diff --git a/hosts/nixos/noximilien/configuration.nix b/hosts/nixos/noximilien/configuration.nix
index 68ad380..a6afcde 100644
--- a/hosts/nixos/noximilien/configuration.nix
+++ b/hosts/nixos/noximilien/configuration.nix
@@ -27,6 +27,7 @@
 ../../../profiles/http # enables nginx+acme, defines mkDomain
 ../../../profiles/http/index
+ /* ../../../profiles/http/services/attic.nix */
 ../../../profiles/http/services/cinny.nix
 ../../../profiles/http/services/element.nix
 ../../../profiles/http/services/flexget.nix
@@ -107,6 +108,7 @@
 #networking.wireguard.interfaces."wg0".ips = [ "172.22.48.3/24" ]; # fyrkat
 sops.secrets.flexget.sopsFile = ./secrets.yaml;
+ sops.secrets.atticd.sopsFile = ./secrets.yaml;
 # TODO: remove? Move to where relevant?
 nixpkgs.overlays = [
diff --git a/hosts/nixos/noximilien/secrets.yaml b/hosts/nixos/noximilien/secrets.yaml
index ba179c2..838d3f0 100644
--- a/hosts/nixos/noximilien/secrets.yaml
+++ b/hosts/nixos/noximilien/secrets.yaml
@@ -2,6 +2,7 @@ flexget: ENC[AES256_GCM,data:QT4eqhlP2G9bpy3LTgAIR4xrlIR2/GyOuMSjrNLHUihIsH2TpVk
 hedgedoc:
 env-file: ENC[AES256_GCM,data:evTDjmO3oBTBVUPArwlfZiDCsU7QMTFWw+LzpFedROBgGhElY/vhSM6qHXWjfyMopg9eFYgcPsXgxti0ZmpdTkoItNFzo/MpbI8msgclI20AxogfsT/jkMJaEPB7W3X4PyMqm6D/zRVwWGh3Vtqm3Ze1yf4=,iv:0XoqGvS/Y5O0n4zZ7mGBBJU6JZRm5g92McLwRnIXx/U=,tag:uqIwBAEFWVk4pFkZcCiEoQ==,type:str]
 htpasswd: ENC[AES256_GCM,data:qc1DDiJydPxxjPZQy2Rdh860ylZBrpbk1yj8BRd71yjPWpnxCY1869qZp4HFv4ptdyL4BRoYvJUikpb7RGVc6CbOb7l7I5ov8NA8hEEa3HB6lGjvVV4=,iv:NnXlJZ/LLhMmrAFA/efk6LHjm/1aexWFsAsA4GUgxsI=,tag:jL5ymk5CsZ3TPCfL39CDwQ==,type:str]
+attic: ENC[AES256_GCM,data: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,iv:+s656BBgqm/Rf+vZD0czKe0AZ2RETV969VK3+mbYPWA=,tag:U/Du/P0EJjrXdWTNqcalUA==,type:str]
 sops:
 kms: []
 gcp_kms: []
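Review bot: The secret declared as `sops.secrets.atticd` in the second configuration.nix hunk is looked up in secrets.yaml under the key `atticd` (sops-nix defaults `key` to the attribute name), but the entry this commit adds to secrets.yaml is `attic`, so as far as these hunks show the secret will fail to resolve at activation. Either add `sops.secrets.atticd.key = "attic";` next to the new `sopsFile` line or rename the yaml key to `atticd`. Note also that the attic.nix import in the first hunk is commented out while the secret declaration is live, so the decrypted file would be placed on the host with nothing consuming it and without the owner/group that attic.nix assigns; enabling both together, or gating the secret on the module, keeps the two in step.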
@@ -44,8 +45,8 @@ sops:
 Yzlrb1NNNzYyMjZnYUgxeFFML0R3WUUKfWr9rtRHlICOHW+yYC2ViQk4ZwpgZ9/+
 wy3ekkQ0qmnaNXDVfxHOakZC1/p2wHqp2f6xy/Epgj6RxDkikP4gAg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-19T01:06:25Z"
- mac: ENC[AES256_GCM,data:NVh8KGeEE/MUMVcKJ/HN2KUldZ+xXKrk/L9Yr25IsKNQVlWzmkoIP9cHKSSkkjRUpEbaAOumlubhAKa0t3XY+h2OTBukHYOFujbNZSaXUQ6KTYSI2CHfbhDd/m/tW0MX+zwMGORAzIRi51gCQ/5aQ3Fhe+klxMyiSoLZQY6V830=,iv:geLqxopsTR2854do+/OrupUCvbo69jljPt1o0smzFc0=,tag:SpRajBQ9K7k/4Cca1dN51w==,type:str]
+ lastmodified: "2025-01-22T08:42:39Z"
+ mac: ENC[AES256_GCM,data:QDKhd3PcKHib7Of448AFNFDYODa5KPrtmYeA+aAtbcR6dh4PbeBIgKj3Ssi/INL0PMXTnFOwLzLIamxuf1CEIAtyaRLG9G/G1JbQBqP79s7J2K17PBs1Jf/1TztMBdnpmYQqBx+djlNeeQTBfYsTFyuk0iL2lNz3ihTSjn7zxC0=,iv:XMsOXdGVGciruwrFhOTh+w2mNX84ApYL4ZsieTl/LNs=,tag:BvJmo/52lsX7urc2bdKGcA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.3
diff --git a/profiles/http/default.nix b/profiles/http/default.nix
index 0c2bdb3..9ae9c68 100644
--- a/profiles/http/default.nix
+++ b/profiles/http/default.nix
@@ -3,6 +3,7 @@ let
 mkDomain = subname: "${subname}.${config.networking.fqdn}";
 in
 {
+ # TODO: make these into nixos options
 _module.args.mkDomain = mkDomain;
 _module.args.allSubdomains = lib.pipe config.services.nginx.virtualHosts [
 #(lib.mapAttrsToList (domain: vhost: [ domain ] ++ vhost.serverAliases))
@@ -32,6 +33,26 @@ in
 services.nginx.enable = true;
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+ # TODO:
+ #services.nginx.commonHttpConfig = ''
+ # proxy_hide_header X-Frame-Options;
+ #'';
+ # TODO: Somehow distribute and add this to all location."/".extraConfig
+ #default = {
+ # #useACMEHost = config.networking.fqdn;
+ # forceSSL = true; # addSSL = true;
+ # enableACME = true; #useACMEHost = acmeDomain;
+ #}
+ # TODO: Somehow distribute and add this to all location."/".extraConfig
+ #commonProxySettings = ''
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_set_header X-Forwarded-Host $host;
+ # proxy_set_header X-Forwarded-Server $host;
+ #'';
+
 services.nginx.recommendedGzipSettings = true;
 services.nginx.recommendedOptimisation = true;
 services.nginx.recommendedProxySettings = true;
diff --git a/profiles/http/services/attic.nix b/profiles/http/services/attic.nix
new file mode 100644
index 0000000..4b1ad21
--- /dev/null
+++ b/profiles/http/services/attic.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, mkDomain, ... }:
+
+# attic - multi-tenant nix binary cache
+ # https://docs.attic.rs/tutorial.html
+ # https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
+
+{
+ sops.secrets.atticd = {
+ restartUnits = [ "atticd.service" ];
+ owner = config.services.atticd.user;
+ group = config.services.atticd.group;
+ };
+
+ services.atticd = {
+ enable = lib.mkDefault (!config.virtualisation.isVmVariant);
+ environmentFile = config.sops.secrets.atticd.path;
+ settings = {
+ # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+ # https://github.com/AtaraxiaSjel/nixos-config/blob/master/profiles/servers/atticd.nix
+ listen = "127.0.0.1:8083";
+ api-endpoint = "https://${mkDomain "attic"}";
+ allowed-hosts = [ (mkDomain "attic") ];
+
+ # set in e.g. profiles/mounts/meconium-zfs.nix
+ # TODO: turn a non-config into an eval failure
+ /*
+ #database.url = "postgresql:///atticd?host=/run/postgresql";
+ database.url = "sqlite:///mnt/meconium/blob/attic/server.db?mode=rwc";
+ storage.type = "local";
+ storage.path = "/mnt/meconium/blob/attic/storage";
+ */
+
+ require-proof-of-possession = false;
+ garbage-collection = {
+ # can manually be run with `atticd --mode garbage-collector-once`
+ interval = "3 days"; # how often
+ #default-retention-period = "1 month"; # 0 by default, can be enabled on a per-cache basis
+ };
+ };
+ };
+
+ # disable DynamicUser
+ systemd.services.atticd.serviceConfig.DynamicUser = lib.mkForce false;
+ users.users.atticd.isSystemUser = true;
+ users.users.atticd.group = "atticd";
+ users.users.atticd.uid = 3001;
+ users.groups.atticd.gid = 3001;
+
+ services.nginx.virtualHosts.${mkDomain "plex"} = lib.mkIf config.services.attic.enable {
+ forceSSL = true; # addSSL = true;
+ enableACME = true; #useACMEHost = acmeDomain;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8083";
+ extraConfig = ''
+ client_max_body_size 0;
+ send_timeout 15m;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ '';
+ };
+ };
+}
diff --git a/profiles/mounts/meconium-zfs.nix b/profiles/mounts/meconium-zfs.nix
index e43333a..0fe98d3 100644
--- a/profiles/mounts/meconium-zfs.nix
+++ b/profiles/mounts/meconium-zfs.nix
@@ -10,5 +10,10 @@
 systemd.services.zfs-mount.enable = true;
 boot.zfs.extraPools = [ "Meconium" ]; # import on boot
+ # attic
+ database.url = "sqlite:///mnt/meconium/blob/attic/server.db?mode=rwc";
+ storage.type = "local";
+ storage.path = "/mnt/meconium/blob/attic/storage";
+
 };
 }
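Review bot: The nginx vhost at the end of attic.nix is keyed on `mkDomain "plex"` and gated on `config.services.attic.enable`, while the rest of the module uses `mkDomain "attic"` and the `services.atticd` option set; `services.attic` is not something this module defines, so evaluation is likely to fail on the missing attribute, and even if it passed the `plex` host name would not match `api-endpoint`/`allowed-hosts` and could collide with an existing plex vhost. The line should read `services.nginx.virtualHosts.${mkDomain "attic"} = lib.mkIf config.services.atticd.enable {`. Separately, `require-proof-of-possession = false;` deserves a why-comment: per the linked config-template.toml, as I recall it, turning this off lets an uploader who merely knows a NAR hash obtain a matching NAR already present in the shared store, which is harmless for a single-tenant private cache but should be stated, e.g. `# single-tenant cache: skip proof-of-possession; re-enable before admitting untrusted uploaders`. `pkgs` in the module arguments is unused.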
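Review bot: The three settings added to meconium-zfs.nix (`database.url`, `storage.type`, `storage.path`) sit at NixOS option level next to `boot.zfs.extraPools`, where no such options exist, so evaluation will stop with an undefined-option error; they are attic settings and need the `services.atticd.settings.` prefix, e.g. `services.atticd.settings.database.url = "sqlite:///mnt/meconium/blob/attic/server.db?mode=rwc";` and likewise for the two storage lines. With that prefix the values merge into `services.atticd.settings` as the `# set in e.g. profiles/mounts/meconium-zfs.nix` comment in attic.nix intends, which would also let the commented-out block and its TODO there be dropped. Nothing in the diff creates `/mnt/meconium/blob/attic` or grants uid 3001 write access to it, so presumably a tmpfiles rule or an ownership step is still needed — verify on the host.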