nrabulinski/settei
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

hosts/kazuki: move attic to services

Browse source
This commit is contained in:
Nikodem Rabuliński 2025-01-04 22:48:32 +01:00
parent 68445b2146
commit 93f89cfcdf
4 changed files with 123 additions and 117 deletions
Download patch file Download diff file Expand all files Collapse all files

115
hosts/kazuki/attic.nix
View file

@ -1,115 +0,0 @@
{ config, lib, ... }:
let
atticPort = 9476;
in
{
age.secrets.attic-creds = {
file = ../../secrets/attic-creds.age;
owner = config.services.atticd.user;
};
age.secrets.nrab-lol-cf = {
file = ../../secrets/nrab-lol-cf.age;
owner = config.services.nginx.user;
};
services.atticd = {
enable = true;
environmentFile = config.age.secrets.attic-creds.path;
settings = {
listen = "[::]:${toString atticPort}";
storage = {
type = "local";
path = "/storage-box";
};
compression.type = "none";
chunking = {
nar-size-threshold = 0;
min-size = 0;
avg-size = 0;
max-size = 0;
};
api-endpoint = "https://attic.nrab.lol/";
};
};
users = {
users.atticd = {
uid = 990;
isSystemUser = true;
group = "atticd";
home = "/var/lib/atticd";
createHome = true;
};
groups.atticd = {
gid = 988;
};
};
systemd.services.atticd = {
after = [ "storage\\x2dbox.mount" ];
serviceConfig.DynamicUser = lib.mkForce false;
};
security.acme = {
acceptTerms = true;
defaults.email = "nikodem@rabulinski.com";
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."attic.nrab.lol" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://attic";
};
extraConfig = ''
client_max_body_size 24G;
'';
};
virtualHosts."cache.nrab.lol" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://attic/public$request_uri";
};
extraConfig = ''
proxy_cache nixstore;
proxy_cache_use_stale error timeout http_500 http_502;
proxy_cache_lock on;
proxy_cache_key $request_uri;
proxy_cache_valid 200 24h;
'';
};
upstreams."attic".servers = {
"localhost:${toString atticPort}" = { };
};
appendHttpConfig = ''
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
'';
};
security.acme.certs."attic.nrab.lol" = {
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.nrab-lol-cf.path;
};
security.acme.certs."cache.nrab.lol" = {
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.nrab-lol-cf.path;
};
}

1
hosts/kazuki/default.nix
View file

@ -13,7 +13,6 @@
./mail.nix ./mail.nix
./vault.nix ./vault.nix
./storage.nix ./storage.nix
./attic.nix
./ntfy.nix ./ntfy.nix
./zitadel.nix ./zitadel.nix
./forgejo.nix ./forgejo.nix

122
services/attic.nix Normal file
View file

@ -0,0 +1,122 @@
{
services.attic =
let
atticPort = 9476;
in
{
host = "kazuki";
ports = [ atticPort ];
config =
{ config, ... }:
{
age.secrets.attic-creds = {
file = ../secrets/attic-creds.age;
owner = config.services.atticd.user;
};
age.secrets.nrab-lol-cf = {
file = ../secrets/nrab-lol-cf.age;
owner = config.services.nginx.user;
};
services.atticd = {
enable = true;
environmentFile = config.age.secrets.attic-creds.path;
settings = {
listen = "[::]:${toString atticPort}";
storage = {
type = "local";
path = "/storage-box";
};
compression.type = "none";
chunking = {
nar-size-threshold = 0;
min-size = 0;
avg-size = 0;
max-size = 0;
};
api-endpoint = "https://attic.nrab.lol/";
};
};
users = {
users.atticd = {
uid = 990;
isSystemUser = true;
group = "atticd";
home = "/var/lib/atticd";
createHome = true;
};
groups.atticd = {
gid = 988;
};
};
systemd.services.atticd = {
after = [ "storage\\x2dbox.mount" ];
};
security.acme = {
acceptTerms = true;
defaults.email = "nikodem@rabulinski.com";
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."attic.nrab.lol" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://attic";
};
extraConfig = ''
client_max_body_size 24G;
'';
};
virtualHosts."cache.nrab.lol" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://attic/public$request_uri";
};
extraConfig = ''
proxy_cache nixstore;
proxy_cache_use_stale error timeout http_500 http_502;
proxy_cache_lock on;
proxy_cache_key $request_uri;
proxy_cache_valid 200 24h;
'';
};
upstreams."attic".servers = {
"localhost:${toString atticPort}" = { };
};
appendHttpConfig = ''
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;
'';
};
security.acme.certs."attic.nrab.lol" = {
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.nrab-lol-cf.path;
};
security.acme.certs."cache.nrab.lol" = {
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.nrab-lol-cf.path;
};
};
};
}

2
services/default.nix
View file

@ -1,5 +1,5 @@
{ {
imports = [ imports = [
./attic.nix
]; ];
} }