feat: Replace ncps with attic

2025-08-26 21:02:04 +02:00
parent 12c1f0f060
commit 6eca17a487
13 changed files with 284 additions and 95 deletions
@@ -1,2 +1,2 @@
-ncps:
+attic:
  enabled: true
@@ -1,3 +1,3 @@
-ncps:
+attic:
  enabled: false
  autosync: false
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: ncps
+  name: attic
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
@@ -12,12 +12,12 @@ spec:
  sources:
  - repoURL: https://gitlab.com/oceanbox/manifests.git
    targetRevision: HEAD
-    path: values/ncps/manifests
+    path: values/attic/manifests
-  project: sys
+  project: aux
  syncPolicy:
    managedNamespaceMetadata:
      labels:
-        component: sys
+        component: aux
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
@@ -0,0 +1,16 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: attic-db
  namespace: attic
  labels:
    app: attic-db
 spec:
  instances: 1
  initdb:
    database: attic
  primaryUpdateStrategy: unsupervised
  backup:
    retentionPolicy: "7d"
  storage:
    size: "20Gi"
@@ -0,0 +1,167 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  labels:
    app.kubernetes.io/name: attic
  name: attic-config
  namespace: attic
 data:
  config.toml: |
    # src: https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
    # Socket address to listen on
    listen = "[::]:8080"
    # Allowed `Host` headers
    #
    # This _must_ be configured for production use. If unconfigured or the
    # list is empty, all `Host` headers are allowed.
    allowed-hosts = []
    # The canonical API endpoint of this server
    #
    # This is the endpoint exposed to clients in `cache-config` responses.
    #
    # This _must_ be configured for production use. If not configured, the
    # API endpoint is synthesized from the client's `Host` header which may
    # be insecure.
    #
    # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
    # not `https://domain.tld/attic`).
    api-endpoint = "https://attic.srv.oceanbox.io"
    # Whether to soft-delete caches
    #
    # If this is enabled, caches are soft-deleted instead of actually
    # removed from the database. Note that soft-deleted caches cannot
    # have their names reused as long as the original database records
    # are there.
    #soft-delete-caches = false
    # Whether to require fully uploading a NAR if it exists in the global cache.
    #
    # If set to false, simply knowing the NAR hash is enough for
    # an uploader to gain access to an existing NAR in the global
    # cache.
    #require-proof-of-possession = true
    # Database connection
    [database]
    # Connection URL
    #
    # For production use it's recommended to use PostgreSQL.
    url = ""
    # Whether to enable sending on periodic heartbeat queries
    #
    # If enabled, a heartbeat query will be sent every minute
    #heartbeat = false
    # File storage configuration
    [storage]
    # Storage type
    #
    # Can be "local" or "s3".
    type = "local"
    # ## Local storage
    # The directory to store all files under
    path = "/attic"
    # ## S3 Storage (set type to "s3" and uncomment below)
    # The AWS region
    #region = "us-east-1"
    # The name of the bucket
    #bucket = "some-bucket"
    # Custom S3 endpoint
    #
    # Set this if you are using an S3-compatible object storage (e.g., Minio).
    #endpoint = "https://xxx.r2.cloudflarestorage.com"
    # Credentials
    #
    # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
    # `AWS_SECRET_ACCESS_KEY` environment variables.
    #[storage.credentials]
    #  access_key_id = ""
    #  secret_access_key = ""
    # Data chunking
    #
    # Warning: If you change any of the values here, it will be
    # difficult to reuse existing chunks for newly-uploaded NARs
    # since the cutpoints will be different. As a result, the
    # deduplication ratio will suffer for a while after the change.
    [chunking]
    # The minimum NAR size to trigger chunking
    #
    # If 0, chunking is disabled entirely for newly-uploaded NARs.
    # If 1, all NARs are chunked.
    nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
    # The preferred minimum size of a chunk, in bytes
    min-size = 16384            # 16 KiB
    # The preferred average size of a chunk, in bytes
    avg-size = 65536            # 64 KiB
    # The preferred maximum size of a chunk, in bytes
    max-size = 262144           # 256 KiB
    # Compression
    [compression]
    # Compression type
    #
    # Can be "none", "brotli", "zstd", or "xz"
    type = "zstd"
    # Compression level
    #level = 8
    # Garbage collection
    [garbage-collection]
    # The frequency to run garbage collection at
    #
    # By default it's 12 hours. You can use natural language
    # to specify the interval, like "1 day".
    #
    # If zero, automatic garbage collection is disabled, but
    # it can still be run manually with `atticd --mode garbage-collector-once`.
    interval = "1 week"
    # Default retention period
    #
    # Zero (default) means time-based garbage-collection is
    # disabled by default. You can enable it on a per-cache basis.
    default-retention-period = "6 months"
    [jwt]
    # WARNING: Changing _anything_ in this section will break any existing
    # tokens. If you need to regenerate them, ensure that you use the the
    # correct secret and include the `iss` and `aud` claims.
    # JWT `iss` claim
    #
    # Set this to the JWT issuer that you want to validate.
    # If this is set, all received JWTs will validate that the `iss` claim
    # matches this value.
    #token-bound-issuer = "some-issuer"
    # JWT `aud` claim
    #
    # Set this to the JWT audience(s) that you want to validate.
    # If this is set, all received JWTs will validate that the `aud` claim
    # contains at least one of these values.
    #token-bound-audiences = ["some-audience1", "some-audience2"]
    [jwt.signing]
    # JWT RS256 secret key
    #
    # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
    # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
    # environment variable.
    token-rs256-secret-base64 = "r0To/djPCwwXRtFcHakhiEHLkEuOQQJtPPeRsfyg8XAkp0A8Tu+AwGz12RFR65JvyhWXSPg7RUIwXzbg6YLcmA=="
@@ -0,0 +1,63 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: attic
 spec:
  selector:
    matchLabels:
      app: attic
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: attic
    spec:
      nodeName: atlas
      containers:
        - name: attic
          image: ghcr.io/zhaofengli/attic:latest
          args:
           - -f
           - /config.toml
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          env:
            - name: ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
              value: "r0To/djPCwwXRtFcHakhiEHLkEuOQQJtPPeRsfyg8XAkp0A8Tu+AwGz12RFR65JvyhWXSPg7RUIwXzbg6YLcmA=="
              # valueFrom:
              #   secretKeyRef:
              #     name: server
              #     key: token
            - name: ATTIC_SERVER_DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: database
                  key: url
          volumeMounts:
          - name: data
            mountPath: /attic
          - name: attic-config
            mountPath: /config.toml
            subPath: config.toml
      volumes:
        - name: server
          secret:
            secretName: server
        - name: attic-config
          configMap:
            defaultMode: 420
            name: attic-config
        - name: data
          persistentVolumeClaim:
            claimName: attic
@@ -9,23 +9,23 @@ metadata:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    oceanbox.io/expose: internal
  labels:
-    app.kubernetes.io/component: nix-cache
+    app.kubernetes.io/component: attic
-  name: nix-cache
+  name: attic
-  namespace: ncps
+  namespace: attic
 spec:
  ingressClassName: nginx
  rules:
-  - host: cache.srv.oceanbox.io
+  - host: attic.srv.oceanbox.io
    http:
      paths:
      - backend:
          service:
-            name: nix-cache
+            name: attic
            port:
-              name: http-web
+              name: http
        path: /
-        pathType: ImplementationSpecific
+        pathType: Prefix
  tls:
  - hosts:
-    - cache.srv.oceanbox.io
+    - attic.srv.oceanbox.io
-    secretName: cache.srv.oceanbox.io-tls
+    secretName: attic.srv.oceanbox.io-tls
@@ -1,10 +1,9 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: nix-cache
+  name: attic
  labels:
-    app: nix-cache
+    app: attic
    tier: proxy
 spec:
  accessModes:
    - ReadWriteOnce
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: server
 stringData:
  token: "ref+sops://secrets.yml#attic/jwtToken"
@@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: attic
  labels:
    app: attic
 spec:
  type: ClusterIP
  selector:
    app: attic
    component: website
  ports:
    - name: http
      port: 8080
      targetPort: http
@@ -1,62 +0,0 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: nix-cache
  labels:
    app: nix-cache
    tier: proxy
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: nix-cache
      tier: proxy
  template:
    metadata:
      labels:
        app: nix-cache
        tier: proxy
    spec:
      initContainers:
        - image: alpine:latest
          name: create-directories
          args:
            - /bin/sh
            - -c
            - "mkdir -m 0755 -p /storage/var && mkdir -m 0700 -p /storage/var/ncps && mkdir -m 0700 -p /storage/var/ncps/db"
          volumeMounts:
            - name: nix-cache-persistent-storage
              mountPath: /storage
        - image: kalbasit/ncps:latest # NOTE: It's recommended to use a tag here, but we live dangerously
          name: migrate-database
          args:
            - /bin/dbmate
            - --url=sqlite:/storage/var/ncps/db/db.sqlite
            - migrate
            - up
          volumeMounts:
            - name: nix-cache-persistent-storage
              mountPath: /storage
      containers:
        - image: kalbasit/ncps:latest # NOTE: It's recommended to use a tag here!
          name: nix-cache
          args:
            - /bin/ncps
            - serve
            - --cache-hostname=cache.srv.oceanbox.io
            - --cache-data-path=/storage
            - --cache-database-url=sqlite:/storage/var/ncps/db/db.sqlite
            - --upstream-cache=https://cache.nixos.org
            - --upstream-cache=https://nix-community.cachix.org
            - --upstream-public-key=cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
            - --upstream-public-key=nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
          ports:
            - containerPort: 8501
              name: http-web
          volumeMounts:
            - name: nix-cache-persistent-storage
              mountPath: /storage
      volumes:
        - name: nix-cache-persistent-storage
          persistentVolumeClaim:
            claimName: nix-cache
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: nix-cache
  labels:
    app: nix-cache
    tier: proxy
 spec:
  type: ClusterIP
  ports:
    - name: http-web
      port: 8501
  selector:
    app: nix-cache
    tier: proxy
`@@ -1,2 +1,2 @@`
	`ncps:`	`attic:`
	`enabled: true`	`enabled: true`