lol

lib/network/default.nix

@@ -99,6 +99,7 @@
       # ---- pi5 services --------------------------------------------------
       pi5 = {
         adguard = 3000;
+        attic = 9012;
         nebula = 4242;
         dns = 53;
       };

systems/aarch64-linux/pi5/default.nix

@@ -107,6 +107,14 @@ in
     # ###################################################
 
     services = {
+      attic = {
+        enable = true;
+        port = net.ports.pi5.attic;
+        listenAddress = "[::]";
+        environmentFile = "/run/secrets/pi5/attic-key";
+        configDir = "/mnt/attic-store";
+      };
+
       nebula = {
         enable = true;
         isLighthouse = true;
@@ -153,7 +161,10 @@ in
       firewall = {
         enable = true;
         allowPing = true;
-        allowedTCPPorts = [ 53 ];
+        allowedTCPPorts = [
+          53
+          net.ports.pi5.attic
+        ];
         allowedUDPPorts = [ 53 ];
       };
       networkmanager.profiles = {
@@ -169,6 +180,16 @@ in
   # #                  FileSystems                  # #
   # ###################################################
 
+  fileSystems."/mnt/attic-store" = {
+    device = "/dev/disk/by-uuid/E81DBFCC-066E-46A3-8018-AA3BF4573074";
+    fsType = "xfs";
+    options = [
+      "defaults"
+      "noatime"
+      "nofail"
+    ];
+  };
+
   boot.supportedFilesystems = [ "bcachefs" ];
 
   programs.seahorse.enable = false;

systems/aarch64-linux/pi5/sops.nix

@@ -9,6 +9,16 @@ in
     # Secrets
     # ------------------------------
     secrets = {
+      # ------------------------------
+      # Attic
+      # ------------------------------
+      "pi5/attic-key" = {
+        sopsFile = defaultSops;
+        mode = "0400";
+        owner = "atticd";
+        restartUnits = [ "atticd.service" ];
+      };
+
       # ------------------------------
       # SSH keys
       # ------------------------------