From 15b507904fb24a0b3f37e6e6ebd4da7ea1e62de2 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 24 Aug 2024 21:48:48 +0200
Subject: [PATCH] garage: init buckets.pub.solar, use nginx as reverse proxy
https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/
---
hosts/default.nix | 3 ++
modules/garage/default.nix | 61 +++++++++++++++++++++++++++++++++
secrets/acme-namecheap-env.age | Bin 0 -> 2700 bytes
secrets/secrets.nix | 2 ++
terraform/dns.tf | 45 ++++++++++++++++++++++++
5 files changed, 111 insertions(+)
create mode 100644 secrets/acme-namecheap-env.age
diff --git a/hosts/default.nix b/hosts/default.nix
index 0d7fa471..a9e0b5ac 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -100,6 +100,7 @@
 #self.nixosModules.promtail
 self.nixosModules.garage
+ self.nixosModules.nginx
 ];
 };
@@ -116,6 +117,7 @@
 #self.nixosModules.promtail
 self.nixosModules.garage
+ self.nixosModules.nginx
 ];
 };
@@ -132,6 +134,7 @@
 #self.nixosModules.promtail
 self.nixosModules.garage
+ self.nixosModules.nginx
 ];
 };
 };
diff --git a/modules/garage/default.nix b/modules/garage/default.nix
index 0ee39d42..21c7ca7b 100644
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@@ -16,12 +16,73 @@
 mode = "400";
 };
+ age.secrets."acme-namecheap-env" = {
+ file = "${flake.self}/secrets/acme-namecheap-env.age";
+ mode = "400";
+ };
+
 networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ];
+ security.acme = {
+ defaults = {
+ environmentFile = config.age.secrets.acme-namecheap-env.path;
+ };
+ certs = {
+ # Wildcard certificate gets created automatically
+ "buckets.${config.pub-solar-os.networking.domain}" = {
+ # disable http challenge
+ webroot = null;
+ # enable dns challenge
+ dnsProvider = "namecheap";
+ dnsPropagationCheck = false;
+ };
+ # Wildcard certificate gets created automatically
+ "web.${config.pub-solar-os.networking.domain}" = {
+ # disable http challenge
+ webroot = null;
+ # enable dns challenge
+ dnsProvider = "namecheap";
+ dnsPropagationCheck = false;
+ };
+ };
+ };
+
+ services.nginx = {
+ upstreams.s3_backend.servers = {
+ "[::1]:3900" = { };
+ };
+ upstreams.web_backend.servers = {
+ "[::1]:3902" = { };
+ };
+ virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
+ serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"];
+
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://s3_backend";
+ extraConfig = ''
+ proxy_max_temp_file_size 0;
+ '';
+ };
+ };
+ virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
+ serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"];
+
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://web_backend";
+ };
+ };
+ };
+
 services.garage = {
 enable = true;
 package = pkgs.garage_1_0_0;
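Review bot: Both `locations."/"` blocks proxy to the upstreams without forwarding the Host header, so unless the imported nginx module enables `recommendedProxySettings`, Garage receives `Host: s3_backend` / `Host: web_backend` and cannot route vhost-style bucket names or web-endpoint domains, which defeats the `*.buckets.` and `*.web.` serverAliases added here. The hunk copies `proxy_max_temp_file_size 0;` but not a body-size override, so the vhosts inherit the NixOS default `clientMaxBodySize = "10m"` and larger S3 PUTs or multipart parts are rejected with 413 by nginx before reaching Garage; `recommendedProxySettings = true;` and `clientMaxBodySize = "0";` under `services.nginx` (or `proxy_set_header Host $host; client_max_body_size 0;` next to the existing extraConfig line) covers both. With TLS now terminated by nginx, the context line `networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ];` still exposes the plaintext S3 and web API ports; the Garage bind addresses are below this hunk, but binding `s3_api.api_bind_addr` and `s3_web.bind_addr` to `[::1]` and leaving only 3901 (RPC) open would remove that bypass of the TLS front end. A one-line comment on `dnsPropagationCheck = false;` explaining why the check is disabled would also help the next reader.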
diff --git a/secrets/acme-namecheap-env.age b/secrets/acme-namecheap-env.age new file mode 100644 index 0000000000000000000000000000000000000000..a09e587497125f91dbbfc33c4194b0f2351f286d GIT binary patch literal 2700 zcmZXW$?N=f8OQY+z34>`B3~4t8h&Qqz=ce<$v)W^5lk|Z%w#gzGg%Hj2zpWQAbL{t z9}p?tL&_L5JDP^bAVQ4Ib99`N zGczQ%$39Ox9SB{YpUymmYUgu%O3f=Xi26aE(cxTJhc2<;$VbMjB1V#iu9gKHYm9^S zs*yU1vqdB0+m&9Z5Nx8hA!)sA%sjv`3&KJ8dD;|ZyfHs%Q0!fq)1fnD&x&sj?_8$X zy!8`IiM1mcs0{Bo$PB1`0q7bY6ir{-FnL3+^AJMk;zGk31tn-p8EkP=)QKs}C>GwQ z^+WQM6Yjn#fHtrUblac7@KT65v*|2uQwWP8I74j51Z;y7e?HrOPDJ_SQ->=fIjcJ8 z#$!y6BNC9hR)keex^<1ZHfN_tPiaASt2UfkyQoxN4G+t7onUAgFg5TL2A()Pa|SJz z1u@+KwQ+2F@GiMc4H&AD$)IX%EQX_g%3E|&d#jaCdJ)`@VK=%-(4S9Xr@E zy0%kK)~jq7*FyC5y*e^1or|uEiA5iPZggaAY-~45OcTdHMp|l+A--&M2+TR?9>?=G zS0}#Ac?Lx-q8=swBqV|ZLb+Ys_?ko(+e#;=zMGdA!LGI;%7$`BFrD+poX`(^PHIXh>Eyn;FCErWlSjk3C;>k22CZ4oDK4L{_d24E zw7^t{`cQ1*QBJ5R@Q;CO?KeU_+AE$4P{ZcV;aV#;uYy7YZ0&LrWX^2hFr3@C0#Ceo zo$eKdMRCt2PP{*KWgjyw^FboKr{k;0J1`66Y2J$cXmofoGgy7N`BnM!R;oGIqjFQO~!j0Rd%L?cNkVO z$JV^$1$2pG9HRgn|7LDbaySCRzZCs zjij)T9F+mY6=|ULGJ>Yt!K5f-l8Ul019SVJOzso7Zb4thC*+iro!G;ijmj_12vO$ndI<^Od2*y>q}66Dj}-VTrG zXM5_f2Up$<>M15dzSOl|`%qc&$MxWHL%GP=$} zds*n&J1;}l6|r=dGg*9iFZ(}WZCwXl9<26wV?`vi9eN%zxYt13gI73Rh=}!xEz)W$ zQ0Y@FGhql+RR=x_5AJ*=_L_|q=GlVuWhSS1+K)LyGCpw>EJJ1H_j~63|3M@==1@G{ z`XC?=M^=%U#I+s{%N+>ZVh77)L8^CTwI3F=hqVp%fJ2ozAj$}66dxOtu}U9AXE%%0 zhcje}i4?IR?j6)!dHH$TW$%+1`^4PYd2KX5kr2MzS^nTl9JvgLa@&T7h}C-E#s}R@ z@NxjW*@uiswwhIhS3@Bh&kt#(CvRcHI5V#C)`}o`yT7X(&pIq-#KMRtgT6Z%8^eaod85+xoE%mz)jW)(l81g}D(N z#Da+pn@X_Jaj#N>N8?~#SP;!^;EHmpVGla+?Afy?g>$!+%#%s2aPe-Sr!(21SZ(7C zOK~Ls=;~|XY;+`%5%A&H-=JRm=)Ye0$cx`n_1FKbena2C{K8wW{&@b!PhWcb#m{_4 z|Nc8)`s?@J`Rc#l{9*a`x4!u`{?+KWANt29|MY9;wNL!urFTEy{`{4{eT@6(ACX^u x_ZPnjm%qIE_Ag)Qzx}h9Z-4#rPrmT(f9}WMf9lg;|HJ1#{>G2s*FO8Z{{oXdeO>?n literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 686345a9..94073752 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -100,4 +100,6 @@ in
 # garage
 "garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys;
 "garage-admin-token.age".publicKeys = garageKeys ++ adminKeys;
+
+ "acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys;
 }
diff --git a/terraform/dns.tf b/terraform/dns.tf
index f30dee1b..70d9f156 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -99,6 +99,51 @@ resource "namecheap_domain_records" "pub-solar" {
 type = "A"
 address = "80.71.153.210"
 }
+ record {
+ hostname = "buckets"
+ type = "A"
+ address = "85.215.152.22"
+ }
+ record {
+ hostname = "buckets"
+ type = "A"
+ address = "5.255.119.132"
+ }
+ record {
+ hostname = "buckets"
+ type = "A"
+ address = "194.13.83.205"
+ }
+ record {
+ hostname = "buckets"
+ type = "AAAA"
+ address = "2a01:239:35d:f500::1"
+ }
+ record {
+ hostname = "buckets"
+ type = "AAAA"
+ address = "2a04:52c0:124:9d8c::2"
+ }
+ record {
+ hostname = "buckets"
+ type = "AAAA"
+ address = "2a03:4000:43:24e::1"
+ }
+ record {
+ hostname = "*.buckets"
+ type = "CNAME"
+ address = "buckets.pub.solar."
+ }
+ record {
+ hostname = "web"
+ type = "CNAME"
+ address = "buckets.pub.solar."
+ }
+ record {
+ hostname = "*.web"
+ type = "CNAME"
+ address = "buckets.pub.solar."
+ }
 record {
 hostname = "tankstelle"
 type = "A"
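Review bot: `"acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys;` encrypts the Namecheap API credential to every key in `garageKeys`, and a Namecheap API key is account-wide rather than zone- or record-scoped, so each host that can decrypt it holds full control over the zone's DNS records, a much larger blast radius than the cluster-scoped RPC secret and admin token listed above it. That is hard to avoid while every Garage node runs its own ACME client, but it deserves a comment on the line so the difference is visible when hosts are added to `garageKeys`, e.g. `# account-wide DNS API credential: full zone control on every host in garageKeys`. If the reverse proxy ever moves to a subset of the nodes, this entry should follow it to a narrower key list.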