From 24201d0db61b54ab594216823c6a742919d65908 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Thu, 21 Nov 2024 10:09:26 +0100 Subject: [PATCH] Install `attic` on `sisko` --- hosts/default.nix | 2 + hosts/sisko/default.nix | 1 + modules/atticd/default.nix | 52 +++++++++++++++++++++++ secrets/secrets.nix | 5 +++ secrets/sisko-attic-environment-file.age | Bin 0 -> 5999 bytes 5 files changed, 60 insertions(+) create mode 100644 modules/atticd/default.nix create mode 100644 secrets/sisko-attic-environment-file.age diff --git a/hosts/default.nix b/hosts/default.nix index 5636017..f86454b 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -110,11 +110,13 @@ "cloudflare-dyndns-api-token" = { }; "restic-hetzner-password" = { }; "hass-ssh-key".owner = "hass"; + "sisko-attic-environment-file".owner = "atticd"; "autistici-password" = { # FIXME terrible, should create a third ad-hoc group owner = "grafana"; group = "forgejo"; }; + }; }; }; diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix index ba45c12..969f4e4 100644 --- a/hosts/sisko/default.nix +++ b/hosts/sisko/default.nix @@ -30,6 +30,7 @@ "immich" "paperless" "syncthing" + "atticd" ] ++ [ ./disko.nix diff --git a/modules/atticd/default.nix b/modules/atticd/default.nix new file mode 100644 index 0000000..507ba59 --- /dev/null +++ b/modules/atticd/default.nix 
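Review bot: In the hosts/default.nix hunk, `"sisko-attic-environment-file".owner = "atticd";` gives the service account direct read access to the decrypted environment file, which may be wider than needed. If the atticd module hands `environmentFile` to systemd as an `EnvironmentFile=` setting (not visible in this patch), the file is read by the service manager rather than by the `atticd` user, so leaving the secret at its default ownership would probably suffice. The `atticd` user is declared only in modules/atticd/default.nix, so this ownership line also relies on that module being loaded wherever this secrets set is evaluated. The hunk additionally adds a stray blank line just before the closing `};`, which can be dropped.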
@@ -0,0 +1,52 @@ +{ config, lib, ... }: +{ + services.atticd = { + enable = true; + settings = { + listen = "0.0.0.0:8081"; + allowed-hosts = [ ]; # Allow all hosts + # api-endpoint = "https://cache.staging.mlabs.city/"; + soft-delete-caches = false; + require-proof-of-possession = true; + + database.url = "sqlite://${config.services.atticd.settings.storage.path}/server.db?mode=rwc"; + + storage = { + type = "local"; + path = "/mnt/hd/atticd"; + }; + + compression = { + level = 8; + type = "zstd"; + }; + + chunking = { + nar-size-threshold = 64 * 1024; # 64 KiB + min-size = 16 * 1024; # 16 KiB + avg-size = 64 * 1024; # 64 KiB + max-size = 256 * 1024; # 256 KiB + }; + }; + environmentFile = config.age.secrets.sisko-attic-environment-file.path; + }; + + systemd.services.atticd = { + serviceConfig = { + DynamicUser = lib.mkForce false; + }; + }; + + systemd.tmpfiles.rules = [ + "d config.services.atticd.settings.storage.path 770 atticd atticd" + ]; + + users = { + groups.atticd = { }; + users.atticd = { + group = "atticd"; + home = config.services.atticd.settings.storage.path; + isSystemUser = true; + }; + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e5e95f4..52a3217 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -161,6 +161,11 @@ with keys.users; ccr-gpg sisko ]; + "sisko-attic-environment-file.age".publicKeys = [ + ccr-ssh + ccr-gpg + sisko + ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ 
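Review bot: The tmpfiles rule `"d config.services.atticd.settings.storage.path 770 atticd atticd"` in modules/atticd/default.nix is a plain string with no `${...}` interpolation, so systemd-tmpfiles receives the literal text `config.services.atticd.settings.storage.path` rather than `/mnt/hd/atticd`, and this rule does not create or chown the storage directory. It should read `"d ${config.services.atticd.settings.storage.path} 0770 atticd atticd -"`. Separately, `listen = "0.0.0.0:8081"` together with `allowed-hosts = [ ]` exposes the cache API on every interface with no Host-header restriction; if a reverse proxy is meant to front it, binding to `127.0.0.1:8081` and listing the public hostname in `allowed-hosts` would narrow that exposure. The commented-out `api-endpoint` pointing at a different deployment's staging URL looks like copy-paste residue and should be removed or replaced with this host's real endpoint.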
diff --git a/secrets/sisko-attic-environment-file.age b/secrets/sisko-attic-environment-file.age new file mode 100644 index 0000000000000000000000000000000000000000..97274634192fa829b29883ed306a7d3b1f4fd675 GIT binary patch literal 5999 zcmYklq^YzC&g2!>^h}kh(sUk`u_K?KzfGSUb`*u6I zobMhZkFWzGBX~Y)07m2^iq;@yG8}|N<%dKIq64F)oM1tqcQBq$i`1wU0za5QMd!hg zOb8kwq`Q$3Kt3-}gi^Eo(Nrt|9^nR6u9-#BZdugJXGN}&l4HOHBa%QAwOf(HE z&?1FER1iIqMaTQo@j4$iD;VmFlgd~+x0oOx2BGA$0dkR;io$v-{h1J+f~93iNHnB4 zI*>{u$f-yc97yr=#mIpyB+m;dp-VzQM3qLPi3Gw>U>brgB$5HLkQl1JuNyUhjD!n< z)o#=X42TJ#z`dzr0-NsUtJQ`0YqZgLA0$rA!NOGtB2L8OMEM8F)I47fj|bq(F>)|E zNbTbtC8lBBK==Tbh^S@6pg4G)LKuUO>4U07~a!rA)AAGz+1|;{7EEv{)D8gADeE@w_lBh6oA^3}#3Apl~>v8ik_B z8E#&9hRRJ14*-F^F%m6+O9_%fxjG;{n#BXD30NVV;l-2k;eiMii7E|2h-4~(Cn_?C zgV6xdDwr4E*B>Q=BYfEi9@q_zK>#RfFBzWtpAv#j5fh9FVEK_1ArdZMtpl>5v>2r) z2Q8J*&{{l4D?*}FK{z)a9xKt2y|BJCKNd6!zyhH(NHo=pq84f3*eEp!M29dWS~3W& z)(}NVs?bl1hedNSYBu}-JEq`bynsjmj-iYoK`A(pAD-YD%P`x3n zNH9aHf-7Y>b}&K;Ls6Lo0WDDBtKx!1P>7!woJ9lEpaDV_My2sbOSOEO7Npb(0+j$r zFo^+Du>&E<2u`$4A&ZO&ief|{kiJYc5&qv0lz6R-s?n0T0w6?2K_Y#{1TsV`$M~pd zFdEU50$_4fA{x&Z%x9=&bh6A3$Rvs3YOnxDBKkpn6gWN^Oj9$M0-nE=C1xRr!C(>^ zOv6M*27&nz)EEu`N@dPFBzZ*{t zB5UE&XtoaX>J+cZ7f<#ADqMWSl2~0`L~l#8SML7K1=XLZc-F zEH@f1<@kX}coy`(IMxsE3zAT{47fn}e~vkkU?|iRVdtibq>7PtA{dTG!mC&sNq`Ed z)nSof9t%##M+ilD86Az|V*-&>3|52o7pMWK0ELVpl_7#7fkL++ECzwX$>eB%2~q&W zN6|SER20jTsSS|?1fc=$?(TLBG)$wW`Ou*x#(%~Io_H|SO9Vv0S!Dlc4%3^?3i1Og zBiNXrND5#SUaHE5tn4^;e0yF}=)e&J(a=@fOWp0N-Q2S+vBnqxw!KePHA!;s**7GQ;xnqy*|VB=&nz` zYu_DkbXieX7}B#gD?TB$b~nlg!>9zFchBy!g$J<$_`F_a0FT@BXW| zV?F-qOf5G3)r!P)jZ(uviwId88P8F1Q&Ay4W#=ldEYYBD4{5wiS00Tx^ud;w$-n1cu1r67ui;XB`vO&K1p0A*8GYYGj%)A5lBmF~1rHxHZud=Z z)1+^W|LW2!FLYVxlr|%1Il=7TaQ1Z08H)z@aUsiO+gl9l8sz1Hkr(l6or!u!u?04h z*DY1x(w2pKWeKryXGC>{m1$S@_x7whj9lOv9DCxf0~|j+SZ@~maMX6R`f12X(6_k( zO2gdSCy;L*`de5pvzpBou(uYjNIe=cdB91J2axuoq_67Na$$D^c%^oITJzHcsPevVbym(+R{OF1MWm9o;_JzhVDZotKz2C z>~lB%;_8H9dOQt!GHdf}@%5th5PB!@ldH$nVq^+wiwEdRqLtmP7J744%!0T7Y8rSQ 
zdtN;3xLrUjv0HmOvuZ_GkszXzJoDk`mv2=Qo_S-{tGF7&$^K=nBX-8uA^p_mEXo7b zO_4Qm_+!L5)tHg_>rcQphUv6;8~sm+b$4d}I-)%;IbVDEpy$)=Y`TrROKR1Q?6a)U zD=8i)${UAZ*7&iA1>dVH&u_Dkr7KSWVJw+wPf?2d&A0X6HzF&{H$IGTaMkNNedlqd zq%Z4<@#u%@H^<{$`rgf~cbd?b9QmSztx4VF-c{wwIC#oD?dE_9U}a+U2(mIc)Rb#> z<)pU(+*samWZwE1NJ7H3@-ugT13Qa%1F9$0pK67@76&U#tR17?_Vmqb z;`K)YzU_Eh1vwuZ)K;%QBQeJ-Ev@+0_n_g&ar~ubu_(cr+fw&t)u;y#yUO9kCF}eL zc^^tv-??a%6r%SU{Qd*5Vl$@lOl8TMl4URMG%o3S@O#es=BRO!nSUoTTyb1P4y%@^ z6Mu$`TPusa4vRhPXhs}U{k!>8@muw$hsg(RrnfYBTrjFgcF2wBg`KRikJOZh(-vDO zrqOHBaLbEYQBw2159 zM4&5;W^PFh1DCU24bY!%c7k3#(ShIRAc(!Ue7H*t51w$Xp>4tV?f?DPVYA39@>kQp z(QEaYdZrhaHRP+t>-@$n^8?`5*S;9NI4wy}3+o&~+JhRW1TF1#iq&6lH0y;WLVt;p zPxmg-nitC2(Wx&F+O~I|`gP;mxr)Hm^5&VRn`v8H z$XD;z^gijZ!lZec4)*-BPI;{ZwHaP38ptSjzP+s5xRWxwSrWwN0m~M?$|_+U=uq5o zPTSykA3v+Vc|M6>_I_(9cu<;l+d@A!sG=;>{hc%F{F>&KO{H(fbbm91HkbT*i}hY( zX~(uOdHuD01P1H#o*`(zv(>USTN*=`hK05@q?2<}R^pbV{rU^4w3x#@Opp{?u4L)(qdRVEcs5FCglhlP^WhoJ>8^f4q>s zJXd;!Q}FZ%b>k^%-bbhPy(f1%<|O7^eze;!y6x3E{pbsnCR^z1&EAVHJFZW8gMO!H z?K}JnyuQ4owR$XN)blm-K>m>kLDTCEi#|_G+HSJc8DvR5dh`A7nHLa+i?l; z2wMwYg6&%#Hobk)-Pz_1WeA)=3mseVk?8ME9IFLeB~m_WQkgR&Dp>rr_QmH&5<&<$3kv&Kl$qzf``m zz}r*iFv$me+n&RB+Nm#m3_D?6WU<2Z2&3xY#GS+@2>c|YE9~g&d_(!A?G)3Hrr3`?Q9>$C6bO- zebOUopA?;|u77dVk<{|o#{oZPM+P_p{v0U(e5t1Ax-D+ZeLCZ{FtVp31Ji=Y*|ul` z^_}YLY4ke$&J=s9?UCVMe&q%3B(cNF&|c>hSMH6X>>Mx3&Rps5Y{`9hFsJs>zn%8| zTW@`jYy#EX?JHmq()paHWbw-6<2m`Yz^nHh%u?SgluuUFTOgwQlYy4fC^p-Bnso3z>nW z8b*dUf8K9?eg1+|TicX+N8+1{Yr0MiHyyuKKe;ZKyyhM_`x9-D?cfYM_NS%xr!%){ z&UC;PHLT99x*ud`^!4w>>V2MbXDk-m6kbZsV{D$yg}Zo9EXbP{F87tJ*IhMCoQ=_c zZeAAR%<_p3lizdHY~F02KQz`h>z6j~KHr|*H*j@B3%B^|@rM0z{gU?mWMtuK#lUhy z&Hy_obhmfcnlDr6zU0R?mZ#_3&;=H;fmh36&kO^5Ovb<52PGX88^)(JrM@evu{Hkr zQXOIUyJu!wf%fLc*y6TFn>$vvz6Pu7WNWOhmAqe{I;ioe*K@I3@qO)fCw_p>ld7J4 zZaaJDcc(#jzl?v2*CqTa%}VO(Sv00SwlDSXD%llPiP7x3m?c|pzu?_~?Ypk`W)YdF zfHoOr%~Y&LEqZkS;5zebva|IEoAOtj`UL)-y3+Pt=A4~@BKDGSlbusz@yXDj_ci0i z$x#KN$@Hf_2S)HBWQ5gY=)YC&GK?+z$EN*xTfUu@tn12hsxL)yypwH`OcI~w)sYzk 
z_h0TA-f&7|9SaG|4{t;{{4`5FAUg?pP{l>w|= z=8RIm>_f_T{<*N#F%73;eYBUDPO$uzW}j6KZ*1StfbJr#H%Y5|fGGHN`O>QV@&!GO z<#?-@bhBT#3VqBWvsT^1&)Zg?=z^GUBQ|caEA<_EVtbL%)EQ5IiJvSO19SIgw@u3G zYkSH!H1AG3^H=NYZ;(L0n{T-P_3+{IVVCyLSm{~3YR%CRuW?pYlgqZ54JcYi*DlD} ziE{JEXZ{U2<_Qv-+;GE~qjYAT`;B(f96x3pPtway7h8!d68(P*Lf)Ub@gQ>sp4dDf zyVw-(*=BN&V&##CDTw}8x$J183~J^0Ae?N0 zmT`8T?RDB^f**yd*|hM3Read3bXWTvqdAbvHr(+zOY)<2Gi!@3h8(hbU0b(B{EnXx zdAEP)#)W%zSKPT#OGcRPn@e)+8$eL5%68%l$KB3dw?hnM z2e1@ym31@FC9xso0psxB!2V_}EjZs}QNk_ygVML-^YBUVurp!_&Z*PV0xxgtXxltA zZf0FHzWn^QHLL`mZo+lVv73HEQbYRl<5^L&;=^5!_tabe68Mc73Jr=}i?id0p8tRu zj;y`#D(mf{e+PGF+;qsX2=9JoxM;@YB!K92im)?)hvV!f_r)3!l=>s9^tvn7)c&!Ua>@8x=~4J{2&P836P#V(M& z!tjBhvNi8rTM@zfESrRPGZPa4zaOR*_7f{AQpSWG)7C(y`tFJVg$)k)v&DW>sA0H* zbJsO_!|}9{vnbQ+r;JzboS#i>9p^D8@sl<_qqUuf=z&<(hRflv$Oz&S!xvXBu&sol z^W_cT*4jT<(5n+~fA>`0sXZ;@UcRJOPjAO*KVjCD#t$E6aRVjm7LRXu zIM;61F?%!EEbhj?O<^C3)*NWs`?7QC`p}I>izrB)u$E~Qb78EFB5tTDzau&Mbz&|m zZU4jeeY+C|iH|i9E6BuHz`e`V@(W1-vlg9ia+eYUKha1j%RImFfa3g)PJIWs5ep${{bP-^+whL_)Z_E(vp|;`zZ!eewNNHTk;)!FsR}}_A?*wjxOZy zQZHRH1>1&Wb2Eo`R?dulF8=$~cyh>_hwB)KYePS_89f!&r`RJ zej+`W=Qh%xg_b0`^_OUWgJ%PSdfo0Pl}N49#2s8`AaPlp3fJ_125L#lyd#0JbJ%s< s;XQNNr@hJg)y5`ImZ{+H_9&?J;hrl^N|)A5Sdw?6NsGU)h#h