Add atticd config

modules/nixos/services/atticd/default.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  namespace,
+  lib,
+  ...
+}:
+let
+  cfg = config.${namespace}.services.atticd;
+in
+{
+  options.${namespace}.services.atticd = {
+    enable = lib.mkEnableOption "atticd";
+    acmeCertName = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = ''
+        If set to a non-empty string, forces SSL with the supplied acme
+        certificate.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets.atticd.file = ../../../../secrets/atticd.age;
+    services.atticd = {
+      enable = true;
+      # ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64: The base64-encoded RSA PEM PKCS1 of the RS256 JWT secret. Generate it with openssl genrsa -traditional 4096 | base64 -w0.
+      # This file should have the following content:
+      #
+      # ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=secret
+      #
+      # The secret is a base64-encoded RSA PEM PKCS1 of the RS256 JWT secret. It
+      # can be generated with this command:
+      #
+      # openssl genrsa -traditional 4096 | base64 -w0
+      environmentFile = config.age.secrets.atticd.path;
+      settings = {
+        allowed_hosts = "attic.kilonull.com";
+        api_endpoint = "https://attic.kilonull.com/";
+        listen = "[::]:8080";
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts."attic.kilonull.com" = {
+        locations."/" = {
+          proxyPass = "http://localhost:8080";
+        }
+        // lib.optionalAttrs (cfg.acmeCertName != "") {
+          forceSSL = true;
+          useACMEHost = cfg.acmeCertName;
+        };
+      };
+    };
+  };
+}

secrets/atticd.age

@@ -0,0 +1,104 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHpCTERaZyBUdktL
+MDQvOGtBaUIrOFhxdG5iN202aW5PakcyYjZDQXliblhiWUVWTUJZCnR3bjlkcVQr
+cEVONURSRkJrZXNLSHhEdDBWeXIwUitwVGJMdVBoS0I5ZXcKLT4gc3NoLWVkMjU1
+MTkgUFpLZk9RIHZBem93VTE5aXBYNTRxaVJUREw3cXo5MzVGOHdIVmhrSDR5OHVo
+U2dSbk0KRURNSEZ5TXlzU09TNDNLRTJWMXFDSkpTeVMzbTJsdWxGVDc0TTBGOVBi
+awotPiBwaXYtcDI1NiBVSUVHemcgQXFOOVg0NkxiZjdmdkR4UmNwUDhnZTRZbTFs
+V0IyWXRNQ1Q5QTJRa0NweFIKR3ZUdDdsUHlHcjBhMlBZam4wMTVFZUxzdVRZVVpx
+ejR1OHhLMEVIUUlXQQotPiB2SChHM2xELWdyZWFzZSB9WiB2SDldIEo+YUkvNiBb
+PFYKZlIyWGpwQVNOT3lucmRCTTdjWUgrcVYvOGZJCi0tLSBwUEJ6M25wOVVoSENF
+a2oycWNZTlJQangvckI4THJ6eDNEYjhpSVQzVzlvCn/cvSXYNYJT+NkjOLx8mPnh
+FpPT8TwBTcHS5IRvzRlQsVTBHUCjjeWCwTh+GtesiAsFjvIMa5B0Krx0JDKlnRty
+UDCDtkX5PVb59Azg08qln06tn6TtvqnG/BHm4qRLDtSJouJYiLJeYgwi97Ms9BqX
++LoPIKfJjnJ2+dymWWLMAD9iZQSzg7W+m1mWMN7ARjwAPeUfWhwuMmkmYE4RB+Wu
+wpahkSIyx9+UCDCynUIw3PiTLahY6ltUPUf0ByIPqUjeid6JaND2nwBzWuhZq3Oq
+vwNVY8HcRHHD4HLnDIYccV92Xm7BnYJfBxK4MQV36X8RJ90I6t15+hsm+nHJX3WI
+0mYn2po6n2wYs2MXyFBWk0xkovkJJk0O7uGcGJcwe94roy8FD7hQT8h3hTUNYh3y
+PRoO3ih42Ffsw2fL2+UNaKqFEqVxrTy313PK8SbONhquuVmSzBFOzSo2bA7cyA02
+ssJl+xV53xKBg34JxYMCjeaKGfV27eAe/+OzIBP8Ze4nK+y0hXDDvnpUNmn0qZDx
+iDkCM/+Bw9AlvWOsIVRoSSzngWUaBkiJndVgB2G2TidgUu6NmsdSYTzZLm31rdgB
+uosw/HLp6fmCeOi9DLdphuu2rPSBQcmhuuDgPXta+5STRkMN/oXrNWOm7Os7Imay
+iitbqCRjSGE6JnzWl2aS3ZiuymEe3+lc+xCs/EYnq/2zA2G+FJFq8s2L686RBD4L
+wSTB2u+G5phPP31PPRogr1fLDatDgcBSyn2qs8aquW53IZlFvtzusKmVU2B23aCa
+iX+DnAukcYrR7N/3eQYbPcf7MNgogi6UYuSpTeQW3/lu3OKW+qgkhEQNom9M0vy2
+SRi7E0je0RlrbpOFqOplla2VOe8VSP2SYydO023vt3SuDRLwAHKQNlBIsb0KTGLg
+qhYHYMBlEu6bppWPeUNrmHUrqZcMySJvpQW1i+OyWe7tDEIESetiGe6C6Cq9vR7h
+t7G6JPbWGZmG/gO5BTK/mgwLfn/AAEGpeGVU26tscdmTBRiFYf/7cc3394vTbpes
+Eol6cP7pukp1d1kp5gNlZrEZ6DL4BdSs1kaVJhTLYPNyJz+JUK1SEc9y33VhkeTO
+6smXk3OnBaKqBuF0d6Bt34IuxMuaZDeL6229rtRjY9wKyK/U+R6cWzL51prsv3gk
+afS/HVbul02DvwixBlOFVfOY97DiIK62lp41ImxIyy1ToGYs/446MlQAaw9Tm6lD
+6RloTCMS4qeLmAvO+hQzdX82pJWvTQajhtkMxi4KHlyxREbzIGniFqFmyQFaJnCC
+UAYyliMPkgsN5y+5gGdI46lN3/pp8jIbr59VnVPQVM1hpCbRwglDP+Bu4G95jlmI
+Iv0Izjk88tKJ8qmKFgvvWZRp7L0X4/CJTCwub/+gSQ0IxmRD4d8wDfMbtad8vbl6
+t8h2C7CyZXR/ZpKuV5vVDtK++w/mJvi4MTgYY6B11AM0C25qVNV4AIYKnSKqn5mK
+zkGEiSvnjAvxmLCMAm/diNG+l4R7HS0LA4oGemEWq2ts6EuDi+Tbyy2oMNFHtkTj
+aIRi64S36Q8TRDUsGAzfXeySIdWl1gglmuJJKbFglo60bjX22jTSUJhDgncUX7ae
+DyUqb1cXYnvWyiwQH8EsIZo59SaZYhAfyVN44uvqGxuN+NV6gVmb/MzVVycqWPFU
+VDXwfzgQBJaVO0SNFumNANnGYY4Nf7yK5w/TmsrwDMWeUbrHqIXAHtYGX+1UEFKe
+4zx1dTeO8hbexf/uEhAgbFos4QEMJ2WhwtAvzT1VITbdVNus6zM/RC6OV4TTigMA
+RpZfXiw3L3FMxB7PObOeLJ7UVZSMzOMMRt6apzYOScrwV1WqBvryzE/rxZCHkpDw
+yxRgghD/UnpvwhdY4GQ2BhPUCqD/YYqShLNoFGbAzylaR1BMWUPsawb3KPlaN2/x
+y3+9RcztzwjgDvxk4XVLQhLunBD6HnKwpFyCGDW97DkG85knmv48J7Mw+uY2pfte
+hCc3/oLwNxFFyjW7S3F+w4cBlLRxwtvIq1TfZ14q/dgUcgFqIDSUCEOy3NoBzxDc
+k9eoYTPYXStDFRkNsEwCYqBtqDeUFO8GefMOeE/xC9O2SHjw746BaYz2crDZHqo6
+UewVQrNKk2ofrNliv7qPB410XxdKJ9lwn54sAIzbfplTVjd+vnixRs93ISZYrglP
++8iQB8v1JVuBXNQV8/F3RXBQFZrZ4frtLO6usT/mOxUyhOltJLrH/rcyshKIuxGY
+ATf2SmT5g4ejXhI0fauTHc6yJ4h7XhKgpDysPDxTxOORPzv0H14IDcLitpgsCLh8
+EtGNfMNc/iNrjDj0ydZ3pgURpXHYPFlliTesMK+pA26LQahG+x4UwF0IIxNUUdL2
+xWgrGuif1nqknd4/p1STtaASHNt8I95eDR49aHlozK3D+Yh179+RNHoMJsy58LaU
+Nq7Cx6iimp3LJRsVMqH8khNH3DsVPhHbJFBUeEt0HYzCh4KAe0qJLrLa8Oc975N6
+CzyworGfParm+/edX3JtEenLdzSjdy4xMnySoKVKJpjfjYDo6GGQ1qGnucCWrd3m
+zvqm60kbnWRnSFGVA6oLBvUcKmTOaK+FjCICCuodD9UwvQZuDoxDsRBa8AzBPu4m
+vka4If1uYZUAtefUG2oQASBV9atFpEbQ+sbvI65bBTALMmZzBcF6MW6P6TxZSQkw
+bd1ELgwN1hYQhTFpPwQKMwPfGhYitW2gIeE+cXp0Wi4fKk8Wg2pF3pHftOhUSAg5
+2qbeF8ovlv3APZbTPdlZVuqg993zRgetutoDxvdSCBBp1mvuURUp/Vr2ZijRDZFs
+NnbwcTUCLEPZ/gSgw17XE+ZyYo5L9OJrX6zmRxL88Kxz7dqyN3Yq4WMIdHDDRxFZ
+BEYjGXuekehf3cRtkHytkbEM2m6ACdvHBAsvCpl8Lj2mmMcYy4A88oLUatAgNIzd
+4hb1chaCNePuKRwP7rW7PDJ/8ieiUfG8OiL/blUfVJnDBuHX5PWvYeAiZN4rLm/2
+s1fenVnjzPewVO8flDu8q5/J8msbF+FnSoxqwRE+Uu6Zny5XWSp0ltbKIr1/4Qcw
+mqUu076h5n9abj8P6RYAqn1sZabvXWrkNSA2OqYgnhFT7NYAXZtw1AMxWohOJ8Wq
+q+pjqj9Ci8FBBlwzMLxLuBefmD0Nn4CLWLDTIW7Ee0aDxY50ruM4eF3173jik1LB
+/6wIalfA+M7W4BTGYZk+RkmXHH7CS4mWOepkCmLxdJnltyJBKAPEbjd49OVIwV7R
+Pwp+HkwaKoZxZMhV9sqfLfXBXG1zIDdngp+JgPzdkK38rqiGz2niijqcg3NObOFV
+hPduSyoGbY/hARSwrQwa1QX1YYpv28kjnSzVmsACs5h03xCBQgJIgfPnV1Kv8I5S
+vTLYwNa57hw4f6Td2WljZuwuoAy6ee3her9ArXDr68m02KBjo0GB/gRtPH/ekqbJ
+bpRHNblAXCyfSzIHNZE4Md4iHtZk5/TAqj1AjVnXVrSAwkgMRLLeC+NAcg6N+Vfd
+oLLWeHOBs/kS0bQd+Uo3hkrS6gkFyqbKoC9B1Hh0TA809Ut/gyyAg01mjstWHsfN
+sALvcA9eETOzSw/WoFPxOmpfwuDXBybg/8yXpw3mgNCNDlTZG7M1ZfwStOlZRU58
+gwMeHKh+/oc8VjZWh93F2Xy7paTva7pXpHn84n7nN81jFbPsIhC+GWq0O3hHQaha
++9OgxsThOPcor9mE+HLIk3eL+v89DmS33Cubim1YPxVxFmX8w4VxXaHrU4TC3/iy
+uVhNfoysjX92w503UhUp0pZaOQHuqihpePbEnQMpHr7UEtYq5WXTq+8wQj6xuakY
+FOShK8yvK9RQUTYA5mIoWGRc8z10YTJHagOrQIzp7/WDQHkNIdlMaOnJ7NIq2w19
+vily7S+EcGdf3rPr+H6rE8sq++9ziNQsdnuz4BCcopybdyRdQ08qd1Ok1j1/Hdqj
+aDOLk54Ue1FzQPQh3rcFxWCEk5uRSePHdJI0WNGm+5ji4ME3hv8lWYR0B+PrSD8f
+AmnYRWVzPwzXSDGr9YtiNVezPN9PCSedKBgfhOP0qkxk5lSeFQMpHM+Glmi6SXFw
+i720L3QpLGjQSqD66P1EKErWCVnIBV4nr7dRxKzPMRMdEKZ5MV/c0VGqewrH3q1P
+rs41OFplzz4pMOUngFglayItcmD9FqQab4bGImK7/4ft3W0nZIUmYEPQyoGfNvh+
+qKSO3dBM2wsw8LFMeLzHAoBT+2YfSv6FBRCeFdBQH3ABRqXFcGOgj/oaQp6Qb84r
+v2kCi9BodXD0SWpkMadtW0XWYRkhI90xTsgDTuFdta6QpxjQMt+9Hrcm0Lu+tUG8
+slCQND3+Inq8bfRiEEdKTgTbagzD/SiUOxWeTh2qolIXjaJa1OKf7HSXdFYUH32n
+hSwhPcFnYSdE3q8MaYZD915SjqhlirvVhSSsfz66ME62EotDPNLePplCaVs1wjpI
+6hTUoWJqEvuPN6oz80RurQAeKT+LC1iGRkfIK43RmZ+wk5VhsRUiu/fP2nhqAZmf
+GhmnzOCDt9x1g9STyTXDDLH/wDQqKSFTGbZpbatIo4oA1XkxH3F6BcYSf1ynQ/5J
+Fe+jPD9B/3Q+tdEspXw88MReVEu9kC72gop6psE7i4pQgCIpWnQetEhMSKYY1bOW
+WDR6H0oMYXiNmWRZ193je0S+xM00I+IBO6c6hg5dqyOxl+D0hztKpAOqxM8lohmV
+IH8RmJpAEr6Q4T4s6W0zxFEokL319wlKsTDCvAsEC2RiZREecZhKdOdX0M9yvtq+
+RABjcB4kdx3XF02cEcdrO9auRCXXMNFe7bgBgO0bKU1dwRXZ3EtiVx7/gxhzZ9lH
+NXstrAvZeDGPFk41uj5gaprJqtoQ92fonycFBpbdV7/uUN6cysyjQRN+FLboNjPa
+CvtbK5KTWTMQM1nZlHUa7kkke38GtLjKeZaPPuvPw2eSFBTg3gFvK0wd22uoBSHE
+mUy6mrHJiJ9UVvP+5EWcuFTURes/xv6WZYjPwbAVwGh+aj1t5qMtCZaA0j7yvi8C
+dwUQDUtqRWuwdmGouZG5ooAs8F82FsX8Sl69SFdwIrwoi/zOSj2XgHLKbu/T9Iiv
+Hr387XDxWYL3k2iaopRIEGSgurOAEalcvee173I6/Nw5NuA2ICB6wpBdKKgbxUhz
+dyueYz9DIGGr53iHPbBJlOcxGAFRQLQ07tA7BqtZwHpnGNoF32b114einU7ncgSr
+efTa9CEHRk5Uc02xJa1ZZK4XmFC+b6QKu1DBloPeXE1ohSry8JxO92wwBrAelGbj
+6wp1Thva/ql+HVnZUOwPS6GrDYltUXNt5DqJP3mEOsuf4b6Lji/1fsmFApX/pRvA
+tB/F22KMkTPVkH1WDSd15C+WAX/CkB+Gn27s5YLY99LFeRHoc4ICDUwnslZilFsz
+mP34qb6l5oB6QoHoNmO6Ypkr10FQUS4b+p4BHKSXMDJR0n055p5qqiyprq/nDy8w
+T7IApT76h6xkpLIJjklUHliWGlku5SjTLQaQRNAoZjFfCNDH0P7zrngcs2R9QY46
+oQC1uI3bdEftMGsZ3Djx8M56Z2RUbAgOuYgBdFYUv1BwJZs22/6ePs1JgdikENNt
+vCmlSl9URoUbFcghNKC5J8Niksd8Zn9ozf2xXgpcOsRuElvUO23opv+Hvur+ft5/
+FV4WYj26jOeAagF1Cj6se59MX3VqerTywEC+bKzQeol7wBGiZGRM+errNF0eMf6W
+4x8szh1liYv95p/4dTqSt70bctr+yZi2RjFnBYR+NdIaBgmkSHPBzWpyffUcXAnB
+6Dx29T5rSMwR8GXX3w==
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -13,6 +13,11 @@ let
   };
 in
 {
+  "atticd.age".publicKeys = [
+    users.me
+    machines.gospel
+    tmp
+  ];
   "cf_dns_kilonull.age".publicKeys = [
     users.me
     machines.node

systems/x86_64-linux/gospel/default.nix

@@ -33,6 +33,10 @@
       dnsCredentialsFile = config.age.secrets.cf_dns_kilonull.path;
     };
 
+    services.atticd = {
+      enable = true;
+      acmeCertName = "attic.kilonull.com";
+    };
     services.openssh.enable = true;
     services.printing.enable = true;
     services.tailscale = {