garage: init buckets.pub.solar, use nginx as reverse proxy

https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/
teutat3s 2024-08-24 21:48:48 +02:00
parent b0790876ec
commit 15b507904f
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
5 changed files with 111 additions and 0 deletions


@ -100,6 +100,7 @@
#self.nixosModules.promtail #self.nixosModules.promtail
self.nixosModules.garage self.nixosModules.garage
self.nixosModules.nginx
]; ];
}; };
@ -116,6 +117,7 @@
#self.nixosModules.promtail #self.nixosModules.promtail
self.nixosModules.garage self.nixosModules.garage
self.nixosModules.nginx
]; ];
}; };
@ -132,6 +134,7 @@
#self.nixosModules.promtail #self.nixosModules.promtail
self.nixosModules.garage self.nixosModules.garage
self.nixosModules.nginx
]; ];
}; };
}; };


@ -16,12 +16,73 @@
mode = "400"; mode = "400";
}; };
age.secrets."acme-namecheap-env" = {
file = "${flake.self}/secrets/acme-namecheap-env.age";
mode = "400";
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
3900 3900
3901 3901
3902 3902
]; ];
security.acme = {
defaults = {
environmentFile = config.age.secrets.acme-namecheap-env.path;
};
certs = {
# Wildcard certificate gets created automatically
"buckets.${config.pub-solar-os.networking.domain}" = {
# disable http challenge
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
dnsPropagationCheck = false;
};
# Wildcard certificate gets created automatically
"web.${config.pub-solar-os.networking.domain}" = {
# disable http challenge
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
dnsPropagationCheck = false;
};
};
};
services.nginx = {
upstreams.s3_backend.servers = {
"[::1]:3900" = { };
};
upstreams.web_backend.servers = {
"[::1]:3902" = { };
};
virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"];
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s3_backend";
extraConfig = ''
proxy_max_temp_file_size 0;
'';
};
};
virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"];
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://web_backend";
};
};
};
services.garage = { services.garage = {
enable = true; enable = true;
package = pkgs.garage_1_0_0; package = pkgs.garage_1_0_0;
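Review bot: The two proxied locations forward no Host header, so unless the nginx module imported elsewhere in this commit turns on `recommendedProxySettings`, Garage receives `Host: s3_backend` / `Host: web_backend` and the vhost-style bucket routing that the `*.buckets.` and `*.web.` serverAliases exist for cannot work; add `proxy_set_header Host $host;` to both `extraConfig` blocks, as the reverse-proxy cookbook linked in the commit message does. That cookbook also sets `client_max_body_size 0;` on the S3 location, without which nginx's default 1m request limit rejects larger uploads with 413. Separately, `allowedTCPPorts` still publishes 3900 and 3902 directly, so the plaintext S3 and web endpoints stay reachable alongside the `forceSSL` vhosts; once clients go through nginx only 3901 (not used by either upstream here, presumably the inter-node RPC port) should need to remain open, and that one ideally only to peer addresses. The `services.garage` block continues past the end of the hunk.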

Binary file not shown.


@ -100,4 +100,6 @@ in
# garage # garage
"garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys; "garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys;
"garage-admin-token.age".publicKeys = garageKeys ++ adminKeys; "garage-admin-token.age".publicKeys = garageKeys ++ adminKeys;
"acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys;
} }
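Review bot: The new `acme-namecheap-env.age` entry distributes the Namecheap API credentials to every host in `garageKeys`, and as far as I know Namecheap issues account-wide API keys rather than per-zone tokens, so each of those hosts can then rewrite any DNS record of the account, not only `_acme-challenge.buckets`. That is a wider blast radius than the rpc-secret and admin-token entries above it and deserves a comment next to the line, e.g. `# Namecheap API key for the ACME DNS-01 challenge; account-wide, so it grants full DNS control to every garage host`. If the account uses Namecheap's API client-IP allow-list, it is also worth checking that it lists only these hosts.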


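--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -99,6 +99,51 @@ resource "namecheap_domain_records" "pub-solar" {
 type = "A"
 address = "80.71.153.210"
 }
+record {
+hostname = "buckets"
+type = "A"
+address = "85.215.152.22"
+}
+record {
+hostname = "buckets"
+type = "A"
+address = "5.255.119.132"
+}
+record {
+hostname = "buckets"
+type = "A"
+address = "194.13.83.205"
+}
+record {
+hostname = "buckets"
+type = "AAAA"
+address = "2a01:239:35d:f500::1"
+}
+record {
+hostname = "buckets"
+type = "AAAA"
+address = "2a04:52c0:124:9d8c::2"
+}
+record {
+hostname = "buckets"
+type = "AAAA"
+address = "2a03:4000:43:24e::1"
+}
+record {
+hostname = "*.buckets"
+type = "CNAME"
+address = "buckets.pub.solar."
+}
+record {
+hostname = "web"
+type = "CNAME"
+address = "buckets.pub.solar."
+}
+record {
+hostname = "*.web"
+type = "CNAME"
+address = "buckets.pub.solar."
+}
 record {
 hostname = "tankstelle"
 type = "A"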
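Review bot: The wildcard `*.web` CNAME puts every bucket published through Garage's web endpoint on a hostname under the organisation's own domain, and if those buckets are not all first-party content, a page served from `<bucket>.web.pub.solar` can set cookies scoped to `web.pub.solar` or `pub.solar` and is same-site with the other pub.solar services. That follows from the naming rather than from this record set, but it should be a deliberate choice; the usual mitigations are to serve user-controlled bucket sites from a separate registrable domain, or to have `web.pub.solar` listed on the Public Suffix List so browsers treat each bucket host as its own site. A comment on the `*.web` record such as `# any <bucket>.web.<domain> resolves here; bucket websites share pub.solar's cookie and site scope` would record the decision. The `resource` block continues outside the hunk.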