move website to garage

dynamic updates at any time without a nixos rebuild!

nix/apps/website/default.nix

@@ -1,25 +1,23 @@
-{ pkgs, lib, my-projects-versions, ... }:
+{ ... }: {
-let
+  services.caddy.globalConfig = ''
-  website = import (pkgs.fetchFromGitHub my-projects-versions.website.fetchFromGitHub);
+    filesystem garage s3 {
-  blog = pkgs.fetchFromGitHub my-projects-versions.blog.fetchFromGitHub;
+      bucket noratrieb.dev
-  slides = pkgs.fetchFromGitHub my-projects-versions.slides.fetchFromGitHub;
+      region garage
-  website-build = website { inherit pkgs slides blog; };
+      endpoint http://localhost:3900
-in
+      use_path_style
-{
+    }
+  '';
   services.caddy.virtualHosts = {
     "noratrieb.dev" = {
       logFormat = "";
       extraConfig = ''
         encode zstd gzip
         header -Last-Modified
-        root * ${import ../../packages/caddy-static-prepare {
-          name = "website";
-          src = website-build;
-          inherit pkgs lib;
-        }}
         file_server {
-          etag_file_extensions .sha256
+          fs garage
-          precompressed zstd gzip br
+          # TODO: run precompress script
+          # etag_file_extensions .sha256
+          # precompressed zstd gzip br
         }
       '';
     };

nix/modules/caddy/default.nix

@@ -4,8 +4,9 @@ let
   caddy = pkgs.caddy.withPlugins {
     plugins = [
       "github.com/noratrieb-mirrors/certmagic-s3@v1.1.3"
+      "github.com/sagikazarmark/caddy-fs-s3@v0.10.0"
     ];
-    hash = "sha256-HdCXbqrrGPZSdHv7bZvGz9T6loVbrfKydTbjTyt5Wt0=";
+    hash = "sha256-wHxwRimtLCd/lhF5IQloAZoCfXgGEnkgeI77ObdG7cA=";
   };
 in
 {
@@ -25,7 +26,7 @@ in
 
   age.secrets.caddy_s3_key_secret.file = ../../secrets/caddy_s3_key_secret.age;
 
-  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.caddy_s3_key_secret.path;
+  systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.age.secrets.caddy_s3_key_secret.path ];
   systemd.services.caddy.after = [ "garage.service" ]; # the cert store depends on garage
   services.caddy = {
     enable = true;

nix/modules/dns/noratrieb.dev.nix

@@ -60,6 +60,8 @@ let
           };
         };
 
+        garage = combine [ vps1 vps2 vps3 vps4 ];
+
         # --- apps
         docker = vps1;
         hugo-chat = vps1 // {

nix/modules/garage/default.nix

@@ -53,5 +53,12 @@ in
     };
     environmentFile = config.age.secrets.garage_secrets.path;
   };
+  services.caddy.virtualHosts."garage.noratrieb.dev" = {
+    logFormat = "";
+    extraConfig = ''
+      encode zstd gzip
+      reverse_proxy * localhost:3900
+    '';
+  };
 }
 

nix/my-projects.json

@@ -1,29 +1,11 @@
 {
   "website": {
-    "commit": "57c4a239da5d17eafde4ade165f3c6706639a9b4",
+    "commit": "bf24af343128c6ac4e4b7d1034315df28121dab5",
     "fetchFromGitHub": {
       "owner": "Noratrieb",
       "repo": "website",
-      "rev": "57c4a239da5d17eafde4ade165f3c6706639a9b4",
+      "rev": "bf24af343128c6ac4e4b7d1034315df28121dab5",
-      "hash": "sha256-or6mCQjbc7tWAzzAKQpznZv+2vWJMhyzqxBPwRE2HKw="
+      "hash": "sha256-lmOyHLWBCurLuN8J9sRCO082WRqL8+/OXN6W4Jq8W/8="
-    }
-  },
-  "blog": {
-    "commit": "ea2758dd10f29e8d66ca3f54d7303f2ac20005d2",
-    "fetchFromGitHub": {
-      "owner": "Noratrieb",
-      "repo": "blog",
-      "rev": "ea2758dd10f29e8d66ca3f54d7303f2ac20005d2",
-      "hash": "sha256-LvQ41eJzOvI7mLYDTvlFwGZ2TKrZO26rasydqnEZ/t4="
-    }
-  },
-  "slides": {
-    "commit": "0401f35c22b124b69447655f0c537badae9e223c",
-    "fetchFromGitHub": {
-      "owner": "Noratrieb",
-      "repo": "slides",
-      "rev": "0401f35c22b124b69447655f0c537badae9e223c",
-      "hash": "sha256-K1Me4wf/GSfoc1PGWVJygPyTVV8SXienxUrzXkdCrjQ="
     }
   },
   "pretense": {

nix/secrets/docker_registry_password.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg kxQujT+O6ZGlzTONdS/18DUVoxNapwtxitQo8GKr2hc
+-> ssh-ed25519 qM6TYg aOAjlUp3G75gqvm+LVZhhAg45oJsobkyDTLY49b/zRU
-b7KjCjuvhmWcqNB6BvNruL17Ww6yWkVKjjm/MGd+jlE
+pogMMIptbR/b1RKM3uJxEHT9WzSyZSHFQjAsNvcSAYU
---- q3EzroLr8b0T2gKQ4xUR67YOLSwFP1V8UxAnKY0PP24
+--- t29inWsEHgMh0rx6BGbMBBvCy9wrhxqLmssWUBgZAxA
-ﾟl貊0嬌1ｽCXq<58>謎{T姻tg傅ﾘﾟｭﾍ<EFBDAD>ﾛ捕詑<E68D95>ｦ<EFBFBD>s5<13>hxk-
+ÞI‰zb"ã«übD–Û©P<C2A9>æd@ºf‹Žùšv°ŒeŽ¾Å—pk*ùe¢Ý

nix/secrets/forgejo_s3_key_secret.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg yxVVZ7LOgN9NiKsl1+dN7Rp6Rsf0zlqb25Y6w43styk
+-> ssh-ed25519 qM6TYg QhiVyWtk2dq2YqG+wQFWaZLFHQo05mBd92IKwxMjqhQ
-gQ5g7TL8+lyGp0SxdcoRg0nTpu1w6WbZZK0ERyqRpkc
+nOLu8KsLxTOKBGggph/qy3Y1sTsHoWFajEQ3XFf2ktA
---- 5uKpMbkW4zZ035mNXCuty+64IZ360gly/ezxnwtRX/0
+--- x9n+BLZcUdhVJ1nkUWcYL2IFztoiItD0tI5AfScS68U
-šË<EFBFBD>ô±ëSϸ>q!ŁźěOß·żźŤ”ÉT››CU˙ż¸ŁŇşž<C59F>Ď[ń*󅬟«’\wźÝ‹tcÇ×Őíg?
|B±ŘĹë;’»"*îd<C3AE>Wţ<57>ţÔvŔ/vĚnqe
+»­¡Õ×sjéòÙ¡H'´œÇ<C593>ZÄ¿âoÇ
¹@ݶþêt²owÒZ/Z	Ü#bU0ú—†‰²êÖ+äòe`ÀëX\­M"y+
­«:Ë^¬Ö„ª„C@U+·öØLúÎÌ

nix/secrets/garage_secrets.age

@@ -1,14 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg L6XQVJyw/T2kwH2iOa3dAxwxlAInVTKXek5QHUKsU3g
+-> ssh-ed25519 qM6TYg 1WRiwfAjRtvM4SNe0Kb39CNjo3HbOTAyFtqxLCtbmxs
-Mm8VXH3CITbrJTqBcjdMHGm1k7Kztd4irHqWnF0yKWM
+IvaCCjpo61RBYwcUz/QPNFmxZaD+F48LIs6ojdBqxok
--> ssh-ed25519 91VHug 2PoHH6c5lVj6hfTH6+2NLzJcpXh20LgYgUHYrpY9Wg4
+-> ssh-ed25519 91VHug 0FQFOLE2YZF5GGqcjaHap9t9z6xvyVkY3kzsUlU9cSI
-iSaKgUoh0eSjeoiZ7mggn7LWV9C9xsM2foZrpJZY/ok
+j9hGw7d+UCkOaN4K/GGChDdQUsFDt0kw+bj/+QP6xiU
--> ssh-ed25519 XzACZQ xyYG90gHM9XHAxIv2cFU/WvZsdLo6prAPQgRKADP0UY
+-> ssh-ed25519 XzACZQ tGQdswquRCp+iXrYXHLlg64DC/lor2QvgiWY10Shkg4
-XdiJz1Zmh3S+IvaOCZBqrF8DSWBrrqePjy+ZiEwuaSA
+ejl3+e9EVGyS+oP3161B0VdfXup9RPeyWI8wHJliHEw
--> ssh-ed25519 51bcvA IYyt435x3NPiTKDKCVb8dIK5naOSyU/Wh7dOLQ6SRAM
+-> ssh-ed25519 51bcvA La5y55eSktxwiIQaNOzEIh8QFTv7MvToPVNefwgpAFg
-M0s39vyjDY24Mlb16UHy9lFEseaJxzZhtCvszKxwVSA
+e+mKIU1sMXbQmZ2EUGEAAV4vdCIY24MM1/EGrNBn7+c
--> ssh-ed25519 vT7ExA ZBvUjCU8vYFddKgNfnuROuiDnDXhitG6eR6ek4+1R1E
+-> ssh-ed25519 vT7ExA McL/w6ZheS2TkmfyrTsdbdtT03hsHuqMx6VwpMtHDF4
-fiyuqamkakZ4t1MosIUqZaR0WEh7XVAwJiwH8lz3bsc
+uBvctWaqmECReOwyW7rT/OsEn9b8qaivo4n5RQ3Cabg
---- zvHNHd6bOMd0f3eIrl1qzyRh6zUe7G8mdrraYGtrnXU
+--- AITRERll2MxhVYGt8EIbYSOlEDfCTfRm2/jvgvvPbqY
-¿Ÿ%iFr Ñ™Ù`|)Ñ+é¢ÏŽúÜ<C3BA>ÿšS—”®ŽGÎNP²ß>ƒ?E{Ö¦<C396>mda‡dä<64>j`Ôˆ¾îþVÙü uÅn¢§­ÅZ¥Ö»X±ÂïUæ—½}ú¾>Ðj_´Dü_;	5ŠOpaò;	
+(¢ÑCÍoêpvjI¦§5ÄlÒ<g½1Îäú"ت•K™%òt®.
é%ìLäÛu¹q[pë×Cé^¶eMœÉê,ùÌ}"Êã&²² >e\<ÙŽÞÙ>‰§§¥ò6ÐÄx¹$i%.ÿO«xòúQ¦yr®Å—ã7í¨ë<C2A8>
-Ÿ¾Þ~4bðwZ'7¬µ0æ^Œ2Žã+w­Z0j;<3B>4ÕyTdp·•1'9Ù ²7Zësbøó¿ß.JÁ*(§¦y”Wö
_‡P¡‹g`S^Gäàrƒ
+[š›®¨Šý€¨Ò%ø2<C3B8>DYÞÄ‘¼Nˆ¢Tœ¦ŸpŽ&	&.ÀåFL?üZ–üµ[³ñŠì•÷
ù•ç
O›²éˆ(P@ý³x»j[)«F

nix/secrets/grafana_admin_password.age

@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 XzACZQ OeTS5wU4ac+Qh7s1PXbdFH3LDlRW1LV+qFtoVGI47XQ
+-> ssh-ed25519 XzACZQ kPs0o1RyOBiyicD/j76VTf+ZEF9qgl4OXGbsJKupwlM
-JsixYPLzpnF45ODQH7nuVowXzwbNQi8lWx1Bp2YFVWc
+s2z+UPLm1r+GUcKd3Mh+M+cOaCiGxtKwqTFlSoWQLeQ
---- MEG4bfGwoFRm9HizYdqtK7KApYhYH+QjAIEp7CpLznA
+--- 7+XH7gdCThNz812SwfS4V4xBacSGPoOhIJCt7NYR++s
-CŒ¢µÍ/wC
+ˇÄť”	ąXô? +­É^¬DΙw{şCÖϸÝ1<C39D>V±ŕˇ]›Ďă’“w?%Ó©k±­‰†„ŔÔSĺߧ5ę€ęNG)*Í-
߇Fŕ2ŘÔHA›Ă&Z‡Ě=‡,Ŕ*C'z-ĽŻ˘
-F‘<EFBFBD>zÙ?ŸMÀõókÙr‰ Žx£N¸©'NTzùà¼WŽÈb¹åº{›ÞóÕéAj3X6m¹Ý²²J@í¼OI—{u<15>ßý
”Ï?¹ A,CÃdûý^

nix/secrets/minio_env_file.age

@@ -1,8 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg k3jtd2qoiQCsKZYJliH9ySFuO7CVQQ5Sv2ikFYcaD2c
+-> ssh-ed25519 qM6TYg rrAASuKrjVYunxCZCyiGI94hiIcnj5tCZgtrNwDM6Dk
-TSIg6y4C2WaLQJUyNT3HQOj09VmKSkQxlsVlaDc+1tY
+drt/hxV1oD6F9km2P6ODRl48o7Z5DzNxZzGp475gJdk
--> ssh-ed25519 XzACZQ NZhP9TD5nYxBMgO1O3vDOITeh7qxq4vhjG7AppQmRlM
+-> ssh-ed25519 XzACZQ aC2p4JKStZyOBcAOxKMHm1CubsILvhLm0AADzYEPB1Q
-I1JiT8ISWLVUgoCphHSbhYvfssfP55NuBI2jclG3DVQ
+rTIR+IXgD+65JmE+GNTmZUHYwjOasbHMyS8amWLr+6M
---- 6UR3wbSTB/f0s8hP/YHaY9HFDpnLAts0yksKCv7p9BA
+--- Lq0EHVDsbHi5jo6xHl8tu5lNmlm/4+gmQCXDzJ/RJ9c
-¤<EFBFBD>­iÓÆg50ß2LQÑî°káL†
+×AîPÊ#&h.£Ò$3hÆmãåçÉ/ˆT–ß–ilïØGÙ¥\)&èhÀçô
^HƒašˆQ;æðÐF>\Ò¬H%tFÖ%oÃægxSa²í<C2B2>F«|þ XwLgf«—€ˆÙ¼ûC
-»vÛB×$5Ñ˵m²¾#„{_8Õê‹ÏÞj&+<2B><>Ñ;Zûç-'ƒÐWHSòÑ‹aÄæ·f?óÎ56[t8¿¥&Zë¸_/î3BÀ”Ó_4½n
+È!'–

nix/secrets/secrets.nix

@@ -28,6 +28,7 @@ in
   "pyroscope_s3_secret.age".publicKeys = [ vps3 ];
   "restic_backup.age".publicKeys = [ vps1 vps2 vps3 vps4 vps5 ];
   "generic_backup_password.age".publicKeys = [ vps1 vps2 vps3 vps4 vps5 ];
+  "website_s3_key_write.age".publicKeys = [ vps1 ]; # only used by Noratrieb/website GHA
   "wg_private_dns1.age".publicKeys = [ dns1 ];
   "wg_private_dns2.age".publicKeys = [ dns2 ];
   "wg_private_vps1.age".publicKeys = [ vps1 ];

nix/secrets/website_s3_key_write.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 qM6TYg 89WLUVxmODcP3iwW/dRLUO2/4Q3qmuFU8rqfWI2ENRk
+o65QiUjc42lO+nMkmO/PWTBMdJAjTho/PUWDv6ymgw8
+--- LOxBuiZaR+Dp/x2IUucWqWGW454w5DcLzD3LzQE+jY8
+&¿ÜM· ü@Ãfh“,'xw`ü¹ocQðð5˜è6GÈ'!y§8>6Xhy¬uv±®ÎPõ3[ï|ø7K¬F¹C9z¥I8¿„Ôw_Yãk <>“5Z7?/H§©,¶<>…íu¨‚Š`‰jbçÔªçóYb±õ¾á—Ï?;ž¤€ø\O›‡±[[Ý]þç÷Ö
†Þ
È^ ‚žÊ× è#·ßÖ“áߣ

nix/secrets/wg_private_dns1.age

@@ -1,5 +1,6 @@
 age-encryption.org/v1
--> ssh-ed25519 LZU5Eg o+MPatbYPM3sZq0MCqvvxlvKMQwlbajHURPQ+0g0qm8
+-> ssh-ed25519 LZU5Eg vEsVLUdg/m+EWIX6pdlKH3xPNRoEzQLG34SjUU3dP38
-UUurAYkPWXCaow746EV4dAQ+qTJnHIehcorUmanBc+o
+OiTw/STEWVuZDmaSWuhUDjlty5NCXOYal9GrhitOgJA
---- BV+bxd0OIc3J4uT39al2odyn8ScDpq58SiwnW5pvRj4
+--- acirsYbJtNaJGlfGf2Ukapl66fvaqQmaYcU0agfRjPg
-òçT7W
 í|õfJÞÜ%"cõôäqÁ{TãP~f<>v,;Ñ:å…<C3A5>¾êŒ-ÓÏšÛ4þ€a† æ-¯uÌ\L
ƒ_-¼VHâøûš³½%
+<EFBFBD><EFBFBD>Yy><3E><>
+Z<><5A><EFBFBD>mNR<4E><52>V<EFBFBD><56>ס,<2C>@q<>}{5z<35>o<02>ep<65><70><1E> <20>j<EFBFBD><6A>ز<0E><>\<0F><>w<EFBFBD>B<>&<26><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>7<EFBFBD><37><EFBFBD>	)

nix/secrets/wg_private_vps2.age

@@ -1,8 +1,6 @@
 age-encryption.org/v1
--> ssh-ed25519 91VHug cjq3el2rlJCWS3VwM5Dt22Ot/PoCdU5wJWTMosYQ6VE
+-> ssh-ed25519 91VHug DSVlC+Y9wXBRTPtMeyGNsqTGN6p2j9GDcJZyVoXqmRM
-w/IyVNNAObRJxpV162CojPRE8yYbXJj1kaCBoPo3rNk
+dCEnH6wtFCD4QaNf6Gph4Ic9mEwr+GukB7GBJiMKCsU
---- EDM/kgV9ewXhMvrQfHDtPLl7W46VCbZL5ciBO/B+Iu8
+--- o8VhUzFXGMSoFL/zHICEjK4qr+HozGzGrx+R/FLCJbA
-cL>¡‡È&ð°Â²=°^³$Úüm TüãÃ4õ&
+­L<EFBFBD>¯„¦®•è‡“l[•màuûöu“
…Vª\NÇž
-ƧÀÀI–¢Ç)
+ÿ„<EFBFBD>/Ôeššìg·P¤µT ¼>fZš¿}èËzè›KÑ<ìL˜#IJã}
-c
-¶LQiŠµá6ÓRÞÐòS•Üøÿ+T@ó0=ÉÉðö

nix/secrets/wg_private_vps3.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 XzACZQ lm64+fQEWa9hF98cV/x1U3Mz+6zuM23dAV3XkwE7iz4
+-> ssh-ed25519 XzACZQ //MVwFVmv8J0fNDH35jA/wRYWEwBpTNeuqb22JDlQ1M
-7Rgqd13DThp/JLryCe5xTdXwDujaTj4viR2CBTdXYLs
+WxQNXyyaOwR+jbLEd6qul81Tcy5ZmC9xQzXLdokrdBM
---- pwebssA2O2VjzPFRAQ0/65+qiiF/MijCIIXexwH5mgk
+--- 4hvQvXwTU3vuYYkO1cud43LbDvFKfzSY+HB0nEfQbGA
-\ ‹fóËæÅv×̤ä[§ýÚŸÆIŒ´†[—5á÷*×·90²'ý4Âôî+áV<C3A1>;L›‹~jÌÂà¦
‹úœ†;ÝÒSÁª2y·b
+HʹTÔ–,Þ2ÚµGÿÐ2tI|	¡ì4jüœçx
ßzŒÕ7°ƒ)ü	éiNw,IóN	ŽÏÒ„“w£bpnœF
ø™VA£

nix/secrets/wg_private_vps4.age

@@ -1,7 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 51bcvA mVJPirZJQxHgpX6CkMckYTpJk6HYN7CZYlUPPF1mYDM
+-> ssh-ed25519 51bcvA afHu7io35iOiA79ghD+kTKgaiLv7t4UDH3MY4vc57kE
-XVZqovyalftEtV//FQM11Za+YAEMAuBTypcPQz1+G3E
+ZW0xYUH9bqD3vFWvmWT0LMGdcbnqFHafdO0/EakU29k
---- 7QAtADWyWr8SY3jLLzKxPsedOLyasfLs4lK3nmhkOi0
+--- oMTnoSLV3ZvjjEjIbJpFp37Twz7GbljLuhrPfyYzvVU
-]J„éÄÑäXt‘E¬šŽæ)<29>þ–ÿhS
<01>ö¾º»ÈF·
+M9__–:¸2®b_%¼‚c	e”î’
Áe<C381>>¨`ÈuÑݬ‚ûèêSÍJÑiQ¿Àz\ÿ]¨$c<11>[Êð<C38A>²Ó½Vuêï<C3AA>d4<64>
-ïÈÓ×þ¤$’Ò2"ðTö‚¾aû`’†Ä®ùÒ{ŸŽ<>:=
-

nix/secrets/widetom_bot_token.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg oaTrhtYhEl2Za2fhNt0BgnjXPCkzo1Or9jsLLCnJhzA
+-> ssh-ed25519 qM6TYg oOHHqlwmPvW9l6F125mS5u7iJ2hznWVpZrVh9Gs9SkQ
-Wk99OfMEXXG+cV1LEvC9wf0GeVgT1Z2GA0AtLYCRKD4
+M8Xbif6Ts+upr+ri6X8H6JviwYhZhZsL41eMNCOIJo4
---- 4U4dwN+tJ2LFpIjxEaoZ6HHV5QQU4kr0r0pDXKKcTgE
+--- PXmESo/wbek0iXWltDKEUzQFt8ehaYinWqzlm2nTPvg
-NäÖ]èn<C3A8>Ý?óã€àð‚ý¹!ý|!ƒ³:Öú»ÐÁMlØ*Èý
Ü'÷×?E ØùôM@Ér_iÎvo:Niõlk<13>¾8S(ÿ:øÖŠÇR/0^xiÛ[x‹Cå
+–ð€`íT¨Ksh¤iÂiÏOò	AD–ó.s—…Y9Ù<39>•f~ÀàF‹DÜÉGÖåäø^âøyשƒÕ<C692>va®{—mµ<6D>Ì-ÀP?ÈTÛT”`×(
P½A<0<>