From fe3dda9f1bab8ee9320787fd6748e707713b9c3b Mon Sep 17 00:00:00 2001 From: Ethan Turkeltaub Date: Thu, 7 Nov 2024 00:00:05 -0500 Subject: [PATCH] Add Garage --- hosts/gateway/profiles/nginx/default.nix | 63 +++++++++++-- hosts/gateway/profiles/nginx/secrets.yml | 7 +- hosts/monitor/profiles/prometheus.nix | 6 +- hosts/omnibus/configuration.nix | 1 + modules/profiles/services/garage/default.nix | 73 +++++++++++++++ modules/profiles/services/garage/secrets.yml | 95 ++++++++++++++++++++ 6 files changed, 236 insertions(+), 9 deletions(-) create mode 100644 modules/profiles/services/garage/default.nix create mode 100644 modules/profiles/services/garage/secrets.yml diff --git a/hosts/gateway/profiles/nginx/default.nix b/hosts/gateway/profiles/nginx/default.nix index e1246a2..dea0de5 100644 --- a/hosts/gateway/profiles/nginx/default.nix +++ b/hosts/gateway/profiles/nginx/default.nix @@ -1,11 +1,18 @@ { config, profiles, hosts, ... }: { imports = [ profiles.web-servers.nginx ]; - sops.secrets.nginx_fileflows_basic_auth_file = { - sopsFile = ./secrets.yml; - format = "yaml"; - owner = config.services.nginx.user; - inherit (config.services.nginx) group; + sops.secrets = { + nginx_fileflows_basic_auth_file = { + sopsFile = ./secrets.yml; + format = "yaml"; + owner = config.services.nginx.user; + inherit (config.services.nginx) group; + }; + + lego_route53_credentials = { + sopsFile = ./secrets.yml; + format = "yaml"; + }; }; services.nginx.virtualHosts = let 
@@ -129,6 +136,32 @@
 '';
 };
 
+ "web.garage.e10.camp" = {
+ forceSSL = true;
+ useACMEHost = "web.garage.e10.camp";
+ serverAliases = [ "*.web.garage.e10.camp" ];
+
+ locations."/" = {
+ proxyPass =
+ "http://${hosts.omnibus.config.networking.hostName}:${toString 3900}";
+ };
+ };
+
+ "s3.garage.e10.camp" = {
+ forceSSL = true;
+ useACMEHost = "s3.garage.e10.camp";
+ serverAliases = [ "*.s3.garage.e10.camp" ];
+
+ locations."/" = {
+ proxyPass =
+ "http://${hosts.omnibus.config.networking.hostName}:${toString 3900}";
+ extraConfig = ''
+ proxy_max_temp_file_size 0;
+ client_max_body_size 5G;
+ '';
+ };
+ };
+
 "netbox.e10.camp" = mkVirtualHost {
 host = hosts.matrix;
 port = 8002;
@@ -190,4 +223,24 @@
 '';
 };
 };
+
+ security.acme.certs = {
+ "s3.garage.e10.camp" = {
+ domain = "s3.garage.e10.camp";
+ extraDomainNames = [ "*.s3.garage.e10.camp" ];
+ dnsProvider = "route53";
+ credentialsFile = config.sops.secrets.lego_route53_credentials.path;
+
+ group = "nginx";
+ };
+
+ "web.garage.e10.camp" = {
+ domain = "web.garage.e10.camp";
+ extraDomainNames = [ "*.web.garage.e10.camp" ];
+ dnsProvider = "route53";
+ credentialsFile = config.sops.secrets.lego_route53_credentials.path;
+
+ group = "nginx";
+ };
+ };
 }
diff --git a/hosts/gateway/profiles/nginx/secrets.yml b/hosts/gateway/profiles/nginx/secrets.yml
index 9236158..25ae2a5 100644
--- a/hosts/gateway/profiles/nginx/secrets.yml
+++ b/hosts/gateway/profiles/nginx/secrets.yml
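Review bot: The `web.garage.e10.camp` virtual host proxies to port 3900, which in the new garage module is the S3 API (`s3_api.api_bind_addr`), while the static-website server is bound separately at `s3_web.bind_addr = "0.0.0.0:3902"`; unless something outside this patch remaps the ports, requests for web.garage will be answered by the S3 API instead of the website endpoint. The web host's line should read `"http://${hosts.omnibus.config.networking.hostName}:3902";`. The `${toString 3900}` interpolation of a literal is redundant; the prometheus hunk writes `:3903` directly and the same form would read better here. Both hosts rely on the wildcard `serverAliases` and Garage's `root_domain` matching, which only works if the original Host header is forwarded unchanged; that depends on the proxy settings in `profiles.web-servers.nginx`, which are outside this patch and worth confirming.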
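Review bot: The two `security.acme.certs` entries in the last hunk differ only in their base domain, so the block duplicates the route53 provider, the credentials path and `group = "nginx"`; the file already abstracts repeated virtual hosts with `mkVirtualHost`, and a small local helper would do the same here. A comment on the `credentialsFile` line would also help, since the file's contents are opaque in the encrypted secret: `# EnvironmentFile for lego's route53 provider (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, optionally AWS_HOSTED_ZONE_ID); scope the IAM key to record changes in this hosted zone only.` The dedup could look like this:
```nix
security.acme.certs = let
  # One wildcard DNS-01 certificate per Garage base domain; both use the same route53 key.
  mkGarageCert = name: {
    domain = name;
    extraDomainNames = [ "*.${name}" ];
    dnsProvider = "route53";
    credentialsFile = config.sops.secrets.lego_route53_credentials.path;
    group = "nginx";
  };
in {
  "s3.garage.e10.camp" = mkGarageCert "s3.garage.e10.camp";
  "web.garage.e10.camp" = mkGarageCert "web.garage.e10.camp";
};
```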
@@ -1,4 +1,5 @@
 nginx_fileflows_basic_auth_file: ENC[AES256_GCM,data:LT/LcmGGFgeisYcmqt067QbsHMy/cicBajp/sU5BcD4Wk2nuSQmUPw3Eoxs=,iv:ODoWmYda+HMRnBD+UiE7QuK7/xWRIMZpKsJfgLAiJrs=,tag:lOnfCoGvocDyGouRZGAmug==,type:str]
+lego_route53_credentials: ENC[AES256_GCM,data:gezuGnKLlv1BS5ZR55ZsPlH5wdQlQ6863WTtMBFiMnzu9no7xVV9Ahbb+l9m+1y2RAwBanDS2xYqrO2ycPxYmwGYScQnImjvpqH+4K2DGukbIvI5vQP1p+UixDaRrg9m9XXHt/SMbQ0lka7g1+T9ICzIMqjq6/TQRR+DGgzM4v9c2kWBnpznRV14iBPhj5m2dojnLpovggIR7Y+8ny6rRZh8fFzagw==,iv:jBeCGnN1jZ8X1NkmCQDvRIcqCy+b/q0mUxFsNUwRLRw=,tag:UNYWt6BRUcvkpY14Na+YSg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -95,8 +96,8 @@ sops:
 aC9pSGpoSWJrcG5iRGdPZEhhYXF5Q1EKKkPBACESizSI/C0zuF3USsEEDNQpvT93
 /ue2bjvAiS84Fzqu6RFITFtW0DsKz2tO344s09nxDEPWWAyh17nxiw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-23T14:32:12Z"
- mac: ENC[AES256_GCM,data:C4AQMPeF3dzVEfT2beFFHoYZNLdLsocX8jhvm5obFms5eA5Kw37m07s25IO5ZRD/OaueOTiKSNKRQaIyvemlkssRbnLdHqfI5fmkDaF4Ht9G5i2AgiAiPu/tXLfjmJCMhUyEnf9xeVxFgKmQ49ZSGRubBdQYCoPQOCJlibPYgL0=,iv:dA4xW8wywFX0bMJ0LMdhfczVs8DTCXkh6LaTXdFX7bs=,tag:CQyxTvQVYL7K1BbuEG1UTQ==,type:str]
+ lastmodified: "2024-11-07T04:39:50Z"
+ mac: ENC[AES256_GCM,data:DTudp4Fa1GVYKlqmSusxe4CoGV+A7Ar7wju8kfjA31QXxi1GBBiTuVa0Tn3PQQP+WYwEkQ7TLsB02EOhRCsvkh5VghDiK+Asxn3WQAzrRQaVpsm4nzz7kl7hjhvGDk7yRsuGIdwKBVxBAPiHvRuSB1lCbe2e8bXUjQj2GPq3UFE=,iv:hebxSo+t4i7unn+Jt7ryqRnp+gFKFmmwoJbeWPN2hmk=,tag:pSqz+v3PYu7ZCol4GOHCFQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.1
diff --git a/hosts/monitor/profiles/prometheus.nix b/hosts/monitor/profiles/prometheus.nix
index 37654f0..5575ce8 100644
--- a/hosts/monitor/profiles/prometheus.nix
+++ b/hosts/monitor/profiles/prometheus.nix
@@ -469,6 +469,10 @@
 }];
 scrape_interval = "1m";
 }
-
+ {
+ job_name = "garage";
+ static_configs =
+ [{ targets = [ "${hosts.omnibus.config.networking.hostName}:3903" ]; }];
+ }
 ];
 }
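Review bot: The new `garage` scrape job has no `authorization` or `bearer_token_file`, so it can only succeed if Garage's `/metrics` on the admin port (3903) is left unauthenticated, which per Garage's documented behaviour is what happens when no metrics token is configured. The new `modules/profiles/services/garage/secrets.yml` does carry a `garage_metrics_token`, but `modules/profiles/services/garage/default.nix` never wires it into `admin.metrics_token_file`, so that secret is currently dead and the endpoint is readable by anything that can reach the port the garage hunk opens in the firewall. Either wire the token on both sides — a sops secret for `metrics_token_file` in the garage module and a matching `bearer_token_file` in this job — or leave a comment here stating that Garage metrics are intentionally unauthenticated on the internal network. The enclosing scrape-config list begins outside the hunk.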
diff --git a/hosts/omnibus/configuration.nix b/hosts/omnibus/configuration.nix index 0e11a22..ca546fc 100644 --- a/hosts/omnibus/configuration.nix +++ b/hosts/omnibus/configuration.nix @@ -13,6 +13,7 @@ profiles.users.proxmox profiles.databases.postgresql.default profiles.services.atticd.default + profiles.services.garage.default ] ++ [ ./hardware-configuration.nix ./disk-config.nix ]; boot.loader.grub.devices = diff --git a/modules/profiles/services/garage/default.nix b/modules/profiles/services/garage/default.nix new file mode 100644 index 0000000..6fa7ff1 --- /dev/null +++ b/modules/profiles/services/garage/default.nix 
@@ -0,0 +1,73 @@
+{ config, pkgs, ... }: {
+ sops.secrets = {
+ garage_rpc_secret = {
+ format = "yaml";
+ sopsFile = ./secrets.yml;
+ mode = "0600";
+ owner = config.users.users.garage.name;
+ };
+
+ garage_admin_token = {
+ format = "yaml";
+ sopsFile = ./secrets.yml;
+ mode = "0600";
+ owner = config.users.users.garage.name;
+ };
+ };
+
+ users = {
+ users.garage = {
+ group = config.users.groups.garage.name;
+ isSystemUser = true;
+ };
+
+ groups.garage = { };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '${config.services.garage.settings.data_dir}' 0777 ${config.users.users.garage.name} ${config.users.groups.garage.name} - -"
+ ];
+
+ systemd.services.garage = {
+ serviceConfig = {
+ ReadWriteDirectories = [ config.services.garage.settings.data_dir ];
+ DynamicUser = false;
+ User = config.users.users.garage.name;
+ Group = config.users.groups.garage.name;
+ };
+ };
+
+ services.garage = {
+ enable = true;
+ package = pkgs.garage_1_0_1;
+ settings = {
+ metadata_dir = "/var/lib/garage/meta";
+ data_dir = "/data/files/services/garage";
+ db_engine = "sqlite";
+
+ replication_factor = 1;
+
+ rpc_bind_addr = "0.0.0.0:3901";
+ rpc_secret_file = config.sops.secrets.garage_rpc_secret.path;
+
+ s3_api = {
+ s3_region = "garage";
+ api_bind_addr = "0.0.0.0:3900";
+ root_domain = ".s3.garage.e10.camp";
+ };
+
+ s3_web = {
+ bind_addr = "0.0.0.0:3902";
+ root_domain = ".web.garage.e10.camp";
+ index = "index.html";
+ };
+
+ admin = {
+ api_bind_addr = "0.0.0.0:3903";
+ admin_token_file = config.sops.secrets.garage_admin_token.path;
+ };
+ };
+ };
+
+ networking.firewall = { allowedTCPPorts = [ 3900 3901 3902 3903 ]; };
+}
diff --git a/modules/profiles/services/garage/secrets.yml b/modules/profiles/services/garage/secrets.yml
new file mode 100644
index 0000000..5186c34
--- /dev/null
+++ b/modules/profiles/services/garage/secrets.yml
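Review bot: The tmpfiles rule creates `data_dir` with mode `0777`, making the entire object store world-writable on the host even though the directory is already owned by the `garage` user and group the service runs as; `0750` is sufficient: `"d '${config.services.garage.settings.data_dir}' 0750 ${config.users.users.garage.name} ${config.users.groups.garage.name} - -"`. `ReadWriteDirectories=` is the deprecated spelling of `ReadWritePaths=`, so the serviceConfig line should become `ReadWritePaths = [ config.services.garage.settings.data_dir ];`. All four listeners bind `0.0.0.0` and the firewall opens `3900 3901 3902 3903`, yet with `replication_factor = 1` and no peer nodes in this patch the RPC port 3901 has no remote consumer, and the admin API on 3903 is then guarded only by the admin token against anything on the network. Unless other hosts are known to need them, `allowedTCPPorts = [ 3900 3902 ];` plus binding `rpc_bind_addr`/`admin.api_bind_addr` to a non-public address would shrink the exposure; the monitor host's scrape of 3903 would have to be accounted for if that port is closed.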
@@ -0,0 +1,95 @@ +garage_rpc_secret: ENC[AES256_GCM,data:X1TE3Jr1HFGLgPvoejXRkLIMqe/w86YF1XhiHsd7a6Jzn4UIfo5JTKTvMICk3cK76RfekOrTdL2fIlMFK28AQQ==,iv:rDBFiezw7wAHoel315cUQwIRBNaQfnJah0ioom49SeE=,tag:FytY9BuHatFMMOcMPK78zA==,type:str] +garage_admin_token: ENC[AES256_GCM,data:pL4KYCljGpXlQ1AhLwcugIglTNb/pSbP1MaaegrM3O1+Mi/F4tG/E8X+/+qvV6kDP7dA6aly1GczKkfhqkuePw==,iv:cPED05pTV2mF+gUFihMXes4Q84CNjd+6SNvWcH/9Qkw=,tag:iC6ImJn/wnokF3E3dbopSg==,type:str] +garage_metrics_token: ENC[AES256_GCM,data:GLjaX0hfSTkVaheSStn80AI6XYr3EG5aGRKZFt06ojWebBAI6gcrEM0Sc+1YTs+dstv62qZDdea9gq351k6CJQ==,iv:MT5WLiZLBlf3XUR1gX8JCC5ZmytJIrjw5zg09BnFQIM=,tag:IZaHua9TWrb4DJEFbeSgTg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURXJKZDRNOGsrOEc3bkt1 + aEJiVlFNMHd3L0REY29MeFF4YzdZOE5ENmhRCldyK2JSKzhsWGVySzZRSnZZZlBS + QzdBK3liT21uWWoxZ3JvMjhiTEFlT0UKLS0tIGEwMkREaGZQd29SQ3ZOaDRteHBS + M01aUFpkbTltNnU2NFpCUDdSYmZiNzAKT2lj4AoRAlZQLSnsKogzPrcUhES+28jx + jKdPoyFe6959ARw62hMNPnxKW7cMCk6gqO94DxHWFpzfq9hY28Wj2Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age17lsd78hka8rmuvmmx6d03cqjl2h55lsvrnzdfq0ge4acujf6nffswdwvr0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNjNBNi9PVVJBOTZCQ0lI + WGdjYnpIR3k4N1phaWtjY0tSRGdZMlpOT1ZFClpEajVLQ2RLb0FhZDhoa1NPdlpo + STcyb01Dbk4wd0VWUTdzbDNZRjhDKzgKLS0tIDFJdkNVeGp4UnVlVW1xM0pEbEtB + Y2U4dEJDQVBDQ1hXMm40VksrWDNCT1UKOKTUHrv0ieJxGQ4abeH/6VwxwDUwbjVA + MN82wNjwnRtbMIrV+dIwOlrSY+Ve3ffoN4bH/3ErGBvThXqUXnrm7g== + -----END AGE ENCRYPTED FILE----- + - recipient: age10jmr8lvn5wmxv6w0lk3vapawljnqfvws095ale94mthcgxueza9sscqq3h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRXJBdnFpaFIvUktrRm1Q + ODFRZ0xic2tjMVpaQm90SWo2UWFPaHl5K3k0CmVWMFVrQXJhVnY3QkIycHBYRXgr + 
dG1oL0ZTWXhZQVlSaXlDL3pMdTlncncKLS0tIGtRWndxN0gybUJZaXk4VzhmSWxP + Zkc1VjFNSHdHck9aZzhHYmJpRmEwZUEK9otbokxLcfLicFdr/9PEMbiUpVOxmJHD + 0YuMl2vWIyxfCkYys0k4mHHDhwEm2Slc77dvQAnldhfmCjEhmlSNvQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweWJhU0ZIMEg4dG5ORUlr + TmdRUFFvbmpSa2l5YmNlQnltOFdodXdjZW5jCkJNamhjZzRnNmllMm5EWGxJQyt2 + VEVVRDRVTVpqUWZTbDhyL09JdU8ydDgKLS0tIG1lRW9ZTXVDSjNYZkxDRjdzTExm + d0lRcTU4ek1YTzVKWnNJMCtUUUVteU0KjbDRFbh/AmYZ6+U9adzoPY609RqRs/DF + 7dyvJx3zhQvP6veutlUWQ0/zDTOcs3mEd2YaIGyfYXy5pQBFOuY/sA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bWFONVp4bnEwRVZqL1VZ + RGZST1g5bWVyVEJZT0dZcnJHQTE2TDYwQUdFCnFWc0czM2s4RDBWTVdWN1QyaFZJ + ajVaL0pmMWJBa1dQNWhDdTlIUHhqS3MKLS0tIDZJL0VTRmc1T1gwaENkTC9VRkJI + TDJUS05yTGtKdHZBUTBCV2pPOGczZUUKBNwDfDnw9ptpIwj2ySIxnlbIjdtfziL0 + oYKXB1chGw5tU1UFEerJxwaBZPC06jxbQgT3UpU8j1yszjvb57K1Mw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUXorcTJjNzVQVldnaHBX + OEVBZFdYaG80S2gwWjVCSW4vc3lkZWhxY0M0CnhOM1A5UU5jMW5lWVRkOC93V1Iz + Uk93akluYTVLM25WV0VPSHJlWTlWMW8KLS0tIGs2aHdicWtSQkcyUlVyd1YrWmRt + aGN0UFNmcDdDTU84Z3FFYUdDM25scWMKitYEA3ICgo4Yfs/FtEv9qc0PHhExWfUn + alPV0hhx/32xexG7SzwlUWXcRFMLe/dm3H4iIqK/HP/dulyNV5I5xg== + -----END AGE ENCRYPTED FILE----- + - recipient: age15jjykch8km3l8atssu0n9us6d2xg58z0ds9s0djtdh9l954sud5szqxv29 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBazZCNm1QL0R2Szk5UWxE + QUt3aVo2WlNxcHlvRmNFODhVZTI4L3lCUGtFCm9VL0Jwbk5lK3hCQ29uL1JhMTBO + 
eWZFd2xic1ZicGJER05xV011LzlSUTgKLS0tIElleFhMK3hFNHNsci90STljb1ZV + VnRiQ1lXMWxXNU4rcHRtT1NNeHNBM3MKCY4XbcEoff40BfCa3DNebSEjQbTpEdkt + qLKM99FFvLqrgzyEicUh+RY+bsRlGGpCu0hT5Or2KN2C40lMyeeZNg== + -----END AGE ENCRYPTED FILE----- + - recipient: age10jhawn266e3wr6rx0lndkl9a47ewtk6jgh35d2582uu2l7dtn4tqdqc29c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWVZhMUdnemNsVldYR3Fn + SnlqZFdkbzNDc2dSZnVkQWVPaTJiZmhBOXdRCmYzY3pBbmJZT0t6dSs3SWxxejRZ + S3kwLzNyQ05SMVV3TDVKN0JkQ3N2ZzgKLS0tIGVGakQ4VmhXUkhPb09OL1cxN0hU + N1dSeXZWd2daaitzdHNvNitwUlBxQXcKPlqO8mCuugG+PdKI5+h1tzKw+/xyhLBT + 5tp4jER1Jl/eC4gcxkb4BuGv04PCcdYYmxDRE4ujRX8ujjSd1x6Gqw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a4r3d5m0eu94vwsrse83k09fgclcfmthkz93p6h0m5vqyptq2yxswptzjf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMnJ1NGtIbXJzcHBOZ0hu + cFU3WkFMUXJKUTBSQ2E3eTYzZ1NWeGJtY25NCkVqVktLb0plcDNyclMvekE3eVU3 + dWRQUGpCZ3FoUnJvbTdEYnM4dHpmWDQKLS0tIDBoNVZkdnJYd0JtY0JaY3JUMExK + aThUcDVEUGZUU1hvcGZkb0FKMHUyKzQKTtQq0d+Vw2VFmXbxW4vQrv5bmEoGzqCr + cPyuBjJpzX/dONXdgkW304zZ48/zE/Kw1scH5wkSaUrV0PV0LfVKSg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-06T22:17:29Z" + mac: ENC[AES256_GCM,data:WmYHfLeHEVNiDL+BDG7jO/vqtci8llcJDEmikq929xuMfCRMLn6EMIrKj4ImxXrPy69l2+rdLQbnpQEQqDhlnad2xEkEjejaMPRH3NsUwwOEncKi6JsuVHAsmKZnMbxX40kgubKK4g+U3tW4nbMpLvtS8SEURAqwtpjNqBWBxuI=,iv:5mC45BAHTYiz54uJ8oxZ1m+6QQi6px2U8BDCabgLFV4=,tag:eVEtMnC2TIIVfDt7YZFCZQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1