kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

WIP: add attic cache, see #92

Browse source 
flesh out attic

TODO keys nginx-port testing

fix key

fix key
This commit is contained in:
Kiara Grouwstra 2025-06-05 19:01:14 +02:00
parent 5140fe5935
commit b6eebd577f
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
4 changed files with 326 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
machines/dev/fedi200/default.nix
View file

@ -20,6 +20,7 @@
nixos.module = { nixos.module = {
imports = [ imports = [
../../../infra/common/proxmox-qemu-vm.nix ../../../infra/common/proxmox-qemu-vm.nix
../../../services/fediversity/attic
]; ];
}; };
} }

29
npins/sources.json
View file

@ -125,22 +125,6 @@
"url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4", "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
"hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2" "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
}, },
"nix": {
"type": "GitRelease",
"repository": {
"type": "GitHub",
"owner": "nixos",
"repo": "nix"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"submodules": false,
"version": "2.29.1",
"revision": "82debf3b591578eb2e7b151d2589626fad1679a2",
"url": "https://api.github.com/repos/nixos/nix/tarball/2.29.1",
"hash": "1xj5wawjw99qsyqfm3x02aydcg39rjksphnqg163plknifbzf8mc"
},
"nix-unit": { "nix-unit": {
"type": "Git", "type": "Git",
"repository": { "repository": {
@ -166,6 +150,19 @@
"revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921", "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
"url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz", "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
"hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj" "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
},
"vars": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "lassulus",
"repo": "vars"
},
"branch": "main",
"submodules": false,
"revision": "856c18f0e7b95e262ac88ba9ddebf506a16fd4a5",
"url": "https://github.com/lassulus/vars/archive/856c18f0e7b95e262ac88ba9ddebf506a16fd4a5.tar.gz",
"hash": "095dmc67pf5idj4pgnibjbgfxpkm73px3sc6hylc9j0sqh3379q7"
} }
}, },
"version": 5 "version": 5

298
services/fediversity/attic/default.nix Normal file
View file

@ -0,0 +1,298 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib) mkIf mkMerge;
sources = import ../../../npins;
inherit
(import "${sources.nix-templating}/lib.nix" {
inherit pkgs lib;
nix_templater = pkgs.callPackage "${sources.nix-templating}/pkgs/nix_templater" { };
})
fileContents
template
;
in
{
imports = with sources; [
./options.nix
"${vars}/options.nix"
"${vars}/backends/on-machine.nix"
];
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.attic.s3AccessKeyFile != null
&& config.fediversity.attic.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
attic = {
website = true;
# TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
attic = {
inherit (config.fediversity.attic) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
};
};
};
}
)
(mkIf config.fediversity.attic.enable {
services.postgresql = {
enable = true;
authentication = lib.mkForce ''
local all all trust
'';
ensureDatabases = [
"atticd"
];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
# open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [
80
443
8080
];
vars.generators.attic = {
runtimeInputs = [ pkgs.openssl ];
files.token.secret = true;
script = ''
genrsa -traditional 4096 | base64 -w0 > $out/token
'';
};
services.atticd = {
enable = true;
# one `monolithic` and any number of `api-server` nodes
mode = "monolithic";
environmentFile = "${
template {
name = "attic.env";
outPath = "./attic.env";
text = ''
ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${fileContents config.vars.generators.attic.files.token.path}
AWS_ACCESS_KEY_ID=$(cat ${config.fediversity.peertube.s3AccessKeyFile})
AWS_SECRET_ACCESS_KEY=$(cat ${config.fediversity.peertube.s3SecretKeyFile})
'';
}
}/bin/attic.env";
# https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
settings = {
# Socket address to listen on
# listen = "[::]:8080";
listen = "0.0.0.0:8080";
# listen = "127.0.0.1:8080";
# Allowed `Host` headers
#
# This _must_ be configured for production use. If unconfigured or the
# list is empty, all `Host` headers are allowed.
allowed-hosts = [ ];
# The canonical API endpoint of this server
#
# This is the endpoint exposed to clients in `cache-config` responses.
#
# This _must_ be configured for production use. If not configured, the
# API endpoint is synthesized from the client's `Host` header which may
# be insecure.
#
# The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
# not `https://domain.tld/attic`).
api-endpoint = "https://${config.fediversity.attic.domain}/";
# Whether to soft-delete caches
#
# If this is enabled, caches are soft-deleted instead of actually
# removed from the database. Note that soft-deleted caches cannot
# have their names reused as long as the original database records
# are there.
#soft-delete-caches = false;
# Whether to require fully uploading a NAR if it exists in the global cache.
#
# If set to false, simply knowing the NAR hash is enough for
# an uploader to gain access to an existing NAR in the global
# cache.
#require-proof-of-possession = true;
# Database connection
database = {
# Connection URL
#
# For production use it's recommended to use PostgreSQL.
# url = "postgresql:///atticd:password@127.0.0.1:5432/atticd";
url = "postgresql:///atticd?host=/run/postgresql";
# Whether to enable sending on periodic heartbeat queries
#
# If enabled, a heartbeat query will be sent every minute
#heartbeat = false;
};
# File storage configuration
storage = {
# Storage type
#
# Can be "local" or "s3".
type = "s3";
# ## Local storage
# The directory to store all files under
# path = "%storage_path%";
# ## S3 Storage (set type to "s3" and uncomment below)
# The AWS region
region = "garage";
# The name of the bucket
bucket = "attic";
# Custom S3 endpoint
#
# Set this if you are using an S3-compatible object storage (e.g., Minio).
endpoint = config.fediversity.garage.api.url;
# Credentials
#
# If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
# `AWS_SECRET_ACCESS_KEY` environment variables.
# storage.credentials = {
# access_key_id = "";
# secret_access_key = "";
# };
};
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 65536; # chunk files that are 64 KiB or larger
# The preferred minimum size of a chunk, in bytes
min-size = 16384; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 65536; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 262144; # 256 KiB
};
# Compression
compression = {
# Compression type
#
# Can be "none", "brotli", "zstd", or "xz"
type = "zstd";
# Compression level
#level = 8;
};
# Garbage collection
garbage-collection = {
# The frequency to run garbage collection at
#
# By default it's 12 hours. You can use natural language
# to specify the interval, like "1 day".
#
# If zero, automatic garbage collection is disabled, but
# it can still be run manually with `atticd --mode garbage-collector-once`.
interval = "12 hours";
# Default retention period
#
# Zero (default) means time-based garbage-collection is
# disabled by default. You can enable it on a per-cache basis.
#default-retention-period = "6 months";
};
jwt = {
# WARNING: Changing _anything_ in this section will break any existing
# tokens. If you need to regenerate them, ensure that you use the the
# correct secret and include the `iss` and `aud` claims.
# JWT `iss` claim
#
# Set this to the JWT issuer that you want to validate.
# If this is set, all received JWTs will validate that the `iss` claim
# matches this value.
#token-bound-issuer = "some-issuer";
# JWT `aud` claim
#
# Set this to the JWT audience(s) that you want to validate.
# If this is set, all received JWTs will validate that the `aud` claim
# contains at least one of these values.
#token-bound-audiences = ["some-audience1", "some-audience2"];
};
# jwt.signing = {
# # JWT RS256 secret key
# #
# # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
# # TODO
# # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
# # environment variable.
# token-rs256-secret-base64 = "%token_rs256_secret_base64%";
# # JWT HS256 secret key
# #
# # Set this to the base64-encoded HMAC secret key.
# # You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64`
# # environment variable.
# #token-hs256-secret-base64 = "";
# };
};
};
})
];
}

14
services/fediversity/attic/options.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, ... }:
{
options.fediversity.attic =
(import ../sharedOptions.nix {
inherit config lib;
serviceName = "attic";
serviceDocName = "Attic Nix Cache server";
})
//
{
};
}