From 7723bc0df1570164574de3fedb3bbd73f422976b Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 17 Feb 2024 15:14:16 +0100 Subject: [PATCH] Add attic server --- flake.lock | 74 +++++++++++++++++++++++++++++-- flake.nix | 12 ++++- nixos/machines/frumar/cache.nix | 56 +++++++++++++++++++++++ nixos/machines/frumar/default.nix | 1 + nixos/modules/lumi-cache.nix | 2 +- nixos/roles/default.nix | 12 ++++- nixos/roles/workstation.nix | 23 +++++----- secrets/attic.env.age | 7 +++ secrets/nix-netrc-yorick.age | 15 +++++++ secrets/nix-netrc.age | 21 ++++----- secrets/secrets.nix | 2 + 11 files changed, 195 insertions(+), 30 deletions(-) create mode 100644 nixos/machines/frumar/cache.nix create mode 100644 secrets/attic.env.age create mode 100644 secrets/nix-netrc-yorick.age diff --git a/flake.lock b/flake.lock index 3d5d40f..c7fe07f 100644 --- a/flake.lock +++ b/flake.lock @@ -23,6 +23,34 @@ "type": "github" } }, + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1707922053, + "narHash": "sha256-wSZjK+rOXn+UQiP1NbdNn5/UW6UcBxjvlqr2wh++MbM=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "6eabc3f02fae3683bffab483e614bebfcd476b21", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -39,6 +67,27 @@ "type": "gitlab" } }, + "crane": { + "inputs": { + "nixpkgs": [ + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1702918879, + "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -80,7 +129,7 @@ "dream2nix": { "inputs": { "devshell": "devshell", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts", "nix-unit": "nix-unit", "nixpkgs": "nixpkgs", @@ -138,6 +187,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1668681692, @@ -153,7 +218,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "locked": { "lastModified": 1688025799, "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", @@ -537,7 +602,7 @@ "nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "nixpkgs": [ "nixpkgs" ], @@ -653,7 +718,7 @@ }, "nixpkgs-wayland": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", "nixpkgs": [ @@ -732,6 +797,7 @@ "root": { "inputs": { "agenix": "agenix", + "attic": "attic", "emacs-overlay": "emacs-overlay", "flake-utils": "flake-utils_2", "fooocus": "fooocus", diff --git a/flake.nix b/flake.nix index edb079f..2abcd97 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,14 @@ nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; nix-npm-buildpackage.url = "github:serokell/nix-npm-buildpackage"; nix-npm-buildpackage.inputs.nixpkgs.follows = "nixpkgs"; + attic = { + url = "github:zhaofengli/attic"; + inputs = { + nixpkgs-stable.follows = "nixpkgs"; + nixpkgs.follows = "nixpkgs"; + flake-utils.follows = "flake-utils"; + }; + }; timesync = { url = "github:datakami/timesync"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -24,7 +32,8 @@ }; outputs = inputs@{ nixpkgs, home-manager, nixpkgs-mozilla, emacs-overlay , nixpkgs-wayland, nixos-hardware, agenix, flake-utils - , nix-index-database, nix-npm-buildpackage, timesync + , nix-index-database, nix-npm-buildpackage, timesync + , attic , self , ... }: (flake-utils.lib.eachSystem [ "x86_64-linux" ] (system: @@ -102,6 +111,7 @@ nixpkgs-mozilla.overlay emacs-overlay.overlay agenix.overlays.default + attic.overlays.default (import ./fixups.nix) (import ./pkgs) (import ./pkgs/mdr.nix) diff --git a/nixos/machines/frumar/cache.nix b/nixos/machines/frumar/cache.nix new file mode 100644 index 0000000..48ef100 --- /dev/null +++ b/nixos/machines/frumar/cache.nix 
@@ -0,0 +1,56 @@
+{ config, pkgs, lib, inputs, ... }: {
+ imports = [
+ inputs.attic.nixosModules.atticd
+ ];
+ age.secrets.attic.file = ../../../secrets/attic.env.age;
+
+ services.nginx.virtualHosts."cache.yori.cc" = {
+ onlySSL = true;
+ useACMEHost = "wildcard.yori.cc";
+ locations."/" = {
+ proxyPass = "http://[::]:8091";
+ recommendedProxySettings = true;
+ };
+ extraConfig = ''
+ client_max_body_size 8000M;
+ proxy_request_buffering off;
+ proxy_read_timeout 600s;
+ '';
+ };
+ services.atticd = {
+ enable = true;
+ credentialsFile = config.age.secrets.attic.path;
+ settings = {
+ storage = {
+ type = "local";
+ path = "/attic";
+ };
+ database.url = "postgresql:///atticd";
+ listen = "[::]:8091";
+ chunking = {
+ nar-size-threshold = 128 * 1024;
+ min-size = 32 * 1024;
+ avg-size = 128 * 1024;
+ max-size = 512 * 1024;
+ };
+ };
+ };
+ systemd.tmpfiles.rules = with config.services.atticd; [
+ "d /attic 0770 ${user} ${group}"
+ ];
+ users.users.${config.services.atticd.user} = {
+ isSystemUser = true;
+ createHome = false;
+ group = config.services.atticd.group;
+ };
+ users.groups.${config.services.atticd.group} = {};
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_15;
+ ensureDatabases = [ "atticd" ];
+ ensureUsers = [ {
+ name = "atticd";
+ ensureDBOwnership = true;
+ } ];
+ };
+}
diff --git a/nixos/machines/frumar/default.nix b/nixos/machines/frumar/default.nix
index 51d0d1b..0868a23 100644
--- a/nixos/machines/frumar/default.nix
+++ b/nixos/machines/frumar/default.nix
@@ -6,6 +6,7 @@
 ./paperless.nix
 ./media.nix
 ./home-automation.nix
+ ./cache.nix
 ];
 system.stateVersion = "15.09";
diff --git a/nixos/modules/lumi-cache.nix b/nixos/modules/lumi-cache.nix
index bff6b44..f4a3594 100644
--- a/nixos/modules/lumi-cache.nix
+++ b/nixos/modules/lumi-cache.nix
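Review bot: `listen = "[::]:8091"` binds atticd to every interface, so its plain-HTTP listener is reachable directly by anything that can reach frumar on port 8091, bypassing the TLS-only nginx vhost placed in front of it; unless the host firewall is known to close that port, bind loopback instead: `listen = "[::1]:8091";` together with `proxyPass = "http://[::1]:8091";`. Separately, `database.url = "postgresql:///atticd"` and `ensureUsers` hard-code the role name `atticd` while the rest of the file derives user and group from `config.services.atticd.user`; if the module's default user name is anything other than `atticd`, the peer-authenticated socket connection fails, so deriving the PostgreSQL role from the same option, or at least a comment stating that the two must match, would make that coupling visible. The contents of `attic.env.age` are opaque here; a comment on `credentialsFile` naming which variables the file is expected to provide would help whoever rotates it next.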
@@ -9,7 +9,7 @@ in {
 age.secrets.nix-netrc.file = ../../secrets/nix-netrc.age;
 nix.settings = {
 substituters = [ "https://cache.lumi.guide/?priority=50" ];
- netrc-file = config.age.secrets.nix-netrc.path;
+ netrc-file = lib.mkForce config.age.secrets.nix-netrc.path;
 trusted-public-keys = [
 "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
 ];
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 788175c..a6d7e04 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -18,6 +18,7 @@ in {
 age.secrets = {
 root-user-pass.file = ../../secrets/root-user-pass.age;
 yorick-user-pass.file = ../../secrets/yorick-user-pass.age;
+ nix-netrc-yorick.file = ../../secrets/nix-netrc-yorick.age;
 };
 nix.nixPath = [];# "nixpkgs=${pkgs.path}" ];
@@ -81,6 +82,7 @@ in {
 hdparm
 lm_sensors
 ncdu
+ attic
 # utils
 file
@@ -128,8 +130,6 @@ in {
 };
 security.acme.defaults.email = "acme@yori.cc";
 security.acme.acceptTerms = true;
- nix.settings.trusted-public-keys =
- [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];
 nix.settings.trusted-users = [ "@wheel" ];
 services.prometheus.exporters.node = {
@@ -139,4 +139,12 @@ in {
 };
 networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ];
 xdg.autostart.enable = false;
+
+ nix.settings = {
+ substituters = [ "https://cache.yori.cc/yorick" ];
+ netrc-file = config.age.secrets.nix-netrc-yorick.path;
+ trusted-public-keys = [
+ "yorick:sWqvIllvDhMS9vcWyk4+zSk9L6zq8UgcLPEEQJsAdW4="
+ ];
+ };
 }
diff --git a/nixos/roles/workstation.nix b/nixos/roles/workstation.nix
index 47de026..5f7726b 100644
--- a/nixos/roles/workstation.nix
+++ b/nixos/roles/workstation.nix
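Review bot: `lib.mkForce` on `netrc-file` wins over the `netrc-file = config.age.secrets.nix-netrc-yorick.path` that roles/default.nix sets in this same commit, so on hosts that import this module Nix reads only `nix-netrc.age`; the new `https://cache.yori.cc/yorick` substituter is then unauthenticated on those hosts unless that file also carries its credentials (the re-encrypted `secrets/nix-netrc.age` in this commit suggests it does, but nothing here says so). A comment on the forced line such as `# mkForce overrides the role-level netrc; this file must contain entries for both cache.lumi.guide and cache.yori.cc` would pin that down and explain why a silent 401 on one cache means this file is stale. The new line also references `lib`, but the module's argument set is outside the hunk; confirm it is bound there.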
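Review bot: Dropping `yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=` from `trusted-public-keys` here (and in the matching workstation.nix hunk) means store paths signed only by the old key are no longer accepted from any substituter, so anything still signed with it that a host is expected to fetch during the switch-over will be rejected. If the old cache is not yet drained, listing both keys in the new `trusted-public-keys` list until it is avoids that gap; a short comment on the new key noting when the old one was retired would also help future rotations. Whether anything still depends on the old key cannot be determined from the diff.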
@@ -18,15 +18,7 @@ "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" # emacs? ]; - nix = { - gc.automatic = pkgs.lib.mkOverride 30 false; - settings.substituters = [ - #"s3://yori-nix?endpoint=s3.eu-central-003.backblazeb2.com&profile=backblaze-read" - ]; - settings.trusted-public-keys = [ - "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" - ]; - }; + nix.gc.automatic = lib.mkOverride 30 false; virtualisation.libvirtd.enable = true; # fix glasgow, fomu, backlight services.udev.extraRules = '' @@ -87,7 +79,18 @@ source-code-pro ubuntu_font_family # Ubuntu fonts source-han-sans - nerdfonts + (nerdfonts.override { + fonts = [ + "DejaVuSansMono" + "Inconsolata" + "Noto" + "SourceCodePro" + "Ubuntu" + "UbuntuMono" + "Iosevka" + "IosevkaTerm" + ]; + }) iosevka emojione font-awesome diff --git a/secrets/attic.env.age b/secrets/attic.env.age new file mode 100644 index 0000000..42b5492 --- /dev/null +++ b/secrets/attic.env.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> X25519 K+KXUwQaKH32nHAM3MlnddgKsW3whn3VIFTEWGHslTo ++kb40pON4phWdiyeA62WUtO+ObaxJB7sc/voiEE2b5Y +-> ssh-ed25519 n7yA6g Q6U3CQc6TInYL+91d/H+AedrTpDJviiW26aRJNfm4n8 +pAJXRVjlH+yxeVfQFjhpXGKe1WtiUQerDyAj3Ca2738 +--- nV6YlcU1voUcYqI/fAnxYssj0eD28PG59Otl04fS6eM +J3Wf22hr@H%Mu=p{(i}!r._qSO ٫.#({ɲ""q0]5OKaqYPwkLz%8 {ݶlqG'>@ \ No newline at end of file diff --git a/secrets/nix-netrc-yorick.age b/secrets/nix-netrc-yorick.age new file mode 100644 index 0000000..9e1063b --- /dev/null +++ b/secrets/nix-netrc-yorick.age 
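Review bot: The new line `nix.gc.automatic = lib.mkOverride 30 false;` switches from `pkgs.lib` to a bare `lib`, which only evaluates if the module's argument set binds `lib`; that header is outside the hunk, so confirm it does, or keep `pkgs.lib.mkOverride` as the removed line had it. The `trusted-public-keys` removal in this hunk is the same change as in roles/default.nix and is covered there.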
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 pUJv2+UeKmgR9dliN8CM3ZhIcAFkZVtoVinNKqz/xjc +TInJdQwvyXGlzJUB4gFV7C5eVwdcKHMKEKCBI+/t7RQ +-> ssh-ed25519 4Ui0LA t2S/srNSxkzJ5vGcBMjAvV2u3RRiVNw4jEioTAamqAo +8vdC4WFCfrtlKVlM4RGcDHCEbmomK41OLEPqLflbTRE +-> ssh-ed25519 ZzuO9Q q2k3YYQI6/OoKZDziMKsm/n1rv8FPMhOvNDorK7WUWE +mE0qF9sh8k3bPDE7/YXqpY33ZqSLxXwTvenTsm6/oPs +-> ssh-ed25519 n7yA6g eDPdacOl+/2woXcahFUI6S4nX6O6tCcMJYA9dR8nlzo +5IZcYzMh9pVrMZcvOIT2m8MTthant6fS6nLKZtFicyQ +-> ssh-ed25519 dY0yIg ip9px5ApISPT2NCzTyboyl8gUZytGTYKPsZGB0kgsh4 +dPE8NP9vgwtncOLKGgM1b1oZHheg7JMiricqXGSLQxY +-> ssh-ed25519 6AxuSw jqxAt3SJOwHAje8nHw5bHSmmkzpZgtmATwN1l12MbU0 +dherf7BN9ewR3OqKUScpQo4Mgz/ZA2d+TsdleDvG3X8 +--- 8cl5MX/Jcp42H4KUwgRO3JiMCP1oVIpwYpLuLvHp7mU +1̤[ࢹR<gI=9J:CKrQ"lcc @,'Ld޾L"=b@dvcOh!9ikXTҔIbStJH;mo>#@<>Z7W0lb*0˜y+3(lj,o(%ye"eSM>mUzH>u3=WwDN}o~diyc?}N]d \ No newline at end of file diff --git a/secrets/nix-netrc.age b/secrets/nix-netrc.age index 624a68a..d15616e 100644 --- a/secrets/nix-netrc.age +++ b/secrets/nix-netrc.age 
@@ -1,13 +1,10 @@ age-encryption.org/v1 --> X25519 +dxETfWakpKvSaQVTxeLHDBXdayqBlr7yJq0dWMSFGY -g77c7eeyzIJ6bAOrNHmzgY7QrpqZDxdMpCJpMF42n2o --> ssh-ed25519 4Ui0LA mVr6KkM+LLHSOvf4BdGC3MtWAAMSYM3mmTH+bcjVr0s -SHIPWWVswelNngbyzo2R7KlaroWia7DvnQDy7Fs33ww --> ssh-ed25519 6AxuSw Tid/WYFqrd1JYcaUWvm2OvVgyL4P02YsMAOQxMCM9RI -LYvHorxmfFvR0sFSx4E+3wA7sP/L2+uz96deY4avjic --> AQJmE-grease S -EgTtZe6JEBT1FbX9anwRzQ+3Rid4/9b+xmYZqA ---- tekC1o0eun9AxkJbUZBJAB4mhlCOIZtXdQfwNf4Oy2M -?tPQ; $zuq;UTot5i׍ 2 -ϸx# -Lq_h}K$Jd'#CɀGTMKCp~5ԈYm \ No newline at end of file +-> X25519 pjYYJugYHVeVRqF7r8RA3vtj70SIC7zbOpWI1QGjvBM +Db+MzMeH5/Q8C+LYHQ3/WLTuVG3ueC8ChAcrjGu4YGo +-> ssh-ed25519 4Ui0LA ZYBLcDrtdz98JrYfuvz8TLlg+C51ugW+98M26TeP63g +PZNlTouthAuqws99czOWkGuKDgvNTZHHZEiOglHoE8Y +-> ssh-ed25519 6AxuSw MWafEpm7oKbYA2xpwzAlATk5lH2p/vHBGfFIjTOGAGE +SMyNjb+Nt60U4tVez+xWgovjXlKZnf1A04PtAGz09j8 +--- j7pZRyi3Gy3uWkAGpVpqOr6GdBvEG7nSRSoMaXEhcdM +UF(٧2cl@6ii&?#6UL^/Sw7~޺A=Hl\OgLۈ_:~s^t/sZe}?mR-fu&#XJĶ2)ypd}jè ?\ +<]ݍP_X9=1Ó|a'TE @fFTǠb 8Ծ!GhMy_(x%v͐#G} f͠3fYLZ3@dL`2F]\> |6 ;X%ng0>%| v"@՗%(cGX&̮VU_,ݭ_ ;u \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 15e869d..2a1306c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,6 +17,7 @@ in "grafana.env.age".publicKeys = [ yorick frumar ]; "http.muflax.age".publicKeys = [ yorick pennyworth ]; "nix-netrc.age".publicKeys = [ yorick blackadder jarvis ]; + "nix-netrc-yorick.age".publicKeys = [ yorick blackadder pennyworth frumar smithers jarvis ]; "pennyworth_borg_repo.age".publicKeys = [ yorick pennyworth ]; "pennyworth_borg_ssh.age".publicKeys = [ yorick pennyworth ]; "transip-key.age".publicKeys = [ yorick frumar ]; @@ -28,4 +29,5 @@ in "zigbee2mqtt.env.age".publicKeys = [ yorick frumar ]; "marvin-tracker.env.age".publicKeys = [ yorick frumar ]; "oauth2-proxy.age".publicKeys = [ yorick frumar ]; + "attic.env.age".publicKeys = [ yorick frumar ]; }
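Review bot: `"nix-netrc-yorick.age".publicKeys = [ yorick blackadder pennyworth frumar smithers jarvis ]` makes one shared cache.yori.cc credential decryptable on six hosts, including frumar, which serves the cache itself; a compromise of any one of them forces a rotation on all of them. If the cache's token model allows it, a per-host token encrypted only to the host that uses it, scoped to pull-only where that host never pushes, keeps the blast radius to a single machine. A comment next to the entry recording which scope the shared token carries would at least make the current trust assumption explicit.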