move attic to infra - TODO garage wiring, which may need #309

2025-08-19 14:19:11 +02:00 · 2025-08-19 14:19:11 +02:00 · b694895be6
commit b694895be6
parent 57eaae6bed
12 changed files with 308 additions and 403 deletions
--- a/deployment/check/cli/constants.nix
+++ b/deployment/check/cli/constants.nix
@ -4,7 +4,6 @@
    "mastodon"
    "peertube"
    "pixelfed"
    "attic"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
--- a/deployment/check/cli/nixosTest.nix
+++ b/deployment/check/cli/nixosTest.nix
@ -70,11 +70,6 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
          attic = {
            enable = true;
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -99,7 +94,6 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
  nodes.attic.virtualisation.memorySize = 2 * 1024;
  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -114,7 +108,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
    with subtest("Run deployment with no services enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-nothing --show-trace --no-interactive 1>&2")
@ -124,7 +117,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-mastodon-pixelfed --show-trace --no-interactive 1>&2")
@ -134,7 +126,6 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
    with subtest("Run deployment with only Peertube enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-peertube --show-trace --no-interactive 1>&2")
@ -144,6 +135,5 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/check/panel/constants.nix
+++ b/deployment/check/panel/constants.nix
@ -4,7 +4,6 @@
    "mastodon"
    "peertube"
    "pixelfed"
    "attic"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -33,7 +33,6 @@ let
      enableMastodon,
      enablePeertube,
      enablePixelfed,
      enableAttic,
    }:
    hostPkgs.writers.writePython3Bin "interact-with-panel"
      {
@ -95,7 +94,6 @@ let
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'mastodon.enable']"), ${toPythonBool enableMastodon})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'peertube.enable']"), ${toPythonBool enablePeertube})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'pixelfed.enable']"), ${toPythonBool enablePixelfed})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'attic.enable']"), ${toPythonBool enableAttic})
        print("Start deployment...")
        driver.find_element(By.XPATH, "//button[@id = 'deploy-button']").click()
@ -210,11 +208,6 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
          attic = {
            enable = true;
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -260,7 +253,6 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
  nodes.attic.virtualisation.memorySize = 4 * 1024;
  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -333,7 +325,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
    with subtest("Run deployment with no services enabled"):
      client.succeed("${
@ -342,7 +333,6 @@ in
          enableMastodon = false;
          enablePeertube = false;
          enablePixelfed = false;
          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")
@ -351,7 +341,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      client.succeed("${
@ -360,7 +349,6 @@ in
          enableMastodon = true;
          enablePeertube = false;
          enablePixelfed = true;
          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")
@ -369,7 +357,6 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
    with subtest("Run deployment with only Peertube enabled"):
      client.succeed("${
@ -378,7 +365,6 @@ in
          enableMastodon = false;
          enablePeertube = true;
          enablePixelfed = false;
          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")
@ -387,6 +373,5 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/configuration.sample.json
+++ b/deployment/configuration.sample.json
@ -3,7 +3,6 @@
  "mastodon": { "enable": false },
  "peertube": { "enable": false },
  "pixelfed": { "enable": false },
  "attic": { "enable": false },
  "initialUser": {
    "displayName": "Testy McTestface",
    "username": "test",
--- a/deployment/default.nix
+++ b/deployment/default.nix
@ -24,7 +24,6 @@
  mastodonConfigurationResource,
  peertubeConfigurationResource,
  pixelfedConfigurationResource,
  atticConfigurationResource,
 }:
 ## From the hosting provider's perspective, the function is meant to be
@ -56,7 +55,6 @@ let
    mastodon = nonNull panelConfigNullable.mastodon { enable = false; };
    peertube = nonNull panelConfigNullable.peertube { enable = false; };
    pixelfed = nonNull panelConfigNullable.pixelfed { enable = false; };
    attic = nonNull panelConfigNullable.attic { enable = false; };
  };
 in
@ -109,13 +107,6 @@ in
            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
          };
        atticS3KeyConfig =
          { pkgs, ... }:
          {
            # REVIEW: how were these generated above? how do i add one?
            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa";
            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
          };
        makeConfigurationResource = resourceModule: config: {
          type = providers.local.exec;
@ -149,14 +140,13 @@ in
      {
        garage-configuration = makeConfigurationResource garageConfigurationResource (
          { pkgs, ... }:
-          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable || cfg.attic.enable) {
+          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable) {
            fediversity = {
              inherit (cfg) domain;
              garage.enable = true;
              pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
              mastodon = mastodonS3KeyConfig { inherit pkgs; };
              peertube = peertubeS3KeyConfig { inherit pkgs; };
              attic = atticS3KeyConfig { inherit pkgs; };
            };
          }
        );
@ -223,25 +213,6 @@ in
            };
          }
        );
        attic-configuration = makeConfigurationResource atticConfigurationResource (
          { pkgs, ... }:
          mkIf cfg.attic.enable {
            fediversity = {
              inherit (cfg) domain;
              temp.initialUser = {
                inherit (cfg.initialUser) username email displayName;
                # FIXME: disgusting, but nvm, this is going to be replaced by
                # proper central authentication at some point
                passwordFile = pkgs.writeText "password" cfg.initialUser.password;
              };
              attic = atticS3KeyConfig { inherit pkgs; } // {
                enable = true;
              };
            };
          }
        );
      };
  };
 }
--- a/deployment/options.nix
+++ b/deployment/options.nix
@ -71,19 +71,6 @@ in
        });
      default = null;
    };
    attic = mkOption {
      description = ''
        Configuration for the Attic service
      '';
      type =
        with types;
        nullOr (submodule {
          options = {
            enable = lib.mkEnableOption "Attic";
          };
        });
      default = null;
    };
    initialUser = mkOption {
      description = ''
        Some services require an initial user to access them.
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -103,12 +103,6 @@ let
            ../machines/operator/test04
          ];
        };
        atticConfigurationResource = {
          imports = [
            commonResourceModule
            ../machines/operator/test12
          ];
        };
      };
  nixops4ResourceNixosMockOptions = {
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -17,4 +17,10 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
  nixos.module = {
    imports = [
      ../../../services/fediversity/attic
    ];
  };
 }
--- a/services/fediversity/attic/default.nix
+++ b/services/fediversity/attic/default.nix
@ -5,54 +5,46 @@
  ...
 }:
 let
  inherit (lib) mkIf mkMerge;
  sources = import ../../../npins;
  inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text;
  s3 = {
    # REVIEW: how were these generated above? how do i add one?
    s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa";
    s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
  };
 in
 {
  imports = with sources; [
    ./options.nix
    "${vars}/options.nix"
    "${vars}/backends/on-machine.nix"
  ];
-  config = mkMerge [
+  # fediversity.garage = {
-    (mkIf
+  #   ensureBuckets = {
-      (
+  #     attic = {
-        config.fediversity.garage.enable
+  #       website = true;
-        && config.fediversity.attic.s3AccessKeyFile != null
+  #       # TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
-        && config.fediversity.attic.s3SecretKeyFile != null
+  #       corsRules = {
-      )
+  #         enable = true;
-      {
+  #         allowedHeaders = [ "*" ];
-        fediversity.garage = {
+  #         allowedMethods = [ "GET" ];
-          ensureBuckets = {
+  #         allowedOrigins = [ "*" ];
-            attic = {
+  #       };
-              website = true;
+  #     };
-              # TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
+  #   };
-              corsRules = {
+  #   ensureKeys = {
-                enable = true;
+  #     attic = {
-                allowedHeaders = [ "*" ];
+  #       inherit (s3) s3AccessKeyFile s3SecretKeyFile;
-                allowedMethods = [ "GET" ];
+  #       ensureAccess = {
-                allowedOrigins = [ "*" ];
+  #         attic = {
-              };
+  #           read = true;
-            };
+  #           write = true;
-          };
+  #           owner = true;
-          ensureKeys = {
+  #         };
-            attic = {
+  #       };
-              inherit (config.fediversity.attic) s3AccessKeyFile s3SecretKeyFile;
+  #     };
-              ensureAccess = {
+  #   };
-                attic = {
+  # };
                  read = true;
                  write = true;
                  owner = true;
                };
              };
            };
          };
        };
      }
    )
    (mkIf config.fediversity.attic.enable {
  services.postgresql = {
    enable = true;
@ -83,7 +75,7 @@ in
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
-        virtualHosts."attic.${config.fediversity.domain}" = {
+    virtualHosts."attic.fediversity.net" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
@ -123,8 +115,8 @@ in
        outPath = "/tmp/attic.env";
        text = ''
          ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="${fileContents config.vars.generators.attic.files.token.path}"
-              AWS_ACCESS_KEY_ID="${fileContents config.fediversity.attic.s3AccessKeyFile}"
+          AWS_ACCESS_KEY_ID="${fileContents s3.s3AccessKeyFile}"
-              AWS_SECRET_ACCESS_KEY="${fileContents config.fediversity.attic.s3SecretKeyFile}"
+          AWS_SECRET_ACCESS_KEY="${fileContents s3.s3SecretKeyFile}"
        '';
        name = "write";
      }
@ -158,7 +150,7 @@ in
      #
      # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
      # not `https://domain.tld/attic`).
-          api-endpoint = "https://${config.fediversity.attic.domain}/";
+      api-endpoint = "https://attic.fediversity.net/";
      # Whether to soft-delete caches
      #
@ -212,7 +204,7 @@ in
        # Custom S3 endpoint
        #
        # Set this if you are using an S3-compatible object storage (e.g., Minio).
-            endpoint = config.fediversity.garage.api.url;
+        endpoint = "http://s3.garage.fediversity.net:3900";
        # Credentials
        #
@ -327,6 +319,4 @@ in
      # };
    };
  };
    })
  ];
 }
--- a/services/fediversity/attic/options.nix
+++ b/services/fediversity/attic/options.nix
@ -1,14 +0,0 @@
 { config, lib, ... }:
 {
  options.fediversity.attic =
    (import ../sharedOptions.nix {
      inherit config lib;
      serviceName = "attic";
      serviceDocName = "Attic Nix Cache server";
    })
    //
    {
    };
 }
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@ -13,7 +13,6 @@ in
    ./mastodon
    ./pixelfed
    ./peertube
    ./attic
  ];
  options = {