cluster/services/attic: move to garage

This commit is contained in:
Max Headroom 2023-10-31 22:19:08 +01:00
parent 9edfe4f2de
commit 4d0d1d2254
5 changed files with 57 additions and 14 deletions



@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A 3SvVm3IFNyWuwWy04WUiBHWmKTK+uELWMLKye3/aqCI
YgZozWM4OeWGVc5yipwEDn5fsl8DR6AWlxNnzRcb7s4
-> ssh-ed25519 5/zT0w YQgFx5F7dni3/jDQaYCvmd2+BHmrVyzG3wEwqH65n3w
0NyMq8w2A6FWjUkuTcjV4cIffJu3RZlUgV0NlduKnT0
-> ssh-ed25519 d3WGuA NdixQTXEP2uGMYtsB58lFfoEDO1etyAfvWvzfEDBMCk
gdr8WQ3cECdDXe3xY+xhQ9TqRSLngTUdaey+X+K5XSw
-> 0?L-grease 8
0v6X/IW+hrk2fB2sfHyh+V+EreFFvrmufO5/lvgwhmQ9rMnm6fmgP3w/hAPqeNhE
ZvhLZVYwrN6Jb1NKkGjO5hRIb0KJgLiryzCn
--- t9Dn/AFK4vFvNzptBbpGP5LGt/oMr/lPrDdBZwGruhQ
ñ: £Š`:ÿæÉh¦•ì,´ƒA«&w@Xz_çƲÙ<C2B2> Pk¯@ž9O<07>JÂcm_ΟXžC¸œøU"É :X7‰Ì¼ÕqI—íÝÃÀÞä¡ìM¸×]¹5'XÏ¢O &&Tµw§Di^ÂŽk@¹œ:ÀÃ…LG0f÷™"4º
HþoÙ«\ÃóÝ`q"<22>¯ÔJˆ=I¬#÷îˆF±ã©i=Ï]ï|ÒjÓÀ¿m


@ -11,4 +11,11 @@
];
};
};
garage = {
keys.attic = { };
buckets.attic = {
allow.attic = [ "read" "write" ];
};
};
}
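Review bot: The new `garage.keys.attic` / `buckets.attic` declaration in the `@@ -11,4 +11,11` hunk has no comment tying it to the `attic-s3-credentials.age` secret the atticd module reads, so the next maintainer has to guess how the generated key id/secret reach the service and why the grant stops at `read`/`write`. The scoping itself looks right for least privilege (no `owner` on the bucket), which is worth stating so it is not "fixed" later; I would annotate the key as `# S3 identity used by atticd; read/write on the attic bucket only, no owner — its id/secret presumably end up in attic-s3-credentials.age, confirm` and leave the grant as is. The attribute set these lines extend starts outside the hunk, so I cannot see whether the same file already documents the garage block elsewhere.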


@ -1,7 +1,7 @@
{ config, depot, lib, ... }:
{ cluster, config, depot, lib, ... }:
let
dataDir = "/srv/storage/private/attic";
inherit (config.networking) hostName;
in
{
@ -9,7 +9,19 @@ in
depot.inputs.attic.nixosModules.atticd
];
age.secrets.atticServerToken.file = ./attic-server-token.age;
age.secrets = {
atticServerToken.file = ./attic-server-token.age;
atticDBCredentials = {
file = ./attic-db-credentials.age;
owner = "atticd";
};
atticS3Credentials = {
file = ./attic-s3-credentials.age;
owner = "atticd";
};
};
links.atticServer.protocol = "http";
@ -22,17 +34,21 @@ in
listen = config.links.atticServer.tuple;
chunking = {
nar-size-threshold = 512 * 1024;
min-size = 64 * 1024;
avg-size = 512 * 1024;
max-size = 1024 * 1024;
nar-size-threshold = 0;
min-size = 0;
avg-size = 0;
max-size = 0;
};
database.url = "sqlite://${dataDir}/server.db?mode=rwc";
compression.type = "none";
database.url = "postgresql://attic@${cluster.config.links.patroni-pg-access.tuple}/attic";
storage = {
type = "local";
path = "${dataDir}/chunks";
type = "s3";
region = "us-east-1";
endpoint = cluster.config.hostLinks.${hostName}.garageS3.url;
bucket = "attic";
};
};
};
@ -41,15 +57,20 @@ in
users.atticd = {
isSystemUser = true;
group = "atticd";
home = dataDir;
home = "/var/lib/atticd";
createHome = true;
};
groups.atticd = {};
};
systemd.services.atticd.serviceConfig = {
DynamicUser = lib.mkForce false;
ReadWritePaths = [ dataDir ];
systemd.services.atticd = {
serviceConfig = {
DynamicUser = lib.mkForce false;
};
environment = {
AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.atticS3Credentials.path;
PGPASSFILE = config.age.secrets.atticDBCredentials.path;
};
};
services.nginx.virtualHosts."cache-api.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.atticServer.url // {
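Review bot: The `database.url` introduced in the `@@ -22,17 +34,21` hunk carries no `sslmode`, and the S3 `endpoint` is taken from `hostLinks.${hostName}.garageS3.url` whose scheme is not visible here, so whether the PGPASSFILE-authenticated Postgres session and the S3 credential exchange travel encrypted now depends entirely on what those two cluster links terminate and on the drivers' defaults. If the patroni endpoint offers TLS, pin it in the URL instead of relying on a driver default that may fall back to plaintext: `database.url = "postgresql://attic@${cluster.config.links.patroni-pg-access.tuple}/attic?sslmode=require";`; if it does not, a one-line comment stating that the link is an in-cluster path and why that is acceptable would record the decision. The zeroed `chunking` values together with `compression.type = "none"` also deserve a why-comment, since they read like placeholders — something like `# chunking disabled (threshold 0) and no compression now that storage is S3-backed — confirm intended`, hedged because attic's treatment of 0 is not shown in this diff. The `services.atticd.settings` set enclosing these lines starts and ends outside the hunk.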


@ -5,6 +5,8 @@ let
systemKeys = x: x.ssh.id.publicKey or null;
in with hosts;
{
"cluster/services/attic/attic-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/attic/attic-s3-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/attic/attic-server-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/cachix-deploy-agent/credentials/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
"cluster/services/cachix-deploy-agent/credentials/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];