diff --git a/systems/palatine-hill/attic.nix b/systems/palatine-hill/attic.nix
new file mode 100644
index 0000000..0819134
--- /dev/null
+++ b/systems/palatine-hill/attic.nix
@@ -0,0 +1,139 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ environment.systemPackages = with pkgs; [
+ attic-client
+ attic
+ ];
+
+ services = {
+ postgres = {
+ enable = true;
+ ensureDatabases = [ "atticd" ];
+ ensureUsers = [
+ {
+ name = "atticd";
+ ensureDBOwnership = true;
+ }
+ ];
+ upgrade = {
+ enable = true;
+ stopServices = [ "atticd" ];
+ };
+ };
+
+ atticd = {
+ enable = true;
+
+ credentialsFile = config.sops.secrets."attic/secret-key".path;
+
+ settings = {
+ listen = "[::]:8183";
+ allowed-hosts = [ "attic.alicehuston.xyz" ];
+ api-endpoint = "https://attic.alicehuston.xyz";
+ compression.type = "none"; # let ZFS do the compressing
+ database = {
+ url = "postgres://atticd?host=/run/postgresql";
+ # disable postgres, using SOPS fails at below :(
+ # https://github.com/zhaofengli/attic/blob/main/nixos/atticd.nix#L57
+ # url = "sqlite:///ZFS/ZFS-primary/attic/server.db?mode=rwc";
+ heartbeat = true;
+ };
+ storage = {
+ type = "local";
+ path = "/ZFS/ZFS-primary/attic/storage";
+ };
+
+ # Warning: If you change any of the values here, it will be
+ # difficult to reuse existing chunks for newly-uploaded NARs
+ # since the cutpoints will be different. As a result, the
+ # deduplication ratio will suffer for a while after the change.
+ chunking = {
+ # The minimum NAR size to trigger chunking
+ #
+ # If 0, chunking is disabled entirely for newly-uploaded NARs.
+ # If 1, all NARs are chunked.
+ nar-size-threshold = 64 * 1024; # 64 KiB
+
+ # The preferred minimum size of a chunk, in bytes
+ min-size = 16 * 1024; # 16 KiB
+
+ # The preferred average size of a chunk, in bytes
+ avg-size = 64 * 1024; # 64 KiB
+
+ # The preferred maximum size of a chunk, in bytes
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ };
+
+ };
+
+ # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix
+ # configured default webstore for this on root user separately
+ systemd = {
+ services = {
+ attic-watch-store = {
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network-online.target"
+ "docker.service"
+ "atticd.service"
+ ];
+ requires = [
+ "network-online.target"
+ "docker.service"
+ "atticd.service"
+ ];
+ description = "Upload all store content to binary cache";
+ serviceConfig = {
+ User = "root";
+ Restart = "always";
+ ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot";
+ };
+ };
+ attic-sync-hydra = {
+ after = [
+ "network-online.target"
+ "docker.service"
+ "atticd.service"
+ ];
+ requires = [
+ "network-online.target"
+ "docker.service"
+ "atticd.service"
+ ];
+ description = "Force resync of hydra derivations with attic";
+ serviceConfig = {
+ User = "root";
+ Restart = "always";
+ ExecStart = "${config.nix.package}/bin/nix ${./attic/sync-attic.bash}";
+ };
+ };
+ };
+
+ timers = {
+ attic-sync-hydra = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = 600;
+ OnUnitActiveSec = 86400;
+ Unit = "attic-sync-hydra.service";
+ };
+ };
+ };
+ };
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ "attic/secret-key".owner = "root";
+ "attic/database-url".owner = "root";
+ };
+ };
+}
diff --git a/systems/palatine-hill/attic/sync-attic.bash b/systems/palatine-hill/attic/sync-attic.bash
new file mode 100644
index 0000000..1081846
--- /dev/null
+++ b/systems/palatine-hill/attic/sync-attic.bash
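Review bot: The `attic-sync-hydra` unit is declared without `Type = "oneshot"` but with `Restart = "always"`, so as soon as `sync-attic.bash` exits (success or failure) systemd restarts it after the default RestartSec, and the resync runs back-to-back as root instead of on the timer's `OnUnitActiveSec = 86400` schedule, which never fires because the unit is perpetually active. Set `Type = "oneshot";` in that serviceConfig and drop its `Restart = "always";`, keeping `Restart` only on `attic-watch-store`, which is a long-running process. Both units run as `User = "root"` with no sandboxing directives, and `attic watch-store` pushes every path that enters `/nix/store` to the cache served at `https://attic.alicehuston.xyz`, so any secret that is accidentally copied into the store during an evaluation is published; a comment above `attic-watch-store` such as `# NOTE: pushes every new store path to a network-reachable cache; never let secrets enter /nix/store on this host` would make that trade-off explicit. The `"attic/database-url"` sops secret is declared but nothing in this file references it (`database.url` is hard-coded to the postgres socket), so it is decrypted to disk for no reader and can presumably be dropped.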
@@ -0,0 +1,4 @@ +#!/usr/bin/env nix +#! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash + +find . -regex ".*\.drv$" -exec attic push cache-nix-dot '/ZFS/ZFS-primary/hydra/{}' \; diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix index c9d1720..a82db32 100644 --- a/systems/palatine-hill/configuration.nix +++ b/systems/palatine-hill/configuration.nix @@ -49,8 +49,6 @@ }; environment.systemPackages = with pkgs; [ - attic-client - attic docker-compose intel-gpu-tools jellyfin-ffmpeg @@ -74,14 +72,6 @@ superuser_map /^(.*)$ \1 ''; - ensureDatabases = [ "atticd" ]; - ensureUsers = [ - { - name = "atticd"; - ensureDBOwnership = true; - } - ]; - # initialScript = config.sops.secrets."postgres/init".path; upgrade = { @@ -93,7 +83,6 @@ "hydra-queue-runner" "hydra-send-stats" "hydra-server" - "atticd" ]; }; }; diff --git a/systems/palatine-hill/hydra.nix b/systems/palatine-hill/hydra.nix index de06263..7ecdde2 100644 --- a/systems/palatine-hill/hydra.nix +++ b/systems/palatine-hill/hydra.nix 
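Review bot: `find .` searches the caller's working directory, but the `attic-sync-hydra` unit that runs this script sets no `WorkingDirectory`, so a system service will presumably start in `/`, walk the whole filesystem, and hand `attic push` a `/ZFS/ZFS-primary/hydra/./…` path that does not match what find found; search the hydra directory directly with `find /ZFS/ZFS-primary/hydra -name '*.drv' -exec attic push cache-nix-dot {} +` (find's `-regex` matches the whole path, so the `$` anchor adds nothing, and `+` batches the pushes if `attic push` accepts several paths as its usage suggests, instead of spawning one process per file). The `nix shell nixpkgs#…` shebang resolves `nixpkgs` through the flake registry on every run, so bash, findutils and attic-client come from whatever revision the registry points at and need network access at run time, rather than the pinned `pkgs` the NixOS configuration already provides; wrapping the script with `pkgs.writeShellApplication` and `runtimeInputs = [ pkgs.findutils pkgs.attic-client ]` from attic.nix would pin them. Add `set -euo pipefail` after the shebang so a failing find or push is reported to systemd rather than exiting 0.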
@@ -60,73 +60,6 @@ enable = true; secretKeyFile = config.sops.secrets."nix-serve/secret-key".path; }; - - atticd = { - enable = true; - - credentialsFile = config.sops.secrets."attic/secret-key".path; - - settings = { - listen = "[::]:8183"; - allowed-hosts = [ "attic.alicehuston.xyz" ]; - api-endpoint = "https://attic.alicehuston.xyz"; - compression.type = "none"; # let ZFS do the compressing - database = { - url = "postgres://atticd?host=/run/postgresql"; - # disable postgres, using SOPS fails at below :( - # https://github.com/zhaofengli/attic/blob/main/nixos/atticd.nix#L57 - # url = "sqlite:///ZFS/ZFS-primary/attic/server.db?mode=rwc"; - heartbeat = true; - }; - storage = { - type = "local"; - path = "/ZFS/ZFS-primary/attic/storage"; - }; - - # Warning: If you change any of the values here, it will be - # difficult to reuse existing chunks for newly-uploaded NARs - # since the cutpoints will be different. As a result, the - # deduplication ratio will suffer for a while after the change. - chunking = { - # The minimum NAR size to trigger chunking - # - # If 0, chunking is disabled entirely for newly-uploaded NARs. - # If 1, all NARs are chunked. 
- nar-size-threshold = 64 * 1024; # 64 KiB - - # The preferred minimum size of a chunk, in bytes - min-size = 16 * 1024; # 16 KiB - - # The preferred average size of a chunk, in bytes - avg-size = 64 * 1024; # 64 KiB - - # The preferred maximum size of a chunk, in bytes - max-size = 256 * 1024; # 256 KiB - }; - }; - }; - }; - - # borrowing from https://github.com/Shawn8901/nix-configuration/blob/4b8d1d44f47aec60feb58ca7b7ab5ed000506e90/modules/nixos/private/hydra.nix - # configured default webstore for this on root user separately - systemd.services.attic-watch-store = { - wantedBy = [ "multi-user.target" ]; - after = [ - "network-online.target" - "docker.service" - "atticd.service" - ]; - requires = [ - "network-online.target" - "docker.service" - "atticd.service" - ]; - description = "Upload all store content to binary cache"; - serviceConfig = { - User = "root"; - Restart = "always"; - ExecStart = "${pkgs.attic}/bin/attic watch-store cache-nix-dot"; - }; }; users.users.root.openssh.authorizedKeys.keys = [ @@ -143,8 +76,6 @@ secrets = { "hydra/environment".owner = "hydra"; "nix-serve/secret-key".owner = "root"; - "attic/secret-key".owner = "root"; - "attic/database-url".owner = "root"; "alice/gha-hydra-token" = { sopsFile = ../../users/alice/secrets.yaml; owner = "hydra";