garage

2026-01-14 16:55:00 +01:00 · 2024-08-06 19:51:03 +02:00 · 2024-08-06 19:51:03 +02:00 · 9ce4ff862f
commit 9ce4ff862f
parent f50cbbbeb4
15 changed files with 79 additions and 23 deletions
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@ -160,6 +160,7 @@
      ./modules/contabo
      ./modules/wg-mesh
      ./modules/ingress
+      ./modules/garage
    ];

    deployment.tags = [ "eu" "apps" "wg" ];
@ -170,6 +171,7 @@
      (modulesPath + "/profiles/qemu-guest.nix")
      ./modules/ingress
      ./modules/wg-mesh
+      ./modules/garage
    ];

    deployment.tags = [ "eu" "apps" "hetzner" ];
@ -219,6 +221,7 @@
      ./modules/contabo
      ./modules/ingress
      ./modules/wg-mesh
+      ./modules/garage
    ];

    deployment.tags = [ "eu" "apps" "wg" ];
--- a/newinfra/nix/modules/garage/README.md
+++ b/newinfra/nix/modules/garage/README.md
@ -0,0 +1,13 @@
+# garage
+
+## layout
+
+- co-ka -> Contabo Karlsruhe
+- co-du -> Contabo Düsseldorf
+- he-nu -> Hetzner Nürnberg
+
+| name | disk space | identifier | zone  |
+| ---- | ---------- | ---------- | ----- |
+| vps3 | 100GB      | 020bd      | co-ka |
+| vps4 | 30GB       | 41e40      | he-nu |
+| vps5 | 100GB      | 848d8      | co-du |
--- a/newinfra/nix/modules/garage/default.nix
+++ b/newinfra/nix/modules/garage/default.nix
@ -0,0 +1,42 @@
+{ config, pkgs, name, ... }: {
+  age.secrets.garage_secrets.file = ../../secrets/garage_secrets.age;
+
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3901 ];
+
+  services.garage = {
+    enable = true;
+    package = pkgs.garage_1_0_0;
+    settings = {
+      metadata_dir = "/var/lib/garage/meta";
+      data_dir = "/var/lib/garage/data";
+      db_engine = "sqlite";
+      metadata_auto_snapshot_interval = "6h";
+
+      replication_factor = 3;
+
+      # arbitrary, but a bit higher as disk space matters more than time. she says, cluelessly.
+      compression-level = 5;
+
+      rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "${name}.local:3901";
+
+      s3_api = {
+        s3_region = "garage";
+        api_bind_addr = "[::]:3900";
+        root_domain = ".s3.garage.localhost";
+      };
+
+      s3_web = {
+        bind_addr = "[::]:3902";
+        root_domain = ".web.garage.localhost";
+        index = "index.html";
+      };
+
+      admin = {
+        api_bind_addr = "[::]:3903";
+      };
+    };
+    environmentFile = config.age.secrets.garage_secrets.path;
+  };
+}
+
--- a/newinfra/nix/secrets/docker_registry_password.age
+++ b/newinfra/nix/secrets/docker_registry_password.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg lW7MJ/iW+nvXMk984BZjeEojIbqDojP1y6w0sRkQpzM
-5t7qrvWDhmIfs0F2Av1kkq0zB9LMiHG1uM9G73KjgY8
--- BrrUNOV8vvacVsORvb5tnuoZENT8dvSv9ZQPKDY2cbA
-<EFBFBD>ˆYE¥@¥u6Z®X_B†ðSÃõŒnj0Øiº9™7hC<68>“¨ÛyêSlH{Ø
Ôi<C394>
+-> ssh-ed25519 qM6TYg ciJZbD4GUbcVmy6rikyd1kwSJCsBv3itB51s73srmhA
+/Z8BXxEbeZgzZZ+EYLbi39LIu1Wxq0xjkCaFn3KhoW0
+--- DaLt8rTk6Sng6r8D0mUjP1MMb+NxCa6gYUJ9LLNFGo0
+²¦xb˜´Vú0Â½¼‡)ò<Ë‰–bz	žRÌ™#°[ù,30ªœ)¢ØEâ7ÿ]ü•—Ì
--- a/newinfra/nix/secrets/garage_secrets.age
+++ b/newinfra/nix/secrets/garage_secrets.age
--- a/newinfra/nix/secrets/hugochat_db_password.age
+++ b/newinfra/nix/secrets/hugochat_db_password.age
--- a/newinfra/nix/secrets/minio_env_file.age
+++ b/newinfra/nix/secrets/minio_env_file.age
--- a/newinfra/nix/secrets/secrets.nix
+++ b/newinfra/nix/secrets/secrets.nix
@ -10,6 +10,7 @@ in
  "docker_registry_password.age".publicKeys = [ vps1 ];
  "hugochat_db_password.age".publicKeys = [ vps1 ];
  "minio_env_file.age".publicKeys = [ vps1 vps3 ];
+  "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
  "wg_private_vps1.age".publicKeys = [ vps1 ];
  "wg_private_vps3.age".publicKeys = [ vps3 ];
  "wg_private_vps4.age".publicKeys = [ vps4 ];
--- a/newinfra/nix/secrets/wg_private_vps1.age
+++ b/newinfra/nix/secrets/wg_private_vps1.age
@ -1,6 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg rz0Ls6JosajC8Fuw/rZ0bnC5pAvBhZbmiSwFx/cbszo
-Vo8rHTcmj4b3bX//nA/2PaGHNnuD22JddB7ZujNlNb8
--- SZh6zAv94lZUhWuq4dOdh1nrjI8Ryq0mwtyqLxIx6YU
-ěĐçżsš3ť>4M<n BL ’7RÄŻÎ
-&Ń„`zAÚöĽMM–lQ;rřeJŇ?mÇjŻ&w2n”L)Łň‹č©đ‘$#Ç€:<3A>
+-> ssh-ed25519 qM6TYg Q5X+l2POBANoYyo8HNMy89MLtpodzzN9prnQY71mSTE
+X3MJesW3kfHCfCyvaWm22mOI8vSgP7JWlLugCXtiy+U
+--- ZH3UZFDfQwZ+DIF3yFADfBKEv2K6k9DTCh5wLVnyaTs
+‡‹ÙiÔ,ÿ¯±ª<C2B1>‘1æF¸Äßfë	[_+õ[
!¢>)ep'ÆYøAïÂWgã ªÇ<ê^¢Ê=ô(Bˆ®ú)~e±G”
--- a/newinfra/nix/secrets/wg_private_vps3.age
+++ b/newinfra/nix/secrets/wg_private_vps3.age
@ -1,6 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 XzACZQ 2stObavGIOgxEB1ugSCc1wR4cUfx5qOF8OZeqo+VOWo
-pM8j9mTorFEsDHlmxhlzRqYWLoF1mE1H+oLy5rnNLig
--- FL5+Ok2A5ueUZ2a10VbbwNPUU9egbE2kYTl9uJFq3IU
-`
7W3Î¢+,><3E>
ƒ¥<13>ÆÔÛ<C394>ú¡@U_•AQ	Œóï&rV
-EÆÎ“=å51½'„	hNç~¯¶ŸÈ<C5B8>3íjáe†ï ñˆÃ
+-> ssh-ed25519 XzACZQ nsIkJQw/lrrXChkpFc87upQ4pbGefolI36wqMOWZGAE
+t49QoSdb2azGQlDBX5AyWMxCOt+ETpT7erp4WU5p2rQ
+--- 4UbCHfpAfwiuRYsiN3HgdhbSLFBG05DxGCw55XT1IGg
+YÈ	ìŸÔÆŽ Ã†Œ¿½Æòþ˜€2ô×ÖôRsÝ	À‰ìQÈ4d…
IÑ.KpPFthù©ô±£–Á“a„½É<C2BD>ÃõRX›
--- a/newinfra/nix/secrets/wg_private_vps4.age
+++ b/newinfra/nix/secrets/wg_private_vps4.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 51bcvA XKsa9hdh/Kte1Ywd4E2u7WrZdIiJYK6DiH5j8Dy7nFA
-h4pernMl+nyhX75/OimLhW+AS2Jk2s63uEOxK8vUqCY
--- Mm1KWNxwJt2aei0pMk5Jhol5xTm89nG5wMlNg2wJG7g
-[x£ÔD·²ä]Ù÷m²ø5ÒóÕ§OhM#ŠEN2ÌÁÉJ{ÂkZ‡Näµh<C2B5>zqBÂœí¨'ØC÷84ë;îP^7µæÅ%+
+-> ssh-ed25519 51bcvA 9dYzUZSs/ilKHHRiuMgT6GEbtyBwWHAl8ycBcsvTQz0
+iq0ozCU1p1sekOH4qbxKxWezY2pyVM6LjhUuNpmTQx0
+--- wjCRFJISrIrpgosh7ZBNM1qR78BPmhVBBwFpaQc10oA
+a~ÊueŠ<0E>?'iIl
ŸŸËC"âwÀ:Í\áR)	(.ŠÕ¥%*>†âp™Éýó’õ"Žu †Ÿy4’s<E28099>Ññ>”2¦¿—
--- a/newinfra/nix/secrets/wg_private_vps5.age
+++ b/newinfra/nix/secrets/wg_private_vps5.age
--- a/newinfra/nix/secrets/widetom_bot_token.age
+++ b/newinfra/nix/secrets/widetom_bot_token.age
@ -1,6 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg wxaRumhsa+QRSzwuWtJnpBoUPIBJLYsX9BUBHUFYMA0
-cnSJ3IgH2wysx74eXjYLKWmkouUJ0MsAOwK6OpsSGPs
--- wYwjkEfkR859+/qp9uneByt6H8f/6bR7qbOK1EXC2kE
-8´%{bµW.K!äÚÖƒg÷®€“P#™á¢Ámi©0zR^{ë¬ëõoÈk“–<]
-ƒ*GÍ*Îþ«h+Ã¡y–ÿ¤xöÍcÓ¸özxwmêj)
Ô
+-> ssh-ed25519 qM6TYg ba85KijEoTsymy3hJMqIKL93ESg8VI13gumBGwL+sw0
+aC8TyOMuycKOApJmqfPwIxiNjPya/Q8a9YwzwHwZsUU
+--- 5wE3LD5eotZBVFnIzqEULhghAmwOiu5xL5Q/fM0gYck
+c¿‹'\™„‘Óæ¸Ï¼±OŠöTHÇ-ü2¯×ÆzhòU7ê¤ë 4¸þ¹$7kW{S{&ÞÎ²\sÄŠÎ[<5B>èº1yB)C„ìÈÈûû¢[viþV{xO
--- a/newinfra/nix/secrets/widetom_config_toml.age
+++ b/newinfra/nix/secrets/widetom_config_toml.age
--- a/newinfra/secrets-git-crypt/garage_secrets
+++ b/newinfra/secrets-git-crypt/garage_secrets