diff --git a/values/ncps/env-oceanbox.yaml.gotmpl b/values/attic/env-oceanbox.yaml.gotmpl similarity index 69% rename from values/ncps/env-oceanbox.yaml.gotmpl rename to values/attic/env-oceanbox.yaml.gotmpl index edab7f33..73914176 100644 --- a/values/ncps/env-oceanbox.yaml.gotmpl +++ b/values/attic/env-oceanbox.yaml.gotmpl @@ -1,2 +1,2 @@ -ncps: +attic: enabled: true diff --git a/values/ncps/env.yaml.gotmpl b/values/attic/env.yaml.gotmpl similarity index 83% rename from values/ncps/env.yaml.gotmpl rename to values/attic/env.yaml.gotmpl index 7ea660d4..fc25113f 100644 --- a/values/ncps/env.yaml.gotmpl +++ b/values/attic/env.yaml.gotmpl @@ -1,3 +1,3 @@ -ncps: +attic: enabled: false autosync: false diff --git a/values/ncps/manifests/ncps.yaml b/values/attic/manifests/attic.yaml similarity index 86% rename from values/ncps/manifests/ncps.yaml rename to values/attic/manifests/attic.yaml index 9cee7418..6fae5639 100644 --- a/values/ncps/manifests/ncps.yaml +++ b/values/attic/manifests/attic.yaml @@ -1,7 +1,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: ncps + name: attic namespace: argocd finalizers: - resources-finalizer.argocd.argoproj.io @@ -12,12 +12,12 @@ spec: sources: - repoURL: https://gitlab.com/oceanbox/manifests.git targetRevision: HEAD - path: values/ncps/manifests - project: sys + path: values/attic/manifests + project: aux syncPolicy: managedNamespaceMetadata: labels: - component: sys + component: aux syncOptions: - CreateNamespace=true - ApplyOutOfSyncOnly=true diff --git a/values/attic/manifests/cluster.yaml b/values/attic/manifests/cluster.yaml new file mode 100644 index 00000000..10f33118 --- /dev/null +++ b/values/attic/manifests/cluster.yaml @@ -0,0 +1,16 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: attic-db + namespace: attic + labels: + app: attic-db +spec: + instances: 1 + initdb: + database: attic + primaryUpdateStrategy: unsupervised + backup: + retentionPolicy: "7d" + storage: + size: "20Gi" diff --git a/values/attic/manifests/cm.yaml b/values/attic/manifests/cm.yaml new file mode 100644 index 00000000..345b6029 --- /dev/null +++ b/values/attic/manifests/cm.yaml @@ -0,0 +1,167 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: attic + name: attic-config + namespace: attic +data: + config.toml: | + # src: https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml + + # Socket address to listen on + listen = "[::]:8080" + + # Allowed `Host` headers + # + # This _must_ be configured for production use. If unconfigured or the + # list is empty, all `Host` headers are allowed. + allowed-hosts = [] + + # The canonical API endpoint of this server + # + # This is the endpoint exposed to clients in `cache-config` responses. + # + # This _must_ be configured for production use. If not configured, the + # API endpoint is synthesized from the client's `Host` header which may + # be insecure. + # + # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/` + # not `https://domain.tld/attic`). + api-endpoint = "https://attic.srv.oceanbox.io" + + # Whether to soft-delete caches + # + # If this is enabled, caches are soft-deleted instead of actually + # removed from the database. Note that soft-deleted caches cannot + # have their names reused as long as the original database records + # are there. + #soft-delete-caches = false + + # Whether to require fully uploading a NAR if it exists in the global cache. + # + # If set to false, simply knowing the NAR hash is enough for + # an uploader to gain access to an existing NAR in the global + # cache. + #require-proof-of-possession = true + + # Database connection + [database] + # Connection URL + # + # For production use it's recommended to use PostgreSQL. + url = "" + + # Whether to enable sending on periodic heartbeat queries + # + # If enabled, a heartbeat query will be sent every minute + #heartbeat = false + + # File storage configuration + [storage] + # Storage type + # + # Can be "local" or "s3". + type = "local" + + # ## Local storage + + # The directory to store all files under + path = "/attic" + + # ## S3 Storage (set type to "s3" and uncomment below) + + # The AWS region + #region = "us-east-1" + + # The name of the bucket + #bucket = "some-bucket" + + # Custom S3 endpoint + # + # Set this if you are using an S3-compatible object storage (e.g., Minio). + #endpoint = "https://xxx.r2.cloudflarestorage.com" + + # Credentials + # + # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and + # `AWS_SECRET_ACCESS_KEY` environment variables. + #[storage.credentials] + # access_key_id = "" + # secret_access_key = "" + + # Data chunking + # + # Warning: If you change any of the values here, it will be + # difficult to reuse existing chunks for newly-uploaded NARs + # since the cutpoints will be different. As a result, the + # deduplication ratio will suffer for a while after the change. + [chunking] + # The minimum NAR size to trigger chunking + # + # If 0, chunking is disabled entirely for newly-uploaded NARs. + # If 1, all NARs are chunked. + nar-size-threshold = 65536 # chunk files that are 64 KiB or larger + + # The preferred minimum size of a chunk, in bytes + min-size = 16384 # 16 KiB + + # The preferred average size of a chunk, in bytes + avg-size = 65536 # 64 KiB + + # The preferred maximum size of a chunk, in bytes + max-size = 262144 # 256 KiB + + # Compression + [compression] + # Compression type + # + # Can be "none", "brotli", "zstd", or "xz" + type = "zstd" + + # Compression level + #level = 8 + + # Garbage collection + [garbage-collection] + # The frequency to run garbage collection at + # + # By default it's 12 hours. You can use natural language + # to specify the interval, like "1 day". + # + # If zero, automatic garbage collection is disabled, but + # it can still be run manually with `atticd --mode garbage-collector-once`. + interval = "1 week" + + # Default retention period + # + # Zero (default) means time-based garbage-collection is + # disabled by default. You can enable it on a per-cache basis. + default-retention-period = "6 months" + + [jwt] + # WARNING: Changing _anything_ in this section will break any existing + # tokens. If you need to regenerate them, ensure that you use the the + # correct secret and include the `iss` and `aud` claims. + + # JWT `iss` claim + # + # Set this to the JWT issuer that you want to validate. + # If this is set, all received JWTs will validate that the `iss` claim + # matches this value. + #token-bound-issuer = "some-issuer" + + # JWT `aud` claim + # + # Set this to the JWT audience(s) that you want to validate. + # If this is set, all received JWTs will validate that the `aud` claim + # contains at least one of these values. + #token-bound-audiences = ["some-audience1", "some-audience2"] + + [jwt.signing] + # JWT RS256 secret key + # + # Set this to the base64-encoded private half of an RSA PEM PKCS1 key. + # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64` + # environment variable. + token-rs256-secret-base64 = "r0To/djPCwwXRtFcHakhiEHLkEuOQQJtPPeRsfyg8XAkp0A8Tu+AwGz12RFR65JvyhWXSPg7RUIwXzbg6YLcmA==" diff --git a/values/attic/manifests/deployment.yaml b/values/attic/manifests/deployment.yaml new file mode 100644 index 00000000..aebf2d72 --- /dev/null +++ b/values/attic/manifests/deployment.yaml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: attic +spec: + selector: + matchLabels: + app: attic + strategy: + type: Recreate + template: + metadata: + labels: + app: attic + spec: + nodeName: atlas + containers: + - name: attic + image: ghcr.io/zhaofengli/attic:latest + args: + - -f + - /config.toml + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + env: + - name: ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 + value: "r0To/djPCwwXRtFcHakhiEHLkEuOQQJtPPeRsfyg8XAkp0A8Tu+AwGz12RFR65JvyhWXSPg7RUIwXzbg6YLcmA==" + # valueFrom: + # secretKeyRef: + # name: server + # key: token + - name: ATTIC_SERVER_DATABASE_URL + valueFrom: + secretKeyRef: + name: database + key: url + volumeMounts: + - name: data + mountPath: /attic + - name: attic-config + mountPath: /config.toml + subPath: config.toml + volumes: + - name: server + secret: + secretName: server + - name: attic-config + configMap: + defaultMode: 420 + name: attic-config + - name: data + persistentVolumeClaim: + claimName: attic diff --git a/values/ncps/manifests/ingress.yaml b/values/attic/manifests/ingress.yaml similarity index 66% rename from values/ncps/manifests/ingress.yaml rename to values/attic/manifests/ingress.yaml index 40155c7f..9f46e4a0 100644 --- a/values/ncps/manifests/ingress.yaml +++ b/values/attic/manifests/ingress.yaml @@ -9,23 +9,23 @@ metadata: nginx.ingress.kubernetes.io/ssl-redirect: "true" oceanbox.io/expose: internal labels: - app.kubernetes.io/component: nix-cache - name: nix-cache - namespace: ncps + app.kubernetes.io/component: attic + name: attic + namespace: attic spec: ingressClassName: nginx rules: - - host: cache.srv.oceanbox.io + - host: attic.srv.oceanbox.io http: paths: - backend: service: - name: nix-cache + name: attic port: - name: http-web + name: http path: / - pathType: ImplementationSpecific + pathType: Prefix tls: - hosts: - - cache.srv.oceanbox.io - secretName: cache.srv.oceanbox.io-tls + - attic.srv.oceanbox.io + secretName: attic.srv.oceanbox.io-tls diff --git a/values/ncps/manifests/policies/allow-cache-nixos.yaml b/values/attic/manifests/policies/allow-cache-nixos.yaml similarity index 100% rename from values/ncps/manifests/policies/allow-cache-nixos.yaml rename to values/attic/manifests/policies/allow-cache-nixos.yaml diff --git a/values/ncps/manifests/pvc.yaml b/values/attic/manifests/pvc.yaml similarity index 74% rename from values/ncps/manifests/pvc.yaml rename to values/attic/manifests/pvc.yaml index d1f2bff4..337e2e56 100644 --- a/values/ncps/manifests/pvc.yaml +++ b/values/attic/manifests/pvc.yaml @@ -1,10 +1,9 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: nix-cache + name: attic labels: - app: nix-cache - tier: proxy + app: attic spec: accessModes: - ReadWriteOnce diff --git a/values/attic/manifests/secret.yaml b/values/attic/manifests/secret.yaml new file mode 100644 index 00000000..a85a506f --- /dev/null +++ b/values/attic/manifests/secret.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Secret +metadata: + name: server +stringData: + token: "ref+sops://secrets.yml#attic/jwtToken" \ No newline at end of file diff --git a/values/attic/manifests/svc.yaml b/values/attic/manifests/svc.yaml new file mode 100644 index 00000000..82bc204b --- /dev/null +++ b/values/attic/manifests/svc.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: attic + labels: + app: attic +spec: + type: ClusterIP + selector: + app: attic + component: website + ports: + - name: http + port: 8080 + targetPort: http diff --git a/values/ncps/manifests/sts.yaml b/values/ncps/manifests/sts.yaml deleted file mode 100644 index 1f5a66e3..00000000 --- a/values/ncps/manifests/sts.yaml +++ /dev/null @@ -1,62 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: nix-cache - labels: - app: nix-cache - tier: proxy -spec: - replicas: 1 - selector: - matchLabels: - app: nix-cache - tier: proxy - template: - metadata: - labels: - app: nix-cache - tier: proxy - spec: - initContainers: - - image: alpine:latest - name: create-directories - args: - - /bin/sh - - -c - - "mkdir -m 0755 -p /storage/var && mkdir -m 0700 -p /storage/var/ncps && mkdir -m 0700 -p /storage/var/ncps/db" - volumeMounts: - - name: nix-cache-persistent-storage - mountPath: /storage - - image: kalbasit/ncps:latest # NOTE: It's recommended to use a tag here, but we live dangerously - name: migrate-database - args: - - /bin/dbmate - - --url=sqlite:/storage/var/ncps/db/db.sqlite - - migrate - - up - volumeMounts: - - name: nix-cache-persistent-storage - mountPath: /storage - containers: - - image: kalbasit/ncps:latest # NOTE: It's recommended to use a tag here! - name: nix-cache - args: - - /bin/ncps - - serve - - --cache-hostname=cache.srv.oceanbox.io - - --cache-data-path=/storage - - --cache-database-url=sqlite:/storage/var/ncps/db/db.sqlite - - --upstream-cache=https://cache.nixos.org - - --upstream-cache=https://nix-community.cachix.org - - --upstream-public-key=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - - --upstream-public-key=nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= - ports: - - containerPort: 8501 - name: http-web - volumeMounts: - - name: nix-cache-persistent-storage - mountPath: /storage - volumes: - - name: nix-cache-persistent-storage - persistentVolumeClaim: - claimName: nix-cache diff --git a/values/ncps/manifests/svc.yaml b/values/ncps/manifests/svc.yaml deleted file mode 100644 index b58a7b59..00000000 --- a/values/ncps/manifests/svc.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: nix-cache - labels: - app: nix-cache - tier: proxy -spec: - type: ClusterIP - ports: - - name: http-web - port: 8501 - selector: - app: nix-cache - tier: proxy