privatevoid.net/depot
1
1
Fork 0
Code Issues 20 Pull requests 5 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/storage: init

Browse source
This commit is contained in:
Max Headroom 2023-07-05 20:53:04 +02:00
parent 1aad62ca6c
commit 44143ff07f
5 changed files with 122 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
cluster/services/storage/default.nix Normal file
View file

@ -0,0 +1,8 @@
{
services.storage = {
nodes.heresy = [ "VEGAS" ];
nixos.heresy = [
./heresy.nix
];
};
}

101
cluster/services/storage/heresy.nix Normal file
View file

@ -0,0 +1,101 @@
{ config, lib, pkgs, ... }:
let
s3qlWithSystemd = pkgs.s3ql.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ [
pkgs.python3Packages.systemd
];
});
dirs = {
cache = "/srv/storage/private/s3ql-cache";
underlay = "/mnt/heresy";
mount = "/srv/heresy";
};
in
{
age.secrets = {
storageBoxCredentials.file = ./secrets/storage-box-credentials.age;
heresyEncryptionKey.file = ./secrets/heresy-encryption-key.age;
};
boot.supportedFilesystems = [ "cifs" ];
fileSystems."${dirs.underlay}" = {
fsType = "cifs";
device = "//u357754.your-storagebox.de/u357754-sub1/fs/heresy";
options = [
"credentials=${config.age.secrets.storageBoxCredentials.path}"
"dir_mode=0700"
"file_mode=0600"
"_netdev"
"x-systemd.automount"
];
};
systemd = {
tmpfiles.rules = [
"d '${dirs.cache}' 0700 root root - -"
];
services.heresy = {
description = "Heresy Filesystem";
wantedBy = [ "multi-user.target" ];
requires = [ "mnt-heresy.mount" ];
wants = [ "remote-fs.target" ];
after = [ "mnt-heresy.mount" ];
before = [ "remote-fs.target" ];
# used by umount.s3ql
path = with pkgs; [
psmisc
util-linux
];
serviceConfig = let
commonOptions = [
"--compress" "none"
"--cachedir" dirs.cache
"--authfile" config.age.secrets.heresyEncryptionKey.path
];
in {
Type = "notify";
ExecStartPre = map lib.escapeShellArgs [
[
"${pkgs.coreutils}/bin/install" "-dm755" dirs.mount
]
([
"${s3qlWithSystemd}/bin/fsck.s3ql"
"local://${dirs.underlay}"
] ++ commonOptions)
];
ExecStart = lib.escapeShellArgs ([
"${s3qlWithSystemd}/bin/mount.s3ql"
"local://${dirs.underlay}"
dirs.mount
"--fs-name" "heresy"
"--allow-other"
"--systemd" "--fg"
"--log" "none"
] ++ commonOptions);
ExecStop = lib.escapeShellArgs [
"${s3qlWithSystemd}/bin/umount.s3ql"
"--log" "none"
dirs.mount
];
# fsck and unmounting might take a while
TimeoutStartSec = "600s";
TimeoutStopSec = "600s";
# s3ql only handles SIGINT
KillSignal = "SIGINT";
Restart = "on-failure";
RestartSec = "10s";
};
};
};
}

BIN
cluster/services/storage/secrets/heresy-encryption-key.age Normal file
View file

Binary file not shown.

11
cluster/services/storage/secrets/storage-box-credentials.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A tJRraicHm1ZsU4yrvK3R1xAiIX+0w1WL+maBEcfbZk0
1IvOLKJVvt3lj44lIyDdHbnGzBiQQhfYh92HZYPz36Q
-> ssh-ed25519 5/zT0w a/LO69ZwMzoNUrr8fLR1lKDuYve6KXUZaQKN6ctwSjs
E1OKbXuvynYwf0D9/APjFm3z+l8Y/l8TRkj+CeB04kI
-> ssh-ed25519 d3WGuA fUdpFXP5JDQwpk81dMR9agx8XgeJTP0sTESDadr9Zxk
gPr4DnmX1CqpEnLvObCPuyiTIBJOT0cvoQize7Oe7U4
-> &-grease r 8mj:pc~r
DdZaL+KpxVOKEAQ0MZnpftL1hbOUffIaCsu4zMcafW+cnNzD1R0
--- jV/6H0YdytV3ik3wwoSurOWdugvJus1gbSCtJDJFJMw
Ž¾|à><^~n"iyD|¤I‰šD:Z”XݧVÃ<56>vOðàÄ£<C384>rz•¿j…Sþà‰·©x7c¹ÕÔ»½š «N<C2AB>i©·È`”¿¿ð‚

2
secrets.nix
View file

@ -36,6 +36,8 @@ in with hosts;
"cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ]; "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
"cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ]; "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
"cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ]; "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
"cluster/services/storage/secrets/heresy-encryption-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/wireguard/mesh-keys/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ]; "cluster/services/wireguard/mesh-keys/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
"cluster/services/wireguard/mesh-keys/thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ]; "cluster/services/wireguard/mesh-keys/thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
"cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];