apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: attic
  name: attic-config
  namespace: attic
data:
  config.toml: |
    # src: https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml

    # Socket address to listen on
    listen = "[::]:8080"

    # Allowed `Host` headers
    #
    # This _must_ be configured for production use. If unconfigured or the
    # list is empty, all `Host` headers are allowed.
    allowed-hosts = []

    # The canonical API endpoint of this server
    #
    # This is the endpoint exposed to clients in `cache-config` responses.
    #
    # This _must_ be configured for production use. If not configured, the
    # API endpoint is synthesized from the client's `Host` header which may
    # be insecure.
    #
    # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
    # not `https://domain.tld/attic`).
    api-endpoint = "https://attic.srv.oceanbox.io/"

    # Whether to soft-delete caches
    #
    # If this is enabled, caches are soft-deleted instead of actually
    # removed from the database. Note that soft-deleted caches cannot
    # have their names reused as long as the original database records
    # are there.
    #soft-delete-caches = false

    # Whether to require fully uploading a NAR if it exists in the global cache.
    #
    # If set to false, simply knowing the NAR hash is enough for
    # an uploader to gain access to an existing NAR in the global
    # cache.
    #require-proof-of-possession = true

    # Database connection
    [database]
    # Connection URL
    #
    # For production use it's recommended to use PostgreSQL.
    url = "postgresql://app:mZP1BnmnpDU33B7UZvomYKOSS1laRJ4bvUR7jNDZ1AJqPdNxH2rLXykghczg7Bgy@attic-db-rw:5432/app"

    # Whether to enable sending on periodic heartbeat queries
    #
    # If enabled, a heartbeat query will be sent every minute
    #heartbeat = false

    # File storage configuration
    [storage]
    # Storage type
    #
    # Can be "local" or "s3".
    type = "local"

    # ## Local storage

    # The directory to store all files under
    path = "/attic"

    # ## S3 Storage (set type to "s3" and uncomment below)

    # The AWS region
    #region = "us-east-1"

    # The name of the bucket
    #bucket = "some-bucket"

    # Custom S3 endpoint
    #
    # Set this if you are using an S3-compatible object storage (e.g., Minio).
    #endpoint = "https://xxx.r2.cloudflarestorage.com"

    # Credentials
    #
    # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
    # `AWS_SECRET_ACCESS_KEY` environment variables.
    #[storage.credentials]
    #  access_key_id = ""
    #  secret_access_key = ""

    # Data chunking
    #
    # Warning: If you change any of the values here, it will be
    # difficult to reuse existing chunks for newly-uploaded NARs
    # since the cutpoints will be different. As a result, the
    # deduplication ratio will suffer for a while after the change.
    [chunking]
    # The minimum NAR size to trigger chunking
    #
    # If 0, chunking is disabled entirely for newly-uploaded NARs.
    # If 1, all NARs are chunked.
    nar-size-threshold = 65536 # chunk files that are 64 KiB or larger

    # The preferred minimum size of a chunk, in bytes
    min-size = 16384            # 16 KiB

    # The preferred average size of a chunk, in bytes
    avg-size = 65536            # 64 KiB

    # The preferred maximum size of a chunk, in bytes
    max-size = 262144           # 256 KiB

    # Compression
    [compression]
    # Compression type
    #
    # Can be "none", "brotli", "zstd", or "xz"
    type = "zstd"

    # Compression level
    #level = 8

    # Garbage collection
    [garbage-collection]
    # The frequency to run garbage collection at
    #
    # By default it's 12 hours. You can use natural language
    # to specify the interval, like "1 day".
    #
    # If zero, automatic garbage collection is disabled, but
    # it can still be run manually with `atticd --mode garbage-collector-once`.
    interval = "1 week"

    # Default retention period
    #
    # Zero (default) means time-based garbage-collection is
    # disabled by default. You can enable it on a per-cache basis.
    default-retention-period = "6 months"

    [jwt]
    # WARNING: Changing _anything_ in this section will break any existing
    # tokens. If you need to regenerate them, ensure that you use the the
    # correct secret and include the `iss` and `aud` claims.

    # JWT `iss` claim
    #
    # Set this to the JWT issuer that you want to validate.
    # If this is set, all received JWTs will validate that the `iss` claim
    # matches this value.
    #token-bound-issuer = "some-issuer"

    # JWT `aud` claim
    #
    # Set this to the JWT audience(s) that you want to validate.
    # If this is set, all received JWTs will validate that the `aud` claim
    # contains at least one of these values.
    #token-bound-audiences = ["some-audience1", "some-audience2"]

    [jwt.signing]
    # JWT RS256 secret key
    #
    # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
    # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
    # environment variable.
    token-rs256-secret-base64 = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0VBdlZrMHQyZUtvdjhpV3prVFFtQzJtRklvd0gxc2liNlVpUFhUaGVwcURiWHMyaERFCnFYa1pKUXRjTnY0T2RtcldmZ2tsbjVyblJNQk5yL1B5dE05OFFMVVJnbzFSU2VTeUVjcmxSU1N4MElVRlhkM3YKV0U0aTJJTktsSzgxblJoY0o4czRUM09iYUpvSUQweEpqS2IzMkhxZmpOSU1vcVdBRk1ES2YyMUM5OWxQeTRXSgpVUUVnYTRzbHo5RzZHVi8wZW5qbFNMa2RRNjEvdEwyRE1ISHgvV2VRUEtpWkF4c2Fwczd3ZVJiNVBrS3J0MVlGClRxa1lJSjY3eDFiNDR1N0NmdWdVbHhMM2JCQ1lqVXVXNnoxdGU3T2ZQUUhoM1FPU2lFZTczQ3I4dU1lSkplV0wKN2VKc1hWSG9uVzBMZWl0aDk5WmJTUTF3YlhieDVPZzNTQ3ZWYnkyZE90Y3Rud2Y2aDN5YlJ3SUNoc24xbk4zMwowRkMyOXlFY0ExQ2VFVzRsMVVHNmxoMGw5cEpiWEhRNlFJS1paempaTlgxZTRGRW5TdytGNGhXd3R1Z2JtKzZnCnVPdEE5QVJxYndJOTFLeEtoT204Q0RJQlRwWThSZG1SaElicWUrc3czT3p3dGk0eTVkU3FMREsrT3Y5b05ucngKQW9TN21TaXNQeDVJS3JwaFhMT3JvVmI2L1puSmNOK3ljaExuenptMDY2Zk5RaTBLNHhzaitvWkphaXVjZnBacAphSElHZGpaY1U3aE5FUzdJNVliVEFqUDdkaDRzdXJnMk1xTUtxbUxsa2ZPcGFoRTlMQTZVVFZRZHZLVFVGNWZwCkdYSnhaT1RKWlpiOGNQTFYxZFdXbnBMaEZNV2h2OUZQTCtDVGZQVUFvQmtmOTE3TzFLdkE3bGsvcTJzQ0F3RUEKQVFLQ0FnQU9WZ3k1dmlzdkFDWTN4ZkNCWEJVM0h6RmFzYVJnSVgvWmh0TkhGbUtGT3pyOW43dGtJWGtYNXU1SwpjNTNndFdJY0ZORTJibUlJUUk4aFBWVW8vM1NtNlk2ejFjTkwxdmJzaGZJcDlBZEtoR2ZOblpvYmszN3I2YlRoCjRRb3NKTVlGZFV1RUtIcWh4dGZKWUx0STNQTnkvb1hLQWJWWE16U3BYWmQzWW14cG01aUJEbEZCUXRhVGpldUUKK3BvZWhiZGE5b0JWcXo1ZCsycnA0bGRtZVpvYTE1YUNJVG5FbEc3R0puRHFtaVN3NUJkZ1FERVNyWmJZRVd5aQpRU0dDL1JUWXl2V1VJcWw5RXh5WnhobGRJaitCMkMyOFRzSXRHN0lpZzF2ajVaVlE0RHF3RmRzc1hiSmF0bkxvClNITlFBcXplT09xY2Mxb0p6N0dzNVRBYVZNZEtEQXZCZm1JMFBMcDNqNmVFOFFIYlduMHk2NzVYbnlqWllLUUcKaWx5R0pUNVRzMWZHWHlPSXBrNG4yQjM1V3dHcjIyTkxnYUd5cnZjRkgxN3JoZGVnaGlrZFJRd1FOcXRsZjBIZApMWDVRQWVwcUt3SE9uR1BGVy9XU2xGU0lEdkt1VFZSVGtvQmFSMTA3OFpiS2JXckZBbEdqYTFvbnNXQUh1YW5UClh5dFE4dWoxUEFFeWFMZUJEaUJxRVJ2am1VVFQ1ZktCOTdaVnRJenVBZ0lyWWZ6YjIyVEk2VFJ6OVZiQ2VyWG8KdTc0cnoxMjM2TXMrbmg5Y2xYd3VtQlBOU1d1eE9OdldOWEZ6VWdIOURzdlFRMWRsMFRJWEFQMGhFYkRHRkNBQwowUlg2M0lpcXFzUG1ZZUZNTGR5K2tVWjViNzI1TlhXWFRHbDRnQ1Y3NFVRU01ya0xrUUtDQVFFQStobXIwYjdnClVYcWRKaGtLRXVsa29IVzVuYzZ4QmhobCtuTkFucVFSTm5tQWpiaDlCeDVpLzQ2WUwxcHFYQUY5cTNIRlowSDIKZEJRZXN2Q0pxbmtSTHVwTi95VE1KSlo0ZE5kMHZqRzZ0UGhMUjZuRmRabHU0TFBRMXRKcU5XZkhZeCtwQ3N2SQo4Wkx3VG8rRGFxSjArZDk3WWF0b0dWNUZHOWtUSjhBYWFXb0Q1R1AyOGtOd0djKzI0b2VNYnJtU0ppQ2I2UlJoCjA5WWJaMGpXdkFHaXJyMzFOTW5nR0dtVmRPMThoOXVMUStLNzFUQWt1eFEzZEhpUzh6UVd6YythRnM1THgyUnIKeXppcEJhR3VySmFJQ05XNklFQm5ndFcvZEZaYXpMbjhQcDVrQlJzQ1NyN1JpQkNFSFZmeHBYVFNoS3cwVWp4NQo2a0gwc01YZnFoOFpMUUtDQVFFQXdkQ3BPUXBRa1RhK0t6Z0VrWGdMVnk2QmZJKzRWdC9BYjRtK2pFSm85aUIzCnN4dEtKNU5tNXltNldXcmFWS25zekxNZy85Mi9vSVZreUlNSklrOWNYdEpuaEU5ak1aVzc2ZjhYbW5CUnJIMnAKVHVmNWtYWWdVUHZLQ2g1U1g5Q2w0UHJENHNSb3cwNHJjbHVxSE1MT2g1MncxUmJPalRrb05tNXBHWlFoVkhxeApaUzh3aVk3bzhLNFZJQXZOVlZOdGlIZFNOY2Y0cDMxL0F6SU5aQjJWdlczeWJHTWNIdDByekQ5TkpZLzhTekc3CktEME5mRTgzeng2OWxHTlhUcURGSnBTV2ZNVlFwSGVCM0FTRTV1YVhVM1c5S3EwN2NDOEJWSHRaK3B5a1B0RTYKOHgrZE9NYWh6UElaMjRqbkIzZkVsaWc0Rk5zd01LZm9aeDdKYUJLRjl3S0NBUUVBdWJUTUgwOWpVenovYVdXWQpWRmlYVG9wN3pGRElvNlVFUEFiT1NiMjd4ajVNRlcrUzd2RkNRMDZIZEVubnhlK1pkKzlmeS85djE5dUV2QXZkCnZRWnVtdTZDQWQwNTlFVUNwb2ZCZU9TR0paQmtuWTdUUHpJeDRZbkRuVy9hUzFPRyt2UnNXY2JkcTNzWEVzNS8KbjNPSDltNWFPRGpGY0dqT1doSkNwZlovNWh4QlRacG9xSlVvclJIT1U4Q2dweXNGK1dlblBWZlVHQzdZWkVYeQpwT0YyQWRpdE5ZaGM3T09oaFpRK0xzYjNUdTRSMlFnSmpoeEIzU3NXdXAzSC9RU1UvekFwbHFIYlpLZnE0WEtmCnVDbUNVMFVZRXBDZ0M4ZFpoVElGOUJSNTE2bFd6Vyt6c1BxbHJTbk9YOWVJWi9vcHd6ZjNGY1V3SmFEWjUxVFcKY29UcTlRS0NBUUVBckhtVTdpYkl0Y0Zpa0RGa2wxT2R1L0t0MW54TFRqd0dFdndnYnM3MmV2ay9yRXEvdmVKRgpzN2NGbDJjb2JpbGRpbmhxQ0doOGpFdkkrVXJxeVBhWXUrVS9xNVcrTHpVUnFkV1JXcVZUZVUzR2FtcXpSQWc4CkQvVlJ3WmxrTXRJSm0rRnNpcFBBcXZVWVlzZEI1aUJTREl0Ky90SXg4NmtHcVJHdVE4MzNyeWNVVUhnakdIYnQKd3FrWU1aRnZJOXgvWCs3WFlQYll4Nnc5YUVtVmN4K0V6ck5XQmJCWktQb25iTFowWDlYM2JhOE8zMnNkWWg5WgpDZDlRVkFubmV4aEUrZVZHMmpmNVlMTGRCRCtkU2FHd3p0dTdBSXh5bFkydkFGQlpMVlZTTUhpZm5oWG5Jc3hZCjFub29HcDZGQWJkS1lWbmZObWdzUlZCVzE5V2s1QkYvMXdLQ0FRRUFqVnR1RXdYZzU5NERIaVN4UjlWbGRBaHYKcXF5dlpieVhPT2pnNHNKZjFLUlpxZkkzV28yL05IQWN0MlZlREE1bnlEM001YndHWEwrdVZGaUlMVk1ZMUp0WQp6MmlHWHgwZVdlbFJya2tRZHFncTI1TE9BQ2dxYTFMNW9tQS9tMGcwQWljWVdYa1FYSXpXRkhwb0ZqcU9KZHpTCnZ0MHhLV2lpWHUxVk5YeDJibFR1dXBCa1JUZUlQNTVxdWdyOUh0ZmY1MHc5MHhwTllaMFR3d0lDMG1neVVMMWEKRkdVdHlPUTlqVFBUUUdGM3h6REJCQ2U2MW5uZUV0TThRMEJ1MXh3Rm90aWFYSE9NaGhiMFBndVkzNHhiekNHYgpHcTlsWjVaN2lRVXByUWNNYjhrUzZ1WFk3VHBDTmUzaDBiTTM5dVlKeHNYNXUzcmVNRWsyZlBNT3dnTlFjdz09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="