mirror of
https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
synced 2026-05-02 04:33:15 +02:00
144 lines
3.4 KiB
Nix
144 lines
3.4 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.services.garage;
|
|
in
|
|
{
|
|
sops.secrets = lib.mkIf cfg.enable {
|
|
"garage/rpc-secret" = {
|
|
owner = "garage";
|
|
group = "garage";
|
|
restartUnits = [ "garage.service" ];
|
|
};
|
|
"garage/admin-token" = {
|
|
owner = "garage";
|
|
group = "garage";
|
|
restartUnits = [ "garage.service" ];
|
|
};
|
|
"garage/metrics-token" = {
|
|
owner = "garage";
|
|
group = "garage";
|
|
restartUnits = [ "garage.service" ];
|
|
};
|
|
};
|
|
|
|
services.garage = {
|
|
enable = true;
|
|
package = pkgs.garage_2;
|
|
settings = {
|
|
data_dir = [
|
|
{
|
|
capacity = "50G";
|
|
path = "/var/lib/garage/data";
|
|
}
|
|
];
|
|
metadata_dir = "/var/lib/garage/meta";
|
|
db_engine = "lmdb";
|
|
replication_factor = 1;
|
|
|
|
rpc_bind_addr = "[::]:3901";
|
|
rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
|
|
|
|
s3_api = {
|
|
s3_region = "eu-central";
|
|
api_bind_addr = "[::]:3900";
|
|
root_domain = ".garage.pvv.ntnu.no";
|
|
};
|
|
|
|
# s3_web = {
|
|
# bind_addr = "[::]:3902";
|
|
# root_domain = ".garage-web.pvv.ntnu.no";
|
|
# index = "index.html";
|
|
# };
|
|
|
|
admin = {
|
|
# api_bind_addr = "[::]:3903";
|
|
admin_token_file = config.sops.secrets."garage/admin-token".path;
|
|
metrics_token_file = config.sops.secrets."garage/metrics-token".path;
|
|
};
|
|
};
|
|
};
|
|
|
|
users = lib.mkIf cfg.enable {
|
|
users.garage = {
|
|
isSystemUser = true;
|
|
group = "garage";
|
|
};
|
|
groups.garage = { };
|
|
};
|
|
|
|
systemd.tmpfiles.settings."10-garage" = lib.mkIf cfg.enable {
|
|
"/data/garage/data".d = {
|
|
user = "garage";
|
|
group = "garage";
|
|
mode = "0770";
|
|
};
|
|
"/data/garage/meta".d = {
|
|
user = "garage";
|
|
group = "garage";
|
|
mode = "0770";
|
|
};
|
|
};
|
|
|
|
systemd.services.garage = lib.mkIf cfg.enable {
|
|
serviceConfig = {
|
|
DynamicUser = false;
|
|
User = "garage";
|
|
Group = "garage";
|
|
|
|
BindReadWritePaths = [
|
|
"/data/garage/data:/var/lib/garage/data"
|
|
"/data/garage/meta:/var/lib/garage/meta"
|
|
];
|
|
|
|
LoadCredential = [
|
|
"rpc_secret_path:${config.sops.secrets."garage/rpc-secret".path}"
|
|
"admin_token_path:${config.sops.secrets."garage/admin-token".path}"
|
|
"metrics_token_path:${config.sops.secrets."garage/metrics-token".path}"
|
|
];
|
|
|
|
Environment = [
|
|
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
|
|
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
|
|
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
|
|
"GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
|
|
];
|
|
};
|
|
};
|
|
|
|
services.nginx = lib.mkIf cfg.enable {
|
|
upstreams.s3_backend.servers = {
|
|
"[::1]:3900" = { };
|
|
};
|
|
# upstreams.web_backend.servers = {
|
|
# "[::1]:3902" = { };
|
|
# };
|
|
|
|
virtualHosts."garage.pvv.ntnu.no" = {
|
|
serverAliases = [ "*.garage.pvv.ntnu.no" ];
|
|
|
|
enableACME = true;
|
|
# useACMEHost = "garage.pvv.ntnu.no";
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://s3_backend";
|
|
extraConfig = ''
|
|
client_max_body_size 64m;
|
|
proxy_max_temp_file_size 0;
|
|
'';
|
|
};
|
|
};
|
|
|
|
# virtualHosts."garage-web.pvv.ntnu.no" = {
|
|
# serverAliases = [ "*.garage-web.pvv.ntnu.no" ];
|
|
|
|
# useACMEHost = "garage-web.pvv.ntnu.no";
|
|
# forceSSL = true;
|
|
|
|
# locations."/" = {
|
|
# proxyPass = "http://web_backend";
|
|
# };
|
|
# };
|
|
};
|
|
}
|