Configuration for my NixOS based systems and Home Manager

Replace Minio with Garage

+101 -41
+8 -2
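--- a/host-specific/misaki/networking.nix
+++ b/host-specific/misaki/networking.nix
@@ -82,10 +82,16 @@
 4222
 # Prometheus
 9001
-# Minio
+# Garage RPC
 9003
-# Minio web
+# Garage S3 API
 9004
+# Garage Web
+9005
+# Garage K2V API
+9006
+# Garage Admin
+9007
 # AFP via Netatalk
 548
 #9p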
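Review bot: The port list now carries `9007` (Garage Admin) next to `9003` (Garage RPC), and services.nix binds both listeners to `[::]`. The list's attribute name is above the hunk, so it is an inference that this feeds the firewall's allowed ports; if it does, the admin API and the cluster RPC are reachable from every network the host is attached to. `replication_factor = 1` suggests a single node with no peers that need RPC, and the admin API is protected only by its bearer token. I would leave `9003` and `9007` out of this list and bind the admin listener to loopback with `api_bind_addr = "[::1]:9007";`, opening only the S3 and web ports that clients actually use.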
+56 -39
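--- a/host-specific/misaki/services.nix
+++ b/host-specific/misaki/services.nix
@@ -187,15 +187,62 @@
 };
 };
 
-# Minio's object storage has been mostly replaced with NATS. If I specifically need a
-# S3-like API, this will be revived.
-services.minio = {
-enable = false;
-listenAddress = ":9003";
-consoleAddress = ":9004";
-dataDir = [
-/srv/shokuhou/applications/minio
-];
+age.secrets.garage_rpc = {
+file = ../../secrets/garage_rpc_secret.age;
+owner = "root";
+group = "garage-secrets";
+mode = "640";
+};
+age.secrets.garage_admin = {
+file = ../../secrets/garage_admin_secret.age;
+owner = "root";
+group = "garage-secrets";
+mode = "640";
+};
+age.secrets.garage_metrics = {
+file = ../../secrets/garage_metrics_secret.age;
+owner = "root";
+group = "garage-secrets";
+mode = "640";
+};
+systemd.services.garage.serviceConfig.SupplementaryGroups = "garage-secrets";
+services.garage = {
+enable = true;
+package = pkgs.garage_2;
+# This is necessary because we use group membership to control access to the
+# secrets (the service uses systemd's dynamic user feature).
+extraEnvironment.GARAGE_ALLOW_WORLD_READABLE_SECRETS = "true";
+settings = {
+data_dir = [
+{
+capacity = "1T";
+path = "/srv/shokuhou/applications/garage/data";
+}
+];
+metadata_dir = "/srv/shokuhou/applications/garage/meta";
+rpc_bind_addr = "[::]:9003";
+db_engine = "sqlite";
+replication_factor = 1;
+rpc_secret_file = config.age.secrets.garage_rpc.path;
+s3_api = {
+s3_region = "garage";
+api_bind_addr = "[::]:9004";
+root_domain = ".garage.s3.ngp.computer";
+};
+s3_web = {
+bind_addr = "[::]:9005";
+root_domain = ".garage.web.ngp.computer";
+index = "index.html";
+};
+k2v_api = {
+api_bind_addr = "[::]:9006";
+};
+admin = {
+api_bind_addr = "[::]:9007";
+admin_token_file = config.age.secrets.garage_admin.path;
+metrics_token_file = config.age.secrets.garage_metrics.path;
+};
+};
 };
 
 services.netatalk = {
@@ -300,36 +347,6 @@
 dnsProvider = "porkbun";
 environmentFile = config.age.secrets.acme.path;
 });
-#certs."plex.packetlost.dev" = {
-# group = "httpd";
-# dnsProvider = "porkbun";
-# environmentFile = config.age.secrets.acme.path;
-#};
-#certs."img.ngp.computer" = {
-# group = "httpd";
-# dnsProvider = "porkbun";
-# environmentFile = config.age.secrets.acme.path;
-#};
-#certs."files.ngp.computer" = {
-# group = "httpd";
-# dnsProvider = "porkbun";
-# environmentFile = config.age.secrets.acme.path;
-#};
-#certs."cache.ngp.computer" = {
-# group = "httpd";
-# dnsProvider = "porkbun";
-# environmentFile = config.age.secrets.acme.path;
-#};
-#certs."photos.ngp.computer" = {
-# group = "httpd";
-# dnsProvider = "porkbun";
-# environmentFile = config.age.secrets.acme.path;
-#};
-#certs."jellyfin.packetlost.dev" = {
-# group = "httpd";
-# dnsProvider = "porkbun";
-# environmentFile = config.age.secrets.acme.path;
-#};
 };
 
 # A test email server that only works on LAN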
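Review bot: `extraEnvironment.GARAGE_ALLOW_WORLD_READABLE_SECRETS = "true"` switches off Garage's own permission check for all three secret files, so a later loosening of `mode = "640"` would no longer be refused at startup. systemd credentials cover the dynamic-user case without that override: `systemd.services.garage.serviceConfig.LoadCredential = [ "rpc_secret:${config.age.secrets.garage_rpc.path}" ];` together with `rpc_secret_file = "/run/credentials/garage.service/rpc_secret";`, and the same pattern for the admin and metrics tokens. The agenix files could then stay readable by root only, and the `garage-secrets` group and the `SupplementaryGroups` line would probably become unnecessary; confirm against the unit the Garage module generates before dropping them.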
+1
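--- a/host-specific/misaki/users.nix
+++ b/host-specific/misaki/users.nix
@@ -3,4 +3,5 @@
 users.groups.nas.gid = 1001;
 users.groups.httpd.gid = 1002;
 users.groups.litterbox.gid = 1003;
+users.groups.garage-secrets.gid = 1004;
 }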
+11
secrets/garage_admin_secret.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 e6zq8g Z2uznYsVG9cWJBWUu4TDkZIxSJuqE/f7yfPCaTmgTys 3 + bxtzgdXIOd3Zd4M0/T4ViS+N+ehjpOZoaqucYxeXa6g 4 + -> ssh-ed25519 QBbeMw 1svoZMmrNCjr7Bqz4ZALiVray7AMaf5un/XOcQngYTM 5 + ZNDgEzDCyfVlVRzj9/hPv3uL/bIFpodnUpSfn2gN6oA 6 + -> ssh-ed25519 Wv0Urw W8PXStn+8TZ5ttMccmD+NLvZSXdtEAeJek7OHqnHSXo 7 + KkjKgxjT9GCdnerSZpq0bri2ge9TG2NboViTSpp0mmE 8 + -> ssh-ed25519 WVNCXA YNNppRrW8vpIJx9nOA8o4zvCX3/78d+Yf+3t1YWwbhI 9 + TT2JmkNRIAK4ntHgUfhFHcyCaSA6aNlEqs91BjIM/YA 10 + --- pk25ewpjSqbbjylxVkf751yFctvJMPpU2oiY30C/V3k 11 + ��N��\¨O4Us�b�8C��`��#"�D�Z��oW]3��h�:R#�'�f�d���{��v��>���ўMӤ�5l�
+11
secrets/garage_metrics_secret.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 e6zq8g UVi7WnCLOePcOCHzsKKHBz05oNDNN4Xf80zbSr5J0CY 3 + 3ehg+6Nn6re+XebqcB7IjDFO+dBHtjpubUi7iCLHPJc 4 + -> ssh-ed25519 QBbeMw J/rTSoYTLk+adeQBdXq9yTtXK3dYB7fp6Nh9GjzMqxo 5 + 4Oe/8kB+fWF+5/8c5kHfw4XOhB+qLIYhpDkb6mP5nBY 6 + -> ssh-ed25519 Wv0Urw TmkSiKfLURGG7EaJM2ZqCbkSBA8D06Xjo94SlImwvGM 7 + 3ysSy850QzoWlREeQX7nSdOUX3qFnlAa9axbD5FeTTo 8 + -> ssh-ed25519 WVNCXA D+zQ14SXDJIdemvzubSTFGeAeV7bRQVaBecJmMtwVlA 9 + Sl+QuCRnHOKbnSeZi5OTCRz4+praTngOxrbBXqDh2vU 10 + --- QQ7+86ws3U6FTwTGN98w6daPsiViLXdcSJwbaS6dztM 11 + �ۋ�!��~�D�(c������"�t^�;�`���E�ʔ�$E�x��mJ��ĀX�н͕̀��h BBJ� �Hh��a%��6
+11
secrets/garage_rpc_secret.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 e6zq8g DNxcVK/XSwc/v5OX9MsFBPgy4vcP6ldjC1WP5o5ZXX0 3 + Sc0GGuqpYLjxww7NWboeQsMZ+tQosiE6EqRsJsPvZHg 4 + -> ssh-ed25519 QBbeMw iz1umGmXPcm6pikg1pOZKnU7df2BK7KTRkHvJmIqAE4 5 + L5j7nNHg0YTwaRqfJAEQatJbhB1yzpk6QBwSuUr2Y3c 6 + -> ssh-ed25519 Wv0Urw 0u8zWYN6a9QBFDFe60aMN5yUy+OJuR+YYHkGHhIIs1w 7 + FpVuxwqTeRC4Tz57N9a3hwXxI++jxiFpKGGOEbokELs 8 + -> ssh-ed25519 WVNCXA aT+pGvZ+57XZDexZ+0FWd9l+4Ge+s5a6tSh7WD1Tn3E 9 + h3aZfgVav1xOWsmMTnvO5nqszdyjkodoc7sjEfXDYGs 10 + --- qp66s2eD3Z18zJrHO06scZnYK5ocxQnDstNlBxvovFY 11 + 9���du�-ٍ�[J2�C"W��^?eW-BF����<�S��-(�'y�:\بyx����6�W&]��4L��n ��
+3
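--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,4 +26,7 @@
 ];
 "validator-identity.age".publicKeys = [ edge ];
 "catgirl-libera.age".publicKeys = noah;
+"garage_rpc_secret.age".publicKeys = [ misaki ] ++ noah;
+"garage_admin_secret.age".publicKeys = [ misaki ] ++ noah;
+"garage_metrics_secret.age".publicKeys = [ misaki ] ++ noah;
 }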