🚀 attic

kubernetes/apps/default/attic/apiserver/config/server.toml

@@ -0,0 +1,136 @@
+# Socket address to listen on
+listen = "[::]:8080"
+
+# Allowed `Host` headers
+#
+# This _must_ be configured for production use. If unconfigured or the
+# list is empty, all `Host` headers are allowed.
+allowed-hosts = []
+
+# The canonical API endpoint of this server
+#
+# This is the endpoint exposed to clients in `cache-config` responses.
+#
+# This _must_ be configured for production use. If not configured, the
+# API endpoint is synthesized from the client's `Host` header which may
+# be insecure.
+#
+# The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+# not `https://domain.tld/attic`).
+api-endpoint = "https://attic.${SECRET_CLUSTER_DOMAIN}/"
+
+# Whether to soft-delete caches
+#
+# If this is enabled, caches are soft-deleted instead of actually
+# removed from the database. Note that soft-deleted caches cannot
+# have their names reused as long as the original database records
+# are there.
+#soft-delete-caches = false
+
+# Whether to require fully uploading a NAR if it exists in the global cache.
+#
+# If set to false, simply knowing the NAR hash is enough for
+# an uploader to gain access to an existing NAR in the global
+# cache.
+#require-proof-of-possession = true
+
+# JWT signing token
+#
+# Set this to the Base64 encoding of some random data.
+# You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` environment
+# variable.
+# token-hs256-secret-base64 = ""
+
+# Database connection
+[database]
+# Connection URL
+#
+# For production use it's recommended to use PostgreSQL.
+# url = "postgresql://USERNAME:PASSWORD@YOUR_POSTGRESQL_URL:5432/DB_NAME"
+
+# Whether to enable sending on periodic heartbeat queries
+#
+# If enabled, a heartbeat query will be sent every minute
+#heartbeat = false
+
+# File storage configuration
+[storage]
+# Storage type
+#
+# Can be "local" or "s3".
+type = "s3"
+
+# ## Local storage
+
+# The directory to store all files under
+path = "/config/storage"
+
+# ## S3 Storage (set type to "s3" and uncomment below)
+
+# The AWS region
+region = "us-east-1"
+
+# The name of the bucket
+bucket = "attic"
+
+# Custom S3 endpoint
+#
+# Set this if you are using an S3-compatible object storage (e.g., Minio).
+endpoint = "https://minio.${SECRET_DOMAIN}:9000"
+
+# Credentials
+#
+# If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+# `AWS_SECRET_ACCESS_KEY` environment variables.
+#[storage.credentials]
+#  access_key_id = ""
+#  secret_access_key = ""
+
+# Data chunking
+#
+# Warning: If you change any of the values here, it will be
+# difficult to reuse existing chunks for newly-uploaded NARs
+# since the cutpoints will be different. As a result, the
+# deduplication ratio will suffer for a while after the change.
+[chunking]
+# The minimum NAR size to trigger chunking
+#
+# If 0, chunking is disabled entirely for newly-uploaded NARs.
+# If 1, all NARs are chunked.
+nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
+
+# The preferred minimum size of a chunk, in bytes
+min-size = 16384            # 16 KiB
+
+# The preferred average size of a chunk, in bytes
+avg-size = 65536            # 64 KiB
+
+# The preferred maximum size of a chunk, in bytes
+max-size = 262144           # 256 KiB
+
+# Compression
+[compression]
+# Compression type
+#
+# Can be "none", "brotli", "zstd", or "xz"
+type = "zstd"
+
+# Compression level
+#level = 8
+
+# Garbage collection
+[garbage-collection]
+# The frequency to run garbage collection at
+#
+# By default it's 12 hours. You can use natural language
+# to specify the interval, like "1 day".
+#
+# If zero, automatic garbage collection is disabled, but
+# it can still be run manually with `atticd --mode garbage-collector-once`.
+interval = "12 hours"
+
+# Default retention period
+#
+# Zero (default) means time-based garbage-collection is
+# disabled by default. You can enable it on a per-cache basis.
+default-retention-period = "3 months"

kubernetes/apps/default/attic/apiserver/externalsecret.yaml

@@ -0,0 +1,33 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: attic
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: attic-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        # App
+        ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64: "{{ .ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 }}"
+        ATTIC_SERVER_DATABASE_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local:5432/attic"
+        AWS_ACCESS_KEY_ID: "{{ .ATTIC_AWS_ACCESS_KEY_ID }}"
+        AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}"
+        # Postgres Init
+        INIT_POSTGRES_DBNAME: attic
+        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
+        INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
+        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: attic
+    - extract:
+        key: cloudnative-pg

kubernetes/apps/default/attic/apiserver/gatus.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: attic-gatus-ep
+  namespace: default
+  labels:
+    gatus.io/enabled: "true"
+data:
+  config.yaml: |
+    endpoints:
+      - name: attic
+        group: external
+        url: https://nix-cache.${SECRET_CLUSTER_DOMAIN}
+        interval: 1m
+        client:
+          dns-resolver: tcp://1.1.1.1:53
+          insecure: true
+        conditions:
+          - "[STATUS] == 200"
+        alerts:
+          - type: pushover

kubernetes/apps/default/attic/apiserver/helmrelease.yaml

@@ -0,0 +1,103 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app attic-apiserver
+  namespace: default
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    initContainers:
+      01-init-db:
+        image: ghcr.io/auricom/postgres-init:15.4
+        imagePullPolicy: IfNotPresent
+        envFrom: &envFrom
+          - secretRef:
+              name: &secret attic-secret
+    controller:
+      replicas: 2
+      strategy: RollingUpdate
+      annotations:
+        configmap.reloader.stakater.com/reload: &configMap attic-configmap
+        secret.reloader.stakater.com/reload: *secret
+    image:
+      repository: ghcr.io/zhaofengli/attic
+      tag: latest@sha256:06d9ca943cfe38ef954cbe2dd453dac0788f55661f84c31254a3a8044aa3100f
+    args: ["-f", "/config/server.toml", "--mode", "api-server" ]
+    envFrom: *envFrom
+    service:
+      main:
+        ports:
+          http:
+            port: &port 8080
+    probes:
+      liveness: &probes
+        enabled: true
+        custom: true
+        spec:
+          httpGet:
+            path: /
+            port: *port
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 1
+          failureThreshold: 3
+      readiness: *probes
+      startup:
+        enabled: false
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: nginx
+        annotations:
+          # external-dns.home.arpa/enabled: "true"
+          hajimari.io/enable: "false"
+        hosts:
+          - host: &host nix-cache.${SECRET_CLUSTER_DOMAIN}
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      config:
+        enabled: true
+        type: configMap
+        name: *configMap
+        subPath: server.toml
+        mountPath: /config/server.toml
+        readOnly: false
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: *app
+    resources:
+      requests:
+        cpu: 50m
+        memory: 200Mi
+      limits:
+        memory: 1Gi

kubernetes/apps/default/attic/apiserver/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./externalsecret.yaml
+  - ./gatus.yaml
+  - ./helmrelease.yaml
+configMapGenerator:
+  - name: attic-configmap
+    files:
+      - ./config/server.toml
+generatorOptions:
+  disableNameSuffixHash: true

kubernetes/apps/default/attic/apiserver/readme.md

@@ -0,0 +1,65 @@
+# Attic
+
+## S3 Configuration
+
+1. Create `~/.mc/config.json`
+
+   ```json
+   {
+     "version": "10",
+     "aliases": {
+       "minio": {
+         "url": "https://s3.<domain>",
+         "accessKey": "<access-key>",
+         "secretKey": "<secret-key>",
+         "api": "S3v4",
+         "path": "auto"
+       }
+     }
+   }
+   ```
+
+2. Create the attic user and password
+
+   ```sh
+   mc admin user add minio attic <super-secret-password>
+   ```
+
+3. Create the attic bucket
+
+   ```sh
+   mc mb minio/attic
+   ```
+
+4. Create `attic-user-policy.json`
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Action": [
+           "s3:ListBucket",
+           "s3:PutObject",
+           "s3:GetObject",
+           "s3:DeleteObject"
+         ],
+         "Effect": "Allow",
+         "Resource": ["arn:aws:s3:::attic/*", "arn:aws:s3:::attic"],
+         "Sid": ""
+       }
+     ]
+   }
+   ```
+
+5. Apply the bucket policies
+
+    ```sh
+    mc admin policy create minio attic-private attic-user-policy.json
+    ```
+
+6. Associate private policy with the user
+
+    ```sh
+    mc admin policy set minio attic-private user=attic
+    ```

kubernetes/apps/default/attic/garbage-collector/helmrelease.yaml

@@ -0,0 +1,73 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app attic-garbage-collector
+  namespace: default
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controller:
+      replicas: 1
+      strategy: Recreate
+      annotations:
+        configmap.reloader.stakater.com/reload: &configMap attic-configmap
+        secret.reloader.stakater.com/reload: &secret attic-secret
+    image:
+      repository: ghcr.io/zhaofengli/attic
+      tag: latest@sha256:06d9ca943cfe38ef954cbe2dd453dac0788f55661f84c31254a3a8044aa3100f
+    args: ["-f", "/config/server.toml", "--mode", "garbage-collector" ]
+    envFrom:
+      - secretRef:
+          name: *secret
+    service:
+      main:
+        ports:
+          http:
+            port: &port 8080
+    probes:
+      liveness: &probe
+        enabled: false
+      readiness: *probe
+      startup: *probe
+    persistence:
+      config:
+        enabled: true
+        type: configMap
+        name: *configMap
+        subPath: server.toml
+        mountPath: /config/server.toml
+        readOnly: false
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: *app
+    resources:
+      requests:
+        cpu: 50m
+        memory: 200Mi
+      limits:
+        memory: 1Gi

kubernetes/apps/default/attic/garbage-collector/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml

kubernetes/apps/default/attic/ks.yaml

@@ -0,0 +1,51 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-attic-appiserver
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-cloudnative-pg-cluster
+    - name: cluster-apps-external-secrets-stores
+  path: ./kubernetes/apps/default/attic/apiserver
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: attic-apiserver
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-attic-garbage-collector
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-attic-appiserver
+  path: ./kubernetes/apps/default/attic/garbage-collector
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: attic-garbage-collector
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m

kubernetes/apps/default/kustomization.yaml

@@ -6,6 +6,7 @@ resources:
   # Pre Flux-Kustomizations
   - ./namespace.yaml
   # Flux-Kustomizations
+  - ./attic/ks.yaml
   - ./authelia/ks.yaml
   - ./babybuddy/ks.yaml
   - ./bazarr/ks.yaml