From 4c1ccd22ff93415c0c1c7786e9a4c6182090ca82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Madeleine=20Sydney=20=C5=9Alaga?= Date: Wed, 4 Mar 2026 14:48:35 -0700 Subject: [PATCH] wip: attic --- hosts/deertopia/configuration.nix | 1 + modules/nixos/deertopia/atticd.nix | 40 ++++++++++++++++++++++++++++++ modules/nixos/impermanence.nix | 11 ++++++++ secrets.yaml | 5 ++-- 4 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 modules/nixos/deertopia/atticd.nix diff --git a/hosts/deertopia/configuration.nix b/hosts/deertopia/configuration.nix index 13103ef..2c0bd1f 100644 --- a/hosts/deertopia/configuration.nix +++ b/hosts/deertopia/configuration.nix @@ -49,6 +49,7 @@ deertopia = { authelia.enable = true; + atticd.enable = true; gitea.enable = true; quiver.enable = true; www.enable = true; diff --git a/modules/nixos/deertopia/atticd.nix b/modules/nixos/deertopia/atticd.nix new file mode 100644 index 0000000..9223c87 --- /dev/null +++ b/modules/nixos/deertopia/atticd.nix 
@@ -0,0 +1,40 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.atticd; +in { + options.sydnix.deertopia.atticd = { + enable = lib.mkEnableOption "Atticd"; + port = lib.mkOption { + default = 8012; + type = lib.types.port; + }; + }; + + # sudo atticd-atticadm make-token --sub msyds --validity '1 year' --pull 'msyds-*' --push 'msyds-*' --create-cache 'msyds-*' --configure-cache 'msyds-*' + config = lib.mkIf cfg.enable { + sydnix.sops.secrets.atticd-environment-file = { + # owner = config.services.atticd.user; + # group = config.services.atticd.group; + }; + + services.atticd = { + enable = true; + environmentFile = + config.sops.secrets.atticd-environment-file.path; + settings = { + api-endpoint = "https://attic.deertopia.net/"; + listen = "[::]:${toString cfg.port}"; + garbage-collection = { + default-retention-period = "3 months"; + }; + }; + }; + + sydnix.deertopia.nginx.vhosts."attic".vhost = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = + "http://127.0.0.1:${toString cfg.port}"; + }; + }; +} diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index 254b2d8..6c33360 100644 --- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix @@ -70,6 +70,10 @@ in { }; # O_O what the fuck did i write this for.... CONCERNING. + # + # oh because of these types of errors: + # Directory "/var/lib/private" already exists, but has mode 0755 + # that is too permissive (0700 was requested), refusing. systemd.tmpfiles.settings."10-varlibprivate" = { "/var/lib/private" = { z.group = "root"; @@ -78,6 +82,13 @@ in { }; }; + # Workaround for https://github.com/nix-community/impermanence/issues/254. + systemd.services."systemd-tmpfiles-resetup" = { + serviceConfig = { + RemainAfterExit = lib.mkForce false; + }; + }; + # Permit members of `cfg.persistGroupName` to read, write, and execute # /persist. systemd.tmpfiles.settings."10-persist" = { 
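Review bot: `listen = "[::]:${toString cfg.port}";` in `services.atticd.settings` binds the daemon on every interface, although the nginx vhost in the same hunk only reaches it at `http://127.0.0.1:${toString cfg.port}`. The firewall rules are not part of this patch, so if port 8012 is ever reachable from outside, clients could talk to atticd over plain HTTP and bypass the `forceSSL` vhost, sending the bearer tokens from the `make-token` comment unencrypted. Binding to loopback keeps nginx as the only entry point: `listen = "127.0.0.1:${toString cfg.port}";`. The two commented-out `owner`/`group` lines under `atticd-environment-file` should either be removed or replaced by a one-line comment stating which account reads the file.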
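Review bot: The `systemd-tmpfiles-resetup` override in the second impermanence.nix hunk is explained only by a link, so a reader must leave the repository to learn what `RemainAfterExit = lib.mkForce false` works around. `lib.mkForce` replaces whatever value the unit otherwise carries, and this unit presumably re-applies tmpfiles rules such as the 0700 mode on `/var/lib/private` discussed just above, so the comment should state the symptom and the removal condition. Something like `# Let systemd-tmpfiles-resetup run again on later activations; drop once impermanence#254 is resolved.` would do. That wording is inferred from the setting itself and should be checked against the issue.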
diff --git a/secrets.yaml b/secrets.yaml index d34b43e..3641abd 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -30,6 +30,7 @@ anki-username: ENC[AES256_GCM,data:584uxjwyodM=,iv:/6HLSLzHgc77U1iN5JDLR9F+o8Nfe anki-password: ENC[AES256_GCM,data:plSKMTeeilKt6weAnzw/jMo65A==,iv:lzuPUt1+2Iwi9sHbaFj0OuBLd1p+Do2N5aCYXd45MFQ=,tag:WIABFp1T6NuIGpqqQFHmrg==,type:str] anki-sync-key: ENC[AES256_GCM,data:Ka4sPghPwmWQvdXw40ZRLogoMVTBjLnaSyHT9lTfn2XWHHqFAkANAg==,iv:bFkb/k7UUL8t26LjmQwiDYJpvq93NWuqUU/jNYkr7GQ=,tag:Mx5JdqjI3MDk7hsvOlPYIw==,type:str] gitea-actions-runner-token: ENC[AES256_GCM,data:JglbJ2hgXl1wV2bCkcged+D3UrpWMMBuX+ri6YeIqwLIlscvK/wVCdsxQZtDGw==,iv:BYhgfoIa/wHQkd4c7kU8AWAJQfpTfUvSamFXDBqQXTE=,tag:sIK1XxVPIU+uBGaJY3AmTQ==,type:str] +atticd-environment-file: ENC[AES256_GCM,data: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,iv:aM+lvNhM2dvU/L5R0ALVqKXvsb/xXfxfmn9eeDYZaO8=,tag:GVLw5mF2gqiJtU1sDsZpeg==,type:str] sops: age: - recipient: age10fqh0td67alzpyjyhdex5ncj9thvaty506r0t63vs2nz4ldafgaqadl8mg @@ -50,7 +51,7 @@ sops: TXFLY2l0UHJ3Z0NGZjVpbTQ2UC8yaTQKA7wTmW9Ha6T2KmCr/nkXdizgv8+V6SAp ZhDO+uDQ1evIh2wLWMOXNJ3d/zplLCOTzR2xkqBIUp5V7MXj45RUIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-01T08:57:03Z" - mac: ENC[AES256_GCM,data:uNqk+x+nLgDUdHI5flUuXF/vGnkMpUUhdFfkOULm+bebkPL6PI5kJHV78GPs+aA9BPCmTvomgGe51zvyJFRcH3gBJ2bF5YfdC0ROrRbZS4KYIuZwrELf77zq73MbIFt//BTpDYK4cUC8CPRoAEwtoTG6lyHbxcAk4+B5w2NFfN8=,iv:rFaEaav1LHrhtKtiRfIqHTj5+cOBv3lC1UyqEvOoUsg=,tag:x/4n+rcQxd+neQGLcXa66g==,type:str] + lastmodified: "2026-03-05T17:41:38Z" + mac: ENC[AES256_GCM,data:RPX20ntdN4NoJURlG0ByPamVic0dLnLgP0UGgCwt25u3P4ssrYFV5EYBWLx8o/wERcWdTj2f82zBuPPQhz79cJf/O0Mplpnmm+LDSD8kmEPBLx1hKH9ru7hmQNOL/KS0jWQi9CxbJWX2OEaqaInjkDv/YkVJ4l2CmsoqbJDfvuM=,iv:rTU+iMp68IGaC/g3wuJ54EqCIg0I+eZqxuvVGPZngrQ=,tag:OHjoHVUgxQ3m93tid8PEwA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 -- 2.53.0