feat(attic): extract attic to service module, add cache host, configure reverse proxy/DNS

modules/apps/bind9/db.depeuter.dev

@@ -1,6 +1,6 @@
 $TTL    604800
 @               IN      SOA     ns1 admin (
-                                 15 ; Serial
+                                 16 ; Serial
                              604800 ; Refresh
                               86400 ; Retry
                             2419200 ; Expire
@@ -40,6 +40,9 @@ sonarr          IN      A       192.168.0.33
 ; Development VM
 plex            IN      A       192.168.0.91
 
+; Binary Cache (via Binnenpost proxy)
+nix-cache       IN      A       192.168.0.89
+
 ; Catchalls
 *.production    IN      A        192.168.0.31
 *.development   IN      A        192.168.0.91

modules/common/default.nix

@@ -1,12 +1,14 @@
 {
   imports = [
     ./secrets.nix
+    ./substituters.nix
   ];
 
   config = {
     homelab = {
       services.openssh.enable = true;
       users.admin.enable = true;
+      common.substituters.enable = true;
     };
 
     nix.settings.experimental-features = [

modules/common/substituters.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, inputs, ... }:
+
+let
+  cfg = config.homelab.common.substituters;
+in {
+  options.homelab.common.substituters = {
+    enable = lib.mkEnableOption "Binary cache substituters";
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = inputs.self.nixosConfigurations.BinaryCache.config.homelab.services.attic.domain;
+      description = "The domain name of the binary cache.";
+    };
+    publicKey = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "The public key of the Attic cache (e.g., 'homelab:...')";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    nix.settings = {
+      substituters = [
+        "https://${cfg.domain}"
+      ];
+      trusted-public-keys = lib.optional (cfg.publicKey != null) cfg.publicKey;
+    };
+  };
+}

modules/services/attic/default.nix

@@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.homelab.services.attic;
+in {
+  options.homelab.services.attic = {
+    enable = lib.mkEnableOption "Attic binary cache server";
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = "nix-cache.depeuter.dev";
+      description = "The domain name for the Attic server.";
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 8080;
+      description = "The port Attic server listens on.";
+    };
+    databaseName = lib.mkOption {
+      type = lib.types.str;
+      default = "attic";
+      description = "The name of the PostgreSQL database.";
+    };
+    dbContainerName = lib.mkOption {
+      type = lib.types.str;
+      default = "attic-db";
+      description = "The name of the PostgreSQL container.";
+    };
+    storagePath = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/atticd/storage";
+      description = "The path where Attic store's its blobs.";
+    };
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Whether to open the firewall port for Attic.";
+    };
+    enableRemoteBuilder = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Whether to enable remote build capabilities on this host.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops.secrets = {
+      "attic/db-password" = { };
+      "attic/server-token-secret" = { };
+    };
+
+    services.atticd = {
+      enable = true;
+      environmentFile = config.sops.secrets."attic/server-token-secret".path;
+
+      settings = {
+        listen = "[::]:${toString cfg.port}";
+        allowed-hosts = [ cfg.domain ];
+        api-endpoint = "https://${cfg.domain}/";
+
+        database.url = "postgresql://${cfg.databaseName}@${cfg.dbContainerName}:5432/${cfg.databaseName}";
+
+        storage = {
+          type = "local";
+          path = cfg.storagePath;
+        };
+
+        chunking = {
+          min-size = 16384; # 16 KiB
+          avg-size = 65536; # 64 KiB
+          max-size = 262144; # 256 KiB
+        };
+      };
+    };
+
+    homelab.virtualisation.containers.enable = true;
+
+    virtualisation.oci-containers.containers."${cfg.dbContainerName}" = {
+      image = "postgres:15-alpine";
+      autoStart = true;
+      # We still map it to host for Attic (running on host) to connect to it via bridge IP or name
+      # if we set up networking/DNS correctly. 
+      ports = [
+        "5432:5432/tcp"
+      ];
+      environment = {
+        POSTGRES_USER = cfg.databaseName;
+        POSTGRES_PASSWORD_FILE = config.sops.secrets."attic/db-password".path;
+        POSTGRES_DB = cfg.databaseName;
+      };
+      volumes = [
+        "attic-db:/var/lib/postgresql/data"
+      ];
+    };
+
+    # Map the container name to localhost if Attic is on the host
+    networking.extraHosts = ''
+      127.0.0.1 ${cfg.dbContainerName}
+    '';
+
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
+
+    # Remote build host configuration
+    nix.settings.trusted-users = lib.mkIf cfg.enableRemoteBuilder [ "root" "@wheel" "builder" ];
+    
+    users.users.builder = lib.mkIf cfg.enableRemoteBuilder {
+      isNormalUser = true;
+      group = "builder";
+      openssh.authorizedKeys.keys = [
+        # Placeholders - user should provide actual keys
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrp6aM62Bf7bj1YM5AlAWuNrANU3N5e8+LtbbpmZPKS"
+      ];
+    };
+    users.groups.builder = lib.mkIf cfg.enableRemoteBuilder {};
+
+    # Only open SSH if remote builder is enabled
+    services.openssh.ports = lib.mkIf cfg.enableRemoteBuilder [ 22 ];
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.enableRemoteBuilder [ 22 ];
+  };
+}

modules/services/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./actions
+    ./attic
     ./openssh
   ];
 }