diff --git a/hosts/algiz/README.md b/hosts/algiz/README.md
index e6817a8..20233bc 100644
--- a/hosts/algiz/README.md
+++ b/hosts/algiz/README.md
@@ -27,4 +27,20 @@ To point gitea/forgejo to the shim gitea binary for SSH I symlink the current sy
 ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea
 ```
+## Setting up Attic
+
+Generated a key using command provided in attic docs:
+```sh
+nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0
+```
+And wrote `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="output from above"` to `/etc/attic.env`
+
+I generated a token to configure the caches using the following command:
+
+```
+atticd-atticadm make-token --sub daylin --push "*" --pull "*" --validity '1y' --create-cache "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*" --delete "*"
+```
+
+If I handled secrets via `sops` or `agenix` I think this could be stored directly in the repo.
+I also had to modify the firewall so that docker would forward along the requests by caddy to `host.docker.internal` correctly.
diff --git a/hosts/algiz/services.nix b/hosts/algiz/services.nix
new file mode 100644
index 0000000..1abf3e2
--- /dev/null
+++ b/hosts/algiz/services.nix
@@ -0,0 +1,58 @@
+{ pkgs, enabled, ... }:
+let
+ atticPort = "5656";
+in
+{
+
+ services.resolved = enabled;
+
+ services.fail2ban = enabled // {
+ maxretry = 5;
+ bantime = "24h";
+ };
+
+ services.openssh = enabled // {
+ settings.PasswordAuthentication = false;
+ };
+
+ security.polkit = enabled; # attic was looking for this...
+ environment.systemPackages = [ pkgs.attic-client ];
+
+ # allow docker to forward the request to the host running attic
+ # https://discourse.nixos.org/t/docker-container-not-resolving-to-host/30259/6
+ networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port ${atticPort} -s 172.16.0.0/12 -j ACCEPT";
+ services.atticd = enabled // {
+
+ # Replace with absolute path to your credentials file
+ environmentFile = "/etc/atticd.env";
+
+ settings = {
+ listen = "[::]:${atticPort}";
+
+ jwt = { };
+
+ # Data chunking
+ #
+ # Warning: If you change any of the values here, it will be
+ # difficult to reuse existing chunks for newly-uploaded NARs
+ # since the cutpoints will be different. As a result, the
+ # deduplication ratio will suffer for a while after the change.
+ chunking = {
+ # The minimum NAR size to trigger chunking
+ #
+ # If 0, chunking is disabled entirely for newly-uploaded NARs.
+ # If 1, all NARs are chunked.
+ nar-size-threshold = 64 * 1024; # 64 KiB
+
+ # The preferred minimum size of a chunk, in bytes
+ min-size = 16 * 1024; # 16 KiB
+
+ # The preferred average size of a chunk, in bytes
+ avg-size = 64 * 1024; # 64 KiB
+
+ # The preferred maximum size of a chunk, in bytes
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ };
+}
diff --git a/hosts/algiz/system.nix b/hosts/algiz/system.nix
index a20877a..dd74ef6 100644
--- a/hosts/algiz/system.nix
+++ b/hosts/algiz/system.nix
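Review bot: `environmentFile = "/etc/atticd.env"` does not agree with the README hunk in this same commit, which writes `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64` to `/etc/attic.env`; one of the two paths is wrong and should be corrected so the RS256 secret the README describes is the file atticd actually loads, and the copied template comment `# Replace with absolute path to your credentials file` above it can then go. The rule `iptables -A INPUT -p tcp --destination-port ${atticPort} -s 172.16.0.0/12 -j ACCEPT` admits the whole 172.16.0.0/12 range rather than only the Docker bridge, so any host or VPN peer carrying such an address reaches the `[::]:5656` listener directly and bypasses the caddy proxy. A narrower, declarative form is `networking.firewall.interfaces.docker0.allowedTCPPorts = [ atticPort ];` (substitute the real bridge interface if Docker uses a user-defined network), which also keeps working if the firewall backend is switched to nftables, where `extraCommands` is not supported. That option takes an integer, so `atticPort` would become `5656` and the listener `"[::]:${toString atticPort}"`.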
@@ -2,12 +2,6 @@
 {
 security.sudo.wheelNeedsPassword = false;
- services.resolved = enabled;
-
- services.fail2ban = enabled // {
- maxretry = 5;
- bantime = "24h";
- };
 # # added to make using `pip install` work in docker build
 # networking.nameservers = [ "8.8.8.8"];
@@ -20,12 +14,6 @@
 ];
 };
- services.openssh = enabled // {
- settings.PasswordAuthentication = false;
- };
-
- # users.mutableUsers = false;
-
 # Use the GRUB 2 boot loader.
 boot.loader.grub = enabled // {
 device = "/dev/sda"; # or "nodev" for efi only