fix: atticd server

2025-10-14 22:24:35 +02:00
parent 5ea3bac570
commit c9900e4314
2 changed files with 49 additions and 44 deletions


@@ -27,29 +27,25 @@ in {
# API endpoint configuration # API endpoint configuration
api-endpoint = "https://${atticHost}/"; api-endpoint = "https://${atticHost}/";
# Allow automatic registration (set to false for production if you want to control access)
allow-registration = false;
# Require tokens for all operations # Require tokens for all operations
require-proof-of-possession = true; require-proof-of-possession = true;
# Chunking settings for large uploads # Chunking settings for large uploads
chunking = { chunking = {
# Minimum chunk size: 16 MiB nar-size-threshold = 65536;
min-size = 16 * 1024 * 1024; min-size = 16384;
# Average chunk size: 64 MiB avg-size = 65536;
avg-size = 64 * 1024 * 1024; max-size = 262144;
# Maximum chunk size: 256 MiB
max-size = 256 * 1024 * 1024;
}; };
# Garbage collection # Garbage collection
garbage-collection = { garbage-collection = {
# GC interval in seconds (12 hours) # GC interval in seconds (12 hours)
interval = 12 * 60 * 60; interval = "12 hours";
# Delete unreferenced chunks after 7 days # Delete unreferenced chunks after 7 days
default-retention-period = 7 * 24 * 60 * 60; default-retention-period = "6 months";
}; };
# Storage configuration # Storage configuration
@@ -57,7 +53,7 @@ in {
# Use local filesystem storage # Use local filesystem storage
type = "local"; type = "local";
# Store in /var/lib/atticd # Store in /var/lib/atticd
path = "/var/lib/atticd/storage"; path = "/var/lib/atticd-storage";
}; };
# Optional: S3-compatible storage (commented out) # Optional: S3-compatible storage (commented out)
@@ -70,7 +66,8 @@ in {
# Database configuration # Database configuration
database = { database = {
url = "postgresql://atticd@/atticd?host=/run/postgresql"; # url = "postgresql://atticd@/atticd?host=/run/postgresql";
url = "postgresql:///atticd?host=/run/postgresql&user=atticd";
}; };
# Compression # Compression
@@ -82,33 +79,34 @@ in {
}; };
}; };
# Create state directory with proper permissions # Create state directory with proper permissions
systemd.services.atticd = { # systemd.services.atticd = {
serviceConfig = { # serviceConfig = {
StateDirectory = "atticd"; # StateDirectory = "atticd";
StateDirectoryMode = "0750"; # StateDirectoryMode = "0750";
# Security hardening # # Security hardening
PrivateTmp = true; # PrivateTmp = true;
ProtectSystem = "strict"; # ProtectSystem = "strict";
ProtectHome = true; # ProtectHome = true;
NoNewPrivileges = true; # NoNewPrivileges = true;
RestrictNamespaces = true; # RestrictNamespaces = true;
RestrictRealtime = true; # RestrictRealtime = true;
RestrictSUIDSGID = true; # RestrictSUIDSGID = true;
LockPersonality = true; # LockPersonality = true;
ProtectProc = "invisible"; # ProtectProc = "invisible";
ProtectClock = true; # ProtectClock = true;
ProtectKernelLogs = true; # ProtectKernelLogs = true;
ProtectControlGroups = true; # ProtectControlGroups = true;
ProtectKernelModules = true; # ProtectKernelModules = true;
ProtectKernelTunables = true; # ProtectKernelTunables = true;
ProtectHostname = true; # ProtectHostname = true;
SystemCallFilter = "@system-service"; # SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM"; # SystemCallErrorNumber = "EPERM";
# Resource limits # # Resource limits
LimitNOFILE = 65536; # LimitNOFILE = 65536;
}; # };
}; # };
# Nginx reverse proxy configuration # Nginx reverse proxy configuration
services.nginx.virtualHosts."${atticHost}" = { services.nginx.virtualHosts."${atticHost}" = {
@@ -193,11 +191,18 @@ in {
services.postgresql.ensureDatabases = [ "atticd" ]; services.postgresql.ensureDatabases = [ "atticd" ];
services.postgresqlBackup.databases = [ "atticd" ]; services.postgresqlBackup.databases = [ "atticd" ];
services.borgbackup.jobs.default.exclude = [ services.borgbackup.jobs.default.exclude = [
"/var/lib/atticd" "/var/lib/atticd-storage"
]; ];
fileSystems."/var/lib/atticd/storage" = { systemd.tmpfiles.rules = [
"d /var/lib/atticd-storage 0755 atticd atticd -"
];
environment.systemPackages = [ pkgs.cifs-utils ];
fileSystems."/var/lib/atticd-storage" = {
device = "//u149513.your-backup.de/u149513-sub9/"; device = "//u149513.your-backup.de/u149513-sub9/";
fsType = "cifs"; fsType = "cifs";
options = let options = let
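Review bot: The hunk at -82,33 comments out the entire `systemd.services.atticd.serviceConfig` override, so (assuming the right-hand column is the new side) the unit loses `NoNewPrivileges`, `ProtectSystem = "strict"`, `SystemCallFilter = "@system-service"` and the other sandbox settings in one step, with no comment saying which of them broke the service. If the failure came from the storage path moving outside the state directory, keeping the block and adding `ReadWritePaths = [ "/var/lib/atticd-storage" ];` would be a narrower fix; whether the upstream atticd module already applies its own hardening is not visible on this page and should be confirmed. In the last hunk the tmpfiles rule creates the storage directory as `0755`, looser than the `0750` of the removed `StateDirectoryMode`; `"d /var/lib/atticd-storage 0750 atticd atticd -"` would keep it closed to other local users, though the effective mode once the CIFS share is mounted depends on the mount options cut off after `options = let`. The comments `# GC interval in seconds (12 hours)` and `# Delete unreferenced chunks after 7 days` no longer match the new values `"12 hours"` and `"6 months"` and should be updated.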

File diff suppressed because one or more lines are too long