From 3a9c6f79501b3e3f979f005d80e569b11b4e8a03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Tue, 6 Feb 2024 17:29:48 +0100 Subject: [PATCH] hosts/kazuki: attic cache --- flake.lock | 76 +++++++++++++++++++++++++++++++++++- flake.nix | 5 +++ hosts/default.nix | 2 +- hosts/kazuki/attic.nix | 84 ++++++++++++++++++++++++++++++++++++++++ hosts/kazuki/default.nix | 1 + secrets/attic-creds.age | 8 ++++ secrets/nrab-lol-cf.age | 7 ++++ secrets/secrets.nix | 8 ++++ 8 files changed, 189 insertions(+), 2 deletions(-) create mode 100644 hosts/kazuki/attic.nix create mode 100644 secrets/attic-creds.age create mode 100644 secrets/nrab-lol-cf.age diff --git a/flake.lock b/flake.lock index e8364bc..8991e16 100644 --- a/flake.lock +++ b/flake.lock @@ -27,6 +27,32 @@ "type": "github" } }, + "attic": { + "inputs": { + "crane": [ + "crane" + ], + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1705617092, + "narHash": "sha256-n9PK4O4X4S1JkwpkMuYm1wHZYJzRqif8g3RuVIPD+rY=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "fbe252a5c21febbe920c025560cbd63b20e24f3b", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -178,6 +204,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1668681692, 
@@ -251,6 +293,21 @@ "type": "github" } }, + "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flakelib": { "inputs": { "fl-config": "fl-config", @@ -312,7 +369,7 @@ "mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nixpkgs": [ "nixpkgs" ], @@ -432,6 +489,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1702780907, + "narHash": "sha256-blbrBBXjjZt6OKTcYX1jpe9SRof2P9ZYWPzq22tzXAA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1690753480, @@ -525,6 +598,7 @@ "root": { "inputs": { "agenix": "agenix", + "attic": "attic", "conduit-src": "conduit-src", "crane": "crane", "darwin": "darwin", diff --git a/flake.nix b/flake.nix index 13b7aa1..61805db 100644 --- a/flake.nix +++ b/flake.nix @@ -113,6 +113,11 @@ niko-nur = { url = "github:nrabulinski/nur-packages"; }; + attic = { + url = "github:zhaofengli/attic"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.crane.follows = "crane"; + }; }; nixConfig = { diff --git a/hosts/default.nix b/hosts/default.nix index 1c07c58..7fb602c 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -2,7 +2,6 @@ config, self, inputs, - lib, ... }: { imports = [ @@ -32,6 +31,7 @@ inputs.mailserver.nixosModules.default inputs.home-manager.nixosModules.home-manager inputs.nvidia-patch.nixosModules.nvidia-patch + inputs.attic.nixosModules.atticd self.nixosModules.settei self.nixosModules.common sharedOptions 
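Review bot: The new `attic` input follows only `nixpkgs` and `crane`; the flake.lock hunks in this commit show it still pinning its own `nixpkgs-stable` (nixos-23.11), `flake-utils` and `flake-compat` nodes, so the system closure is now evaluated against two nixpkgs trees, doubling what has to be audited and bumped on `nix flake update`. If the `atticd` module and package used on kazuki do not depend on attic's stable tree, adding `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing follows would collapse that; whether attic's packages still build against the unstable tree would need to be checked before doing so.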
diff --git a/hosts/kazuki/attic.nix b/hosts/kazuki/attic.nix
new file mode 100644
index 0000000..57011f4
--- /dev/null
+++ b/hosts/kazuki/attic.nix
@@ -0,0 +1,84 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ atticPort = 9476;
+in {
+ age.secrets.attic-creds = {
+ file = ../../secrets/attic-creds.age;
+ owner = config.services.atticd.user;
+ };
+ age.secrets.nrab-lol-cf = {
+ file = ../../secrets/nrab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.atticd = {
+ enable = true;
+ credentialsFile = config.age.secrets.attic-creds.path;
+ settings = {
+ listen = "[::]:${toString atticPort}";
+ storage = {
+ type = "local";
+ path = "/storage-box/attic";
+ };
+ compression.type = "zstd";
+ chunking = {
+ nar-size-threshold = 64 * 1024;
+ min-size = 16 * 1024;
+ avg-size = 64 * 1024;
+ max-size = 256 * 1024;
+ };
+ api-endpoint = "https://cache.nrab.lol/";
+ allowed-hosts = ["cache.nrab.lol"];
+ };
+ };
+
+ users = {
+ users.atticd = {
+ isSystemUser = true;
+ group = "atticd";
+ home = "/var/lib/atticd";
+ createHome = true;
+ };
+ groups.atticd = {};
+ };
+
+ systemd.services.atticd = {
+ after = ["storage\\x2dbox.mount"];
+ serviceConfig.DynamicUser = lib.mkForce false;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nikodem@rabulinski.com";
+ };
+
+ users.users.nginx.extraGroups = ["acme"];
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "cache.nrab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://attic";
+ };
+ };
+ };
+
+ upstreams."attic".servers = {
+ "localhost:${toString atticPort}" = {};
+ };
+ };
+
+ security.acme.certs."cache.nrab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.nrab-lol-cf.path;
+ webroot = null;
+ };
+}
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index 6a199ae..80f1423 100644
--- a/hosts/kazuki/default.nix
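Review bot: `systemd.services.atticd.after = ["storage\\x2dbox.mount"]` in the new attic.nix only orders the service after the mount; if the mount is missing or fails, atticd still starts and creates `/storage-box/attic` on the root filesystem, so the dependency should also be required, e.g. `unitConfig.RequiresMountsFor = ["/storage-box/attic"];`, which implies both `Requires=` and `After=` on the mount unit. The `nrab-lol-cf` secret is given `owner = config.services.nginx.user`, yet it is consumed through `security.acme.certs."cache.nrab.lol".credentialsFile`, which the ACME renewal service reads rather than nginx; unless the acme module passes that file to lego via systemd credentials, the owner should presumably be the acme user, which is worth confirming on the host before the first renewal. `listen = "[::]:${toString atticPort}"` binds every interface although only the local nginx upstream talks to atticd; `listen = "127.0.0.1:${toString atticPort}";` together with `"127.0.0.1:${toString atticPort}" = {};` in the upstream keeps the API off non-loopback interfaces instead of relying on the firewall alone. A one-line comment on why `DynamicUser` is forced off (a stable uid for the files on the storage mount, presumably) would help the next reader.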
+++ b/hosts/kazuki/default.nix @@ -13,6 +13,7 @@ ./mail.nix ./vault.nix ./storage.nix + ./attic.nix ]; nixpkgs.hostPlatform = "aarch64-linux"; diff --git a/secrets/attic-creds.age b/secrets/attic-creds.age new file mode 100644 index 0000000..49aa31d --- /dev/null +++ b/secrets/attic-creds.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw L1Lee3U0LWtn6zx0M5pA+VpiRtx903AYyVPmeaciumA +dfEtGwEhEtBGnltkRFT2KMUl/tC1b8bYCLKtut0S75g +-> ssh-ed25519 GKhvwg Ybp7LvImp228BXqj9IfahYkdCZdO5NgPGol+GacnfQM +hSU9nhgpeOgRDQHDpO9mFPdu52R6y2/lfYCI01/3ypA +--- YnhUF2kfu+Va5YyMjZcySvd4dSbvz5CMIAkbX+2iUQ4 +'Q ~ ʲ"#~,T6!G~7S}-E +\ +),2f.|M9 zs' J"'6_[.rqݏ8|y>]c"wH ϛEcNij7 0  \ No newline at end of file diff --git a/secrets/nrab-lol-cf.age b/secrets/nrab-lol-cf.age new file mode 100644 index 0000000..bfa6272 --- /dev/null +++ b/secrets/nrab-lol-cf.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw QEsw7uvxEdZ/2Bab/bGd9/Ap5psN7p5RudFZJFZQ3kM +UZCthc92ptbwxxe8nFnhvdedkpt6Y/nJf8GI0qdQRcc +-> ssh-ed25519 GKhvwg BIAW4Jad+tcsVXR6ibhWvvuvXCNQ1seZR1HGym11Mz8 +9NHhqlljWYoH8t1s4vvgzUjfL5lxVPVEY/pDiDP9h1I +--- dyefPpAwwsQ4xLsUBr3L5VYBhhdVKOYaCrabI042cCk +_ofV!ˀv^>'`qW'CE{j7_)|t6{}pһ#GS>Qϣ"C \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f68a627..a9c84d3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -47,4 +47,12 @@ in { keys.system.kazuki keys.other.bootstrap ]; + "nrab-lol-cf.age".publicKeys = [ + keys.system.kazuki + keys.other.bootstrap + ]; + "attic-creds.age".publicKeys = [ + keys.system.kazuki + keys.other.bootstrap + ]; }