infra/services/lix-s3/garage.nix

{ config, pkgs, lib, ... }:
let
  cfg = config.bagel.s3.garage;
  inherit (lib) mkEnableOption mkIf mkOption types;
  # TODO: send me back upstream to cl.forkos.org.
  wrap = pkg: name: pkgs.writeShellScriptBin name ''
    set -a
    [[ -z "''${GARAGE_RPC_SECRET:-}" ]] && source ${config.age.secrets.garage.path}
    set +a
    exec ${lib.getExe pkg} "$@"
  '';
  # TODO: generalize this idea
  rootDomains = {
    lix = "lix.systems";
    floral = "floral.systems";
  };
in
{
  options.bagel.s3.garage = {
    enable = mkEnableOption "the Garage implementation of S3";
    tenant = mkOption {
      type = types.enum [ "lix" "floral" ];
    };

    api.address = mkOption {
      type = types.str;
      default = "127.0.0.1:3900";
    };

    rootDomain = mkOption {
      type = types.str;
      default = rootDomains.${cfg.tenant};
    };

    dataDir = mkOption {
      type = types.str;
    };

    metadataDir = mkOption {
      default = "/var/lib/garage/metadata";
    };
  };

  imports = [
    (import ./garage-ephemeral-key.nix { inherit wrap; })
  ];

  config = mkIf cfg.enable {
    bagel.secrets.files = [
      "garage-environment"
    ];

    services.garage = {
      enable = true;
      # Slightly evil, but we have to wrap it here so the garage cli Just
      # Works(tm) from the shell. It will no-op in the wrapper if the env is
      # already set.
      package = wrap pkgs.garage_0_9 "garage";

      settings = {
        data_dir = cfg.dataDir;
        metadata_dir = cfg.metadataDir;

        db_engine = "lmdb";

        replication_mode = "none";
        compression_level = 7;

        rpc_bind_addr = "[::]:3901";
        rpc_public_addr = "127.0.0.1:3901";

        s3_api = {
          s3_region = "garage";
          api_bind_addr = cfg.api.address;
          root_domain = ".s3.${cfg.rootDomain}";
        };

        s3_web = {
          bind_addr = "127.0.0.1:3902";
          root_domain = ".web.${cfg.rootDomain}";
          index = "index.html";
        };

        k2v_api.api_bind_addr = "[::]:3904";
        # FIXME(raito): api bind address should be secured.
        # admin.api_bind_addr = "[${wnlib.generateIPv6Address "monitoring" "cache"}]:3903";
      };

      environmentFile = config.age.secrets.garage-environment.path;
    };

    systemd.services.garage.serviceConfig = {
      User = "garage";
      ReadWriteDirectories = [
        cfg.dataDir
      ];
      StateDirectory = "garage";
    };

    users.users.garage = {
      isSystemUser = true;
      group = "garage";
    };
    users.groups.garage = { };
  };
}
feat: add cache.lix.systems Introduces a full-fleged self-hosted S3 NixOS module with various knobs to perform NGINX-based redirects and s3-revproxy endpoints. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-07 13:21:03 +00:00			`{ config, pkgs, lib, ... }:`
			`let`
			`cfg = config.bagel.s3.garage;`
			`inherit (lib) mkEnableOption mkIf mkOption types;`
			`# TODO: send me back upstream to cl.forkos.org.`
			`wrap = pkg: name: pkgs.writeShellScriptBin name ''`
			`set -a`
			`[[ -z "''${GARAGE_RPC_SECRET:-}" ]] && source ${config.age.secrets.garage.path}`
			`set +a`
			`exec ${lib.getExe pkg} "$@"`
			`'';`
			`# TODO: generalize this idea`
			`rootDomains = {`
			`lix = "lix.systems";`
			`floral = "floral.systems";`
			`};`
			`in`
			`{`
			`options.bagel.s3.garage = {`
			`enable = mkEnableOption "the Garage implementation of S3";`
			`tenant = mkOption {`
			`type = types.enum [ "lix" "floral" ];`
			`};`

			`api.address = mkOption {`
			`type = types.str;`
			`default = "127.0.0.1:3900";`
			`};`

			`rootDomain = mkOption {`
			`type = types.str;`
			`default = rootDomains.${cfg.tenant};`
			`};`

			`dataDir = mkOption {`
			`type = types.str;`
			`};`

			`metadataDir = mkOption {`
			`default = "/var/lib/garage/metadata";`
			`};`
			`};`

			`imports = [`
			`(import ./garage-ephemeral-key.nix { inherit wrap; })`
			`];`

			`config = mkIf cfg.enable {`
			`bagel.secrets.files = [`
			`"garage-environment"`
			`];`

			`services.garage = {`
			`enable = true;`
			`# Slightly evil, but we have to wrap it here so the garage cli Just`
			`# Works(tm) from the shell. It will no-op in the wrapper if the env is`
			`# already set.`
			`package = wrap pkgs.garage_0_9 "garage";`

			`settings = {`
			`data_dir = cfg.dataDir;`
			`metadata_dir = cfg.metadataDir;`

			`db_engine = "lmdb";`

			`replication_mode = "none";`
			`compression_level = 7;`

			`rpc_bind_addr = "[::]:3901";`
			`rpc_public_addr = "127.0.0.1:3901";`

			`s3_api = {`
			`s3_region = "garage";`
			`api_bind_addr = cfg.api.address;`
			`root_domain = ".s3.${cfg.rootDomain}";`
			`};`

			`s3_web = {`
			`bind_addr = "127.0.0.1:3902";`
			`root_domain = ".web.${cfg.rootDomain}";`
			`index = "index.html";`
			`};`

			`k2v_api.api_bind_addr = "[::]:3904";`
			`# FIXME(raito): api bind address should be secured.`
			`# admin.api_bind_addr = "[${wnlib.generateIPv6Address "monitoring" "cache"}]:3903";`
			`};`

			`environmentFile = config.age.secrets.garage-environment.path;`
			`};`

			`systemd.services.garage.serviceConfig = {`
			`User = "garage";`
			`ReadWriteDirectories = [`
			`cfg.dataDir`
			`];`
			`StateDirectory = "garage";`
			`};`

			`users.users.garage = {`
			`isSystemUser = true;`
			`group = "garage";`
			`};`
			`users.groups.garage = { };`
			`};`
			`}`