soopy.moe / gensokyo
nixos config
fork atom

host(koumakan): fix s3 vhost based routing

Sophie Cheung b411872f 6c0b19c2

options
unified split
Changed files
+21 -9
systems
koumakan
certificates
default.nix
garage-s3.nix
services
storage
garage.nix
+1 -1
systems/koumakan/certificates/default.nix 
···

       
1

       

       
-

       
{ ... }:


     

       
2

       
1

       
 

       
{


     

       
3

       
2

       
 

       
  imports = [


     

       
4

       
3

       
 

       
    ./global.nix


     
···

       
6

       
5

       
 

       
    ./fediverse.nix


     

       
7

       
6

       
 

       
    ./bsky-pds.nix


     

       
8

       
7

       
 

       
    ./breezewiki.nix


     

       

       
8

       
+

       
    ./garage-s3.nix


     

       
9

       
9

       
 

       
  ];


     

       
10

       
10

       
 

       
}
+10
systems/koumakan/certificates/garage-s3.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  # Certificate for garage domains


     

       

       
3

       
+

       
  security.acme.certs."s3.soopy.moe" = {


     

       

       
4

       
+

       
    group = "nginx";


     

       

       
5

       
+

       
    extraDomainNames = [


     

       

       
6

       
+

       
      "*.s3.soopy.moe"


     

       

       
7

       
+

       
      "*.s3web.soopy.moe"


     

       

       
8

       
+

       
    ];


     

       

       
9

       
+

       
  };


     

       

       
10

       
+

       
}
+10 -8
systems/koumakan/services/storage/garage.nix 
···

       
50

       
50

       
 

       
      # this is needed because garage apparently still doesn't support anon access via path based api, so this is more like a hack than anything atm.


     

       
51

       
51

       
 

       
      s3_web = {


     

       
52

       
52

       
 

       
        bind_addr = "[::1]:39939";


     

       
53

       

       
-

       
        root_domain = "root.invalid";


     

       

       
53

       
+

       
        root_domain = ".s3web.soopy.moe";


     

       
54

       
54

       
 

       
      };


     

       
55

       
55

       
 

       



     

       
56

       
56

       
 

       
      rpc_bind_addr = "100.100.16.16:39931";


     
···

       
77

       
77

       
 

       
    Group = config.users.groups.garage.name;


     

       
78

       
78

       
 

       
    Restart = "on-failure";


     

       
79

       
79

       
 

       
    StateDirectory = lib.mkForce null; # this somehow breaks mounting dirs into /var/lib; systemd complains about id-mapped mount: device or resource busy


     

       
80

       

       
-

       
    # ReadWritePaths = [


     

       
81

       

       
-

       
    #   "/var/lib/garage"


     

       
82

       

       
-

       
    #   "/var/lib/garage/data"


     

       
83

       

       
-

       
    #   "/var/lib/garage/meta"


     

       
84

       

       
-

       
    #   "/var/lib/garage/snapshots"


     

       
85

       

       
-

       
    # ];


     

       
86

       
80

       
 

       
  };


     

       
87

       
81

       
 

       



     

       
88

       
82

       
 

       
  services.nginx.virtualHosts.".s3.soopy.moe" = _utils.mkSimpleProxy {


     

       
89

       
83

       
 

       
    port = 39930;


     

       
90

       
84

       
 

       
    extraConfig = {


     

       

       
85

       
+

       
      useACMEHost = "s3.soopy.moe";


     

       
91

       
86

       
 

       
      extraConfig = ''


     

       
92

       
87

       
 

       
        client_max_body_size 32G;


     

       
93

       
88

       
 

       
        proxy_max_temp_file_size 0;


     
···

       
116

       
111

       
 

       
    };


     

       
117

       
112

       
 

       
  };


     

       
118

       
113

       
 

       



     

       
119

       

       
-

       
  services.nginx.virtualHosts."cache.soopy.moe" = _utils.mkSimpleProxy {


     

       

       
114

       
+

       
  services.nginx.virtualHosts."*.s3web.soopy.moe" = _utils.mkSimpleProxy {


     

       
120

       
115

       
 

       
    port = 39939;


     

       

       
116

       
+

       
    extraConfig.useACMEHost = "s3.soopy.moe";


     

       
121

       
117

       
 

       
  };


     

       
122

       
118

       
 

       



     

       
123

       
119

       
 

       
  systemd.services.vmagent.serviceConfig.LoadCredential = [


     
···

       
137

       
133

       
 

       
    # https://docs.victoriametrics.com/sd_configs/#scrape_configs


     

       
138

       
134

       
 

       
    # hard coding because we can't use %{ENV_VAR} syntax (yet) when checking.


     

       
139

       
135

       
 

       
    bearer_token_file = "/run/credentials/vmagent.service/garage_token";


     

       

       
136

       
+

       
  };


     

       

       
137

       
+

       



     

       

       
138

       
+

       
  ##################### NAMED BUCKETS WITH WEB HOSTING ###########################


     

       

       
139

       
+

       



     

       

       
140

       
+

       
  services.nginx.virtualHosts."cache.soopy.moe" = _utils.mkSimpleProxy {


     

       

       
141

       
+

       
    port = 39939;


     

       
140

       
142

       
 

       
  };


     

       
141

       
143

       
 

       
}