privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/storage: declarative garage keys and buckets

Browse source
This commit is contained in:
Max Headroom 2023-09-04 02:50:09 +02:00
parent 95375b7fda
commit f4779a8512
1 changed files with 183 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

211
cluster/services/storage/garage-options.nix
View file

@ -1,9 +1,9 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.services.garage; cfg = config.services.garage;
garageShellLibrary = /*bash*/ '' garageShellLibrary = pkgs.writeText "garage-shell-library.sh" ''
getNodeId() { getNodeId() {
nodeId="" nodeId=""
while [[ -z "$nodeId" ]]; do while [[ -z "$nodeId" ]]; do
@ -20,58 +20,213 @@ let
sleep 1 sleep 1
done done
} }
waitForGarageOperational() {
waitForGarage
while garage layout show | grep -qwm1 '^Current cluster layout version: 0'; do
sleep 1
done
}
# FIXME: returns bogus empty string when one of the lists is empty
diffAdded() {
comm -13 <(printf '%s\n' $1 | sort) <(printf '%s\n' $2 | sort)
}
diffRemoved() {
comm -23 <(printf '%s\n' $1 | sort) <(printf '%s\n' $2 | sort)
}
# FIXME: this does not handle list items with spaces
listKeys() {
garage key list | tail -n +2 | grep -ow '[^ ]*$' || true
}
ensureKeys() {
old="$(listKeys)"
if [[ -z "$1" ]]; then
for key in $old; do
garage key delete --yes "$key"
done
elif [[ -z "$old" ]]; then
for key in $1; do
# don't print secret key
garage key new --name "$key" >/dev/null
echo Key "$key" was created.
done
else
diffAdded "$old" "$1" | while read key; do
# don't print secret key
garage key new --name "$key" >/dev/null
echo Key "$key" was created.
done
diffRemoved "$old" "$1" | while read key; do
garage key delete --yes "$key"
done
fi
}
listBuckets() {
garage bucket list | tail -n +2 | grep -ow '^ *[^ ]*' | tr -d ' ' || true
}
ensureBuckets() {
old="$(listBuckets)"
if [[ -z "$1" ]]; then
for bucket in $old; do
garage bucket delete --yes "$bucket"
done
elif [[ -z "$old" ]]; then
for bucket in $1; do
garage bucket create "$bucket"
done
else
diffAdded "$old" "$1" | while read bucket; do
garage bucket create "$bucket"
done
diffRemoved "$old" "$1" | while read bucket; do
garage bucket delete --yes "$bucket"
done
fi
}
''; '';
in in
{ {
options.services.garage.layout = { options.services.garage = with lib; {
initial = lib.mkOption { layout.initial = mkOption {
default = {}; default = {};
type = with lib.types; attrsOf (submodule { type = with types; attrsOf (submodule {
options = { options = {
zone = lib.mkOption { zone = mkOption {
type = lib.types.str; type = types.str;
}; };
capacity = lib.mkOption { capacity = mkOption {
type = lib.types.ints.positive; type = types.ints.positive;
}; };
}; };
}); });
}; };
keys = mkOption {
type = with types; attrsOf (submodule {
options.allow = {
createBucket = mkOption {
description = "Allow the key to create new buckets.";
type = bool;
default = false;
};
};
});
default = {};
};
buckets = mkOption {
type = with types; attrsOf (submodule {
options = {
allow = mkOption {
description = "List of permissions to grant on this bucket, grouped by key name.";
type = attrsOf (listOf (enum [ "read" "write" "owner" ]));
default = {};
};
quotas = {
maxObjects = mkOption {
description = "Maximum number of objects in this bucket. Null for unlimited.";
type = nullOr ints.positive;
default = null;
};
maxSize = mkOption {
description = "Maximum size of this bucket in bytes. Null for unlimited.";
type = nullOr ints.positive;
default = null;
};
};
};
});
default = {};
};
}; };
config = { config = {
system.extraIncantations = { system.extraIncantations = {
runGarage = i: script: i.execShellWith [ config.services.garage.package ] '' runGarage = i: script: i.execShellWith [ config.services.garage.package ] ''
${garageShellLibrary} source ${garageShellLibrary}
waitForGarage waitForGarage
${script} ${script}
''; '';
}; };
systemd.services.garage-layout-init = { systemd.services = {
distributed.enable = true; garage-layout-init = {
wantedBy = [ "garage.service" ]; distributed.enable = true;
after = [ "garage.service" ]; wantedBy = [ "garage.service" "multi-user.target" ];
path = [ config.services.garage.package ]; wants = [ "garage.service" ];
after = [ "garage.service" ];
path = [ config.services.garage.package ];
serviceConfig = { serviceConfig = {
TimeoutStartSec = "1800s"; Type = "oneshot";
TimeoutStartSec = "1800s";
Restart = "on-failure";
RestartSec = "10s";
};
script = ''
source ${garageShellLibrary}
waitForGarage
if [[ "$(garage layout show | grep -m1 '^Current cluster layout version:' | cut -d: -f2 | tr -d ' ')" != "0" ]]; then
exit 0
fi
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: layout: ''
garage layout assign -z '${layout.zone}' -c '${toString layout.capacity}' "$(getNodeId '${name}')"
'') cfg.layout.initial)}
garage layout apply --version 1
'';
}; };
script = '' garage-apply = {
${garageShellLibrary} distributed.enable = true;
waitForGarage wantedBy = [ "garage.service" "multi-user.target" ];
wants = [ "garage.service" ];
after = [ "garage.service" "garage-layout-init.service" ];
path = [ config.services.garage.package ];
if [[ "$(garage layout show | grep -m1 '^Current cluster layout version:' | cut -d: -f2 | tr -d ' ')" != "0" ]]; then serviceConfig = {
exit 0 Type = "oneshot";
fi TimeoutStartSec = "1800s";
Restart = "on-failure";
RestartSec = "10s";
};
script = ''
source ${garageShellLibrary}
waitForGarageOperational
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: layout: '' ensureKeys '${lib.concatStringsSep " " (lib.attrNames cfg.keys)}'
garage layout assign -z '${layout.zone}' -c '${toString layout.capacity}' "$(getNodeId '${name}')" ensureBuckets '${lib.concatStringsSep " " (lib.attrNames cfg.buckets)}'
'') cfg.layout.initial)}
garage layout apply --version 1 # key permissions
''; ${lib.pipe cfg.keys [
(lib.mapAttrsToList (key: kCfg: ''
garage key ${if kCfg.allow.createBucket then "allow" else "deny"} '${key}' --create-bucket >/dev/null
''))
(lib.concatStringsSep "\n")
]}
# bucket permissions
${lib.pipe cfg.buckets [
(lib.mapAttrsToList (bucket: bCfg:
lib.mapAttrsToList (key: perms: ''
garage bucket allow '${bucket}' --key '${key}' ${lib.escapeShellArgs (map (x: "--${x}") perms)}
garage bucket deny '${bucket}' --key '${key}' ${lib.escapeShellArgs (map (x: "--${x}") (lib.subtractLists perms [ "read" "write" "owner" ]))}
'') bCfg.allow
))
lib.flatten
(lib.concatStringsSep "\n")
]}
# bucket quotas
${lib.pipe cfg.buckets [
(lib.mapAttrsToList (bucket: bCfg: ''
garage bucket set-quotas '${bucket}' \
--max-objects '${if bCfg.quotas.maxObjects == null then "none" else toString bCfg.quotas.maxObjects}' \
--max-size '${if bCfg.quotas.maxSize == null then "none" else toString bCfg.quotas.maxSize}'
''))
(lib.concatStringsSep "\n")
]}
'';
};
}; };
}; };
} }