sora: init attic w/ minio

2024-01-04 14:41:38 -05:00 · 2024-01-04 14:41:38 -05:00 · 322aaad770
parent febe5c7671
commit 322aaad770
6 changed files with 123 additions and 0 deletions
--- a/hosts/sora/hardware.nix
+++ b/hosts/sora/hardware.nix
@ -5,10 +5,12 @@
    efiInstallAsRemovable = true;
    device = "nodev";
  };
+
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/B793-1B2C";
    fsType = "vfat";
  };
+
  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
  boot.initrd.kernelModules = ["nvme"];
  fileSystems."/" = {
--- a/hosts/sora/services/attic.nix
+++ b/hosts/sora/services/attic.nix
@ -0,0 +1,44 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets.attic = {};
+
+  environment.systemPackages = [pkgs.attic];
+
+  services.atticd = {
+    enable = true;
+    credentialsFile = config.sops.secrets.attic.path;
+    settings = {
+      listen = "[::]:8200";
+      allowed-hosts = ["cache.flake.sh"];
+      database.url = "postgres://attic:attic@100.94.214.100:5432/attic";
+      api-endpoint = "https://cache.flake.sh";
+      require-proof-of-possession = false;
+      chunking = {
+        nar-size-threshold = 0;
+
+        min-size = 16 * 1024; # 16 KiB
+
+        avg-size = 64 * 1024; # 64 KiB
+
+        max-size = 256 * 1024; # 256 KiB
+      };
+      garbage-collection = {
+        interval = "12 hours";
+        default-retention-period = "4 weeks";
+      };
+      compression = {
+        type = "zstd";
+        level = 9;
+      };
+      storage = {
+        type = "s3";
+        region = "us-east-1";
+        bucket = "flakesh-binary-cache";
+        endpoint = "https://s3.flake.sh/";
+      };
+    };
+  };
+}
--- a/hosts/sora/services/davfs.nix
+++ b/hosts/sora/services/davfs.nix
@ -0,0 +1,20 @@
+{pkgs, ...}: {
+  environment.systemPackages = [pkgs.davfs2];
+  users.users.davfs2 = {
+    group = "davfs2";
+    isSystemUser = true;
+  };
+  users.groups.davfs2 = {};
+  sops.secrets.davfs2 = {
+    owner = "root";
+    group = "root";
+    mode = "0600";
+    path = "/etc/davfs2/secrets";
+  };
+
+  fileSystems."/var/lib/mounted" = {
+    device = "https://u384391.your-storagebox.de";
+    fsType = "davfs";
+    options = ["rw,file_mode=0660,dir_mode=0755" "0" "0"];
+  };
+}
--- a/hosts/sora/services/default.nix
+++ b/hosts/sora/services/default.nix
@ -5,6 +5,8 @@
    ./uptimekuma.nix
    ./ntfy-sh.nix
    ./tailscale.nix
+    ./attic.nix
+    ./minio.nix
    ./factorio.nix
    # ./minecraft.nix
    # ./foundryvtt.nix
--- a/hosts/sora/services/minio.nix
+++ b/hosts/sora/services/minio.nix
@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./davfs.nix
+  ];
+  environment.systemPackages = [pkgs.minio-client];
+  sops.secrets.minio = {
+    owner = "minio";
+    group = "minio";
+    mode = "0600";
+    restartUnits = ["minio.service"];
+  };
+  services.minio = {
+    enable = true;
+    region = "us-east-1";
+    consoleAddress = "100.104.42.96:9006";
+    listenAddress = "100.104.42.96:9005";
+    rootCredentialsFile = config.sops.secrets.minio.path;
+    dataDir = ["/var/lib/mounted/minio/data"];
+    configDir = "/var/lib/mounted/minio/config";
+  };
+}
--- a/hosts/sora/services/traefik.nix
+++ b/hosts/sora/services/traefik.nix
@ -41,6 +41,11 @@
              accessControlAllowOriginList = "https://daphbot.notohh.dev";
            };
          };
+          cors-allow-all = {
+            headers = {
+              accessControlAllowOriginList = "*";
+            };
+          };
        };
        routers = {
          api = {
@ -133,6 +138,28 @@
            tls.domains = [{main = "*.flake.sh";}];
            tls.certresolver = "production";
          };
+          attic = {
+            rule = "Host(`cache.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "attic";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
+          minio = {
+            rule = "Host(`s3.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "minio";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+            middlewares = "cors-allow-all";
+          };
+          minio-web = {
+            rule = "Host(`minio.flake.sh`)";
+            entrypoints = ["websecure"];
+            service = "minioadmin";
+            tls.domains = [{main = "*.flake.sh";}];
+            tls.certresolver = "production";
+          };
        };
        services = {
          forgejo.loadBalancer = {
@ -151,6 +178,9 @@
          neko.loadBalancer.servers = [{url = "http://100.104.42.96:8085";}];
          justlog.loadBalancer.servers = [{url = "http://100.121.201.47:8025";}];
          ntfy-sh.loadBalancer.servers = [{url = "http://100.104.42.96:8090";}];
+          attic.loadBalancer.servers = [{url = "http://100.104.42.96:8200";}];
+          minio.loadBalancer.servers = [{url = "http://100.104.42.96:9005";}];
+          minio-web.loadBalancer.servers = [{url = "http://100.104.42.96:9006";}];
        };
      };
    };