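{ config, lib, pkgs, flake, ... }:
{
  # Garage object-storage node: age-encrypted secrets, firewall rules, ACME
  # wildcard certificates, nginx TLS termination and the garage service itself.

  # Secrets are decrypted by agenix as root with mode 400 and handed to the
  # service through systemd LoadCredential (see systemd.services.garage below),
  # so the garage user never needs direct read access to these files.
  age.secrets."garage-rpc-secret" = {
    file = "${flake.self}/secrets/garage-rpc-secret.age";
    mode = "400";
  };
  age.secrets."garage-admin-token" = {
    file = "${flake.self}/secrets/garage-admin-token.age";
    mode = "400";
  };
  age.secrets."acme-namecheap-env" = {
    file = "${flake.self}/secrets/acme-namecheap-env.age";
    mode = "400";
  };

  # 3900 = S3 API, 3901 = cluster RPC, 3902 = S3 web endpoint.
  # NOTE(review): 3900 and 3902 are opened here in addition to the nginx TLS
  # frontends below, so the S3 API and web endpoint are also reachable in
  # plaintext — confirm that this is intended. Cluster RPC on 3901 is gated by
  # the shared rpc secret.
  networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ];
  # Admin API is only reachable over the wg-ssh tunnel interface.
  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3903 ];

  security.acme = {
    defaults = {
      # LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
      # detection, as we use wildcard DNS for garage
      environmentFile = config.age.secrets.acme-namecheap-env.path;
    };
    certs = {
      # Wildcard certificate gets created automatically
      "buckets.${config.pub-solar-os.networking.domain}" = {
        # disable http challenge
        webroot = null;
        # enable dns challenge
        dnsProvider = "namecheap";
      };
      # Wildcard certificate gets created automatically
      "web.${config.pub-solar-os.networking.domain}" = {
        # disable http challenge
        webroot = null;
        # enable dns challenge
        dnsProvider = "namecheap";
      };
    };
  };

  # nginx terminates TLS and proxies to garage on loopback.
  services.nginx = {
    upstreams.s3_backend.servers = {
      "[::1]:3900" = { };
    };
    upstreams.web_backend.servers = {
      "[::1]:3902" = { };
    };
    # S3 API: bucket names are carried in the host header (vhost-style),
    # hence the wildcard alias matching garage's s3_api.root_domain.
    virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
      serverAliases = [ "*.buckets.${config.pub-solar-os.networking.domain}" ];
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://s3_backend";
        extraConfig = ''
          client_max_body_size 64m;
          proxy_max_temp_file_size 0;
        '';
      };
    };
    # Static website hosting from buckets, matching garage's s3_web.root_domain.
    virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
      serverAliases = [ "*.web.${config.pub-solar-os.networking.domain}" ];
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://web_backend";
      };
    };
  };

  services.garage = {
    enable = true;
    package = pkgs.garage_1_0_1;
    settings = {
      data_dir = "/var/lib/garage/data";
      metadata_dir = "/var/lib/garage/meta";
      db_engine = "lmdb";
      replication_factor = 3;
      compression_level = 2;
      rpc_bind_addr = "[::]:3901";
      s3_api = {
        s3_region = "eu-central";
        api_bind_addr = "[::]:3900";
        root_domain = ".buckets.${config.pub-solar-os.networking.domain}";
      };
      s3_web = {
        bind_addr = "[::]:3902";
        root_domain = ".web.${config.pub-solar-os.networking.domain}";
        index = "index.html";
      };
      # Bound on all interfaces; reachability is restricted to wg-ssh by the
      # interface-scoped firewall rule above.
      admin = {
        api_bind_addr = "[::]:3903";
      };
    };
  };

  # Static service account, used instead of DynamicUser (see below).
  users.users.garage = {
    isSystemUser = true;
    home = "/var/lib/garage";
    group = "garage";
  };
  users.groups.garage = { };

  # Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix
  # Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix
  # for mounts + permissions to work
  systemd.services.garage = {
    serviceConfig = {
      # systemd unit keys are case-sensitive and NixOS passes serviceConfig
      # through verbatim: lowercase `user`/`group` are ignored by systemd,
      # and with DynamicUser disabled the service would then run as root.
      User = "garage";
      Group = "garage";
      DynamicUser = false;
      # Credentials are read by systemd as root and exposed to the service
      # under $CREDENTIALS_DIRECTORY (%d), owned by the service user.
      LoadCredential = [
        "rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}"
        "admin_token_path:${config.age.secrets.garage-admin-token.path}"
      ];
      Environment = [
        # NOTE(review): files under %d are not world-readable, so this
        # override may be unnecessary — verify against garage's secret
        # permission check before dropping it.
        "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
        "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
        "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
      ];
    };
  };
}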