infra/services/lix-s3/garage.nix

107 lines
2.5 KiB
Nix
Raw Permalink Normal View History

{ config, pkgs, lib, ... }:
let
cfg = config.bagel.s3.garage;
inherit (lib) mkEnableOption mkIf mkOption types;
# TODO: send me back upstream to cl.forkos.org.
wrap = pkg: name: pkgs.writeShellScriptBin name ''
set -a
[[ -z "''${GARAGE_RPC_SECRET:-}" ]] && source ${config.age.secrets.garage.path}
set +a
exec ${lib.getExe pkg} "$@"
'';
# TODO: generalize this idea
rootDomains = {
lix = "lix.systems";
floral = "floral.systems";
};
in
{
options.bagel.s3.garage = {
enable = mkEnableOption "the Garage implementation of S3";
tenant = mkOption {
type = types.enum [ "lix" "floral" ];
};
api.address = mkOption {
type = types.str;
default = "127.0.0.1:3900";
};
rootDomain = mkOption {
type = types.str;
default = rootDomains.${cfg.tenant};
};
dataDir = mkOption {
type = types.str;
};
metadataDir = mkOption {
default = "/var/lib/garage/metadata";
};
};
imports = [
(import ./garage-ephemeral-key.nix { inherit wrap; })
];
config = mkIf cfg.enable {
bagel.secrets.files = [
"garage-environment"
];
services.garage = {
enable = true;
# Slightly evil, but we have to wrap it here so the garage cli Just
# Works(tm) from the shell. It will no-op in the wrapper if the env is
# already set.
package = wrap pkgs.garage_0_9 "garage";
settings = {
data_dir = cfg.dataDir;
metadata_dir = cfg.metadataDir;
db_engine = "lmdb";
replication_mode = "none";
compression_level = 7;
rpc_bind_addr = "[::]:3901";
rpc_public_addr = "127.0.0.1:3901";
s3_api = {
s3_region = "garage";
api_bind_addr = cfg.api.address;
root_domain = ".s3.${cfg.rootDomain}";
};
s3_web = {
bind_addr = "127.0.0.1:3902";
root_domain = ".web.${cfg.rootDomain}";
index = "index.html";
};
k2v_api.api_bind_addr = "[::]:3904";
# FIXME(raito): api bind address should be secured.
# admin.api_bind_addr = "[${wnlib.generateIPv6Address "monitoring" "cache"}]:3903";
};
environmentFile = config.age.secrets.garage-environment.path;
};
systemd.services.garage.serviceConfig = {
User = "garage";
ReadWriteDirectories = [
cfg.dataDir
];
StateDirectory = "garage";
};
users.users.garage = {
isSystemUser = true;
group = "garage";
};
users.groups.garage = { };
};
}