forked from pub-solar/infra
garage: init module
This commit is contained in:
parent
9eb746313e
commit
4a3d3ce84b
75
modules/garage/default.nix
Normal file
75
modules/garage/default.nix
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
flake,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
age.secrets."garage-rpc-secret" = {
|
||||||
|
file = "${flake.self}/secrets/garage-rpc-secret.age";
|
||||||
|
mode = "400";
|
||||||
|
};
|
||||||
|
|
||||||
|
age.secrets."garage-admin-token" = {
|
||||||
|
file = "${flake.self}/secrets/garage-admin-token.age";
|
||||||
|
mode = "400";
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
3900
|
||||||
|
3901
|
||||||
|
3902
|
||||||
|
];
|
||||||
|
|
||||||
|
services.garage = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.garage_1_0_0;
|
||||||
|
settings = {
|
||||||
|
data_dir = "/var/lib/garage/data";
|
||||||
|
metadata_dir = "/var/lib/garage/meta";
|
||||||
|
db_engine = "lmdb";
|
||||||
|
replication_factor = 3;
|
||||||
|
compression_level = 2;
|
||||||
|
rpc_bind_addr = "[::]:3901";
|
||||||
|
s3_api = {
|
||||||
|
s3_region = "eu-central";
|
||||||
|
api_bind_addr = "[::]:3900";
|
||||||
|
root_domain = ".s3.${config.pub-solar-os.networking.domain}";
|
||||||
|
};
|
||||||
|
s3_web = {
|
||||||
|
bind_addr = "[::]:3902";
|
||||||
|
root_domain = ".web.${config.pub-solar-os.networking.domain}";
|
||||||
|
index = "index.html";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.garage = {
|
||||||
|
isSystemUser = true;
|
||||||
|
home = "/var/lib/garage";
|
||||||
|
group = "garage";
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups.garage = { };
|
||||||
|
|
||||||
|
# Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix
|
||||||
|
# Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix
|
||||||
|
# for mounts + permissions to work
|
||||||
|
systemd.services.garage = {
|
||||||
|
serviceConfig = {
|
||||||
|
user = "garage";
|
||||||
|
group = "garage";
|
||||||
|
DynamicUser = false;
|
||||||
|
LoadCredential = [
|
||||||
|
"rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}"
|
||||||
|
"admin_token_path:${config.age.secrets.garage-admin-token.path}"
|
||||||
|
];
|
||||||
|
Environment = [
|
||||||
|
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
|
||||||
|
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
|
||||||
|
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
47
secrets/garage-admin-token.age
Normal file
47
secrets/garage-admin-token.age
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NID4eA MqbdKdPSNLU32j+ZFTT1bmSFk4ZQowSuYcuP/FRtKgs
|
||||||
|
m0UaJclORGOrQDLIvdIv4Aq4U3XNOet9CzU8pX/pGsI
|
||||||
|
-> ssh-ed25519 9RQHxg WyTt2Lqd2mRtwsx2PLajmk68IB1yP0DkgXR/xfIMERM
|
||||||
|
4JaJ+DB97XxOuI2G/qnk+NX8Xv1ruY28NPRl7aUPWEc
|
||||||
|
-> ssh-ed25519 eP5MMw HUf/aXRbaIEjQFdWpo8vWtNSqzYcQKaNKJ7y+ewMVz0
|
||||||
|
6IcRiPufkMLjOV5mSaOBclPmFDVKII/8mqGN7jmfkYk
|
||||||
|
-> ssh-ed25519 uYcDNw gHg0z1q+4AGZtuMzbV1dZjWojmYNE0JO1ZhMnGqAbR0
|
||||||
|
sFE6mIV3ZgRMlsuHFltkC4M+aAhEDzVQQ3rkgiR5GSY
|
||||||
|
-> ssh-rsa f5THog
|
||||||
|
BFJZWIMurARpA6XJMlxnDYFUTGCX5gEb6IycqUQbIdu9+91mpDR3WxlJYLLZC3vD
|
||||||
|
j7e5xFvr4bOXQg56N59k4AD5CnC7CoZld/PqGtP5JqUcoXPFHgq95GzfiuTLedkZ
|
||||||
|
esPsPvXfdeyqfzcdMhxTz8pO0RRPUk9Xc2wnvHrDyeNO0vS5N+bMsNMvFfRaMZTi
|
||||||
|
xV2Xl98VFl90+gzuPACN0zpfoEqajcJhPtMqoaOjOzD7sGaAz5UYLAIyOHdh3t9w
|
||||||
|
DwVorUheXKLqq1kxZRZ5QCC7N+TCbi7x6B5xCezz9hF2vXkzunDh/d7maQG34AXJ
|
||||||
|
x1sQ4R9dXn778j14RqBBNbsFPDg8WIS4Zs+ypdqev8w+aOhZkcDf5unKQJLdeu3N
|
||||||
|
W+IUJTN5zFObMX0TXtj0yI7xUSkZKSLuZs43MhdVkNo1YewHalMpKetctnw2Lz+z
|
||||||
|
ZcDCRLmD91U5BL7xp9KYQQ9EBjEn8dyw9hn8RmCaRKsvi71cIStv4OtuGxzIvTOJ
|
||||||
|
phqDJdjz53E6L/0NDmhgN7bxolYZJsPC2o/ca0lG1rx3SZdfI18WaTsQrOO2NaeZ
|
||||||
|
i4u9vkw/k7xT65mPxPsN7s67niE6lVGyTOLMwjvfO1sAHABbtto2GL0zRc454b9v
|
||||||
|
gObMCi/ZbOUo6wndMMPnrQh9SsSGKB6EIOEzmg+8M+Y
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
h9TH7j+1hquLDwCIRDvQiN7UJaO6rJ/NtWdeWTuqTqTGSS+aVvm9gDZBZiLzWyqb
|
||||||
|
GLd2guhepOCuSQkxocD7KAz1hp5pqf++XI8/yqepnHuU+CmInsOBmSZsG8QGktbk
|
||||||
|
wjY3ZqZdcfCorgAxjIaw4aNW3zeoq7ATC3rC3aDeOsZC6jImdgEeCvd8BczWSqOa
|
||||||
|
9acfRqd+QNDjqq3MIGIepVBlQ0nNniRtQoh4XtUey8jVb6kjow4TqBo9V33UhO7x
|
||||||
|
r3WMgk5q1onECAhaAlYFxQ3DzLjUxAVdulnkIoSBqdE1b6Njyc70CI9oYwZcGmbD
|
||||||
|
gC3qdQWmcoeOQ95YkdJAxaFIl3VNOTyn9rSXtn3a1PsVygaT+98qd1zwGPY+3ZDk
|
||||||
|
B1chqWp3IJ4y2oPqt1mO4j0am2NAChpcWlEhgeldD0HoUixoXvp2Gu0igD5ENfyH
|
||||||
|
BopesdhSoIxw8PbjKvnuwPFNSa9ysS6mpdmChTdBGpOCSpwMEcEE/m3pLo4FkzJf
|
||||||
|
nhQaxav7VmvZ2jxnmEgP/NUgxmZPHKOzlI3vqWfTsIwz/chHDwekhb6dB0O5nrjO
|
||||||
|
LzmKVrkVH0EEa3R1/BIfF674RSPXOmW89NNU7tCax3IOuPWC0QYv+2r/zjmAEq+Q
|
||||||
|
LJMPf1fUjLlsCmkOlxDYK4E/EyiG5dcjxdyXk8J+l6s
|
||||||
|
-> piv-p256 vRzPNw AzRQKtxg/bXdDoLXM4IBQaPXZ7Tg/6GSg0LeQQ3GNUnw
|
||||||
|
xf8jnJPg8nqUt26lvtemwdvV8h0nT8k/H4iGO8fBa1k
|
||||||
|
-> piv-p256 zqq/iw AtpFzxs9a5N87BOsagEIMnJFxyBv8PZwsF4orrWS7dlP
|
||||||
|
8w3nDD2dIXKRKtnz/xnFW3it99ZmfY9X4ZiQhjXnaPM
|
||||||
|
-> ssh-ed25519 YFSOsg E3q3wZk2o3+Gmv0xMuokFWqhckCEZxVomrj61M2U21w
|
||||||
|
CUlB8ynJwO5JmHND3+x/NN/PyV0HJXfoxI3TgPjOD/4
|
||||||
|
-> ssh-ed25519 iHV63A 4tjRDQ0kSZZYda0V3pEs6teT7n8r0WFQ1iHj90XIP1c
|
||||||
|
OMGjdTkZo8LOojtNDhIw5OXaWpC21f8hIOcnv1suLA4
|
||||||
|
-> ssh-ed25519 BVsyTA 5BzUJ7kmv/3ZwxRGOq6QNohlWn5nuHgCBTjbcGtA1jU
|
||||||
|
vaN4i/JBvrDtdb9IX+F4uLG8v6wiaF0zjTyBXJ7B0Ts
|
||||||
|
-> ssh-ed25519 +3V2lQ eS/DpYwsqIkwm1JENRu1kIHqe+qAcMssglt/DHIAuBk
|
||||||
|
JYdv3kTgpF+3b4a9eycCzl3FWyLSkunas4IYqfw9z48
|
||||||
|
--- iffZKXnN9jbIrfnm0NrUmqfNhsBtd0FCBEc9Zp0YSj8
|
||||||
|
Ñ[4aÏ“ Ü¥¹ŒçG”Žž(˜É\<5C>)YQÍ
'~@L—KñTw¬;æ–jó~,‰¤¤¦îεó½‡Ô*áüq?o}ª' ? ¸×¿
|
BIN
secrets/garage-rpc-secret.age
Normal file
BIN
secrets/garage-rpc-secret.age
Normal file
Binary file not shown.
|
@ -5,6 +5,9 @@ let
|
||||||
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
|
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
|
||||||
metronom-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLX6UvvrKALKL0xsNnytLPHryzZF5evUnxAgGokf14i root@metronom";
|
metronom-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLX6UvvrKALKL0xsNnytLPHryzZF5evUnxAgGokf14i root@metronom";
|
||||||
tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle";
|
tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle";
|
||||||
|
trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin";
|
||||||
|
delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite";
|
||||||
|
blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell";
|
||||||
|
|
||||||
adminKeys = builtins.foldl' (
|
adminKeys = builtins.foldl' (
|
||||||
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
|
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
|
||||||
|
@ -17,6 +20,8 @@ let
|
||||||
flora6Keys = [ flora-6-host ];
|
flora6Keys = [ flora-6-host ];
|
||||||
|
|
||||||
metronomKeys = [ metronom-host ];
|
metronomKeys = [ metronom-host ];
|
||||||
|
|
||||||
|
garageKeys = [ trinkgenossin-host delite-host blue-shell-host ];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
|
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
|
||||||
|
@ -87,4 +92,8 @@ in
|
||||||
"mail/crew.age".publicKeys = metronomKeys ++ adminKeys;
|
"mail/crew.age".publicKeys = metronomKeys ++ adminKeys;
|
||||||
"mail/erpnext.age".publicKeys = metronomKeys ++ adminKeys;
|
"mail/erpnext.age".publicKeys = metronomKeys ++ adminKeys;
|
||||||
"mail/hakkonaut.age".publicKeys = metronomKeys ++ adminKeys;
|
"mail/hakkonaut.age".publicKeys = metronomKeys ++ adminKeys;
|
||||||
|
|
||||||
|
# garage
|
||||||
|
"garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys;
|
||||||
|
"garage-admin-token.age".publicKeys = garageKeys ++ adminKeys;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue