extra substituters

add harmonia as trusted user
try harmonia instead of attic
2025-01-05 18:28:05 -05:00 · 2025-01-05 18:27:08 -05:00 · 2025-01-05 18:21:20 -05:00
12 changed files with 65 additions and 156 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -98,3 +98,8 @@ creation_rules:
      - age:
          - *chunk
          - *cy
+  - path_regex: secrets/services/harmonia.yaml
+    key_groups:
+      - age:
+          - *chunk
+          - *cy
--- a/flake.lock
+++ b/flake.lock
@ -1,52 +1,6 @@
 {
  "nodes": {
-    "attic": {
-      "inputs": {
-        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1731270564,
-        "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=",
-        "owner": "zhaofengli",
-        "repo": "attic",
-        "rev": "47752427561f1c34debb16728a210d378f0ece36",
-        "type": "github"
-      },
-      "original": {
-        "owner": "zhaofengli",
-        "repo": "attic",
-        "type": "github"
-      }
-    },
    "crane": {
-      "inputs": {
-        "nixpkgs": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722960479,
-        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
-    "crane_2": {
      "inputs": {
        "nixpkgs": [
          "lanzaboote",
@ -104,44 +58,7 @@
        "type": "github"
      }
    },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722555600,
-        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "lanzaboote",
@ -224,9 +141,9 @@
    },
    "lanzaboote": {
      "inputs": {
-        "crane": "crane_2",
-        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts_2",
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
@ -249,27 +166,6 @@
        "type": "github"
      }
    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1729742964,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1735834308,
@ -319,22 +215,6 @@
      }
    },
    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1724316499,
-        "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1710695816,
        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
@ -361,7 +241,7 @@
          "lanzaboote",
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
+        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1717664902,
@ -379,7 +259,6 @@
    },
    "root": {
      "inputs": {
-        "attic": "attic",
        "disko": "disko",
        "home-manager": "home-manager",
        "lanzaboote": "lanzaboote",
--- a/flake.nix
+++ b/flake.nix
@ -23,10 +23,6 @@
      url = "github:nix-community/lanzaboote/v0.4.1";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    attic = {
-      url = "github:zhaofengli/attic";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };

    nixpkgs-borg.url = "github:cything/nixpkgs/borg"; # unmerged PR
    nixpkgs-btrbk.url = "github:cything/nixpkgs/btrbk"; # unmerged PR
@ -34,10 +30,10 @@

  nixConfig = {
    extra-substituters = [
-      "https://cache.cything.io/central"
+      "https://cache.cything.io/"
    ];
    extra-trusted-public-keys = [
-      "central:cuiJMi+5BFUGeBPNMNWiKO6dlVTOHbHizFY+t7UW12w="
+      "cache.cything.io:4NhyCpZuroY7+JP18m1wkAgJGb6WL0jrtx2Bgrvdtow="
    ];
    builders-use-substitutes = true;
  };
@ -135,12 +131,10 @@
            modules = [
              {
                nixpkgs = { inherit pkgs; };
-                disabledModules = [ "services/networking/atticd.nix" ];
              }
              ./hosts/chunk
              inputs.sops-nix.nixosModules.sops
              ./modules
-              inputs.attic.nixosModules.atticd
            ];
          };

--- a/home/yt/chunk.nix
+++ b/home/yt/chunk.nix
@ -17,6 +17,5 @@

  home.packages = with pkgs; [
    foot.terminfo
-    attic-server
  ];
 }
--- a/home/yt/common.nix
+++ b/home/yt/common.nix
@ -18,7 +18,6 @@
    man-pages-posix
    man
    man-db
-    attic-client
    bottom
    btop
  ];
--- a/hosts/chunk/Caddyfile
+++ b/hosts/chunk/Caddyfile
@ -63,5 +63,5 @@ element.cything.io {

 cache.cything.io {
  import common
-  reverse_proxy localhost:8090
+  reverse_proxy localhost:5000
 }
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -24,7 +24,7 @@
    ./conduwuit.nix
    ./immich.nix
    ./element.nix
-    ./attic.nix
+    ./harmonia.nix
  ];

  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@ -82,8 +82,8 @@
    "rsyncnet/id_ed25519" = {
      sopsFile = ../../secrets/de3911/chunk.yaml;
    };
-    "attic/env" = {
-      sopsFile = ../../secrets/services/attic.yaml;
+    "harmonia/key" = {
+      sopsFile = ../../secrets/services/harmonia.yaml;
    };
  };

--- a/hosts/chunk/harmonia.nix
+++ b/hosts/chunk/harmonia.nix
@ -0,0 +1,9 @@
+{ config, ... }: {
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ config.sops.secrets."harmonia/key".path ];
+    settings = {
+      real_nix_store = "/mnt/harmonia";
+    };
+  };
+}
--- a/hosts/chunk/postgres.nix
+++ b/hosts/chunk/postgres.nix
@ -10,13 +10,6 @@
    enableTCPIP = true;
    ensureDatabases = [
      "hedgedoc"
-      "atticd"
-    ];
-    ensureUsers = [
-      {
-        name = "atticd";
-        ensureDBOwnership = true;
-      }
    ];
  };
  services.postgresqlBackup = {
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
@ -22,20 +22,20 @@
    };
  };

-  systemd.services.attic-mount = {
+  systemd.services.harmonia-mount = {
    enable = true;
-    description = "Mount the attic data remote";
+    description = "Mount the harmonia data remote";
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];
-    requiredBy = [ "atticd.service" ];
-    before = [ "atticd.service" ];
+    requiredBy = [ "harmonia.service" ];
+    before = [ "harmonia.service" ];
    serviceConfig = {
      Type = "notify";
-      ExecStartPre = "/usr/bin/env mkdir -p /mnt/attic";
+      ExecStartPre = "/usr/bin/env mkdir -p /mnt/harmonia";
      ExecStart = "${lib.getExe pkgs.rclone} mount --config ${
        config.sops.secrets."rclone/config".path
-      } --cache-dir /var/cache/rclone --transfers=32 --allow-other rsyncnet:attic /mnt/attic ";
-      ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/photos";
+      } --cache-dir /var/cache/rclone --transfers=32 --allow-other rsyncnet:harmonia /mnt/harmonia ";
+      ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/harmonia";
    };
  };
  programs.fuse.userAllowOther = true;
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -5,9 +5,9 @@
      experimental-features = "nix-command flakes";
      auto-optimise-store = true;
      flake-registry = "";
-      trusted-users = [ "root" "@wheel" ];
-      trusted-public-keys = [ "central:cuiJMi+5BFUGeBPNMNWiKO6dlVTOHbHizFY+t7UW12w=" ];
-      substituters = [ "https://cache.cything.io/central" ];
+      trusted-users = [ "root" "@wheel" "harmonia" ];
+      trusted-public-keys = [ "cache.cything.io:4NhyCpZuroY7+JP18m1wkAgJGb6WL0jrtx2Bgrvdtow=" ];
+      substituters = [ "https://cache.cything.io/" ];
    };
    channel.enable = false;
    optimise = {
--- a/secrets/services/harmonia.yaml
+++ b/secrets/services/harmonia.yaml
@ -0,0 +1,31 @@
+harmonia:
+    key: ENC[AES256_GCM,data:dNyjPTLXrCASX2Fm/qhhZC5Plo1bNuF3HuDfiIWJTf3gjB3vekgtu1/QQ6z6Fh/V964vtSs9H5vAU3gNN0vcuFE7T7RafNDVYWBJzFhv9iBgB87bVpmQkzywC+jCDFKiMATNoRwyh6Gj,iv:xaDl6ihUkrYNNPy1Eyw/cdahkVSHJ7r/taGyo0BREG4=,tag:hZlWZ/7sC7EIKP0TSCkO4A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcm5VWkVMcUs3UTVCZWtN
+            dVR5WTFwUUo5WmV2UkJJQWZ4MlY4cDlmOW1RCnNFb01GRlZNVDBYcm43ak9VN2lB
+            eTc5K2pna3lkQ09OckVPVGx1QUhOcHMKLS0tIG9JemxVVEdlR3dXWkpkWjNIYUla
+            SW43RDVOOVM1MkhlZC9wbE9mdk82ZU0KTloZlP16doAkgDx3aiDAd/7zrpImJNiJ
+            hgaffc+04c0w5FGSfWFkel+xFXtBcJ3zLfezDF6FfeUzezyWo35blA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbFJkTWxEZUozd1R2Zk83
+            VWtzZnl2OExyZzMyNnBpa29IbVpFSEpRNEZjClRid0tRc3B2c2tFWFhYV2cxNDhu
+            R2tRS0ZLMy9tVU1XcGdtZGZWOEdwWVkKLS0tIFlxNzJsY01FSkgrbndQRXFxa21E
+            WWxJR09hWWpDalNKL28wazlxUnpUUGcKt3CtF9hRl+FYglm/mjMMhtR1w8Ivb04k
+            eYpjKTTuujIru/6i7gS1bGw3QBSqgdCuaBMYHYmVsSzh1IH6sZgiHw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-05T22:50:01Z"
+    mac: ENC[AES256_GCM,data:paV6ipnt6BIEAf1/fOpvvSxrFNOU8yGseIsMac4beymoeQvIpqyq9R0KH1gLBIyHf2QUA1NANgXF9IKhakskA8/HXaMkPkRFXFxdPT4ah9Ml4yp13I/mEafXtdzbru7tu5NrPDwYjfiym9fMpNcDbb7A/mB2zv2mld+s+qVxyp8=,iv:s6I1m9HnyQsZbyKaJoNKQZs9DvuQ6fKiJPEf7niIVWM=,tag:n6Wx/MfBi+vOzM0u//vAzg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
Author	SHA1	Message	Date
cy	1e0bf9dad9	extra substituters	2025-01-05 18:28:05 -05:00
cy	02c0b2332f	add harmonia as trusted user	2025-01-05 18:27:08 -05:00
cy	f72e9c511d	try harmonia instead of attic	2025-01-05 18:21:20 -05:00