From b2b6ab47999f9732a61c90aa967db2505b9bff9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Fri, 13 Feb 2026 21:24:25 +0100
Subject: [PATCH] garage01: add Garage S3 service with Caddy HTTPS proxy

Configure Garage object storage on garage01 with S3 API, Vault secrets for RPC secret and admin token, and Caddy reverse proxy for HTTPS access at s3.home.2rjus.net via internal ACME CA. Includes flake entry, VM definition, and Vault policy for the host.

Co-Authored-By: Claude Opus 4.6
---
 flake.nix | 9 ++++
 hosts/garage01/configuration.nix | 75 ++++++++++++++++++++++++++++++
 hosts/garage01/default.nix | 6 +++
 services/garage/default.nix | 61 ++++++++++++++++++++++++
 terraform/vault/hosts-generated.tf | 5 ++
 terraform/vms.tf | 7 +++
 6 files changed, 163 insertions(+)
 create mode 100644 hosts/garage01/configuration.nix
 create mode 100644 hosts/garage01/default.nix
 create mode 100644 services/garage/default.nix
diff --git a/flake.nix b/flake.nix
index 41881e0..222b88f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -200,6 +200,15 @@
 ./hosts/nix-cache02
 ];
 };
+ garage01 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs self;
+ };
+ modules = commonModules ++ [
+ ./hosts/garage01
+ ];
+ };
 };
 packages = forAllSystems (
 { pkgs }:
diff --git a/hosts/garage01/configuration.nix b/hosts/garage01/configuration.nix
new file mode 100644
index 0000000..35e5c93
--- /dev/null
+++ b/hosts/garage01/configuration.nix
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ ../template2/hardware-configuration.nix
+
+ ../../system
+ ../../common/vm
+ ];
+
+ # Host metadata (adjust as needed)
+ homelab.host = {
+ tier = "test"; # Start in test tier, move to prod after validation
+ role = "storage";
+ };
+
+ homelab.dns.cnames = [ "s3" ];
+
+ # Enable Vault integration
+ vault.enable = true;
+
+ # Enable remote deployment via NATS
+ homelab.deploy.enable = true;
+
+ nixpkgs.config.allowUnfree = true;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+
+ networking.hostName = "garage01";
+ networking.domain = "home.2rjus.net";
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+ networking.nameservers = [
+ "10.69.13.5"
+ "10.69.13.6"
+ ];
+
+ systemd.network.enable = true;
+ systemd.network.networks."ens18" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "10.69.13.26/24"
+ ];
+ routes = [
+ { Gateway = "10.69.13.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ time.timeZone = "Europe/Oslo";
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ nix.settings.tarball-ttl = 0;
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ git
+ ];
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ system.stateVersion = "25.11"; # Did you read the comment?
+}
\ No newline at end of file
diff --git a/hosts/garage01/default.nix b/hosts/garage01/default.nix
new file mode 100644
index 0000000..337c309
--- /dev/null
+++ b/hosts/garage01/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ imports = [
+ ./configuration.nix
+ ../../services/garage
+ ];
+}
\ No newline at end of file
diff --git a/services/garage/default.nix b/services/garage/default.nix
new file mode 100644
index 0000000..e5cc0dd
--- /dev/null
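Review bot: `networking.firewall.enable = false;` leaves every listener on this host reachable from the network, and in the same patch services/garage/default.nix binds the S3 API (3900), RPC (3901) and admin API (3903) on `[::]`, so the plaintext S3 endpoint and the admin API are exposed alongside the Caddy HTTPS front end rather than only through it. Consider `networking.firewall.enable = true;` with `networking.firewall.allowedTCPPorts = [ 443 3901 3903 9117 ];` (443 for Caddy, 3901 for Garage RPC, 3903/9117 for the metrics scrapes the service module declares — presumably scraped remotely), or bind the S3/admin APIs to loopback in the service module. Separately, `../template2/hardware-configuration.nix` reuses another host's hardware profile; if that is intentional a comment such as `# Shared hardware profile for template2-based VMs` would save the next reader a check.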
+++ b/services/garage/default.nix
@@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+{
+ homelab.monitoring.scrapeTargets = [
+ {
+ job_name = "garage";
+ port = 3903;
+ metrics_path = "/metrics";
+ }
+ {
+ job_name = "caddy";
+ port = 9117;
+ }
+ ];
+
+ vault.secrets.garage-env = {
+ secretPath = "hosts/${config.networking.hostName}/garage";
+ extractKey = "env";
+ outputDir = "/run/secrets/garage-env";
+ services = [ "garage" ];
+ };
+
+ services.garage = {
+ enable = true;
+ package = pkgs.garage;
+ environmentFile = "/run/secrets/garage-env";
+ settings = {
+ metadata_dir = "/var/lib/garage/meta";
+ data_dir = "/var/lib/garage/data";
+ replication_factor = 1;
+ rpc_bind_addr = "[::]:3901";
+ rpc_public_addr = "garage01.home.2rjus.net:3901";
+ s3_api = {
+ api_bind_addr = "[::]:3900";
+ s3_region = "garage";
+ root_domain = ".s3.home.2rjus.net";
+ };
+ admin = {
+ api_bind_addr = "[::]:3903";
+ };
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ package = pkgs.unstable.caddy;
+ configFile = pkgs.writeText "Caddyfile" ''
+ {
+ acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+ metrics
+ }
+
+ s3.home.2rjus.net {
+ reverse_proxy http://localhost:3900
+ }
+
+ http://garage01.home.2rjus.net:9117/metrics {
+ metrics
+ }
+ '';
+ };
+}
diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf
index adc5489..7172d20 100644
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -39,6 +39,11 @@ locals {
 "secret/data/shared/homelab-deploy/*",
 ]
 }
+ "garage01" = {
+ paths = [
+ "secret/data/hosts/garage01/*",
+ ]
+ }
 }
diff --git a/terraform/vms.tf b/terraform/vms.tf
index ef1551d..62d27a2 100644
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
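Review bot: `api_bind_addr = "[::]:3900"` under `s3_api` serves the plaintext S3 API on every interface, so the Caddy HTTPS front end (which proxies to `http://localhost:3900`) can be bypassed, and the admin API on `[::]:3903` is exposed network-wide as well. Since only the local Caddy needs to reach the S3 port, binding it to loopback closes that path: `api_bind_addr = "127.0.0.1:3900";` paired with `reverse_proxy http://127.0.0.1:3900`; the admin bind can stay as it is only if the remote scrape on port 3903 in `scrapeTargets` is what the `[::]` bind is for, which deserves a comment. Separately, `root_domain = ".s3.home.2rjus.net"` enables vhost-style bucket addressing on `*.s3.home.2rjus.net`, but the Caddyfile only serves `s3.home.2rjus.net` and the host's DNS CNAME is just `s3`, so vhost-style requests presumably never reach the proxy; either add a wildcard site (which needs a wildcard certificate and DNS record) or document the limitation with `# path-style access only; vhost-style needs *.s3 DNS and a wildcard cert` above `root_domain`.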
@@ -93,6 +93,13 @@ locals {
 disk_size = "200G"
 vault_wrapped_token = "s.C5EuHFyULACEqZgsLqMC3cJB"
 }
+ "garage01" = {
+ ip = "10.69.13.26/24"
+ cpu_cores = 2
+ memory = 2048
+ disk_size = "30G"
+ vault_wrapped_token = "s.dtMKPT35AIrbyEiHf9c2UcsB"
+ }
 }
 # Compute VM configurations with defaults applied
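Review bot: `vault_wrapped_token = "s.dtMKPT35AIrbyEiHf9c2UcsB"` commits a live Vault credential to the repository; this follows the existing entries in the block (see the `s.C5Eu…` context line above) and a wrapped token is presumably single-use with a short TTL, but until it is unwrapped it is exposed to everyone with repository read access, and the value remains in history afterwards. Consider supplying it through a `sensitive = true` variable (set via `TF_VAR_` in the provisioning environment) rather than a literal, and note the lifecycle in a comment, e.g. `# wrapped token: single-use, consumed by the VM on first boot`. The `locals` block continues outside the hunk.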