add attic and rm tor

.sops.yaml

@@ -93,3 +93,9 @@ creation_rules:
       - age:
           - *yt
           - *cy
+  - path_regex: secrets/services/attic.yaml
+    key_groups:
+      - age:
+          - *chunk
+          - *cy
+          - *yt

flake.lock

@@ -1,6 +1,52 @@
 {
   "nodes": {
+    "attic": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731270564,
+        "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=",
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "rev": "47752427561f1c34debb16728a210d378f0ece36",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
     "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722960479,
+        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "crane_2": {
       "inputs": {
         "nixpkgs": [
           "lanzaboote",
@@ -58,7 +104,44 @@
         "type": "github"
       }
     },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722555600,
+        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "lanzaboote",
@@ -126,11 +209,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736013363,
+        "lastModified": 1736066484,
-        "narHash": "sha256-P4lsS2Y5GzBfC8OfXtD/xWEucX6oHGTjOzjEjEJbXfc=",
+        "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0d7908bd09165db6699908b7e3970f137327cbf0",
+        "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0",
         "type": "github"
       },
       "original": {
@@ -141,9 +224,9 @@
     },
     "lanzaboote": {
       "inputs": {
-        "crane": "crane",
+        "crane": "crane_2",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
         "flake-utils": "flake-utils",
         "nixpkgs": [
           "nixpkgs"
@@ -166,6 +249,27 @@
         "type": "github"
       }
     },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1735834308,
@@ -215,6 +319,22 @@
       }
     },
     "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1724316499,
+        "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
       "locked": {
         "lastModified": 1710695816,
         "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
@@ -241,7 +361,7 @@
           "lanzaboote",
           "nixpkgs"
         ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
         "lastModified": 1717664902,
@@ -259,6 +379,7 @@
     },
     "root": {
       "inputs": {
+        "attic": "attic",
         "disko": "disko",
         "home-manager": "home-manager",
         "lanzaboote": "lanzaboote",
@@ -301,11 +422,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1735844895,
+        "lastModified": 1736064798,
-        "narHash": "sha256-CIRlqX9tBK2awJkmVu2cKuap/0QziDXStQZ/u/+e8Z4=",
+        "narHash": "sha256-xJRN0FmX9QJ6+w8eIIIxzBU1AyQcLKJ1M/Gp6lnSD20=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "24d89184adf76d7ccc99e659dc5f3838efb5ee32",
+        "rev": "5dc08f9cc77f03b43aacffdfbc8316807773c930",
         "type": "github"
       },
       "original": {

flake.nix

@@ -23,6 +23,10 @@
       url = "github:nix-community/lanzaboote/v0.4.1";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    attic = {
+      url = "github:zhaofengli/attic";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     nixpkgs-borg.url = "github:cything/nixpkgs/borg"; # unmerged PR
     nixpkgs-btrbk.url = "github:cything/nixpkgs/btrbk"; # unmerged PR
@@ -138,10 +142,12 @@
             modules = [
               {
                 nixpkgs = { inherit pkgs; };
+                disabledModules = [ "services/networking/atticd.nix" ];
               }
               ./hosts/chunk
               inputs.sops-nix.nixosModules.sops
               ./modules
+              inputs.attic.nixosModules.atticd
             ];
           };
 

hosts/chunk/Caddyfile

@@ -60,3 +60,8 @@ element.cything.io {
   import common
   reverse_proxy localhost:8089
 }
+
+cache.cything.io {
+  import common
+  reverse_proxy localhost:8090
+}

hosts/chunk/attic.nix

@@ -0,0 +1,32 @@
+{config, ...}:
+{
+  services.atticd = {
+    enable = true;
+
+    environmentFile = config.sops.secrets."attic/env".path;
+
+    settings = {
+      listen = "[::]:8090";
+      api-endpoint = "https://cache.cything.io/";
+      allowed-hosts = [ "cache.cything.io" ];
+
+      jwt = { };
+
+      compression.type = "zstd";
+      storage = {
+        type = "s3";
+        region = "default";
+        bucket = "cy7";
+        endpoint = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com";
+      };
+      database.url = "postgresql://localhost/atticd";
+
+      chunking = {
+        nar-size-threshold = 64 * 1024; # 64 KiB
+        min-size = 16 * 1024; # 16 KiB
+        avg-size = 64 * 1024; # 64 KiB
+        max-size = 256 * 1024; # 256 KiB
+      };
+    };
+  };
+}

hosts/chunk/default.nix

@@ -21,10 +21,10 @@
     ./vaultwarden.nix
     ./wireguard.nix
     ./grafana.nix
-    ./tor.nix
     ./conduwuit.nix
     ./immich.nix
     ./element.nix
+    ./attic.nix
   ];
 
   sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -82,6 +82,9 @@
     "rsyncnet/id_ed25519" = {
       sopsFile = ../../secrets/de3911/chunk.yaml;
     };
+    "attic/env" = {
+      sopsFile = ../../secrets/services/attic.yaml;
+    };
   };
 
   boot.loader.grub.enable = true;

hosts/chunk/postgres.nix

@@ -1,6 +1,5 @@
 {
   pkgs,
-  lib,
   ...
 }:
 {
@@ -11,13 +10,15 @@
     enableTCPIP = true;
     ensureDatabases = [
       "hedgedoc"
+      "atticd"
     ];
-    authentication = lib.mkForce ''
+    ensureUsers = [
-      local all all trust
+      {
-      host  all all 127.0.0.1/32 trust
+        name = "atticd";
-      host  all all ::1/128 trust
+        ensureDBOwnership = true;
-      host  all all 172.18.0.0/16 trust
+      }
-    '';
+    ]
+    ;
   };
   services.postgresqlBackup = {
     enable = true;

secrets/services/attic.yaml

@@ -0,0 +1,40 @@
+attic:
+    env: ENC[AES256_GCM,data:ytja+z0aidJcC4LoEIf8SiH2TwGgoPMxxLsBxkIT545BcG1axW9yKYWUEryGiHKVYBXv+oFwTA1cXZ22nutWuZQC08G8RI1zvrA/nDTGuCtS4dv8w8XA7nR5IxwFzT6Ss3dsWaRVVPQ/2ik9OkqCVPiBjjVnePZxt8Hp0GS0uiHDw9Vhxu8qeT/O,iv:FUpv79AAubveP6kiMPL+Vs+d1ULZ0PdJsOW5VIHvfPU=,tag:AoReDpnGlJ5dqCRtE10Kug==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UVhaVWl5UVk5ZXRVNFZw
+            dGxGQmRNa0JKemlNUGZRVHVFcXpMam1KOVF3CkFOOVNGeWxVS2ltc1JuK3ptdVNz
+            MU1vU2FXMTlPSk4raW14WkNZK0VBMUkKLS0tIFdlRURkTFY2S3R3Y3FLMnhMN0kz
+            Tjk4dytPZHp1aUlvTW9kaFpITWFEb28Krb4mkHrWTylz6IQvnUU2UI+fZ9MffLE8
+            A4U8tXyRbwcEmEEmihS8wxUBpWdkb5+0+oryrSt8I79EKcMS7H8WtA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMa0pvaWRWS0JkdDJxYy9W
+            SHE3QnFnblNxOW5OWERlM2N4bnZYMWJnRFJZCjdobmlsSUNjakJtdEd6TkRZVktu
+            Q0xFaEF3bG92MzY4WVViK3Exc0JaRW8KLS0tIGJNd0FHbHF6WEJHdGF5bjNyTExn
+            MExyYlBQUFd2KzdQeHFRSTNpMUdtRFUKwqZCfN0JStIjLA7Fqjws/c5+WeVdtL6F
+            VNYzgbqg73hKOGJ8GoDsMLIkiz7LchyIUXP/vOgU45cMGfeut4tcJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UmhKMEZrcVlhcEZwdHd5
+            VG5NQmtxR0RKN0dLSlFndGt4emFLcEdhNGxjCktMYWlaaUppbStSRUhuMWgzS0Vm
+            Tzh3bitISldacms5UkcvRVVnSWs4YTAKLS0tIHA3S1NoMW4yK01EU2NlMGI4OFNq
+            ekFwNFp4dm9UeDU5WFU5SmJyY25lMEEKZquSaE2A4ZTSp8sNB5bjgUzdp8RtAHIH
+            xmbtfiMcLUv7J3FdGNwmSn9P9lYgzCVEZBjI0BCj/9JEm0eGFL8Vbw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-05T10:08:04Z"
+    mac: ENC[AES256_GCM,data:tLhSxXsNEh/q1IQqIQuwj2ols3QdwRSE/VBMXuNBkTDkuWQpShoq+qScGZPrDSWIYQujYLroLHv0jpc0r6n0q+SSuLRNJHZboKG/o08gMjmh5EGCoI0yDfxiUGehHjYJsoyeaDjjJozRgDP0qsAsAUNnW/Ny0lg2BF36jPJPu1E=,iv:eZtGrZbtkBr4NFGGn4ohrSjgeRi47WKxsNSu4H34YdI=,tag:3fp5L6COgy3j5PIMtkmxrw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2