.github/workflows/update.yaml

@@ -15,7 +15,7 @@ jobs:
           nix_path: nixpkgs=channel:nixos-unstable
           extra_nix_config: |
             access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-            substituters = https://cache.nixos.org/ https://attic.chir.rs/chir-rs/ https://hydra.chir.rs/
+            substituters = https://cache.nixos.org/ https://cache.chir.rs/ https://hydra.chir.rs/
             trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= chir-rs:/iTDNHmQw1HklELHTBAVDFVAFaJ3ACGu3eezVUtplKc=
             experimental-features = nix-command flakes
       - name: update flake lock

config/instance-20221213-1915.nix

@@ -15,7 +15,6 @@
     ./services/named-submissive.nix
     ./services/shitalloverme.nix
     ./users/remote-build.nix
-    ./services/atticd.nix
     ./services/minecraft.nix
     ./services/postgres.nix
     ./services/nextcloud.nix

config/nas.nix

@@ -119,7 +119,7 @@
   ];
   hardware.enableRedistributableFirmware = true;
   nix.settings.substituters = lib.mkForce [
-    "https://attic.chir.rs/chir-rs/"
+    "https://cache.chir.rs/"
     "https://cache.nixos.org/"
     "https://beam.attic.rs/riscv"
     "https://cache.ztier.in"

config/nix.nix

@@ -3,7 +3,6 @@
   lib,
   config,
   system,
-  attic,
   ...
 }: {
   imports = [
@@ -17,7 +16,7 @@
       require-sigs = true;
       builders-use-substitutes = true;
       substituters = [
-        "https://attic.chir.rs/chir-rs/"
+        "https://cache.chir.rs/"
         "https://hydra.int.chir.rs"
       ];
       trusted-public-keys = [

config/nixos-8gb-fsn1-1.nix

@@ -31,7 +31,6 @@
     ./services/rspamd.nix
     ./wireguard/public-server.nix
     ./services/shitalloverme.nix
-    ./services/atticd.nix
     ./services/wordpress.nix
     ./services/initrd-ssh.nix
     ./services/chir-rs.nix

config/services/atticd.nix

@@ -1,62 +0,0 @@
-{
-  attic,
-  config,
-  lib,
-  nix-packages,
-  system,
-  pkgs,
-  ...
-}: {
-  imports = [attic.nixosModules.atticd];
-  services.atticd = {
-    enable = true;
-    package = attic.packages.${system}.attic-server;
-    credentialsFile = config.sops.secrets."services/attic".path;
-    settings = {
-      listen = "[::1]:57448";
-      allowed-hosts = ["attic.chir.rs"];
-      api-endpoint = "https://attic.chir.rs/";
-      database = lib.mkForce {};
-      storage = {
-        type = "s3";
-        region = "us-east-1";
-        bucket = "attic-chir-rs";
-        endpoint = "https://ams1.vultrobjects.com/";
-      };
-      compression = {
-        type = "zstd";
-        level = 12;
-      };
-      chunking = {
-        nar-size-threshold = 131072;
-        min-size = 65536;
-        avg-size = 131072;
-        max-size = 262144;
-      };
-      garbage-collection.default-retention-period = "3 months";
-    };
-  };
-  sops.secrets."services/attic" = {};
-  services.postgresql.ensureDatabases = [
-    "attic"
-  ];
-  services.postgresql.ensureUsers = [
-    {
-      name = "attic";
-      ensurePermissions = {
-        "DATABASE attic" = "ALL PRIVILEGES";
-      };
-    }
-  ];
-  services.caddy.virtualHosts."attic.chir.rs" = {
-    useACMEHost = "chir.rs";
-    logFormat = lib.mkForce "";
-    extraConfig = ''
-      import baseConfig
-
-      reverse_proxy http://[::1]:57448 {
-        trusted_proxies private_ranges
-      }
-    '';
-  };
-}

config/services/hydra.nix

@@ -1,6 +1,5 @@
 {
   system,
-  attic,
   lib,
   config,
   pkgs,
@@ -77,6 +76,7 @@ in {
         </prometheus>
       </hydra_notify>
       binary_cache_secret_key_file = ${config.sops.secrets."services/hydra/cache-key".path}
+      store_uri = s3://cache-chir-rs?scheme=https&endpoint=ams1.vultrobjects.com&secret-key=${config.sops.secrets."services/hydra/cache-key".path}&multipart-upload=true&compression=zstd&compression-level=15
       <git-input>
         timeout = 3600
       </git-input>
@@ -115,7 +115,7 @@ in {
   sops.secrets."services/hydra/aws_credentials" = {
     owner = "hydra-queue-runner";
     path = "/var/lib/hydra/queue-runner/.aws/credentials";
-    restartUnits = ["hydra-notify.service"];
+    restartUnits = ["hydra-notify.service" "hydra-queue-runner.service"];
   };
   systemd.services.update-hydra-hosts = {
     description = "Update hydra hosts";
@@ -152,38 +152,25 @@ in {
     chown -Rv hydra-queue-runner /var/lib/hydra/queue-runner
     ln -svf ${sshConfig} /var/lib/hydra/queue-runner/.ssh/config
   '';
-  sops.secrets."attic/config.toml" = {
+  systemd.services.clean-s3-cache = let
-    owner = "hydra-queue-runner";
+    clean-cache = pkgs.callPackage ../../packages/clean-s3-cache.nix {};
-    key = "attic/config.toml";
+  in {
-    path = "/var/lib/hydra/queue-runner/.config/attic/config.toml";
+    enable = true;
-  };
+    description = "Clean up S3 cache";
-
-  systemd.services."upload-hydra-results" = {
-    description = "Upload hydra build results";
     serviceConfig = {
-      Type = "oneshot";
+      ExecStart = "${clean-cache}/bin/clean-s3-cache.py";
       User = "hydra-queue-runner";
       Group = "hydra";
     };
-    script = ''
-      set -ex
-      if [ -e /var/lib/hydra/queue-runner/uploading ]; then
-        cat /var/lib/hydra/queue-runner/uploading | xargs ${attic.packages.${system}.attic-client}/bin/attic push chir-rs
-        rm /var/lib/hydra/queue-runner/uploading
-      fi
-      mv /var/lib/hydra/queue-runner/upload-queue /var/lib/hydra/queue-runner/uploading
-      cat /var/lib/hydra/queue-runner/uploading | xargs ${attic.packages.${system}.attic-client}/bin/attic push chir-rs
-      rm /var/lib/hydra/queue-runner/uploading
-    '';
   };
-  systemd.timers.upload-hydra-results = {
+  systemd.timers.clean-s3-cache = {
     enable = true;
-    description = "Upload hydra build results";
+    description = "Clean up S3 cache";
-    requires = ["upload-hydra-results.service"];
+    requires = ["clean-s3-cache.service"];
     wantedBy = ["multi-user.target"];
     timerConfig = {
       OnBootSec = 300;
-      OnUnitActiveSec = 300;
+      OnUnitActiveSec = 604800;
     };
   };
 }

config/services/nextcloud.nix

@@ -65,7 +65,7 @@
     {
       name = "nextcloud";
       ensurePermissions = {
-        "DATABASE attic" = "ALL PRIVILEGES";
+        "DATABASE nextcloud" = "ALL PRIVILEGES";
       };
     }
   ];

flake.lock

@@ -1,41 +1,6 @@
 {
   "nodes": {
     "attic": {
-      "inputs": {
-        "cargo2nix": [
-          "cargo2nix"
-        ],
-        "crane": [
-          "crane"
-        ],
-        "flake-compat": [
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-overlay": [
-          "rust-overlay"
-        ]
-      },
-      "locked": {
-        "lastModified": 1694160842,
-        "narHash": "sha256-KqzSSagAay+qBhXlDGHc05dpio9PZ/ZFVmQcuJum/qU=",
-        "owner": "DarkKirb",
-        "repo": "attic",
-        "rev": "9460d742caf366a1f999936dacd4d6e9274d956b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "DarkKirb",
-        "repo": "attic",
-        "type": "github"
-      }
-    },
-    "attic_2": {
       "inputs": {
         "crane": [
           "nixos-config-for-netboot",
@@ -70,36 +35,6 @@
       }
     },
     "cargo2nix": {
-      "inputs": {
-        "flake-compat": [
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-overlay": [
-          "rust-overlay"
-        ]
-      },
-      "locked": {
-        "lastModified": 1691655399,
-        "narHash": "sha256-hVfFMu27OMaUPxpyovnxYNrzDYFCbQaFu+XCAIPeoAk=",
-        "owner": "DarkKirb",
-        "repo": "cargo2nix",
-        "rev": "1a37221e07295f7d5a8842717e94229af72f1c20",
-        "type": "github"
-      },
-      "original": {
-        "owner": "DarkKirb",
-        "ref": "release-0.11.0",
-        "repo": "cargo2nix",
-        "type": "github"
-      }
-    },
-    "cargo2nix_2": {
       "inputs": {
         "flake-compat": "flake-compat_3",
         "flake-utils": [
@@ -244,35 +179,6 @@
       }
     },
     "crane": {
-      "inputs": {
-        "flake-compat": [
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-overlay": [
-          "rust-overlay"
-        ]
-      },
-      "locked": {
-        "lastModified": 1674934931,
-        "narHash": "sha256-TmGfRDBK7EkR0VY8Jr0WU4WdyzZxiXDGVGUzIXPFXRI=",
-        "owner": "DarkKirb",
-        "repo": "crane",
-        "rev": "42c3f329daa267857c6bc6d21c9eec468e97e2d7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "DarkKirb",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
-    "crane_2": {
       "inputs": {
         "flake-compat": "flake-compat_4",
         "flake-utils": [
@@ -1154,11 +1060,11 @@
     },
     "nixos-config-for-netboot": {
       "inputs": {
-        "attic": "attic_2",
+        "attic": "attic",
-        "cargo2nix": "cargo2nix_2",
+        "cargo2nix": "cargo2nix",
         "chir-rs": "chir-rs_2",
         "colorpickle": "colorpickle",
-        "crane": "crane_2",
+        "crane": "crane",
         "dns": "dns_2",
         "emanote": "emanote",
         "flake-parts": "flake-parts_2",
@@ -1368,10 +1274,7 @@
     },
     "root": {
       "inputs": {
-        "attic": "attic",
-        "cargo2nix": "cargo2nix",
         "chir-rs": "chir-rs",
-        "crane": "crane",
         "dns": "dns",
         "firefox": "firefox",
         "flake-compat": "flake-compat",
@@ -1388,7 +1291,6 @@
         "nixos-hardware": "nixos-hardware_2",
         "nixpkgs": "nixpkgs_4",
         "nur": "nur_2",
-        "rust-overlay": "rust-overlay_2",
         "sops-nix": "sops-nix_2",
         "systems": "systems_2",
         "treefmt-nix": "treefmt-nix_2"
@@ -1419,29 +1321,6 @@
         "type": "github"
       }
     },
-    "rust-overlay_2": {
-      "inputs": {
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1698891127,
-        "narHash": "sha256-HuhQGsvBX1CdD+wvyK7J8aANYxvABhkPsiY97aT4+/w=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "6bc508466396bc6e24a7e4236ece9cb95b72582e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [

flake.nix

@@ -4,22 +4,6 @@ rec {
   # Use NixOS unstable
   inputs = {
     # Sorted by name
-    attic = {
-      url = "github:DarkKirb/attic";
-      inputs.cargo2nix.follows = "cargo2nix";
-      inputs.crane.follows = "crane";
-      inputs.flake-compat.follows = "flake-compat";
-      inputs.flake-utils.follows = "flake-utils";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.rust-overlay.follows = "rust-overlay";
-    };
-    cargo2nix = {
-      url = "github:DarkKirb/cargo2nix/release-0.11.0";
-      inputs.flake-compat.follows = "flake-compat";
-      inputs.flake-utils.follows = "flake-utils";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.rust-overlay.follows = "rust-overlay";
-    };
     chir-rs = {
       url = "github:DarkKirb/chir.rs";
       inputs.flake-parts.follows = "flake-parts";
@@ -29,13 +13,6 @@ rec {
       inputs.systems.follows = "systems";
       inputs.treefmt-nix.follows = "treefmt-nix";
     };
-    crane = {
-      url = "github:DarkKirb/crane";
-      inputs.flake-compat.follows = "flake-compat";
-      inputs.flake-utils.follows = "flake-utils";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.rust-overlay.follows = "rust-overlay";
-    };
     dns = {
       url = "github:DarkKirb/dns.nix";
       inputs.flake-utils.follows = "flake-utils";
@@ -94,11 +71,6 @@ rec {
     nixos-hardware.url = "github:NixOS/nixos-hardware";
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     nur.url = "github:nix-community/NUR";
-    rust-overlay = {
-      url = "github:oxalica/rust-overlay";
-      inputs.flake-utils.follows = "flake-utils";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";

overlays/riscv.nix

@@ -9,7 +9,6 @@ args: self: prev: let
 in {
   pandoc = self.writeScriptBin "pandoc" "true";
   inherit (pkgsX86) nix;
-  inherit (args.attic.packages.x86_64-linux) attic-client;
   bind = prev.bind.overrideAttrs (_: {
     doCheck = false;
     doInstallCheck = false;

packages/clean-s3-cache.nix

@@ -0,0 +1,17 @@
+{
+  writeTextFile,
+  python3,
+  python3Packages,
+}: let
+  environment = python3.buildEnv.override {
+    extraLibs = with python3Packages; [
+      boto3
+    ];
+  };
+in
+  writeTextFile {
+    name = "clean-s3-cache.py";
+    executable = true;
+    destination = "/bin/clean-s3-cache.py";
+    text = builtins.replaceStrings ["#SHEBANG#"] ["${environment}/bin/python"] (builtins.readFile ./clean-s3-cache.py);
+  }

packages/clean-s3-cache.py

@@ -0,0 +1,180 @@
+#!#SHEBANG#
+import asyncio
+from concurrent.futures import ThreadPoolExecutor
+import functools
+from typing import Any, AsyncIterable, Awaitable, Callable, Optional, TypeVar, cast
+from os import path, listdir
+import json
+
+import boto3
+from botocore.response import StreamingBody
+
+ENDPOINT_URL: str = "https://ams1.vultrobjects.comk"
+BUCKET_NAME: str = "cache-chir-rs"
+
+executor: ThreadPoolExecutor = ThreadPoolExecutor()
+
+F = TypeVar('F', bound=Callable[..., Any])
+T = TypeVar('T')
+
+
+def with_backoff(
+        f: Callable[..., Awaitable[T]]) -> Callable[..., Awaitable[T]]:
+
+    async def with_backoff_wrapper(*args: Any, **kwargs: Any) -> T:
+        last_delay = 2
+        while True:
+            try:
+                return await f(*args, **kwargs)
+            except Exception as e:
+                print(f"{e}")
+                if last_delay >= 120:
+                    raise
+                await asyncio.sleep(last_delay)
+                last_delay *= last_delay
+
+    return with_backoff_wrapper
+
+
+def aio(f: Callable[..., T]) -> Callable[..., Awaitable[T]]:
+
+    async def aio_wrapper(*args: Any, **kwargs: Any) -> T:
+        f_bound: Callable[[], T] = functools.partial(f, *args, **kwargs)
+        loop: asyncio.AbstractEventLoop = asyncio.get_running_loop()
+        return await loop.run_in_executor(executor, f_bound)
+
+    return aio_wrapper
+
+
+@aio
+def exists_locally(store_path: str) -> bool:
+    return path.exists(store_path)
+
+
+class NarInfo(object):
+
+    def __init__(self, narinfo: str) -> None:
+        self.compression = "bzip2"
+        for narinfo_line in narinfo.splitlines():
+            key, value = narinfo_line.split(": ", 1)
+            if key == "StorePath":
+                self.store_path = value
+            elif key == "URL":
+                self.url = value
+            elif key == "Compression":
+                self.compression = value
+            elif key == "FileHash":
+                self.file_hash = value
+            elif key == "FileSize":
+                self.file_size = int(value)
+            elif key == "NarHash":
+                self.nar_hash = value
+            elif key == "NarSize":
+                self.nar_size = int(value)
+            elif key == "References":
+                self.references = value.split()
+            elif key == "Deriver":
+                self.deriver = value
+            elif key == "System":
+                self.system = value
+            elif key == "Sig":
+                self.sig = value
+            elif key == "CA":
+                self.ca = value
+
+    async def exists_locally(self) -> bool:
+        return await exists_locally(self.store_path)
+
+
+s3 = boto3.client("s3", endpoint_url=ENDPOINT_URL)
+
+
+@with_backoff
+@aio
+def get_object(Key: str) -> str:
+    obj = s3.get_object(Bucket=BUCKET_NAME, Key=Key)
+    if "Body" not in obj:
+        raise Exception("No Body")
+    if isinstance(obj["Body"], StreamingBody):
+        return obj["Body"].read().decode("utf-8")
+    raise Exception("Not StreamingBody")
+
+
+async def list_cache_objects() -> AsyncIterable[str]:
+
+    @with_backoff
+    @aio
+    def list_objects_v2(ContinuationToken: Optional[str]) -> dict[str, Any]:
+        if ContinuationToken != None:
+            return s3.list_objects_v2(Bucket=BUCKET_NAME,
+                                      ContinuationToken=ContinuationToken)
+        else:
+            return s3.list_objects_v2(Bucket=BUCKET_NAME)
+
+    cont_token = None
+    while True:
+        objs = await list_objects_v2(cont_token)
+        if "Contents" not in objs:
+            raise Exception("No Contents")
+        if isinstance(objs["Contents"], list):
+            for obj in cast(list[Any], objs["Contents"]):
+                if not isinstance(obj, dict):
+                    raise Exception("Not dict")
+                obj = cast(dict[str, Any], obj)
+                yield obj["Key"]
+
+        if "NextContinuationToken" not in objs:
+            break
+        cont_token = objs["NextContinuationToken"]
+
+
+@with_backoff
+@aio
+def delete_object(key: str) -> None:
+    s3.delete_object(Bucket=BUCKET_NAME, Key=key)
+
+
+def get_store_hashes() -> set[str]:
+    hashes = set()
+    for obj in listdir("/nix/store"):
+        hashes.add(obj.split("-")[0])
+    return hashes
+
+
+async def main() -> None:
+    store_hashes = get_store_hashes()
+    nars_to_delete = set()
+    nars_to_keep = set()
+    async for obj_key in list_cache_objects():
+        if obj_key.endswith(".narinfo"):
+            # check if we have the hash locally
+            narinfo = await get_object(obj_key)
+            narinfo = NarInfo(narinfo)
+            if not await narinfo.exists_locally():
+                print(f"Found unused NAR for {narinfo.store_path}")
+                await delete_object(obj_key)
+                nars_to_delete.add(narinfo.url)
+            else:
+                nars_to_keep.add(narinfo.url)
+        if obj_key.startswith("realisations/"):
+            realisation = await get_object(obj_key)
+            realisation = json.loads(realisation)
+            if not isinstance(realisation, dict):
+                continue
+            if "outPath" not in realisation:
+                continue
+            if not await exists_locally("/nix/store/" +
+                                        realisation["outPath"]):
+                print(f"Found unused realisation for {realisation['outPath']}")
+                await delete_object(obj_key)
+        if obj_key.startswith("nar/"):
+            nars_to_delete.add(obj_key)
+    for nar in nars_to_delete:
+        if nar in nars_to_keep:
+            continue
+        print(f"Deleting unused NAR {nar}")
+        await delete_object(nar)
+
+
+if __name__ == "__main__":
+    asyncio.get_event_loop().run_until_complete(main())

scripts/post-build-hook

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euf
-export IFS=' '
-export XDG_CONFIG_HOME=/home/runner/.config
-until /nix/var/nix/profiles/default/bin/nix run 'github:DarkKirb/nix-packages#attic-client' -- push chir-rs $OUT_PATHS; do
-    sleep 5
-    echo "Retrying..."
-done

secrets/instance-20221213-1915.yaml

@@ -15,7 +15,6 @@ services:
         private_key: ENC[AES256_GCM,data:E2BWj1/dBHJ47NhqUkEAbbkI3nPWmNM5XoD5ZBu40lBv9xvPxP9SCbLQdFMcxNY/Xew91OZL8NvlNxk=,iv:X6V0YFmkWA6C5j7REFijZt8/gNfB2wHT6U8/iSjLAFA=,tag:DF3ZyQlYLUXBxmnfqoNYnw==,type:str]
     ipfs:
         access_grant: ENC[AES256_GCM,data:WFWKgRf4VG0fViy9hSvRclwxQxICoV94eOpaVjGv6HJ/SeHLF2FaXG9PPNvU35JsNrWQhovYK33QPqE9IV6rgoo7xtH7FYlr91YYJ6a/x4SQnkIu5aUYIpsTk+I97T/5gfLJZK2Sr05lrnCBth5F2eu+ITILt8AUizrqLLW+KWpeCkzz6G8pJGwnOqp/CIDkTCybgnzM0piF4F0lVukAjnrUhYGR3szi8zpy6ZSQHFvXgz37DfEaTgcJlt/tx/xozkSor+KweXHDA71d1nugQ1p7DhLdP4rpm7PrdfZmwc56p2OkK15jdDPeOTBpOWvFt+wdPKR4PMfwYFHO5adE8ZNkdBafICtrdEV552qkTZ4LDYqY9qCi0tKU3TbuArxKoMPshoiaeqEuP2itPsZonqYVv9CXeOLSlA==,iv:NU4rJgOTg6SPOCiYvOqQH0w9i3aJR8IvfNcm+eykoVI=,tag:/LRTOtGRd/Y9QJlK0X1jvA==,type:str]
-    attic: ENC[AES256_GCM,data:rGWQ12Qbl4A7FYBOultw2lPQvmuH6FGF0FrOSZezLhWEaPE0HQcFZAtTRnp/mPDO2hdDWW8KQrbCYDgOvf62VO60CE7iuAy8b7VYsGyXs69fNrrKWyLkAaVR5pmMXXVq2eooqfxFh7FAtzr19BvRZO0nZndnw6SaDc1WZsJifdQG7YOXnUulKOHvbiSMaisc+QEOZJ8FmYN0524dd4fIFYWTNbf80i2SCyEudrgzPV0S+spFMQ0Cg/p2KL42ly3Lljm7yxNDYA3fEgp/8cEm91/VaHTp7YqaP+S+70JJfwpL8CdokpuG7Tp6hALwGpYiKYB+875fmGeiBF4qlTxdmC/dkMSCmxzVxNptYT3oOqpbWnB+K4W30g+dlFMyJiG1s0EIckG7tQidBo5pd/543qP2GvoN0JcQW9juxNqv51wa8TqC4GLGoz9V2GbAckxvephRtq2pcwxx/5MVrZCumGHin2hEwdCmKhsCVTXuEtFZwt+0kpSF,iv:eh5t4CENtUt5wkdIRQkwMCDcraBi6xHeIe/h8bDl1SY=,tag:2YAJMlBdI0DcK93F9m/QYg==,type:str]
     ssh:
         host-key: ENC[AES256_GCM,data:oiy1thPKRVgH0XltFQCKwGMdLZde8zp1Ag1dL/el/2jXp1be1Evtr+kkZv56nhlaJ6KpYi5VsfrfpFVnKUkcYGUMmqVf2lFDu2fPcWB+PW7nol9K+sVRhHgTPP1wz385o5bof4OnbMF9sUbV0PT/pd4yAvluKq9s2vBBb2GEZ+HDBwkurmgVrFqUb66AvCdncXTpK47qpWZQMDTMGKqv5d1hJOoCCIulX3iJ4ko2xDD7qRlFtcdLNFLw3q4R6eP+L0OqoQs8dnjpIQOLVItzHTHTTcQRVoFvD7OMYSyU5RIIxTIOoS9tWzQu/QpHpO4cgjQ/GX09uj+a6/Cy8Itavd88YeSoYEPGwBYEciYLakFpNQ8aFl0yEsEMdZbfHgOUAOlbv28Mv93+RFMs5HrdIup/lZr5PsCBSsrMVkwJNVQKTxbN34LCTGOeCkuzohAwmwEVB/Ysuh23WyFKcdkGWAwlnVvgaNT5/TsNTCCI8Hf6fJecD4imWrJAtlXG7o+mnE+f0LlixxsnMgSnlkX4,iv:mnW23zPiSDoluMjQJEUFHDkVO6IT/4+RgAlaKuie3Qw=,tag:F+KOH/MkjrF1wYCR9OzFkQ==,type:str]
     nextcloud:
@@ -52,8 +51,8 @@ sops:
             bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ
             QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-28T18:49:48Z"
+    lastmodified: "2023-11-03T13:29:07Z"
-    mac: ENC[AES256_GCM,data:aFZwrPUeO+6iDeJMSQRbzlQvtpSgINVped/ZSucbVrijTvKzetUtO1URZl6WreZxE/NSqAuJr5oOWOsAVmQHuARhbsqfVXLykc/m+L6a9e4mQbiTjAVZh9AmZNnrunIv5rpn1BVZSjYa31UQC/VWnuqsCCmeyQEfEu14sUVrH/U=,iv:jp5k+qmNwMAt29/kRACkhPwl3ISFvJjbHupsCVDyhZM=,tag:0ISIGuQ7BO63Mh6O+Wqvow==,type:str]
+    mac: ENC[AES256_GCM,data:cHdS1omrtgqyOECJtcuekU90i7zVeiyJIYLr7FZ88G2dRSn3UGhu8vFE3m/7M7kt5we9UU4lY158FOqF0BL9Sei61eOY8qCT7KiqX5jhKf1a6zAdzBG2rgipmG0dTopKthm+CtwX8FLF9tRnumUlQgMqUGymtgf3vcbrWwbkhsU=,iv:+qX3eWASW+MHReZbyr+W/yZfmGgW1k/7wCFVe/EH6AU=,tag:yH7nSk/xYCuVVHnB9nnm8A==,type:str]
     pgp:
         - created_at: "2022-12-14T15:34:13Z"
           enc: |
@@ -67,4 +66,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
     unencrypted_suffix: _unencrypted
-    version: 3.8.0
+    version: 3.8.1

secrets/nas.yaml

@@ -8,7 +8,7 @@ services:
         cache-key: ENC[AES256_GCM,data:359HiOnMunY5vQowyl79OOYX7ELs1jGkyCMjvuUXUaVnPWu/Nui5UM51O4VKD6+cLvVKyy5QXJxxOVfPO5DHL7gb+rlcbcusdBs8iCLaqlxD7yHqDE6FsncFSB7OqqUKNw==,iv:/NBm6p/vpurdhFzrN7HA9Tu13g6FbWREbKh4yNPryB4=,tag:xTs/KwTOgAQwaukU8+ek0A==,type:str]
         gitea_token: ENC[AES256_GCM,data:v0Ej8841I1F/dK5ZplRzZlvngpueMQKspM5USzX9VkOEmpCs2NA3+Q==,iv:fZisAuyqk7ATFx6qHYkScUeS8SsikjiPzVovZjGnUYM=,tag:7+O+Sn7unPDy88a6T70Jmg==,type:str]
         github_token: ENC[AES256_GCM,data:AWMeX+P8YHGpSuH+5KqvE9zNxkEPKGvdRaQjNysO4/XE4csGjCvmjA==,iv:MCRtws/SM7lWS2/2pp5tbeX7+I5h4LVd9bJp//ln9hs=,tag:LMEGWFAaOqH0fqfNgc87AQ==,type:str]
-        aws_credentials: ENC[AES256_GCM,data:yxJU6d6BMi+LHUPimMkgr5h6accGXQXxFu9A0swdwKII/Xfo4ALAw4J4aEhpnNuK8JwmzuuDdTDGnilzuEATeaANa2cNXps6AWw8Hem8idw585xTcU1YBEOdbBSs/mKK6S+Da1OU5jC1atrCCWY7cg==,iv:tAEGsniZ7N/jBp7btLlD1pNcF4NvEmpO6zXji1H29t8=,tag:lmAB3QMfaT3ljDmr+8IBHA==,type:str]
+        aws_credentials: ENC[AES256_GCM,data:TqfAEFfDEIicrI/qNEpHYI/cXw5OZ4z31eq05WTIQWxuyD01UfduuJeHlPNuzp7+cGVSExBUccNvVpwz7ivESoMLqiP459GfXert/SZi56fMZdOsfFxbl5x/ks71bamj5/qIXxQW0hqSOG8TwQNIMNQgAcA=,iv:HDXc7F+3WXnIfRL8rYxMnQPlfNLMYJAjKKjWVzIhNQ0=,tag:u+D+/YY+60TAEmhHMGoUwg==,type:str]
     hostapd: ENC[AES256_GCM,data:KCOOPShBt6gs8TK0Ns6Kzw==,iv:haG+7w893r9w9XySav8n2MWIAOi8eehy61rQudpdjGU=,tag:yupv4fTLiOgTU7SKoAR3og==,type:str]
     rspamd:
         dkim:
@@ -30,8 +30,6 @@ email:
 password:
     root: ENC[AES256_GCM,data:edK/dud41KmbX6v8Mxn1vVcaCwG0x4YhGjqLTw3oAigmwixTovz+4yUDrkjTQLb3/eMClqQJnjcJsRBv4chSu+UuNorKIsPM0IX9mkTmVH2soGmdPB21HXOXmisGu33oOyhyojbvlaWlFw==,iv:GiXRuhJVPgkAAp7OYufzXtHusnSPOfAP0ztdAtn14GE=,tag:nIOus2VvzE6d+r/aJOLCBw==,type:str]
     darkkirb: ENC[AES256_GCM,data:vmI8B7PWeoKTwOywaGmJmD9gWb09eDcmchx241XrfNvT9QseuSElDTb3OajHornt/OFBPh7EtNi/y1BHF1+DZq0i1tmhYuJy24BLuCPH9VpCb5s5xZZCVtOC6w3qUGqIlLQHYN0Fp1Ap5A==,iv:KkcLQDJSDqeFr3gDByb66MOx8/PbpKpvM9Ym+KMB3jc=,tag:wLLOU4RhWnS+DDSOQLrLHA==,type:str]
-attic:
-    config.toml: ENC[AES256_GCM,data:060O5ICRHpkfTIdrkrLjlJSFKh7HCcMuETkRwf8zSaPQO7NTYnX6nQjd0mYcWZvBPQF3l8cVovja19nKMQAUGTzkBxkpvfylG+UMAfxEpuwTzypyzBwLXQOZPXqdXoEKPu0ghx1nojF08CLALDMlM8J/I7KrlofmSWGO+7142EAhrf1ov5IFmfHBn1vJvfa9aSVKnYDXmMpimO8zxc876YiBiHPe9srTpAlyOu/aOiev0fRmZfWGt7X7/lBap1AcDZFvoe/8Hs0Nb1GSE4ZW9WLPBMFigGK10fCgmlk8rTkaXTNCdZ/yJ24lugganFwssET6HBS/nmDLLMjPkZ0n+6U+JdDcRtXQXq9nwFG9TpMvX9i9K1z24F1/maQ2qUS0OB/YQ/pADLJt/xYfuzfB70FHpN2YYn2Lcmup3xKvbfAL9BFJCA==,iv:3wCOLgoqKoycuitBrQCccRRYulfrhI0a5K8vARU2MM4=,tag:/Zggqm+3CCcUwyc9ubhqcA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -47,8 +45,8 @@ sops:
             WnV3QWxtalIzWFdoQmpDTmJsNGdNOW8K++rFGXy0G6Gcu2gQwSP6xfXInQ/y5nh5
             2oGp8sfOLFWnNI4SWL0ChP47K3C/9ysUHwQnUYPbRafZ/4X6cN40ZQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-02T17:25:38Z"
+    lastmodified: "2023-11-03T13:33:44Z"
-    mac: ENC[AES256_GCM,data:iu4NhBQHLTuGAG70rSedcI2cwwDZpzLu18cIxO9JaVRWVanDoYTDXd9sDC7H8oBOmLnypYpXc4kOMCwsY9475W+Yi3HxHWlkcWAPWxAsJL5nIkC7Q9CwrwSCpwtsPyebsLzl299lYPjsNsLpQ6ft/GWnwAn5ISIkKV91k9hduz0=,iv:IB8YVkok7NrX2ayu2iQcwzsP/Tl+WXxjfvQ/1DkRUlk=,tag:z2tlvGWpEbXFrCmuKwUdbA==,type:str]
+    mac: ENC[AES256_GCM,data:CUi7/JEP6LerZ1SKYt4nEJQNbLs6iLK4U758qFXCpLkHBX2DA7wpu2HQ98SXkfQYHNOmoH/2LhCd+Am+UixnzmTZPXol7zntO3zSrjLQh208Cpp7lYO+sDFLOJqijjth1n6c4dri5yaXJwHLQn/iLZR0Ktespl38RotWnaQ597A=,iv:K6nhBEpagZSrTVfFiS1iGC/K691yxrdFP/sqoMZvWO0=,tag:7N10AC167RoG2qKUH11g5g==,type:str]
     pgp:
         - created_at: "2022-04-24T10:34:20Z"
           enc: |
@@ -62,4 +60,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

secrets/nixos-8gb-fsn1-1.yaml

@@ -11,7 +11,6 @@ services:
     chir-rs:
         database-password: ENC[AES256_GCM,data:6c8Ey39Lh/MoCJakEGpNFyueH+RAs//HXPKExrsiXiU=,iv:YmajjfpoaTHlbv5VhCk36jgfDetCKOTMqrmMGzXvitc=,tag:eQq7P92TR0txNk161gUUKA==,type:str]
         signup-secret: ENC[AES256_GCM,data:rLpC7HdhTSkDNeRau5iOvicDxeHJC9R3aRIVe65xysQ=,iv:Pm/+ZXWJCtN4Bq87hPaXco78C/cwD7cdCJmApDpS6iA=,tag:NL4T35lL+xauva72f8C+EQ==,type:str]
-    attic: ENC[AES256_GCM,data:q75ahgZD0O56SAXxKoUaVoxqbioreMDtxLXK6K6iTzGhZYabthxmm2RSgUIWuV/sSdDPuuld3eILypr0+G+ujtckyPb8Osc8OAAiZEVgyLac09250nM59Ypuaoqm1qrouD1T2kmPwocVqbWLNz+NzWKnOgX8Yi2lwSPZGXMfhi7THOgb+vyTwSE0PYWubCktynqUM/qw2XgThqp4OYg1V3+nMo3pP3wCtjFu3Vb5HURoUIXTewag08OI0ma6jTkJUARX1ihjuBqW+2/EJ6xVCzq4f1fiWtzjmFYrsFwmScP18modQAB/yHLc0RZOdb8ujSqkJYcHx5SayZ2tBQ+A6DimUbaUfdTLqKF4nPECzZPRfSw079t1t7u1iv95yveCCWmMS9Vslb+zvXETVzg8E33d2BdNQymgYnaavlZiC++hosg9WZw8YqBFxJ7rQqcxAA5kX3VgWg8SbCuHyc2dXVUVIwRaPlOC+QETsK6iDB8+gkt/HOLv,iv:K7zh3b9i9qBTCb6UUIwrFZl3K+td0vafUw/R2JAmckE=,tag:a44Skw4jhlkOfkkkSy5ltA==,type:str]
     rspamd:
         dkim:
             darkkirb.de: ENC[AES256_GCM,data:2Af4PsmTI07QzY/++VrrENe8wovHrUNElisfufyNt4RaiAB0Uq9Bp6BnpIEqLzfDs0z4mY5D05ncVa+K6oZWnAkhTBwIwO/iD6a4v5aOSdMp1BjbAQnJ9OD41+lLw1KZe98qAbjoO0yjtr4ySo5UzQUJ2wm2i7ZHtEBH06Gc1ZIPD64u2rC3/x9m65Xf+NFe7uSn0hBlaVTnuLkA0RwcopvtFXe63PXq93cHc+YCu9O6beppp7p0K5EkOW54l0UuGVbNtHKm+AKbsjzLWBnS3w0tP6mi1GkbBB0DMJrasA+cd8SbQ02kh5t8cvisviDaroeWTGElovqNOiSYZ9PkBAaADBYuR6bDJ9riIH8RrFfmS+lT0XW6OPPGdz9b5AI5A+Xze+36u2sv/Mys+Y+/G2C+uZYgDj1EKYX3DGKAl0ytNlSw7QRa1WoobvcIOfgN5cvmVV56QkSNteEdHGGod0aoiWTgGFwuKyjZL4UBjoDXcXxiCAKeQJ9Kkk0u9IG5JEhsa6W21s1Ea3hJdCaNPXk/vF7d3gM/jzrYNiioic4S/PckYf4u/4NNJhP5QS9ys68uPXZpSxZ7cZnB7ZS1uzvY4Hq/nNBBXmSjGz/G8EaeAfcXtBeRwLnv6HgeDfz03lu+JoZJH4UKUkU0emoP8du1RpMU8lMxuOsOirwVAU2SljZn/P2+reeFsV2hca6/AmXNO8Ez663AcQsxww/xY9tady3ch6k/rixLIYZuhURzFilEwqQAye0KvcnQrwhix/i1ujGv5G2SKHTlpYiQPDDwnF/gYHC4H1kqzRCcRP0CcYeZ3hhBC/fwgkXSxhrKjRmPU9hGsB4LfNnzdbezi4K4XGiOzEy6DD6r+KqHK782U95eaBxDPaD5PTY/jcy4mn5jtalmznPiZ3C68EVTcZQJf/o84fQWPG6I9BIy5PITacqzm8EQC93ZPPB+gdLaUWv56U2ruT/3RgC4eusgBtngydbRP7MaVojasX/NWEV4uhQ6zH7ErEFQDpqwaTNBDhXQUS2DJznQH+xk9M+VxInN1tUvc7UXQ1SBdARFLPzNubRvnyhd05bx1TEGHIqKNaJN6khYOt0ES+wZPjYtx3ctdhzNjajMIjv8rjmEmNoRyyH66GMHEfDbuCkv+VoBkPPWhl5QGbF8NRmN6LxR/GokQgCitfDqBAvuCYhRahurVZmGelcXh3X/eV+aFWnC9TC8aA==,iv:LhtgzfLhkBUsZcEF5oBrUQJLeMkdSN97H9rp8fRdG2g=,tag:vTyG6L9n9LwNe94UNkLyhA==,type:str]
@@ -86,8 +85,8 @@ sops:
             UDRmejBFNTVxeTF6aVFta09OS25uNXcKizOsV9EUukinCAwvpZVrk9x0aXTKQckd
             gGfdCEU0HZXhZg+ikDFzy52+vPo8+gInjscXiXr/gGn6dJoctLqQXA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-29T12:29:47Z"
+    lastmodified: "2023-11-03T13:29:28Z"
-    mac: ENC[AES256_GCM,data:Rap4mZqwBEGJ3rOuMV7yGmRoERedw5hUEOF/jm34qQGIqXnkuQ0TgEK0lXEo+2W1UY0xZYlN/CPz7oej4Tl4iRL3JhVngMotSuV6gNTt5PE67fac2WOlQFQrJynZV9eD4IZahb4aOSO+Vw04RoIFgOZmle5af8vkXVflJmEJhXU=,iv:ovBe3BhEDX3V9X6kQaplYbnoGMseIuDMfX+O+keSgRc=,tag:06V+VODklrJA3VUT+Q1b4A==,type:str]
+    mac: ENC[AES256_GCM,data:r1peL6D9MIP2UAuQzaX+Tj0wnVZq8ompReOuwMtVEM8yRi5tmF4X5brHOHFURyyPk8AuPVM+Bc3mMw5zoshn/eAFredhAMegA86H0HVri34mxoY8wkVeWWHTqi7QtnudeZMlXn+SPjgsC+d6WYvHEYmI7/VS1XV3cNtVaCmWqd4=,iv:2lQqsryjhMnA7sH1DPRBBYYWrxZeO9QBzRLuob/U0r0=,tag:bsVJh6FH64FoP7GWKpanDA==,type:str]
     pgp:
         - created_at: "2023-02-18T08:54:32Z"
           enc: |
@@ -101,4 +100,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
     unencrypted_suffix: _unencrypted
-    version: 3.8.0
+    version: 3.8.1

zones/chir.rs.nix

@@ -144,7 +144,7 @@ with dns.lib.combinators; let
     SOA = {
       nameServer = "ns1.chir.rs.";
       adminEmail = "lotte@chir.rs";
-      serial = 39;
+      serial = 40;
     };
     NS = [
       "ns1.chir.rs."
@@ -239,7 +239,7 @@ with dns.lib.combinators; let
       akko = createZone {};
       peertube = createZone {};
       mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."];
-      attic = createFullZone {};
+      attic.CNAME = ["cache-chir-rs.b-cdn.net."];
       cloud = createZone oracleBase;
       lotte.CNAME = ["lotte-chir-rs.b-cdn.net."];
       lotte-nocdn = createZone {};