diff --git a/hosts/faunus-ater/default.nix b/hosts/faunus-ater/default.nix
index dcb54ce..d7bab5d 100644
--- a/hosts/faunus-ater/default.nix
+++ b/hosts/faunus-ater/default.nix
@@ -20,6 +20,7 @@ in {
 ./modules/paperless.nix
 ./modules/photoprism.nix
 ./modules/restic.nix
+ ./modules/seaweedfs.nix
 ./modules/timetagger.nix
 ./modules/trilium.nix
 ];
diff --git a/hosts/faunus-ater/modules/seaweedfs.nix b/hosts/faunus-ater/modules/seaweedfs.nix
new file mode 100644
index 0000000..2db9588
--- /dev/null
+++ b/hosts/faunus-ater/modules/seaweedfs.nix
@@ -0,0 +1,133 @@
+{
+ pkgs,
+ config,
+ ...
+}: let
+ weed = "${pkgs.seaweedfs}/bin/weed";
+
+ master = {
+ ip = config.state.vpn.machine.faunus-ater.ipv4;
+ port = builtins.toString config.state.services.sea.port;
+ };
+ s3.port = builtins.toString config.state.services.s3.port;
+
+ seaweedfsVolume = number: {
+ enable = true;
+ description = "SeaweedFS Volume ${builtins.toString number}";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${weed} volume -dir=./data -mserver=${master.ip}:${master.port} -ip=${master.ip} -minFreeSpace=50G -max=0";
+ WorkingDirectory = "/data/dirty/seaweedfs";
+ User = "seaweed";
+ Group = "seaweed";
+ Restart = "always";
+ SyslogIdentifier = "seaweedfs-volume-${builtins.toString number}";
+ };
+ };
+
+ filerConfig = pkgs.writeText "filer.toml" ''
+ [leveldb2]
+ enabled = true
+ dir = "./filerdb2"
+ '';
+in {
+ users.users.seaweed = {
+ isSystemUser = true;
+ group = "seaweed";
+ };
+ users.groups.seaweed = {};
+
+ systemd.tmpfiles.rules = [
+ "d /data/dirty/seaweedfs 0770 seaweed seaweed -"
+ "d /data/dirty/seaweedfs/data 0770 seaweed seaweed -"
+ "d /data/dirty/seaweedfs/filer 0770 seaweed seaweed -"
+ "L+ /data/dirty/seaweedfs/filer/filer.toml - - - - ${filerConfig}"
+ ];
+
+ systemd.services = {
+ # Master
+ seaweedfs-master = {
+ enable = true;
+ description = "SeaweedFS Server Master";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${weed} master -mdir=. -ip=${master.ip} -port=${master.port} -volumeSizeLimitMB=1024";
+ WorkingDirectory = "/data/dirty/seaweedfs";
+ User = "seaweed";
+ Group = "seaweed";
+ Restart = "always";
+ SyslogIdentifier = "seaweedfs-master";
+ };
+ };
+ # First volume
+ seaweedfs-volume-1 = seaweedfsVolume 1;
+ # Filer
+ seaweedfs-filer = {
+ enable = true;
+ description = "SeaweedFS Filer";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "simple";
+ # TODO: Restrict s3 access and expose filer?
+ ExecStart = "${weed} filer -master=${master.ip}:${master.port} -ip=${master.ip} -s3 -s3.port=${s3.port}";
+ WorkingDirectory = "/data/dirty/seaweedfs/filer";
+ User = "seaweed";
+ Group = "seaweed";
+ Restart = "always";
+ SyslogIdentifier = "seaweedfs-filer";
+ };
+ };
+ };
+
+ # Configure nginx reverse proxy
+ services.nginx.virtualHosts = {
+ "sea.tammena.me" = {
+ addSSL = true;
+ sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
+ sslCertificateKey = config.sops.secrets."certificate-key-sea-tammena-me".path;
+ sslCertificate = pkgs.writeText "sea-tammena-me.crt" (builtins.readFile ../../../secrets/pub/sea-tammena-me.crt);
+
+ serverAliases = [
+ "sea.home"
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.state.services.sea.port}";
+ };
+ };
+ "s3.tammena.me" = {
+ addSSL = true;
+ sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
+ sslCertificateKey = config.sops.secrets."certificate-key-s3-tammena-me".path;
+ sslCertificate = pkgs.writeText "s3-tammena-me.crt" (builtins.readFile ../../../secrets/pub/s3-tammena-me.crt);
+ extraConfig = ''
+ client_max_body_size 100G;
+ '';
+
+ serverAliases = [
+ "s3.home"
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost:${s3.port}";
+ };
+ };
+ };
+
+ # Secrets
+ sops.secrets = {
+ "certificate-key-sea-tammena-me" = {
+ owner = config.users.users.nginx.name;
+ mode = "0400";
+ };
+ "certificate-key-s3-tammena-me" = {
+ owner = config.users.users.nginx.name;
+ mode = "0400";
+ };
+ };
+}
diff --git a/hosts/granodomus-lima/default.nix b/hosts/granodomus-lima/default.nix
index dca04e8..48b0767 100644
--- a/hosts/granodomus-lima/default.nix
+++ b/hosts/granodomus-lima/default.nix
@@ -124,6 +124,8 @@ in {
 ${point "config" faunus-ater}
 ${point "listen" faunus-ater}
 ${point "eat" faunus-ater}
+ ${point "sea" faunus-ater}
+ ${point "s3" faunus-ater}
 '';
 };
 };
diff --git a/secrets/hosts/faunus-ater/secrets.yaml b/secrets/hosts/faunus-ater/secrets.yaml
index 479b0a1..512afc7 100644
--- a/secrets/hosts/faunus-ater/secrets.yaml
+++ b/secrets/hosts/faunus-ater/secrets.yaml
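Review bot: The filer unit starts the S3 gateway with `-s3 -s3.port=${s3.port}` but no `-s3.config`, and the `s3.tammena.me` vhost proxies it with nothing in front, so — as the in-line TODO already concedes — any client that can reach nginx gets unauthenticated read/write on every bucket; either land an identities file (generated outside the repo, e.g. via sops) and pass `-s3.config=<path-to-s3-identities-json>`, or hold the vhost back until that exists. Both vhosts use `addSSL = true`, which keeps plain HTTP alongside TLS on `sea.home`/`s3.home`; `forceSSL = true` would redirect so that S3 credentials, once added, never travel in clear. The master and filer are started with `-ip=${master.ip}` (the VPN address) while nginx proxies to `http://localhost:…`; if `-ip.bind` defaults to `-ip` in the packaged weed release, the proxy cannot reach either service — worth confirming on the host, since it is not decidable from the diff. The three units run as the dedicated `seaweed` user but carry no sandboxing; `NoNewPrivileges = true;`, `ProtectSystem = "strict";` with `ReadWritePaths = ["/data/dirty/seaweedfs"];` and `PrivateTmp = true;` in `seaweedfsVolume` and the two inline `serviceConfig` blocks would be cheap additions.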
@@ -16,6 +16,8 @@ certificate-key-read-tammena-me: ENC[AES256_GCM,data:Cb0SZkaqArT1GCXsacNBOaIG5Bw
 certificate-key-hydra-tammena-me: ENC[AES256_GCM,data:CxAvCuYu8Ftz4ths00roPjsK81/foNbWnQwolButgyAFrVh0Tx3ATpnpF5ck4W1Fpt8l9f5zQ5S2OykDlZu9loB9OkW5UhvdjxMqUxXJ76258NTVgqOLH062BAPLJmX4Oq4LSBJLMqj9teb9tFSkbEb7xnrba/PCLTJk6gP94TumkcYT/LZUfLl/7nQOqDckzem/7/pDcjkvVO2MO8sd5kbsTwzqfnW4hj6pTbhAmTa6X/o4pWMlcEZXclGOmQNN69vKWYKr0//t+nkvAujQ0g7FmJKIEysDCiaG0L5ZYCvtqmq32deGBfJRrZxS/x49Urg4cUPk5cj8/wP4ByEt5ykwDm1p8MP4E5Pz4PtlLYRMz4XFA73blR6U9aERAu6Mg8OcyJzmCYvqpfN8BTM=,iv:5A3J5yeCI2JU2GXdH1iKNWAVAqirdGzXCwoujwOB2bk=,tag:B073+3aobpOA2QU2BOjdHA==,type:str]
 certificate-key-cache-tammena-me: ENC[AES256_GCM,data:ieanG2LnohzctjLggzx1b1IVcxcAaDQi/HPEAg7M8l8qespVKwSLBe31gIEQ2fQXtpmpESy6P4IhSPhVw7W0XyNe4656VycgFuo3JasjeGzfpH9DqXWYa+4wjT62p2gW4mnE8QbpKQ1s17hDkWPgNhrK7ya50ascXsazKD/XMoxdoIBKhFjfICWl+RqL2j1tRmB4U/w2MNQ3GVHBwK6xGy1uauDStR1Ndpz+Ed/fpEmodYyjvHrN2czykab2kD4BCqHISYgyf9y2wkBHSKMj6o1xJWRqAavOWW9YkQTlx7MbFypUOP6j1TYeeJZGAPNhiOFBeMTYapM645spoOECM0KSdAVHQmzIhl9zZ1rA5hx/wXk6OsIjbLRTd6lm8aAr6M9aN5wqLQpcu/ybFq8=,iv:8fP4uxYrZQ1n+0VYhX1Z6lae2GZu/PPqGgJjjtlAzrM=,tag:T95fhh7fTaVN8TR/2dU/0g==,type:str]
 certificate-key-git-new-tammena-me: ENC[AES256_GCM,data:q7Qe3944XnHTzoFOfB6A7dnkYBBdVEF7f95u1wT2Xc1zXiQ3pSG/pzXc6FzM8uJGz0jGFfkD+BUII6PdXeEK1cMKCecEmAv2iQNz0BCwF0FkY4EQ3rlSokFvbbWu34W8NTnoT47KXBu/19DqGZOcODVWJkOJg3WMTm9tAy+sR3xn0MKPknU0Uhz9eOkZagYpwdyNj8coQhd8LCktKx85991MjnwcFOe3lzaYU97/7buDXUmzx51N1ztxR9ZNnTLjqKUtK+T+8uF9Z/+sSq6/40l4YaztMN8G44UFAAsiMRvKOx5w/gGaDeNSm+S5lPegcAo9vsUJCoOmOhN91KQPVFWri45yW0G5h+BIXgLzQQvKAIv+8CQwYYxYi5THyWffbAljIme4F3Otbse3J84=,iv:rbET3RxtYRKAeJFDsqPG/+j4VXU7kn39CVaREGsFI5A=,tag:2itjKPHUvt0B6Yt20LhRZA==,type:str]
+certificate-key-sea-tammena-me: ENC[AES256_GCM,data:OXDpH/4nh0y4IGw7KxI/NAFf0U0/dKHWJDKUGCnK/REx6A+HONH0LJ0eacH4eDMU6YUHOd/5qgzCOWx3bFb4pt0j6jAW2mED76r8+n8ojmyYslo1rnJhJcrCNetPRHRgqDoI3PZqqISMfqZ7eJ8XmuyET/HVxsL8h2IA3jTa6e9P8BRjcQREkzAuomzn4s97xu8jT9exmEzN8AxrovSBju9CkSOk/WJcaDP9B1JNCKRCRwj5OfvJVMtMvDw0FdTM6hC883NGSr6dsklS8Zee3LGBoeZm+3X725WamvC4YSeHyVVljDVWQhGu82QzljOq/Im82gwmVljslI+lcLP9rsStiztZC7BY3uWG/Hp9cZuBVNhL4gTgLQzMHkbAQ9zvBlyu9k7NlG+Gs4R6bZk=,iv:WU42jGKUakz5LnCWMIDsHDfTqiukVRWPczNl3SaXKRQ=,tag:WX38fXZvcXLYvd+QwN8Www==,type:str]
+certificate-key-s3-tammena-me: ENC[AES256_GCM,data:JtR5CaUgJCkHJafMnVwDhYNM+y/jnwNjXJV7c5QqRErTqLrRImUa/TALMAs+CnUqSQmDY+35kqp7LFrwQzEwc4dXyfKtEeE795HOP/hL2G2EpW8WiJMLE0ai/EZz9ZEiF++V72rtQRdf03OgrS2n/gNHDL2unEi34rNkFTmUXG3BCfpIBP6GqRGvOdAd97dQBHB/XHF5Xd9GFWuU7LW0RfstB8D+C9Q/JngXvEX6XDPodNzXaQVoI+uMqHaJLMUhYhgnoSiWFK4IYVLxhsRKYdSO4ysTkEkp+oGTE3mgwpxaAqNANKkaFuvCYjDwJSsE84MkoRRVcpFbwh3OsuFs0PmiO1zI1DjyrjwahD9JrCX8w/4xyuijIK+jehaOhK8ZKcDd3+9iIMq0F5ZjVKY=,iv:KuKYtzb55ABgnJ4ad4amww6Phcbe7K20df94LqPKToE=,tag:S4hh2ionWvrhuBS3pGPXdg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -31,8 +33,8 @@ sops:
 ZzFxdmlXaTRCY2tUZndBSDlNeUVROVUKH1CxbcdwHR3ELn9YlGvO6YbGGg++wGZv
 97ez/ErXEOq/6IF6HzV3I9BsVV4WCJI2VTP8Lbiwt59qg5riH7CGJQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-15T20:03:22Z"
- mac: ENC[AES256_GCM,data:oFa6t5UQR7D6y4Z7NjspNYRHgTXqv7RFYT0oe8nCpr6QTry+y4CC0rZxl+e/eeRC4xlQaj3ElOnZgWOepToezS2AEsAqUcZD3effWEg/Ju3Yt/SQc71M/pQIa+Q8CBgLVkhvtcL2T0OLmPmCmpSgiAVuJ02EwcE4wAm2QN6zLEM=,iv:ehfL2Fvn+6rTwM7wMjDojvYfrUFyHYerGh+dgmJy008=,tag:gJnG5vu+nK7Ohes6+OlaFw==,type:str]
+ lastmodified: "2024-02-03T21:51:12Z"
+ mac: ENC[AES256_GCM,data:2t8P8TWN8nre0EcI0JFeyyl83b06p/qvJ2XE1R1ZuM7tqAZ5jTz9p4h/jfMrB+99xF5oITRfcfPm8V074JlLmCWY1Cw+KISUaRIBSJA4VUFS8vRdeN3pcyr6VyaNJi3bE2ifSImbaDElSk7qqiWygyUQ+mpTVZRu4S8GzGnMlM4=,iv:6X61PrN2wmk96w/3whl3YOBRTCJFnwd4fZMm5VObUP4=,tag:DeVPUDdEgYpV2F0wG/pdPw==,type:str]
 pgp:
 - created_at: "2023-11-06T16:58:30Z"
 enc: |
diff --git a/secrets/pub/s3-tammena-me.crt b/secrets/pub/s3-tammena-me.crt
new file mode 100644
index 0000000..3f95269
--- /dev/null
+++ b/secrets/pub/s3-tammena-me.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVegAwIBAgIURPKYTHbrVd9AFBc9KERxomwis+AwCgYIKoZIzj0EAwIw
+FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMDMyMTUxMTFaFw0yNTAyMDIy
+MTUxMTFaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABENuZPN1/bWczZ0OIKSeOENWV1Ft3bkXbDkQcwMP1BOoOmF0LPUUQ3us9c82
+hzyi9j78RWv59FTZYP5n0erMEUijgYgwgYUwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMCEGA1UdEQQaMBiCDXMzLnRhbW1lbmEubWWCB3MzLmhvbWUw
+HQYDVR0OBBYEFKv3QJQhFxS39Vbtwk6WGdo39jq8MB8GA1UdIwQYMBaAFAD63A/b
+JrL4LdckOxmyIq1lmU+rMAoGCCqGSM49BAMCA0cAMEQCIG/itLwW2CfHrk0tZVyf
+44CX8fAUJ07zOVX+uTXejydpAiB8TbPK1dXZk2sMzSEzCtEKqBliiIQW2uf8bId8
+ErrlOw==
+-----END CERTIFICATE-----
diff --git a/secrets/pub/sea-tammena-me.crt b/secrets/pub/sea-tammena-me.crt
new file mode 100644
index 0000000..567f8d8
--- /dev/null
+++ b/secrets/pub/sea-tammena-me.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBszCCAVmgAwIBAgIULiw9IAbb1hMRdB3f7fijW2yIQ5AwCgYIKoZIzj0EAwIw
+FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMDMyMDU2MTlaFw0yNTAyMDIy
+MDU2MTlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABP5nGBDUoZ+uCZri8tyeqgpgm9blFpEhAPS+Mo7Vi3hrGoF9nNskGLSz5tfR
+XF3KUgbQNNJuvKdI0bNrwzAQ2nqjgYowgYcwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMCMGA1UdEQQcMBqCDnNlYS50YW1tZW5hLm1lgghzZWEuaG9t
+ZTAdBgNVHQ4EFgQU9lMKoIHKaRJT6xi2O8JOq4EaYMQwHwYDVR0jBBgwFoAUAPrc
+D9smsvgt1yQ7GbIirWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgOyYYHsae2hFdjdhM
+2eLJH6IniwIPwkAy/acMVvcTpxoCIQClsIoSeaGnvVG86221Xda7oeca+cKVk8rK
+XjCSIGAK7Q==
+-----END CERTIFICATE-----
diff --git a/state.nix b/state.nix
index d7dd20d..b31bba3 100644
--- a/state.nix
+++ b/state.nix
@@ -62,5 +62,15 @@
 port = 28981;
 external = true;
 };
+ sea = {
+ host = "faunus-ater";
+ port = 9333;
+ external = false;
+ };
+ s3 = {
+ host = "faunus-ater";
+ port = 8333;
+ external = false;
+ };
 };
 }