cluster/services/ipfs: expose pinning service API cluster endpoint

cluster/services/ipfs/cluster-pinsvc-credentials.age

@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A rEsyPlkI/erMN5MyGI8UNO7m+HzdVsm67biVV2Y4qAM
+ZkQaihDueXmULoYzdlJwTFcBLGdZcpuGU0mipzK8onc
+-> ssh-ed25519 5/zT0w zCwX+WpUi6RaETBuuJdhELWMwHEQqJ71/lyOc9bpuA0
+5Qd+zK35isst8JSIPR3Q8pCBnNDHZIqk3ULKYh+aeXg
+-> ssh-ed25519 d3WGuA 17XzCTxsN3m5b6HcnsKKQ3kRaAbXntjCAmBHFElPbgw
+/BfeszR7QC/RtbosavY4iYcGFDsSFb5ZZacO432ZQ/U
+-> ssh-ed25519 6YMlxg BBarBRrwupTR5lCz8J9pb0J5B49IaWcTFosqTmLTLj8
+a+pZ1w2yTSU6inbJIF38gDoqjp6/shpNZObbTkcDtTo
+-> WR-grease a :&8XH_h% \9P
+H1Wk7QamLxaz/U4eGY0BIw6hgcghDNR2GaZvliKY0tjHvelkcfApYMemHIpmj4iA
+fQjnP4vE0/f4ZQ
+--- joL5rMBVpItBmI/1/v/TJTBzFqivNhizvVbv16KLBAM
+x€T$±î¿Fô!ãÉõ°";+îBÆæ¦Y…—ƒÑMб2¯C
äÁ)ºÉtﺮ«<07>bª©ÍO’ðÚßÇ祿/s;ã1`CËKÔpALëÄè•ÛãÓÿ*¸·®É÷zH<>À·
+r/CŠ­¥ÿÕ–ì9â	*eǧþÆŒ©ªS—Õˆ~³¯Ó¦om$"RšÉ<C5A1>ø[9m–‰¾d<C2BE>óÌÇ‹÷	^âP5ý³Ûy3Œî¡¾é£<C3A9>÷¨ÿ`¥|-}%[f15oƒñJ\ƒ:_9ô‰î@r¢D\ˆ6OQ
ÓÿYÝ%Sî—‰p·GM²£}“Xô
+¯¹§Ê<EFBFBD>9‚‚<E2809A>ó…n958²
+!zþQ
+XÆë±…ÄÁ-ÖË™·»<Ätb5”t¥5°š›€xn8Xþ‰†Ûè“7
+¸u¾‰?'8üÛÜ{E§

cluster/services/ipfs/cluster.nix

@@ -1,6 +1,9 @@
-{ aspect, config, inputs, pkgs, ... }:
+{ aspect, config, inputs, lib, pkgs, tools, ... }:
 
 let
+  inherit (tools.meta) domain;
+  inherit (tools.nginx) vhosts;
+  cfg = config.services.ipfs-cluster;
   ipfsCfg = config.services.ipfs;
 
   apiSocket = "/run/ipfs-cluster/ipfs-cluster-api.sock";
@@ -11,8 +14,12 @@ in {
     aspect.modules.ipfs-cluster
   ];
 
-  age.secrets.ipfs-cluster-secret = {
-    file = ./cluster-secret.age;
+  age.secrets = {
+    ipfs-cluster-secret.file = ./cluster-secret.age;
+    ipfs-cluster-pinsvc-credentials = {
+      file = ./cluster-pinsvc-credentials.age;
+      owner = cfg.user;
+    };
   };
 
   services.ipfs-cluster = {
@@ -21,6 +28,7 @@ in {
     consensus = "crdt";
     dataDir = "/srv/storage/ipfs/cluster";
     secretFile = config.age.secrets.ipfs-cluster-secret.path;
+    pinSvcBasicAuthFile = config.age.secrets.ipfs-cluster-pinsvc-credentials.path;
     openSwarmPort = true;
     settings = {
       cluster = {
@@ -68,4 +76,11 @@ in {
       ];
     };
   };
+
+  services.nginx.virtualHosts."pin.${domain}" = vhosts.proxy "http://unix:${pinSvcSocket}";
+  users.users.nginx.extraGroups = [ cfg.group ];
+  security.acme.certs."pin.${domain}" = {
+    dnsProvider = "pdns";
+    webroot = lib.mkForce null;
+  };
 }

secrets.nix

@@ -10,6 +10,7 @@ in with hosts;
   "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/ipfs/cluster-secret.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/ipfs/cluster-pinsvc-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];