commit 195ef05e23ce2f4d59df1eb4d0822131b98b3385 · soopy.moe/gensokyo

+6 -3

creds/sops/koumakan/default.yaml

···

       80
       80
        
           s3:

     

       81
       81
        
               access_key: ENC[AES256_GCM,data:dwV+xA+2MYAizNMuHZptqDFv62s=,iv:MDmcEGAA3gdhDBA4ie4A5nlBwJElek/7qSvzFrGP9FI=,tag:pDIU8LTNagJrVwPw700XQQ==,type:str]

     

       82
       82
        
               access_secret: ENC[AES256_GCM,data:ID9NA21++yUNmF/UGWudyxXuZXbMPfViGnariYe8H06aKZias9OK2A==,iv:PMXdLwkz+JpBJ0ZrVwaUdcqDxew/+Yv9AbVrX1EUfWE=,tag:4puu4oyZVGdfvaZpkdKFFQ==,type:str]

     

       83
       83
       +
       minio:

     

       84
       84
       +
           root_user: ENC[AES256_GCM,data:q+w4FgnCA2QxWsxM,iv:NojzSMmZ2yq7VyPn7fOYauLpgMOE0NGCyTUQ6slGN2Q=,tag:5FfjO4KH8XfLuymxDgV2iA==,type:str]

     

       85
       85
       +
           root_pass: ENC[AES256_GCM,data:oh/VQDU1dR9YLribrhZeVJxMoY9/7Ri8bloM650j6Ut/vHF6BB4NYY94RngkBYRVkHplF9oKx+Ey13kMyIPvC+EvPczoWKCHJ4pJqq3GgWigFp7ufUDdvY4hBjW7SU7fk0wYOjZYH2JlLqjmU0MsVKSqt66Rq9Si0MU7VACNrJzYDe6KbCbL/YT3DmTvBpPR6ysLCE525rH7Tg2LVyn775Si+vo+KGC5gqGMlw==,iv:8pbJMeuDIcvkI8Uda30i8ote/PRUSSAmaua22gQmbHc=,tag:6hNvVytKXbjrKZMKkQ5pEA==,type:str]

     

       83
       86
        
       sops:

     

       84
       87
        
           age:

     

       85
       88
        
               - recipient: age1l3qxt6630dzesdclfm3eqgw3uuhwj09dh6typwlwr6clcv0qhfrqgtj2fk

     
···

       109
       112
        
                   QUlVNExmVGd2QXJwVmRGa0JvMmtocEUK7Zo0Mtj3oZm5Etp61cGbLs+2XP97pjR6

     

       110
       113
        
                   rtfHnuxceJj0+yBugfwgFD1TGJ+6M7z5YCwTx+GAvbPDrmSm2TGrwg==

     

       111
       114
        
                   -----END AGE ENCRYPTED FILE-----

     

       112
       112
       -
           lastmodified: "2025-04-07T08:00:02Z"

     

       113
       113
       -
           mac: ENC[AES256_GCM,data:q0y16grUnIP1EteFS0UrAQN77U6IM00ADbTMoPZek2gklsc9EQnRMfne1sRFfAxxVB9lWRVrmIfWFAZ9SdyQs/sGPrbbzqNT1gGggvgCTcATNUprybMnno4iUDhWjn2B2d6sM4Y9HdcDEKuEnz9JjvVfOQyd95uvMjA8rBAt7rE=,iv:yT9icU+kQUUdBtmLnCQIfk5xSqHfsr1y2XZxIgCqtxY=,tag:bqxuI/KSmnLWODsB6830CQ==,type:str]

     

       115
       115
       +
           lastmodified: "2025-05-10T16:10:38Z"

     

       116
       116
       +
           mac: ENC[AES256_GCM,data:HZAsp6PS6k8Boz95d4zU+14fY2KEpVXIcLRkQXFiXYaaA3lN1i7onh4E5tjcDLFGD7qHOzDjlgRVkNwxpCjKg4LB587eJG1umviClFvZOf/vbkF+fSn2dtwUFRgW5SRIHRsMJ0NL6N+uKM51qWmjAoLxvUMbl/A5zeh0TJeMdEs=,iv:yPZGnF7C6fYImugWMhOpd88nTmBCI+0e128Ssz8oB34=,tag:cJN7BmmgRvEHKu8CDfLwVw==,type:str]

     

       114
       117
        
           unencrypted_suffix: _unencrypted

     

       115
       115
       -
           version: 3.10.0

     

       118
       118
       +
           version: 3.10.2

+3 -11

creds/sops/renko/default.yaml

···

       1
       1
        
       vmetrics:

     

       2
       2
        
           auth: ENC[AES256_GCM,data:oxbj18DlfPJ+PEdIj6YEdF66ZZNar1l9Mak0Bmqu2AOZWlhCo2aRlrcGfvs7mORplvQmcfh5MwjTqGExjQX4ke28SZ7pszoLMGM3XR2BdedPNsO0KcI/zV19dAL1wijBr1c2qqDJGqqO1P0UzLaUbonl9bskG8L9+lB2pr8aU7z1Unejd/Qq2Ae/3x9Ku82deeP5jGWJkeUae9wADEsBPdbqRbv1bpW5zzmc2A==,iv:x65jPFbodvp3/v09OJ0BIgxMUFOLBkpiKRVMoB8seP4=,tag:wz5UVNBJoSl2994GYjVgpA==,type:str]

     

       3
       3
        
           minio_token: ENC[AES256_GCM,data:2joZcYZKcPv7jAlFP+r2xr1840Nv62vWjgE+VvkaIoYlA0Pjg4HWp8qZyEjeJTIOBvmS91RDgooZ7aOmXtZL7venWeMiMyR8k/58+uic3aNg+u5hen461qfYnseQa5bNv2zxXAMVpJG/cAVbnDAk5L1XIX5+GOnGCHC1BXH+xoyp+5ue3DGKeCitJgDBiuEfg68/UiJnQXGAjFe7ZzZX5NTSeb0ktBkxSKHT/Zk7pfoVjY+nzd0he2LVaLKu/qzmSMs3eew2pCHL2BHX7VmF7fDlDfg=,iv:akHyfu47u5luyfzfyFBrkMVmuw+S89LI0wVKNbbHOnQ=,tag:FFVBVNoY3h42c6fUL/v7oQ==,type:str]

     

       4
       4
       -
       minio:

     

       5
       5
       -
           root_user: ENC[AES256_GCM,data:yOb0rhdGKjvFe1vX,iv:cKpsXvA660YL0+ut6cOOmXunFhserBOJslVehITNyog=,tag:7Ak5YnVxlGl7bacFWuoyyg==,type:str]

     

       6
       6
       -
           root_pass: ENC[AES256_GCM,data:WR1nmwMZSKyiB+hG9zsYeDIlwLU5evSplS+F8hWnK/F8OdlrUgdgpAr6hHSHNv7k82cOtycKRUq0JlhKFVzQTcjvvGOPt5ftg1lteGJ+Nc0MYm5MHs+jfh3G5M+/9w7wnWgi6pYjWSjGKBPL0pIdR/bTYkzNbPGrYOIqhUjeaKYOXJTF77OypJAkCGijeKcTLkrf0j+5My1k4GiVHWbo09o9EryiJT+YuDdoBw==,iv:wWIk7CuOeN0V1qrICoKNGuXZdbXmK0niFFQvgJJdKNw=,tag:7KS2x+/qkqy5y4LqWNIsVw==,type:str]

     

       7
       4
        
       sops:

     

       8
       8
       -
           kms: []

     

       9
       9
       -
           gcp_kms: []

     

       10
       10
       -
           azure_kv: []

     

       11
       11
       -
           hc_vault: []

     

       12
       5
        
           age:

     

       13
       6
        
               - recipient: age1l3qxt6630dzesdclfm3eqgw3uuhwj09dh6typwlwr6clcv0qhfrqgtj2fk

     

       14
       7
        
                 enc: |

     
···

       37
       30
        
                   S2duS3ZmMVZJYW9HOERMc1FadlZIekEKaXDFW+Szv9WlqQMIr6Mc5qYlMyt8M19u

     

       38
       31
        
                   DmMZu5Mzl2bLQK5LQvT/iLktWZZidYKfOuP73HpAFf8iIhYXBOLKMQ==

     

       39
       32
        
                   -----END AGE ENCRYPTED FILE-----

     

       40
       40
       -
           lastmodified: "2025-03-25T02:16:32Z"

     

       41
       41
       -
           mac: ENC[AES256_GCM,data:gpy2VdrwuRrcv00wdB5JTxwMelOmoj00Uim754mqGHUMHNpf85e3UJPH5YxzKcchzx1ArV6T1k+US5BwVpuiTJiUwqeusugg7iuzzz1+NNkNC4lQbVsH439a+r6tvNL53VOVu2eLYZLcKJAJOpcSnQ/QjBhqiP1+0hqjXfnz1MY=,iv:a8eSM2QVT75RHu5aw40IrG4pOYvkoSfm5KMlNLwaKCc=,tag:OQ4jpDQFzyDDtb7uzNMc4w==,type:str]

     

       42
       42
       -
           pgp: []

     

       33
       33
       +
           lastmodified: "2025-05-10T16:10:22Z"

     

       34
       34
       +
           mac: ENC[AES256_GCM,data:PoMbrYVUes8rLfPFnSmFLRSSYieIqe/A7vvNoaKiGah5B6JANkGSI33r/4cJJ+I6k0PXgg3fKJ10c4iA36PlJrp8Jn0KljJbhAQjYtjQEmmvjZ6YMkL26R/I5m9FlqzZwCxv4pMmB7Npzo3LDa4plVdYEVHlQHGS8jFGr3miqJI=,iv:9hV4cacbPFu6HEXHogg/WL9o5rIIENisSVdTq9fpvkU=,tag:0PgsrN6eVQK3lxQqy5yLfw==,type:str]

     

       43
       35
        
           unencrypted_suffix: _unencrypted

     

       44
       44
       -
           version: 3.9.4

     

       36
       36
       +
           version: 3.10.2

+31 -1

systems/koumakan/services/proxies/minio.nix

···

       1
       1
        
       {

     

       2
       2
        
         _utils,

     

       3
       3
       +
         config,

     

       3
       4
        
         inputs,

     

       4
       5
        
         ...

     

       5
       6
        
       }:

     

       7
       7
       +
       let

     

       8
       8
       +
         secrets = _utils.setupSecrets config {

     

       9
       9
       +
           namespace = "minio";

     

       10
       10
       +
           secrets = [

     

       11
       11
       +
             "root_user"

     

       12
       12
       +
             "root_pass"

     

       13
       13
       +
           ];

     

       14
       14
       +
         };

     

       15
       15
       +
       in

     

       6
       16
        
       {

     

       17
       17
       +
         imports = [

     

       18
       18
       +
           secrets.generate

     

       19
       19
       +
           (secrets.mkTemplate "minio.env" ''

     

       20
       20
       +
             MINIO_ROOT_USER=${secrets.placeholder "root_user"}

     

       21
       21
       +
             MINIO_ROOT_PASSWORD=${secrets.placeholder "root_pass"}

     

       22
       22
       +
           '')

     

       23
       23
       +
         ];

     

       24
       24
       +
       

     

       25
       25
       +
         services.minio = {

     

       26
       26
       +
           enable = true;

     

       27
       27
       +
           region = "ap-east-1";

     

       28
       28
       +
           listenAddress = "127.0.0.1:26531";

     

       29
       29
       +
           rootCredentialsFile = secrets.getTemplate "minio.env";

     

       30
       30
       +
         };

     

       31
       31
       +
       

     

       32
       32
       +
         # stupid module design

     

       33
       33
       +
         systemd.services.minio.environment = {

     

       34
       34
       +
           MINIO_BROWSER_REDIRECT_URL = "https://s3.soopy.moe/_static";

     

       35
       35
       +
           MINIO_BROWSER_LOGIN_ANIMATION = "false";

     

       36
       36
       +
         };

     

       37
       37
       +
       

     

       7
       38
        
         services.nginx.virtualHosts = {

     

       8
       39
        
           "s3.soopy.moe" = _utils.mkSimpleProxy {

     

       9
       9
       -
             host = "renko.mist-nessie.ts.net";

     

       10
       40
        
             port = 26531;

     

       11
       41
        
             extraConfig = {

     

       12
       42
        
               extraConfig = ''

-5

systems/renko/hardware-configuration.nix

···

       27
       27
        
           fsType = "btrfs";

     

       28
       28
        
         };

     

       29
       29
        
       

     

       30
       30
       -
         fileSystems."/var/lib/minio/data" = {

     

       31
       31
       -
           label = "MINIO0";

     

       32
       32
       -
           fsType = "xfs";

     

       33
       33
       -
         };

     

       34
       34
       -
       

     

       35
       30
        
         boot.initrd.luks.devices."gock".device = "/dev/disk/by-uuid/9d57daa1-f152-443d-992c-b58cbfa57ec1";

     

       36
       31
        
       

     

       37
       32
        
         fileSystems."/efi" = {

-1

systems/renko/services/default.nix

···

       2
       2
        
       {

     

       3
       3
        
         imports = [

     

       4
       4
        
           ./vmagent.nix

     

       5
       5
       -
           ./minio.nix

     

       6
       5
        
         ];

     

       7
       6
        
       }

-36

systems/renko/services/minio.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         _utils,

     

       3
       3
       -
         config,

     

       4
       4
       -
         ...

     

       5
       5
       -
       }:

     

       6
       6
       -
       let

     

       7
       7
       -
         secrets = _utils.setupSecrets config {

     

       8
       8
       -
           namespace = "minio";

     

       9
       9
       -
           secrets = [

     

       10
       10
       -
             "root_user"

     

       11
       11
       -
             "root_pass"

     

       12
       12
       -
           ];

     

       13
       13
       -
         };

     

       14
       14
       -
       in

     

       15
       15
       -
       {

     

       16
       16
       -
         imports = [

     

       17
       17
       -
           secrets.generate

     

       18
       18
       -
           (secrets.mkTemplate "minio.env" ''

     

       19
       19
       -
             MINIO_ROOT_USER=${secrets.placeholder "root_user"}

     

       20
       20
       -
             MINIO_ROOT_PASSWORD=${secrets.placeholder "root_pass"}

     

       21
       21
       -
           '')

     

       22
       22
       -
         ];

     

       23
       23
       -
       

     

       24
       24
       -
         services.minio = {

     

       25
       25
       -
           enable = true;

     

       26
       26
       -
           region = "ap-east-1";

     

       27
       27
       -
           listenAddress = ":26531"; # will be proxied by koumakan

     

       28
       28
       -
           rootCredentialsFile = secrets.getTemplate "minio.env";

     

       29
       29
       -
         };

     

       30
       30
       -
       

     

       31
       31
       -
         # stupid module design

     

       32
       32
       -
         systemd.services.minio.environment = {

     

       33
       33
       -
           MINIO_BROWSER_REDIRECT_URL = "https://s3.soopy.moe/_static";

     

       34
       34
       -
           MINIO_BROWSER_LOGIN_ANIMATION = "false";

     

       35
       35
       -
         };

     

       36
       36
       -
       }