Refactor attic configuration as module

2024-12-08 17:45:54 +02:00 · 2024-12-08 17:45:54 +02:00 · 752bed060b
commit 752bed060b
parent cf86743d68
6 changed files with 102 additions and 89 deletions
--- a/nixos-modules/qois/attic/default.nix
+++ b/nixos-modules/qois/attic/default.nix
@ -0,0 +1,98 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.qois.attic;
+in
+{
+
+  options.qois.attic = {
+    enable = mkEnableOption "Enable attic service";
+    domain = mkOption {
+      description = "Domain for attic server";
+      type = types.str;
+      default = "attic.qo.is";
+    };
+    port = mkOption {
+      description = "Server Port";
+      type = types.numbers.between 1 65536;
+      default = 8080;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets."attic/server_token".restartUnits = [ "atticd.service" ];
+
+    services.atticd = {
+      enable = true;
+
+      # Replace with absolute path to your credentials file
+      # generate secret with
+      # nix run system#openssl rand 64 | base64 -w0
+      # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
+      environmentFile = config.sops.secrets."attic/server_token".path;
+
+      settings = {
+        listen = "127.0.0.1:${toString cfg.port}";
+        allowed-hosts = [ cfg.domain ];
+        api-endpoint = "https://${cfg.domain}/";
+
+        # Data chunking
+        #
+        # Warning: If you change any of the values here, it will be
+        # difficult to reuse existing chunks for newly-uploaded NARs
+        # since the cutpoints will be different. As a result, the
+        # deduplication ratio will suffer for a while after the change.
+        chunking = {
+          # The minimum NAR size to trigger chunking
+          #
+          # If 0, chunking is disabled entirely for newly-uploaded NARs.
+          # If 1, all NARs are chunked.
+          nar-size-threshold = 64 * 1024; # 64 KiB
+
+          # The preferred minimum size of a chunk, in bytes
+          min-size = 16 * 1024; # 16 KiB
+
+          # The preferred average size of a chunk, in bytes
+          avg-size = 64 * 1024; # 64 KiB
+
+          # The preferred maximum size of a chunk, in bytes
+          max-size = 256 * 1024; # 256 KiB
+        };
+
+        garbage-collection.default-retention-period = "6 months";
+
+        database.url = "postgresql:///atticd?host=/run/postgresql";
+      };
+    };
+
+    # Note: Attic cache availability is "best effort", so no artifacts are backed up.
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "atticd" ];
+      ensureUsers = [
+        {
+          name = "atticd";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    services.nginx = {
+      enable = true;
+      clientMaxBodySize = "1g";
+      virtualHosts.${cfg.domain} = {
+        kTLS = true;
+        forceSSL = true;
+        enableACME = true;
+
+        locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+  };
+}
--- a/nixos-modules/qois/nginx/default.nix
+++ b/nixos-modules/qois/nginx/default.nix
@ -0,0 +1,15 @@
+{
+  ...
+}:
+
+{
+  config.services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
+    logError = "stderr warn";
+    proxyResolveWhileRunning = true;
+  };
+}