
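# Attic binary-cache server (atticd) for this host, run as a podman container
# through virtualisation.oci-containers.
#
# The server.toml (which embeds the JWT signing secret and the S3 credentials)
# is rendered by sops-nix from the sops template below and bind-mounted into
# the container; a systemd path unit restarts the container whenever one of
# the rendered templates changes, and every secret restarts it on rotation.
{config, ...}: let
  # https://github.com/zhaofengli/attic/pkgs/container/attic
  # Image is pinned to a specific upstream rev so upgrades are explicit;
  # the commented lines below are the previously used pins.
  containerRev = "24fad0622fc9404c69e83bab7738359c5be4988e";
  # containerRev = "b8c5ab4518f776624fee261385abb98348cd26cf";
  # containerRev = "c2354f658582f7c870316dfce612cf7454720abe";
  # containerRev = "6139576a3ce6bb992e0f6c3022528ec233e45f00";
  # containerRev = "717cc95983cdc357bc347d70be20ced21f935843";
  # containerRev = "fbe252a5c21febbe920c025560cbd63b20e24f3b";
  # containerRev = "4dbdbee45728d8ce5788db6461aaaa89d98081f0"; # latest

  # Host directory for atticd state (the sqlite database lives here);
  # it is mounted at containerPath inside the container.
  baseDir = "/var/lib/atticd";
  containerPath = "/data";
  # Where the rendered server.toml is visible inside the container.
  configPath = "${containerPath}/server.toml";
  usr = "attic";
  # The unit that runs the server.  Every sops secret and the path watcher
  # refer to this single name so a switch between the container and the
  # native service only needs to be made here.
  # svc = "atticd.service";
  svc = "podman-attic.service";
  # Placeholders that sops-nix substitutes with secret values at activation,
  # so the secrets never end up in the nix store.
  p = config.sops.placeholder;
  # config.deets.attic.Port = 5000;
in {
  imports = [
    # ../../../modules/attic.nix
  ];

  sops = {
    # Rotating any of these restarts the container so it picks up the new value.
    secrets = {
      # owner = config.systemd.services.attic.serviceConfig.User;
      "attic/serverToken".restartUnits = [svc];
      "attic/api-endpoint".restartUnits = [svc];
      "attic/s3_region".restartUnits = [svc];
      "attic/s3_endpoint".restartUnits = [svc];
      "attic/s3_bucket".restartUnits = [svc];
      "attic/s3_key".restartUnits = [svc];
      "attic/s3_key_id".restartUnits = [svc];
    };
    templates = {
      # Environment-file form of the signing secret.  Only the (currently
      # commented-out) native services.atticd below would consume it; the
      # container reads the secret from atticConf instead.
      atticCreds = {
        content = ''
          ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="${p."attic/serverToken"}"
        '';
      };
      # Complete atticd configuration.  It contains the HS256 signing secret
      # and the S3 access keys, so it must reach the container only via the
      # sops-rendered path (config.sops.templates.atticConf.path), which is
      # what the volume mount below does.
      #
      # `listen` is bound to 0.0.0.0 inside the container's network
      # namespace; the host-side publication is restricted to loopback by
      # the `ports` entry of the container definition.
      atticConf = {
        content = ''
          listen = "0.0.0.0:5000"
          api-endpoint = "${p."attic/api-endpoint"}"
          [jwt.signing]
          token-hs256-secret-base64 = "${p."attic/serverToken"}"
          [database]
          url = "sqlite:///${containerPath}/server.db?mode=rwc"
          [storage]
          type = "s3"
          region = "${p."attic/s3_region"}"
          bucket = "${p."attic/s3_bucket"}"
          endpoint = "${p."attic/s3_endpoint"}"
          [storage.credentials]
          access_key_id = "${p."attic/s3_key_id"}"
          secret_access_key = "${p."attic/s3_key"}"
          [chunking]
          nar-size-threshold = 65536
          min-size = 16384
          avg-size = 65536
          max-size = 262144
          [compression]
          type = "zstd"
          # Compression level
          #level = 8
          [garbage-collection]
          interval = "12 hours"
          # Default retention period
          #
          # Zero (default) means time-based garbage-collection is
          # disabled by default. You can enable it on a per-cache basis.
          #default-retention-period = "6 months"
          default-retention-period = "6 months"
        '';
      };
    };
  };

  # ref: https://lgug2z.com/articles/deploying-a-cloudflare-r2-backed-nix-binary-cache-attic-on-fly-io/
  virtualisation.oci-containers.containers."attic" = {
    autoStart = true;
    image = "ghcr.io/zhaofengli/attic:${containerRev}";
    cmd = ["-f" "${configPath}" "--mode" "monolithic"];
    volumes = [
      # Persistent state (sqlite database).
      "${baseDir}:${containerPath}"
      # The rendered config is only read by atticd; mount it read-only so the
      # container cannot modify its own (secret-bearing) configuration.
      "${config.sops.templates.atticConf.path}:${configPath}:ro"
    ];
    # Published on the host's loopback interface only.
    ports = ["127.0.0.1:5000:5000"];
    environment = {
      # `usr` is already a string, so no toString is needed on the attribute path.
      PUID = toString config.users.users.${usr}.uid;
      # NOTE(review): this is spelled GUID rather than the more common PGID;
      # nothing in this module shows which name (if either) the image's
      # entrypoint reads — confirm against the image before relying on it.
      GUID = toString config.users.groups.${usr}.gid;
      TZ = "Europe/Vienna";
    };
  };

  # System user whose uid/gid are handed to the container above.
  users.users.attic = {
    group = usr;
    home = "/etc/" + usr;
    createHome = false;
    isSystemUser = true;
    extraGroups = ["users"];
    autoSubUidGidRange = true;
    #subUidRanges = [
    #  {
    #    count = 65535;
    #    startUid = 65536 * 30;
    #  }
    #];
  };
  users.groups.attic = {};

  # Native (non-container) alternative, currently disabled.
  #services.atticd = {
  #  enable = true;
  #  credentialsFile = config.sops.templates.atticCreds.path;
  #  settings.listen = "127.0.0.1:5000";
  #};

  # Restart the atticd container whenever a rendered template changes
  # (e.g. after a secret rotation re-renders server.toml).
  systemd.paths.attic = {
    pathConfig = {
      PathChanged = [
        config.sops.templates.atticCreds.path
        config.sops.templates.atticConf.path
      ];
      # Same unit the sops secrets restart; kept in one place via `svc`.
      Unit = svc;
    };
  };
}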