garage01: add Garage S3 service with Caddy HTTPS proxy

Configure Garage object storage on garage01 with S3 API, Vault secrets
for RPC secret and admin token, and Caddy reverse proxy for HTTPS access
at s3.home.2rjus.net via internal ACME CA. Includes flake entry, VM
definition, and Vault policy for the host.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

flake.nix

@@ -200,6 +200,15 @@
             ./hosts/nix-cache02
           ];
         };
+        garage01 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {
+            inherit inputs self;
+          };
+          modules = commonModules ++ [
+            ./hosts/garage01
+          ];
+        };
       };
       packages = forAllSystems (
         { pkgs }:

hosts/garage01/configuration.nix

@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../template2/hardware-configuration.nix
+
+    ../../system
+    ../../common/vm
+  ];
+
+  # Host metadata (adjust as needed)
+  homelab.host = {
+    tier = "test";  # Start in test tier, move to prod after validation
+    role = "storage";
+  };
+
+  homelab.dns.cnames = [ "s3" ];
+
+  # Enable Vault integration
+  vault.enable = true;
+
+  # Enable remote deployment via NATS
+  homelab.deploy.enable = true;
+
+  nixpkgs.config.allowUnfree = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  networking.hostName = "garage01";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = true;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.26/24"
+    ];
+    routes = [
+      { Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.tarball-ttl = 0;
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "25.11"; # Did you read the comment?
+}

hosts/garage01/default.nix

@@ -0,0 +1,6 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+    ../../services/garage
+  ];
+}

services/garage/default.nix

@@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+{
+  homelab.monitoring.scrapeTargets = [
+    {
+      job_name = "garage";
+      port = 3903;
+      metrics_path = "/metrics";
+    }
+    {
+      job_name = "caddy";
+      port = 9117;
+    }
+  ];
+
+  vault.secrets.garage-env = {
+    secretPath = "hosts/${config.networking.hostName}/garage";
+    extractKey = "env";
+    outputDir = "/run/secrets/garage-env";
+    services = [ "garage" ];
+  };
+
+  services.garage = {
+    enable = true;
+    package = pkgs.garage;
+    environmentFile = "/run/secrets/garage-env";
+    settings = {
+      metadata_dir = "/var/lib/garage/meta";
+      data_dir = "/var/lib/garage/data";
+      replication_factor = 1;
+      rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "garage01.home.2rjus.net:3901";
+      s3_api = {
+        api_bind_addr = "[::]:3900";
+        s3_region = "garage";
+        root_domain = ".s3.home.2rjus.net";
+      };
+      admin = {
+        api_bind_addr = "[::]:3903";
+      };
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    package = pkgs.unstable.caddy;
+    configFile = pkgs.writeText "Caddyfile" ''
+      {
+        acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
+        metrics
+      }
+
+      s3.home.2rjus.net {
+        reverse_proxy http://localhost:3900
+      }
+
+      http://garage01.home.2rjus.net:9117/metrics {
+        metrics
+      }
+    '';
+  };
+}

terraform/vault/hosts-generated.tf

@@ -39,6 +39,11 @@ locals {
         "secret/data/shared/homelab-deploy/*",
       ]
     }
+    "garage01" = {
+      paths = [
+        "secret/data/hosts/garage01/*",
+      ]
+    }
   
   }
 

terraform/vms.tf

@@ -93,6 +93,13 @@ locals {
       disk_size = "200G"
       vault_wrapped_token = "s.C5EuHFyULACEqZgsLqMC3cJB"
     }
+    "garage01" = {
+      ip        = "10.69.13.26/24"
+      cpu_cores = 2
+      memory    = 2048
+      disk_size = "30G"
+      vault_wrapped_token = "s.dtMKPT35AIrbyEiHf9c2UcsB"
+    }
   }
 
   # Compute VM configurations with defaults applied