From 2f46224f4abe7395b012659b158ba6162c80bf19 Mon Sep 17 00:00:00 2001 From: Kiara Grouwstra Date: Thu, 7 Aug 2025 19:51:00 +0200 Subject: [PATCH] add attic cache --- .forgejo/workflows/cache.yaml | 25 ++ default.nix | 1 + deployment/check/cli/constants.nix | 1 + deployment/check/cli/nixosTest.nix | 12 + deployment/check/common/deployerNode.nix | 4 +- deployment/check/panel/constants.nix | 1 + deployment/check/panel/nixosTest.nix | 15 + deployment/configuration.sample.json | 1 + deployment/default.nix | 31 +- deployment/options.nix | 13 + infra/common/nixos/default.nix | 8 + infra/flake-part.nix | 8 + machines/operator/test12/default.nix | 6 + npins/sources.json | 13 + secrets/attic-ci-token.age | Bin 0 -> 1745 bytes secrets/secrets.nix | 1 + services/fediversity/attic/default.nix | 345 +++++++++++++++++++++++ services/fediversity/attic/options.nix | 14 + services/fediversity/default.nix | 1 + 19 files changed, 498 insertions(+), 2 deletions(-) create mode 100644 .forgejo/workflows/cache.yaml create mode 100644 secrets/attic-ci-token.age create mode 100644 services/fediversity/attic/default.nix create mode 100644 services/fediversity/attic/options.nix diff --git a/.forgejo/workflows/cache.yaml b/.forgejo/workflows/cache.yaml new file mode 100644 index 00000000..f3b93937 --- /dev/null +++ b/.forgejo/workflows/cache.yaml @@ -0,0 +1,25 @@ +name: cache-build + +on: + workflow_dispatch: # allows manual triggering + push: + branches: + # - main + +jobs: + deploy: + runs-on: native + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - run: attic login fediversity https://attic.fediversity.net ${{ secrets.ATTIC_PUSH_KEY }} && attic use demo + + - name: Set up SSH key to access age secrets + run: | + env + mkdir -p ~/.ssh + echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + - name: Cache + - run: attic push demo $(nix-build) diff --git a/default.nix b/default.nix index 24b73cd2..aceafc75 100644 --- a/default.nix 
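Review bot: The bare `env` command in the "Set up SSH key to access age secrets" step prints the runner's entire environment into the job log, which looks like a debugging leftover and should be dropped before this workflow runs on pushes; keep only the `mkdir`/`echo`/`chmod` lines. The final step is also malformed: `- name: Cache` is a list item with neither `run` nor `uses`, and the push command sits in its own separate item, so it should read `- name: Cache` followed by `run: attic push demo $(nix-build)` as one step. Two smaller points: `push.branches` is left empty with `# - main` commented out, so it is worth confirming what Forgejo does with a null branch filter before enabling this trigger, and nothing later in the workflow uses the key written to `~/.ssh/id_ed25519`, so that step appears to be dead as-is. Passing `${{ secrets.ATTIC_PUSH_KEY }}` inline in the `attic login` command works, but supplying it through the step's `env:` block keeps the secret out of the expanded command line.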
+++ b/default.nix @@ -65,6 +65,7 @@ in pkgs.httpie pkgs.jq pkgs.nix-unit + pkgs.attic-client test-loop nixops4.packages.${system}.default ]; diff --git a/deployment/check/cli/constants.nix b/deployment/check/cli/constants.nix index ce3b5e4d..3e23d9e9 100644 --- a/deployment/check/cli/constants.nix +++ b/deployment/check/cli/constants.nix @@ -4,6 +4,7 @@ "mastodon" "peertube" "pixelfed" + "attic" ]; pathToRoot = ../../..; pathFromRoot = ./.; diff --git a/deployment/check/cli/nixosTest.nix b/deployment/check/cli/nixosTest.nix index d171a182..00f72475 100644 --- a/deployment/check/cli/nixosTest.nix +++ b/deployment/check/cli/nixosTest.nix @@ -45,6 +45,8 @@ in peertube.inputDerivation gixy gixy.inputDerivation + shellcheck + shellcheck.inputDerivation ]; system.extraDependenciesFromModule = { @@ -68,6 +70,11 @@ in s3AccessKeyFile = dummyFile; s3SecretKeyFile = dummyFile; }; + attic = { + enable = true; + s3AccessKeyFile = dummyFile; + s3SecretKeyFile = dummyFile; + }; temp.cores = 1; temp.initialUser = { username = "dummy"; @@ -92,6 +99,7 @@ in nodes.mastodon.virtualisation.memorySize = 4 * 1024; nodes.pixelfed.virtualisation.memorySize = 4 * 1024; nodes.peertube.virtualisation.memorySize = 5 * 1024; + nodes.attic.virtualisation.memorySize = 2 * 1024; ## FIXME: The test of presence of the services are very simple: we only ## check that there is a systemd service of the expected name on the @@ -106,6 +114,7 @@ in mastodon.fail("systemctl status mastodon-web.service") peertube.fail("systemctl status peertube.service") pixelfed.fail("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") with subtest("Run deployment with no services enabled"): deployer.succeed("nixops4 apply check-deployment-cli-nothing --show-trace --no-interactive 1>&2") 
@@ -115,6 +124,7 @@ in mastodon.fail("systemctl status mastodon-web.service") peertube.fail("systemctl status peertube.service") pixelfed.fail("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") with subtest("Run deployment with Mastodon and Pixelfed enabled"): deployer.succeed("nixops4 apply check-deployment-cli-mastodon-pixelfed --show-trace --no-interactive 1>&2") @@ -124,6 +134,7 @@ in mastodon.succeed("systemctl status mastodon-web.service") peertube.fail("systemctl status peertube.service") pixelfed.succeed("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") with subtest("Run deployment with only Peertube enabled"): deployer.succeed("nixops4 apply check-deployment-cli-peertube --show-trace --no-interactive 1>&2") @@ -133,5 +144,6 @@ in mastodon.fail("systemctl status mastodon-web.service") peertube.succeed("systemctl status peertube.service") pixelfed.fail("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") ''; } diff --git a/deployment/check/common/deployerNode.nix b/deployment/check/common/deployerNode.nix index 987a0a7c..77762811 100644 --- a/deployment/check/common/deployerNode.nix +++ b/deployment/check/common/deployerNode.nix @@ -40,7 +40,7 @@ in ## default. These values have been trimmed down to the gigabyte. ## Memory use is expected to be dominated by the NixOS evaluation, ## which happens on the deployer. - memorySize = 4 * 1024; + memorySize = 5 * 1024; diskSize = 4 * 1024; cores = 2; }; @@ -59,8 +59,10 @@ in inputs.nixpkgs sources.flake-parts + sources.nixpkgs sources.flake-inputs sources.git-hooks + sources.vars pkgs.stdenv pkgs.stdenvNoCC diff --git a/deployment/check/panel/constants.nix b/deployment/check/panel/constants.nix index ce3b5e4d..3e23d9e9 100644 --- a/deployment/check/panel/constants.nix +++ b/deployment/check/panel/constants.nix 
@@ -4,6 +4,7 @@ "mastodon" "peertube" "pixelfed" + "attic" ]; pathToRoot = ../../..; pathFromRoot = ./.; diff --git a/deployment/check/panel/nixosTest.nix b/deployment/check/panel/nixosTest.nix index ffcb8e53..a7de8ed8 100644 --- a/deployment/check/panel/nixosTest.nix +++ b/deployment/check/panel/nixosTest.nix @@ -33,6 +33,7 @@ let enableMastodon, enablePeertube, enablePixelfed, + enableAttic, }: hostPkgs.writers.writePython3Bin "interact-with-panel" { @@ -94,6 +95,7 @@ let checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'mastodon.enable']"), ${toPythonBool enableMastodon}) checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'peertube.enable']"), ${toPythonBool enablePeertube}) checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'pixelfed.enable']"), ${toPythonBool enablePixelfed}) + checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'attic.enable']"), ${toPythonBool enableAttic}) print("Start deployment...") driver.find_element(By.XPATH, "//button[@id = 'deploy-button']").click() @@ -208,6 +210,11 @@ in s3AccessKeyFile = dummyFile; s3SecretKeyFile = dummyFile; }; + attic = { + enable = true; + s3AccessKeyFile = dummyFile; + s3SecretKeyFile = dummyFile; + }; temp.cores = 1; temp.initialUser = { username = "dummy"; @@ -253,6 +260,7 @@ in nodes.mastodon.virtualisation.memorySize = 4 * 1024; nodes.pixelfed.virtualisation.memorySize = 4 * 1024; nodes.peertube.virtualisation.memorySize = 5 * 1024; + nodes.attic.virtualisation.memorySize = 4 * 1024; ## FIXME: The test of presence of the services are very simple: we only ## check that there is a systemd service of the expected name on the @@ -325,6 +333,7 @@ in mastodon.fail("systemctl status mastodon-web.service") peertube.fail("systemctl status peertube.service") pixelfed.fail("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") with subtest("Run deployment with no services enabled"): client.succeed("${ 
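Review bot: `nodes.attic.virtualisation.memorySize = 4 * 1024;` here differs from the `2 * 1024` given to the same node in deployment/check/cli/nixosTest.nix; if the panel test genuinely needs more memory for the attic node, a short comment saying why would help, otherwise the two values should agree. The remaining additions (`enableAttic` parameter, checkbox, `attic.fail` checks) mirror the existing mastodon/peertube/pixelfed wiring and look consistent.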
@@ -333,6 +342,7 @@ in enableMastodon = false; enablePeertube = false; enablePixelfed = false; + enableAttic = false; } }/bin/interact-with-panel >&2") @@ -341,6 +351,7 @@ in mastodon.fail("systemctl status mastodon-web.service") peertube.fail("systemctl status peertube.service") pixelfed.fail("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") with subtest("Run deployment with Mastodon and Pixelfed enabled"): client.succeed("${ @@ -349,6 +360,7 @@ in enableMastodon = true; enablePeertube = false; enablePixelfed = true; + enableAttic = false; } }/bin/interact-with-panel >&2") @@ -357,6 +369,7 @@ in mastodon.succeed("systemctl status mastodon-web.service") peertube.fail("systemctl status peertube.service") pixelfed.succeed("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") with subtest("Run deployment with only Peertube enabled"): client.succeed("${ @@ -365,6 +378,7 @@ in enableMastodon = false; enablePeertube = true; enablePixelfed = false; + enableAttic = false; } }/bin/interact-with-panel >&2") @@ -373,5 +387,6 @@ in mastodon.fail("systemctl status mastodon-web.service") peertube.succeed("systemctl status peertube.service") pixelfed.fail("systemctl status phpfpm-pixelfed.service") + attic.fail("systemctl status atticd.service") ''; } diff --git a/deployment/configuration.sample.json b/deployment/configuration.sample.json index d444a842..efe73459 100644 --- a/deployment/configuration.sample.json +++ b/deployment/configuration.sample.json @@ -3,6 +3,7 @@ "mastodon": { "enable": false }, "peertube": { "enable": false }, "pixelfed": { "enable": false }, + "attic": { "enable": false }, "initialUser": { "displayName": "Testy McTestface", "username": "test", diff --git a/deployment/default.nix b/deployment/default.nix index c76489bd..4024cce9 100644 --- a/deployment/default.nix +++ b/deployment/default.nix 
@@ -24,6 +24,7 @@ mastodonConfigurationResource, peertubeConfigurationResource, pixelfedConfigurationResource, + atticConfigurationResource, }: ## From the hosting provider's perspective, the function is meant to be @@ -55,6 +56,7 @@ let mastodon = nonNull panelConfigNullable.mastodon { enable = false; }; peertube = nonNull panelConfigNullable.peertube { enable = false; }; pixelfed = nonNull panelConfigNullable.pixelfed { enable = false; }; + attic = nonNull panelConfigNullable.attic { enable = false; }; }; in @@ -107,6 +109,13 @@ in s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b"; s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; }; + atticS3KeyConfig = + { pkgs, ... }: + { + # REVIEW: how were these generated above? how do i add one? + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; + }; makeConfigurationResource = resourceModule: config: { type = providers.local.exec; @@ -140,13 +149,14 @@ in { garage-configuration = makeConfigurationResource garageConfigurationResource ( { pkgs, ... }: - mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable) { + mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable || cfg.attic.enable) { fediversity = { inherit (cfg) domain; garage.enable = true; pixelfed = pixelfedS3KeyConfig { inherit pkgs; }; mastodon = mastodonS3KeyConfig { inherit pkgs; }; peertube = peertubeS3KeyConfig { inherit pkgs; }; + attic = atticS3KeyConfig { inherit pkgs; }; }; } ); 
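Review bot: `atticS3KeyConfig` lands with an unresolved `# REVIEW: how were these generated above?` question and obviously synthetic credentials (`GKaaaa…` / `aaaa…`) that merely mimic the shape of the three existing pairs (a `GK`-prefixed key id and a 64-hex secret); before merging, the placeholder should be replaced with a freshly generated pair and the comment rewritten as a short note recording how such pairs are produced. As with the sibling helpers, `pkgs.writeText` puts the secret into the world-readable Nix store, so these presumably serve as fixed test/demo fixtures rather than production credentials, and a one-line comment above the block stating that would make the intent explicit. The extended `mkIf` condition in `garage-configuration` is consistent with the new `cfg.attic` option.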
@@ -213,6 +223,25 @@ in }; } ); + + attic-configuration = makeConfigurationResource atticConfigurationResource ( + { pkgs, ... }: + mkIf cfg.attic.enable { + fediversity = { + inherit (cfg) domain; + temp.initialUser = { + inherit (cfg.initialUser) username email displayName; + # FIXME: disgusting, but nvm, this is going to be replaced by + # proper central authentication at some point + passwordFile = pkgs.writeText "password" cfg.initialUser.password; + }; + + attic = atticS3KeyConfig { inherit pkgs; } // { + enable = true; + }; + }; + } + ); }; }; } diff --git a/deployment/options.nix b/deployment/options.nix index c0a5e8d7..3e48208c 100644 --- a/deployment/options.nix +++ b/deployment/options.nix @@ -71,6 +71,19 @@ in }); default = null; }; + attic = mkOption { + description = '' + Configuration for the Attic service + ''; + type = + with types; + nullOr (submodule { + options = { + enable = lib.mkEnableOption "Attic"; + }; + }); + default = null; + }; initialUser = mkOption { description = '' Some services require an initial user to access them. diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix index 71b08426..9d9f994d 100644 --- a/infra/common/nixos/default.nix +++ b/infra/common/nixos/default.nix @@ -24,6 +24,14 @@ in experimental-features = nix-command flakes ''; + nix.settings = { + substituters = [ + "https://attic.fediversity.net/demo" + ]; + trusted-public-keys = [ + "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM=" + ]; + }; boot.loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 34bc6e50..ffdf7ec4 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -41,6 +41,8 @@ let "${sources.agenix}/modules/age.nix" "${sources.disko}/module.nix" "${sources.home-manager}/nixos" + "${sources.vars}/options.nix" + "${sources.vars}/backends/on-machine.nix" ]; imports = [ 
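Review bot: Setting `nix.settings.substituters` to only `https://attic.fediversity.net/demo` replaces rather than extends Nix's built-in substituter default (`https://cache.nixos.org/`), so unless the upstream cache is added elsewhere these hosts will stop using it and rebuild whatever the attic cache does not hold; `nix.settings.extra-substituters` / `extra-trusted-public-keys` keep the defaults while adding the new cache. Trusting the `demo:` key on every machine in infra/common also means anyone able to sign with that key can serve store paths to the whole fleet, which is a widening of trust worth stating next to the key, e.g. `# self-hosted cache; paths signed with this key are accepted on all hosts`. I cannot tell from this hunk whether the deployer or CI already adds cache.nixos.org separately.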
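Review bot: The two `${sources.vars}` module imports introduce a new dependency whose pin (in the npins/sources.json hunk) points at a personal GitHub fork, `kiaragrouwstra/vars`, on a `templates` branch; the pin is fixed by revision and hash, so it is reproducible, but a comment beside the imports recording why this fork/branch is used and which upstream it tracks would help whoever next refreshes the pins, e.g. `# vars: appears to provide the vars.generators used for service secrets; pinned to a fork's templates branch, see npins/sources.json`. The `atticConfigurationResource` addition in the file's second hunk follows the existing `*ConfigurationResource` pattern.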
@@ -101,6 +103,12 @@ let ../machines/operator/test04 ]; }; + atticConfigurationResource = { + imports = [ + commonResourceModule + ../machines/operator/test12 + ]; + }; }; nixops4ResourceNixosMockOptions = { diff --git a/machines/operator/test12/default.nix b/machines/operator/test12/default.nix index 8f2d345f..87bfbf64 100644 --- a/machines/operator/test12/default.nix +++ b/machines/operator/test12/default.nix @@ -19,4 +19,10 @@ gateway = "2a00:51c0:13:1305::1"; }; }; + + nixos.module = { + imports = [ + ../../../services/fediversity/attic + ]; + }; } diff --git a/npins/sources.json b/npins/sources.json index ea9606bd..9e5d1e72 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -150,6 +150,19 @@ "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921", "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz", "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj" + }, + "vars": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "kiaragrouwstra", + "repo": "vars" + }, + "branch": "templates", + "submodules": false, + "revision": "6ff942bf2b514edaa1022a92edb6552ac32a09d1", + "url": "https://github.com/kiaragrouwstra/vars/archive/6ff942bf2b514edaa1022a92edb6552ac32a09d1.tar.gz", + "hash": "1h1q3l1l1c1j4ak5lcj2yh85jwqww74ildiak2dkd4h1js9v6cvw" } }, "version": 5 
diff --git a/secrets/attic-ci-token.age b/secrets/attic-ci-token.age new file mode 100644 index 0000000000000000000000000000000000000000..60fafd04c7b0552bb9f30c0a9902be92ab27e0ef GIT binary patch literal 1745 zcmZY6dr%Vx0>^PV?Fc!0rwBe;rWeI))f_IHY)ArL%aUx~A%twQn+#R++-#EF&4WDA z8PQf4N-bim#j8B(jUZ|ds#0r};-eyhR_hgNg;tc~#9AmKimk}q{mcFL`|mTq`C14^ zhJ&^RV!mRMq1Q110tkbwjMv%0pew^+=kocWh^_S5xFF27hxA;RGtaN!!BUS?sWftV z>JSp87;QY1>C})0#;A{YY(i~B!4msrsBx4qn+zhKT*FcsA#TuYHS$QF#wqff0zn|IfW%o+P!o{( z4ACIU3;1D!g?7NRHL*763&U*M56E~XZ#-XaiAMv>2GHM2D?9zcl*TQ4Au zQc4d2JgF)!E0Cx#N&=e#5TS-tK9f6cl!O&7(xEb9CKi?_lDlxZ3FX6PsSK5XPEuA_ zC@&UMf{@39dp(py&zGyU+}QtVmWa|JhuMK*59$HK1`z}c3JeZ`Cf^TvGUE`b^b3?= z!0Xf!8aWuii*bVGD8wl(9nfbXnJ{ERpiG8eNCLr7A*zAmb~Qh0=J;h%z;00oXMYn) z6$nqq&PNSajPh&apw?wkSv+Q0EZ}s-^oYn7;`7yUJTCC)g%lKz>R3|R?2WoapvNcE zA})IrR)#^5Mvu4(^Zh8`Af?5y2oOU8zWTr2GBVhCjFUs*AgObs1%4xqOEA)?q-flL zna%MCW|af-sF{KYEl0s(f7Y0}z`*pu6S!}J+;)F-*YMR*!b-o}woo`yy|}Aqc~jF3 zanbQb9VcFCzKv%uYM(o}1basSoO4RqM_^?aneh?KIWnO za>b!*Gn-Q6z|~m1(DtqUF)}gs>d;7O|M6r?>CSIkVey)C+Aj7n8~*kMF_V8;{n22~y*l}=l0n%`YsFumrtWxeB5Cu-uc%&b+&X?{dTQ1E z!SM3*25J??49zLE7j(C7{#|>kW=jj$@xpu0Ypc0WPF)B(%`MnDUeRM;^||D!(XL~u z>kmC@9~(U(`a}I^pC4P<*}JCVuB3nF%X!21)P{upC2NMWk&P>VP~{%(hEskzm@U2V zNrrGi)bEQ-t)AW>{p8;C_`D%(=wfng#oH?fm$Ysx$GSgH*W+b>-(LDwo~3R*pHu&2 z*xEaGvTrl8dgVVhypelk$)!wfLcApHhY{6Os$|Rj{nKy3@XZfvGd8^mq&!%X%N_W2 zUKQ`fOTXy9FWdDbxaq**!gj$6CS0@r60v9F9HhyWdY@%y#!3`h?=YA!I09V{ZI<$cSWHon>QPWy$sznx!}USxC=`8h*NbZH}D z691BNE3dYxapA(_BjpWyBsHP7^pmC;RDQhQqkSECTS+Cko>i^!9M2)^!U<-4PDxd9Py6Ez>#mYJjl9IU7b)r7iT7VNSBi7@pW4$6xK0n- z`*%c!m!^&!t$gWl!N;x9l*HWD>+7E0)o^}Jo8nFOcT^_KpYy?$Pq+Sym$=tj_1ZOL zWH0BpGxf%z@8LV1XXFO=9W-%1_v@~j*3r?TnU3!Ey0IVcz%^}Gj(umJJYVYEZ4f>j zPd*>M9l4x#T8(TWM^1i2Q@d(wWViZr%5KR!*Cw_W)2rLy1nbf!)9u>a?HjWV*E=eD zrC+|PTY>ExXg)3J>OAWm{HgKAitHo3+a}{ZMAE(fQ_w%JNqlV@*0vr3ZBFR> "$out"/token + ''; + }; + + services.atticd = { + enable = true; + # one `monolithic` and any number of `api-server` nodes + mode = "monolithic"; + + 
environmentFile = config.vars.generators."templates".files."attic.env".path; + + # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml + settings = { + # Socket address to listen on + listen = "127.0.0.1:8080"; + + # Allowed `Host` headers + # + # This _must_ be configured for production use. If unconfigured or the + # list is empty, all `Host` headers are allowed. + allowed-hosts = [ ]; + + # The canonical API endpoint of this server + # + # This is the endpoint exposed to clients in `cache-config` responses. + # + # This _must_ be configured for production use. If not configured, the + # API endpoint is synthesized from the client's `Host` header which may + # be insecure. + # + # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/` + # not `https://domain.tld/attic`). + api-endpoint = "https://${config.fediversity.attic.domain}/"; + + # Whether to soft-delete caches + # + # If this is enabled, caches are soft-deleted instead of actually + # removed from the database. Note that soft-deleted caches cannot + # have their names reused as long as the original database records + # are there. + #soft-delete-caches = false; + + # Whether to require fully uploading a NAR if it exists in the global cache. + # + # If set to false, simply knowing the NAR hash is enough for + # an uploader to gain access to an existing NAR in the global + # cache. + #require-proof-of-possession = true; + + # Database connection + database = { + # Connection URL + # + # For production use it's recommended to use PostgreSQL. + # url = "postgresql:///atticd:password@127.0.0.1:5432/atticd"; + url = "postgresql:///atticd?host=/run/postgresql"; + + # Whether to enable sending on periodic heartbeat queries + # + # If enabled, a heartbeat query will be sent every minute + #heartbeat = false; + }; + + # File storage configuration + storage = { + # Storage type + # + # Can be "local" or "s3". 
+ type = "s3"; + + # ## Local storage + + # The directory to store all files under + # path = "%storage_path%"; + + # ## S3 Storage (set type to "s3" and uncomment below) + + # The AWS region + region = "garage"; + + # The name of the bucket + bucket = "attic"; + + # Custom S3 endpoint + # + # Set this if you are using an S3-compatible object storage (e.g., Minio). + endpoint = config.fediversity.garage.api.url; + + # Credentials + # + # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and + # `AWS_SECRET_ACCESS_KEY` environment variables. + # storage.credentials = { + # access_key_id = ""; + # secret_access_key = ""; + # }; + }; + + # Data chunking + # + # Warning: If you change any of the values here, it will be + # difficult to reuse existing chunks for newly-uploaded NARs + # since the cutpoints will be different. As a result, the + # deduplication ratio will suffer for a while after the change. + chunking = { + # The minimum NAR size to trigger chunking + # + # If 0, chunking is disabled entirely for newly-uploaded NARs. + # If 1, all NARs are chunked. + nar-size-threshold = 65536; # chunk files that are 64 KiB or larger + + # The preferred minimum size of a chunk, in bytes + min-size = 16384; # 16 KiB + + # The preferred average size of a chunk, in bytes + avg-size = 65536; # 64 KiB + + # The preferred maximum size of a chunk, in bytes + max-size = 262144; # 256 KiB + }; + + # Compression + compression = { + # Compression type + # + # Can be "none", "brotli", "zstd", or "xz" + type = "zstd"; + + # Compression level + #level = 8; + }; + + # Garbage collection + garbage-collection = { + # The frequency to run garbage collection at + # + # By default it's 12 hours. You can use natural language + # to specify the interval, like "1 day". + # + # If zero, automatic garbage collection is disabled, but + # it can still be run manually with `atticd --mode garbage-collector-once`. 
+ interval = "12 hours"; + + # Default retention period + # + # Zero (default) means time-based garbage-collection is + # disabled by default. You can enable it on a per-cache basis. + #default-retention-period = "6 months"; + }; + + # jwt = { + # WARNING: Changing _anything_ in this section will break any existing + # tokens. If you need to regenerate them, ensure that you use the the + # correct secret and include the `iss` and `aud` claims. + + # JWT `iss` claim + # + # Set this to the JWT issuer that you want to validate. + # If this is set, all received JWTs will validate that the `iss` claim + # matches this value. + #token-bound-issuer = "some-issuer"; + + # JWT `aud` claim + # + # Set this to the JWT audience(s) that you want to validate. + # If this is set, all received JWTs will validate that the `aud` claim + # contains at least one of these values. + #token-bound-audiences = ["some-audience1", "some-audience2"]; + # }; + + # jwt.signing = { + # You must configure JWT signing and verification inside your TOML configuration by setting one of the following options in the [jwt.signing] block: + # * token-rs256-pubkey-base64 + # * token-rs256-secret-base64 + # * token-hs256-secret-base64 + # or by setting one of the following environment variables: + # * ATTIC_SERVER_TOKEN_RS256_PUBKEY_BASE64 + # * ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64 + # * ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 + # Options will be tried in that same order (configuration options first, then environment options if none of the configuration options were set, starting with the respective RSA pubkey option, the RSA secret option, and finally the HMAC secret option). The first option that is found will be used. + # If an RS256 pubkey (asymmetric RSA PEM PKCS1 public key) is provided, it will only be possible to verify received JWTs, and not sign new JWTs. 
+ # If an RS256 secret (asymmetric RSA PEM PKCS1 private key) is provided, it will be used for both signing new JWTs and verifying received JWTs. + # If an HS256 secret (symmetric HMAC secret) is provided, it will be used for both signing new JWTs and verifying received JWTs. + + # JWT RS256 secret key + # + # Set this to the base64-encoded private half of an RSA PEM PKCS1 key. + # TODO + # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64` + # environment variable. + # token-rs256-secret-base64 = "%token_rs256_secret_base64%"; + + # JWT HS256 secret key + # + # Set this to the base64-encoded HMAC secret key. + # You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` + # environment variable. + #token-hs256-secret-base64 = ""; + # }; + }; + }; + }) + ]; +} diff --git a/services/fediversity/attic/options.nix b/services/fediversity/attic/options.nix new file mode 100644 index 00000000..efb9c690 --- /dev/null +++ b/services/fediversity/attic/options.nix @@ -0,0 +1,14 @@ +{ config, lib, ... }: + +{ + options.fediversity.attic = + (import ../sharedOptions.nix { + inherit config lib; + serviceName = "attic"; + serviceDocName = "Attic Nix Cache server"; + }) + // + + { + }; +} diff --git a/services/fediversity/default.nix b/services/fediversity/default.nix index 184f7dba..a516eac4 100644 --- a/services/fediversity/default.nix +++ b/services/fediversity/default.nix @@ -13,6 +13,7 @@ in ./mastodon ./pixelfed ./peertube + ./attic ]; options = {
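Review bot: `allowed-hosts = [ ];` leaves the `Host`-header allowlist empty, which the upstream comment copied directly above it says must be configured for production use; since the canonical endpoint is already pinned to the deployment's domain, the matching line is `allowed-hosts = [ config.fediversity.attic.domain ];`. `listen = "127.0.0.1:8080";` only makes sense if a reverse proxy for `config.fediversity.attic.domain` terminates TLS in front of it, and that proxy is not in this hunk, so a comment naming where it is configured would help. JWT signing is left entirely commented out, so the server must receive one of the `ATTIC_SERVER_TOKEN_*` variables through the `attic.env` file from `config.vars.generators."templates"`; the start of this hunk, including that generator (only the `"$out"/token` fragment survives), is lost to the binary residue of `secrets/attic-ci-token.age` above, so I could not confirm it. With `token-bound-issuer` and `token-bound-audiences` unset, the copied comments indicate that `iss`/`aud` claims are not validated at all, which matches upstream defaults but deserves a one-line note saying that is intentional.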
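Review bot: The `// { }` tail on `options.fediversity.attic` merges an empty attribute set, which is a no-op; if it is a placeholder for attic-specific options, a `# TODO: attic-specific options` comment inside the braces would say so, otherwise the `//` and the empty set can be dropped. Since `../sharedOptions.nix` already declares the common options, the file would then reduce to that single import expression.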