raito
a3f6f573a2
Introduces a full-fleged self-hosted S3 NixOS module with various knobs to perform NGINX-based redirects and s3-revproxy endpoints. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
107 lines
2.5 KiB
Nix
107 lines
2.5 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let
|
|
cfg = config.bagel.s3.garage;
|
|
inherit (lib) mkEnableOption mkIf mkOption types;
|
|
# TODO: send me back upstream to cl.forkos.org.
|
|
wrap = pkg: name: pkgs.writeShellScriptBin name ''
|
|
set -a
|
|
[[ -z "''${GARAGE_RPC_SECRET:-}" ]] && source ${config.age.secrets.garage.path}
|
|
set +a
|
|
exec ${lib.getExe pkg} "$@"
|
|
'';
|
|
# TODO: generalize this idea
|
|
rootDomains = {
|
|
lix = "lix.systems";
|
|
floral = "floral.systems";
|
|
};
|
|
in
|
|
{
|
|
options.bagel.s3.garage = {
|
|
enable = mkEnableOption "the Garage implementation of S3";
|
|
tenant = mkOption {
|
|
type = types.enum [ "lix" "floral" ];
|
|
};
|
|
|
|
api.address = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1:3900";
|
|
};
|
|
|
|
rootDomain = mkOption {
|
|
type = types.str;
|
|
default = rootDomains.${cfg.tenant};
|
|
};
|
|
|
|
dataDir = mkOption {
|
|
type = types.str;
|
|
};
|
|
|
|
metadataDir = mkOption {
|
|
default = "/var/lib/garage/metadata";
|
|
};
|
|
};
|
|
|
|
imports = [
|
|
(import ./garage-ephemeral-key.nix { inherit wrap; })
|
|
];
|
|
|
|
config = mkIf cfg.enable {
|
|
bagel.secrets.files = [
|
|
"garage-environment"
|
|
];
|
|
|
|
services.garage = {
|
|
enable = true;
|
|
# Slightly evil, but we have to wrap it here so the garage cli Just
|
|
# Works(tm) from the shell. It will no-op in the wrapper if the env is
|
|
# already set.
|
|
package = wrap pkgs.garage_0_9 "garage";
|
|
|
|
settings = {
|
|
data_dir = cfg.dataDir;
|
|
metadata_dir = cfg.metadataDir;
|
|
|
|
db_engine = "lmdb";
|
|
|
|
replication_mode = "none";
|
|
compression_level = 7;
|
|
|
|
rpc_bind_addr = "[::]:3901";
|
|
rpc_public_addr = "127.0.0.1:3901";
|
|
|
|
s3_api = {
|
|
s3_region = "garage";
|
|
api_bind_addr = cfg.api.address;
|
|
root_domain = ".s3.${cfg.rootDomain}";
|
|
};
|
|
|
|
s3_web = {
|
|
bind_addr = "127.0.0.1:3902";
|
|
root_domain = ".web.${cfg.rootDomain}";
|
|
index = "index.html";
|
|
};
|
|
|
|
k2v_api.api_bind_addr = "[::]:3904";
|
|
# FIXME(raito): api bind address should be secured.
|
|
# admin.api_bind_addr = "[${wnlib.generateIPv6Address "monitoring" "cache"}]:3903";
|
|
};
|
|
|
|
environmentFile = config.age.secrets.garage-environment.path;
|
|
};
|
|
|
|
systemd.services.garage.serviceConfig = {
|
|
User = "garage";
|
|
ReadWriteDirectories = [
|
|
cfg.dataDir
|
|
];
|
|
StateDirectory = "garage";
|
|
};
|
|
|
|
users.users.garage = {
|
|
isSystemUser = true;
|
|
group = "garage";
|
|
};
|
|
users.groups.garage = { };
|
|
};
|
|
}
|