From 5766bdda99d4cb3b3663d54b3656258b14923b28 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Fri, 17 Nov 2023 22:14:19 +0000 Subject: [PATCH] nixos/object: Use local storage instead of s3 --- lib/constants.nix | 2 ++ nixos/boxes/colony/vms/default.nix | 1 + .../colony/vms/shill/containers/object.nix | 34 +++++++++++++++---- nixos/boxes/colony/vms/shill/default.nix | 6 ++++ secrets/object/atticd.env.age | 29 +++++++--------- 5 files changed, 49 insertions(+), 23 deletions(-) diff --git a/lib/constants.nix b/lib/constants.nix index d024b7e..24e7751 100644 --- a/lib/constants.nix +++ b/lib/constants.nix @@ -5,11 +5,13 @@ matrix-syncv3 = 400; gitea-runner = 401; jellyseerr = 402; + atticd = 403; }; gids = { matrix-syncv3 = 400; gitea-runner = 401; jellyseerr = 402; + atticd = 403; }; }; diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix index a1a3c5a..684b296 100644 --- a/nixos/boxes/colony/vms/default.nix +++ b/nixos/boxes/colony/vms/default.nix @@ -145,6 +145,7 @@ (lvmDisk "media") (lvmDisk "minio") + (lvmDisk "nix-atticd") (lvmDisk "git") ]); }; diff --git a/nixos/boxes/colony/vms/shill/containers/object.nix b/nixos/boxes/colony/vms/shill/containers/object.nix index 887bfe2..7d6e0fc 100644 --- a/nixos/boxes/colony/vms/shill/containers/object.nix +++ b/nixos/boxes/colony/vms/shill/containers/object.nix @@ -60,9 +60,23 @@ in }; }; + users = with lib.my.c.ids; let inherit (config.services.atticd) user group; in { + users."${user}" = { + isSystemUser = true; + uid = uids.atticd; + group = group; + }; + groups."${user}".gid = gids.atticd; + }; + systemd = { network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; - services = { + + services = + let + awaitPostgres = systemdAwaitPostgres pkgs.postgresql "colony-psql"; + in + { minio = { environment = { MINIO_ROOT_USER = "minioadmin"; 
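Review bot: In the new `users` block of object.nix the group is declared under the user's name, `groups."${user}".gid = gids.atticd;`, while the account is assigned `group = group;` from `config.services.atticd.group`. The two only agree while the module's user and group names are identical; if they ever differ, the account will reference a group that is never created with the pinned gid. I would key it on the inherited value, `groups."${group}".gid = gids.atticd;`, and write `inherit group;` on the user. A one-line comment saying why the ids are pinned (presumably so that ownership on the persistent volume stays stable across rebuilds) would also help.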
@@ -71,7 +85,17 @@ in MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie"; }; }; - sharry = systemdAwaitPostgres pkgs.postgresql "colony-psql"; + sharry = awaitPostgres; + atticd = mkMerge [ + awaitPostgres + { + serviceConfig = { + # Needs to be able to access its data + DynamicUser = mkForce false; + BindPaths = [ "/mnt/atticd:/var/lib/atticd/storage" ]; + }; + } + ]; }; }; @@ -159,10 +183,8 @@ in api-endpoint = "https://nix-cache.${pubDomain}/"; database = mkForce {}; # blank to pull from env storage = { - type = "s3"; - region = "eu-central-1"; - bucket = "nix-attic"; - endpoint = "https://s3.nul.ie"; + type = "local"; + path = "/var/lib/atticd/storage"; }; chunking = { nar-size-threshold = 65536; diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix index 408ba39..52c0496 100644 --- a/nixos/boxes/colony/vms/shill/default.nix +++ b/nixos/boxes/colony/vms/shill/default.nix @@ -81,6 +81,7 @@ in fsType = "ext4"; neededForBoot = true; }; + "/mnt/media" = { device = "/dev/disk/by-label/media"; fsType = "ext4"; @@ -89,6 +90,10 @@ in device = "/dev/disk/by-label/minio"; fsType = "xfs"; }; + "/mnt/atticd" = { + device = "/dev/disk/by-label/atticd"; + fsType = "ext4"; + }; }; nix.settings = { @@ -175,6 +180,7 @@ in object = { bindMounts = { "/mnt/minio".readOnly = false; + "/mnt/atticd".readOnly = false; }; }; toot = {}; diff --git a/secrets/object/atticd.env.age b/secrets/object/atticd.env.age index 5a16b8d..d55f29c 100644 --- a/secrets/object/atticd.env.age +++ b/secrets/object/atticd.env.age 
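Review bot: In the `atticd` serviceConfig of object.nix, `DynamicUser = mkForce false;` also removes the sandboxing systemd implies for dynamic users (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID). The atticd module may set some of these itself, but the hunk does not show that. Because this service stores content pushed by cache clients, I would state them next to the override, e.g. `ProtectSystem = "strict"; PrivateTmp = true; NoNewPrivileges = true;`, after checking the state directory and the bind-mounted storage path remain writable. The existing comment could give the actual reason, e.g. `# Static uid/gid so ownership of /mnt/atticd persists; DynamicUser would allocate a fresh id`. Nothing visible in the patch creates or chowns `/mnt/atticd` for the atticd user, so a tmpfiles rule may be needed unless that is done out of band.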
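Review bot: The literal `/var/lib/atticd/storage` in the new `storage.path` (hunk `@@ -159,10 +183,8 @@` of object.nix) duplicates the right-hand side of the `BindPaths` entry added in the previous hunk. The two must stay identical for the bind mount to land where atticd writes. A single `let` binding used in both places, or a short comment such as `# must match BindPaths in systemd.services.atticd`, would prevent silent drift to an unmounted directory on the container's root filesystem.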
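Review bot: The new `"/mnt/atticd"` entry in shill/default.nix (hunk `@@ -89,6 +90,10 @@`) sets no mount options, so a volume that only holds uploaded cache data is mounted with exec, suid and device nodes allowed. For a data-only filesystem I would add `options = [ "nosuid" "nodev" "noexec" ];`, and confirm the flags still apply through the `object` container's bind mount added in the last hunk of this file. Separately, the disk is attached as `lvmDisk "nix-atticd"` in vms/default.nix while the mount looks up `/dev/disk/by-label/atticd`. That works only if the filesystem was labelled `atticd` when it was created, which the patch does not show, so a comment recording the label would help.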
@@ -1,19 +1,14 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBFZGRt -cjlNMnY4eDJ6enMzbjRrYk9rdk5aUlpjUFhWUXhrL0N1RFhOVnp3CmJWNzJXV3RW -RGEzRTJxT01nZlIyTE84Y1poblUwa3VUUkxvK2ZUdHVFWlUKLT4gWDI1NTE5IEJn -NFVUNk9mZXpUUCtRc1E2WjFhY2k1K1RpTFBLSTZpZzkrRjZEMC9nRzgKRXQvR1ZY -d2gwOENSN283TlpBQlU3K2pndk5vZldqUmxQczloTEhFZFlFNAotPiBYMjU1MTkg -cURjVytMNU1xUFdWcVVVL2pweXE3VUFHdkZvcVk1eUFpcEVWQkk4NkFYbwpUZkJv -QnlXRFZmMi8wMUFOVHhIRVUxOG9VaENrbGwwUHI5YTBzbE5oMnVJCi0+IHMtZ3Jl -YXNlClp4NmpRSTlOUjF2MnZnZVFaYUltNVdEZmdxSFpYK1NDVUY4TGFXRTB6KzlW -dzBHVEs2TVdyNEpZTVU5ZktoMSsKNEtjUyttSVA5VTJoazg0ay9BCi0tLSBQbGx4 -T3BVUmo2KzNzdFd2MmlVWHM3OUtvRTV5dm9Hc1ZtdW9KT1UrYmNRCleCUn5rMaT3 -1eZtb7kLC2CATBgghXRv/ao9RAal9IrqEUiaeFk6H2IS5VL2ew97Chz2Rq48NQFG -WpVxdM/Uhc2mVHXhHA7tUcMkICPwRSZ/B++1CvYBfzpGq+B2rPmMKAGeIk+yGFgt -hWpssoaSMnaI58wBfT1SpNDPMm5ukQqcqb5LON/UZ4ExajNeTVEXZUJE6+cEfgrG -/1n4Jp86A0jI45/IF+kxzP8MMgQs6aZ4/iiynMubJE8D7dB51QhTfx8RMQ4zOPyT -Ak46cl7tZB+4sww7DE5sz5VXWMoEHig6qlLu0j/AonQCOMqoQj3dRiU0gfRJacu9 -4TMeDiY3GS0AjIIO6ENgnsk6gCn8tZ8HOZ85a9EbOT+LVjnL3EVVSup81uquGoJf -Q6/0JkjFOWZuVJIaI2s6NFbfyA3vC1ig +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhrYnR2ZyBWd2Fx +WlJJV2NYZkpnbUNmM1BIK241MUtNczhtbjhzNTJBb2plTG14ZFc4CnlESmNHMEJH +NTR0Q3ZXWTRtdlc4a1lyOHF3WHlLVlhCRnBsSG1TUzNMNnMKLT4gWDI1NTE5IFhQ +eGF0MEdkQXBnTFVxbDRwOHQ3Nm5OTG90czRXaE8vcTdWSzM1SnlGM1kKUVA3Z1Y3 +cld6MSt2dk5qMVpDd1NGWUtrd2w0OForUjlObHJKNCtiekZwVQotPiB6fS8tZ3Jl +YXNlCmkwK2dDbkVNVmxlZXBxV2wKLS0tIEFJSHl5SGFIQUtqczRBakJlMU8vQWRM +T2dQZUtpbkJrai9aVlJUNWkxaFUKvYcEdjxs2G+ATNCJ6mbxdyQQW11h++QLFoBg +EwAP1m3k5mxMTyfGhv7L0QNSAmisy8nUDm8dYkmiiN7QOnXSAUVr7Li+aNDji81f +0Nz3PI1rpmj5AIJ49CN91c+iynzBIXVEeoHgap5SGAmD/SaG+MwChW96KEX9Vpsx +1g98+ciETPBlhF0hKtJsxSRAbjbioU6x0TwIAHAW9zmunEMSINV6MdVH+HslQpcr +/cMlE/cAuOhDzSajGu8uGfoiaQ87gAs4TXsSoFtPDvHKx9xlUImW5DjPv7Fn/Avg +CJNO7/NfzfE4bdAf8QkwDoWyLMYnlfBZyGA/ryW0YUkT -----END AGE ENCRYPTED FILE-----
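Review bot: Replacing `secrets/object/atticd.env.age` does not retire anything the old file protected, because the previous ciphertext stays in git history and remains decryptable by every key it was encrypted to. If the old environment file carried the S3 access key for the `nix-attic` bucket (likely given this commit drops the S3 backend, though the plaintext is not visible), that key should be revoked on the MinIO side rather than just removed here. The age header also appears to go from three recipient stanzas to two; if a recipient was dropped on purpose, any secret still present in the new file should be regenerated, since the dropped key can still read the old blob. The commit message could record which of these was done.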