Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: atticd server

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2025-10-14 22:24:35 +02:00
parent 5ea3bac570
commit c9900e4314
2 changed files with 49 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
hosts/web-arm/modules/atticd.nix
View File

@@ -27,29 +27,25 @@ in {
# API endpoint configuration
api-endpoint = "https://${atticHost}/";
# Allow automatic registration (set to false for production if you want to control access)
allow-registration = false;
# Require tokens for all operations
require-proof-of-possession = true;
# Chunking settings for large uploads
chunking = {
# Minimum chunk size: 16 MiB
min-size = 16 * 1024 * 1024;
# Average chunk size: 64 MiB
avg-size = 64 * 1024 * 1024;
# Maximum chunk size: 256 MiB
max-size = 256 * 1024 * 1024;
nar-size-threshold = 65536;
min-size = 16384;
avg-size = 65536;
max-size = 262144;
};
# Garbage collection
garbage-collection = {
# GC interval in seconds (12 hours)
interval = 12 * 60 * 60;
interval = "12 hours";
# Delete unreferenced chunks after 7 days
default-retention-period = 7 * 24 * 60 * 60;
default-retention-period = "6 months";
};
# Storage configuration
@@ -57,7 +53,7 @@ in {
# Use local filesystem storage
type = "local";
# Store in /var/lib/atticd
path = "/var/lib/atticd/storage";
path = "/var/lib/atticd-storage";
};
# Optional: S3-compatible storage (commented out)
@@ -70,7 +66,8 @@ in {
# Database configuration
database = {
url = "postgresql://atticd@/atticd?host=/run/postgresql";
# url = "postgresql://atticd@/atticd?host=/run/postgresql";
url = "postgresql:///atticd?host=/run/postgresql&user=atticd";
};
# Compression
@@ -82,33 +79,34 @@ in {
};
};
# Create state directory with proper permissions
systemd.services.atticd = {
serviceConfig = {
StateDirectory = "atticd";
StateDirectoryMode = "0750";
# Security hardening
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
NoNewPrivileges = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
LockPersonality = true;
ProtectProc = "invisible";
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectHostname = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
# Resource limits
LimitNOFILE = 65536;
};
};
# systemd.services.atticd = {
# serviceConfig = {
# StateDirectory = "atticd";
# StateDirectoryMode = "0750";
# # Security hardening
# PrivateTmp = true;
# ProtectSystem = "strict";
# ProtectHome = true;
# NoNewPrivileges = true;
# RestrictNamespaces = true;
# RestrictRealtime = true;
# RestrictSUIDSGID = true;
# LockPersonality = true;
# ProtectProc = "invisible";
# ProtectClock = true;
# ProtectKernelLogs = true;
# ProtectControlGroups = true;
# ProtectKernelModules = true;
# ProtectKernelTunables = true;
# ProtectHostname = true;
# SystemCallFilter = "@system-service";
# SystemCallErrorNumber = "EPERM";
# # Resource limits
# LimitNOFILE = 65536;
# };
# };
# Nginx reverse proxy configuration
services.nginx.virtualHosts."${atticHost}" = {
@@ -193,11 +191,18 @@ in {
services.postgresql.ensureDatabases = [ "atticd" ];
services.postgresqlBackup.databases = [ "atticd" ];
services.borgbackup.jobs.default.exclude = [
"/var/lib/atticd"
"/var/lib/atticd-storage"
];
fileSystems."/var/lib/atticd/storage" = {
systemd.tmpfiles.rules = [
"d /var/lib/atticd-storage 0755 atticd atticd -"
];
environment.systemPackages = [ pkgs.cifs-utils ];
fileSystems."/var/lib/atticd-storage" = {
device = "//u149513.your-backup.de/u149513-sub9/";
fsType = "cifs";
options = let

6
hosts/web-arm/secrets.yaml
View File

File diff suppressed because one or more lines are too long