cluster/services/ipfs: add ipfs-cluster

cluster/services/ipfs/cluster-secret.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A iv0xv0HLpVtB0ah0zJ1kvxE4A3mrWr5bClqouxUI/GQ
+/UKC/6mXk9ym9hnt7xDJ88ENxdFf6BXlAHqITZ0kHnY
+-> ssh-ed25519 5/zT0w ZYb2QgdbbAZYw9L0CCv2XOamhKgi+vPL/QQp4mGFc3E
+sr9xtnp0DKHprYy5DQakiKbqFyqEqlSv0ZG6c4OrXXg
+-> ssh-ed25519 d3WGuA Eeyzfc4Wf8S4cdb+YDOTMUHnXnTZGTpDnrNCsxIhMD4
+iLu5XkMStfBDJ82QT8/eh3c91KSO6GqwpmcTUpEWmfA
+-> ssh-ed25519 6YMlxg lpiCiRHjvVVkhwZ2ZJI2GBWDhlpjajVFodRnECX63Ts
+cEsMNfpVVz4gDrbO/kVajfMDp6kaU5UNhLbF5WxhdwU
+-> OvP-grease W b)m(Q{
+IUjVquGYb2jWe/q1LYmsDRBlow
+--- 3L9JqzQzSvC6M54BsIyIfkG5d6bgP/tTuQJJG2tq19A
+ö!Ž@µ3bPUØ÷½¼Ê<¸,@Þ²SýÃSè-O|kÖÒ3,Wû¬¼Ç÷ÞÄ`œAÐqahÖ-×Åí!h7*4Ž1žý—á§L6<4C>y(³C2¢˜ˆ/Ñ(½Ó
Øc_á߶þ}™÷<ˆÇ<CB86>ˆ°

cluster/services/ipfs/cluster.nix

@@ -0,0 +1,71 @@
+{ aspect, config, inputs, pkgs, ... }:
+
+let
+  ipfsCfg = config.services.ipfs;
+
+  apiSocket = "/run/ipfs-cluster/ipfs-cluster-api.sock";
+  pinSvcSocket = "/run/ipfs-cluster/ipfs-pinning-service-api.sock";
+  proxySocket = "/run/ipfs-cluster/ipfs-api-proxy.sock";
+in {
+  imports = [
+    aspect.modules.ipfs-cluster
+  ];
+
+  age.secrets.ipfs-cluster-secret = {
+    file = ./cluster-secret.age;
+  };
+
+  services.ipfs-cluster = {
+    enable = true;
+    package = inputs.self.packages.${pkgs.system}.ipfs-cluster;
+    consensus = "crdt";
+    dataDir = "/srv/storage/ipfs/cluster";
+    secretFile = config.age.secrets.ipfs-cluster-secret.path;
+    openSwarmPort = true;
+    settings = {
+      cluster = {
+        peer_addresses = [
+          "/ip4/95.216.8.12/tcp/9096/p2p/12D3KooWFqccQN24XbpJbguWmtqAJwKarPXxMNqGCz1wSQqKL97D"
+          "/ip4/152.67.79.222/tcp/9096/p2p/12D3KooWC7y9GH5j6zioqGx6354WfWwKCQAKbRMDJY2gJ5j5qLzm"
+        ];
+        replication_factor_min = 1;
+        replication_factor_max = 2;
+      };
+      api = {
+        ipfsproxy = {
+          listen_multiaddress = "/unix${proxySocket}";
+          node_multiaddress = ipfsCfg.apiAddress;
+        };
+        pinsvcapi.http_listen_multiaddress = "/unix${pinSvcSocket}";
+        restapi.http_listen_multiaddress = "/unix${apiSocket}";
+      };
+      ipfs_connector.ipfshttp.node_multiaddress = ipfsCfg.apiAddress;
+    };
+  };
+
+  systemd.services.ipfs-cluster = {
+    postStart = ''
+      chmod 0660 ${apiSocket} ${pinSvcSocket} ${proxySocket}
+    '';
+    serviceConfig = {
+      IPAddressDeny = [
+        "10.0.0.0/8"
+        "100.64.0.0/10"
+        "169.254.0.0/16"
+        "172.16.0.0/12"
+        "192.0.0.0/24"
+        "192.0.2.0/24"
+        "192.168.0.0/16"
+        "198.18.0.0/15"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "240.0.0.0/4"
+        "100::/64"
+        "2001:2::/48"
+        "2001:db8::/32"
+        "fc00::/7"
+        "fe80::/10"
+      ];
+    };
+  };
+}

cluster/services/ipfs/default.nix

@@ -4,6 +4,7 @@
   services.ipfs = {
     nodes = {
       node = [ "VEGAS" "prophet" ];
+      clusterPeer = [ "VEGAS" "prophet" ];
       gateway = [ "VEGAS" ];
     };
     nixos = {
@@ -14,6 +15,9 @@
         ./gateway.nix
         ./monitoring.nix
       ];
+      clusterPeer = [
+        ./cluster.nix
+      ];
     };
   };
 }

secrets.nix

@@ -9,6 +9,7 @@ in with hosts;
   "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];