allow accessing the attic cache from the CI runner

still go thru shell to actually load it
pull attic-client into shell as CI is missing <nixpkgs> for nix-shell
2025-07-05 21:47:35 +02:00 · 2025-07-05 21:29:41 +02:00 · 2025-07-05 21:29:41 +02:00 · 2025-07-05 21:29:41 +02:00 · 2025-07-05 21:29:41 +02:00 · 2025-07-05 21:29:41 +02:00
24 changed files with 552 additions and 19 deletions
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -25,7 +25,7 @@ jobs:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: nix-build services -A tests.peertube
+      - run: nix-shell --run attic push demo $(nix-build services -A tests.peertube)

  check-panel:
    runs-on: native
--- a/default.nix
+++ b/default.nix
@ -58,12 +58,14 @@ in
      in
      [
        pkgs.npins
+        pkgs.attic-client
        pkgs.nil
        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
        pkgs.openssh
        pkgs.httpie
        pkgs.jq
        pkgs.nix-unit
+        pkgs.attic-client
        test-loop
        nixops4.packages.${system}.default
      ];
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@ -14,6 +14,7 @@ let
    "mastodon"
    "peertube"
    "pixelfed"
+    "attic"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
--- a/deployment/check/cli/nixosTest.nix
+++ b/deployment/check/cli/nixosTest.nix
@ -25,6 +25,8 @@ in
        peertube.inputDerivation
        gixy
        gixy.inputDerivation
+        shellcheck
+        shellcheck.inputDerivation
      ];

      system.extraDependenciesFromModule = {
@ -48,6 +50,11 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -72,6 +79,7 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 2 * 1024;

  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -86,6 +94,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with no services enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-nothing --show-trace --no-interactive 1>&2")
@ -95,6 +104,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-mastodon-pixelfed --show-trace --no-interactive 1>&2")
@ -104,6 +114,7 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with only Peertube enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-peertube --show-trace --no-interactive 1>&2")
@ -113,5 +124,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -40,7 +40,7 @@ in
      ## default. These values have been trimmed down to the gigabyte.
      ## Memory use is expected to be dominated by the NixOS evaluation,
      ## which happens on the deployer.
-      memorySize = 4 * 1024;
+      memorySize = 5 * 1024;
      diskSize = 4 * 1024;
      cores = 2;
    };
@ -59,7 +59,10 @@ in
        inputs.nixops4
        inputs.nixops4-nixos
        inputs.nixpkgs
+
+        sources.nixpkgs
        sources.flake-inputs
+        sources.vars

        pkgs.stdenv
        pkgs.stdenvNoCC
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@ -17,6 +17,7 @@ let
    "mastodon"
    "peertube"
    "pixelfed"
+    "attic"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -33,6 +33,7 @@ let
      enableMastodon,
      enablePeertube,
      enablePixelfed,
+      enableAttic,
    }:
    hostPkgs.writers.writePython3Bin "interact-with-panel"
      {
@ -94,6 +95,7 @@ let
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'mastodon.enable']"), ${toPythonBool enableMastodon})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'peertube.enable']"), ${toPythonBool enablePeertube})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'pixelfed.enable']"), ${toPythonBool enablePixelfed})
+        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'attic.enable']"), ${toPythonBool enableAttic})

        print("Start deployment...")
        driver.find_element(By.XPATH, "//button[@id = 'deploy-button']").click()
@ -194,6 +196,11 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -239,6 +246,7 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 4 * 1024;

  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -311,6 +319,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with no services enabled"):
      client.succeed("${
@ -319,6 +328,7 @@ in
          enableMastodon = false;
          enablePeertube = false;
          enablePixelfed = false;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -327,6 +337,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      client.succeed("${
@ -335,6 +346,7 @@ in
          enableMastodon = true;
          enablePeertube = false;
          enablePixelfed = true;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -343,6 +355,7 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with only Peertube enabled"):
      client.succeed("${
@ -351,6 +364,7 @@ in
          enableMastodon = false;
          enablePeertube = true;
          enablePixelfed = false;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -359,5 +373,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/configuration.sample.json
+++ b/deployment/configuration.sample.json
@ -3,6 +3,7 @@
  "mastodon": { "enable": false },
  "peertube": { "enable": false },
  "pixelfed": { "enable": false },
+  "attic": { "enable": false },
  "initialUser": {
    "displayName": "Testy McTestface",
    "username": "test",
--- a/deployment/default.nix
+++ b/deployment/default.nix
@ -24,6 +24,7 @@
  mastodonConfigurationResource,
  peertubeConfigurationResource,
  pixelfedConfigurationResource,
+  atticConfigurationResource,
 }:

 ## From the hosting provider's perspective, the function is meant to be
@ -55,6 +56,7 @@ let
    mastodon = nonNull panelConfigNullable.mastodon { enable = false; };
    peertube = nonNull panelConfigNullable.peertube { enable = false; };
    pixelfed = nonNull panelConfigNullable.pixelfed { enable = false; };
+    attic = nonNull panelConfigNullable.attic { enable = false; };
  };
 in

@ -107,6 +109,13 @@ in
            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
          };
+        atticS3KeyConfig =
+          { pkgs, ... }:
+          {
+            # REVIEW: how were these generated above? how do i add one?
+            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa";
+            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+          };

        makeConfigurationResource = resourceModule: config: {
          type = providers.local.exec;
@ -140,13 +149,14 @@ in
      {
        garage-configuration = makeConfigurationResource garageConfigurationResource (
          { pkgs, ... }:
-          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable) {
+          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable || cfg.attic.enable) {
            fediversity = {
              inherit (cfg) domain;
              garage.enable = true;
              pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
              mastodon = mastodonS3KeyConfig { inherit pkgs; };
              peertube = peertubeS3KeyConfig { inherit pkgs; };
+              attic = atticS3KeyConfig { inherit pkgs; };
            };
          }
        );
@ -213,6 +223,25 @@ in
            };
          }
        );
+
+        attic-configuration = makeConfigurationResource atticConfigurationResource (
+          { pkgs, ... }:
+          mkIf cfg.attic.enable {
+            fediversity = {
+              inherit (cfg) domain;
+              temp.initialUser = {
+                inherit (cfg.initialUser) username email displayName;
+                # FIXME: disgusting, but nvm, this is going to be replaced by
+                # proper central authentication at some point
+                passwordFile = pkgs.writeText "password" cfg.initialUser.password;
+              };
+
+              attic = atticS3KeyConfig { inherit pkgs; } // {
+                enable = true;
+              };
+            };
+          }
+        );
      };
  };
 }
--- a/deployment/options.nix
+++ b/deployment/options.nix
@ -71,6 +71,19 @@ in
        });
      default = null;
    };
+    attic = mkOption {
+      description = ''
+        Configuration for the Attic service
+      '';
+      type =
+        with types;
+        nullOr (submodule {
+          options = {
+            enable = lib.mkEnableOption "Attic";
+          };
+        });
+      default = null;
+    };
    initialUser = mkOption {
      description = ''
        Some services require an initial user to access them.
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -24,6 +24,14 @@ in
    experimental-features = nix-command flakes
  '';

+  nix.settings = {
+    substituters = [
+      "https://attic.fediversity.net/demo"
+    ];
+    trusted-public-keys = [
+      "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="
+    ];
+  };
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -1,9 +1,13 @@
-{ modulesPath, ... }:
-
+let
+  # pulling this in manually over from module args resolves an infinite recursion
+  sources = import ../../npins;
+in
 {
  _class = "nixos";

-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [
+    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+  ];

  boot = {
    initrd = {
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -32,9 +32,11 @@ in
  ## options that really need to be injected from the resource. Everything else
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
-    imports = [
-      "${sources.agenix}/modules/age.nix"
-      "${sources.disko}/module.nix"
+    imports = with sources; [
+      "${agenix}/modules/age.nix"
+      "${disko}/module.nix"
+      "${vars}/options.nix"
+      "${vars}/backends/on-machine.nix"
      ./options.nix
      ./nixos
    ];
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -33,6 +33,10 @@ let
          ;
      };

+      nixos.module.imports = [
+        ./common/proxmox-qemu-vm.nix
+      ];
+
      imports =
        [
          ./common/resource.nix
@ -40,7 +44,6 @@ let
        ++ (
          if isTestVm then
            [
-              ./common/proxmox-qemu-vm.nix
              ../machines/operator/${vmName}
              {
                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
@ -104,6 +107,10 @@ let
          vmName = "test04";
          isTestVm = true;
        };
+        atticConfigurationResource = makeResourceModule {
+          vmName = "test12";
+          isTestVm = true;
+        };
      };

  nixops4ResourceNixosMockOptions = {
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -16,10 +16,4 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
-
-  nixos.module = {
-    imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
-    ];
-  };
 }
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@ -48,7 +48,7 @@ in
      };

      ## NOTE: This is a physical machine, so is not covered by disko
-      fileSystems."/" = {
+      fileSystems."/" = lib.mkForce {
        device = "rpool/root";
        fsType = "zfs";
      };
@ -58,7 +58,7 @@ in
        fsType = "zfs";
      };

-      fileSystems."/boot" = {
+      fileSystems."/boot" = lib.mkForce {
        device = "/dev/disk/by-uuid/50B2-DD3F";
        fsType = "vfat";
        options = [
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@ -1,8 +1,24 @@
-{ pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  sources = import ../../../npins;
+  user = "gitea-runner";
+  hm_strings = import "${sources.home-manager}/modules/lib/strings.nix" { inherit lib; };
+in

 {
  _class = "nixos";

+  imports = with sources; [
+    "${home-manager}/nixos"
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;

@ -44,4 +60,56 @@

  ## For the Docker mode of the runner.
  virtualisation.docker.enable = true;
+
+  vars.settings.on-machine.enable = true;
+  vars.generators."attic" = {
+    runtimeInputs = [ pkgs.coreutils ];
+    files."token".secret = true;
+    script = ''
+      cp "${config.age.secrets.attic-ci-token.path}" "$out/${"token"}"
+    '';
+  };
+  vars.generators."templates" = rec {
+    dependencies = [ "attic" ];
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.gnused
+    ];
+    script = lib.concatStringsSep "\n" (
+      lib.mapAttrsToList (template: _: ''
+        cp "$templates/${template}" "$out/${template}"
+        echo "filling placeholders in template ${template}..."
+        sed -i "s/${config.vars.generators."attic".files."token".placeholder}/$(cat "${
+          config.vars.generators."attic".files."token".path
+        }")/g" "$out/${template}"
+      '') files
+    );
+
+    files."attic.toml" = {
+      secret = true;
+      owner = user;
+      template = pkgs.writeText "attic.toml" ''
+        default-server = "fediversity"
+
+        [servers.fediversity]
+        endpoint = "http://localhost:8080"
+        token = "${config.vars.generators.attic.files.token.placeholder}"
+      '';
+    };
+  };
+
+  # needed to place a config file with home-manager
+  users.users.${user}.isNormalUser = true;
+
+  home-manager = {
+    users.${user}.home = {
+      stateVersion = "25.05";
+      file.".config/attic/config.toml".source =
+        let
+          pathStr = config.vars.generators."templates".files."attic.toml".path;
+          name = hm_strings.storeFileName (baseNameOf pathStr);
+        in
+        pkgs.runCommandLocal name { } ''ln -s ${lib.escapeShellArg pathStr} $out'';
+    };
+  };
 }
--- a/machines/operator/test12/default.nix
+++ b/machines/operator/test12/default.nix
@ -18,4 +18,11 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
+
+  nixos.module = {
+    imports = [
+      ../../../infra/common/proxmox-qemu-vm.nix
+      ../../../services/fediversity/attic
+    ];
+  };
 }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -150,6 +150,19 @@
      "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
      "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
      "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
+    },
+    "vars": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "kiaragrouwstra",
+        "repo": "vars"
+      },
+      "branch": "templates",
+      "submodules": false,
+      "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b",
+      "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz",
+      "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x"
    }
  },
  "version": 5
--- a/secrets/attic-ci-token.age
+++ b/secrets/attic-ci-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -24,6 +24,7 @@ concatMapAttrs
    ## are able to decrypt them.

    {
+      attic-ci-token = [ forgejo-ci ];
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
      forgejo-runner-token = [ forgejo-ci ];
--- a/services/fediversity/attic/default.nix
+++ b/services/fediversity/attic/default.nix
@ -0,0 +1,325 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkIf mkMerge;
+  sources = import ../../../npins;
+in
+{
+  imports = with sources; [
+    ./options.nix
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
+  config = mkMerge [
+    (mkIf
+      (
+        config.fediversity.garage.enable
+        && config.fediversity.attic.s3AccessKeyFile != null
+        && config.fediversity.attic.s3SecretKeyFile != null
+      )
+      {
+        fediversity.garage = {
+          ensureBuckets = {
+            attic = {
+              website = true;
+              # TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
+              corsRules = {
+                enable = true;
+                allowedHeaders = [ "*" ];
+                allowedMethods = [ "GET" ];
+                allowedOrigins = [ "*" ];
+              };
+            };
+          };
+          ensureKeys = {
+            attic = {
+              inherit (config.fediversity.attic) s3AccessKeyFile s3SecretKeyFile;
+              ensureAccess = {
+                attic = {
+                  read = true;
+                  write = true;
+                  owner = true;
+                };
+              };
+            };
+          };
+        };
+      }
+    )
+    (mkIf config.fediversity.attic.enable {
+
+      services.postgresql = {
+        enable = true;
+        authentication = lib.mkForce ''
+          local all all trust
+        '';
+        ensureDatabases = [
+          "atticd"
+        ];
+        ensureUsers = [
+          {
+            name = "atticd";
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      # open up access to the mastodon web interface. 80 is necessary if only for ACME
+      networking.firewall.allowedTCPPorts = [
+        80
+        443
+        8080
+      ];
+
+      vars.settings.on-machine.enable = true;
+      vars.generators."templates" = rec {
+        dependencies = [ "attic" ];
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.gnused
+        ];
+        script = lib.concatStringsSep "\n" (
+          lib.mapAttrsToList (template: _: ''
+            cp "$templates/${template}" "$out/${template}"
+            echo "filling placeholders in template ${template}..."
+            ${lib.concatStringsSep "\n" (
+              lib.mapAttrsToList (
+                parent:
+                { placeholder, ... }:
+                ''
+                  sed -i "s/${placeholder}/$(cat "$in/attic/${parent}")/g" "$out/${template}"
+                  echo "- substituted ${parent}"
+                ''
+              ) config.vars.generators."attic".files
+            )}
+          '') files
+        );
+
+        files."attic.env" = {
+          secret = true;
+          template = pkgs.writeText "attic.env" ''
+            ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="${config.vars.generators.attic.files.token.placeholder}"
+            AWS_ACCESS_KEY_ID="$(cat ${config.fediversity.attic.s3AccessKeyFile})"
+            AWS_SECRET_ACCESS_KEY="$(cat ${config.fediversity.attic.s3SecretKeyFile})"
+          '';
+        };
+      };
+
+      vars.generators.attic = {
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.openssl
+        ];
+        files.token.secret = true;
+        script = ''
+          openssl genrsa -traditional 4096 | base64 -w0 > "$out"/token
+        '';
+      };
+
+      services.atticd = {
+        enable = true;
+        # one `monolithic` and any number of `api-server` nodes
+        mode = "monolithic";
+
+        environmentFile = config.vars.generators."templates".files."attic.env".path;
+
+        # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+        settings = {
+          # Socket address to listen on
+          # listen = "[::]:8080";
+          listen = "0.0.0.0:8080";
+          # listen = "127.0.0.1:8080";
+
+          # Allowed `Host` headers
+          #
+          # This _must_ be configured for production use. If unconfigured or the
+          # list is empty, all `Host` headers are allowed.
+          allowed-hosts = [ ];
+
+          # The canonical API endpoint of this server
+          #
+          # This is the endpoint exposed to clients in `cache-config` responses.
+          #
+          # This _must_ be configured for production use. If not configured, the
+          # API endpoint is synthesized from the client's `Host` header which may
+          # be insecure.
+          #
+          # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+          # not `https://domain.tld/attic`).
+          api-endpoint = "https://${config.fediversity.attic.domain}/";
+
+          # Whether to soft-delete caches
+          #
+          # If this is enabled, caches are soft-deleted instead of actually
+          # removed from the database. Note that soft-deleted caches cannot
+          # have their names reused as long as the original database records
+          # are there.
+          #soft-delete-caches = false;
+
+          # Whether to require fully uploading a NAR if it exists in the global cache.
+          #
+          # If set to false, simply knowing the NAR hash is enough for
+          # an uploader to gain access to an existing NAR in the global
+          # cache.
+          #require-proof-of-possession = true;
+
+          # Database connection
+          database = {
+            # Connection URL
+            #
+            # For production use it's recommended to use PostgreSQL.
+            # url = "postgresql:///atticd:password@127.0.0.1:5432/atticd";
+            url = "postgresql:///atticd?host=/run/postgresql";
+
+            # Whether to enable sending on periodic heartbeat queries
+            #
+            # If enabled, a heartbeat query will be sent every minute
+            #heartbeat = false;
+          };
+
+          # File storage configuration
+          storage = {
+            # Storage type
+            #
+            # Can be "local" or "s3".
+            type = "s3";
+
+            # ## Local storage
+
+            # The directory to store all files under
+            # path = "%storage_path%";
+
+            # ## S3 Storage (set type to "s3" and uncomment below)
+
+            # The AWS region
+            region = "garage";
+
+            # The name of the bucket
+            bucket = "attic";
+
+            # Custom S3 endpoint
+            #
+            # Set this if you are using an S3-compatible object storage (e.g., Minio).
+            endpoint = config.fediversity.garage.api.url;
+
+            # Credentials
+            #
+            # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+            # `AWS_SECRET_ACCESS_KEY` environment variables.
+            # storage.credentials = {
+            #   access_key_id = "";
+            #   secret_access_key = "";
+            # };
+          };
+
+          # Data chunking
+          #
+          # Warning: If you change any of the values here, it will be
+          # difficult to reuse existing chunks for newly-uploaded NARs
+          # since the cutpoints will be different. As a result, the
+          # deduplication ratio will suffer for a while after the change.
+          chunking = {
+            # The minimum NAR size to trigger chunking
+            #
+            # If 0, chunking is disabled entirely for newly-uploaded NARs.
+            # If 1, all NARs are chunked.
+            nar-size-threshold = 65536; # chunk files that are 64 KiB or larger
+
+            # The preferred minimum size of a chunk, in bytes
+            min-size = 16384; # 16 KiB
+
+            # The preferred average size of a chunk, in bytes
+            avg-size = 65536; # 64 KiB
+
+            # The preferred maximum size of a chunk, in bytes
+            max-size = 262144; # 256 KiB
+          };
+
+          # Compression
+          compression = {
+            # Compression type
+            #
+            # Can be "none", "brotli", "zstd", or "xz"
+            type = "zstd";
+
+            # Compression level
+            #level = 8;
+          };
+
+          # Garbage collection
+          garbage-collection = {
+            # The frequency to run garbage collection at
+            #
+            # By default it's 12 hours. You can use natural language
+            # to specify the interval, like "1 day".
+            #
+            # If zero, automatic garbage collection is disabled, but
+            # it can still be run manually with `atticd --mode garbage-collector-once`.
+            interval = "12 hours";
+
+            # Default retention period
+            #
+            # Zero (default) means time-based garbage-collection is
+            # disabled by default. You can enable it on a per-cache basis.
+            #default-retention-period = "6 months";
+          };
+
+          # jwt = {
+          # WARNING: Changing _anything_ in this section will break any existing
+          # tokens. If you need to regenerate them, ensure that you use the the
+          # correct secret and include the `iss` and `aud` claims.
+
+          # JWT `iss` claim
+          #
+          # Set this to the JWT issuer that you want to validate.
+          # If this is set, all received JWTs will validate that the `iss` claim
+          # matches this value.
+          #token-bound-issuer = "some-issuer";
+
+          # JWT `aud` claim
+          #
+          # Set this to the JWT audience(s) that you want to validate.
+          # If this is set, all received JWTs will validate that the `aud` claim
+          # contains at least one of these values.
+          #token-bound-audiences = ["some-audience1", "some-audience2"];
+          # };
+
+          # jwt.signing = {
+          # You must configure JWT signing and verification inside your TOML configuration by setting one of the following options in the [jwt.signing] block:
+          # * token-rs256-pubkey-base64
+          # * token-rs256-secret-base64
+          # * token-hs256-secret-base64
+          # or by setting one of the following environment variables:
+          # * ATTIC_SERVER_TOKEN_RS256_PUBKEY_BASE64
+          # * ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64
+          # * ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
+          # Options will be tried in that same order (configuration options first, then environment options if none of the configuration options were set, starting with the respective RSA pubkey option, the RSA secret option, and finally the HMAC secret option). The first option that is found will be used.
+          # If an RS256 pubkey (asymmetric RSA PEM PKCS1 public key) is provided, it will only be possible to verify received JWTs, and not sign new JWTs.
+          # If an RS256 secret (asymmetric RSA PEM PKCS1 private key) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+          # If an HS256 secret (symmetric HMAC secret) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+
+          # JWT RS256 secret key
+          #
+          # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
+          # TODO
+          # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
+          # environment variable.
+          # token-rs256-secret-base64 = "%token_rs256_secret_base64%";
+
+          # JWT HS256 secret key
+          #
+          # Set this to the base64-encoded HMAC secret key.
+          # You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64`
+          # environment variable.
+          #token-hs256-secret-base64 = "";
+          # };
+        };
+      };
+    })
+  ];
+}
--- a/services/fediversity/attic/options.nix
+++ b/services/fediversity/attic/options.nix
@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+{
+  options.fediversity.attic =
+    (import ../sharedOptions.nix {
+      inherit config lib;
+      serviceName = "attic";
+      serviceDocName = "Attic Nix Cache server";
+    })
+    //
+
+    {
+    };
+}
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@ -13,6 +13,7 @@ in
    ./mastodon
    ./pixelfed
    ./peertube
+    ./attic
  ];

  options = {
@ -65,4 +66,16 @@ in
      };
    };
  };
+
+  config = {
+    ## FIXME: This should clearly go somewhere else; and we should have a
+    ## `staging` vs. `production` setting somewhere.
+    # use a priority higher than mkDefault for panel deployment to work,
+    # yet lower than default so this will not clash with the setting in tests.
+    security.acme = lib.modules.defaultOverridePriority {
+      acceptTerms = true;
+      defaults.email = "something@fediversity.net";
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+  };
 }
Author	SHA1	Message	Date
Kiara Grouwstra	65b909cf5b	allow accessing the attic cache from the CI runner	2025-07-05 21:47:35 +02:00
Kiara Grouwstra	5282bb1b7e	still go thru shell to actually load it	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	726336c081	pull `attic-client` into shell as CI is missing `<nixpkgs>` for `nix-shell`	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	d55b2ad2c5	collapse caching ci test, given it seems to not carry over variables between steps	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	565a69bc15	test attic cache from ci	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	c8b1091548	allow consuming attic cache from ci runner	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	eaf8ef0de5	enquote attic env values for use in `source attic.env`	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	ff62e11374	add generator dependency	2025-07-05 21:29:41 +02:00
Nicolas “Niols” Jeannerod	77403bb3db	moar extraDependencies	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	7a5bf158f6	[wip] handling env file (still fails) rm unused dep nix-templating fix imports	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	c7f4f8fc8f	use templating fork	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	c943409354	add tests, fix some things upgrade memory to resolve oom	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	b0543ebfd8	move from dev to operator revert add qemu import	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	f2546ef1a7	WIP: add attic cache, see #92 flesh out attic TODO keys nginx-port testing fix key fix key	2025-07-05 21:29:41 +02:00
Kiara Grouwstra	9b5de67b8e	ensure bare-metal `fileSystems` override default, resolves definition conflict on `nixops4 apply forgejo-ci`	2025-07-05 21:29:23 +02:00
Kiara Grouwstra	d9f2d942b2	resolve regressions from recent qemu files - move import to match module classes - manually import sources to resolve infinite recursion	2025-07-05 21:29:23 +02:00
Kiara Grouwstra	baaa990513	use defaultOverridePriority over mkDefault to fix acme error without cashing with settings from tests	2025-07-05 21:29:12 +02:00
Kiara Grouwstra	433d0dc278	use mkDefault to prevent acme clash in tests	2025-07-04 19:30:18 +02:00
Kiara Grouwstra	fb376b4684	reinstate acme settings needed by applications	2025-07-04 15:45:17 +02:00