infra: Arch Linux servers automation infrastructure for cjprods.org

The goal is to automate the configuration of Arch Linux servers at cjprods.org.

- Utilize `systemd` to its full potential.
  - Socket activation
  - Generators (dynamic unit files and drop-ins)
  - Compartmentalization (security sandboxing, `DynamicUser`, etc.)
  - Only requires a stateless system
- Utilize `pacman` (`alpm`, Arch Linux Package Manager) to its full potential.
  - alpm hooks
- Use GitHub Releases as an Arch Linux repository.
- Support for hiding secrets in certain situations (like passwords and keys).
- Reusable: everyone can set up their own automation based on this project.
- Keep as many things in plaintext as possible. Only sensitive parts (passwords, open ports, etc.) are encrypted.
- Every encrypted file `secret-*` has a corresponding example plaintext file `example-secret-*`.
Add the repository to `/etc/pacman.conf`, served either from cjprods.org or from GitHub Releases:

```ini
# /etc/pacman.conf
[infra]
SigLevel = Optional TrustAll
Server = https://cjprods.org/infra-repo
```

```ini
# /etc/pacman.conf
[infra]
SigLevel = Optional TrustAll
Server = https://github.com/cjxgm/infra/releases/download/latest
```
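`SigLevel = Optional TrustAll` tells pacman to accept packages from this repository without a signature and, where one is present, to accept it from any key, trusted or not. The script below is an added example (not part of the infra project) that reports every repository in a pacman.conf whose effective SigLevel ends up in that state; it assumes `[options]` precedes the repository sections, as in the stock file, and starts from `Required DatabaseOptional`, the SigLevel shipped in Arch's stock `/etc/pacman.conf`. The sample configuration is constructed from the snippet above plus a hardened variant.

```shell
#!/bin/sh
# Added example, not part of the infra project: report repositories in a
# pacman.conf whose effective SigLevel accepts unsigned packages or
# signatures from untrusted keys. Assumes [options] precedes the repo
# sections (as in the stock file) and starts from "Required DatabaseOptional",
# the SigLevel shipped in the stock Arch /etc/pacman.conf.
audit_siglevel() {   # $1 = path to pacman.conf; exit 1 if anything is flagged
    awk '
    # Apply the tokens of one SigLevel line to lvl[]/trust[] (pacman.conf(5)
    # grammar: Never/Optional/Required, TrustedOnly/TrustAll, optionally
    # prefixed with Package or Database to limit the token to that kind).
    function apply(line,    n, i, t, k, parts) {
        n = split(line, parts, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = parts[i]; k = ""
            if (t == "") continue
            if (t ~ /^Package./)       { k = "Package";  sub(/^Package/, "", t) }
            else if (t ~ /^Database./) { k = "Database"; sub(/^Database/, "", t) }
            if (t == "Never" || t == "Optional" || t == "Required") {
                if (k == "") { lvl["Package"] = t; lvl["Database"] = t } else lvl[k] = t
            } else if (t == "TrustedOnly" || t == "TrustAll") {
                if (k == "") { trust["Package"] = t; trust["Database"] = t } else trust[k] = t
            } else {
                printf "%s: unknown SigLevel token %s\n", repo, t; bad = 1
            }
        }
    }
    # Print findings for the section that just ended. Database signatures
    # being Optional is the stock default, so only TrustAll is flagged there.
    function report() {
        if (repo == "" || repo == "options") return
        if (lvl["Package"] != "Required") {
            printf "%s: package signatures not required (%s)\n", repo, lvl["Package"]; bad = 1
        }
        if (trust["Package"] == "TrustAll") {
            printf "%s: packages accepted from untrusted keys (TrustAll)\n", repo; bad = 1
        }
        if (trust["Database"] == "TrustAll") {
            printf "%s: databases accepted from untrusted keys (TrustAll)\n", repo; bad = 1
        }
    }
    BEGIN {
        bad = 0
        lvl["Package"] = "Required"; trust["Package"] = "TrustedOnly"
        lvl["Database"] = "Optional"; trust["Database"] = "TrustedOnly"
        for (k in lvl) { glvl[k] = lvl[k]; gtrust[k] = trust[k] }
    }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments and padding
    $0 == "" { next }
    /^\[.*\]$/ {                                      # section header
        report()
        if (repo == "options") {                      # [options] state becomes the base
            for (k in lvl) { glvl[k] = lvl[k]; gtrust[k] = trust[k] }
        }
        repo = substr($0, 2, length($0) - 2)
        for (k in glvl) { lvl[k] = glvl[k]; trust[k] = gtrust[k] }   # every repo inherits the base
        next
    }
    /^SigLevel[ \t]*=/ { sub(/^SigLevel[ \t]*=[ \t]*/, ""); apply($0) }
    END { report(); exit bad }
    ' "$1"
}

# Constructed sample: the [infra] entry from this README next to a hardened variant.
SAMPLE_CONF='[options]
SigLevel = Required DatabaseOptional

[infra]
SigLevel = Optional TrustAll
Server = https://cjprods.org/infra-repo

[infra-signed]
SigLevel = Required TrustedOnly
Server = https://cjprods.org/infra-repo'

conf="$(mktemp)"
printf '%s\n' "$SAMPLE_CONF" > "$conf"
audit_siglevel "$conf" || echo "weak SigLevel found"
rm -f "$conf"
```

Run it against the real file with `audit_siglevel /etc/pacman.conf`; a non-zero exit status makes it usable as a check in provisioning. Signing the repository database and packages and switching the entry to `SigLevel = Required TrustedOnly` is what makes the finding go away.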
Put the private key in `secret.pem`, then package the private key:

```sh
make makepkg-private-key
```

Upload and install the private key package `build/repo/infra-private-key-*.pkg.tar.xz` manually.

Now run `pacman -Syu`, then install any wanted packages.

All packages provided by this repo have the prefix `infra-`.
- Put the private key in `secret.pem`.
- Run `make setup`.
- After editing `secret-*` files, it's better (for now) to run `make unsetup` to cancel the effect so that rebasing won't conflict that much.
- The private key is used for encrypting the decryption key.
- The encrypted decryption key is `secret.key`.
- The decryption key (unwrapped with the private key) is used to decrypt secrets.
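The three points above describe a two-layer scheme: a symmetric key encrypts the `secret-*` files, and that key is itself stored encrypted as `secret.key`, so only the holder of `secret.pem` can get at any secret. The script below is an added example showing that layout end to end with openssl; it is not the project's own Makefile targets. It assumes `secret.pem` is an RSA private key (wrapping uses its public half), that the decryption key is 32 random bytes, that a `secret-NAME` file is `example-secret-NAME` encrypted with AES-256-CBC under that key (PBKDF2 for the key derivation), and that `secret.key` holds the RSA-wrapped decryption key. The private key and the secret are constructed in a scratch directory for the demo.

```shell
#!/bin/sh
# Added example, not the infra project's own Makefile targets: the two-layer
# secret scheme the README describes, done with openssl in a scratch directory.
# Assumptions: secret.pem is an RSA private key (wrapping uses its public
# half), the "decryption key" is 32 random bytes, a secret-NAME file is
# example-secret-NAME encrypted with AES-256-CBC under that key (PBKDF2 for
# the key derivation), and secret.key is the RSA-wrapped decryption key.
set -eu

# example-secret-NAME + plaintext decryption key ($2) -> secret-NAME
encrypt_secret() {   # $1 = NAME, $2 = path of the plaintext decryption key
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$2" \
        -in "example-secret-$1" -out "secret-$1"
}

# Unwrap secret.key with the private key, decrypt secret-NAME to stdout and
# remove the unwrapped key again so it does not linger on disk.
decrypt_secret() {   # $1 = NAME
    openssl pkeyutl -decrypt -inkey secret.pem -in secret.key -out .unwrapped.key
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:.unwrapped.key -in "secret-$1"
    rm -f .unwrapped.key
}

# One-time setup: a demo private key (constructed here; the real one is
# provided out of band), a fresh decryption key wrapped into secret.key, and
# one constructed secret. Afterwards only secret.pem, secret.key and
# secret-db need to exist; the plaintext decryption key is gone.
setup_demo() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out secret.pem 2>/dev/null
    openssl rand -hex 32 > .decryption.key
    openssl pkeyutl -encrypt -inkey secret.pem -in .decryption.key -out secret.key
    printf 'db-password=hunter2\n' > example-secret-db   # constructed plaintext secret
    encrypt_secret db .decryption.key
    rm -f .decryption.key
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
setup_demo
decrypt_secret db   # prints db-password=hunter2
```

The property worth checking in a repository laid out this way is that neither the plaintext decryption key nor any plaintext secret is present once setup is done: `secret-db` must not contain the plaintext, and the only key material on disk is `secret.pem` (never committed) and the wrapped `secret.key`.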