add attic

Bootstrap-Academy · Jan 25, 2025 · dea2ae3 · dea2ae3
1 parent a6b565d
commit dea2ae3
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 4 deletions.
diff --git a/hosts/prod/attic.nix b/hosts/prod/attic.nix
@@ -0,0 +1,62 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "cache.bootstrap.academy";
+  port = 8007;
+in {
+  services.atticd = {
+    enable = true;
+    environmentFile = config.sops.templates."attic/env".path;
+    settings = {
+      listen = "127.0.0.1:${toString port}";
+      allowed-hosts = [domain];
+      api-endpoint = "https://${domain}/";
+
+      soft-delete-caches = false;
+      require-proof-of-possession = true;
+
+      database.url = "postgres://atticd@_/atticd?host=/run/postgresql";
+
+      compression = {
+        type = "zstd";
+        level = 8;
+      };
+
+      garbage-collection = {
+        interval = "12 hours";
+        default-retention-period = "1 month";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      client_max_body_size 0;
+    '';
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = ["atticd"];
+  };
+
+  environment.systemPackages = [pkgs.attic-client];
+
+  environment.persistence."/persistent/cache".directories = ["/var/lib/private/atticd"];
+
+  sops = {
+    # nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0
+    secrets."attic/jwt-secret".sopsFile = ./secrets.yml;
+    templates."attic/env".content = ''
+      ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.sops.placeholder."attic/jwt-secret"}
+    '';
+  };
+}
diff --git a/hosts/prod/default.nix b/hosts/prod/default.nix
@@ -1,5 +1,6 @@
 {config, ...}: {
   imports = [
+    ./attic.nix
     ./backend
     ./dns.nix
     ./docker-images.nix

diff --git a/hosts/prod/secrets.yml b/hosts/prod/secrets.yml
@@ -48,6 +48,8 @@ backup:
 restic:
     prod: ENC[AES256_GCM,data:bzpgsMVfTkKAsnSiq2udHA/V1TELSN3ykMRefAk+DB77nox6PIvB7iFUuD1h8B/Tg6gtWDbWkl/jUNTj+TbY0GfLSAMzmSHlmCpQodRMYSiVVQkXYI5KAh+e4B+f9N8QrejcyjdwhQfVG+/fEyLwU+I502yRbrhLIndOjO+glng=,iv:UC89D2KRnbRRw7qEPVZ9R5/vP7i+jYcV4i29PlD0geU=,tag:xV0uoK93Dkh1sPW/GqfbCw==,type:str]
     test: ENC[AES256_GCM,data:sFzaPY0JG8Ur9iIo1NflCId74ArBJ44ajNntEL7tMNX1VieOlkHz3rOUEUMrzR5uSuvAWYDXncBiCZ074ecaNV4YSUCaOex3gY53J/6mlbFqwCm7ao+adE7Sawgm62j5oN0LPSdC0PyDfEuWxAez+4U/1DjmCHbgyDFmKDSLfBg=,iv:PZq60NRg1EngL4VcXisbTVoi7dN08lKkCbCnv9Bjcv8=,tag:5BwkeNBLrMEfcN5VsYOGAA==,type:str]
+attic:
+    jwt-secret: ENC[AES256_GCM,data:VZrzn/fVJeAgTgIC4Rb1gz91SRqVDIXTAIOG/2p8DQj5B1GZCb8SuHIAhDuynAzp4le5dwklQV7P4HWhAz+pnMXyrkqyjL7Yhb8RoQSLgVrCvuQ9NZH5jKo2xyTlnxFcb7oHySIvVmR2dgM9YKy+zWN62NUqlKq2TqrKSp1lcWE3SmziRwylIObyD9fdHshaG9jLsxgltNzOTZ/GZYAtNY4TRrKky8JDIFiGVLl1I49jN258K/88QeR5qr9mlo565Iu+05ruOKHvoQXBLxg3GccVlmzKWiKm43NliKKsr7HsDQF0ZvRT/+UnesSPyVtm21zzd/xTFZCL47sr3BIZtVAhmJmgR54IFjvU5LsQrufBm8LDPKvs7Wn8ufzuVPpcKm+Be904ZzDskC2EMIQ778fgyi1Wvl7sRJRAwwBhtRNoz3LBZqfQVdoRJVL6QDAMvdCqMmS6beWq3+NdbjaCrSvf953YRyaC5OR5cVJOdncjqqbpOFTbW5flq5JNTwXw1aoE14C7F6eXVWruHICePw/FNH44v0Tz90WEfmWknWR26PJhGX1PByMDjgm+PuTtNdg4QNVEQVwLQlOGaTAJSNPzQOfeVzAByWVHC+PTQu5n0d3C4hxJAmVjc5qI1el1g6+pCPZyyfWe8eM3qYiEvS5Ka3F1DjqTL0nBUjHJZz/xKhycFKm21GxhoQg3JgnJch2QJb5ezj776IXcDFoGitrO8Jfh4YmJAmSiex9aWS5yvXEOI8PfH1lEAFrEOnd1FmwLaVIRdlL+I8fSk1AZFYUJ9JXCh/6kTkdAfyetJzE3L237zM9VexK9fnhIR6Sqyous094HvryajjkT2hHxwKwwWDLChqsX4hzg0GEvEguzaWUfvaCVQQ4DrsML6wOL1KgrK1KgH5zBSp9KwEVKWCbvmOxWiRN4bwYOCIwa3zPaJSJKi7+WWoQmiukIMGt7UM/PwzBD0OkE3gZwDdSUB1FCOTl9hXSgQCxp3FSk9pzBADTZfnImxd8HS5GVmFYIaK36AgPJStj+Dkk5nKjwUtQ4EMBCj1A6e/nejfrbrLAgeMMv+sZ61ylcFnGGdawK1j+dVWOHMJRT92RwTWs4anDjrWuX/rDIoVjSnnh6TvZuJOsJWInLYARItFqBdwKefNhgpVj2Zft/1N165rICnUx3ssy06s1DBD06ZMNvJLOQeWzadlYSEwDrtsGOpxHnYI18Iwkistst3pHCNHMNnLpdzbNEbSyF9IbKM+HKQTHUHG6im8To5ApU72A/3pTqVYenpTbWR9Q3xhH6qDqauuHaXK4VTpVPU5HB3U6rz5E9uJpV/CVN7GD1ioiIFYusv8AV/RNuq6+yDtglHjr4YygZsP1D/OkQtzKgo36yMhMDg+27Xa5xtd0TWOqkfQ1qv+vtDdJI9KVpHTrqd9QM2Cy/GbbAcHwIjreJiZZLwzaD72q4H6SyjW59OvyEyADvpbzBdOP/CiKFCSTQYujZGNP1NysLnRBJ2Ca4T4pzklEFQkrtEtJt6EfAn7ukyQooS906iVpWszvkjekpwsWqkHfvmD96vmdOUSzqU7t1ua17m9avfBFNL1Ep9GUl2geOdEcYnSY9YgMEFNf8u3Ax1+xwkIJWzDY21pM+agC5+tb8atn8hnD2ep0FYEhqk8b671bQ0nBDD79yYO/F8qzjdCNnmJR+/ajj7koSLWF3ojxFxczopRNXZQ9EpygbCsqxS3trdSUjEaiSWpgFuBD1VgUizVS9YpqZ45IRlzzP2qd/OjHvHwJzGRfj2bei/7YvKWENUOdwqoX49kKCTgw6EEQRSWCVqGjyT7O1IHAziu4IauXYU/wdggEXURpiSzWVhi7M3dXt3XACb3M51Qi2qDtntwyqtdpptRQuLlGwijvp7La+JyoJRqjt8Ipe5VX5wyL7zkHafMygnQEMCBR59ZP91Z+2hI3vEFzEWf9Rjdb0IxkjDAQITGNAZfMUTe6+QilehgzW/6fNXR1IjSGB4u/narmxk1aztu0CJ6PzXC685Xu9xClgFJpbBn3DWWUfQGcOdOjABHlMJmnLvSN8P3YW3OtClHo32Vy4pVgDUAyQPDPG3YSLCUgTOInDu9FeJ+jc/o4iaXuG2hrboNvsxOKwikd3Jkvjbbu76p1gkIx9Pr60RnGxnKeVYTZFPtzvHuzOenBkztL10Ow358+vgT6tuoc8k68AHNg9vTweKe9QaSQEXBhF4XB82oW9Dg781nPQvMKIpGdNPKAlOPw02iDU4vp2BTdtS3UMzHCqB2Db+goMY1tXtzrXHmxVigOvXf6k0H4F4F/IE3X72wEIW518R2XdltFBPyxcFelMVm2GIkajUDJ7OZXRyFLNaQ6lbGGLoP8DVtmhWiXqBzHmjjoyeG981r2kr57DWWTZ6flk+od9A+vAJ24vJOi2tfXqQuvvhQl/khSJyhBuptWxYRe1x2K/xhAzvVGZHsk5CLIj5/McMJtZGcLc1GimlZPEWLsGeVim5zwkvcRznP74FyhN2y9B5M8WpoS7LXAwQ1EsDoA702w48rDBM+n5VVn0ngkAKcL0AWdMC2dgEyJcU41CwQFyLvEBej8y6SOsdPkOodnKLnZiL2AmAxuHvaJHkvg95ScrdV6QQm75iPv3E7iiGkAG4l3JQyEGL3GnkDfamf729VhtgPDggfAa9Vc4PoNHwU9yWykC5Fjqrrr383JPqRLT39klBknG7RHJTX9ik3mqbo9KKWdCIV+jkTKcPJ05hXi4ZfMSW1vwRMQ2MRvMLYyZ6I15dSX/Pl5qYTeUb3clGsv14fKHIbfEUDIjo1UXAXksHNlm1ioGDXW+X2HZGQQDjcGfRd2Zg0eOQ5M08zY7X3ixuhoNOrrkGvqRFqvuVI50DVlWRiwEcVlzC5NdoIA0t/PWzsPqPRg9YthFf0KA26QBAuNL4Rl0vUJTB553tTNDXJgr8Wgzikl6/dbXMLrvKwJjbPtfudHHLVknLjf4c/mlroVJ2nbIsHmubuwO3NPl/eykJ9h/5juY0VT5EKZkwma+c1ElF1leTA5VbhK0EWH7EMX1fphxbCBcYnXVoA256g98Wgqe3Cc0ISFSYIYr085ERQO2E57DX2nLmm40XF5nWvuykkwDOdlIUEjyNNxGXmmG0T+EhZANq7lw2Ht3tBwQR980Zk1Ga5hwR3E4gF/7xM2hcp13N5q7q/g7noSNw/FgSAQveQiX9P6INiXeJErbs1jpD1xrmhttKPTAedNpwgwRVgkPUrIHeTds4jRyhEbWPNzd9rVKmUwrr6QVeETKpBzCmnh5UUwsJ1D3A4kKz2lN7TXOlQZXCAF4LVamcmFu4OGUZiKfEGAV1swhdY/ZZm/qRXq9DRvLF+Lo2fjrFiBCrkYPl4NeLFNHkGf271jWWi9Stzt06pYch5vb2AHusLq6y/EVadFKyryHutrzTpw6lq6JwONQM6Hkhth0pMRAyZxVFrWf1zIg+7uz2FiucYrZ8sgjsji4jIz4wgdKgntZVhCMIcwrht5q1+ceNO8qKWRaFCe1VPTLbEy00XPufgfvisENL+NR0LztgfhdPOvUoI+t211KKUnjJCqzzhIZKdj719WKCZhffzLFvvMg3tS5+FzBGL0PuojGNu2yfzL3J25IND0wnC4yOKJZW8vIMVcLT0zdVYj0lQfnkug8LH5NN1z25EZ+/NZWKTy10if2ShJhCOAXmYJBFrjpYhHpIhe1VdHQcmIkyN4PJNO0JLiSwoik9H4LQiGohTJUuTaMuJub07hiDNn6vdDpyUWlJnoP7+4gaDndtaaC8Dnm1ZVXuA87+M9y0lV6cj6or+q3oVgpY/AfVnBYCd0JA3B0fwqmFDpL6IlcNXiVbZt1CoOqhPj+E2h6JmjBeNqkULLRLeHrk8eHedjfTpZcSJyky/yef25SgYjQl/WSDG3oYkEsJr5gFe/yYt1fTW1UFIaP6DvahG9T+s5V98Fpj7OcmdVZTWdovlQqVE74TKoN5pLReTtx6+f2ZUbZB9PimTB6Oua7y6j6I6rz8d7/N/+/BGgqPODF0elxbfwR+sL+0dnRk2o5WzsYutwbmzg3BXMPT1lRuf6+PJ+1GDugFbtWu3i2i7Xivn9yHeesLNJH34Jl3ckjp3TMeZnzxBhjTP2kStOc/DFYCE8g8Xx43GMhWe48GUD3vGFNvGDBldeRjQaqkgtnDJqIvOdwjGLkZWYT8bG7pzONLFcoqg4tUYShi7s7OEgaraD3Cte4zYN1Zzt+CIma8G7TKN4EG00fTQPgg28l+BvYVLIOaXxANS/hW5XUF3DkkPfErdJwzPdXkBTBIkU3r+w4LfSvIWcf9E3qI3g82LDGsCBMGz5ehCvkSu1X5PZR34fOB3DU7zrRqscKl796x/uANGWdbOwSs1wmFqPxkVJAFnFAgQGw3LMQ5BDT7uYe8RKQqJAl0MyMfWJ/8NATN6DNfVcbU0zRmebfnn3r4SLI63OHOs2ETMo4rVLjyy7bxUmfWlJsmfu8fmkXB7LKccUIyMtySu0oXYhleWlbGkhWaH7PjlAjj1Xcnip6nG8OVVFiurb8YCP42suDUiuk+N6zNrJI9mAiZYkT/2kFpOQex5yOfeA6/f6rMDKJI5F5ytEUnZI3HWJMaM78cHDiF3ERCyJLU6QNkAvN3jikmJ/5OwJheg6lGEZk/Az7NlasZxAkqNMImcQzgOAkGRIPBxFTs4ClUdqNmuiuTakKsvkFMKPjHCqwTJS8ZBTNpnrF79T4SrkP8CrHJqLqEo8w2rbAie84QVK8dZnlJK1g0BqU3RKCPCK2CiRfgqEaauA8UvoZqqFis501RBXrT5WAE6YoD4ZkmTfvw0sdvKZQchquuEG4JPpTMYFhlLWyUhXU4J52iZUh9dZJhxZZ3OnhVTTIu2cWqjVha68FbviBcMnBLEXjGvXvR76ofAsyUcW5qcRObteZ18MT+jIbsJiA1D6E8tFmUQMz1xwNkQjXj9BkDwri015M9ccWGF5xgvMUkM/AzYBR4SV6V3bVWYY9FJ3kiJJIMNYDbbXi1oP2ATeHaJ/wTN1pVS1mrFKzmZ17w5kUg0WJZXH3dvF89zRBl2WnUUyelEJsjOwtSQNaBfnneJJGKbvCyDoZPfkTvXpry4gpVg1IP4YY+miGi19RX4I22NJPjR96Z2ve5/wlhnk+aqrdDmSd8SitSO1xm5uwPY8iNVYK+URc3cLVMN9QXz3TkCLjAjSM36mLt7GivhU5wXyx2Hs6B/iWHoXXKjDhOY9Y5yELXDVpXYwPwV2yzaXyNNqQVgeSMKA7J86N+gaoQQIZVW1Z+aB8C8WWAvkNbaIBXxc/Wrowxnoo+ZPkibSXAiqRL8Q/g3gRdMwqIUOxWVm5md/RH9XfBRv5tr/c5rKDlKdgedbQItKpvjj12W4JILIZ5G4Tdzojb5IDSKJjBX/e2fX9lIeNOj1kyr7G0LGs4F7WzzLcLDYNHhDBensVbxj/iyCJzKw57zg7igV8IHqAKnTb2bPTn5sbERwHcHFmzQfYtFh3rvsuPgKjC6w+HOZXfR5tc6o6266Y3xAWE5hy1n+LAletewBUCiMaL4xLsMoBflAJl+qTW2U4ARrzJSfoL8PnQcH5Uy0JFZ98SlZpu0e/LY+mPsWikwDxr4hjrXUM2mGziZ0YXeEimkqLlEswevpiPoURDNltuqgWSTLuxnqB944ihXio9ufKTCN/P7iNSjGqPD02OqIqFST6WFB4WeBVn82suiEWoEcKdFHqgA==,iv:nnrMZ6pihxxKjBu7wtPZpVd7EyXO/FimOVHmzaqJ4/k=,tag:kY1W1Gx2vWf+QOv9buH34g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -63,8 +65,8 @@ sops:
             Tk96anAyOEFGd1plUlp4SU5LbE5TT1UK6SPKztdzU5K1FjQ5sFjUnF4HK8cAFqh1
             YR7o5tur1y/bLMESGS7/j7ofST96NuyU+EVgs/lt0Rd0Voh1Q8aKKQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-25T20:15:18Z"
-    mac: ENC[AES256_GCM,data:cl5Ic7soU8Pkb65cu7mBCq2hWbz5SbKNIhNZkR1a+wukqAv+DE44vqt/6FG4euC0YzDPkmFamJEwwvDAz1uNsqTjptnRQvgdamc7QIxWL5A12Hx2M7h8Wlsh3ciqrwLY4BAfdfmpumYKxzfjCogVSBmdszSDI8jQZAw62dSBta8=,iv:AFWJxtRHWjK47UX6Y1KH7Xl6m44chGUWYqB1hG9xpVQ=,tag:Z2uEEX+beNklzLJsMSStdA==,type:str]
+    lastmodified: "2025-01-25T20:19:41Z"
+    mac: ENC[AES256_GCM,data:Gl/KgH/kLnNp/oTK0kFGR7dwnifLEtDs6ClHrif6qWNl5jBjEDvVVwCi19ZyRz1ZNcHUaJ9sGhHui6VZPnB5wsTrA1C/jCa6mYGSmrGl9bWO5eRPczoseuR3F5Ozv2wnl1i19UKiL6h+LZNGyqx66GCn6w3l3D/MhW1HAafkcGM=,iv:WWAA6rleBqcixeN9uh/Yvbjy6an1s29PoIfRDO2xjbY=,tag:32qm2WyxtXPL57mc4o1H+g==,type:str]
     pgp:
         - created_at: "2024-09-09T14:34:26Z"
           enc: |-

diff --git a/modules/nix.nix b/modules/nix.nix
@@ -17,12 +17,12 @@
       substituters = [
         "https://bootstrap-academy.cachix.org"
         "https://sandkasten.cachix.org"
-        "https://academy-backend.cachix.org"
+        "https://cache.bootstrap.academy/academy"
       ];
       trusted-public-keys = [
         "bootstrap-academy.cachix.org-1:QoTxaO9Xw868/oefU7MrrkzrbFH9sUCJwWbIqsLCjxs="
         "sandkasten.cachix.org-1:Pa7qfdlx7bZkko+ojaaEG9pyziZkaru9v4TfcioqNZw="
-        "academy-backend.cachix.org-1:MxmjN6hjaiGdi42M6evdALWj5hHOyUAQTEgKvm+J0Ow="
+        "academy:JU67oyd32Kzh7XFkUD/rZ6I3wVT8xMtgghwBvEINGus="
       ];
     };
     registry = {