feat: add dev-garage module for future reference
In the interim I used garage as S3 storage.
it didn't fit the workflow well because garage doesn't currently support
anonymous access to S3 objects.
`rfs pack` stores the s3 credentials that it uses for pushing to the
store into the resulting flist (by default with a stripped password).

options for making this work are
* adding anonymous download support to garage
* creating a read-only credential and either modify rfs to store
  alternative credentials or post-process the flist (sqlite3 db).
steveej committed Jun 26, 2024
1 parent 5f34301 commit 94f2543
Showing 1 changed file with 92 additions and 0 deletions.
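--- /dev/null
+++ b/modules/nixos/dev-garage.nix
@@ -0,0 +1,92 @@
+{
+self,
+config,
+...
+}: let
+root_domain = "dev.infra.holochain.org";
+s3_web_port = "3902";
+s3_port = "3900";
+in {
+users.groups.garage-secrets.members = [
+"dev"
+];
+
+sops = {
+defaultSopsFile = self + "/secrets/${config.networking.hostName}/secrets.yaml";
+secrets = {
+GARAGE_ADMIN_TOKEN = {
+group = "garage-secrets";
+mode = "440";
+};
+GARAGE_METRICS_TOKEN = {
+group = "garage-secrets";
+mode = "440";
+};
+GARAGE_RPC_SECRET = {
+group = "garage-secrets";
+mode = "440";
+};
+};
+};
+
+systemd.services.garage.serviceConfig.Group = "garage-secrets";
+/*
+post deployment actions taken to get the node ready for storing files
+```
+garage status
+garage layout assign fdf468cca3934a18 -c 100G -z dc0
+garage layout apply --version 1
+```
+*/
+services.garage = {
+enable = true;
+package = self.inputs.nixpkgs-24-05.legacyPackages.${pkgs.stdenv.system}.garage_1_0_0;
+settings = {
+# it's *NOT* world-readable, however not was garage exepects either
+# Jun 20 17:27:39 x64-linux-dev-01 garage[1701365]: Error: File /run/secrets/GARAGE_RPC_SECRET is world-readable! (mode: 0100440, expected 0600)
+allow_world_readable_secrets = true;
+
+rpc_bind_addr = "[::]:3901";
+rpc_secret_file = config.sops.secrets.GARAGE_RPC_SECRET.path;
+
+s3_api = {
+api_bind_addr = "[::]:${s3_port}";
+s3_region = "garage";
+root_domain = ".s3.${root_domain}";
+};
+
+s3_web = {
+bind_addr = "[::]:${s3_web_port}";
+root_domain = ".web.${root_domain}";
+};
+admin = {
+api_bind_addr = "0.0.0.0:3903";
+metrics_token_file = config.sops.secrets.GARAGE_METRICS_TOKEN.path;
+admin_token_file = config.sops.secrets.GARAGE_ADMIN_TOKEN.path;
+};
+};
+};
+
+services.caddy.enable = true;
+services.caddy.email = "admin@holochain.org";
+services.caddy.globalConfig = ''
+auto_https disable_redirects
+'';
+
+services.caddy.virtualHosts."s3web.${root_domain}" = {
+extraConfig = ''
+reverse_proxy http://127.0.0.1:${s3_web_port}
+'';
+};
+services.caddy.virtualHosts."s3.${root_domain}" = {
+extraConfig = ''
+reverse_proxy http://127.0.0.1:${s3_port}
+'';
+};
+
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+}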
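Review bot: The admin API is bound on every interface with `api_bind_addr = "0.0.0.0:3903";` (and the RPC, S3 and web listeners on `[::]`), so the only thing keeping the token-protected admin endpoint off the network is the firewall allowing just 80 and 443; since Caddy already proxies the S3 and web ports from `127.0.0.1`, the admin listener should bind to loopback too, `api_bind_addr = "127.0.0.1:3903";`, and the S3/web listeners can follow the same pattern. Separately, the `package =` line references `pkgs.stdenv.system`, but the module's argument set is `{ self, config, ... }` with no `pkgs`, so evaluation should fail with an undefined-variable error unless `pkgs` is added to the arguments. Adding `dev` to `garage-secrets` with mode `440` makes all three secrets readable to that account, including `GARAGE_ADMIN_TOKEN` which grants full admin-API access, not just the RPC secret the `garage` CLI needs; if that is intended, a comment such as `# dev is in garage-secrets so the garage CLI can read the RPC secret; this also exposes the admin and metrics tokens` would record the trade-off, and `allow_world_readable_secrets = true` deserves a note that it is only there to accept group-readable sops files. With `auto_https disable_redirects` and port 80 open, signed S3 requests can be accepted over plain HTTP, which is presumably acceptable for a dev host but worth stating in a comment.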
