From f72e9c511d5f8f7dd1b8e1934d5e7d3aa84195ba Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 5 Jan 2025 18:21:20 -0500 Subject: [PATCH] try harmonia instead of attic --- .sops.yaml | 5 ++ flake.lock | 129 +-------------------------------- flake.nix | 13 ++-- home/yt/chunk.nix | 1 - home/yt/common.nix | 1 - hosts/chunk/Caddyfile | 2 +- hosts/chunk/default.nix | 6 +- hosts/chunk/harmonia.nix | 9 +++ hosts/chunk/postgres.nix | 7 -- hosts/chunk/rclone.nix | 14 ++-- hosts/common.nix | 4 +- secrets/services/harmonia.yaml | 31 ++++++++ 12 files changed, 67 insertions(+), 155 deletions(-) create mode 100644 hosts/chunk/harmonia.nix create mode 100644 secrets/services/harmonia.yaml diff --git a/.sops.yaml b/.sops.yaml index 4966beb..1125606 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -98,3 +98,8 @@ creation_rules: - age: - *chunk - *cy + - path_regex: secrets/services/harmonia.yaml + key_groups: + - age: + - *chunk + - *cy diff --git a/flake.lock b/flake.lock index 1d45c9a..fe5b79e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,52 +1,6 @@ { "nodes": { - "attic": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1731270564, - "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=", - "owner": "zhaofengli", - "repo": "attic", - "rev": "47752427561f1c34debb16728a210d378f0ece36", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "repo": "attic", - "type": "github" - } - }, "crane": { - "inputs": { - "nixpkgs": [ - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722960479, - "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", - "owner": "ipetkov", - "repo": "crane", - "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "crane_2": { "inputs": { "nixpkgs": [ "lanzaboote", @@ -104,44 +58,7 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", 
@@ -224,9 +141,9 @@ }, "lanzaboote": { "inputs": { - "crane": "crane_2", - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts_2", + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" @@ -249,27 +166,6 @@ "type": "github" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1735834308, @@ -319,22 +215,6 @@ } }, "nixpkgs-stable": { - "locked": { - "lastModified": 1724316499, - "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { "locked": { "lastModified": 1710695816, "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", @@ -361,7 +241,7 @@ "lanzaboote", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { "lastModified": 1717664902, @@ -379,7 +259,6 @@ }, "root": { "inputs": { - "attic": "attic", "disko": "disko", "home-manager": "home-manager", "lanzaboote": "lanzaboote", diff --git a/flake.nix b/flake.nix index 63ef18c..a3a6726 100644 --- a/flake.nix +++ b/flake.nix 
@@ -23,10 +23,6 @@ url = "github:nix-community/lanzaboote/v0.4.1"; inputs.nixpkgs.follows = "nixpkgs"; }; - attic = { - url = "github:zhaofengli/attic"; - inputs.nixpkgs.follows = "nixpkgs"; - }; nixpkgs-borg.url = "github:cything/nixpkgs/borg"; # unmerged PR nixpkgs-btrbk.url = "github:cything/nixpkgs/btrbk"; # unmerged PR @@ -34,10 +30,13 @@ nixConfig = { extra-substituters = [ - "https://cache.cything.io/central" + # "https://cache.cything.io/" + "https://nix-community.cachix.org" + "https://cache.nixos.org/" ]; extra-trusted-public-keys = [ - "central:cuiJMi+5BFUGeBPNMNWiKO6dlVTOHbHizFY+t7UW12w=" + "cache.cything.io:4NhyCpZuroY7+JP18m1wkAgJGb6WL0jrtx2Bgrvdtow=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ]; builders-use-substitutes = true; }; @@ -135,12 +134,10 @@ modules = [ { nixpkgs = { inherit pkgs; }; - disabledModules = [ "services/networking/atticd.nix" ]; } ./hosts/chunk inputs.sops-nix.nixosModules.sops ./modules - inputs.attic.nixosModules.atticd ]; }; diff --git a/home/yt/chunk.nix b/home/yt/chunk.nix index 3285421..6dc7441 100644 --- a/home/yt/chunk.nix +++ b/home/yt/chunk.nix @@ -17,6 +17,5 @@ home.packages = with pkgs; [ foot.terminfo - attic-server ]; } diff --git a/home/yt/common.nix b/home/yt/common.nix index f14fc37..5574b42 100644 --- a/home/yt/common.nix +++ b/home/yt/common.nix @@ -18,7 +18,6 @@ man-pages-posix man man-db - attic-client bottom btop ]; diff --git a/hosts/chunk/Caddyfile b/hosts/chunk/Caddyfile index a42032c..e186f29 100644 --- a/hosts/chunk/Caddyfile +++ b/hosts/chunk/Caddyfile @@ -63,5 +63,5 @@ element.cything.io { cache.cything.io { import common - reverse_proxy localhost:8090 + reverse_proxy localhost:5000 } diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index f0d214e..c296a8e 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix 
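Review bot: In the `nixConfig` hunk of flake.nix (`@@ -34,10 +30,13 @@`), `extra-trusted-public-keys` gains the `cache.cything.io:…` key while its substituter is left commented out (`# "https://cache.cything.io/"`), so the flake asks consumers to trust a signing key with no cache attached to it. hosts/common.nix in this same commit does enable `https://cache.cything.io/`, so the two files disagree about whether the cache is in use. Either list the substituter next to its key or drop the key here until the cache is live, and say which in a comment, e.g. `# cache.cything.io disabled for now; re-enable together with its key` (reason to be confirmed by the author). `"https://cache.nixos.org/"` is normally a default substituter already, so that added entry is presumably redundant.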
@@ -24,7 +24,7 @@ ./conduwuit.nix ./immich.nix ./element.nix - ./attic.nix + ./harmonia.nix ]; sops.age.keyFile = "/root/.config/sops/age/keys.txt"; @@ -82,8 +82,8 @@ "rsyncnet/id_ed25519" = { sopsFile = ../../secrets/de3911/chunk.yaml; }; - "attic/env" = { - sopsFile = ../../secrets/services/attic.yaml; + "harmonia/key" = { + sopsFile = ../../secrets/services/harmonia.yaml; }; }; diff --git a/hosts/chunk/harmonia.nix b/hosts/chunk/harmonia.nix new file mode 100644 index 0000000..d07277e --- /dev/null +++ b/hosts/chunk/harmonia.nix @@ -0,0 +1,9 @@ +{ config, ... }: { + services.harmonia = { + enable = true; + signKeyPaths = [ config.sops.secrets."harmonia/key".path ]; + settings = { + real_nix_store = "/mnt/harmonia"; + }; + }; +} diff --git a/hosts/chunk/postgres.nix b/hosts/chunk/postgres.nix index 07a3125..c733ffb 100644 --- a/hosts/chunk/postgres.nix +++ b/hosts/chunk/postgres.nix @@ -10,13 +10,6 @@ enableTCPIP = true; ensureDatabases = [ "hedgedoc" - "atticd" - ]; - ensureUsers = [ - { - name = "atticd"; - ensureDBOwnership = true; - } ]; }; services.postgresqlBackup = { diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix index e283559..d19db20 100644 --- a/hosts/chunk/rclone.nix +++ b/hosts/chunk/rclone.nix 
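Review bot: The new hosts/chunk/harmonia.nix sets no `settings.bind`, and harmonia's default listen address is, as far as I know, `[::]:5000` on all interfaces, so the cache may be reachable without passing through the `cache.cything.io` Caddy vhost unless the host firewall blocks port 5000. Because the Caddyfile hunk proxies to `localhost:5000`, the listener can be pinned to loopback with `bind = "127.0.0.1:5000";` inside `settings`. `real_nix_store = "/mnt/harmonia"` appears to make the server read store contents from the rclone mount of the rsync.net remote, and responses are signed with the key from `signKeyPaths`. A comment above that line should state this and name who is allowed to write to the remote.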
@@ -22,20 +22,20 @@ }; }; - systemd.services.attic-mount = { + systemd.services.harmonia-mount = { enable = true; - description = "Mount the attic data remote"; + description = "Mount the harmonia data remote"; requires = [ "network-online.target" ]; after = [ "network-online.target" ]; - requiredBy = [ "atticd.service" ]; - before = [ "atticd.service" ]; + requiredBy = [ "harmonia.service" ]; + before = [ "harmonia.service" ]; serviceConfig = { Type = "notify"; - ExecStartPre = "/usr/bin/env mkdir -p /mnt/attic"; + ExecStartPre = "/usr/bin/env mkdir -p /mnt/harmonia"; ExecStart = "${lib.getExe pkgs.rclone} mount --config ${ config.sops.secrets."rclone/config".path - } --cache-dir /var/cache/rclone --transfers=32 --allow-other rsyncnet:attic /mnt/attic "; - ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/photos"; + } --cache-dir /var/cache/rclone --transfers=32 --allow-other rsyncnet:harmonia /mnt/harmonia "; + ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/harmonia"; }; }; programs.fuse.userAllowOther = true; diff --git a/hosts/common.nix b/hosts/common.nix index 64722ad..d0140b5 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -6,8 +6,8 @@ auto-optimise-store = true; flake-registry = ""; trusted-users = [ "root" "@wheel" ]; - trusted-public-keys = [ "central:cuiJMi+5BFUGeBPNMNWiKO6dlVTOHbHizFY+t7UW12w=" ]; - substituters = [ "https://cache.cything.io/central" ]; + trusted-public-keys = [ "cache.cything.io:4NhyCpZuroY7+JP18m1wkAgJGb6WL0jrtx2Bgrvdtow=" ]; + substituters = [ "https://cache.cything.io/" ]; }; channel.enable = false; optimise = { diff --git a/secrets/services/harmonia.yaml b/secrets/services/harmonia.yaml new file mode 100644 index 0000000..89ca9c1 --- /dev/null +++ b/secrets/services/harmonia.yaml 
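Review bot: The `ExecStart` line of `systemd.services.harmonia-mount` in hosts/chunk/rclone.nix mounts `rsyncnet:harmonia` with `--allow-other` and no `--read-only`, `--uid`, `--gid` or `--umask`, so every local account can reach the tree harmonia serves. Depending on rclone's default file and directory permissions, they may also be able to write to it. If harmonia only reads from the mount, add `--read-only` to the command. Otherwise restrict the mount to the account harmonia runs as with `--uid`/`--gid` and `--umask 077`. A short comment on the unit saying why `--allow-other` is needed (presumably because harmonia does not run as the mounting user) would make the exposure explicit.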
@@ -0,0 +1,31 @@ +harmonia: + key: ENC[AES256_GCM,data:dNyjPTLXrCASX2Fm/qhhZC5Plo1bNuF3HuDfiIWJTf3gjB3vekgtu1/QQ6z6Fh/V964vtSs9H5vAU3gNN0vcuFE7T7RafNDVYWBJzFhv9iBgB87bVpmQkzywC+jCDFKiMATNoRwyh6Gj,iv:xaDl6ihUkrYNNPy1Eyw/cdahkVSHJ7r/taGyo0BREG4=,tag:hZlWZ/7sC7EIKP0TSCkO4A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcm5VWkVMcUs3UTVCZWtN + dVR5WTFwUUo5WmV2UkJJQWZ4MlY4cDlmOW1RCnNFb01GRlZNVDBYcm43ak9VN2lB + eTc5K2pna3lkQ09OckVPVGx1QUhOcHMKLS0tIG9JemxVVEdlR3dXWkpkWjNIYUla + SW43RDVOOVM1MkhlZC9wbE9mdk82ZU0KTloZlP16doAkgDx3aiDAd/7zrpImJNiJ + hgaffc+04c0w5FGSfWFkel+xFXtBcJ3zLfezDF6FfeUzezyWo35blA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbFJkTWxEZUozd1R2Zk83 + VWtzZnl2OExyZzMyNnBpa29IbVpFSEpRNEZjClRid0tRc3B2c2tFWFhYV2cxNDhu + R2tRS0ZLMy9tVU1XcGdtZGZWOEdwWVkKLS0tIFlxNzJsY01FSkgrbndQRXFxa21E + WWxJR09hWWpDalNKL28wazlxUnpUUGcKt3CtF9hRl+FYglm/mjMMhtR1w8Ivb04k + eYpjKTTuujIru/6i7gS1bGw3QBSqgdCuaBMYHYmVsSzh1IH6sZgiHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-05T22:50:01Z" + mac: ENC[AES256_GCM,data:paV6ipnt6BIEAf1/fOpvvSxrFNOU8yGseIsMac4beymoeQvIpqyq9R0KH1gLBIyHf2QUA1NANgXF9IKhakskA8/HXaMkPkRFXFxdPT4ah9Ml4yp13I/mEafXtdzbru7tu5NrPDwYjfiym9fMpNcDbb7A/mB2zv2mld+s+qVxyp8=,iv:s6I1m9HnyQsZbyKaJoNKQZs9DvuQ6fKiJPEf7niIVWM=,tag:n6Wx/MfBi+vOzM0u//vAzg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2