Merge pull request #153 from DarkKirb/attic-cache

Add attic
2023-01-15 21:26:06 +01:00 · 2023-01-15 21:26:06 +01:00 · b5660af9f6
commit b5660af9f6
parent 61fb98399e 1c7d50bdb8
9 changed files with 208 additions and 9 deletions
--- a/config/instance-20221213-1915.nix
+++ b/config/instance-20221213-1915.nix
@ -17,6 +17,7 @@
    ./services/shitalloverme.nix
    ./services/chir.rs
    ./users/remote-build.nix
+    ./services/atticd.nix
  ];

  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
@ -32,6 +32,7 @@
    ./wireguard/public-server.nix
    ./services/shitalloverme.nix
    ./services/chir.rs
+    ./services/atticd.nix
  ];

  boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];
--- a/config/services/atticd.nix
+++ b/config/services/atticd.nix
@ -0,0 +1,58 @@
+{
+  attic,
+  config,
+  lib,
+  ...
+}: {
+  imports = [attic.nixosModules.atticd];
+  services.atticd = {
+    enable = true;
+    credentialsFile = config.sops.secrets."services/attic".path;
+    settings = {
+      listen = "[::1]:57448";
+      allowed-hosts = ["attic.chir.rs" "attic-nocdn.chir.rs"];
+      api-endpoint = "https://attic.chir.rs/";
+      database = lib.mkForce {};
+      storage = {
+        type = "s3";
+        region = "us-west-000";
+        bucket = "attic-chir-rs";
+        endpoint = "https://s3.us-west-000.backblazeb2.com";
+      };
+      compression = {
+        type = "zstd";
+        level = 12;
+      };
+      chunking = {
+        nar-size-threshold = 131072;
+        min-size = 65536;
+        avg-size = 131072;
+        max-size = 262144;
+      };
+      garbage-collection.default-retention-period = "3 months";
+    };
+  };
+  sops.secrets."services/attic" = {};
+  services.postgresql.ensureDatabases = [
+    "attic"
+  ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "attic";
+      ensurePermissions = {
+        "DATABASE attic" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+  services.caddy.virtualHosts."attic-nocdn.chir.rs" = {
+    useACMEHost = "chir.rs";
+    logFormat = lib.mkForce "";
+    extraConfig = ''
+      import baseConfig
+
+      reverse_proxy http://127.0.0.1:57448 {
+        trusted_proxies private_ranges
+      }
+    '';
+  };
+}
--- a/config/services/chir.rs/auth.nix
+++ b/config/services/chir.rs/auth.nix
@ -67,4 +67,15 @@ in {
    user = "auth_chir_rs";
  };
  networking.firewall.interfaces."wg0".allowedTCPPorts = [53538];
+  services.caddy.virtualHosts."auth.chir.rs" = {
+    useACMEHost = "chir.rs";
+    logFormat = pkgs.lib.mkForce "";
+    extraConfig = ''
+      import baseConfig
+
+      reverse_proxy http://127.0.0.1:7954 {
+        trusted_proxies private_ranges
+      }
+    '';
+  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,8 +1,36 @@
 {
  "nodes": {
+    "attic": {
+      "inputs": {
+        "crane": [
+          "crane"
+        ],
+        "flake-compat": "flake-compat",
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673804308,
+        "narHash": "sha256-e3zmDjZXJO6XA+r/Tg5uzXh4ASPwxSJz8BfpAfGfprY=",
+        "owner": "DarkKirb",
+        "repo": "attic",
+        "rev": "fb77c7eb2b3dbe652a60d7d11f3cfd72dbd9a0f0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DarkKirb",
+        "ref": "env-config",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
    "cargo2nix": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "flake-utils": [
          "flake-utils"
        ],
@ -69,6 +97,31 @@
        "type": "github"
      }
    },
+    "crane": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_2"
+      },
+      "locked": {
+        "lastModified": 1673405853,
+        "narHash": "sha256-6Nq9DuOo+gE2I8z5UZaKuumykz2xxZ9JGYmUthOuwSA=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "b13963c8c18026aa694acd98d14f66d24666f70b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "dns": {
      "inputs": {
        "flake-utils": [
@ -147,6 +200,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1650374568,
@ -162,7 +231,23 @@
        "type": "github"
      }
    },
-    "flake-compat_2": {
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_4": {
      "flake": false,
      "locked": {
        "lastModified": 1668681692,
@ -573,7 +658,7 @@
    },
    "prismmc": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_4",
        "libnbtplusplus": "libnbtplusplus",
        "nixpkgs": [
          "nixpkgs"
@ -595,8 +680,10 @@
    },
    "root": {
      "inputs": {
+        "attic": "attic",
        "cargo2nix": "cargo2nix",
        "chir-rs": "chir-rs",
+        "crane": "crane",
        "dns": "dns",
        "ema": "ema",
        "emanote": "emanote",
@ -612,7 +699,7 @@
        "nixpkgs-noto-variable": "nixpkgs-noto-variable",
        "nur": "nur",
        "prismmc": "prismmc",
-        "rust-overlay": "rust-overlay_2",
+        "rust-overlay": "rust-overlay_3",
        "sops-nix": "sops-nix",
        "tomlplusplus": "tomlplusplus"
      }
@ -643,6 +730,31 @@
      }
    },
    "rust-overlay_2": {
+      "inputs": {
+        "flake-utils": [
+          "crane",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "crane",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1672712534,
+        "narHash": "sha256-8S0DdMPcbITnlOu0uA81mTo3hgX84wK8S9wS34HEFY4=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "69fb7bf0a8c40e6c4c197fa1816773774c8ac59f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_3": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,13 @@ rec {
  # Use NixOS unstable
  inputs = {
    # Sorted by name
+    attic = {
+      #url = "github:zhaofengli/attic";
+      url = "github:DarkKirb/attic/env-config";
+      inputs.crane.follows = "crane";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    cargo2nix = {
      url = "github:cargo2nix/cargo2nix";
      inputs.flake-utils.follows = "flake-utils";
@ -16,6 +23,11 @@ rec {
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    crane = {
+      url = "github:ipetkov/crane";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    dns = {
      url = "github:DarkKirb/dns.nix";
      inputs.flake-utils.follows = "flake-utils";
--- a/secrets/instance-20221213-1915.yaml
+++ b/secrets/instance-20221213-1915.yaml
@ -8,6 +8,7 @@ security:
    restic:
        password: ENC[AES256_GCM,data:80XNExfwBIG3aVNQBc8T2fdN9oA=,iv:JM/HU7vhx28VA9EppxpFc3xRVcAt+kp3JwTuHmFpL78=,tag:pC73+XCsFGTdA+MbTihD7Q==,type:str]
 services:
+    attic: ENC[AES256_GCM,data:smuE5oQwVhKd4z2Famu/Q3n2+tH4fBQ8oyWhROO4pxcsaF/tF+a8VkPQk7AYt4Y6foHjVQ9Wdip3NwDRPElm8iV0R3d636W1xAJf+mXz1GjIINpd5qChMLCqdLI+pF5AGC/CX637G8AwQOsyCdLdCMEC4zzWGS0p3hhzJsKPEi2vnvMXqiw9driilIVy7yHBHKKyYO9G5cx3dpLeWGrm5blV195LFBv7HqsjIW0jE6lC5GJJsr/gkyCW+DcX20+jb3LOSOWjLseD6aMQ6hWEqTubpVEcPqG7+sckj3MPG0FcWL8LTHoO8ckU8ObrcmB5yRNkt+44n2pYUVaaxSjUUWMxucoOvM0luep/8eHF0uimrqR9JJZm0f+q5nXieAlwvY68BbHKUaHjT5Wzh+NlJp1SKWyfFyoV3bkk2l+mKsphQLRNAwYcb5NQsHB0txtJngvW82l3SKCqaFpqUnsSQCgG+HfmG+4clpCuTx99uypVK4W1pV4=,iv:vO7Sr5uBK0DKbpSznYiIbwR+jGD/Tx6fIPmUbXW92i4=,tag:fcPGjMASxsBTp1AOyih2fA==,type:str]
    nix:
        cache-key: ENC[AES256_GCM,data:e9dQNADhH+8l1hTj+CdVu0gow/LmqrQf0HWiTTlFdY81t/8zWkdHdi0Rat5AKUS6x/oBCfTskIKcoRo0Jc0MYJhmOHtDLXlT+I91bSuxVzb9d+TwmhZ/Zce1yP1OXic+/A==,iv:DZ4yCi4YjsAulDyXl3CDCTXB21p2jZIYuDhHORpTE94=,tag:zXcgyBYgFv229seRDLGzsg==,type:str]
    ssh:
@ -39,8 +40,8 @@ sops:
            bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ
            QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-13T19:15:53Z"
-    mac: ENC[AES256_GCM,data:oZpSCWI29zEQAKe/PkeTVi8zZZwCDMoWQNXqTWP5Azyqze9/NHT/OmRhq6GtBl7X0y3P78x1Zu/3SziB935STCX0HhDN8JqJvo9vlkJ71gwBhn7pzhJwiByISlAN9WQCCJaNTrvr4QmNOAPHuJUqMhPwc5C5LUBaOvwdwwTXei0=,iv:Lo5NBanWkv0A3UC1C+iaNBMl/XsbPW8MIRc9RqPBWUQ=,tag:yA45fMs2x5MCuXspaL4MwA==,type:str]
+    lastmodified: "2023-01-15T10:59:40Z"
+    mac: ENC[AES256_GCM,data:CrF9H/JR5+okptMsnfZV2P8naufEcWYeg5s03pQgDc6bg5PWrWwxCkun+gg2xN8dqvH5Ix6JczWyzyDZ/VE/B306IjCCG1USQhIuZdLAUinoGNaSYMtrUIRgRuxNWJd9572jyeG2DBjfp/yQWQi7XZEAmUqTcBjVc2zPA1XjNJQ=,iv:hdjYsl66Gc3YfIFosjtNT3Ek3KKgoMuVOzwZPQ2h1ec=,tag:tKq4o/Ri2aiFlvJY3760oQ==,type:str]
    pgp:
        - created_at: "2022-12-14T15:34:13Z"
          enc: |
--- a/secrets/nixos-8gb-fsn1-1.yaml
+++ b/secrets/nixos-8gb-fsn1-1.yaml
@ -8,6 +8,7 @@ security:
    restic:
        password: ENC[AES256_GCM,data:8W1pEFt+1lW2/Y11OrJa+glMM1A=,iv:V0R7PlBMxl/oTJxE10MIDMtbqr98bE/po+/92MGMftY=,tag:juGYo8nQy7IJUX28f2ZznQ==,type:str]
 services:
+    attic: ENC[AES256_GCM,data:WI2d32HTky8U/dMx3f6Z2hZstshM+NuEYxljVbqjg1HVBMd5CYUh3DYd3c4X6JVwE1pKMbtDhTvBzhkiCS+5udf2nimsRHIzMATXOLDDie2Fy0XR8VVnN0YXizejKyec6czHXX+hju2ggoq07wJBetpEGdiHdq5Wq5hBc2BAcIzCPblwSIVYtu3f33U/buWeObNn9RYKZTZMz07tOMQvIJVvkCavT6KhRyavIdXSaxduBSTyIVtAr/1wEf+4/wFh5sRpl7YVwPJTU+7jNH/8+DYpEBhVMfp2CjGUIWhA4+krfZM8aRPHKzZnFLRQBDrAkQ8wmCwtUrHyGCDGmDSDx2AxDnP/ku+Vs0GSrORgRU8NMc46cqF8opbz7/QsLtEvHrZYZ//6qTz4otrjSXvnBTrS04YaDO17SJ4osFNP10Y6u6QXD/DMSLZeoiUsPFrYcwqteSF8zkjMzN8VqGGC74oAGF6z2QOblj2cRp9+R36PU9md0oM=,iv:B+iI8WFaiahkVrDOFNrTg+HCfQpi8zoR2n1NqkkF6Cs=,tag:FdmjfFUA32CKjwmyAueOeA==,type:str]
    rspamd:
        dkim:
            darkkirb.de: ENC[AES256_GCM,data:UZ53jxzBU8pV/64nCVCa54lJwJHng9xsCmvvf0031NaV+zB3LY2Tp1gBAYDkQdDAdJtLw4s6qmt5PoFjNpw4/WD0ZMaTBFMew4BNIQu6CD6CumtBafMPnUKRyRmPccoU/uoeXjsa09sLB/44l3BSqr4nR6wu8JLWD2dH38Tn3KWmT9MuoeHJJFJDpjhhhideFbbLx9R+NvLsIiPLHKNcJZ0/GbLbfDicFVehcqPHaPfVCt2bwKKBm3Qo4o3W56hJnzSKwcY4I9JxcKE9efdMBaYY0yqpSaotqDnuIMl5ZV23+CTsVt6hv8X+o3qEMLQjM3cFhEU1V+LrdTS9peBI+7cb5Sh2py4ICdzptm0BRnbG1HbYBzFWc/YQalffUHlP31Dl15dZkC8HBszNeZ05lb6f116Ehq3qE0aOs4thZeFBMrfPrrnqjrf/P7en4tg6reBmz5CHyQRyrJ2m9eRtw17BpWvf0mnMDBKZ6cKeimvJxXKIt8VNNYqj96aK96qkgGCmrvJ+O1EIgf/Zc1v1UfiZa4UqH8yqyqwulgtd961IKwsE0H5LElok3LX5dGJlhHHGMbAdAmLreXZb7EzKflqNex2lmW1r8rC7ZQ07f0aNpWRCSmUhQ29V77u4K679ODpTBg/zcHBovBHO2XabA3vPDr0tEJLfyD9EkVsrZvnh8ltYQFkDLWkUfgaQg8fa++CIg0iNAyjuoohbMV7JXyVvlYvWLrZslxGzY0nzeD8orpj67s+phUpDYKZgxQtULeyN75COqmABVqknk7DUrG7TlPmRLU+ixcorEjriNHzpXTA7peQ2Q0XCY5gSK6CpvHvYT4k3xSbPfFx0BTeRwMKjHmhG9sNsOtEjfnhleUvcKDDyRVtemF8guhyvJ8B4nY+yxI3kuRBrpkSUxvBSq66cyTEmEfoRtWOqIe7fmSZyu451TL02XJUU96c8QimGLkI8VO4k9PLNL8YUbzAbF/IIjpV362f4JMb9hSyf5bw9JBNhOZNXrFkRLDCgH66XQbYBGS3e4MfZJnLj2x5jzXMPYbrPMZFjtfMEzVDfI+E/nmlrfn3MoHqdiKbV1bYlqIl2F5ldnAvTsBk0fucg5OmckP32ZGA7QsNBbqD16typ8F+69V7JKxo9jH5uY8x2i+lNtNTll5sdh9cuna23zdGywdJDgP/M0hKLlIja5ZzWPyOD34Z40T9A39nHUAyl4AwNFw==,iv:Z1YILn9vpune1u6AvGTb8/5XPjj6hxhb0JJPD3J9CM4=,tag:+mYRcGJbLJQPUNO1Xq6Geg==,type:str]
@ -93,8 +94,8 @@ sops:
            N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
            dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-13T19:16:14Z"
-    mac: ENC[AES256_GCM,data:syVA2n+ph+gtMcs/LS9zSfrUdXF6ccBz/cN4ERBt1TpIgrU762Z9Uuidh+vwY422OBNikz6UHV5T7R5pOZkh8VBhMj0WXR1pnrOGtOldamOQAfduuMUtwt75XY1rasT2Ye+Aju5WVCv+HuRg+wBY9O0+V6KyzIlL9/j9vTnPSYo=,iv:jgo2XOk2f/MHgeFkMNZ2TvT29Q0AA+aDNGZv2wHUxZM=,tag:1EkuDg6VbI47aSt6QCrymQ==,type:str]
+    lastmodified: "2023-01-15T10:59:48Z"
+    mac: ENC[AES256_GCM,data:3mteNZoAGCXOG27QEG2Tw1qex3HUQJNcDv65mn7GjqLwO1Hz3wWFouzARt+3c0mM5Zb92sOHORBbYPi8ylkZFgJ+tXTc8CBIqJOC8mI86oMcRjFSJH4OcM1gPSdfYNrdpg5VZ3by/xZbkW0QW44GCXKSjMHC556Ro9nri6DRfvU=,iv:PFEOwAITrKt1/68bu9fsCZkZYGy6zJMenGDrrVzh8/g=,tag:vk21RrC2j2gtmQGKyaM29w==,type:str]
    pgp:
        - created_at: "2022-02-02T17:50:42Z"
          enc: |
--- a/zones/chir.rs.nix
+++ b/zones/chir.rs.nix
@ -144,7 +144,7 @@ with dns.lib.combinators; let
    SOA = {
      nameServer = "ns1.chir.rs.";
      adminEmail = "lotte@chir.rs";
-      serial = 25;
+      serial = 26;
    };
    NS = [
      "ns1.chir.rs."
@ -243,6 +243,8 @@ with dns.lib.combinators; let
      peertube = createZone {};
      mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."];
      auth = createFullZone {};
+      attic-nocdn = createFullZone {};
+      attic.CNAME = ["attic-chir-rs.b-cdn.net."];

      int =
        delegateTo [