infra/modules/garage/default.nix
teutat3s 9758aeda5d
garage: fix wildcard DNS cert renewal with wildcard
CNAME records

By usind wildcard CNAME records, we make lego think it needs to validate
challenges using these CNAME records. We actually want regular
_acme-challenge.* records, so use a environment variable to avoid CNAME
detection. This fixes DNS cert renewal. Still curious? See:
https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
2024-10-23 20:18:57 +02:00

143 lines
3.7 KiB
Nix

{
config,
lib,
pkgs,
flake,
...
}:
{
age.secrets."garage-rpc-secret" = {
file = "${flake.self}/secrets/garage-rpc-secret.age";
mode = "400";
};
age.secrets."garage-admin-token" = {
file = "${flake.self}/secrets/garage-admin-token.age";
mode = "400";
};
age.secrets."acme-namecheap-env" = {
file = "${flake.self}/secrets/acme-namecheap-env.age";
mode = "400";
};
networking.firewall.allowedTCPPorts = [
3900
3901
3902
];
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3903 ];
security.acme = {
defaults = {
# LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
# detection, as we use wildcard DNS for garage
environmentFile = config.age.secrets.acme-namecheap-env.path;
};
certs = {
# Wildcard certificate gets created automatically
"buckets.${config.pub-solar-os.networking.domain}" = {
# disable http challenge
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
};
# Wildcard certificate gets created automatically
"web.${config.pub-solar-os.networking.domain}" = {
# disable http challenge
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
};
};
};
services.nginx = {
upstreams.s3_backend.servers = {
"[::1]:3900" = { };
};
upstreams.web_backend.servers = {
"[::1]:3902" = { };
};
virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
serverAliases = [ "*.buckets.${config.pub-solar-os.networking.domain}" ];
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s3_backend";
extraConfig = ''
client_max_body_size 64m;
proxy_max_temp_file_size 0;
'';
};
};
virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
serverAliases = [ "*.web.${config.pub-solar-os.networking.domain}" ];
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://web_backend";
};
};
};
services.garage = {
enable = true;
package = pkgs.garage_1_0_1;
settings = {
data_dir = "/var/lib/garage/data";
metadata_dir = "/var/lib/garage/meta";
db_engine = "lmdb";
replication_factor = 3;
compression_level = 2;
rpc_bind_addr = "[::]:3901";
s3_api = {
s3_region = "eu-central";
api_bind_addr = "[::]:3900";
root_domain = ".buckets.${config.pub-solar-os.networking.domain}";
};
s3_web = {
bind_addr = "[::]:3902";
root_domain = ".web.${config.pub-solar-os.networking.domain}";
index = "index.html";
};
admin = {
api_bind_addr = "[::]:3903";
};
};
};
users.users.garage = {
isSystemUser = true;
home = "/var/lib/garage";
group = "garage";
};
users.groups.garage = { };
# Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix
# Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix
# for mounts + permissions to work
systemd.services.garage = {
serviceConfig = {
user = "garage";
group = "garage";
DynamicUser = false;
LoadCredential = [
"rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}"
"admin_token_path:${config.age.secrets.garage-admin-token.path}"
];
Environment = [
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
];
};
};
}