{ config, lib, pkgs, homeyConfig, ... }: # Attic — self-hosted Nix binary cache (cachix alternative). # # Auth model: JWT token-based. No Authelia forward_auth — Attic manages its # own token issuance and verification. Use `attic make-token` to create tokens. # Push requires a write-scoped token; pull visibility is per-cache (public or # token-gated, configurable via `attic cache configure` after first deploy). # # Volume layout: # /attic/ → /data (SQLite DB) # /attic/cache/ → /data/cache (content-addressed NAR store) # # NOT backed up: NAR content is fully reproducible from source. # # Secrets consumed from sops: # attic/jwt_secret (base64-encoded HS256 secret for JWT token signing) # attic/pull_token (JWT with pull:* scope — used by the local Nix daemon) # # See attic-setup.md for post-deploy steps and token generation commands. let cfg = config.homey.attic; dataDir = config.homey.storage.mountPoint; domain = homeyConfig.domain; in { options.homey.attic = { enable = lib.mkEnableOption "Attic Nix binary cache"; image = lib.mkOption { type = lib.types.str; default = "ghcr.io/zhaofengli/attic:latest"; }; port = lib.mkOption { type = lib.types.port; default = 8200; description = "Host port Attic listens on (bound to 127.0.0.1)."; }; }; config = lib.mkIf cfg.enable { # ----------------------------------------------------------------------- # Secrets # ----------------------------------------------------------------------- sops.secrets."attic/jwt_secret" = { owner = "root"; }; sops.secrets."attic/pull_token" = { owner = "root"; }; # ----------------------------------------------------------------------- # Container # If the container fails to start, check the expected config path with: # podman inspect ghcr.io/zhaofengli/attic:latest | jq '.[].Config.Cmd' # and adjust `cmd` below accordingly. # ----------------------------------------------------------------------- virtualisation.oci-containers.containers.attic = { image = cfg.image; ports = [ "127.0.0.1:${toString cfg.port}:8080" ]; cmd = [ "--config" "/etc/attic/server.toml" ]; volumes = [ "${dataDir}/attic:/data" "/run/attic-config.toml:/etc/attic/server.toml:ro" ]; extraOptions = [ "--network=homey" ]; }; # ----------------------------------------------------------------------- # ExecStartPre: write ephemeral TOML config with JWT secret interpolated # ----------------------------------------------------------------------- systemd.services."podman-attic" = { serviceConfig = { ExecStartPre = [ (pkgs.writeShellScript "attic-write-config" '' set -euo pipefail JWT=$(cat ${config.sops.secrets."attic/jwt_secret".path}) install -m 600 /dev/null /run/attic-config.toml printf '%s\n' \ 'listen = "0.0.0.0:8080"' \ "" \ '[jwt.signing]' \ "token-hs256-secret-base64 = \"$JWT\"" \ "" \ '[database]' \ 'url = "sqlite:///data/server.db?mode=rwc"' \ "" \ '[storage]' \ 'type = "local"' \ 'path = "/data/cache"' \ "" \ '[chunking]' \ 'nar-size-threshold = 65536' \ 'min-size = 16384' \ 'avg-size = 65536' \ 'max-size = 262144' \ "" \ '[garbage-collection]' \ 'default-retention-period = "90 days"' \ "" \ '[compression]' \ 'type = "zstd"' \ 'level = 8' \ >> /run/attic-config.toml '') ]; }; postStop = "rm -f /run/attic-config.toml"; after = lib.mkAfter [ "mnt-data.mount" "podman-homey-network.service" ]; requires = lib.mkAfter [ "mnt-data.mount" "podman-homey-network.service" ]; }; # ----------------------------------------------------------------------- # Caddy virtual host — no forward_auth; Attic handles its own auth # ----------------------------------------------------------------------- homey.caddy.virtualHosts = [{ subdomain = "attic"; port = cfg.port; auth = false; }]; # ----------------------------------------------------------------------- # Storage directories (not backed up — no backup.extraPaths entry) # ----------------------------------------------------------------------- homey.storage.extraDirs = [ { path = "attic"; } { path = "attic/cache"; mode = "0755"; } ]; # ----------------------------------------------------------------------- # Nix daemon pull auth # Writes a netrc file from the pull token so the system Nix daemon (and # anything using it, e.g. the Gitea runner) can fetch from the private cache. # ----------------------------------------------------------------------- systemd.services.attic-nix-netrc = { description = "Write Attic pull token to netrc for Nix daemon"; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStart = pkgs.writeShellScript "attic-write-netrc" '' set -euo pipefail TOKEN=$(cat ${config.sops.secrets."attic/pull_token".path}) install -m 600 /dev/null /run/attic-netrc printf 'machine attic.${domain}\n login token\n password %s\n' "$TOKEN" \ > /run/attic-netrc ''; }; postStop = "rm -f /run/attic-netrc"; }; nix.extraOptions = '' netrc-file = /run/attic-netrc ''; # ----------------------------------------------------------------------- # Uptime Kuma monitor # ----------------------------------------------------------------------- homey.monitoring.monitors = [{ name = "Attic"; url = "https://attic.${domain}"; interval = 300; }]; }; }