diff --git a/modules/services/attic/default.nix b/modules/services/attic/default.nix new file mode 100644 index 0000000..6241748 --- /dev/null +++ b/modules/services/attic/default.nix @@ -0,0 +1,119 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.homelab.services.attic; +in { + options.homelab.services.attic = { + enable = lib.mkEnableOption "Attic binary cache server"; + domain = lib.mkOption { + type = lib.types.str; + default = "nix-cache.depeuter.dev"; + description = "The domain name for the Attic server."; + }; + port = lib.mkOption { + type = lib.types.port; + default = 8080; + description = "The port Attic server listens on."; + }; + databaseName = lib.mkOption { + type = lib.types.str; + default = "attic"; + description = "The name of the PostgreSQL database."; + }; + dbContainerName = lib.mkOption { + type = lib.types.str; + default = "attic-db"; + description = "The name of the PostgreSQL container."; + }; + storagePath = lib.mkOption { + type = lib.types.str; + default = "/var/lib/atticd/storage"; + description = "The path where Attic store's its blobs."; + }; + openFirewall = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether to open the firewall port for Attic."; + }; + enableRemoteBuilder = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether to enable remote build capabilities on this host."; + }; + }; + + config = lib.mkIf cfg.enable { + sops.secrets = { + "attic/db-password" = { }; + "attic/server-token-secret" = { }; + }; + + services.atticd = { + enable = true; + environmentFile = config.sops.secrets."attic/server-token-secret".path; + + settings = { + listen = "[::]:${toString cfg.port}"; + allowed-hosts = [ cfg.domain ]; + api-endpoint = "https://${cfg.domain}/"; + + database.url = "postgresql://${cfg.databaseName}@${cfg.dbContainerName}:5432/${cfg.databaseName}"; + + storage = { + type = "local"; + path = cfg.storagePath; + }; + + chunking = { + min-size = 16384; # 16 KiB + avg-size = 65536; # 64 KiB + max-size = 262144; # 256 KiB + }; + }; + }; + + homelab.virtualisation.containers.enable = true; + + virtualisation.oci-containers.containers."${cfg.dbContainerName}" = { + image = "postgres:15-alpine"; + autoStart = true; + # We still map it to host for Attic (running on host) to connect to it via bridge IP or name + # if we set up networking/DNS correctly. + ports = [ + "5432:5432/tcp" + ]; + environment = { + POSTGRES_USER = cfg.databaseName; + POSTGRES_PASSWORD_FILE = config.sops.secrets."attic/db-password".path; + POSTGRES_DB = cfg.databaseName; + }; + volumes = [ + "attic-db:/var/lib/postgresql/data" + ]; + }; + + # Map the container name to localhost if Attic is on the host + networking.extraHosts = '' + 127.0.0.1 ${cfg.dbContainerName} + ''; + + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ]; + + # Remote build host configuration + nix.settings.trusted-users = lib.mkIf cfg.enableRemoteBuilder [ "root" "@wheel" "builder" ]; + + users.users.builder = lib.mkIf cfg.enableRemoteBuilder { + isNormalUser = true; + group = "builder"; + openssh.authorizedKeys.keys = [ + # Placeholders - user should provide actual keys + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrp6aM62Bf7bj1YM5AlAWuNrANU3N5e8+LtbbpmZPKS" + ]; + }; + users.groups.builder = lib.mkIf cfg.enableRemoteBuilder {}; + + # Only open SSH if remote builder is enabled + services.openssh.ports = lib.mkIf cfg.enableRemoteBuilder [ 22 ]; + networking.firewall.allowedTCPPorts = lib.mkIf cfg.enableRemoteBuilder [ 22 ]; + }; +} diff --git a/modules/services/default.nix b/modules/services/default.nix index f70bc54..81e0042 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -1,6 +1,7 @@ { imports = [ ./actions + ./attic ./openssh ]; }