cluster/services/storage: use incandescence
This commit is contained in:
parent
014c1f9cd2
commit
baed1ce871
3 changed files with 72 additions and 103 deletions
|
@ -7,6 +7,7 @@ in
|
|||
{
|
||||
imports = [
|
||||
./options.nix
|
||||
./incandescence.nix
|
||||
];
|
||||
|
||||
services.storage = {
|
||||
|
@ -52,7 +53,7 @@ in
|
|||
};
|
||||
simulacrum = {
|
||||
enable = true;
|
||||
deps = [ "wireguard" "consul" "locksmith" ];
|
||||
deps = [ "wireguard" "consul" "locksmith" "incandescence" ];
|
||||
settings = ./test.nix;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -26,62 +26,6 @@ let
|
|||
sleep 1
|
||||
done
|
||||
}
|
||||
# FIXME: returns bogus empty string when one of the lists is empty
|
||||
diffAdded() {
|
||||
comm -13 <(printf '%s\n' $1 | sort) <(printf '%s\n' $2 | sort)
|
||||
}
|
||||
diffRemoved() {
|
||||
comm -23 <(printf '%s\n' $1 | sort) <(printf '%s\n' $2 | sort)
|
||||
}
|
||||
# FIXME: this does not handle list items with spaces
|
||||
listKeys() {
|
||||
garage key list | tail -n +2 | grep -ow '[^ ]*$' || true
|
||||
}
|
||||
ensureKeys() {
|
||||
old="$(listKeys)"
|
||||
if [[ -z "$1" ]]; then
|
||||
for key in $old; do
|
||||
garage key delete --yes "$key"
|
||||
done
|
||||
elif [[ -z "$old" ]]; then
|
||||
for key in $1; do
|
||||
# don't print secret key
|
||||
garage key new --name "$key" >/dev/null
|
||||
echo Key "$key" was created.
|
||||
done
|
||||
else
|
||||
diffAdded "$old" "$1" | while read key; do
|
||||
# don't print secret key
|
||||
garage key new --name "$key" >/dev/null
|
||||
echo Key "$key" was created.
|
||||
done
|
||||
diffRemoved "$old" "$1" | while read key; do
|
||||
garage key delete --yes "$key"
|
||||
done
|
||||
fi
|
||||
}
|
||||
listBuckets() {
|
||||
garage bucket list | tail -n +2 | grep -ow '^ *[^ ]*' | tr -d ' ' || true
|
||||
}
|
||||
ensureBuckets() {
|
||||
old="$(listBuckets)"
|
||||
if [[ -z "$1" ]]; then
|
||||
for bucket in $old; do
|
||||
garage bucket delete --yes "$bucket"
|
||||
done
|
||||
elif [[ -z "$old" ]]; then
|
||||
for bucket in $1; do
|
||||
garage bucket create "$bucket"
|
||||
done
|
||||
else
|
||||
diffAdded "$old" "$1" | while read bucket; do
|
||||
garage bucket create "$bucket"
|
||||
done
|
||||
diffRemoved "$old" "$1" | while read bucket; do
|
||||
garage bucket delete --yes "$bucket"
|
||||
done
|
||||
fi
|
||||
}
|
||||
'';
|
||||
in
|
||||
|
||||
|
@ -203,9 +147,7 @@ in
|
|||
garage layout apply --version 1
|
||||
'';
|
||||
};
|
||||
garage-apply = {
|
||||
distributed.enable = true;
|
||||
wantedBy = [ "garage.service" "multi-user.target" ];
|
||||
garage-ready = {
|
||||
wants = [ "garage.service" ];
|
||||
after = [ "garage.service" "garage-layout-init.service" ];
|
||||
path = [ config.services.garage.package ];
|
||||
|
@ -219,54 +161,70 @@ in
|
|||
script = ''
|
||||
source ${garageShellLibrary}
|
||||
waitForGarageOperational
|
||||
|
||||
ensureKeys '${lib.concatStringsSep " " (lib.attrNames cfg.keys)}'
|
||||
ensureBuckets '${lib.concatStringsSep " " (lib.attrNames cfg.buckets)}'
|
||||
|
||||
# key permissions
|
||||
${lib.pipe cfg.keys [
|
||||
(lib.mapAttrsToList (key: kCfg: ''
|
||||
garage key ${if kCfg.allow.createBucket then "allow" else "deny"} '${key}' --create-bucket >/dev/null
|
||||
''))
|
||||
(lib.concatStringsSep "\n")
|
||||
]}
|
||||
|
||||
# bucket permissions
|
||||
${lib.pipe cfg.buckets [
|
||||
(lib.mapAttrsToList (bucket: bCfg:
|
||||
lib.mapAttrsToList (key: perms: ''
|
||||
garage bucket allow '${bucket}' --key '${key}' ${lib.escapeShellArgs (map (x: "--${x}") perms)}
|
||||
garage bucket deny '${bucket}' --key '${key}' ${lib.escapeShellArgs (map (x: "--${x}") (lib.subtractLists perms [ "read" "write" "owner" ]))}
|
||||
'') bCfg.allow
|
||||
))
|
||||
lib.flatten
|
||||
(lib.concatStringsSep "\n")
|
||||
]}
|
||||
|
||||
# bucket quotas
|
||||
${lib.pipe cfg.buckets [
|
||||
(lib.mapAttrsToList (bucket: bCfg: ''
|
||||
garage bucket set-quotas '${bucket}' \
|
||||
--max-objects '${if bCfg.quotas.maxObjects == null then "none" else toString bCfg.quotas.maxObjects}' \
|
||||
--max-size '${if bCfg.quotas.maxSize == null then "none" else toString bCfg.quotas.maxSize}'
|
||||
''))
|
||||
(lib.concatStringsSep "\n")
|
||||
]}
|
||||
|
||||
# bucket website access
|
||||
${lib.pipe cfg.buckets [
|
||||
(lib.mapAttrsToList (bucket: bCfg: ''
|
||||
garage bucket website ${if bCfg.web.enable then "--allow" else "--deny"} '${bucket}'
|
||||
''))
|
||||
(lib.concatStringsSep "\n")
|
||||
]}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.incandescence.providers.garage = {
|
||||
locksmith = true;
|
||||
wantedBy = [ "garage.service" "multi-user.target" ];
|
||||
partOf = [ "garage.service" ];
|
||||
wants = [ "garage-ready.service" ];
|
||||
after = [ "garage-ready.service" ];
|
||||
|
||||
packages = [
|
||||
config.services.garage.package
|
||||
];
|
||||
formulae = {
|
||||
key = {
|
||||
destroyAfterDays = 0;
|
||||
create = key: ''
|
||||
# don't print secret key
|
||||
garage key new --name ${lib.escapeShellArg key} >/dev/null
|
||||
echo Key ${lib.escapeShellArg key} was created.
|
||||
'';
|
||||
destroy = ''
|
||||
garage key delete --yes "$OBJECT"
|
||||
'';
|
||||
change = key: let
|
||||
kCfg = cfg.keys.${key};
|
||||
in ''
|
||||
garage key ${if kCfg.allow.createBucket then "allow" else "deny"} ${lib.escapeShellArg key} --create-bucket >/dev/null
|
||||
'';
|
||||
};
|
||||
bucket = {
|
||||
deps = [ "key" ];
|
||||
destroyAfterDays = 30;
|
||||
create = bucket: ''
|
||||
garage bucket create ${lib.escapeShellArg bucket}
|
||||
'';
|
||||
destroy = ''
|
||||
garage bucket delete --yes "$OBJECT"
|
||||
'';
|
||||
change = bucket: let
|
||||
bCfg = cfg.buckets.${bucket};
|
||||
in ''
|
||||
# permissions
|
||||
${lib.concatStringsSep "\n" (lib.flatten (
|
||||
lib.mapAttrsToList (key: perms: ''
|
||||
garage bucket allow ${lib.escapeShellArg bucket} --key ${lib.escapeShellArg key} ${lib.escapeShellArgs (map (x: "--${x}") perms)}
|
||||
garage bucket deny ${lib.escapeShellArg bucket} --key ${lib.escapeShellArg key} ${lib.escapeShellArgs (map (x: "--${x}") (lib.subtractLists perms [ "read" "write" "owner" ]))}
|
||||
'') bCfg.allow
|
||||
))}
|
||||
|
||||
# quotas
|
||||
garage bucket set-quotas ${lib.escapeShellArg bucket} \
|
||||
--max-objects '${if bCfg.quotas.maxObjects == null then "none" else toString bCfg.quotas.maxObjects}' \
|
||||
--max-size '${if bCfg.quotas.maxSize == null then "none" else toString bCfg.quotas.maxSize}'
|
||||
|
||||
# website access
|
||||
garage bucket website ${if bCfg.web.enable then "--allow" else "--deny"} ${lib.escapeShellArg bucket}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.locksmith.providers.garage = {
|
||||
wantedBy = [ "garage-apply.service" ];
|
||||
after = [ "garage-apply.service" ];
|
||||
secrets = lib.mkMerge (lib.mapAttrsToList (key: kCfg: let
|
||||
common = {
|
||||
inherit (kCfg.locksmith) mode owner group nodes;
|
||||
|
|
10
cluster/services/storage/incandescence.nix
Normal file
10
cluster/services/storage/incandescence.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
incandescence.providers.garage = {
|
||||
objects = {
|
||||
key = lib.attrNames config.garage.keys;
|
||||
bucket = lib.attrNames config.garage.buckets;
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue