garage

newinfra/nix/hive.nix

@@ -160,6 +160,7 @@
       ./modules/contabo
       ./modules/wg-mesh
       ./modules/ingress
+      ./modules/garage
     ];
 
     deployment.tags = [ "eu" "apps" "wg" ];
@@ -170,6 +171,7 @@
       (modulesPath + "/profiles/qemu-guest.nix")
       ./modules/ingress
       ./modules/wg-mesh
+      ./modules/garage
     ];
 
     deployment.tags = [ "eu" "apps" "hetzner" ];
@@ -219,6 +221,7 @@
       ./modules/contabo
       ./modules/ingress
       ./modules/wg-mesh
+      ./modules/garage
     ];
 
     deployment.tags = [ "eu" "apps" "wg" ];

newinfra/nix/modules/garage/README.md

@@ -0,0 +1,13 @@
+# garage
+
+## layout
+
+- co-ka -> Contabo Karlsruhe
+- co-du -> Contabo Düsseldorf
+- he-nu -> Hetzner Nürnberg
+
+| name | disk space | identifier | zone  |
+| ---- | ---------- | ---------- | ----- |
+| vps3 | 100GB      | 020bd      | co-ka |
+| vps4 | 30GB       | 41e40      | he-nu |
+| vps5 | 100GB      | 848d8      | co-du |

newinfra/nix/modules/garage/default.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, name, ... }: {
+  age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age;
+
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3901 ];
+
+  services.garage = {
+    enable = true;
+    package = pkgs.garage_1_0_0;
+    settings = {
+      metadata_dir = "/var/lib/garage/meta";
+      data_dir = "/var/lib/garage/data";
+      db_engine = "sqlite";
+      metadata_auto_snapshot_interval = "6h";
+
+      replication_factor = 3;
+
+      # arbitrary, but a bit higher as disk space matters more than time. she says, cluelessly.
+      compression-level = 5;
+
+      rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "${name}.local:3901";
+
+      s3_api = {
+        s3_region = "garage";
+        api_bind_addr = "[::]:3900";
+        root_domain = ".s3.garage.localhost";
+      };
+
+      s3_web = {
+        bind_addr = "[::]:3902";
+        root_domain = ".web.garage.localhost";
+        index = "index.html";
+      };
+
+      admin = {
+        api_bind_addr = "[::]:3903";
+      };
+    };
+    environmentFile = config.age.secrets.garage_secrets.path;
+  };
+}
+

newinfra/nix/secrets/docker_registry_password.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg lW7MJ/iW+nvXMk984BZjeEojIbqDojP1y6w0sRkQpzM
+-> ssh-ed25519 qM6TYg ciJZbD4GUbcVmy6rikyd1kwSJCsBv3itB51s73srmhA
-5t7qrvWDhmIfs0F2Av1kkq0zB9LMiHG1uM9G73KjgY8
+/Z8BXxEbeZgzZZ+EYLbi39LIu1Wxq0xjkCaFn3KhoW0
---- BrrUNOV8vvacVsORvb5tnuoZENT8dvSv9ZQPKDY2cbA
+--- DaLt8rTk6Sng6r8D0mUjP1MMb+NxCa6gYUJ9LLNFGo0
-<EFBFBD>ˆYE¥@¥u6Z®X_B†ðSÃõŒnj0Øiº9™7hC<68>“¨ÛyêSlH{Ø
Ôi<C394>
+²¦xb˜´Vú0½¼‡)ò<ˉ–bz	žRÌ™#°[ù,30ªœ)¢ØEâ7ÿ]ü•—Ì

newinfra/nix/secrets/secrets.nix

@@ -10,6 +10,7 @@ in
   "docker_registry_password.age".publicKeys = [ vps1 ];
   "hugochat_db_password.age".publicKeys = [ vps1 ];
   "minio_env_file.age".publicKeys = [ vps1 vps3 ];
+  "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
   "wg_private_vps1.age".publicKeys = [ vps1 ];
   "wg_private_vps3.age".publicKeys = [ vps3 ];
   "wg_private_vps4.age".publicKeys = [ vps4 ];

newinfra/nix/secrets/wg_private_vps1.age

@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg rz0Ls6JosajC8Fuw/rZ0bnC5pAvBhZbmiSwFx/cbszo
+-> ssh-ed25519 qM6TYg Q5X+l2POBANoYyo8HNMy89MLtpodzzN9prnQY71mSTE
-Vo8rHTcmj4b3bX//nA/2PaGHNnuD22JddB7ZujNlNb8
+X3MJesW3kfHCfCyvaWm22mOI8vSgP7JWlLugCXtiy+U
---- SZh6zAv94lZUhWuq4dOdh1nrjI8Ryq0mwtyqLxIx6YU
+--- ZH3UZFDfQwZ+DIF3yFADfBKEv2K6k9DTCh5wLVnyaTs
-ěĐçżsš3ť>4M<n BL ’7RÄŻÎ
+‡‹ÙiÔ,ÿ¯±ª<C2B1>‘1æF¸Äßfë	[_+­õ[
!¢>)ep'ÆYøAïÂWgã ªÇ<­ê^¢Ê=ô(Bˆ®ú)~e±G”
-&Ń„`zAÚöĽMM–lQ;rřeJŇ?mÇj­Ż&w2n”L)Łň‹č©đ‘$#Ç€:<3A>

newinfra/nix/secrets/wg_private_vps3.age

@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 XzACZQ 2stObavGIOgxEB1ugSCc1wR4cUfx5qOF8OZeqo+VOWo
+-> ssh-ed25519 XzACZQ nsIkJQw/lrrXChkpFc87upQ4pbGefolI36wqMOWZGAE
-pM8j9mTorFEsDHlmxhlzRqYWLoF1mE1H+oLy5rnNLig
+t49QoSdb2azGQlDBX5AyWMxCOt+ETpT7erp4WU5p2rQ
---- FL5+Ok2A5ueUZ2a10VbbwNPUU9egbE2kYTl9uJFq3IU
+--- 4UbCHfpAfwiuRYsiN3HgdhbSLFBG05DxGCw55XT1IGg
-`
7W3΢+,><3E>
ƒ¥<13>ÆÔÛ<C394>ú¡@U_•AQ	Œóï&rV
+YÈ	ìŸÔÆŽ ÆŒ­¿½Æòþ˜€2ô×ÖôRsÝ	À‰ìQÈ4d…
IÑ.KpPFthù©ô±£–Á“a„
½É<C2BD>ÃõRX›
-EÆΓ=å51½'„	hNç~¯¶ŸÈ<C5B8>3íjáe†ï
 ñˆÃ

newinfra/nix/secrets/wg_private_vps4.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 51bcvA XKsa9hdh/Kte1Ywd4E2u7WrZdIiJYK6DiH5j8Dy7nFA
+-> ssh-ed25519 51bcvA 9dYzUZSs/ilKHHRiuMgT6GEbtyBwWHAl8ycBcsvTQz0
-h4pernMl+nyhX75/OimLhW+AS2Jk2s63uEOxK8vUqCY
+iq0ozCU1p1sekOH4qbxKxWezY2pyVM6LjhUuNpmTQx0
---- Mm1KWNxwJt2aei0pMk5Jhol5xTm89nG5wMlNg2wJG7g
+--- wjCRFJISrIrpgosh7ZBNM1qR78BPmhVBBwFpaQc10oA
-[x£ÔD·²ä]Ù÷m²ø5ÒóÕ§OhM#ŠEN2ÌÁÉJ{ÂkZ‡Näµh<C2B5>zqB­Âœí¨'ØC÷84ë;îP^7µæÅ%+
+a~ÊueŠ<0E>?'iIl
ŸŸËC"âwÀ:Í\áR)	(.ŠÕ¥%*>†âp™Éýó’õ"Žu­ †Ÿy4’s<E28099>Ññ>”2¦¿—

newinfra/nix/secrets/widetom_bot_token.age

@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg wxaRumhsa+QRSzwuWtJnpBoUPIBJLYsX9BUBHUFYMA0
+-> ssh-ed25519 qM6TYg ba85KijEoTsymy3hJMqIKL93ESg8VI13gumBGwL+sw0
-cnSJ3IgH2wysx74eXjYLKWmkouUJ0MsAOwK6OpsSGPs
+aC8TyOMuycKOApJmqfPwIxiNjPya/Q8a9YwzwHwZsUU
---- wYwjkEfkR859+/qp9uneByt6H8f/6bR7qbOK1EXC2kE
+--- 5wE3LD5eotZBVFnIzqEULhghAmwOiu5xL5Q/fM0gYck
-­8´%{bµW.K!äÚÖƒg÷®€“P#™á¢Ámi©0zR^{ë¬ëõoÈk“–<]
+c¿‹'\™„‘Óæ¸Ï¼±OŠöTHÇ-ü2¯×ÆzhòU7ê¤ë 4¸þ¹$7kW{S{&Þβ\sÄŠÎ[<5B>èº1yB)C„ìÈÈûû¢[viþV{xO
-ƒ*GÍ*Îþ«h+áy–ÿ¤xöÍcÓ¸özxwmêj)
Ô