From 4a3d3ce84b7060b590227d9ed90077ce854725e5 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 24 Aug 2024 03:05:16 +0200
Subject: [PATCH] garage: init module
---
modules/garage/default.nix | 75 +++++++++++++++++++++++++++++++++
secrets/garage-admin-token.age | 47 +++++++++++++++++++++
secrets/garage-rpc-secret.age | Bin 0 -> 2686 bytes
secrets/secrets.nix | 9 ++++
4 files changed, 131 insertions(+)
create mode 100644 modules/garage/default.nix
create mode 100644 secrets/garage-admin-token.age
create mode 100644 secrets/garage-rpc-secret.age
diff --git a/modules/garage/default.nix b/modules/garage/default.nix
new file mode 100644
index 00000000..0ee39d42
--- /dev/null
+++ b/modules/garage/default.nix
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}:
+{
+ age.secrets."garage-rpc-secret" = {
+ file = "${flake.self}/secrets/garage-rpc-secret.age";
+ mode = "400";
+ };
+
+ age.secrets."garage-admin-token" = {
+ file = "${flake.self}/secrets/garage-admin-token.age";
+ mode = "400";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 3900
+ 3901
+ 3902
+ ];
+
+ services.garage = {
+ enable = true;
+ package = pkgs.garage_1_0_0;
+ settings = {
+ data_dir = "/var/lib/garage/data";
+ metadata_dir = "/var/lib/garage/meta";
+ db_engine = "lmdb";
+ replication_factor = 3;
+ compression_level = 2;
+ rpc_bind_addr = "[::]:3901";
+ s3_api = {
+ s3_region = "eu-central";
+ api_bind_addr = "[::]:3900";
+ root_domain = ".s3.${config.pub-solar-os.networking.domain}";
+ };
+ s3_web = {
+ bind_addr = "[::]:3902";
+ root_domain = ".web.${config.pub-solar-os.networking.domain}";
+ index = "index.html";
+ };
+ };
+ };
+
+ users.users.garage = {
+ isSystemUser = true;
+ home = "/var/lib/garage";
+ group = "garage";
+ };
+
+ users.groups.garage = { };
+
+ # Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix
+ # Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix
+ # for mounts + permissions to work
+ systemd.services.garage = {
+ serviceConfig = {
+ user = "garage";
+ group = "garage";
+ DynamicUser = false;
+ LoadCredential = [
+ "rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}"
+ "admin_token_path:${config.age.secrets.garage-admin-token.path}"
+ ];
+ Environment = [
+ "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
+ "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
+ "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
+ ];
+ };
+ };
+}
diff --git a/secrets/garage-admin-token.age b/secrets/garage-admin-token.age
new file mode 100644
index 00000000..a8ed9e99
--- /dev/null
+++ b/secrets/garage-admin-token.age
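Review bot: The `user = "garage"; group = "garage";` keys in `serviceConfig` are lowercase, but systemd directive names are case-sensitive and NixOS writes `serviceConfig` attributes into the unit file verbatim, so as far as I can tell they are emitted as `user=`/`group=`, ignored with an "Unknown key name" warning, and with `DynamicUser = false` and no `User=` set elsewhere (the nixpkgs module referenced in the comment is outside this hunk, but it does not appear to set one) the daemon would run as root with the loaded secrets and the whole data directory; the fix is `User = "garage"; Group = "garage";`. Once the service genuinely runs as `garage`, the files under `%d` that `LoadCredential` provides are already owned by that user and not world-readable, so `GARAGE_ALLOW_WORLD_READABLE_SECRETS=true` should not be necessary — it only switches off Garage's own permission check on the secret files and should be dropped, or its reason recorded in a comment if it is still needed. Separately, `networking.firewall.allowedTCPPorts` opens the RPC port 3901 (bound on `[::]`) on every interface; Garage RPC is protected only by the shared rpc_secret, so consider restricting it to the cluster-facing interface via `networking.firewall.interfaces.<iface>.allowedTCPPorts` and leaving only 3900/3902 public.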
@@ -0,0 +1,47 @@ +age-encryption.org/v1 +-> ssh-ed25519 NID4eA MqbdKdPSNLU32j+ZFTT1bmSFk4ZQowSuYcuP/FRtKgs +m0UaJclORGOrQDLIvdIv4Aq4U3XNOet9CzU8pX/pGsI +-> ssh-ed25519 9RQHxg WyTt2Lqd2mRtwsx2PLajmk68IB1yP0DkgXR/xfIMERM +4JaJ+DB97XxOuI2G/qnk+NX8Xv1ruY28NPRl7aUPWEc +-> ssh-ed25519 eP5MMw HUf/aXRbaIEjQFdWpo8vWtNSqzYcQKaNKJ7y+ewMVz0 +6IcRiPufkMLjOV5mSaOBclPmFDVKII/8mqGN7jmfkYk +-> ssh-ed25519 uYcDNw gHg0z1q+4AGZtuMzbV1dZjWojmYNE0JO1ZhMnGqAbR0 +sFE6mIV3ZgRMlsuHFltkC4M+aAhEDzVQQ3rkgiR5GSY +-> ssh-rsa f5THog +BFJZWIMurARpA6XJMlxnDYFUTGCX5gEb6IycqUQbIdu9+91mpDR3WxlJYLLZC3vD +j7e5xFvr4bOXQg56N59k4AD5CnC7CoZld/PqGtP5JqUcoXPFHgq95GzfiuTLedkZ +esPsPvXfdeyqfzcdMhxTz8pO0RRPUk9Xc2wnvHrDyeNO0vS5N+bMsNMvFfRaMZTi +xV2Xl98VFl90+gzuPACN0zpfoEqajcJhPtMqoaOjOzD7sGaAz5UYLAIyOHdh3t9w +DwVorUheXKLqq1kxZRZ5QCC7N+TCbi7x6B5xCezz9hF2vXkzunDh/d7maQG34AXJ +x1sQ4R9dXn778j14RqBBNbsFPDg8WIS4Zs+ypdqev8w+aOhZkcDf5unKQJLdeu3N +W+IUJTN5zFObMX0TXtj0yI7xUSkZKSLuZs43MhdVkNo1YewHalMpKetctnw2Lz+z +ZcDCRLmD91U5BL7xp9KYQQ9EBjEn8dyw9hn8RmCaRKsvi71cIStv4OtuGxzIvTOJ +phqDJdjz53E6L/0NDmhgN7bxolYZJsPC2o/ca0lG1rx3SZdfI18WaTsQrOO2NaeZ +i4u9vkw/k7xT65mPxPsN7s67niE6lVGyTOLMwjvfO1sAHABbtto2GL0zRc454b9v +gObMCi/ZbOUo6wndMMPnrQh9SsSGKB6EIOEzmg+8M+Y +-> ssh-rsa kFDS0A +h9TH7j+1hquLDwCIRDvQiN7UJaO6rJ/NtWdeWTuqTqTGSS+aVvm9gDZBZiLzWyqb +GLd2guhepOCuSQkxocD7KAz1hp5pqf++XI8/yqepnHuU+CmInsOBmSZsG8QGktbk +wjY3ZqZdcfCorgAxjIaw4aNW3zeoq7ATC3rC3aDeOsZC6jImdgEeCvd8BczWSqOa +9acfRqd+QNDjqq3MIGIepVBlQ0nNniRtQoh4XtUey8jVb6kjow4TqBo9V33UhO7x +r3WMgk5q1onECAhaAlYFxQ3DzLjUxAVdulnkIoSBqdE1b6Njyc70CI9oYwZcGmbD +gC3qdQWmcoeOQ95YkdJAxaFIl3VNOTyn9rSXtn3a1PsVygaT+98qd1zwGPY+3ZDk +B1chqWp3IJ4y2oPqt1mO4j0am2NAChpcWlEhgeldD0HoUixoXvp2Gu0igD5ENfyH +BopesdhSoIxw8PbjKvnuwPFNSa9ysS6mpdmChTdBGpOCSpwMEcEE/m3pLo4FkzJf +nhQaxav7VmvZ2jxnmEgP/NUgxmZPHKOzlI3vqWfTsIwz/chHDwekhb6dB0O5nrjO +LzmKVrkVH0EEa3R1/BIfF674RSPXOmW89NNU7tCax3IOuPWC0QYv+2r/zjmAEq+Q +LJMPf1fUjLlsCmkOlxDYK4E/EyiG5dcjxdyXk8J+l6s +-> piv-p256 vRzPNw 
AzRQKtxg/bXdDoLXM4IBQaPXZ7Tg/6GSg0LeQQ3GNUnw +xf8jnJPg8nqUt26lvtemwdvV8h0nT8k/H4iGO8fBa1k +-> piv-p256 zqq/iw AtpFzxs9a5N87BOsagEIMnJFxyBv8PZwsF4orrWS7dlP +8w3nDD2dIXKRKtnz/xnFW3it99ZmfY9X4ZiQhjXnaPM +-> ssh-ed25519 YFSOsg E3q3wZk2o3+Gmv0xMuokFWqhckCEZxVomrj61M2U21w +CUlB8ynJwO5JmHND3+x/NN/PyV0HJXfoxI3TgPjOD/4 +-> ssh-ed25519 iHV63A 4tjRDQ0kSZZYda0V3pEs6teT7n8r0WFQ1iHj90XIP1c +OMGjdTkZo8LOojtNDhIw5OXaWpC21f8hIOcnv1suLA4 +-> ssh-ed25519 BVsyTA 5BzUJ7kmv/3ZwxRGOq6QNohlWn5nuHgCBTjbcGtA1jU +vaN4i/JBvrDtdb9IX+F4uLG8v6wiaF0zjTyBXJ7B0Ts +-> ssh-ed25519 +3V2lQ eS/DpYwsqIkwm1JENRu1kIHqe+qAcMssglt/DHIAuBk +JYdv3kTgpF+3b4a9eycCzl3FWyLSkunas4IYqfw9z48 +--- iffZKXnN9jbIrfnm0NrUmqfNhsBtd0FCBEc9Zp0YSj8 +[4aϓ ܥG( \)YQ '~@LKTw;j~,*q?o}' ? ׿ 
diff --git a/secrets/garage-rpc-secret.age b/secrets/garage-rpc-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..e8ad9873aacd2faef45d3d51bec8592f5be944a3 GIT binary patch literal 2686 zcmZXWyUYAo9fuWBmNYJw+PtmA*Gz7c1VPMoGRfqA9}#wPzfJC$TpByETN_IkY!+SZ zU93cHEd&u23vI+gY{bUO5&Vg+f517<;d?&k`J7vpye3UFY~56}%@^AtgB~#O`sJ5# z%wLlj!Eu;+QO_Kf&@VB$fxgNLj9Ge^bDJa`LR~WLjheCww8eduXNE>P`Thc6(WBIq zP83eVS&|xJG{#hwm0@%f~f5e3V9+hPY-g(>=&7gWXon3b9T&z`3(; zIYlKybGI%mrc~Ez5G+eE&%mY~uA(m4!?buai0gF>77?VEZGAzV3f&DwH#%k|ZbI}? zTB75Mvb?AJnn50BR&_$X}-B2HaiPO-E2+Q@0H1H*bbROF;+N|6U^E+hh6 zq%D{d0wt^Y86cMd)0^@l+PJNv=xA*lg~N)`cc7P5w?k?t%?LdV{&}*0-`gvQfs`Pd`q~gLgB`XG!HI3_~kj#5TAXGQ*CeWlB zt3yeDvE6l(#e;LEw>>FUwenlpVqvyGf>yg2N@k_tpvT=1C=w`*VV+RFcT|8~x_c(; zVF8wn6s3snNtg!$hs2&@%~;Q=B`zo@z$hwMuSzN@BwK#kFvc zm{1p5{9sBs$8`#maVkPIz!x6$i3>`RSTC39MkBW{Iv16SPlX(Ix-c;vPvD~u>TN-S z#G`9nIN~ZU0lnO!ZZQym<1x9F84)Ejih}r3dC{R(W-8Hc5s&5D^+278*)a2Q^Q<*k z&Xk84ZOX2((vAZG7>5gNbrzRj>-CXcdn0o%giW)u>MfKx_9t(&;roWAR^>lDO+T7W zrup@~RO^5~gAs6uh`Ea^Jr~#ZQHC7Iq6}u}&TyFvq5^X>N%JdzK$*iDKVKA&Ne^%e zYQBBYN6oTqAa;UIleqZ+Uh~{jhUcOor7rf$I;V?ssqq61V;;JgwO=0TiFO4g@-li z6QIKK&`b1D=1w$nx!?n``;2jKLx^lwWxpj6pDt0_sW6o*ITGd4A;qn})z`xqU0DQp zU_9akqVL>Nd162kub~uDn(a=tBMrgrEI@)@cDxW^>d0JA_anWO(%75uyh_930mmEZ zo)Er5TA_O|$Xr-9v7)C#X{FqB#6_c-(~EGa4|evi9CyXzwL|dZ%fsCDr~2t^p;!u| z={ro|`MC(3Iv6x=x@Wj#=QTrI3i}R0mi#~(0NqU88x-V-R;*6D9Avb}qHgio$6(0~1rxH7=v-C~An02$4rIJUQwCba9@Kxp5Z)j8QwV6J^ z!K-cEml8?g&(ZyiVXI1yjzt3bStfDNHLc)KAp+t_Yv)U*Twz$O^AVnQyz0o5rfJvz zn^xgHi_a-MnM)zqxw)vhysuq#6)9$t!6z@!Js1ZCEhD|svJ z8F40?%Mz%x-Uznztjs1?bB*3*O95VAUtfG0S%pxJdV_pwI=-oGb2T7&r2Y zt4|4ZDJmX-uYUMb>^Hw4wzuhz-QI%W`Th3qpS$GPC!6p7