felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-02 04:33:15 +02:00
Code Issues Projects Releases Wiki Activity
Files
d83c64f246a92578117745b6e10aeab5c1b81094
pvv-nixos-config/hosts/bicep/services/garage.nix
h7x4 d83c64f246 WIP
2026-04-29 14:31:44 +02:00

144 lines
3.4 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
cfg = config.services.garage;
in
{
sops.secrets = lib.mkIf cfg.enable {
"garage/rpc-secret" = {
owner = "garage";
group = "garage";
restartUnits = [ "garage.service" ];
};
"garage/admin-token" = {
owner = "garage";
group = "garage";
restartUnits = [ "garage.service" ];
};
"garage/metrics-token" = {
owner = "garage";
group = "garage";
restartUnits = [ "garage.service" ];
};
};
services.garage = {
enable = true;
package = pkgs.garage_2;
settings = {
data_dir = [
{
capacity = "50G";
path = "/var/lib/garage/data";
}
];
metadata_dir = "/var/lib/garage/meta";
db_engine = "lmdb";
replication_factor = 1;
rpc_bind_addr = "[::]:3901";
rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
s3_api = {
s3_region = "eu-central";
api_bind_addr = "[::]:3900";
root_domain = ".garage.pvv.ntnu.no";
};
# s3_web = {
# bind_addr = "[::]:3902";
# root_domain = ".garage-web.pvv.ntnu.no";
# index = "index.html";
# };
admin = {
# api_bind_addr = "[::]:3903";
admin_token_file = config.sops.secrets."garage/admin-token".path;
metrics_token_file = config.sops.secrets."garage/metrics-token".path;
};
};
};
users = lib.mkIf cfg.enable {
users.garage = {
isSystemUser = true;
group = "garage";
};
groups.garage = { };
};
systemd.tmpfiles.settings."10-garage" = lib.mkIf cfg.enable {
"/data/garage/data".d = {
user = "garage";
group = "garage";
mode = "0770";
};
"/data/garage/meta".d = {
user = "garage";
group = "garage";
mode = "0770";
};
};
systemd.services.garage = lib.mkIf cfg.enable {
serviceConfig = {
DynamicUser = false;
User = "garage";
Group = "garage";
BindReadWritePaths = [
"/data/garage/data:/var/lib/garage/data"
"/data/garage/meta:/var/lib/garage/meta"
];
LoadCredential = [
"rpc_secret_path:${config.sops.secrets."garage/rpc-secret".path}"
"admin_token_path:${config.sops.secrets."garage/admin-token".path}"
"metrics_token_path:${config.sops.secrets."garage/metrics-token".path}"
];
Environment = [
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
"GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
];
};
};
services.nginx = lib.mkIf cfg.enable {
upstreams.s3_backend.servers = {
"[::1]:3900" = { };
};
# upstreams.web_backend.servers = {
# "[::1]:3902" = { };
# };
virtualHosts."garage.pvv.ntnu.no" = {
serverAliases = [ "*.garage.pvv.ntnu.no" ];
enableACME = true;
# useACMEHost = "garage.pvv.ntnu.no";
forceSSL = true;
locations."/" = {
proxyPass = "http://s3_backend";
extraConfig = ''
client_max_body_size 64m;
proxy_max_temp_file_size 0;
'';
};
};
# virtualHosts."garage-web.pvv.ntnu.no" = {
# serverAliases = [ "*.garage-web.pvv.ntnu.no" ];
# useACMEHost = "garage-web.pvv.ntnu.no";
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://web_backend";
# };
# };
};
}
Reference in New Issue View Git Blame Copy Permalink