Add deployment for attic

2024-04-07 11:45:56 +02:00 · 2024-04-07 11:45:56 +02:00 · 8518832b7d
parent 094030f4d5
commit 8518832b7d
7 changed files with 189 additions and 12 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,8 +1,51 @@
 {
  "nodes": {
+    "attic": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1711742460,
+        "narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=",
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
+    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1702918879,
+        "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "deploy-rs": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -23,6 +66,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -38,23 +97,54 @@
        "type": "github"
      }
    },
-    "nixpkgs": {
+    "flake-utils": {
      "locked": {
-        "lastModified": 1712439257,
-        "narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1711401922,
+        "narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "07262b18b97000d16a4bdb003418bd2fb067a932",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1711460390,
+        "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1712437997,
        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
@ -70,10 +160,27 @@
        "type": "github"
      }
    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1712439257,
+        "narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
+        "attic": "attic",
        "deploy-rs": "deploy-rs",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "sops-nix": "sops-nix",
        "utils": "utils_2"
      }
@ -83,7 +190,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
        "lastModified": 1712458908,
--- a/flake.nix
+++ b/flake.nix
@ -1,12 +1,13 @@
 {
  inputs = {
+    attic = { url = "github:zhaofengli/attic"; };
    nixpkgs = { url = "github:nixos/nixpkgs/nixos-unstable"; };
    deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };
    utils = { url = "github:numtide/flake-utils"; };
    sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
  };

-  outputs = { self, nixpkgs, deploy-rs, utils, sops-nix, ... }@inputs:
+  outputs = { self, attic, nixpkgs, deploy-rs, utils, sops-nix, ... }@inputs:
    {
      nixosConfigurations = {
        "phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
@ -16,6 +17,7 @@
            sops-nix.nixosModules.sops
            ./default.nix
            ./hosts/phoenix.lewd.wtf/configuration.nix
+            attic.nixosModules.atticd
          ];
        };

--- a/hosts/phoenix.lewd.wtf/containers/test.nix
+++ b/hosts/phoenix.lewd.wtf/containers/test.nix
@ -13,6 +13,12 @@
    }
  ];

+  fileSystems."/mnt/zbigdata/seedbox_test" = {
+    device = "zbigdata/seedbox_test";
+    fsType = "zfs";
+  };
+
+
  containers.seedbox-test = {
    autoStart = true;
    privateNetwork = true;
--- a/hosts/phoenix.lewd.wtf/hardware-configuration.nix
+++ b/hosts/phoenix.lewd.wtf/hardware-configuration.nix
@ -35,6 +35,11 @@
    fsType = "zfs";
  };

+  fileSystems."/var/lib/attic/storage" = {
+    device = "zbigdata/attic";
+    fsType = "zfs";
+  };
+
  swapDevices = [ ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
--- a/hosts/phoenix.lewd.wtf/secrets.nix
+++ b/hosts/phoenix.lewd.wtf/secrets.nix
@ -12,6 +12,15 @@
    format = "dotenv";
  };

+  # Attic
+  sops.secrets."services/attic/creds.env" = {
+    mode = "0400";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
+    sopsFile = ./secrets/attic.env;
+    format = "dotenv";
+  };
+
  # MSMTP
  sops.secrets."services/msmtp/password" = {
    mode = "0777";
--- a/hosts/phoenix.lewd.wtf/secrets/attic.env
+++ b/hosts/phoenix.lewd.wtf/secrets/attic.env
@ -0,0 +1,9 @@
+ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64=ENC[AES256_GCM,data:VPOq3Ipu7fnpi14mbdFG01MJiZvMuK1FHlQbO+AQi3Xh8ZCScr+wedGekvtqrOkNXk8PBsXpXhXhQ7j7dJkUyfBnE1RAEIxaxwhuWyS2e2ZyTKNjL427hb/9,iv:xgc74cUXxO5dGTRGsl4u3HDRg1f3pOtHdekYoz/mDO8=,tag:j1c0Axfa/oBMgccPtrm5GQ==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MVRwaEJaa21ENi9RbGJn\nQXk2QXN1QW1ZbGFUaXdsaThEM0FJNTNKYjNNCmtDMXM3THQxazJTY2tjZ1JnTHF3\nOHVqZkdXOHdYUnQ4UGVXZGxwaDJGMG8KLS0tIHVNSWdReG9kY3lqa2xnRzVnVTZn\nemJmejIrSnd3amdUNm1TRE1OTTRSVG8Ktzanb6rbmFRE02N9vt+QyuwIpJN+EXCM\ncJRgxdUovzt/4CU6oJDNLrdV0FfCPUHMfg6f6CgEGu0RhvzKAh77Dg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbmZsV0ZINVN4QytybDRz\nb2pQVTNoVFVNb3A3QmlYUG9BRnBQVEFxYXk4CnVpZHQrd090WUF0TkVqNk1OM1JN\nS21hdHJ6MkEvUXlwYkFoTmdEeDZPcDgKLS0tIFFMdkhBRVVxelpDUFdxWWNKbEU4\nZkc2d3lEZC9FVHpBZlQ5K1lDK3ZwbFUKFshCxKov4sjuHOokHmoxa+IeOT2ttg7o\nNL75mlP+u6IKETvQNQ4HlHcVF1Zask1JUeJU13xI3b26laIKr0ZBYw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+sops_lastmodified=2024-04-07T09:41:32Z
+sops_mac=ENC[AES256_GCM,data:lDQABnYzFbMNT09grDE9y++VWDzbw4wlrIXpXL2WMBK6LnJhtzsWHyUuZ8fxIjCihtxUW5LbeY5YjV53NubAGK+Aw3JysR90iVQ7Mo7Dn5E7Hv3MUx1+1R/HqIZegZ5lY64u58dFKqUV46lOqTCE3nfVSGZ65CiBLtHOOOYs8L4=,iv:4CvbTGLSzDC7IM7mt+V4tL+Js0sX4Z8nnJapC1BwrOk=,tag:PlkagmUsAmZ8FRsZy5x0Dw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1
--- a/hosts/phoenix.lewd.wtf/services/atticd.nix
+++ b/hosts/phoenix.lewd.wtf/services/atticd.nix
@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+{
+  services.atticd = {
+    enable = true;
+    package = ${pkgs.attic-server};
+
+    credentialsFile = "/run/secrets/services/attic/creds.env";
+
+    settings = {
+      listen = "0.0.0.0:28842";
+
+      chunking = {
+        nar-size-threshold = 64 * 1024; # 64 KiB
+        min-size = 16 * 1024; # 16 KiB
+        avg-size = 64 * 1024; # 64 KiB
+        max-size = 256 * 1024; # 256 KiB
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."attic.lewd.wtf" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:28842";
+      extraConfig =
+        "proxy_set_header        Host $host;" +
+        "proxy_set_header        X-Real-IP $remote_addr;" +
+        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
+        "proxy_set_header        X-Forwarded-Proto $scheme;" +
+        "proxy_connect_timeout   1800;" +
+        "proxy_send_timeout      1800;" +
+        "proxy_read_timeout      1800;" +
+        "send_timeout            1800;" +
+        "client_max_body_size    5G;"
+        ;
+    };
+  };
+}