mirror of
https://github.com/daylinmorgan/oizys.git
synced 2024-12-22 06:00:45 -06:00
setup attic on algiz
This commit is contained in:
parent
d55a6dc72c
commit
718b2d6f75
3 changed files with 74 additions and 12 deletions
|
@ -27,4 +27,20 @@ To point gitea/forgejo to the shim gitea binary for SSH I symlink the current sy
|
|||
ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea
|
||||
```
|
||||
|
||||
## Setting up Attic
|
||||
|
||||
Generated a key using command provided in attic docs:
|
||||
```sh
|
||||
nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0
|
||||
```
|
||||
And wrote `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="output from above"` to `/etc/attic.env`
|
||||
|
||||
I generated a token to configure the caches using the following command:
|
||||
|
||||
```
|
||||
atticd-atticadm make-token --sub daylin --push "*" --pull "*" --validity '1y' --create-cache "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*" --delete "*"
|
||||
```
|
||||
|
||||
If I handled secrets via `sops` or `agenix` I think this could be stored directly in the repo.
|
||||
I also had to modify the firewall so that docker would forward along the requests by caddy to `host.docker.internal` correctly.
|
||||
|
||||
|
|
58
hosts/algiz/services.nix
Normal file
58
hosts/algiz/services.nix
Normal file
|
@ -0,0 +1,58 @@
|
|||
{ pkgs, enabled, ... }:
|
||||
let
|
||||
atticPort = "5656";
|
||||
in
|
||||
{
|
||||
|
||||
services.resolved = enabled;
|
||||
|
||||
services.fail2ban = enabled // {
|
||||
maxretry = 5;
|
||||
bantime = "24h";
|
||||
};
|
||||
|
||||
services.openssh = enabled // {
|
||||
settings.PasswordAuthentication = false;
|
||||
};
|
||||
|
||||
security.polkit = enabled; # attic was looking for this...
|
||||
environment.systemPackages = [ pkgs.attic-client ];
|
||||
|
||||
# allow docker to forward the request to the host running attic
|
||||
# https://discourse.nixos.org/t/docker-container-not-resolving-to-host/30259/6
|
||||
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port ${atticPort} -s 172.16.0.0/12 -j ACCEPT";
|
||||
services.atticd = enabled // {
|
||||
|
||||
# Replace with absolute path to your credentials file
|
||||
environmentFile = "/etc/atticd.env";
|
||||
|
||||
settings = {
|
||||
listen = "[::]:${atticPort}";
|
||||
|
||||
jwt = { };
|
||||
|
||||
# Data chunking
|
||||
#
|
||||
# Warning: If you change any of the values here, it will be
|
||||
# difficult to reuse existing chunks for newly-uploaded NARs
|
||||
# since the cutpoints will be different. As a result, the
|
||||
# deduplication ratio will suffer for a while after the change.
|
||||
chunking = {
|
||||
# The minimum NAR size to trigger chunking
|
||||
#
|
||||
# If 0, chunking is disabled entirely for newly-uploaded NARs.
|
||||
# If 1, all NARs are chunked.
|
||||
nar-size-threshold = 64 * 1024; # 64 KiB
|
||||
|
||||
# The preferred minimum size of a chunk, in bytes
|
||||
min-size = 16 * 1024; # 16 KiB
|
||||
|
||||
# The preferred average size of a chunk, in bytes
|
||||
avg-size = 64 * 1024; # 64 KiB
|
||||
|
||||
# The preferred maximum size of a chunk, in bytes
|
||||
max-size = 256 * 1024; # 256 KiB
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -2,12 +2,6 @@
|
|||
{
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
services.resolved = enabled;
|
||||
|
||||
services.fail2ban = enabled // {
|
||||
maxretry = 5;
|
||||
bantime = "24h";
|
||||
};
|
||||
|
||||
# # added to make using `pip install` work in docker build
|
||||
# networking.nameservers = [ "8.8.8.8"];
|
||||
|
@ -20,12 +14,6 @@
|
|||
];
|
||||
};
|
||||
|
||||
services.openssh = enabled // {
|
||||
settings.PasswordAuthentication = false;
|
||||
};
|
||||
|
||||
# users.mutableUsers = false;
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub = enabled // {
|
||||
device = "/dev/sda"; # or "nodev" for efi only
|
||||
|
|
Loading…
Reference in a new issue