diff --git a/flake.lock b/flake.lock index c508f58..52f6165 100644 --- a/flake.lock +++ b/flake.lock @@ -1,8 +1,51 @@ { "nodes": { + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1711742460, + "narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, + "crane": { + "inputs": { + "nixpkgs": [ + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1702918879, + "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "deploy-rs": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nixpkgs": [ "nixpkgs" ], @@ -23,6 +66,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1696426674, 
@@ -38,23 +97,54 @@ "type": "github" } }, - "nixpkgs": { + "flake-utils": { "locked": { - "lastModified": 1712439257, - "narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1711401922, + "narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "07262b18b97000d16a4bdb003418bd2fb067a932", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1711460390, + "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "44733514b72e732bd49f5511bd0203dea9b9a434", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1712437997, "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=", 
@@ -70,10 +160,27 @@
 "type": "github"
 }
 },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1712439257,
+ "narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
+ "attic": "attic",
 "deploy-rs": "deploy-rs",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "sops-nix": "sops-nix",
 "utils": "utils_2"
 }
@@ -83,7 +190,7 @@
 "nixpkgs": [
 "nixpkgs"
 ],
- "nixpkgs-stable": "nixpkgs-stable"
+ "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
 "lastModified": 1712458908,
diff --git a/flake.nix b/flake.nix
index 0b135cd..52abb8b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,12 +1,13 @@
 {
 inputs = {
+ attic = { url = "github:zhaofengli/attic"; };
 nixpkgs = { url = "github:nixos/nixpkgs/nixos-unstable"; };
 deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };
 utils = { url = "github:numtide/flake-utils"; };
 sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
 };
- outputs = { self, nixpkgs, deploy-rs, utils, sops-nix, ... }@inputs:
+ outputs = { self, attic, nixpkgs, deploy-rs, utils, sops-nix, ... }@inputs:
 {
 nixosConfigurations = {
 "phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
@@ -16,6 +17,7 @@
 sops-nix.nixosModules.sops
 ./default.nix
 ./hosts/phoenix.lewd.wtf/configuration.nix
+ attic.nixosModules.atticd
 ];
 };
diff --git a/hosts/phoenix.lewd.wtf/containers/test.nix b/hosts/phoenix.lewd.wtf/containers/test.nix
index 50f7626..7362471 100644
--- a/hosts/phoenix.lewd.wtf/containers/test.nix
+++ b/hosts/phoenix.lewd.wtf/containers/test.nix
@@ -13,6 +13,12 @@
 }
 ];
+ fileSystems."/mnt/zbigdata/seedbox_test" = {
+ device = "zbigdata/seedbox_test";
+ fsType = "zfs";
+ };
+
+
 containers.seedbox-test = {
 autoStart = true;
 privateNetwork = true;
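Review bot: The new `attic` input in flake.nix does not follow the root `nixpkgs`, unlike the sibling `deploy-rs` and `sops-nix` inputs on the adjacent lines, so the lock file in this same commit grows a second `nixpkgs`, a `nixpkgs-stable`, `crane` and `flake-utils` pinned only by attic. Evaluating and building the host now pulls two nixpkgs closures, and the attic module's packages are built against a nixpkgs revision the host does not otherwise track. If upstream does not require its own pin (confirm against attic's README before re-locking), the consistent form is `attic = { url = "github:zhaofengli/attic"; inputs.nixpkgs.follows = "nixpkgs"; };`.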
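Review bot: The new `fileSystems."/mnt/zbigdata/seedbox_test"` block in containers/test.nix is followed by two consecutive blank added lines, where the rest of the file uses one; drop one of them. The host-side mount is not referenced by anything in the hunk, and `containers.seedbox-test` continues past the hunk, so whether it is exposed to the container via `bindMounts` cannot be checked here; if it is not, the dataset is mounted on the host for nothing. Note that with ZFS a `fileSystems` entry only takes effect for datasets whose `mountpoint` is `legacy`, which the hunk cannot show.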
diff --git a/hosts/phoenix.lewd.wtf/hardware-configuration.nix b/hosts/phoenix.lewd.wtf/hardware-configuration.nix
index 75c77a4..b5addda 100644
--- a/hosts/phoenix.lewd.wtf/hardware-configuration.nix
+++ b/hosts/phoenix.lewd.wtf/hardware-configuration.nix
@@ -35,6 +35,11 @@
 fsType = "zfs";
 };
+ fileSystems."/var/lib/attic/storage" = {
+ device = "zbigdata/attic";
+ fsType = "zfs";
+ };
+
 swapDevices = [ ];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
diff --git a/hosts/phoenix.lewd.wtf/secrets.nix b/hosts/phoenix.lewd.wtf/secrets.nix
index f520222..523da30 100644
--- a/hosts/phoenix.lewd.wtf/secrets.nix
+++ b/hosts/phoenix.lewd.wtf/secrets.nix
@@ -12,6 +12,15 @@
 format = "dotenv";
 };
+ # Attic
+ sops.secrets."services/attic/creds.env" = {
+ mode = "0400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ sopsFile = ./secrets/attic.env;
+ format = "dotenv";
+ };
+
 # MSMTP
 sops.secrets."services/msmtp/password" = {
 mode = "0777";
diff --git a/hosts/phoenix.lewd.wtf/secrets/attic.env b/hosts/phoenix.lewd.wtf/secrets/attic.env
new file mode 100644
index 0000000..394b356
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets/attic.env
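Review bot: The `fileSystems."/var/lib/attic/storage"` mount is added to hardware-configuration.nix, which is conventionally the `nixos-generate-config` output and liable to be regenerated; a service-specific dataset belongs next to `services.atticd` in the new services/atticd.nix from this same commit. Nothing in the atticd hunk sets `settings.storage`, so whether the daemon actually writes under `/var/lib/attic/storage` depends on the module's default local-storage path (which I cannot confirm from here); either verify that default or pin it explicitly with `settings.storage = { type = "local"; path = "/var/lib/attic/storage"; };` so the dataset and the service cannot drift apart. As with any ZFS `fileSystems` entry, the dataset must use `mountpoint=legacy`, which this diff cannot show.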
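Review bot: The new `sops.secrets."services/attic/creds.env"` entry is root-owned with `mode = "0400"`, which is only correct if the atticd unit consumes the file through systemd (an `EnvironmentFile` or `LoadCredential` read by PID 1) rather than opening it as its own service user; the atticd module's mechanism is not visible in this diff, so confirm it before deploying, otherwise the unit fails at start with a permission error. While here, the `mode = "0777"` on the neighbouring `services/msmtp/password` secret, visible as context two lines below, makes that password world-readable and world-writable at `/run/secrets`; it deserves the same `0400` treatment in a follow-up.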
@@ -0,0 +1,9 @@ +ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64=ENC[AES256_GCM,data:VPOq3Ipu7fnpi14mbdFG01MJiZvMuK1FHlQbO+AQi3Xh8ZCScr+wedGekvtqrOkNXk8PBsXpXhXhQ7j7dJkUyfBnE1RAEIxaxwhuWyS2e2ZyTKNjL427hb/9,iv:xgc74cUXxO5dGTRGsl4u3HDRg1f3pOtHdekYoz/mDO8=,tag:j1c0Axfa/oBMgccPtrm5GQ==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MVRwaEJaa21ENi9RbGJn\nQXk2QXN1QW1ZbGFUaXdsaThEM0FJNTNKYjNNCmtDMXM3THQxazJTY2tjZ1JnTHF3\nOHVqZkdXOHdYUnQ4UGVXZGxwaDJGMG8KLS0tIHVNSWdReG9kY3lqa2xnRzVnVTZn\nemJmejIrSnd3amdUNm1TRE1OTTRSVG8Ktzanb6rbmFRE02N9vt+QyuwIpJN+EXCM\ncJRgxdUovzt/4CU6oJDNLrdV0FfCPUHMfg6f6CgEGu0RhvzKAh77Dg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbmZsV0ZINVN4QytybDRz\nb2pQVTNoVFVNb3A3QmlYUG9BRnBQVEFxYXk4CnVpZHQrd090WUF0TkVqNk1OM1JN\nS21hdHJ6MkEvUXlwYkFoTmdEeDZPcDgKLS0tIFFMdkhBRVVxelpDUFdxWWNKbEU4\nZkc2d3lEZC9FVHpBZlQ5K1lDK3ZwbFUKFshCxKov4sjuHOokHmoxa+IeOT2ttg7o\nNL75mlP+u6IKETvQNQ4HlHcVF1Zask1JUeJU13xI3b26laIKr0ZBYw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_recipient=age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh +sops_lastmodified=2024-04-07T09:41:32Z +sops_mac=ENC[AES256_GCM,data:lDQABnYzFbMNT09grDE9y++VWDzbw4wlrIXpXL2WMBK6LnJhtzsWHyUuZ8fxIjCihtxUW5LbeY5YjV53NubAGK+Aw3JysR90iVQ7Mo7Dn5E7Hv3MUx1+1R/HqIZegZ5lY64u58dFKqUV46lOqTCE3nfVSGZ65CiBLtHOOOYs8L4=,iv:4CvbTGLSzDC7IM7mt+V4tL+Js0sX4Z8nnJapC1BwrOk=,tag:PlkagmUsAmZ8FRsZy5x0Dw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/hosts/phoenix.lewd.wtf/services/atticd.nix b/hosts/phoenix.lewd.wtf/services/atticd.nix new file mode 100644 index 0000000..0c7d1b8 --- /dev/null +++ b/hosts/phoenix.lewd.wtf/services/atticd.nix 
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+{
+ services.atticd = {
+ enable = true;
+ package = ${pkgs.attic-server};
+
+ credentialsFile = "/run/secrets/services/attic/creds.env";
+
+ settings = {
+ listen = "0.0.0.0:28842";
+
+ chunking = {
+ nar-size-threshold = 64 * 1024; # 64 KiB
+ min-size = 16 * 1024; # 16 KiB
+ avg-size = 64 * 1024; # 64 KiB
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."attic.lewd.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:28842";
+ extraConfig =
+ "proxy_set_header Host $host;" +
+ "proxy_set_header X-Real-IP $remote_addr;" +
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
+ "proxy_set_header X-Forwarded-Proto $scheme;" +
+ "proxy_connect_timeout 1800;" +
+ "proxy_send_timeout 1800;" +
+ "proxy_read_timeout 1800;" +
+ "send_timeout 1800;" +
+ "client_max_body_size 5G;"
+ ;
+ };
+ };
+}
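Review bot: `package = ${pkgs.attic-server};` is not valid Nix — `${…}` interpolation is only legal inside a string or an attribute path, so the whole configuration fails to parse before anything else in this file is evaluated; the line should read `package = pkgs.attic-server;` (or be dropped to take the module's default, if that attribute is not provided by the nixpkgs the host follows). `listen = "0.0.0.0:28842";` binds the daemon on every interface while nginx proxies to `127.0.0.1:28842`, so the plain-HTTP API is reachable directly and bypasses the TLS and headers the virtual host sets up; unless direct access is intended, `listen = "127.0.0.1:28842";` keeps it behind the proxy. `credentialsFile` hard-codes the `/run/secrets/...` path that sops derives from the secret name declared in secrets.nix in this same commit; `config` is already in the argument set, and `credentialsFile = config.sops.secrets."services/attic/creds.env".path;` keeps the two in step if the secret is ever renamed or sops' default location changes.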