cluster/services/attic: move to garage

cluster/services/attic/attic-s3-credentials.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A 3SvVm3IFNyWuwWy04WUiBHWmKTK+uELWMLKye3/aqCI
+YgZozWM4OeWGVc5yipwEDn5fsl8DR6AWlxNnzRcb7s4
+-> ssh-ed25519 5/zT0w YQgFx5F7dni3/jDQaYCvmd2+BHmrVyzG3wEwqH65n3w
+0NyMq8w2A6FWjUkuTcjV4cIffJu3RZlUgV0NlduKnT0
+-> ssh-ed25519 d3WGuA NdixQTXEP2uGMYtsB58lFfoEDO1etyAfvWvzfEDBMCk
+gdr8WQ3cECdDXe3xY+xhQ9TqRSLngTUdaey+X+K5XSw
+-> 0?L-grease 8
+0v6X/IW+hrk2fB2sfHyh+V+EreFFvrmufO5/lvgwhmQ9rMnm6fmgP3w/hAPqeNhE
+ZvhLZVYwrN6Jb1NKkGjO5hRIb0KJgLiryzCn
+--- t9Dn/AFK4vFvNzptBbpGP5LGt/oMr/lPrDdBZwGruhQ
+ñ: £Š`:ÿæÉh¦•ì,´ƒA«&w@Xz_ç
ƲÙ<C2B2> Pk¯@ž9O<07>JÂcm_ΟXžC¸œøU"É	:X7‰Ì¼ÕqI—íÝÃÀÞä¡ìM¸×]¹5'XÏ¢O	&&Tµw§Di^ÂŽk@¹œ:ÀÃ…LG0f÷™"4º
+HþoÙ«\ÃóÝ`q"<22>¯ÔJˆ=I¬#÷îˆF±ã©i=Ï]ï|ÒjÓÀ¿m

cluster/services/attic/default.nix

@@ -11,4 +11,11 @@
       ];
     };
   };
+
+  garage = {
+    keys.attic = { };
+    buckets.attic = {
+      allow.attic = [ "read" "write" ];
+    };
+  };
 }

cluster/services/attic/server.nix

@@ -1,7 +1,7 @@
-{ config, depot, lib, ... }:
+{ cluster, config, depot, lib, ... }:
 
 let
-  dataDir = "/srv/storage/private/attic";
+  inherit (config.networking) hostName;
 in
 
 {
@@ -9,7 +9,19 @@ in
     depot.inputs.attic.nixosModules.atticd
   ];
 
-  age.secrets.atticServerToken.file = ./attic-server-token.age;
+  age.secrets = {
+    atticServerToken.file = ./attic-server-token.age;
+
+    atticDBCredentials = {
+      file = ./attic-db-credentials.age;
+      owner = "atticd";
+    };
+
+    atticS3Credentials = {
+      file = ./attic-s3-credentials.age;
+      owner = "atticd";
+    };
+  };
 
   links.atticServer.protocol = "http";
 
@@ -22,17 +34,21 @@ in
       listen = config.links.atticServer.tuple;
 
       chunking = {
-        nar-size-threshold = 512 * 1024;
+        nar-size-threshold = 0;
-        min-size = 64 * 1024;
+        min-size = 0;
-        avg-size = 512 * 1024;
+        avg-size = 0;
-        max-size = 1024 * 1024;
+        max-size = 0;
       };
 
-      database.url = "sqlite://${dataDir}/server.db?mode=rwc";
+      compression.type = "none";
+
+      database.url = "postgresql://attic@${cluster.config.links.patroni-pg-access.tuple}/attic";
 
       storage = {
-        type = "local";
+        type = "s3";
-        path = "${dataDir}/chunks";
+        region = "us-east-1";
+        endpoint = cluster.config.hostLinks.${hostName}.garageS3.url;
+        bucket = "attic";
       };
     };
   };
@@ -41,15 +57,20 @@ in
     users.atticd = {
       isSystemUser = true;
       group = "atticd";
-      home = dataDir;
+      home = "/var/lib/atticd";
       createHome = true;
     };
     groups.atticd = {};
   };
 
-  systemd.services.atticd.serviceConfig = {
+  systemd.services.atticd = {
-    DynamicUser = lib.mkForce false;
+    serviceConfig = {
-    ReadWritePaths = [ dataDir ];
+      DynamicUser = lib.mkForce false;
+    };
+    environment = {
+      AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.atticS3Credentials.path;
+      PGPASSFILE = config.age.secrets.atticDBCredentials.path;
+    };
   };
 
   services.nginx.virtualHosts."cache-api.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.atticServer.url // {

secrets.nix

@@ -5,6 +5,8 @@ let
   systemKeys = x: x.ssh.id.publicKey or null;
 in with hosts;
 {
+  "cluster/services/attic/attic-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/attic/attic-s3-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/attic/attic-server-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/cachix-deploy-agent/credentials/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
   "cluster/services/cachix-deploy-agent/credentials/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];