forked from pub-solar/infra
teutat3s
9758aeda5d
CNAME records By usind wildcard CNAME records, we make lego think it needs to validate challenges using these CNAME records. We actually want regular _acme-challenge.* records, so use a environment variable to avoid CNAME detection. This fixes DNS cert renewal. Still curious? See: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
143 lines
3.7 KiB
Nix
143 lines
3.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
flake,
|
|
...
|
|
}:
|
|
{
|
|
age.secrets."garage-rpc-secret" = {
|
|
file = "${flake.self}/secrets/garage-rpc-secret.age";
|
|
mode = "400";
|
|
};
|
|
|
|
age.secrets."garage-admin-token" = {
|
|
file = "${flake.self}/secrets/garage-admin-token.age";
|
|
mode = "400";
|
|
};
|
|
|
|
age.secrets."acme-namecheap-env" = {
|
|
file = "${flake.self}/secrets/acme-namecheap-env.age";
|
|
mode = "400";
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
3900
|
|
3901
|
|
3902
|
|
];
|
|
|
|
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3903 ];
|
|
|
|
security.acme = {
|
|
defaults = {
|
|
# LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
|
|
# detection, as we use wildcard DNS for garage
|
|
environmentFile = config.age.secrets.acme-namecheap-env.path;
|
|
};
|
|
certs = {
|
|
# Wildcard certificate gets created automatically
|
|
"buckets.${config.pub-solar-os.networking.domain}" = {
|
|
# disable http challenge
|
|
webroot = null;
|
|
# enable dns challenge
|
|
dnsProvider = "namecheap";
|
|
};
|
|
# Wildcard certificate gets created automatically
|
|
"web.${config.pub-solar-os.networking.domain}" = {
|
|
# disable http challenge
|
|
webroot = null;
|
|
# enable dns challenge
|
|
dnsProvider = "namecheap";
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
upstreams.s3_backend.servers = {
|
|
"[::1]:3900" = { };
|
|
};
|
|
upstreams.web_backend.servers = {
|
|
"[::1]:3902" = { };
|
|
};
|
|
virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
|
|
serverAliases = [ "*.buckets.${config.pub-solar-os.networking.domain}" ];
|
|
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://s3_backend";
|
|
extraConfig = ''
|
|
client_max_body_size 64m;
|
|
proxy_max_temp_file_size 0;
|
|
'';
|
|
};
|
|
};
|
|
virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
|
|
serverAliases = [ "*.web.${config.pub-solar-os.networking.domain}" ];
|
|
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://web_backend";
|
|
};
|
|
};
|
|
};
|
|
|
|
services.garage = {
|
|
enable = true;
|
|
package = pkgs.garage_1_0_1;
|
|
settings = {
|
|
data_dir = "/var/lib/garage/data";
|
|
metadata_dir = "/var/lib/garage/meta";
|
|
db_engine = "lmdb";
|
|
replication_factor = 3;
|
|
compression_level = 2;
|
|
rpc_bind_addr = "[::]:3901";
|
|
s3_api = {
|
|
s3_region = "eu-central";
|
|
api_bind_addr = "[::]:3900";
|
|
root_domain = ".buckets.${config.pub-solar-os.networking.domain}";
|
|
};
|
|
s3_web = {
|
|
bind_addr = "[::]:3902";
|
|
root_domain = ".web.${config.pub-solar-os.networking.domain}";
|
|
index = "index.html";
|
|
};
|
|
admin = {
|
|
api_bind_addr = "[::]:3903";
|
|
};
|
|
};
|
|
};
|
|
|
|
users.users.garage = {
|
|
isSystemUser = true;
|
|
home = "/var/lib/garage";
|
|
group = "garage";
|
|
};
|
|
|
|
users.groups.garage = { };
|
|
|
|
# Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix
|
|
# Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix
|
|
# for mounts + permissions to work
|
|
systemd.services.garage = {
|
|
serviceConfig = {
|
|
user = "garage";
|
|
group = "garage";
|
|
DynamicUser = false;
|
|
LoadCredential = [
|
|
"rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}"
|
|
"admin_token_path:${config.age.secrets.garage-admin-token.path}"
|
|
];
|
|
Environment = [
|
|
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
|
|
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
|
|
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
|
|
];
|
|
};
|
|
};
|
|
}
|