Add attic

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-03 12:47:39 +00:00
parent dd34a05ee8
commit 4a0edcffef
21 changed files with 636 additions and 18 deletions
--- a/hosts/jupiter/users/storm/configs/console/podman/attic/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/attic/default.nix
@@ -0,0 +1,127 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "attic/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "attic/rs256".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "attic/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+      };
+
+      templates = {
+        attic-postgresql-env.content = ''
+          POSTGRES_PASSWORD=${hmConfig.sops.placeholder."attic/postgresql"}
+        '';
+
+        attic-env.content = ''
+          ATTIC_TOKEN=${hmConfig.sops.placeholder."attic/admin"}
+        '';
+
+        attic.content = builtins.readFile (
+          (pkgs.formats.toml { }).generate "server.toml" {
+            listen = "[::]:8080";
+
+            allowed-hosts = [ "nix.karaolidis.com" ];
+            api-endpoint = "https://nix.karaolidis.com/";
+
+            database.url = "postgres://attic:${
+              hmConfig.sops.placeholder."attic/postgresql"
+            }@attic-postgresql:5432/attic";
+
+            storage = {
+              type = "local";
+              path = "/var/lib/attic";
+            };
+
+            chunking = {
+              nar-size-threshold = 65536;
+              min-size = 16384;
+              avg-size = 65536;
+              max-size = 262144;
+            };
+
+            compression = {
+              type = "zstd";
+              level = 8;
+            };
+
+            garbage-collection = {
+              interval = "12 hours";
+              default-retention-period = "1 month";
+            };
+
+            jwt.signing.token-rs256-secret-base64 = hmConfig.sops.placeholder."attic/rs256";
+          }
+        );
+      };
+    };
+
+    systemd.user.tmpfiles.rules = [
+      "d /mnt/storage/private/storm/containers/storage/volumes/attic/_data 700 storm storm"
+    ];
+
+    virtualisation.quadlet = {
+      networks.attic = { };
+
+      volumes.attic-postgresql = { };
+
+      containers = {
+        attic = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.attic}";
+            networks = [
+              networks.attic.ref
+              networks.traefik.ref
+            ];
+            volumes = [
+              "/mnt/storage/private/storm/containers/storage/volumes/attic/_data:/var/lib/attic"
+              "${hmConfig.sops.templates.attic.path}:/etc/attic/server.toml"
+            ];
+            environmentFiles = [ hmConfig.sops.templates.attic-env.path ];
+            exec = [
+              "--config"
+              "/etc/attic/server.toml"
+            ];
+            labels = [
+              "traefik.enable=true"
+              "traefik.http.routers.attic.rule=Host(`nix.karaolidis.com`)"
+            ];
+          };
+
+          unitConfig = {
+            After = [
+              "${containers.attic-postgresql._serviceName}.service"
+              "sops-nix.service"
+            ];
+            Requires = [ "${containers.attic-postgresql._serviceName}.service" ];
+          };
+        };
+
+        attic-postgresql = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.postgresql}";
+            networks = [ networks.attic.ref ];
+            volumes = [ "${volumes.attic-postgresql.ref}:/var/lib/postgresql/data" ];
+            environments = {
+              POSTGRES_DB = "attic";
+              POSTGRES_USER = "attic";
+            };
+            environmentFiles = [ hmConfig.sops.templates.attic-postgresql-env.path ];
+          };
+
+          unitConfig.After = [ "sops-nix.service" ];
+        };
+      };
+    };
+  };
+}
--- a/hosts/jupiter/users/storm/configs/console/podman/attic/post-start.sh
+++ b/hosts/jupiter/users/storm/configs/console/podman/attic/post-start.sh
@@ -0,0 +1,22 @@
+# shellcheck shell=sh
+
+attic login main https://nix.karaolidis.com/ "$ATTIC_TOKEN"
+
+CACHE_NAME="main"
+
+while true; do
+  out=$(attic cache info "$CACHE_NAME" 2>&1)
+  status=$?
+
+  if [ $status -eq 0 ]; then
+    break
+  elif echo "$out" | grep -q "NoSuchCache"; then
+    attic cache create "$CACHE_NAME"
+  elif echo "$out" | grep -q "404"; then
+    sleep 0.1
+  else
+    echo "Unexpected error:"
+    echo "$out"
+    break
+  fi
+done
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -10,6 +10,7 @@ let
 in
 {
  imports = [
+    (import ./attic { inherit user home; })
    (import ./authelia { inherit user home; })
    (import ./gitea { inherit user home; })
    (import ./grafana { inherit user home; })