-rw-r--r--modules/services/atticd.nix185
1 files changed, 95 insertions, 90 deletions
diff --git a/modules/services/atticd.nix b/modules/services/atticd.nix
index 6229b11..ef79871 100644
--- a/modules/services/atticd.nix
+++ b/modules/services/atticd.nix
@@ -20,102 +20,107 @@ in
     };
   };
 
-  config = mkIf cfg.enable {
-    services.atticd = {
-      enable = true;
-      credentialsFile = cfg.secrets.attic-credentials;
-
-      settings = {
-        listen = "[::]:4005";
-        allowed-hosts = cfg.hosts;
-        api-endpoint = cfg.baseURL;
-
-        database.url = "postgres://atticd?host=/run/postgresql";
-
-        require-proof-of-possession = false;
-
-        # Data chunking
-        #
-        # Warning: If you change any of the values here, it will be
-        # difficult to reuse existing chunks for newly-uploaded NARs
-        # since the cutpoints will be different. As a result, the
-        # deduplication ratio will suffer for a while after the change.
-        chunking = {
-          # The minimum NAR size to trigger chunking
-          #
-          # IUUU, chunking is disabled entirely for newly-uploaded NARs.
-          # If 1, all NARs are chunked.
-          nar-size-threshold = 64 * 1024; # 64 KiB
+  config = mkMerge [
+    (mkIf cfg.enable {
+      services.atticd = {
+        enable = true;
+        credentialsFile = cfg.secrets.attic-credentials;
 
-          # The preferred minimum size of a chunk, in bytes
-          min-size = 16 * 1024; # 16 KiB
+        settings = {
+          listen = "[::]:4005";
+          allowed-hosts = cfg.hosts;
+          api-endpoint = cfg.baseURL;
 
-          # The preferred average size of a chunk, in bytes
-          avg-size = 64 * 1024; # 64 KiB
+          database.url = "postgres://atticd?host=/run/postgresql";
 
-          # The preferred maximum size of a chunk, in bytes
-          max-size = 256 * 1024; # 256 KiB
-        };
-        storage = {
-          type = "local";
-          path = cfg.storagePath;
-        };
-        compression = {
-          type = "zstd";
-          level = 9;
-        };
-        garbage-collection = {
-          interval = "12 hours";
-          default-retention-period = "4 weeks";
+          require-proof-of-possession = false;
+
+          # Data chunking
+          #
+          # Warning: If you change any of the values here, it will be
+          # difficult to reuse existing chunks for newly-uploaded NARs
+          # since the cutpoints will be different. As a result, the
+          # deduplication ratio will suffer for a while after the change.
+          chunking = {
+            # The minimum NAR size to trigger chunking
+            #
+            # IUUU, chunking is disabled entirely for newly-uploaded NARs.
+            # If 1, all NARs are chunked.
+            nar-size-threshold = 64 * 1024; # 64 KiB
+
+            # The preferred minimum size of a chunk, in bytes
+            min-size = 16 * 1024; # 16 KiB
+
+            # The preferred average size of a chunk, in bytes
+            avg-size = 64 * 1024; # 64 KiB
+
+            # The preferred maximum size of a chunk, in bytes
+            max-size = 256 * 1024; # 256 KiB
+          };
+          storage = {
+            type = "local";
+            path = cfg.storagePath;
+          };
+          compression = {
+            type = "zstd";
+            level = 9;
+          };
+          garbage-collection = {
+            interval = "12 hours";
+            default-retention-period = "4 weeks";
+          };
         };
       };
-    };
 
-    services.postgresql.ensureDatabases = [ "atticd" ];
-    services.postgresql.ensureUsers = [
-      {
-        name = "atticd";
-        ensureDBOwnership = true;
-      }
-    ];
-
-    services.nginx.virtualHosts = builtins.listToAttrs (map (host: {
-      name = host;
-      value = {
-        extraConfig = ''
-          client_max_body_size 0;
-
-          proxy_read_timeout 300s;
-          proxy_send_timeout 300s;
-        '';
-      };
-    }) cfg.hosts);
-
-    systemd.services.atticd-watch-store = mkIf cfg.watchStore {
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ];
-      serviceConfig = {
-        DynamicUser = true;
-        StateDirectory = "atticd-watch-store";
-        # NOTE: currently this expects `attic/config.toml` to be manually
-        # generated and placed on `/var/lib/atticd-watch-store`
-        Environment = "XDG_CONFIG_HOME=/var/lib/atticd-watch-store";
-        ExecStart = "${pkgs.attic}/bin/attic watch-store hydra";
-        Restart = "on-failure";
-        RestartSec = "5s";
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
-        RestrictNamespaces = true;
-        RestrictSUIDSGID = true;
+      services.postgresql.ensureDatabases = [ "atticd" ];
+      services.postgresql.ensureUsers = [
+        {
+          name = "atticd";
+          ensureDBOwnership = true;
+        }
+      ];
+
+      services.nginx.virtualHosts = builtins.listToAttrs (map
+        (host: {
+          name = host;
+          value = {
+            extraConfig = ''
+              client_max_body_size 0;
+
+              proxy_read_timeout 300s;
+              proxy_send_timeout 300s;
+            '';
+          };
+        })
+        cfg.hosts);
+    })
+    (mkIf cfg.watchStore {
+      systemd.services.atticd-watch-store = mkIf cfg.watchStore {
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "network-online.target" ];
+        serviceConfig = {
+          DynamicUser = true;
+          StateDirectory = "atticd-watch-store";
+          # NOTE: currently this expects `attic/config.toml` to be manually
+          # generated and placed on `/var/lib/atticd-watch-store`
+          Environment = "XDG_CONFIG_HOME=/var/lib/atticd-watch-store";
+          ExecStart = "${pkgs.attic}/bin/attic watch-store hydra";
+          Restart = "on-failure";
+          RestartSec = "5s";
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+          RestrictNamespaces = true;
+          RestrictSUIDSGID = true;
+        };
       };
-    };
 
-    modules.persistence.directories = [
-      "/var/lib/private/atticd-watch-store"
-    ];
-  };
+      modules.persistence.directories = [
+        "/var/lib/private/atticd-watch-store"
+      ];
+     })
+  ];
 }
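Review bot: The inner `mkIf cfg.watchStore` on the `systemd.services.atticd-watch-store = mkIf cfg.watchStore {` line is redundant now that the entire second `mkMerge` element is already wrapped in `(mkIf cfg.watchStore { … })`; simplify it to `systemd.services.atticd-watch-store = {`. The split also changes the gating: the watcher service and the `modules.persistence.directories` entry used to require `cfg.enable` as well and now activate on `cfg.watchStore` alone, which is presumably intended so the watcher can run on a host that does not serve the cache, but if the old coupling was wanted the element should read `(mkIf (cfg.enable && cfg.watchStore) { … })`. The closing `})` of the second element is indented one column deeper than the first's `})`. Since the chunking comment was moved anyway, `IUUU, chunking is disabled entirely for newly-uploaded NARs.` reads as a garbled `If 0, chunking is disabled entirely for newly-uploaded NARs.` and is worth fixing in the same commit.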