VEGAS: add object storage service

2021-10-16 19:59:06 +02:00 · 2021-10-16 19:59:06 +02:00 · cf267ccbf8
commit cf267ccbf8
parent b22174e512
6 changed files with 101 additions and 0 deletions
--- a/hosts/VEGAS/services/object-storage/console.nix
+++ b/hosts/VEGAS/services/object-storage/console.nix
@ -0,0 +1,17 @@
+{ buildGoModule, fetchFromGitHub, lib }:
+
+buildGoModule rec {
+  pname = "minio-console";
+  version = "0.10.1";
+
+  src = fetchFromGitHub {
+    owner = "minio";
+    repo = "console";
+    rev = "v${version}";
+    sha256 = "sha256-exzWR5c0u4B+VF54Bp1mLoFOH/N+QnAUoIF2SQOx9l0=";
+  };
+
+  vendorSha256 = "sha256-K+/soCogskzz0C3Zjzrn3GtucefJMWsjPMvCCpghN1A=";
+
+  doCheck = false;
+}
--- a/hosts/VEGAS/services/object-storage/default.nix
+++ b/hosts/VEGAS/services/object-storage/default.nix
@ -0,0 +1,70 @@
+{ config, lib, pkgs, tools, ... }:
+with tools.nginx;
+let
+  addrSplit' = builtins.split ":" config.services.minio.listenAddress;
+  addrSplit = builtins.filter builtins.isString addrSplit';
+  host' = builtins.head addrSplit;
+  host = if host' == "" then "127.0.0.1" else host';
+  port = builtins.head (builtins.tail addrSplit);
+
+  minioConsole = pkgs.callPackage ./console.nix {};
+in
+{
+  age.secrets.minio-root-credentials = {
+    file = ../../../../secrets/minio-root-credentials.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
+  age.secrets.minio-console-secrets = {
+    file = ../../../../secrets/minio-console-secrets.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
+  services.minio = {
+    enable = true;
+    # requires https://github.com/NixOS/nixpkgs/pull/123834
+    # rootCredentialsFile = "/dev/null";
+    dataDir = [ "/srv/storage/objects" ];
+    browser = true;
+  };
+  systemd.services.minio.serviceConfig = {
+    EnvironmentFile = config.age.secrets.minio-root-credentials.path;
+    Slice = "remotefshost.slice";
+  };
+  services.nginx.virtualHosts = mappers.mapSubdomains {
+    # TODO: vhosts.proxy?
+    "object-storage" = vhosts.basic // {
+      locations = {
+        "/".proxyPass = "http://${host}:${port}";
+        "= /dashboard".proxyPass = "http://${host}:${port}";
+      };
+    };
+    "console.object-storage" = vhosts.basic // {
+      locations = {
+        "/".proxyPass = "http://127.0.0.1:39090";
+      };
+    };
+    "cdn" = lib.recursiveUpdate (vhosts.proxy "http://${host}:${port}/content-delivery$request_uri") {
+      locations."= /".return = "302 /index.html";
+    };
+  };
+  services.oauth2_proxy.nginx.virtualHosts = [ "console.object-storage.${tools.meta.domain}" ];
+  systemd.services.minio-console = {
+    enable = true;
+    wantedBy = [ "default.target" ];
+    serviceConfig = {
+      ExecStart = "${minioConsole}/bin/console server --port 39090";
+      EnvironmentFile = config.age.secrets.minio-console-secrets.path;
+      DynamicUser = true;
+      User = "minio-console";
+    };
+    environment = {
+      CONSOLE_MINIO_REGION = "us-east-1";
+      # TODO: external or internal?
+      CONSOLE_MINIO_SERVER = "https://object-storage.${tools.meta.domain}";
+    };
+    path = [ pkgs.glibc.bin ];
+  };
+}
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@ -29,6 +29,7 @@
      ./services/nfs
      ./services/mail
      ./services/matrix
+      ./services/object-storage
      ./services/warehouse
      ./services/websites
    ]
--- a/secrets/minio-console-secrets.age
+++ b/secrets/minio-console-secrets.age
--- a/secrets/minio-root-credentials.age
+++ b/secrets/minio-root-credentials.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A NbcM2V0dfRtx/U0J8eJZAUtBLkmhhsFGhr/oQQ+TCV0
+ZcSQRxJ+jCOQPUI8MkwBz/A9MRGOJB2RUdKvbbLEOSk
+-> ssh-ed25519 5/zT0w +gVO5WJaC98c47v5fqZ8UoKAzpBhUANbb/TXr1SQZno
+EeEZmGl/brew2oAZxXag16jNMi7KwyEqCoN/3irzTLQ
+-> ssh-ed25519 d3WGuA eKZVBSuBCDct9xNV7xb2HBBPxggy9mXqRp9/1TgdSGI
+HBeaJzW0L22RhgqQwCL3GPvZqQ7GRofuhNmTndBHF4s
+-> #ie-grease
+OJ2J5t7gGrOu4lqN2nBrbnFHvCyCZ7PL46WgA/cpNYzS
+--- M9W2ygmMMx2zmqXeDT1ytLqShYdJ/E7P6qllAAByKRw
+ž<EFBFBD>¡Sþ`‚>¬sCÄ)Ï>:bŽúŸ)ô«+ÂÎJ¢AæÙ¡Œý†H\Ìòl+uRS9æg%F¤Ó•2°¸Ì™ˆ¤|©@¹L¦™ˆWšD0pqp%mº*ìjk(5äfW2á¹³Œ=ûa#¨V<C2A8>.s¶
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -11,6 +11,8 @@ in with hosts;
  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
  "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
  "matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "minio-console-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "minio-root-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "nextcloud-adminpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "nextcloud-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];