 1;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            luks = {
+              start = "512MiB";
+              end = "-4GiB";
+              content = rec {
+                type = "luks";
+                name = luksName;
+                extraOpenArgs = [ "--keyfile-size=1" ];
+                extraFormatArgs = extraOpenArgs;
+                settings.keyFile = "/dev/zero";
+                content = {
+                  type = "btrfs";
+                  mountpoint = "/mnt/btrfs-root";
+                  subvolumes = {
+                    "/rootfs" = {
+                      mountpoint = "/";
+                      mountOptions = [ "compress=zstd" ];
+                    };
+                    "/home" = {
+                      mountOptions = [ "compress=zstd" ];
+                      mountpoint = "/home";
+                    };
+                    "/var-log" = {
+                      mountOptions = [ "compress=zstd" ];
+                      mountpoint = "/var/log";
+                    };
+                    "/nix" = {
+                      mountOptions = [
+                        "noatime"
+                        "compress=zstd"
+                      ];
+                      mountpoint = "/nix";
+                    };
+                  };
+                };
+              };
+            };
+            swap = {
+              label = "swap";
+              start = "-4GiB";
+              end = "100%";
+              priority = 3;
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

machines/nixos/zulip01/_hardware-configuration.nix

@@ -1,10 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ modulesPath, ... }:
+{ modulesPath, sources, ... }:
+
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
+    (sources.disko + "/module.nix")
+    ./disko.nix
   ];
 
   boot = {
@@ -12,8 +19,8 @@
       availableKernelModules = [
         "ata_piix"
         "uhci_hcd"
+        "ehci_pci"
         "virtio_pci"
-        "virtio_scsi"
         "sr_mod"
         "virtio_blk"
       ];
@@ -23,22 +30,4 @@
     kernelModules = [ "kvm-intel" ];
     extraModulePackages = [ ];
   };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/179ba756-b0f0-42ec-b0b5-ab3daca97d3d";
-      fsType = "ext4";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/0DB8-F2E0";
-      fsType = "vfat";
-      options = [
-        "fmask=0077"
-        "dmask=0077"
-      ];
-    };
-  };
-
-  swapDevices = [ ];
 }

machines/nixos/zulip01/disko.nix

@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+_: {
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

meta/dns.nix

@@ -178,7 +178,7 @@ let
           "apps-webhook"
         ];
 
-        zulip01.dual = [
+        zulip01.proxied = [
           "zulip"
           "z"
         ];

meta/network.nix

@@ -432,11 +432,6 @@
           ipv6 = [
             {
               address = "2a0e:e701:1120:1000::dead:beef";
-
-              prefixLength = 64;
-            }
-            {
-              address = "2a0e:e701:1120:1000:ffff::45.13.104.30";
               prefixLength = 64;
             }
           ];
@@ -446,8 +441,6 @@
         };
       };
 
-      addresses.ipv4 = [ "45.13.104.30" ];
-
       hostId = "b551861d";
       netbirdIp = null; # zulip01 is not to be connected on the VPN for now
 

meta/organization/members.nix

@@ -57,10 +57,7 @@
       ecoppens = {
         name = "Elias Coppens";
         email = "ecoppens@dgnum.eu";
-        sshKeys = [
+        sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDz9zePZXeH96RotT+xl4ux2kOh3qIp94txtcMjsf3vx"
-        ];
       };
 
       jemagius = {

modules/nixos/default.nix

@@ -44,7 +44,7 @@
     ])
     ++ [
       "${sources.agenix}/modules/age.nix"
-      "${sources.arkheon}/nix/module.nix"
+      "${sources.arkheon}/module.nix"
       "${sources."microvm.nix"}/nixos-modules/host"
     ]
     ++ ((import sources.nix-modules { inherit lib; }).importModules (

modules/nixos/dgn-records/default.nix

@@ -2,12 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-{
+{ config, lib, ... }:
-  config,
-  lib,
-  name,
-  ...
-}:
 
 let
   inherit (lib) mkEnableOption mkIf;
@@ -23,7 +18,6 @@ in
   config = mkIf cfg.enable {
     services.arkheon.record = {
       enable = true;
-      identifier = name;
 
       tokenFile = config.age.secrets."__arkheon-token_file".path;
 

modules/nixos/forgejo-multiuser-nix-runners/default.nix

@@ -365,7 +365,6 @@ in
 
           socketConfig = {
             ListenStream = "${cfg.storePath}/nix/var/nix/daemon-socket/socket";
-            BindPaths = [ "${cfg.storePath}/builds:/nix/var/nix/builds" ];
           };
         };
 
@@ -377,11 +376,6 @@ in
           group = "nixrootuser";
           user = "nixrootuser";
         };
-        "${cfg.storePath}/builds".d = {
-          mode = "0755";
-          group = "nixrootuser";
-          user = "nixrootuser";
-        };
         "${cfg.storePath}/nix".d = {
           mode = "0755";
           group = "nixrootuser";
@@ -448,8 +442,6 @@ in
                 cfg.storePath
               ];
 
-              BindPaths = [ "${cfg.storePath}/builds:/nix/var/nix/builds" ];
-
               #FIXME Harden
             };
 
@@ -578,7 +570,7 @@ in
               [
                 "-e PAGER=cat"
                 "-e PATH=${runnerPath}"
-                "-e NIX_PATH=nixpkgs=${builtins.storePath pkgs.path}"
+                "-e NIX_PATH=nixpkgs=${pkgs.path}"
                 "-e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
                 "-v ${cfg.storePath}/nix:/nix:ro"
                 "-v ${pkgs.cacert}/etc/ssl:/etc/ssl:ro"

scripts/decryptAndSourceEnvironment.sh

@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+set -eo pipefail
+
+# TODO: don't hardcode me.
+SECRET_FILE=".credentials/admin-environment.age"
+IDENTITIES=()
+for identity in [ "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa" ]; do
+  test -r "$identity" || continue
+  IDENTITIES+=(-i)
+  IDENTITIES+=("$identity")
+done
+
+if test "${#IDENTITIES[@]}" -eq 0; then
+  echo "[agenix-shell] WARNING: no readable identities found!"
+  exit
+fi
+
+if ! test -f "$SECRET_FILE"; then
+  echo "[agenix-shell] WARNING: encrypted environment file $SECRET_FILE not found!"
+  exit
+fi
+
+envrc=$(mktemp)
+
+if rage --decrypt "${IDENTITIES[@]}" -o "$envrc" $SECRET_FILE 2> /dev/null; then
+  export eval "$(cat "$envrc")"
+  export DGN_ADMIN_SECRET_LOADED=1
+  echo "[agenix-shell] Repository-wide secrets loaded in the environment."
+else
+  echo "[agenix-shell] ERROR: failed to read encrypted environment file $SECRET_FILE!"
+fi
+
+rm "$envrc"

scripts/default.nix

@@ -17,6 +17,7 @@ let
     writeShellApplication
     jq
     nvd
+    rage
     ;
 
   scripts = {
@@ -39,6 +40,7 @@ let
       colmena
       jq
     ];
+    decryptAndSourceEnvironment = [ rage ];
   };
 
   self = mapAttrs (

terranix/common.nix

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  # Until we get some kind of KMS operational, store secrets in the state file.
+  terraform.required_providers.secret = {
+    version = "~> 1.2.1";
+    source = "numtide/secret";
+  };
+}

terranix/default.nix

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  imports = [
+    ./common.nix
+    ./state.nix
+    ./s3
+  ];
+}

terranix/s3/default.nix

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+let
+  inherit (lib) tf;
+in
+{
+  imports = [ ./module.nix ];
+  resource.secret_resource.admin-s3-token.lifecycle.prevent_destroy = true;
+  s3 = {
+    provider = {
+      host = "s3-admin.dgnum.eu";
+      scheme = "https";
+      token = tf.ref "resource.secret_resource.admin-s3-token.value";
+    };
+    buckets = {
+      monorepo-terraform-state = { };
+      impress-raito-demo.keys.raito-dinum-test.owner = true;
+      nimbolus-dgnum.keys.nimbolus-dgnum.owner = true;
+      hackens-website = {
+        website_access_enabled = true;
+        website_config_index_document = "index.html";
+        keys.hackens-key = { };
+      };
+    };
+  };
+}

terranix/s3/module.nix

@@ -0,0 +1,176 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+let
+  inherit (lib)
+    concatMapAttrs
+    filterAttrs
+    genAttrs
+    mapAttrs
+    mapAttrs'
+    mkOption
+    nameValuePair
+    tf
+    ;
+  inherit (lib.types)
+    attrs
+    attrsOf
+    bool
+    ints
+    listOf
+    nullOr
+    str
+    submodule
+    ;
+
+  cfg = config.s3;
+in
+{
+  options.s3 = {
+    provider = mkOption {
+      type = attrs;
+      description = ''
+        Garage provider configuration.
+      '';
+    };
+    buckets = mkOption {
+      type = attrsOf (
+        submodule (
+          { name, ... }:
+          {
+            options = {
+              aliases = mkOption {
+                type = listOf str;
+                default = [ name ];
+                description = ''
+                  Global aliases for this bucket.
+                '';
+              };
+              keys = mkOption {
+                type = attrsOf (submodule {
+                  options = {
+                    read = mkOption {
+                      type = bool;
+                      description = ''
+                        Whether this key can read the bucket.
+                      '';
+                      default = true;
+                    };
+                    write = mkOption {
+                      type = bool;
+                      description = ''
+                        Whether this key can write on the bucket.
+                      '';
+                      default = true;
+                    };
+                    owner = mkOption {
+                      type = bool;
+                      description = ''
+                        Whether this key own the bucket.
+                      '';
+                      default = false;
+                    };
+                  };
+                });
+                description = ''
+                  List of keys for this bucket.
+                '';
+                default = { };
+              };
+              quota_max_objects = mkOption {
+                type = nullOr ints.unsigned;
+                default = null;
+                description = ''quota_max_objects'';
+              };
+              quota_max_size = mkOption {
+                type = nullOr ints.unsigned;
+                default = null;
+                description = ''quota_max_size'';
+              };
+              website_access_enabled = mkOption {
+                type = bool;
+                default = false;
+                description = ''website_access_enabled'';
+              };
+              website_config_index_document = mkOption {
+                type = nullOr str;
+                default = null;
+                description = ''website_config_index_document'';
+              };
+              website_config_error_document = mkOption {
+                type = nullOr str;
+                default = null;
+                description = ''website_config_error_document'';
+              };
+            };
+          }
+        )
+      );
+      description = ''
+        Buckets to manage.
+      '';
+      default = { };
+    };
+    keys = mkOption {
+      type = attrsOf (submodule {
+        options.create_buckets = mkOption {
+          type = bool;
+          description = ''
+            Whether this key can create buckets.
+          '';
+          default = false;
+        };
+      });
+    };
+  };
+  config = {
+    s3.keys = concatMapAttrs (_: cfg: mapAttrs (_: _: { }) cfg.keys) cfg.buckets;
+
+    terraform.required_providers.garage = {
+      version = "~> 1.0.3";
+      source = "registry.opentofu.org/RaitoBezarius/garage";
+    };
+    provider.garage = cfg.provider;
+    resource = {
+      garage_bucket = mapAttrs (
+        _: cfg:
+        filterAttrs (_: v: v != null) {
+          inherit (cfg)
+            quota_max_objects
+            quota_max_size
+            website_access_enabled
+            website_config_index_document
+            website_config_error_document
+            ;
+        }
+      ) cfg.buckets;
+
+      garage_bucket_global_alias = concatMapAttrs (
+        bucket: cfg:
+        genAttrs cfg.aliases (alias: {
+          inherit alias;
+          bucket_id = tf.ref "resource.garage_bucket.${bucket}.id";
+        })
+      ) cfg.buckets;
+
+      garage_key = mapAttrs (name: cfg: {
+        inherit name;
+        permissions.create_bucket = cfg.create_buckets;
+      }) cfg.keys;
+
+      garage_bucket_key = concatMapAttrs (
+        bucket: cfg:
+        mapAttrs' (
+          key: cfg:
+          nameValuePair (bucket + "_____" + key) {
+            bucket_id = tf.ref "resource.garage_bucket.${bucket}.id";
+            access_key_id = tf.ref "resource.garage_key.${key}.access_key_id";
+            inherit (cfg) read write owner;
+          }
+        ) cfg.keys
+      ) cfg.buckets;
+    };
+  };
+}

terranix/state.nix

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  terraform.backend.http = rec {
+    address = "https://nimbolus.dgnum.eu/state/core-infra/s3";
+    lock_address = address;
+    unlock_address = address;
+    username = "basic";
+  };
+}