feat[server]: setup attic cache automatically

2026-04-14 13:19:09 +02:00 · 2025-12-23 02:49:58 +01:00 · 2025-12-23 02:49:58 +01:00 · 1cc890ea9d
commit 1cc890ea9d
parent ecbaf9482a
4 changed files with 60 additions and 4 deletions
--- a/modules/nixos/server/attic-setup.nix
+++ b/modules/nixos/server/attic-setup.nix
@ -0,0 +1,54 @@
+{ lib, config, pkgs, globals, ... }:
+
+{
+  options.swarselmodules.server.attic-setup = lib.mkEnableOption "enable attic setup";
+  config = lib.mkIf config.swarselmodules.server.attic-setup {
+
+    environment.systemPackages = with pkgs; [
+      attic-client
+    ];
+
+    sops = {
+      secrets = {
+        attic-cache-key = { };
+      };
+      templates = {
+        "attic-env".content = ''
+          DOMAIN=https://${globals.services.attic.domain}
+          TOKEN=${config.sops.placeholder.attic-cache-key}
+        '';
+      };
+    };
+
+    systemd.services.attic-cache-setup = {
+      description = "Ensure attic is authenticated to cache";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = [
+          config.sops.templates.attic-env.path
+        ];
+      };
+      script =
+        let
+          attic = lib.getExe pkgs.attic-client;
+        in
+        ''
+          set -eu
+          if ${attic} cache info ${config.swarselsystems.mainUser} >/dev/null 2>&1; then
+            echo "cache already authenticated"
+            exit 0
+          fi
+          echo "cache not authenticated, attempting login..."
+          ${attic} login ${config.swarselsystems.mainUser} "$DOMAIN" "$TOKEN" --set-default
+          ${attic} use ${config.swarselsystems.mainUser}
+        '';
+
+    };
+
+  };
+
+}
--- a/modules/nixos/server/packages.nix
+++ b/modules/nixos/server/packages.nix
@ -11,10 +11,9 @@
      emacs
      vim
      sops
-      swarsel-deploy
      tmux
      busybox
-      attic-client
+      swarsel-deploy
      swarsel-gens
      swarsel-switch
    ];
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@ -20,6 +20,7 @@
        diskEncryption = lib.mkDefault true;
        packages = lib.mkDefault true;
        ssh = lib.mkDefault true;
+        attic-setup = lib.mkDefault true;
      };
    };
  };
--- a/secrets/repo/common.yaml
+++ b/secrets/repo/common.yaml
@ -31,6 +31,8 @@ github-nixpkgs-review-token: ENC[AES256_GCM,data:/4ssZAEwEc9fZeR69GCvLMm4eRv4uab
 #ENC[AES256_GCM,data:PI5MX6PgK1y0lqyoYA0=,iv:25UAvFaANHFD04GRafGlCzOc5h+15YPtSES2z2tmpXw=,tag:+XLwQ01+AtGWjtsSQhQ1AQ==,type:comment]
 anki-user: ENC[AES256_GCM,data:WoGaNDAHFw==,iv:ZSjHfKMIjlgOuvGl7hVxJc1fE80nfxxXYLgsKangBCs=,tag:UP8ZI7gzOrJJjNDHovIkyg==,type:str]
 anki-pw: ENC[AES256_GCM,data:z2SCsSvZIqN2/2VK1EdmcAnl42x5A15PAiK932k3n50Vj1jczGRoSw==,iv:keQCutY4vizVzu5YzPBJLgDLveYDb2VGeEnYmO7CeQw=,tag:KGplFfC5xktNAOTbIlt+Tg==,type:str]
+#ENC[AES256_GCM,data:veUC1sj6BSqHBA==,iv:L36lv9aQ38/WEaIccQDgOw2PB9U9k/t8x00wIw2Y858=,tag:3s2LBCwGzYpUk8WBj70UGQ==,type:comment]
+attic-cache-key: ENC[AES256_GCM,data:2Xw8YX6wiQg2yb2pbZ/UowmzUdhtb2iRTVZZD2ypGaiwhI3mteG3qUgQm1oCz0bp+5jip6+kVzt576qVbUGim/m+dUZYU6mqm64/78bfuTvd/UBlJnmjNtWE2ILjnP+M4EodzbYlBlxwGhFS28wrVOHo77rzbcrPJEwZiqIzSgGIWKdNzzo5AXL2b1lKAngXO6Bi5Jc9W4lkTVFJ/Ixh6aOoHpq9TzsHHx2Aak22969pnxmFFpXKof4eiNGnoGBZDAr8pC7oSwVqDYbZwxH1ulRq863KVQkve+HBR2JJLAQjYHHUJJGhJG9jWYT03WjBNHwIDMTTvC9Fiw9Cr0TG0B8Bxwm3dhgLirjUyLOiST2CbDxxld1M8DJFkBwrih6hMJXmJw8Dlqy/D+3EZXT947BI8ythYjuL3jIHHQhUjfEf+sLdqPSngHolAAKqKE84Xv2FDn2wXGwe8UY3NMmIeaWYZsyDu77KnQR2R+6TuJTOw6vOdDoUJ55YRPdb9UR186b+TiSrP0SZOujoSYGs9dattEvN3XKlm3cQztB9UygmdEk/stDZ/CJIRUNXsu46o1nR5FWPkgoW91Fzxs00QgQMpYlnXM2CWknYMSHL45t0BYA7yuFwq9MYNUK/vrdCr3mtHxA6R28HajDUWoZA6uS+DF/i1nF79sYfam7SdKNCqu2r/1CGLblHQwKT27HmrTCXdjeLqe+Yv7sJzlEbV+sKD+ccW8jI4NZRjCbVJVKydK23YWj94NEt/M2rtxzV30XKw8GClqsdEF+v4nu48oB894RPZCy9qQjaFHnqYpiqSa0oXluiQQmRfA0jtQLRTXN5ri7U/GtfH1za179MFWwMorRMK6qdTt3pi8Fie4UgzGyGq6CugN8HxeMNl70pPVIKjGNO8Npezk6T3YDUpB3/OGY56jhSYxIEadBvW9CqDS7al7zEKgD1wx1gzT2mQh60H2B/InWg9p96qOqVEQxOFDklxlcnygLu3z7Y0mAds/HXOJJnJbagjfxVi+qROOtVrR5y/kySR0pM9Syk8GvqdtRct7qorONAV/yonarEgz+eEFj10kderSsPdz1sgiYe93VLmPp07cdVsUsaDtLW8gXafc3aWOZ8JIkSUhYDbR49pf2bTeoMDoyi9d6pgLr+cJGQbJC/1LmsAIqOQ7WPiTeAZG2lStNf3bwClpUuL0t78UabZyNzJJN5TFDZqGkwXlaJmQ==,iv:6sa44WnyrXW3KQHdGIKuiGWwqp3qtQu4Q9RSXA45PYs=,tag:MbtS4Xx5K8O3mFAlriuuIA==,type:str]
 #ENC[AES256_GCM,data:KCqwghIJ8tlGFxMt94svo6285cA1YRbYoeivx6A=,iv:qlZCGrCn5fU1xPQF9wfOMarU6Z7oa3mLtd1LzVzMbuI=,tag:Qq5lBtUsd3lQMx6ffk+kzQ==,type:comment]
 builder-key: ENC[AES256_GCM,data:OOoA7oRIFJwS48qs42WmIXU4vLTQLRi6Nzb6IUNXAwnj7E9Q/uzOnmJ6ZihqUr3uP3/kqICdZqkB5Lf+lwUqrPmGi8PH8c4uq3L9ZVQyRTKRWvS5biYRMd/NI1ACRevxFJygKZ/q1dH8Cf++m26Jo9On24liepQbogwIctmN8bLXuXrUYVYMcLyGb2W2uznj5Jtwyji87S1xc/TTh/IOFexPY7yAnlwSZ7IoPTOj8o/00Hny8KIwRVf0uLBmtarIS8u4kfjkFUN38X9xmzQqhITaZNRmwerb3JDbD3SYapfsyeLzkzVgsDooOniCRehX1pg7KJu/qHnFM8t7e4qZe9u4PZP08aVAS3tqChuG/Nm4fv3vnF0SwctGQsar2HDmby1IXAw3fSNCW/v/l8VY4IaRX9s7e6c95gd5NX7/CJ2CJUDb4s3e7U0SkftOUz/B1zX47xBHSibZ2Js24N6Tvq/5S4OJFwryvt57Ed+cY+zSROlJwjrTgaGcuwH3MHLfHJlA,iv:2RpiHF4b7+520UJcHVobfJs165EjgxaTATSyOx7HJik=,tag:tGddPi0YeO3E0kHl+E7uGA==,type:str]
 nixbuild-net-key: ENC[AES256_GCM,data:aAa6iyZsjH1sAb6ucSPJb2R+QiG2bTj46Csnjg58+2ngYdfuim6SzWEid8IHJV1+M0s/hVTbZWiPsU2KQ+JCdJ84as520avxs6I0URvNx+VmFi6DNGbBJJJJKdTXIKvtmLHqHobs9XtIHahQKoyUpXiSY88DcwAt4e2mUTa6olgrDv66+/fEGeexP4S7AVB0wYeegyMgWODRrA9gS/YLMxMdqk/VHuwIQpWkhxX+AY8mXkx7LalxrbtV/24qdNtr2GittrvYBAkYGWAVZYotBVKjaWVUVzqF3BU+wmg0c56OG5qtt9eD1THAqNauN3iIfUnV301S+TvVtYjpy7gOj3WzntO/kh4kD+7FnfleLXIVSLgBRc0vHhd+7HKKtVRnAINyPkyjaBpnnBa4cksBvHtI0uis0Pi+4JtObD3m+5dywTeL+HDQfHwu+7CgjvXHQYKvEaJ8z6alyXL88Q6uT2Ikaoyrkpi7OJsuIBiNbs5YzRReSfLVyepm8SAtA8UIwnMiTtgFvwGUEW19ne96,iv:2HN9X9CA1liWuY+LYqTCX6Zy3xARMS/TOL61r2UKsE8=,tag:XcPBwYrQjqhexI7u+0zXQw==,type:str]
@ -144,8 +146,8 @@ sops:
            L0gzWDFia2Jha0lDaGZaSWEwOWFmb1EKJqqjxODIgVeiMKtV6361sjYQa559pKCG
            1pKczlzXxL1FliBQoZZGq55NR4azWYEl/yV5tee1dtUohJW0pAyScA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-01T19:57:43Z"
-    mac: ENC[AES256_GCM,data:2CLFlduO1fsxtvF1fbH18kadQuawMwIYEjsJBvZ65tecIdjT5efPD07+czmysKWBh6FQuVPL8a3uVlqT2WUW57AjQZtxloCMAFS9m2S//I6I8GsLVccGnmudiHUdXFnt+gI1gtb6ukZMEps4m/LSqUHGSptVwqrIN2gBM6Yy9Mo=,iv:S/crBYhr2HTzMYn83bK2YYO7kwfDspF0gvkoiuI9J7o=,tag:+sO+jFMFGZSsCb7PGnlUmw==,type:str]
+    lastmodified: "2025-12-23T01:11:36Z"
+    mac: ENC[AES256_GCM,data:e0WoFBQSR5q3GOQ+GMJGBd4lNBAMqlnVjtUq3snxrdvcytb9YvKnoYQH+GjbdGIiqrND8pOVnZt34AjkR8YfpWe+VrkP3Vj/3l+1GjF1XIHbzBNKOQHdYPSVsH2NZwftcAdphbStf3GTlb+b+cpTn4a9Y4pTNGVoOaOA1tBr8bM=,iv:sPXktitTNMkBhHr6E/QRZCVKrgyED9/o9hiivbObACI=,tag:tTNr4UEf92UrtI0Jvi5o3g==,type:str]
    pgp:
        - created_at: "2025-12-15T21:53:36Z"
          enc: |-