atticd wip

2025-01-22 10:01:41 +01:00 · 2025-01-22 10:01:41 +01:00 · 92270f099f
commit 92270f099f
parent 1739e583e3
5 changed files with 99 additions and 3 deletions
--- a/hosts/nixos/noximilien/configuration.nix
+++ b/hosts/nixos/noximilien/configuration.nix
@ -27,6 +27,7 @@

    ../../../profiles/http # enables nginx+acme, defines mkDomain
    ../../../profiles/http/index
+    /* ../../../profiles/http/services/attic.nix */
    ../../../profiles/http/services/cinny.nix
    ../../../profiles/http/services/element.nix
    ../../../profiles/http/services/flexget.nix
@ -107,6 +108,7 @@
  #networking.wireguard.interfaces."wg0".ips = [ "172.22.48.3/24" ]; # fyrkat

  sops.secrets.flexget.sopsFile = ./secrets.yaml;
+  sops.secrets.atticd.sopsFile = ./secrets.yaml;

  # TODO: remove? Move to where relevant?
  nixpkgs.overlays = [
--- a/hosts/nixos/noximilien/secrets.yaml
+++ b/hosts/nixos/noximilien/secrets.yaml
--- a/profiles/http/default.nix
+++ b/profiles/http/default.nix
@ -3,6 +3,7 @@ let
  mkDomain = subname: "${subname}.${config.networking.fqdn}";
 in
 {
+  # TODO: make these into nixos options
  _module.args.mkDomain = mkDomain;
  _module.args.allSubdomains = lib.pipe config.services.nginx.virtualHosts [
    #(lib.mapAttrsToList (domain: vhost: [ domain ] ++ vhost.serverAliases))
@ -32,6 +33,26 @@ in
  services.nginx.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];

+  # TODO:
+  #services.nginx.commonHttpConfig = ''
+  #  proxy_hide_header X-Frame-Options;
+  #'';
+  # TODO: Somehow distribute and add this to all location."/".extraConfig
+  #default = {
+  #  #useACMEHost = config.networking.fqdn;
+  #  forceSSL = true; # addSSL = true;
+  #  enableACME = true; #useACMEHost = acmeDomain;
+  #}
+  # TODO: Somehow distribute and add this to all location."/".extraConfig
+  #commonProxySettings = ''
+  #  proxy_set_header Host $host;
+  #  proxy_set_header X-Real-IP $remote_addr;
+  #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  #  proxy_set_header X-Forwarded-Proto $scheme;
+  #  proxy_set_header X-Forwarded-Host $host;
+  #  proxy_set_header X-Forwarded-Server $host;
+  #'';
+
  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedProxySettings = true;
--- a/profiles/http/services/attic.nix
+++ b/profiles/http/services/attic.nix
@ -0,0 +1,67 @@
+{ config, pkgs, lib, mkDomain, ... }:
+
+# attic - multi-tenant nix binary cache
+# https://docs.attic.rs/tutorial.html
+# https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
+
+{
+  sops.secrets.atticd = {
+    restartUnits = [ "atticd.service" ];
+    owner = config.services.atticd.user;
+    group = config.services.atticd.group;
+  };
+
+  services.atticd = {
+    enable = lib.mkDefault (!config.virtualisation.isVmVariant);
+    environmentFile = config.sops.secrets.atticd.path;
+    settings = {
+      # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+      # https://github.com/AtaraxiaSjel/nixos-config/blob/master/profiles/servers/atticd.nix
+      listen = "127.0.0.1:8083";
+      api-endpoint = "https://${mkDomain "attic"}";
+      allowed-hosts = [ (mkDomain "attic") ];
+
+      # set in e.g. profiles/mounts/meconium-zfs.nix
+      # TODO: turn a non-config into an eval failure
+      /*
+      #database.url = "postgresql:///atticd?host=/run/postgresql";
+      database.url = "sqlite:///mnt/meconium/blob/attic/server.db?mode=rwc";
+      storage.type = "local";
+      storage.path = "/mnt/meconium/blob/attic/storage";
+      */
+
+      require-proof-of-possession = false;
+      garbage-collection = {
+        # can manually be run with `atticd --mode garbage-collector-once`
+        interval = "3 days"; # how often
+        #default-retention-period = "1 month"; # 0 by default, can be enabled on a per-cache basis
+      };
+    };
+  };
+
+  # disable DynamicUser
+  systemd.services.atticd.serviceConfig.DynamicUser = lib.mkForce false;
+  users.users.atticd.isSystemUser = true;
+  users.users.atticd.group = "atticd";
+  users.users.atticd.uid = 3001;
+  users.groups.atticd.gid = 3001;
+
+  services.nginx.virtualHosts.${mkDomain "plex"} = lib.mkIf config.services.attic.enable {
+    forceSSL = true; # addSSL = true;
+    enableACME = true; #useACMEHost = acmeDomain;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8083";
+      extraConfig = ''
+        client_max_body_size 0;
+        send_timeout 15m;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+      '';
+    };
+  };
+}
--- a/profiles/mounts/meconium-zfs.nix
+++ b/profiles/mounts/meconium-zfs.nix
@ -10,5 +10,10 @@
    systemd.services.zfs-mount.enable = true;
    boot.zfs.extraPools = [ "Meconium" ]; # import on boot

+    # attic
+    database.url = "sqlite:///mnt/meconium/blob/attic/server.db?mode=rwc";
+    storage.type = "local";
+    storage.path = "/mnt/meconium/blob/attic/storage";
+
  };
 }