diff --git a/cluster/services/storage/default.nix b/cluster/services/storage/default.nix
index f291055..fd683bd 100644
--- a/cluster/services/storage/default.nix
+++ b/cluster/services/storage/default.nix
@@ -24,6 +24,7 @@ in
 ./garage.nix
 ./garage-options.nix
 ./garage-layout.nix
+ ./garage-gateway.nix
 {
 services.garage = {
 inherit (config.garage) buckets keys;
@@ -51,4 +52,6 @@ in
 allow.storage-prophet = [ "read" "write" ];
 };
 };
+
+ dns.records.garage.consulService = "garage";
 }
diff --git a/cluster/services/storage/garage-gateway.nix b/cluster/services/storage/garage-gateway.nix
new file mode 100644
index 0000000..6c24ad2
--- /dev/null
+++ b/cluster/services/storage/garage-gateway.nix
@@ -0,0 +1,52 @@
+{ config, cluster, depot, lib, ... }:
+
+let
+ inherit (depot.lib.meta) domain;
+in
+
+{
+ links.garageMetrics.protocol = "http";
+
+ services.garage.settings.admin.api_bind_addr = config.links.garageMetrics.tuple;
+
+ services.nginx.virtualHosts = {
+ "garage.${domain}" = depot.lib.nginx.vhosts.basic // {
+ locations = {
+ "/".proxyPass = cluster.config.hostLinks.${config.networking.hostName}.garageS3.url;
+
+ "= /".proxyPass = config.links.garageMetrics.tuple;
+ };
+ };
+ };
+ security.acme.certs."garage.${domain}" = {
+ dnsProvider = "pdns";
+ webroot = lib.mkForce null;
+ };
+
+ consul.services.garage = {
+ mode = "external";
+ definition = rec {
+ name = "garage";
+ address = depot.reflection.interfaces.primary.addrPublic;
+ port = 443;
+ checks = [
+ rec {
+ name = "Frontend";
+ id = "service:garage:frontend";
+ interval = "60s";
+ http = "https://${address}/health";
+ tls_server_name = "garage.${domain}";
+ header.Host = lib.singleton tls_server_name;
+ method = "HEAD";
+ }
+ {
+ name = "Garage Node";
+ id = "service:garage:node";
+ interval = "5s";
+ http = "${config.links.garageMetrics.url}/health";
+ method = "HEAD";
+ }
+ ];
+ };
+ };
+}
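Review bot: `"= /".proxyPass = config.links.garageMetrics.tuple;` hands nginx a bare host:port, while the Consul node check on the same link uses `config.links.garageMetrics.url` and the Garage bind address uses `.tuple`, which indicates `tuple` carries no scheme; nginx rejects a `proxy_pass` target without `http://`, so this should read `"= /".proxyPass = config.links.garageMetrics.url;`. That exact-match location also exposes the admin API listener's root on the public garage.${domain} vhost, and this file binds the admin API without setting `admin_token` or `metrics_token` — confirm those are set in garage.nix (out of view) or drop the location if only a health probe is intended. The "Frontend" check requests `/health` through the `/` prefix location, i.e. the S3 backend rather than the admin API; verify that path answers there or add an explicit `"= /health".proxyPass` to the admin link. `depot.lib.nginx.vhosts.basic` is out of view; unless it raises `client_max_body_size`, nginx's 1m default will reject larger S3 PUTs through this gateway with 413.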