niks3: Add nix binary cache

2026-06-09 13:27:27 +02:00
parent 5df05acd46
commit 2aed9ead11
17 changed files with 227 additions and 326 deletions
@@ -0,0 +1,27 @@
 bases:
 - ../envs/environments.yaml.gotmpl
 commonLabels:
  tier: system
 releases:
 - name: manifests
  namespace: niks3
  chart: manifests
  condition: niks3.enabled
  missingFileHandler: Info
  values:
  - ../values/env.yaml
  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
  - ../values/niks3/env.yaml.gotmpl
  - ../values/niks3/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
    command: ../bin/helmify
    args:
    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
    - '{{`{{ .Release.Chart }}`}}'
    - '{{`{{ .Environment.Name }}`}}'
    - ../values/niks3/manifests
    - manifests
@@ -1,2 +0,0 @@
 attic:
  enabled: false
@@ -1,27 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: attic
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  destination:
    namespace: attic
    server: "https://kubernetes.default.svc"
  sources:
    - repoURL: https://git.oceanbox.io/oceanbox/manifests.git
      targetRevision: HEAD
      path: values/attic/manifests
  project: aux
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        component: aux
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      # - ServerSideApply=true
    automated:
      prune: true
      # selfHeal: false
@@ -1,167 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  labels:
    app.kubernetes.io/name: attic
  name: attic-config
  namespace: attic
 data:
  config.toml: |
    # src: https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
    # Socket address to listen on
    listen = "[::]:8080"
    # Allowed `Host` headers
    #
    # This _must_ be configured for production use. If unconfigured or the
    # list is empty, all `Host` headers are allowed.
    allowed-hosts = []
    # The canonical API endpoint of this server
    #
    # This is the endpoint exposed to clients in `cache-config` responses.
    #
    # This _must_ be configured for production use. If not configured, the
    # API endpoint is synthesized from the client's `Host` header which may
    # be insecure.
    #
    # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
    # not `https://domain.tld/attic`).
    api-endpoint = "https://attic.srv.oceanbox.io/"
    # Whether to soft-delete caches
    #
    # If this is enabled, caches are soft-deleted instead of actually
    # removed from the database. Note that soft-deleted caches cannot
    # have their names reused as long as the original database records
    # are there.
    #soft-delete-caches = false
    # Whether to require fully uploading a NAR if it exists in the global cache.
    #
    # If set to false, simply knowing the NAR hash is enough for
    # an uploader to gain access to an existing NAR in the global
    # cache.
    #require-proof-of-possession = true
    # Database connection
    [database]
    # Connection URL
    #
    # For production use it's recommended to use PostgreSQL.
    url = "postgresql://app:mZP1BnmnpDU33B7UZvomYKOSS1laRJ4bvUR7jNDZ1AJqPdNxH2rLXykghczg7Bgy@attic-db-rw:5432/app"
    # Whether to enable sending on periodic heartbeat queries
    #
    # If enabled, a heartbeat query will be sent every minute
    #heartbeat = false
    # File storage configuration
    [storage]
    # Storage type
    #
    # Can be "local" or "s3".
    type = "local"
    # ## Local storage
    # The directory to store all files under
    path = "/attic"
    # ## S3 Storage (set type to "s3" and uncomment below)
    # The AWS region
    #region = "us-east-1"
    # The name of the bucket
    #bucket = "some-bucket"
    # Custom S3 endpoint
    #
    # Set this if you are using an S3-compatible object storage (e.g., Minio).
    #endpoint = "https://xxx.r2.cloudflarestorage.com"
    # Credentials
    #
    # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
    # `AWS_SECRET_ACCESS_KEY` environment variables.
    #[storage.credentials]
    #  access_key_id = ""
    #  secret_access_key = ""
    # Data chunking
    #
    # Warning: If you change any of the values here, it will be
    # difficult to reuse existing chunks for newly-uploaded NARs
    # since the cutpoints will be different. As a result, the
    # deduplication ratio will suffer for a while after the change.
    [chunking]
    # The minimum NAR size to trigger chunking
    #
    # If 0, chunking is disabled entirely for newly-uploaded NARs.
    # If 1, all NARs are chunked.
    nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
    # The preferred minimum size of a chunk, in bytes
    min-size = 16384            # 16 KiB
    # The preferred average size of a chunk, in bytes
    avg-size = 65536            # 64 KiB
    # The preferred maximum size of a chunk, in bytes
    max-size = 262144           # 256 KiB
    # Compression
    [compression]
    # Compression type
    #
    # Can be "none", "brotli", "zstd", or "xz"
    type = "zstd"
    # Compression level
    #level = 8
    # Garbage collection
    [garbage-collection]
    # The frequency to run garbage collection at
    #
    # By default it's 12 hours. You can use natural language
    # to specify the interval, like "1 day".
    #
    # If zero, automatic garbage collection is disabled, but
    # it can still be run manually with `atticd --mode garbage-collector-once`.
    interval = "1 week"
    # Default retention period
    #
    # Zero (default) means time-based garbage-collection is
    # disabled by default. You can enable it on a per-cache basis.
    default-retention-period = "6 months"
    [jwt]
    # WARNING: Changing _anything_ in this section will break any existing
    # tokens. If you need to regenerate them, ensure that you use the the
    # correct secret and include the `iss` and `aud` claims.
    # JWT `iss` claim
    #
    # Set this to the JWT issuer that you want to validate.
    # If this is set, all received JWTs will validate that the `iss` claim
    # matches this value.
    #token-bound-issuer = "some-issuer"
    # JWT `aud` claim
    #
    # Set this to the JWT audience(s) that you want to validate.
    # If this is set, all received JWTs will validate that the `aud` claim
    # contains at least one of these values.
    #token-bound-audiences = ["some-audience1", "some-audience2"]
    [jwt.signing]
    # JWT RS256 secret key
    #
    # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
    # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
    # environment variable.
    token-rs256-secret-base64 = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0VBdlZrMHQyZUtvdjhpV3prVFFtQzJtRklvd0gxc2liNlVpUFhUaGVwcURiWHMyaERFCnFYa1pKUXRjTnY0T2RtcldmZ2tsbjVyblJNQk5yL1B5dE05OFFMVVJnbzFSU2VTeUVjcmxSU1N4MElVRlhkM3YKV0U0aTJJTktsSzgxblJoY0o4czRUM09iYUpvSUQweEpqS2IzMkhxZmpOSU1vcVdBRk1ES2YyMUM5OWxQeTRXSgpVUUVnYTRzbHo5RzZHVi8wZW5qbFNMa2RRNjEvdEwyRE1ISHgvV2VRUEtpWkF4c2Fwczd3ZVJiNVBrS3J0MVlGClRxa1lJSjY3eDFiNDR1N0NmdWdVbHhMM2JCQ1lqVXVXNnoxdGU3T2ZQUUhoM1FPU2lFZTczQ3I4dU1lSkplV0wKN2VKc1hWSG9uVzBMZWl0aDk5WmJTUTF3YlhieDVPZzNTQ3ZWYnkyZE90Y3Rud2Y2aDN5YlJ3SUNoc24xbk4zMwowRkMyOXlFY0ExQ2VFVzRsMVVHNmxoMGw5cEpiWEhRNlFJS1paempaTlgxZTRGRW5TdytGNGhXd3R1Z2JtKzZnCnVPdEE5QVJxYndJOTFLeEtoT204Q0RJQlRwWThSZG1SaElicWUrc3czT3p3dGk0eTVkU3FMREsrT3Y5b05ucngKQW9TN21TaXNQeDVJS3JwaFhMT3JvVmI2L1puSmNOK3ljaExuenptMDY2Zk5RaTBLNHhzaitvWkphaXVjZnBacAphSElHZGpaY1U3aE5FUzdJNVliVEFqUDdkaDRzdXJnMk1xTUtxbUxsa2ZPcGFoRTlMQTZVVFZRZHZLVFVGNWZwCkdYSnhaT1RKWlpiOGNQTFYxZFdXbnBMaEZNV2h2OUZQTCtDVGZQVUFvQmtmOTE3TzFLdkE3bGsvcTJzQ0F3RUEKQVFLQ0FnQU9WZ3k1dmlzdkFDWTN4ZkNCWEJVM0h6RmFzYVJnSVgvWmh0TkhGbUtGT3pyOW43dGtJWGtYNXU1SwpjNTNndFdJY0ZORTJibUlJUUk4aFBWVW8vM1NtNlk2ejFjTkwxdmJzaGZJcDlBZEtoR2ZOblpvYmszN3I2YlRoCjRRb3NKTVlGZFV1RUtIcWh4dGZKWUx0STNQTnkvb1hLQWJWWE16U3BYWmQzWW14cG01aUJEbEZCUXRhVGpldUUKK3BvZWhiZGE5b0JWcXo1ZCsycnA0bGRtZVpvYTE1YUNJVG5FbEc3R0puRHFtaVN3NUJkZ1FERVNyWmJZRVd5aQpRU0dDL1JUWXl2V1VJcWw5RXh5WnhobGRJaitCMkMyOFRzSXRHN0lpZzF2ajVaVlE0RHF3RmRzc1hiSmF0bkxvClNITlFBcXplT09xY2Mxb0p6N0dzNVRBYVZNZEtEQXZCZm1JMFBMcDNqNmVFOFFIYlduMHk2NzVYbnlqWllLUUcKaWx5R0pUNVRzMWZHWHlPSXBrNG4yQjM1V3dHcjIyTkxnYUd5cnZjRkgxN3JoZGVnaGlrZFJRd1FOcXRsZjBIZApMWDVRQWVwcUt3SE9uR1BGVy9XU2xGU0lEdkt1VFZSVGtvQmFSMTA3OFpiS2JXckZBbEdqYTFvbnNXQUh1YW5UClh5dFE4dWoxUEFFeWFMZUJEaUJxRVJ2am1VVFQ1ZktCOTdaVnRJenVBZ0lyWWZ6YjIyVEk2VFJ6OVZiQ2VyWG8KdTc0cnoxMjM2TXMrbmg5Y2xYd3VtQlBOU1d1eE9OdldOWEZ6VWdIOURzdlFRMWRsMFRJWEFQMGhFYkRHRkNBQwowUlg2M0lpcXFzUG1ZZUZNTGR5K2tVWjViNzI1TlhXWFRHbDRnQ1Y3NFVRU01ya0xrUUtDQVFFQStobXIwYjdnClVYcWRKaGtLRXVsa29IVzVuYzZ4QmhobCtuTkFucVFSTm5tQWpiaDlCeDVpLzQ2WUwxcHFYQUY5cTNIRlowSDIKZEJRZXN2Q0pxbmtSTHVwTi95VE1KSlo0ZE5kMHZqRzZ0UGhMUjZuRmRabHU0TFBRMXRKcU5XZkhZeCtwQ3N2SQo4Wkx3VG8rRGFxSjArZDk3WWF0b0dWNUZHOWtUSjhBYWFXb0Q1R1AyOGtOd0djKzI0b2VNYnJtU0ppQ2I2UlJoCjA5WWJaMGpXdkFHaXJyMzFOTW5nR0dtVmRPMThoOXVMUStLNzFUQWt1eFEzZEhpUzh6UVd6YythRnM1THgyUnIKeXppcEJhR3VySmFJQ05XNklFQm5ndFcvZEZaYXpMbjhQcDVrQlJzQ1NyN1JpQkNFSFZmeHBYVFNoS3cwVWp4NQo2a0gwc01YZnFoOFpMUUtDQVFFQXdkQ3BPUXBRa1RhK0t6Z0VrWGdMVnk2QmZJKzRWdC9BYjRtK2pFSm85aUIzCnN4dEtKNU5tNXltNldXcmFWS25zekxNZy85Mi9vSVZreUlNSklrOWNYdEpuaEU5ak1aVzc2ZjhYbW5CUnJIMnAKVHVmNWtYWWdVUHZLQ2g1U1g5Q2w0UHJENHNSb3cwNHJjbHVxSE1MT2g1MncxUmJPalRrb05tNXBHWlFoVkhxeApaUzh3aVk3bzhLNFZJQXZOVlZOdGlIZFNOY2Y0cDMxL0F6SU5aQjJWdlczeWJHTWNIdDByekQ5TkpZLzhTekc3CktEME5mRTgzeng2OWxHTlhUcURGSnBTV2ZNVlFwSGVCM0FTRTV1YVhVM1c5S3EwN2NDOEJWSHRaK3B5a1B0RTYKOHgrZE9NYWh6UElaMjRqbkIzZkVsaWc0Rk5zd01LZm9aeDdKYUJLRjl3S0NBUUVBdWJUTUgwOWpVenovYVdXWQpWRmlYVG9wN3pGRElvNlVFUEFiT1NiMjd4ajVNRlcrUzd2RkNRMDZIZEVubnhlK1pkKzlmeS85djE5dUV2QXZkCnZRWnVtdTZDQWQwNTlFVUNwb2ZCZU9TR0paQmtuWTdUUHpJeDRZbkRuVy9hUzFPRyt2UnNXY2JkcTNzWEVzNS8KbjNPSDltNWFPRGpGY0dqT1doSkNwZlovNWh4QlRacG9xSlVvclJIT1U4Q2dweXNGK1dlblBWZlVHQzdZWkVYeQpwT0YyQWRpdE5ZaGM3T09oaFpRK0xzYjNUdTRSMlFnSmpoeEIzU3NXdXAzSC9RU1UvekFwbHFIYlpLZnE0WEtmCnVDbUNVMFVZRXBDZ0M4ZFpoVElGOUJSNTE2bFd6Vyt6c1BxbHJTbk9YOWVJWi9vcHd6ZjNGY1V3SmFEWjUxVFcKY29UcTlRS0NBUUVBckhtVTdpYkl0Y0Zpa0RGa2wxT2R1L0t0MW54TFRqd0dFdndnYnM3MmV2ay9yRXEvdmVKRgpzN2NGbDJjb2JpbGRpbmhxQ0doOGpFdkkrVXJxeVBhWXUrVS9xNVcrTHpVUnFkV1JXcVZUZVUzR2FtcXpSQWc4CkQvVlJ3WmxrTXRJSm0rRnNpcFBBcXZVWVlzZEI1aUJTREl0Ky90SXg4NmtHcVJHdVE4MzNyeWNVVUhnakdIYnQKd3FrWU1aRnZJOXgvWCs3WFlQYll4Nnc5YUVtVmN4K0V6ck5XQmJCWktQb25iTFowWDlYM2JhOE8zMnNkWWg5WgpDZDlRVkFubmV4aEUrZVZHMmpmNVlMTGRCRCtkU2FHd3p0dTdBSXh5bFkydkFGQlpMVlZTTUhpZm5oWG5Jc3hZCjFub29HcDZGQWJkS1lWbmZObWdzUlZCVzE5V2s1QkYvMXdLQ0FRRUFqVnR1RXdYZzU5NERIaVN4UjlWbGRBaHYKcXF5dlpieVhPT2pnNHNKZjFLUlpxZkkzV28yL05IQWN0MlZlREE1bnlEM001YndHWEwrdVZGaUlMVk1ZMUp0WQp6MmlHWHgwZVdlbFJya2tRZHFncTI1TE9BQ2dxYTFMNW9tQS9tMGcwQWljWVdYa1FYSXpXRkhwb0ZqcU9KZHpTCnZ0MHhLV2lpWHUxVk5YeDJibFR1dXBCa1JUZUlQNTVxdWdyOUh0ZmY1MHc5MHhwTllaMFR3d0lDMG1neVVMMWEKRkdVdHlPUTlqVFBUUUdGM3h6REJCQ2U2MW5uZUV0TThRMEJ1MXh3Rm90aWFYSE9NaGhiMFBndVkzNHhiekNHYgpHcTlsWjVaN2lRVXByUWNNYjhrUzZ1WFk3VHBDTmUzaDBiTTM5dVlKeHNYNXUzcmVNRWsyZlBNT3dnTlFjdz09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
@@ -1,63 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: attic
 spec:
  selector:
    matchLabels:
      app: attic
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: attic
    spec:
      containers:
        - name: attic
          image: ghcr.io/zhaofengli/attic:latest
          args:
           - -f
           - /config.toml
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          env:
            - name: ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
              value: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0VBdlZrMHQyZUtvdjhpV3prVFFtQzJtRklvd0gxc2liNlVpUFhUaGVwcURiWHMyaERFCnFYa1pKUXRjTnY0T2RtcldmZ2tsbjVyblJNQk5yL1B5dE05OFFMVVJnbzFSU2VTeUVjcmxSU1N4MElVRlhkM3YKV0U0aTJJTktsSzgxblJoY0o4czRUM09iYUpvSUQweEpqS2IzMkhxZmpOSU1vcVdBRk1ES2YyMUM5OWxQeTRXSgpVUUVnYTRzbHo5RzZHVi8wZW5qbFNMa2RRNjEvdEwyRE1ISHgvV2VRUEtpWkF4c2Fwczd3ZVJiNVBrS3J0MVlGClRxa1lJSjY3eDFiNDR1N0NmdWdVbHhMM2JCQ1lqVXVXNnoxdGU3T2ZQUUhoM1FPU2lFZTczQ3I4dU1lSkplV0wKN2VKc1hWSG9uVzBMZWl0aDk5WmJTUTF3YlhieDVPZzNTQ3ZWYnkyZE90Y3Rud2Y2aDN5YlJ3SUNoc24xbk4zMwowRkMyOXlFY0ExQ2VFVzRsMVVHNmxoMGw5cEpiWEhRNlFJS1paempaTlgxZTRGRW5TdytGNGhXd3R1Z2JtKzZnCnVPdEE5QVJxYndJOTFLeEtoT204Q0RJQlRwWThSZG1SaElicWUrc3czT3p3dGk0eTVkU3FMREsrT3Y5b05ucngKQW9TN21TaXNQeDVJS3JwaFhMT3JvVmI2L1puSmNOK3ljaExuenptMDY2Zk5RaTBLNHhzaitvWkphaXVjZnBacAphSElHZGpaY1U3aE5FUzdJNVliVEFqUDdkaDRzdXJnMk1xTUtxbUxsa2ZPcGFoRTlMQTZVVFZRZHZLVFVGNWZwCkdYSnhaT1RKWlpiOGNQTFYxZFdXbnBMaEZNV2h2OUZQTCtDVGZQVUFvQmtmOTE3TzFLdkE3bGsvcTJzQ0F3RUEKQVFLQ0FnQU9WZ3k1dmlzdkFDWTN4ZkNCWEJVM0h6RmFzYVJnSVgvWmh0TkhGbUtGT3pyOW43dGtJWGtYNXU1SwpjNTNndFdJY0ZORTJibUlJUUk4aFBWVW8vM1NtNlk2ejFjTkwxdmJzaGZJcDlBZEtoR2ZOblpvYmszN3I2YlRoCjRRb3NKTVlGZFV1RUtIcWh4dGZKWUx0STNQTnkvb1hLQWJWWE16U3BYWmQzWW14cG01aUJEbEZCUXRhVGpldUUKK3BvZWhiZGE5b0JWcXo1ZCsycnA0bGRtZVpvYTE1YUNJVG5FbEc3R0puRHFtaVN3NUJkZ1FERVNyWmJZRVd5aQpRU0dDL1JUWXl2V1VJcWw5RXh5WnhobGRJaitCMkMyOFRzSXRHN0lpZzF2ajVaVlE0RHF3RmRzc1hiSmF0bkxvClNITlFBcXplT09xY2Mxb0p6N0dzNVRBYVZNZEtEQXZCZm1JMFBMcDNqNmVFOFFIYlduMHk2NzVYbnlqWllLUUcKaWx5R0pUNVRzMWZHWHlPSXBrNG4yQjM1V3dHcjIyTkxnYUd5cnZjRkgxN3JoZGVnaGlrZFJRd1FOcXRsZjBIZApMWDVRQWVwcUt3SE9uR1BGVy9XU2xGU0lEdkt1VFZSVGtvQmFSMTA3OFpiS2JXckZBbEdqYTFvbnNXQUh1YW5UClh5dFE4dWoxUEFFeWFMZUJEaUJxRVJ2am1VVFQ1ZktCOTdaVnRJenVBZ0lyWWZ6YjIyVEk2VFJ6OVZiQ2VyWG8KdTc0cnoxMjM2TXMrbmg5Y2xYd3VtQlBOU1d1eE9OdldOWEZ6VWdIOURzdlFRMWRsMFRJWEFQMGhFYkRHRkNBQwowUlg2M0lpcXFzUG1ZZUZNTGR5K2tVWjViNzI1TlhXWFRHbDRnQ1Y3NFVRU01ya0xrUUtDQVFFQStobXIwYjdnClVYcWRKaGtLRXVsa29IVzVuYzZ4QmhobCtuTkFucVFSTm5tQWpiaDlCeDVpLzQ2WUwxcHFYQUY5cTNIRlowSDIKZEJRZXN2Q0pxbmtSTHVwTi95VE1KSlo0ZE5kMHZqRzZ0UGhMUjZuRmRabHU0TFBRMXRKcU5XZkhZeCtwQ3N2SQo4Wkx3VG8rRGFxSjArZDk3WWF0b0dWNUZHOWtUSjhBYWFXb0Q1R1AyOGtOd0djKzI0b2VNYnJtU0ppQ2I2UlJoCjA5WWJaMGpXdkFHaXJyMzFOTW5nR0dtVmRPMThoOXVMUStLNzFUQWt1eFEzZEhpUzh6UVd6YythRnM1THgyUnIKeXppcEJhR3VySmFJQ05XNklFQm5ndFcvZEZaYXpMbjhQcDVrQlJzQ1NyN1JpQkNFSFZmeHBYVFNoS3cwVWp4NQo2a0gwc01YZnFoOFpMUUtDQVFFQXdkQ3BPUXBRa1RhK0t6Z0VrWGdMVnk2QmZJKzRWdC9BYjRtK2pFSm85aUIzCnN4dEtKNU5tNXltNldXcmFWS25zekxNZy85Mi9vSVZreUlNSklrOWNYdEpuaEU5ak1aVzc2ZjhYbW5CUnJIMnAKVHVmNWtYWWdVUHZLQ2g1U1g5Q2w0UHJENHNSb3cwNHJjbHVxSE1MT2g1MncxUmJPalRrb05tNXBHWlFoVkhxeApaUzh3aVk3bzhLNFZJQXZOVlZOdGlIZFNOY2Y0cDMxL0F6SU5aQjJWdlczeWJHTWNIdDByekQ5TkpZLzhTekc3CktEME5mRTgzeng2OWxHTlhUcURGSnBTV2ZNVlFwSGVCM0FTRTV1YVhVM1c5S3EwN2NDOEJWSHRaK3B5a1B0RTYKOHgrZE9NYWh6UElaMjRqbkIzZkVsaWc0Rk5zd01LZm9aeDdKYUJLRjl3S0NBUUVBdWJUTUgwOWpVenovYVdXWQpWRmlYVG9wN3pGRElvNlVFUEFiT1NiMjd4ajVNRlcrUzd2RkNRMDZIZEVubnhlK1pkKzlmeS85djE5dUV2QXZkCnZRWnVtdTZDQWQwNTlFVUNwb2ZCZU9TR0paQmtuWTdUUHpJeDRZbkRuVy9hUzFPRyt2UnNXY2JkcTNzWEVzNS8KbjNPSDltNWFPRGpGY0dqT1doSkNwZlovNWh4QlRacG9xSlVvclJIT1U4Q2dweXNGK1dlblBWZlVHQzdZWkVYeQpwT0YyQWRpdE5ZaGM3T09oaFpRK0xzYjNUdTRSMlFnSmpoeEIzU3NXdXAzSC9RU1UvekFwbHFIYlpLZnE0WEtmCnVDbUNVMFVZRXBDZ0M4ZFpoVElGOUJSNTE2bFd6Vyt6c1BxbHJTbk9YOWVJWi9vcHd6ZjNGY1V3SmFEWjUxVFcKY29UcTlRS0NBUUVBckhtVTdpYkl0Y0Zpa0RGa2wxT2R1L0t0MW54TFRqd0dFdndnYnM3MmV2ay9yRXEvdmVKRgpzN2NGbDJjb2JpbGRpbmhxQ0doOGpFdkkrVXJxeVBhWXUrVS9xNVcrTHpVUnFkV1JXcVZUZVUzR2FtcXpSQWc4CkQvVlJ3WmxrTXRJSm0rRnNpcFBBcXZVWVlzZEI1aUJTREl0Ky90SXg4NmtHcVJHdVE4MzNyeWNVVUhnakdIYnQKd3FrWU1aRnZJOXgvWCs3WFlQYll4Nnc5YUVtVmN4K0V6ck5XQmJCWktQb25iTFowWDlYM2JhOE8zMnNkWWg5WgpDZDlRVkFubmV4aEUrZVZHMmpmNVlMTGRCRCtkU2FHd3p0dTdBSXh5bFkydkFGQlpMVlZTTUhpZm5oWG5Jc3hZCjFub29HcDZGQWJkS1lWbmZObWdzUlZCVzE5V2s1QkYvMXdLQ0FRRUFqVnR1RXdYZzU5NERIaVN4UjlWbGRBaHYKcXF5dlpieVhPT2pnNHNKZjFLUlpxZkkzV28yL05IQWN0MlZlREE1bnlEM001YndHWEwrdVZGaUlMVk1ZMUp0WQp6MmlHWHgwZVdlbFJya2tRZHFncTI1TE9BQ2dxYTFMNW9tQS9tMGcwQWljWVdYa1FYSXpXRkhwb0ZqcU9KZHpTCnZ0MHhLV2lpWHUxVk5YeDJibFR1dXBCa1JUZUlQNTVxdWdyOUh0ZmY1MHc5MHhwTllaMFR3d0lDMG1neVVMMWEKRkdVdHlPUTlqVFBUUUdGM3h6REJCQ2U2MW5uZUV0TThRMEJ1MXh3Rm90aWFYSE9NaGhiMFBndVkzNHhiekNHYgpHcTlsWjVaN2lRVXByUWNNYjhrUzZ1WFk3VHBDTmUzaDBiTTM5dVlKeHNYNXUzcmVNRWsyZlBNT3dnTlFjdz09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
              # valueFrom:
              #   secretKeyRef:
              #     name: server
              #     key: token
            - name: ATTIC_SERVER_DATABASE_URL
              value: "postgresql://app:mZP1BnmnpDU33B7UZvomYKOSS1laRJ4bvUR7jNDZ1AJqPdNxH2rLXykghczg7Bgy@attic-db-rw:5432/app"
              # valueFrom:
                # secretKeyRef:
                  # name: database
                  # key: url
          volumeMounts:
          - name: data
            mountPath: /attic
          - name: attic-config
            mountPath: /config.toml
            subPath: config.toml
      volumes:
        - name: server
          secret:
            secretName: server
        - name: attic-config
          configMap:
            defaultMode: 420
            name: attic-config
        - name: data
          persistentVolumeClaim:
            claimName: attic
@@ -1,28 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    haproxy.org/backend-protocol: h1
    haproxy.org/timeout-server: 600s
  labels:
    app.kubernetes.io/component: attic
  name: attic
  namespace: attic
 spec:
  ingressClassName: haproxy
  rules:
  - host: attic.srv.oceanbox.io
    http:
      paths:
      - backend:
          service:
            name: attic
            port:
              name: http
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - attic.srv.oceanbox.io
    secretName: attic.srv.oceanbox.io-tls
@@ -1,13 +0,0 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-cache-nixos
  namespace: ncps
 spec:
  egress:
    - toFQDNs:
        - matchPattern: 'cache.nixos.org'
        - matchPattern: 'nix-community.cachix.org'
  endpointSelector:
    matchLabels:
      app: nix-cache
@@ -1,12 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: attic
  labels:
    app: attic
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: server
 stringData:
  token: "ref+sops://secrets.yml#attic/jwtToken"
@@ -0,0 +1,2 @@
 niks3:
  enabled: true
@@ -1,3 +1,3 @@
-attic:
+niks3:
  enabled: false
  autosync: false
@@ -1,10 +1,10 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: attic-db
+  name: niks3-db
-  namespace: attic
+  namespace: niks3
  labels:
-    app: attic-db
+    app: niks3-db
 spec:
  instances: 1
  primaryUpdateStrategy: unsupervised
@@ -0,0 +1,73 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: niks3
 spec:
  selector:
    matchLabels:
      app: niks3
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: niks3
    spec:
      containers:
        - name: niks3
          image: ghcr.io/mic92/niks3:v1.6.1
          ports:
            - name: http
              containerPort: 5751
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          env:
            - name: NIKS3_DB
              valueFrom:
                secretKeyRef:
                  name: niks3-db-app
                  key: uri
            - name: NIKS3_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: server
                  key: api-token
            - name: NIKS3_S3_ENDPOINT
              value: "10.255.241.30:30080"
            - name: NIKS3_S3_BUCKET
              value: "niks3"
            - name: NIKS3_S3_REGION
              value: "default"
            - name: NIKS3_S3_USE_SSL
              value: "false"
            - name: NIKS3_S3_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: server
                  key: s3-access-key
            - name: NIKS3_S3_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: server
                  key: s3-secret-key
            - name: NIKS3_ENABLE_READ_PROXY
              value: "true"
            - name: NIKS3_CACHE_URL
              value: "https://cache.ekman.oceanbox.io"
            - name: NIKS3_SIGN_KEY_PATHS
              value: "/secrets/sign-key"
          volumeMounts:
            - name: server
              mountPath: /secrets
              readOnly: true
      volumes:
        - name: server
          secret:
            secretName: server
@@ -0,0 +1,28 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    oceanbox.io/expose: internal
  labels:
    app.kubernetes.io/component: niks3
  name: niks3
  namespace: niks3
 spec:
  ingressClassName: nginx
  rules:
  - host: cache.ekman.oceanbox.io
    http:
      paths:
      - backend:
          service:
            name: niks3
            port:
              name: http
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - cache.ekman.oceanbox.io
    secretName: cache.ekman.oceanbox.io-tls
@@ -0,0 +1,42 @@
 {{- if .Values.clusterConfig.argo.enabled }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: niks3
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  destination:
    namespace: niks3
    server: https://kubernetes.default.svc
  project: aux
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
    targetRevision: HEAD
    path: helmfile.d
    plugin:
      name: helmfile-cmp
      env:
      - name: CLUSTER_NAME
        value: {{ .Values.clusterConfig.cluster }}
      - name: HELMFILE_ENVIRONMENT
        value: default
      - name: HELMFILE_FILE_PATH
        value: niks3.yaml.gotmpl
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        component: aux
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      # - ServerSideApply=true
    {{- if .Values.niks3.autosync }}
    automated:
      prune: true
      # selfHeal: false
    {{- end }}
 {{- end }}
@@ -0,0 +1,47 @@
 {{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-egress
  namespace: niks3
 spec:
  # ekman has no cluster-wide allow-namespace-traffic baseline (unlike hel1/oceanbox),
  # so once niks3 is selected by an egress rule it is default-deny for egress and every
  # destination must be listed explicitly: RGW (S3), in-namespace PostgreSQL, and DNS.
  description: niks3 egress to Ceph RGW (S3), in-namespace PostgreSQL, and kube-dns
  endpointSelector:
    matchLabels:
      app: niks3
  egress:
    # Ceph RadosGW (S3 object storage backend) via NodePort
    - toCIDR:
        - 10.255.241.30/32
        - 10.255.241.31/32
        - 10.255.241.32/32
      toPorts:
        - ports:
            - port: "30080"
              protocol: TCP
    # PostgreSQL (CNPG niks3-db cluster, same namespace)
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: niks3
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    # DNS resolution
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
          rules:
            dns:
              - matchPattern: "*"
 {{- end }}
@@ -1,14 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: attic
+  name: niks3
  labels:
-    app: attic
+    app: niks3
 spec:
  type: ClusterIP
  selector:
-    app: attic
+    app: niks3
  ports:
    - name: http
-      port: 8080
+      port: 5751
      targetPort: http