aner/homey
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
homey/modules/services/attic.nix
T
Aner Zakobar 261cf892dd Everything changed - major rewrite
2026-06-07 00:59:22 +03:00

167 lines
6.0 KiB
Nix
Raw Permalink Blame History

{ config, lib, pkgs, homeyConfig, ... }:
# Attic — self-hosted Nix binary cache (cachix alternative).
#
# Auth model: JWT token-based. No Authelia forward_auth — Attic manages its
# own token issuance and verification. Use `attic make-token` to create tokens.
# Push requires a write-scoped token; pull visibility is per-cache (public or
# token-gated, configurable via `attic cache configure` after first deploy).
#
# Volume layout:
# <dataDir>/attic/ → /data (SQLite DB)
# <dataDir>/attic/cache/ → /data/cache (content-addressed NAR store)
#
# NOT backed up: NAR content is fully reproducible from source.
#
# Secrets consumed from sops:
# attic/jwt_secret (base64-encoded HS256 secret for JWT token signing)
# attic/pull_token (JWT with pull:* scope — used by the local Nix daemon)
#
# See attic-setup.md for post-deploy steps and token generation commands.
let
cfg = config.homey.attic;
dataDir = config.homey.storage.mountPoint;
domain = homeyConfig.domain;
in
{
options.homey.attic = {
enable = lib.mkEnableOption "Attic Nix binary cache";
image = lib.mkOption {
type = lib.types.str;
default = "ghcr.io/zhaofengli/attic:latest";
};
port = lib.mkOption {
type = lib.types.port;
default = 8200;
description = "Host port Attic listens on (bound to 127.0.0.1).";
};
};
config = lib.mkIf cfg.enable {
# -----------------------------------------------------------------------
# Secrets
# -----------------------------------------------------------------------
sops.secrets."attic/jwt_secret" = { owner = "root"; };
sops.secrets."attic/pull_token" = { owner = "root"; };
# -----------------------------------------------------------------------
# Container
# If the container fails to start, check the expected config path with:
# podman inspect ghcr.io/zhaofengli/attic:latest | jq '.[].Config.Cmd'
# and adjust `cmd` below accordingly.
# -----------------------------------------------------------------------
virtualisation.oci-containers.containers.attic = {
image = cfg.image;
ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
cmd = [ "--config" "/etc/attic/server.toml" ];
volumes = [
"${dataDir}/attic:/data"
"/run/attic-config.toml:/etc/attic/server.toml:ro"
];
extraOptions = [ "--network=homey" ];
};
# -----------------------------------------------------------------------
# ExecStartPre: write ephemeral TOML config with JWT secret interpolated
# -----------------------------------------------------------------------
systemd.services."podman-attic" = {
serviceConfig = {
ExecStartPre = [
(pkgs.writeShellScript "attic-write-config" ''
set -euo pipefail
JWT=$(cat ${config.sops.secrets."attic/jwt_secret".path})
install -m 600 /dev/null /run/attic-config.toml
printf '%s\n' \
'listen = "0.0.0.0:8080"' \
"" \
'[jwt.signing]' \
"token-hs256-secret-base64 = \"$JWT\"" \
"" \
'[database]' \
'url = "sqlite:///data/server.db?mode=rwc"' \
"" \
'[storage]' \
'type = "local"' \
'path = "/data/cache"' \
"" \
'[chunking]' \
'nar-size-threshold = 65536' \
'min-size = 16384' \
'avg-size = 65536' \
'max-size = 262144' \
"" \
'[garbage-collection]' \
'default-retention-period = "90 days"' \
"" \
'[compression]' \
'type = "zstd"' \
'level = 8' \
>> /run/attic-config.toml
'')
];
};
postStop = "rm -f /run/attic-config.toml";
after = lib.mkAfter [ "mnt-data.mount" "podman-homey-network.service" ];
requires = lib.mkAfter [ "mnt-data.mount" "podman-homey-network.service" ];
};
# -----------------------------------------------------------------------
# Caddy virtual host — no forward_auth; Attic handles its own auth
# -----------------------------------------------------------------------
homey.caddy.virtualHosts = [{
subdomain = "attic";
port = cfg.port;
auth = false;
}];
# -----------------------------------------------------------------------
# Storage directories (not backed up — no backup.extraPaths entry)
# -----------------------------------------------------------------------
homey.storage.extraDirs = [
{ path = "attic"; }
{ path = "attic/cache"; mode = "0755"; }
];
# -----------------------------------------------------------------------
# Nix daemon pull auth
# Writes a netrc file from the pull token so the system Nix daemon (and
# anything using it, e.g. the Gitea runner) can fetch from the private cache.
# -----------------------------------------------------------------------
systemd.services.attic-nix-netrc = {
description = "Write Attic pull token to netrc for Nix daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "attic-write-netrc" ''
set -euo pipefail
TOKEN=$(cat ${config.sops.secrets."attic/pull_token".path})
install -m 600 /dev/null /run/attic-netrc
printf 'machine attic.${domain}\n login token\n password %s\n' "$TOKEN" \
> /run/attic-netrc
'';
};
postStop = "rm -f /run/attic-netrc";
};
nix.extraOptions = ''
netrc-file = /run/attic-netrc
'';
# -----------------------------------------------------------------------
# Uptime Kuma monitor
# -----------------------------------------------------------------------
homey.monitoring.monitors = [{
name = "Attic";
url = "https://attic.${domain}";
interval = 300;
}];
};
}
Reference in New Issue View Git Blame Copy Permalink