Refactor attic configuration as module

This commit is contained in:
Fabian Hauser 2024-12-08 17:45:54 +02:00
parent cf86743d68
commit 752bed060b
6 changed files with 102 additions and 89 deletions

View file

@ -1,79 +0,0 @@
{ config, pkgs, ... }:
let
atticPort = 8080;
atticHostname = "attic.qo.is";
in
{
services.atticd = {
enable = true;
# Replace with absolute path to your credentials file
# generate secret with
# nix run system#openssl rand 64 | base64 -w0
# ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
environmentFile = config.sops.secrets."attic/server_token".path;
settings = {
listen = "127.0.0.1:${builtins.toString atticPort}";
allowed-hosts = [ "attic.qo.is" ];
api-endpoint = "https://attic.qo.is/";
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
garbage-collection.default-retention-period = "6 months";
database.url = "postgresql:///atticd?host=/run/postgresql";
};
};
imports = [ ../../../defaults/webserver ];
# Note: Attic cache availability is "best effort", so no artifacts are backed up.
services.postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
services.nginx = {
enable = true;
clientMaxBodySize = "1g";
virtualHosts.${atticHostname} = {
kTLS = true;
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString atticPort}";
};
};
}

View file

@ -7,14 +7,15 @@
{ {
imports = [ imports = [
./attic.nix
./nixpkgs-cache.nix ./nixpkgs-cache.nix
]; ];
qois.git-ci-runner.enable = true; qois.git-ci-runner.enable = true;
qois.attic.enable = true;
qois.postgresql.package = pkgs.postgresql_15; qois.postgresql.package = pkgs.postgresql_15;
# Remove substituters that are hosted on this node, to prevent lockups. # Remove substituters that are hosted on this node, to prevent lockups
# since the current nix implementation is not forgiving with unavailable subsituters.
# The qois-infrastructure cache is not needed, # The qois-infrastructure cache is not needed,
# since the builds are done (and cached) on this host anyway. # since the builds are done (and cached) on this host anyway.
nix.settings.substituters = lib.mkForce [ nix.settings.substituters = lib.mkForce [

View file

@ -1,9 +1,6 @@
{ ... }: { ... }:
{ {
sops.secrets = { sops.secrets = {
"attic/server_token" = {
restartUnits = [ "atticd.service" ];
};
"gitlab-runner/default-registration" = { "gitlab-runner/default-registration" = {
restartUnits = [ "gitlab-runner.service" ]; restartUnits = [ "gitlab-runner.service" ];
}; };

View file

@ -5,7 +5,6 @@
../../defaults/backplane-net ../../defaults/backplane-net
../../defaults/base-vm ../../defaults/base-vm
../../defaults/meta ../../defaults/meta
../../defaults/webserver
./applications ./applications
./backup.nix ./backup.nix
./secrets.nix ./secrets.nix

View file

@ -0,0 +1,98 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.qois.attic;
in
{
options.qois.attic = {
enable = mkEnableOption "Enable attic service";
domain = mkOption {
description = "Domain for attic server";
type = types.str;
default = "attic.qo.is";
};
port = mkOption {
description = "Server Port";
type = types.numbers.between 1 65536;
default = 8080;
};
};
config = mkIf cfg.enable {
sops.secrets."attic/server_token".restartUnits = [ "atticd.service" ];
services.atticd = {
enable = true;
# Replace with absolute path to your credentials file
# generate secret with
# nix run system#openssl rand 64 | base64 -w0
# ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
environmentFile = config.sops.secrets."attic/server_token".path;
settings = {
listen = "127.0.0.1:${toString cfg.port}";
allowed-hosts = [ cfg.domain ];
api-endpoint = "https://${cfg.domain}/";
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
garbage-collection.default-retention-period = "6 months";
database.url = "postgresql:///atticd?host=/run/postgresql";
};
};
# Note: Attic cache availability is "best effort", so no artifacts are backed up.
services.postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
services.nginx = {
enable = true;
clientMaxBodySize = "1g";
virtualHosts.${cfg.domain} = {
kTLS = true;
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
};
}

View file

@ -1,12 +1,9 @@
{ {
config,
lib,
pkgs,
... ...
}: }:
{ {
services.nginx = { config.services.nginx = {
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;