From 5765243596956d8489bedaafa6b4a4f8051a1c9c Mon Sep 17 00:00:00 2001
From: cy
Date: Sun, 5 Jan 2025 05:42:52 -0500
Subject: [PATCH] add attic and rm tor
---
 .sops.yaml | 6 ++
 flake.lock | 141 +++++++++++++++++++++++++++++++++---
 flake.nix | 6 ++
 hosts/chunk/Caddyfile | 5 ++
 hosts/chunk/attic.nix | 32 ++++++++
 hosts/chunk/default.nix | 5 +-
 hosts/chunk/postgres.nix | 15 ++--
 secrets/services/attic.yaml | 40 ++++++++++
 8 files changed, 232 insertions(+), 18 deletions(-)
 create mode 100644 hosts/chunk/attic.nix
 create mode 100644 secrets/services/attic.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 9d200e7..bcf6804 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -93,3 +93,9 @@ creation_rules:
 - age:
 - *yt
 - *cy
+ - path_regex: secrets/services/attic.yaml
+ key_groups:
+ - age:
+ - *chunk
+ - *cy
+ - *yt
diff --git a/flake.lock b/flake.lock
index 4700268..1d45c9a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,6 +1,52 @@ { "nodes": { + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731270564, + "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "47752427561f1c34debb16728a210d378f0ece36", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, "crane": { + "inputs": { + "nixpkgs": [ + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722960479, + "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", + "owner": "ipetkov", + "repo": "crane", + "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { "inputs": { "nixpkgs": [ "lanzaboote", 
@@ -58,7 +104,44 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -126,11 +209,11 @@ ] }, "locked": { - "lastModified": 1736013363, - "narHash": "sha256-P4lsS2Y5GzBfC8OfXtD/xWEucX6oHGTjOzjEjEJbXfc=", + "lastModified": 1736066484, + "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=", "owner": "nix-community", "repo": "home-manager", - "rev": "0d7908bd09165db6699908b7e3970f137327cbf0", + "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0", "type": "github" }, "original": { @@ -141,9 +224,9 @@ }, "lanzaboote": { "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "crane": "crane_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" 
@@ -166,6 +249,27 @@ "type": "github" } }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1735834308, @@ -215,6 +319,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1710695816, "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", @@ -241,7 +361,7 @@ "lanzaboote", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1717664902, @@ -259,6 +379,7 @@ }, "root": { "inputs": { + "attic": "attic", "disko": "disko", "home-manager": "home-manager", "lanzaboote": "lanzaboote", @@ -301,11 +422,11 @@ ] }, "locked": { - "lastModified": 1735844895, - "narHash": "sha256-CIRlqX9tBK2awJkmVu2cKuap/0QziDXStQZ/u/+e8Z4=", + "lastModified": 1736064798, + "narHash": "sha256-xJRN0FmX9QJ6+w8eIIIxzBU1AyQcLKJ1M/Gp6lnSD20=", "owner": "Mic92", "repo": "sops-nix", - "rev": "24d89184adf76d7ccc99e659dc5f3838efb5ee32", + "rev": "5dc08f9cc77f03b43aacffdfbc8316807773c930", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 4dc2417..91cd712 100644 --- a/flake.nix +++ b/flake.nix 
@@ -23,6 +23,10 @@ url = "github:nix-community/lanzaboote/v0.4.1"; inputs.nixpkgs.follows = "nixpkgs"; }; + attic = { + url = "github:zhaofengli/attic"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nixpkgs-borg.url = "github:cything/nixpkgs/borg"; # unmerged PR nixpkgs-btrbk.url = "github:cything/nixpkgs/btrbk"; # unmerged PR
@@ -138,10 +142,12 @@ modules = [ { nixpkgs = { inherit pkgs; }; + disabledModules = [ "services/networking/atticd.nix" ]; } ./hosts/chunk inputs.sops-nix.nixosModules.sops ./modules + inputs.attic.nixosModules.atticd ]; };
diff --git a/hosts/chunk/Caddyfile b/hosts/chunk/Caddyfile
index 201116d..a42032c 100644
--- a/hosts/chunk/Caddyfile
+++ b/hosts/chunk/Caddyfile
@@ -60,3 +60,8 @@ element.cything.io {
 import common
 reverse_proxy localhost:8089
 }
+
+cache.cything.io {
+ import common
+ reverse_proxy localhost:8090
+}
diff --git a/hosts/chunk/attic.nix b/hosts/chunk/attic.nix
new file mode 100644
index 0000000..7e466f7
--- /dev/null
+++ b/hosts/chunk/attic.nix
@@ -0,0 +1,32 @@
+{config, ...}:
+{
+ services.atticd = {
+ enable = true;
+
+ environmentFile = config.sops.secrets."attic/env".path;
+
+ settings = {
+ listen = "[::]:8090";
+ api-endpoint = "https://cache.cything.io/";
+ allowed-hosts = [ "cache.cything.io" ];
+
+ jwt = { };
+
+ compression.type = "zstd";
+ storage = {
+ type = "s3";
+ region = "default";
+ bucket = "cy7";
+ endpoint = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com";
+ };
+ database.url = "postgresql://localhost/atticd";
+
+ chunking = {
+ nar-size-threshold = 64 * 1024; # 64 KiB
+ min-size = 16 * 1024; # 16 KiB
+ avg-size = 64 * 1024; # 64 KiB
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ };
+}
diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index bd22fe9..f0d214e 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
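Review bot: `disabledModules = [ "services/networking/atticd.nix" ]` drops the nixpkgs atticd module in favour of `inputs.attic.nixosModules.atticd` without saying why, so a later reader of flake.nix cannot tell whether the disable is required or incidental. A one-line comment on that line would settle it, e.g. `# nixpkgs ships its own atticd module; disable it so only the attic flake's module (imported below) defines services.atticd` — presumably the two define the same option namespace, but confirm that rather than let the comment assert it. The `attic` input is declared with no tag or rev, so the daemon and the module you run are whatever flake.lock pins at each update; review bumps of that input as you would any third-party NixOS module. The enclosing attribute set starts and ends outside the hunk.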
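Review bot: `listen = "[::]:8090";` binds atticd on every interface, while the Caddyfile in this patch only proxies `localhost:8090`; unless a host firewall drops port 8090 (nothing in the patch shows one), the API is also reachable directly over plain HTTP, and `allowed-hosts` cannot close that path because it only checks the client-supplied Host header. Bind to loopback so Caddy is the only way in: `listen = "[::1]:8090";` (or `127.0.0.1:8090`, whichever `localhost` resolves to for Caddy). `jwt = { };` and the `storage` block carry no secrets, which means the token-signing secret and the R2 access keys must both come from the sops environment file; a comment saying so — and naming the variables that file is expected to provide — would stop a future reader from "fixing" the empty `jwt` by putting a secret into `settings`, where it would land in the world-readable Nix store. The `endpoint` also embeds what looks like an account identifier; if that is something you would rather not commit, the same env file is the place for it.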
@@ -21,10 +21,10 @@ ./vaultwarden.nix ./wireguard.nix ./grafana.nix - ./tor.nix ./conduwuit.nix ./immich.nix ./element.nix + ./attic.nix ]; sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -82,6 +82,9 @@ "rsyncnet/id_ed25519" = { sopsFile = ../../secrets/de3911/chunk.yaml; }; + "attic/env" = { + sopsFile = ../../secrets/services/attic.yaml; + }; }; boot.loader.grub.enable = true;
diff --git a/hosts/chunk/postgres.nix b/hosts/chunk/postgres.nix
index 2448191..b0e48ac 100644
--- a/hosts/chunk/postgres.nix
+++ b/hosts/chunk/postgres.nix
@@ -1,6 +1,5 @@
 {
 pkgs,
- lib,
 ...
 }:
 {
@@ -11,13 +10,15 @@
 enableTCPIP = true;
 ensureDatabases = [
 "hedgedoc"
+ "atticd"
 ];
- authentication = lib.mkForce ''
- local all all trust
- host all all 127.0.0.1/32 trust
- host all all ::1/128 trust
- host all all 172.18.0.0/16 trust
- '';
+ ensureUsers = [
+ {
+ name = "atticd";
+ ensureDBOwnership = true;
+ }
+ ]
+ ;
 };
 services.postgresqlBackup = {
 enable = true;
diff --git a/secrets/services/attic.yaml b/secrets/services/attic.yaml
new file mode 100644
index 0000000..3e0c980
--- /dev/null
+++ b/secrets/services/attic.yaml
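Review bot: Dropping the `trust` entries is the right move, but the new `atticd` role gets no password while hosts/chunk/attic.nix in this patch connects with `postgresql://localhost/atticd`, i.e. over TCP to loopback; with the `lib.mkForce` override gone the NixOS default pg_hba applies, which as far as I recall requires password authentication on the loopback `host` entries, so atticd will likely be refused unless the env file supplies a different database URL. Use the Unix socket with peer authentication instead, which is what `ensureUsers` plus `ensureDBOwnership` sets up: `database.url = "postgresql:///atticd?host=/run/postgresql";` — this relies on the daemon running as an OS user named `atticd`, which the patch does not show, so confirm it against the attic module. Note that `enableTCPIP = true` stays on and the `172.18.0.0/16` entry is gone, so whatever connected from that network (a container bridge, by the look of it) now needs real credentials rather than `trust`. As a style point, `+ ]` and `+ ;` on separate lines is unusual Nix; `];` on one line reads better.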
@@ -0,0 +1,40 @@ +attic: + env: ENC[AES256_GCM,data:ytja+z0aidJcC4LoEIf8SiH2TwGgoPMxxLsBxkIT545BcG1axW9yKYWUEryGiHKVYBXv+oFwTA1cXZ22nutWuZQC08G8RI1zvrA/nDTGuCtS4dv8w8XA7nR5IxwFzT6Ss3dsWaRVVPQ/2ik9OkqCVPiBjjVnePZxt8Hp0GS0uiHDw9Vhxu8qeT/O,iv:FUpv79AAubveP6kiMPL+Vs+d1ULZ0PdJsOW5VIHvfPU=,tag:AoReDpnGlJ5dqCRtE10Kug==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UVhaVWl5UVk5ZXRVNFZw + dGxGQmRNa0JKemlNUGZRVHVFcXpMam1KOVF3CkFOOVNGeWxVS2ltc1JuK3ptdVNz + MU1vU2FXMTlPSk4raW14WkNZK0VBMUkKLS0tIFdlRURkTFY2S3R3Y3FLMnhMN0kz + Tjk4dytPZHp1aUlvTW9kaFpITWFEb28Krb4mkHrWTylz6IQvnUU2UI+fZ9MffLE8 + A4U8tXyRbwcEmEEmihS8wxUBpWdkb5+0+oryrSt8I79EKcMS7H8WtA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMa0pvaWRWS0JkdDJxYy9W + SHE3QnFnblNxOW5OWERlM2N4bnZYMWJnRFJZCjdobmlsSUNjakJtdEd6TkRZVktu + Q0xFaEF3bG92MzY4WVViK3Exc0JaRW8KLS0tIGJNd0FHbHF6WEJHdGF5bjNyTExn + MExyYlBQUFd2KzdQeHFRSTNpMUdtRFUKwqZCfN0JStIjLA7Fqjws/c5+WeVdtL6F + VNYzgbqg73hKOGJ8GoDsMLIkiz7LchyIUXP/vOgU45cMGfeut4tcJg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UmhKMEZrcVlhcEZwdHd5 + VG5NQmtxR0RKN0dLSlFndGt4emFLcEdhNGxjCktMYWlaaUppbStSRUhuMWgzS0Vm + Tzh3bitISldacms5UkcvRVVnSWs4YTAKLS0tIHA3S1NoMW4yK01EU2NlMGI4OFNq + ekFwNFp4dm9UeDU5WFU5SmJyY25lMEEKZquSaE2A4ZTSp8sNB5bjgUzdp8RtAHIH + xmbtfiMcLUv7J3FdGNwmSn9P9lYgzCVEZBjI0BCj/9JEm0eGFL8Vbw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-05T10:08:04Z" + mac: 
ENC[AES256_GCM,data:tLhSxXsNEh/q1IQqIQuwj2ols3QdwRSE/VBMXuNBkTDkuWQpShoq+qScGZPrDSWIYQujYLroLHv0jpc0r6n0q+SSuLRNJHZboKG/o08gMjmh5EGCoI0yDfxiUGehHjYJsoyeaDjjJozRgDP0qsAsAUNnW/Ny0lg2BF36jPJPu1E=,iv:eZtGrZbtkBr4NFGGn4ohrSjgeRi47WKxsNSu4H34YdI=,tag:3fp5L6COgy3j5PIMtkmxrw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2