From 2bdfb3e1a295fe41f1e53d14a60c87a638f78359 Mon Sep 17 00:00:00 2001
From: cy
Date: Sat, 11 Jan 2025 23:18:22 -0500
Subject: [PATCH] bring back garage (#1) make it work with my fork
Reviewed-on: https://git.cy7.sh/cy/infra/pulls/1
---
 .sops.yaml | 5 +++++
 flake.lock | 17 +++++++++++++++++
 flake.nix | 5 +++++
 hosts/chunk/Caddyfile | 10 ++++++++++
 hosts/chunk/default.nix | 5 +++++
 hosts/chunk/garage.nix | 18 ++++++++++++++++++
 hosts/chunk/rclone.nix | 18 ++++++++++++++++++
 secrets/services/garage.yaml | 31 +++++++++++++++++++++++++++++++
 8 files changed, 109 insertions(+)
 create mode 100644 hosts/chunk/garage.nix
 create mode 100644 secrets/services/garage.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 4966beb..3cfb014 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -98,3 +98,8 @@ creation_rules:
 - age:
 - *chunk
 - *cy
+ - path_regex: secrets/services/garage.yaml
+ key_groups:
+ - age:
+ - *chunk
+ - *cy
diff --git a/flake.lock b/flake.lock
index e48dca5..554b079 100644
--- a/flake.lock
+++ b/flake.lock
@@ -422,6 +422,22 @@ "type": "github" } }, + "nixpkgs-garage": { + "locked": { + "lastModified": 1736655158, + "narHash": "sha256-1ZVtf+4BvqJrGGXBQEjAxjKWSaoySVt46un4pN1zH5g=", + "owner": "cything", + "repo": "nixpkgs", + "rev": "b7bc158e553db4031ce6242e341e64e1023ec86a", + "type": "github" + }, + "original": { + "owner": "cything", + "ref": "garage-module", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1710695816,
@@ -525,6 +541,7 @@ "nixpkgs": "nixpkgs", "nixpkgs-borg": "nixpkgs-borg", "nixpkgs-btrbk": "nixpkgs-btrbk", + "nixpkgs-garage": "nixpkgs-garage", "nixvim": "nixvim", "sops-nix": "sops-nix", "treefmt": "treefmt"
diff --git a/flake.nix b/flake.nix
index 38b3382..e84606c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,6 +31,7 @@
 nixpkgs-borg.url = "github:cything/nixpkgs/borg"; # unmerged PR
 nixpkgs-btrbk.url = "github:cything/nixpkgs/btrbk"; # unmerged PR
 eza.url = "github:nixos/nixpkgs/d722e8ce81cf103280ce1ff65accb3fc25cbd2ba";
+ nixpkgs-garage.url = "github:cything/nixpkgs/garage-module";
 };
 nixConfig = {
@@ -142,10 +143,14 @@
 modules = [
 {
 nixpkgs = { inherit pkgs; };
+ disabledModules = [
+ "services/web-servers/garage.nix"
+ ];
 }
 ./hosts/chunk
 inputs.sops-nix.nixosModules.sops
 ./modules
+ (inputs.nixpkgs-garage + "/nixos/modules/services/web-servers/garage.nix")
 ];
 };
diff --git a/hosts/chunk/Caddyfile b/hosts/chunk/Caddyfile
index 6d2916d..d9a069d 100644
--- a/hosts/chunk/Caddyfile
+++ b/hosts/chunk/Caddyfile
@@ -77,3 +77,13 @@ cache.cything.io {
 import common
 reverse_proxy localhost:8090
 }
+
+s3.cy7.sh {
+ import common
+ reverse_proxy localhost:3900
+}
+
+admin.s3.cy7.sh {
+ import common
+ reverse_proxy localhost:3903
+}
diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index 287b57b..edb153b 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@@ -25,6 +25,7 @@
 ./element.nix
 ./attic.nix
 ./forgejo.nix
+ ./garage.nix
 ];
 sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -65,6 +66,10 @@
 "attic/env" = {
 sopsFile = ../../secrets/services/attic.yaml;
 };
+
+ "garage/env" = {
+ sopsFile = ../../secrets/services/garage.yaml;
+ };
 };
 boot.loader.grub.enable = true;
diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix
new file mode 100644
index 0000000..aac9396
--- /dev/null
+++ b/hosts/chunk/garage.nix
@@ -0,0 +1,18 @@
+{config, pkgs, ...}: {
+ services.garage = {
+ enable = true;
+ package = pkgs.garage;
+ settings = {
+ data_dir = "/mnt/garage";
+ s3_api = {
+ s3_region = "earth";
+ api_bind_addr = "[::]:3900";
+ };
+ admin.api_bind_addr = "[::]:3903";
+ rpc_bind_addr = "[::]:3901";
+ replication_factor = 1;
+ db_engine = "lmdb";
+ };
+ environmentFile = config.sops.secrets."garage/env".path;
+ };
+}
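Review bot: The new `nixpkgs-garage` input in the first hunk follows a branch (`garage-module`) and, unlike the two fork inputs above it, has no comment saying why the fork is needed. The second hunk disables the stock `services/web-servers/garage.nix` and imports the fork's copy into the chunk system, so the next lock update pulls whatever that branch then points at into the host's configuration. flake.lock pins `b7bc158e553db4031ce6242e341e64e1023ec86a` today; pinning the URL the way the `eza` line does keeps a routine update from moving it: `nixpkgs-garage.url = "github:cything/nixpkgs/b7bc158e553db4031ce6242e341e64e1023ec86a"; # fork carrying the garage module used by hosts/chunk`. Both hunks sit inside attribute sets that open and close outside the visible lines.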
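Review bot: The `admin.s3.cy7.sh` block publishes Garage's admin API (port 3903) on a public hostname, and nothing in the block limits who can reach it. What the `common` snippet does is not visible here and the tokens in the encrypted environment file cannot be checked from the diff, so access control may rest entirely on Garage's bearer tokens; Garage serves its metrics endpoint without authentication when no metrics token is configured. If the admin API is only used from the host or a known network, consider dropping this site block or adding a `remote_ip` matcher that rejects other sources, and add a comment naming the clients that are expected to use it.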
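Review bot: `api_bind_addr`, `admin.api_bind_addr` and `rpc_bind_addr` all listen on `[::]`, every interface, although the Caddyfile in this commit proxies to `localhost:3900` and `localhost:3903`. Unless the host firewall (not shown) blocks those ports, the S3 and admin APIs are reachable directly over plain HTTP without passing through Caddy, and the RPC port is exposed even though `replication_factor = 1` suggests a single node. Binding the two HTTP listeners to loopback closes that: `api_bind_addr = "[::1]:3900";` and `admin.api_bind_addr = "[::1]:3903";`, and the same for `rpc_bind_addr` if no other node is meant to join. Confirm that Caddy's `localhost` upstream resolves to the address family you bind.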
diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix
index ba9e45d..be833af 100644
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
@@ -38,5 +38,23 @@
 ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/attic";
 };
 };
+
+ systemd.services.garage-mount = {
+ enable = true;
+ description = "Mount the garage data remote";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ requiredBy = [ "garage.service" ];
+ before = [ "garage.service" ];
+ serviceConfig = {
+ Type = "notify";
+ ExecStartPre = "/usr/bin/env mkdir -p /mnt/garage";
+ ExecStart = "${lib.getExe pkgs.rclone} mount --config ${
+ config.sops.secrets."rclone/config".path
+ } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 5G --allow-other rsyncnet:garage /mnt/garage ";
+ ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/garage";
+ };
+ };
+ programs.fuse.userAllowOther = true;
 }
diff --git a/secrets/services/garage.yaml b/secrets/services/garage.yaml
new file mode 100644
index 0000000..d84d4af
--- /dev/null
+++ b/secrets/services/garage.yaml
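Review bot: `ExecStart` mounts Garage's `data_dir` with `--allow-other` and no `--umask`, `--uid` or `--gid`, so every local account on the host can reach `/mnt/garage` with whatever permissions rclone's defaults give, and that directory holds the stored objects' data blocks. If the garage unit runs under a fixed user, narrow the mount, e.g. `--uid <garage-uid> --gid <garage-gid> --umask 077` (placeholders; the unit's user is not visible in this commit). A comment is also worth adding on `--vfs-cache-mode writes`: a write completes once it reaches the local cache under `/var/cache/rclone`, so with `replication_factor = 1` anything not yet uploaded exists only on this host. The enclosing attribute set opens outside the hunk.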
@@ -0,0 +1,31 @@ +garage: + env: ENC[AES256_GCM,data:miNp4SJ9xuMXSEIJYCZFWM96enAh8uwCxv0ySn2Jbp5V4Iso2uZ2R9dXqSS7y60pRq+bbXPYbBxBnmb+fhjvB7TdCLPom9CKSY8zMI7n/p1IE4qUFvzCG4ejV6BIsh/887BjzAx1UNcRG/9eUNcMfTu58wQwKmIzr1iu5pD+IlLHa+0/orpZKssQ2Ba1hMwLOAXp,iv:zgkGikunB4zQ4CfGgEd1DmLgYpEREJhoX4oT/zK3mI8=,tag:ohpZWF/lPHQc010mteJZDw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIemdMVVE4alZ2MElWeUpj + TjNhL2VYL2dwMmN0VzJxVGwzWHgvbm82QWtjCk1pem5SdzFpR0dRci80emo1VlVu + VWtWMVpoN2M4NUphcTgxeTB6aU83bjAKLS0tIGlJanA1TFBnaE9PTmRnQWVidE53 + elRZaFVaZ1VTRU1MbWlqSkJNZG1oRW8K8IupEpJzC0CJGpxSTssiFrQgdHAzCW4I + IlvYdZkUou/6km5OMnsFqhqEqIjAwVuJ08YiNzAv67ZzTG0ThD133A== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiemRZRmF1NWozM1RFS2Z2 + bld5V0lTS3V1OW1SU0VaR2IzZjJmbEtJVkhjCnBVKzFYUXYveGdkSTVmbzRldGRo + eVAxWXQ1TzczVjZiQ2NsUEk3YmhGNk0KLS0tIG04d0FDYXF1MU5ab3ZMTmpCUWNa + WTQ3dWs4enQrc2F3K3AvMUQvWEh6RDgKxJl3ftSpIrK+45LzjX9gIy41Lv+bcZsV + 7rriUhKAtaCXsQcO6Povif7zJyCROYhC0sgpRhmMKoN76TAH3zxvag== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-08T20:44:32Z" + mac: ENC[AES256_GCM,data:rVv9sNYb9Fttm5IjonAZBmcrCqC1cAp2sjMJDZ3JMt+YeyiCUI6jsXSGAc3pgP+7vvaTvDvdNwlAa5axxA72omE4eAK+9me0RLI75vA4UGrh3KiB4qrHK6H6qMUFg92uhKFo+uhtxERIV5/HSwbZPBT2R0pbSSQzTKk5U9UuJsY=,iv:CRSEqphlBsHwPvwXlTQui5U4fsXWgWnZ+8KYFAyVRlg=,tag:82mxRsp5uCo235jzJNK8LQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2