From 0c57b2deae09c968781e609a2fabd7e8bf632d81 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sat, 27 Apr 2024 20:53:32 +0200
Subject: [PATCH] persist attic data
---
 kubenix-modules/atticd.nix | 101 ++++++++++++++++++++++++++-------
 kubenix-modules/blog.nix | 2 +-
 nixos-modules/data-sharing.nix | 2 +
 secrets/sops.yaml | 7 ++-
 4 files changed, 90 insertions(+), 22 deletions(-)
diff --git a/kubenix-modules/atticd.nix b/kubenix-modules/atticd.nix
index c3ab624..9cea734 100644
--- a/kubenix-modules/atticd.nix
+++ b/kubenix-modules/atticd.nix
@@ -1,33 +1,94 @@
-{
- kubernetes.resources = {
- deployments.atticd = {
- metadata.labels.app = "atticd";
+{ pkgs, ... }: {
+ kubernetes.resources =
+ let
+ atticdSettings = {
+ database.url = "ref+sops://secrets/sops.yaml#atticd/databaseURL";
 
- spec = {
- selector.matchLabels.app = "atticd";
+ storage = {
+ type = "local";
+ path = "/var/lib/atticd/storage";
+ };
 
- template = {
- metadata.labels.app = "atticd";
+ listen = "[::]:8080";
 
- spec = {
- containers.atticd = {
- image = "git.kun.is/pim/atticd-nix-image:test";
- ports.web.containerPort = 8080;
+ # Data chunking
+ #
+ # Warning: If you change any of the values here, it will be
+ # difficult to reuse existing chunks for newly-uploaded NARs
+ # since the cutpoints will be different. As a result, the
+ # deduplication ratio will suffer for a while after the change.
+ chunking = {
+ # The minimum NAR size to trigger chunking
+ #
+ # If 0, chunking is disabled entirely for newly-uploaded NARs.
+ # If 1, all NARs are chunked.
+ nar-size-threshold = 64 * 1024; # 64 KiB
+
+ # The preferred minimum size of a chunk, in bytes
+ min-size = 16 * 1024; # 16 KiB
+
+ # The preferred average size of a chunk, in bytes
+ avg-size = 64 * 1024; # 64 KiB
+
+ # The preferred maximum size of a chunk, in bytes
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ generatedConfig = (pkgs.formats.toml { }).generate "atticd.toml" atticdSettings;
+ in
+ {
+ configMaps = {
+ atticd-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#atticd/jwtToken";
+ atticd-config.data.config = builtins.readFile generatedConfig;
+ };
+
+ deployments.atticd = {
+ metadata.labels.app = "atticd";
+
+ spec = {
+ selector.matchLabels.app = "atticd";
+
+ template = {
+ metadata.labels.app = "atticd";
+
+ spec = {
+ containers.atticd = {
+ image = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27";
+ envFrom = [{ configMapRef.name = "atticd-env"; }];
+ ports.web.containerPort = 8080;
+ args = [ "-f" "/etc/atticd/config.toml" ];
+
+ volumeMounts = [
+ {
+ name = "data";
+ mountPath = "/var/lib/atticd/storage";
+ }
+ {
+ name = "config";
+ mountPath = "/etc/atticd/config.toml";
+ subPath = "config";
+ }
+ ];
+ };
+
+ volumes = {
+ data.persistentVolumeClaim.claimName = "atticd";
+ config.configMap.name = "atticd-config";
+ };
 };
 };
 };
 };
- };
 
- services.atticd.spec = {
- selector.app = "atticd";
+ services.atticd.spec = {
+ selector.app = "atticd";
 
- ports.web = {
- port = 80;
- targetPort = "web";
+ ports.web = {
+ port = 80;
+ targetPort = "web";
+ };
 };
 };
- };
 
 lab = {
 ingresses.atticd = {
@@ -38,5 +99,7 @@
 portName = "web";
 };
 };
+
+ nfsVolumes.atticd.path = "atticd";
 };
 }
diff --git a/kubenix-modules/blog.nix b/kubenix-modules/blog.nix
index 06d3e77..aaef092 100644
--- a/kubenix-modules/blog.nix
+++ b/kubenix-modules/blog.nix
@@ -11,7 +11,7 @@
 
 spec = {
 containers.blog = {
- image = "git.kun.is/home/blog-pim:5a7cb47dd4a8b6286f6987781683b174cd280b95";
+ image = "git.kun.is/home/blog-pim:fd910d91c2143295e959d2c903e9ea25cf94ba27";
 ports.web.containerPort = 80;
 };
 };
diff --git a/nixos-modules/data-sharing.nix b/nixos-modules/data-sharing.nix
index 771438e..0db03b4 100644
--- a/nixos-modules/data-sharing.nix
+++ b/nixos-modules/data-sharing.nix
@@ -31,6 +31,7 @@ let
 "/sonarr/config"
 "/bazarr/config"
 "/minecraft"
+ "/atticd"
 ];
 
 nfsExports = lib.strings.concatLines (
@@ -93,6 +94,7 @@ in
 host nextcloud nextcloud all md5
 host hedgedoc hedgedoc all md5
 host paperless paperless all md5
+ host attic attic all md5
 '';
 };
 };
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index af0c8bf..be1861a 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
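Review bot: The HS256 token-signing secret and the rendered `atticd.toml`, which carries `database.url`, are both published through `configMaps` (`atticd-env` and `atticd-config`), so once the `ref+sops://` references are resolved the plaintext ends up in ConfigMap objects. ConfigMaps are not covered by Secret-scoped RBAC or by at-rest encryption configured for Secrets, and anyone able to read ConfigMaps in the namespace could sign valid attic tokens or reach the database. Both values belong in `secrets`, with the container reading them through `secretRef` and the config volume through `secret.secretName`. Whether the deploy tooling resolves `ref+sops://` inside Secret resources the same way is not visible in this hunk and should be confirmed.

```nix
secrets = {
  atticd-env.stringData.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#atticd/jwtToken";
  atticd-config.stringData.config = builtins.readFile generatedConfig;
};
# … unchanged: deployments.atticd labels, selector, template, image …
envFrom = [{ secretRef.name = "atticd-env"; }];
# … unchanged: ports, args, volumeMounts, data volume …
config.secret.secretName = "atticd-config";
```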
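Review bot: The added `host attic attic all md5` rule in the second data-sharing.nix hunk accepts connections for the attic role from any address, does not require TLS, and uses the `md5` method; it copies the three rules above it, but this role's password now also travels inside the atticd database URL. Prefer `hostssl attic attic <cluster-cidr> scram-sha-256`, where `<cluster-cidr>` is a placeholder for the network the cluster nodes connect from. If the server already stores passwords as SCRAM verifiers, `md5` is negotiated as SCRAM anyway, so check `password_encryption` before treating the method as the gap; the address and TLS points hold either way. The authentication block starts outside the hunk, and the sibling rules share the same pattern.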
@@ -16,6 +16,9 @@ forgejo:
 lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
 internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
 runnerToken: ENC[AES256_GCM,data:F6PsbkhT1epKfi9MpLpMqDosloVkhIiq/olBi/bbt8k88qxfw0vwvg==,iv:I/LH8V0Um+PCpjSrcjiZAN71nXcqv1m84wBUPLWT33Q=,tag:Y3qhbt7OqkRbHOCXRKLUeg==,type:str]
+atticd:
+ jwtToken: ENC[AES256_GCM,data:DTiREnIdZxsewzLXeZgERBJKorUuqI71TgmUyKyc8iH6ioJLciU/9wfLiO+ltUA+3eEnuyuJHTpFwtLS0Wrjh5G4kYNkiX6Mw1bEJZnR+x2xJAJmfa4sJw==,iv:8jJfPosy02vezJOA0oKSphUItWqQ0Pr1cc8rBSuSawE=,tag:p+dZBP5+EYHjtTH9EkdYsw==,type:str]
+ databaseURL: ENC[AES256_GCM,data:beyFNmbapw9asGHZN52taNx6klO3IQJ7wXbYTvo1NMaFyvo5qk2osocrwkeVv3w8bUWGgbQ/LKLuvg==,iv:qGFwhuLj0ApY9EpclM0x1nVBqXjv8XZC58cy6AE3AtQ=,tag:an+slq4Wlh7/sunX44yxOQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -31,8 +34,8 @@ sops:
 dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin
 EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-17T21:16:56Z"
- mac: ENC[AES256_GCM,data:ICOsWZ7F7boyYhkFGgqJZOCY9aPXI5YvQfqcKkj4Pt/LoU9+PDi2iSDN47VTTloqIXap4PhEMEi7He6AV3r9DTHKT5PxQcWxESGffLlUlK7Q3a/H1V63Sdy9Ct1PycKupjEEWylYXWTWG5/dGe9qh6u1ZS7adz5fHxA3Y8MT6Dg=,iv:61IexBQQse6iShry10toUAjc3gLf588PKJFK+aJWCbY=,tag:wrSM4ipHBMXIEfLLLGe/Tw==,type:str]
+ lastmodified: "2024-04-27T18:37:27Z"
+ mac: ENC[AES256_GCM,data:LP0gbW3AI0hKE3dfVdDC0+BMtz2fRbtgfxVF7zPZ6cg09cXaOlNPExAxEIzp0pBtTN7114hL3MNzczov64ES9YvP8XIXDcEZzQxVqUgkacgrCIfm1Zd2o1sIT9ORreK04+S4gnvMgbXq9TAEnxnK2SVhvthwmLVw3MXjBb2+/wc=,iv:Nf7c+AdaU8yCnhHYKwERdMzFw0qY0y0c8VMxa/Hcg50=,tag:SRvJ0YqimkswD8Ljp69jog==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1