setup attic on algiz

hosts/algiz/README.md

@@ -27,4 +27,20 @@ To point gitea/forgejo to the shim gitea binary for SSH I symlink the current sy
 ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea
 ```
 
+## Setting up Attic
+
+Generated a key using command provided in attic docs:
+```sh
+nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0
+```
+And wrote `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="output from above"` to `/etc/attic.env`
+
+I generated a token to configure the caches using the following command:
+
+```
+atticd-atticadm make-token --sub daylin --push "*" --pull "*" --validity '1y' --create-cache "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*" --delete "*"
+```
+
+If I handled secrets via `sops` or `agenix` I think this could be stored directly in the repo.
+I also had to modify the firewall so that docker would forward along the requests by caddy to `host.docker.internal` correctly.
 

hosts/algiz/services.nix

@@ -0,0 +1,58 @@
+{ pkgs, enabled, ... }:
+let
+  atticPort = "5656";
+in
+{
+
+  services.resolved = enabled;
+
+  services.fail2ban = enabled // {
+    maxretry = 5;
+    bantime = "24h";
+  };
+
+  services.openssh = enabled // {
+    settings.PasswordAuthentication = false;
+  };
+
+  security.polkit = enabled; # attic was looking for this...
+  environment.systemPackages = [ pkgs.attic-client ];
+
+  # allow docker to forward the request to the host running attic
+  # https://discourse.nixos.org/t/docker-container-not-resolving-to-host/30259/6
+  networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port ${atticPort} -s 172.16.0.0/12 -j ACCEPT";
+  services.atticd = enabled // {
+
+    # Replace with absolute path to your credentials file
+    environmentFile = "/etc/atticd.env";
+
+    settings = {
+      listen = "[::]:${atticPort}";
+
+      jwt = { };
+
+      # Data chunking
+      #
+      # Warning: If you change any of the values here, it will be
+      # difficult to reuse existing chunks for newly-uploaded NARs
+      # since the cutpoints will be different. As a result, the
+      # deduplication ratio will suffer for a while after the change.
+      chunking = {
+        # The minimum NAR size to trigger chunking
+        #
+        # If 0, chunking is disabled entirely for newly-uploaded NARs.
+        # If 1, all NARs are chunked.
+        nar-size-threshold = 64 * 1024; # 64 KiB
+
+        # The preferred minimum size of a chunk, in bytes
+        min-size = 16 * 1024; # 16 KiB
+
+        # The preferred average size of a chunk, in bytes
+        avg-size = 64 * 1024; # 64 KiB
+
+        # The preferred maximum size of a chunk, in bytes
+        max-size = 256 * 1024; # 256 KiB
+      };
+    };
+  };
+}

hosts/algiz/system.nix

@@ -2,12 +2,6 @@
 {
 
   security.sudo.wheelNeedsPassword = false;
-  services.resolved = enabled;
-
-  services.fail2ban = enabled // {
-    maxretry = 5;
-    bantime = "24h";
-  };
 
   # # added to make using `pip install` work in docker build
   # networking.nameservers = [ "8.8.8.8"];
@@ -20,12 +14,6 @@
     ];
   };
 
-  services.openssh = enabled // {
-    settings.PasswordAuthentication = false;
-  };
-
-  # users.mutableUsers = false;
-
   # Use the GRUB 2 boot loader.
   boot.loader.grub = enabled // {
     device = "/dev/sda"; # or "nodev" for efi only