feat: Replace ncps with attic

2025-08-26 21:02:04 +02:00
parent 12c1f0f060
commit 6eca17a487
13 changed files with 284 additions and 95 deletions
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: attic
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: ncps
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: HEAD
+    path: values/attic/manifests
+  project: aux
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      # - ServerSideApply=true
+    automated:
+      prune: true
+      # selfHeal: false
@@ -0,0 +1,16 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: attic-db
+  namespace: attic
+  labels:
+    app: attic-db
+spec:
+  instances: 1
+  initdb:
+    database: attic
+  primaryUpdateStrategy: unsupervised
+  backup:
+    retentionPolicy: "7d"
+  storage:
+    size: "20Gi"
@@ -0,0 +1,167 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: attic
+  name: attic-config
+  namespace: attic
+data:
+  config.toml: |
+    # src: https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+
+    # Socket address to listen on
+    listen = "[::]:8080"
+
+    # Allowed `Host` headers
+    #
+    # This _must_ be configured for production use. If unconfigured or the
+    # list is empty, all `Host` headers are allowed.
+    allowed-hosts = []
+
+    # The canonical API endpoint of this server
+    #
+    # This is the endpoint exposed to clients in `cache-config` responses.
+    #
+    # This _must_ be configured for production use. If not configured, the
+    # API endpoint is synthesized from the client's `Host` header which may
+    # be insecure.
+    #
+    # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+    # not `https://domain.tld/attic`).
+    api-endpoint = "https://attic.srv.oceanbox.io"
+
+    # Whether to soft-delete caches
+    #
+    # If this is enabled, caches are soft-deleted instead of actually
+    # removed from the database. Note that soft-deleted caches cannot
+    # have their names reused as long as the original database records
+    # are there.
+    #soft-delete-caches = false
+
+    # Whether to require fully uploading a NAR if it exists in the global cache.
+    #
+    # If set to false, simply knowing the NAR hash is enough for
+    # an uploader to gain access to an existing NAR in the global
+    # cache.
+    #require-proof-of-possession = true
+
+    # Database connection
+    [database]
+    # Connection URL
+    #
+    # For production use it's recommended to use PostgreSQL.
+    url = ""
+
+    # Whether to enable sending on periodic heartbeat queries
+    #
+    # If enabled, a heartbeat query will be sent every minute
+    #heartbeat = false
+
+    # File storage configuration
+    [storage]
+    # Storage type
+    #
+    # Can be "local" or "s3".
+    type = "local"
+
+    # ## Local storage
+
+    # The directory to store all files under
+    path = "/attic"
+
+    # ## S3 Storage (set type to "s3" and uncomment below)
+
+    # The AWS region
+    #region = "us-east-1"
+
+    # The name of the bucket
+    #bucket = "some-bucket"
+
+    # Custom S3 endpoint
+    #
+    # Set this if you are using an S3-compatible object storage (e.g., Minio).
+    #endpoint = "https://xxx.r2.cloudflarestorage.com"
+
+    # Credentials
+    #
+    # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+    # `AWS_SECRET_ACCESS_KEY` environment variables.
+    #[storage.credentials]
+    #  access_key_id = ""
+    #  secret_access_key = ""
+
+    # Data chunking
+    #
+    # Warning: If you change any of the values here, it will be
+    # difficult to reuse existing chunks for newly-uploaded NARs
+    # since the cutpoints will be different. As a result, the
+    # deduplication ratio will suffer for a while after the change.
+    [chunking]
+    # The minimum NAR size to trigger chunking
+    #
+    # If 0, chunking is disabled entirely for newly-uploaded NARs.
+    # If 1, all NARs are chunked.
+    nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
+
+    # The preferred minimum size of a chunk, in bytes
+    min-size = 16384            # 16 KiB
+
+    # The preferred average size of a chunk, in bytes
+    avg-size = 65536            # 64 KiB
+
+    # The preferred maximum size of a chunk, in bytes
+    max-size = 262144           # 256 KiB
+
+    # Compression
+    [compression]
+    # Compression type
+    #
+    # Can be "none", "brotli", "zstd", or "xz"
+    type = "zstd"
+
+    # Compression level
+    #level = 8
+
+    # Garbage collection
+    [garbage-collection]
+    # The frequency to run garbage collection at
+    #
+    # By default it's 12 hours. You can use natural language
+    # to specify the interval, like "1 day".
+    #
+    # If zero, automatic garbage collection is disabled, but
+    # it can still be run manually with `atticd --mode garbage-collector-once`.
+    interval = "1 week"
+
+    # Default retention period
+    #
+    # Zero (default) means time-based garbage-collection is
+    # disabled by default. You can enable it on a per-cache basis.
+    default-retention-period = "6 months"
+
+    [jwt]
+    # WARNING: Changing _anything_ in this section will break any existing
+    # tokens. If you need to regenerate them, ensure that you use the the
+    # correct secret and include the `iss` and `aud` claims.
+
+    # JWT `iss` claim
+    #
+    # Set this to the JWT issuer that you want to validate.
+    # If this is set, all received JWTs will validate that the `iss` claim
+    # matches this value.
+    #token-bound-issuer = "some-issuer"
+
+    # JWT `aud` claim
+    #
+    # Set this to the JWT audience(s) that you want to validate.
+    # If this is set, all received JWTs will validate that the `aud` claim
+    # contains at least one of these values.
+    #token-bound-audiences = ["some-audience1", "some-audience2"]
+
+    [jwt.signing]
+    # JWT RS256 secret key
+    #
+    # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
+    # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
+    # environment variable.
+    token-rs256-secret-base64 = "r0To/djPCwwXRtFcHakhiEHLkEuOQQJtPPeRsfyg8XAkp0A8Tu+AwGz12RFR65JvyhWXSPg7RUIwXzbg6YLcmA=="
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: attic
+spec:
+  selector:
+    matchLabels:
+      app: attic
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: attic
+    spec:
+      nodeName: atlas
+      containers:
+        - name: attic
+          image: ghcr.io/zhaofengli/attic:latest
+          args:
+           - -f
+           - /config.toml
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          env:
+            - name: ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
+              value: "r0To/djPCwwXRtFcHakhiEHLkEuOQQJtPPeRsfyg8XAkp0A8Tu+AwGz12RFR65JvyhWXSPg7RUIwXzbg6YLcmA=="
+              # valueFrom:
+              #   secretKeyRef:
+              #     name: server
+              #     key: token
+            - name: ATTIC_SERVER_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: database
+                  key: url
+          volumeMounts:
+          - name: data
+            mountPath: /attic
+          - name: attic-config
+            mountPath: /config.toml
+            subPath: config.toml
+      volumes:
+        - name: server
+          secret:
+            secretName: server
+        - name: attic-config
+          configMap:
+            defaultMode: 420
+            name: attic-config
+        - name: data
+          persistentVolumeClaim:
+            claimName: attic
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    oceanbox.io/expose: internal
+  labels:
+    app.kubernetes.io/component: attic
+  name: attic
+  namespace: attic
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: attic.srv.oceanbox.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: attic
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - attic.srv.oceanbox.io
+    secretName: attic.srv.oceanbox.io-tls
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-cache-nixos
+  namespace: ncps
+spec:
+  egress:
+    - toFQDNs:
+        - matchPattern: 'cache.nixos.org'
+        - matchPattern: 'nix-community.cachix.org'
+  endpointSelector:
+    matchLabels:
+      app: nix-cache
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: attic
+  labels:
+    app: attic
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: server
+stringData:
+  token: "ref+sops://secrets.yml#attic/jwtToken"
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: attic
+  labels:
+    app: attic
+spec:
+  type: ClusterIP
+  selector:
+    app: attic
+    component: website
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http