Rebase to flake parts #11

modules/hosts/nix-server/_services/attic-cache-server.nix

@@ -1,4 +1,5 @@
-{ config, ... }: {
+{ config, lib, ... }:
+{
   sops = {
     templates."atticd.env" = {
       owner = "root";
@@ -17,14 +18,48 @@
     mode = "0400";
   };
 
+  # SQLite on disk was the main source of random multi-minute stalls (see attic#113).
+  # NAR blobs stay in /var/lib/atticd/storage; only metadata moves to Postgres.
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "atticd" ];
+    ensureUsers = [
+      {
+        name = "atticd";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
   services.atticd = {
     enable = true;
     environmentFile = config.sops.templates."atticd.env".path;
     settings = {
-      listen = "[::]:8080";
+      listen = "0.0.0.0:8080";
       jwt = { };
+      # Use a libpq socket URI format accepted by Attic's parser.
+      database.url = "postgresql:///atticd?host=/run/postgresql&user=atticd";
+      chunking = {
+        nar-size-threshold = 65536;
+        min-size = 16384;
+        avg-size = 65536;
+        max-size = 262144;
+      };
+      storage = {
+        type = "local";
+        path = "/var/lib/atticd/storage";
+      };
+    };
+  };
+
+  systemd.services.atticd = {
+    serviceConfig = {
+      Restart = lib.mkForce "always";
+      RestartSec = lib.mkForce 5;
+      # Large closures; default limits can wedge uploads under load.
+      LimitNOFILE = 1048576;
     };
   };
 
   chiasson.system.networking.firewall.allowedTCPPorts = [ 8080 ];
-}
+}

modules/hosts/nix-server/_services/jellyfin.nix

@@ -53,7 +53,7 @@
   # not writable by uid jellyfin (it only had group `jellyfin`), so deletes fail.
   systemd.services.jellyfin.serviceConfig = {
     SupplementaryGroups = [ "media" ];
-    # Jellyfin libraries on NFS (e.g. /mnt/media, /mnt/nixdesk-jellyfin). PrivateUsers breaks
+    # Jellyfin libraries on NFS (e.g. /mnt/nixdesk-jellyfin). PrivateUsers breaks
     # uid mapping for NFS auth in practice; disable so metadata writes use the real jellyfin uid
     # (squashed to olivier:nfsmedia on nixdesk exports).
     PrivateUsers = lib.mkForce false;

modules/hosts/nix-server/_services/nixdesk-nfs-client.nix

@@ -28,13 +28,7 @@ let
 in
 {
   fileSystems."/mnt/nixdesk-jellyfin" = {
-    device = "${nfsExportHost}:/mnt/test/jellyfin";
-    fsType = "nfs";
-    options = nfsClientOpts;
-  };
-
-  fileSystems."/mnt/media" = {
-    device = "${nfsExportHost}:/mnt/media";
+    device = "${nfsExportHost}:/mnt/deep/jellyfin";
     fsType = "nfs";
     options = nfsClientOpts;
   };