From d83c64f246a92578117745b6e10aeab5c1b81094 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Wed, 29 Apr 2026 21:03:47 +0900 Subject: [PATCH] WIP --- hosts/bicep/configuration.nix | 1 + hosts/bicep/services/garage.nix | 143 ++++++++++++++++++++++++++++++++ secrets/bicep/bicep.yaml | 10 ++- 3 files changed, 151 insertions(+), 3 deletions(-) create mode 100644 hosts/bicep/services/garage.nix diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix index ecca68e..7ced5d1 100644 --- a/hosts/bicep/configuration.nix +++ b/hosts/bicep/configuration.nix @@ -7,6 +7,7 @@ ./services/nginx ./services/calendar-bot.nix + ./services/garage.nix #./services/git-mirrors ./services/minecraft-heatmap.nix ./services/mysql diff --git a/hosts/bicep/services/garage.nix b/hosts/bicep/services/garage.nix new file mode 100644 index 0000000..0084723 --- /dev/null +++ b/hosts/bicep/services/garage.nix 
@@ -0,0 +1,143 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.garage;
+in
+{
+ sops.secrets = lib.mkIf cfg.enable {
+ "garage/rpc-secret" = {
+ owner = "garage";
+ group = "garage";
+ restartUnits = [ "garage.service" ];
+ };
+ "garage/admin-token" = {
+ owner = "garage";
+ group = "garage";
+ restartUnits = [ "garage.service" ];
+ };
+ "garage/metrics-token" = {
+ owner = "garage";
+ group = "garage";
+ restartUnits = [ "garage.service" ];
+ };
+ };
+
+ services.garage = {
+ enable = true;
+ package = pkgs.garage_2;
+ settings = {
+ data_dir = [
+ {
+ capacity = "50G";
+ path = "/var/lib/garage/data";
+ }
+ ];
+ metadata_dir = "/var/lib/garage/meta";
+ db_engine = "lmdb";
+ replication_factor = 1;
+
+ rpc_bind_addr = "[::]:3901";
+ rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
+
+ s3_api = {
+ s3_region = "eu-central";
+ api_bind_addr = "[::]:3900";
+ root_domain = ".garage.pvv.ntnu.no";
+ };
+
+ # s3_web = {
+ # bind_addr = "[::]:3902";
+ # root_domain = ".garage-web.pvv.ntnu.no";
+ # index = "index.html";
+ # };
+
+ admin = {
+ # api_bind_addr = "[::]:3903";
+ admin_token_file = config.sops.secrets."garage/admin-token".path;
+ metrics_token_file = config.sops.secrets."garage/metrics-token".path;
+ };
+ };
+ };
+
+ users = lib.mkIf cfg.enable {
+ users.garage = {
+ isSystemUser = true;
+ group = "garage";
+ };
+ groups.garage = { };
+ };
+
+ systemd.tmpfiles.settings."10-garage" = lib.mkIf cfg.enable {
+ "/data/garage/data".d = {
+ user = "garage";
+ group = "garage";
+ mode = "0770";
+ };
+ "/data/garage/meta".d = {
+ user = "garage";
+ group = "garage";
+ mode = "0770";
+ };
+ };
+
+ systemd.services.garage = lib.mkIf cfg.enable {
+ serviceConfig = {
+ DynamicUser = false;
+ User = "garage";
+ Group = "garage";
+
+ BindReadWritePaths = [
+ "/data/garage/data:/var/lib/garage/data"
+ "/data/garage/meta:/var/lib/garage/meta"
+ ];
+
+ LoadCredential = [
+ "rpc_secret_path:${config.sops.secrets."garage/rpc-secret".path}"
+ "admin_token_path:${config.sops.secrets."garage/admin-token".path}"
+ "metrics_token_path:${config.sops.secrets."garage/metrics-token".path}"
+ ];
+
+ Environment = [
+ "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
+ "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
+ "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
+ "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
+ ];
+ };
+ };
+
+ services.nginx = lib.mkIf cfg.enable {
+ upstreams.s3_backend.servers = {
+ "[::1]:3900" = { };
+ };
+ # upstreams.web_backend.servers = {
+ # "[::1]:3902" = { };
+ # };
+
+ virtualHosts."garage.pvv.ntnu.no" = {
+ serverAliases = [ "*.garage.pvv.ntnu.no" ];
+
+ enableACME = true;
+ # useACMEHost = "garage.pvv.ntnu.no";
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://s3_backend";
+ extraConfig = ''
+ client_max_body_size 64m;
+ proxy_max_temp_file_size 0;
+ '';
+ };
+ };
+
+ # virtualHosts."garage-web.pvv.ntnu.no" = {
+ # serverAliases = [ "*.garage-web.pvv.ntnu.no" ];
+
+ # useACMEHost = "garage-web.pvv.ntnu.no";
+ # forceSSL = true;
+
+ # locations."/" = {
+ # proxyPass = "http://web_backend";
+ # };
+ # };
+ };
+}
diff --git a/secrets/bicep/bicep.yaml b/secrets/bicep/bicep.yaml
index 75f05ff..9206af7 100644
--- a/secrets/bicep/bicep.yaml
+++ b/secrets/bicep/bicep.yaml
@@ -10,6 +10,10 @@ minecraft-heatmap: ssh-key: private: ENC[AES256_GCM,data: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,iv:nt/+qPBwPZKQt43VJ9FbKjLYioFwCxD7VK9WNCJCmpQ=,tag:MuDfnTiro3VVJq9x5rkEQg==,type:str] public: ENC[AES256_GCM,data:+fiCO8VRSmV7tmyweYSpZJMOuMORLHkWetYbr20aTQ1vRYr927nYGes4E464t+Dv9OyJPCLmHBdgt7UvxJWuC3pZE8iStnBYnej3D4ebMzi2SMfOkJjGuQSplXtl8QeAYe1YvROmtQ==,iv:thgGQUyWdXfwUt1E/vudoNjl8JjnksFd1rb/asTry+g=,tag:t1iQPocvfI+JafuJycaLuw==,type:str] +garage: + rpc-secret: ENC[AES256_GCM,data:GzLWSrVcjCiZKNC78BCjf1CFDdUxU43w5cjUCxlV2zUv4RLJ9m4rJiw749du+JW/w7CvyVgBHSM7D4ixeunvJA==,iv:VwrmBtbNX0AumaBmMNYwMd+zMHfYwXzvMd5D2uQrIis=,tag:ShHXGuYx4lrg+ORf+JXISw==,type:str] + admin-token: ENC[AES256_GCM,data:UFyn0s0t44oEDdV36kkeUyomvP0X+Sw4ed1g6n29Fh6PLYl53gvDnyg0OSI=,iv:w9IMARTfTcfvu/Qdh60JVH7S9W1GkV+/e3YL08WZKh8=,tag:kOx9BZ8OPBNRpvkLgmW3Zw==,type:str] + metrics-token: ENC[AES256_GCM,data:/dCSR1OgpEsOsRRzCeiY6OSyGvl8feKovb/Kfqg6QCQ4tb8bAkkR8xLtTxQ=,iv:4wHwBgoiJFTZETtNs9t6dshgG3f84T7HHiEi86LkOmU=,tag:3usDN18uB2ZPo8fDJZEDag==,type:str] sops: age: - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx 
@@ -75,8 +79,8 @@ sops: U3IrZTB3YUJiREZDQkgzUFMvb3VxU1kKJhYYVcCT8hNJkEK1nD3GBekVGDOI3Nin iBat3LwB4Ijzx1jA+jKJ1Ilf4MgdoL2ox6l/uWft27vvsRaQ501VvA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-25T12:27:53Z" - mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str] + lastmodified: "2026-04-29T12:18:46Z" + mac: ENC[AES256_GCM,data:blfYRh75xbA+jeGCCxuZADBVAa4Nih+b5hcXEp8mdzOBrbdOWfL4TfuyYB0Cj/rMDsklIprczmBJ/a/cSTdKSaak/LfAzy7swR6u5R5V3+xLP6CopOhO59RaXc2inoMPEc73XAmP33jynm/kSznRM1PGA+X9oaK6PrWcTgHiM7M=,iv:SwXRz/XpyOVOQzvRjViqK41NOdHXGdTshQ3a/Qi1350=,tag:v6p6QW6qnv1T14PBBB88NQ==,type:str] pgp: - created_at: "2026-01-16T06:34:45Z" enc: |- @@ -99,4 +103,4 @@ sops: -----END PGP MESSAGE----- fp: F7D37890228A907440E1FD4846B9228E814A2AAC unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.12.2