feat(host/faunus-ater): new service: seaweedfs
parent
dc9251000e
commit
2cbe2867fd
|
@ -20,6 +20,7 @@ in {
|
||||||
./modules/paperless.nix
|
./modules/paperless.nix
|
||||||
./modules/photoprism.nix
|
./modules/photoprism.nix
|
||||||
./modules/restic.nix
|
./modules/restic.nix
|
||||||
|
./modules/seaweedfs.nix
|
||||||
./modules/timetagger.nix
|
./modules/timetagger.nix
|
||||||
./modules/trilium.nix
|
./modules/trilium.nix
|
||||||
];
|
];
|
||||||
|
|
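--- a/hosts/faunus-ater/modules/seaweedfs.nix
+++ b/hosts/faunus-ater/modules/seaweedfs.nix
@@ -0,0 +1,133 @@
+{
+pkgs,
+config,
+...
+}: let
+weed = "${pkgs.seaweedfs}/bin/weed";
+
+master = {
+ip = config.state.vpn.machine.faunus-ater.ipv4;
+port = builtins.toString config.state.services.sea.port;
+};
+s3.port = builtins.toString config.state.services.s3.port;
+
+seaweedfsVolume = number: {
+enable = true;
+description = "SeaweedFS Volume ${builtins.toString number}";
+after = ["network.target"];
+wantedBy = ["multi-user.target"];
+serviceConfig = {
+Type = "simple";
+ExecStart = "${weed} volume -dir=./data -mserver=${master.ip}:${master.port} -ip=${master.ip} -minFreeSpace=50G -max=0";
+WorkingDirectory = "/data/dirty/seaweedfs";
+User = "seaweed";
+Group = "seaweed";
+Restart = "always";
+SyslogIdentifier = "seaweedfs-volume-${builtins.toString number}";
+};
+};
+
+filerConfig = pkgs.writeText "filer.toml" ''
+[leveldb2]
+enabled = true
+dir = "./filerdb2"
+'';
+in {
+users.users.seaweed = {
+isSystemUser = true;
+group = "seaweed";
+};
+users.groups.seaweed = {};
+
+systemd.tmpfiles.rules = [
+"d /data/dirty/seaweedfs 0770 seaweed seaweed -"
+"d /data/dirty/seaweedfs/data 0770 seaweed seaweed -"
+"d /data/dirty/seaweedfs/filer 0770 seaweed seaweed -"
+"L+ /data/dirty/seaweedfs/filer/filer.toml - - - - ${filerConfig}"
+];
+
+systemd.services = {
+# Master
+seaweedfs-master = {
+enable = true;
+description = "SeaweedFS Server Master";
+after = ["network.target"];
+wantedBy = ["multi-user.target"];
+serviceConfig = {
+Type = "simple";
+ExecStart = "${weed} master -mdir=. -ip=${master.ip} -port=${master.port} -volumeSizeLimitMB=1024";
+WorkingDirectory = "/data/dirty/seaweedfs";
+User = "seaweed";
+Group = "seaweed";
+Restart = "always";
+SyslogIdentifier = "seaweedfs-master";
+};
+};
+# First volume
+seaweedfs-volume-1 = seaweedfsVolume 1;
+# Filer
+seaweedfs-filer = {
+enable = true;
+description = "SeaweedFS Filer";
+after = ["network.target"];
+wantedBy = ["multi-user.target"];
+serviceConfig = {
+Type = "simple";
+# TODO: Restrict s3 access and expose filer?
+ExecStart = "${weed} filer -master=${master.ip}:${master.port} -ip=${master.ip} -s3 -s3.port=${s3.port}";
+WorkingDirectory = "/data/dirty/seaweedfs/filer";
+User = "seaweed";
+Group = "seaweed";
+Restart = "always";
+SyslogIdentifier = "seaweedfs-filer";
+};
+};
+};
+
+# Configure nginx reverse proxy
+services.nginx.virtualHosts = {
+"sea.tammena.me" = {
+addSSL = true;
+sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
+sslCertificateKey = config.sops.secrets."certificate-key-sea-tammena-me".path;
+sslCertificate = pkgs.writeText "sea-tammena-me.crt" (builtins.readFile ../../../secrets/pub/sea-tammena-me.crt);
+
+serverAliases = [
+"sea.home"
+];
+
+locations."/" = {
+proxyPass = "http://localhost:${builtins.toString config.state.services.sea.port}";
+};
+};
+"s3.tammena.me" = {
+addSSL = true;
+sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
+sslCertificateKey = config.sops.secrets."certificate-key-s3-tammena-me".path;
+sslCertificate = pkgs.writeText "s3-tammena-me.crt" (builtins.readFile ../../../secrets/pub/s3-tammena-me.crt);
+extraConfig = ''
+client_max_body_size 100G;
+'';
+
+serverAliases = [
+"s3.home"
+];
+
+locations."/" = {
+proxyPass = "http://localhost:${s3.port}";
+};
+};
+};
+
+# Secrets
+sops.secrets = {
+"certificate-key-sea-tammena-me" = {
+owner = config.users.users.nginx.name;
+mode = "0400";
+};
+"certificate-key-s3-tammena-me" = {
+owner = config.users.users.nginx.name;
+mode = "0400";
+};
+};
+}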
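Review bot: The filer unit's `ExecStart` enables the S3 gateway with `-s3 -s3.port=…` but passes no identity configuration, and the `s3.tammena.me` vhost then publishes that port with `client_max_body_size 100G`; as far as this file shows, anyone who can reach nginx gets unauthenticated access to the buckets, which the inline TODO acknowledges without resolving. I would give the gateway a credentials file held in sops and readable by `seaweed`, e.g. append `-s3.config=${config.sops.secrets."<s3-identities-secret>".path}` (the secret name is a placeholder) to that command line. The `sea.tammena.me` vhost proxies the master port the same way, and no `security.toml` or nginx access rule is visible here, so the master HTTP API looks equally open. Both vhosts use `addSSL = true;`, which keeps serving the same locations over plain HTTP; `forceSSL = true;` would redirect to HTTPS instead. Also worth confirming: the daemons are started with `-ip=${master.ip}` while nginx proxies to `localhost`, which only works if weed also listens on loopback.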
|
@ -124,6 +124,8 @@ in {
|
||||||
${point "config" faunus-ater}
|
${point "config" faunus-ater}
|
||||||
${point "listen" faunus-ater}
|
${point "listen" faunus-ater}
|
||||||
${point "eat" faunus-ater}
|
${point "eat" faunus-ater}
|
||||||
|
${point "sea" faunus-ater}
|
||||||
|
${point "s3" faunus-ater}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -16,6 +16,8 @@ certificate-key-read-tammena-me: ENC[AES256_GCM,data:Cb0SZkaqArT1GCXsacNBOaIG5Bw
|
||||||
certificate-key-hydra-tammena-me: ENC[AES256_GCM,data:CxAvCuYu8Ftz4ths00roPjsK81/foNbWnQwolButgyAFrVh0Tx3ATpnpF5ck4W1Fpt8l9f5zQ5S2OykDlZu9loB9OkW5UhvdjxMqUxXJ76258NTVgqOLH062BAPLJmX4Oq4LSBJLMqj9teb9tFSkbEb7xnrba/PCLTJk6gP94TumkcYT/LZUfLl/7nQOqDckzem/7/pDcjkvVO2MO8sd5kbsTwzqfnW4hj6pTbhAmTa6X/o4pWMlcEZXclGOmQNN69vKWYKr0//t+nkvAujQ0g7FmJKIEysDCiaG0L5ZYCvtqmq32deGBfJRrZxS/x49Urg4cUPk5cj8/wP4ByEt5ykwDm1p8MP4E5Pz4PtlLYRMz4XFA73blR6U9aERAu6Mg8OcyJzmCYvqpfN8BTM=,iv:5A3J5yeCI2JU2GXdH1iKNWAVAqirdGzXCwoujwOB2bk=,tag:B073+3aobpOA2QU2BOjdHA==,type:str]
|
certificate-key-hydra-tammena-me: ENC[AES256_GCM,data:CxAvCuYu8Ftz4ths00roPjsK81/foNbWnQwolButgyAFrVh0Tx3ATpnpF5ck4W1Fpt8l9f5zQ5S2OykDlZu9loB9OkW5UhvdjxMqUxXJ76258NTVgqOLH062BAPLJmX4Oq4LSBJLMqj9teb9tFSkbEb7xnrba/PCLTJk6gP94TumkcYT/LZUfLl/7nQOqDckzem/7/pDcjkvVO2MO8sd5kbsTwzqfnW4hj6pTbhAmTa6X/o4pWMlcEZXclGOmQNN69vKWYKr0//t+nkvAujQ0g7FmJKIEysDCiaG0L5ZYCvtqmq32deGBfJRrZxS/x49Urg4cUPk5cj8/wP4ByEt5ykwDm1p8MP4E5Pz4PtlLYRMz4XFA73blR6U9aERAu6Mg8OcyJzmCYvqpfN8BTM=,iv:5A3J5yeCI2JU2GXdH1iKNWAVAqirdGzXCwoujwOB2bk=,tag:B073+3aobpOA2QU2BOjdHA==,type:str]
|
||||||
certificate-key-cache-tammena-me: ENC[AES256_GCM,data:ieanG2LnohzctjLggzx1b1IVcxcAaDQi/HPEAg7M8l8qespVKwSLBe31gIEQ2fQXtpmpESy6P4IhSPhVw7W0XyNe4656VycgFuo3JasjeGzfpH9DqXWYa+4wjT62p2gW4mnE8QbpKQ1s17hDkWPgNhrK7ya50ascXsazKD/XMoxdoIBKhFjfICWl+RqL2j1tRmB4U/w2MNQ3GVHBwK6xGy1uauDStR1Ndpz+Ed/fpEmodYyjvHrN2czykab2kD4BCqHISYgyf9y2wkBHSKMj6o1xJWRqAavOWW9YkQTlx7MbFypUOP6j1TYeeJZGAPNhiOFBeMTYapM645spoOECM0KSdAVHQmzIhl9zZ1rA5hx/wXk6OsIjbLRTd6lm8aAr6M9aN5wqLQpcu/ybFq8=,iv:8fP4uxYrZQ1n+0VYhX1Z6lae2GZu/PPqGgJjjtlAzrM=,tag:T95fhh7fTaVN8TR/2dU/0g==,type:str]
|
certificate-key-cache-tammena-me: ENC[AES256_GCM,data:ieanG2LnohzctjLggzx1b1IVcxcAaDQi/HPEAg7M8l8qespVKwSLBe31gIEQ2fQXtpmpESy6P4IhSPhVw7W0XyNe4656VycgFuo3JasjeGzfpH9DqXWYa+4wjT62p2gW4mnE8QbpKQ1s17hDkWPgNhrK7ya50ascXsazKD/XMoxdoIBKhFjfICWl+RqL2j1tRmB4U/w2MNQ3GVHBwK6xGy1uauDStR1Ndpz+Ed/fpEmodYyjvHrN2czykab2kD4BCqHISYgyf9y2wkBHSKMj6o1xJWRqAavOWW9YkQTlx7MbFypUOP6j1TYeeJZGAPNhiOFBeMTYapM645spoOECM0KSdAVHQmzIhl9zZ1rA5hx/wXk6OsIjbLRTd6lm8aAr6M9aN5wqLQpcu/ybFq8=,iv:8fP4uxYrZQ1n+0VYhX1Z6lae2GZu/PPqGgJjjtlAzrM=,tag:T95fhh7fTaVN8TR/2dU/0g==,type:str]
|
||||||
certificate-key-git-new-tammena-me: ENC[AES256_GCM,data:q7Qe3944XnHTzoFOfB6A7dnkYBBdVEF7f95u1wT2Xc1zXiQ3pSG/pzXc6FzM8uJGz0jGFfkD+BUII6PdXeEK1cMKCecEmAv2iQNz0BCwF0FkY4EQ3rlSokFvbbWu34W8NTnoT47KXBu/19DqGZOcODVWJkOJg3WMTm9tAy+sR3xn0MKPknU0Uhz9eOkZagYpwdyNj8coQhd8LCktKx85991MjnwcFOe3lzaYU97/7buDXUmzx51N1ztxR9ZNnTLjqKUtK+T+8uF9Z/+sSq6/40l4YaztMN8G44UFAAsiMRvKOx5w/gGaDeNSm+S5lPegcAo9vsUJCoOmOhN91KQPVFWri45yW0G5h+BIXgLzQQvKAIv+8CQwYYxYi5THyWffbAljIme4F3Otbse3J84=,iv:rbET3RxtYRKAeJFDsqPG/+j4VXU7kn39CVaREGsFI5A=,tag:2itjKPHUvt0B6Yt20LhRZA==,type:str]
|
certificate-key-git-new-tammena-me: ENC[AES256_GCM,data:q7Qe3944XnHTzoFOfB6A7dnkYBBdVEF7f95u1wT2Xc1zXiQ3pSG/pzXc6FzM8uJGz0jGFfkD+BUII6PdXeEK1cMKCecEmAv2iQNz0BCwF0FkY4EQ3rlSokFvbbWu34W8NTnoT47KXBu/19DqGZOcODVWJkOJg3WMTm9tAy+sR3xn0MKPknU0Uhz9eOkZagYpwdyNj8coQhd8LCktKx85991MjnwcFOe3lzaYU97/7buDXUmzx51N1ztxR9ZNnTLjqKUtK+T+8uF9Z/+sSq6/40l4YaztMN8G44UFAAsiMRvKOx5w/gGaDeNSm+S5lPegcAo9vsUJCoOmOhN91KQPVFWri45yW0G5h+BIXgLzQQvKAIv+8CQwYYxYi5THyWffbAljIme4F3Otbse3J84=,iv:rbET3RxtYRKAeJFDsqPG/+j4VXU7kn39CVaREGsFI5A=,tag:2itjKPHUvt0B6Yt20LhRZA==,type:str]
|
||||||
|
certificate-key-sea-tammena-me: ENC[AES256_GCM,data:OXDpH/4nh0y4IGw7KxI/NAFf0U0/dKHWJDKUGCnK/REx6A+HONH0LJ0eacH4eDMU6YUHOd/5qgzCOWx3bFb4pt0j6jAW2mED76r8+n8ojmyYslo1rnJhJcrCNetPRHRgqDoI3PZqqISMfqZ7eJ8XmuyET/HVxsL8h2IA3jTa6e9P8BRjcQREkzAuomzn4s97xu8jT9exmEzN8AxrovSBju9CkSOk/WJcaDP9B1JNCKRCRwj5OfvJVMtMvDw0FdTM6hC883NGSr6dsklS8Zee3LGBoeZm+3X725WamvC4YSeHyVVljDVWQhGu82QzljOq/Im82gwmVljslI+lcLP9rsStiztZC7BY3uWG/Hp9cZuBVNhL4gTgLQzMHkbAQ9zvBlyu9k7NlG+Gs4R6bZk=,iv:WU42jGKUakz5LnCWMIDsHDfTqiukVRWPczNl3SaXKRQ=,tag:WX38fXZvcXLYvd+QwN8Www==,type:str]
|
||||||
|
certificate-key-s3-tammena-me: ENC[AES256_GCM,data:JtR5CaUgJCkHJafMnVwDhYNM+y/jnwNjXJV7c5QqRErTqLrRImUa/TALMAs+CnUqSQmDY+35kqp7LFrwQzEwc4dXyfKtEeE795HOP/hL2G2EpW8WiJMLE0ai/EZz9ZEiF++V72rtQRdf03OgrS2n/gNHDL2unEi34rNkFTmUXG3BCfpIBP6GqRGvOdAd97dQBHB/XHF5Xd9GFWuU7LW0RfstB8D+C9Q/JngXvEX6XDPodNzXaQVoI+uMqHaJLMUhYhgnoSiWFK4IYVLxhsRKYdSO4ysTkEkp+oGTE3mgwpxaAqNANKkaFuvCYjDwJSsE84MkoRRVcpFbwh3OsuFs0PmiO1zI1DjyrjwahD9JrCX8w/4xyuijIK+jehaOhK8ZKcDd3+9iIMq0F5ZjVKY=,iv:KuKYtzb55ABgnJ4ad4amww6Phcbe7K20df94LqPKToE=,tag:S4hh2ionWvrhuBS3pGPXdg==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -31,8 +33,8 @@ sops:
|
||||||
ZzFxdmlXaTRCY2tUZndBSDlNeUVROVUKH1CxbcdwHR3ELn9YlGvO6YbGGg++wGZv
|
ZzFxdmlXaTRCY2tUZndBSDlNeUVROVUKH1CxbcdwHR3ELn9YlGvO6YbGGg++wGZv
|
||||||
97ez/ErXEOq/6IF6HzV3I9BsVV4WCJI2VTP8Lbiwt59qg5riH7CGJQ==
|
97ez/ErXEOq/6IF6HzV3I9BsVV4WCJI2VTP8Lbiwt59qg5riH7CGJQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-01-15T20:03:22Z"
|
lastmodified: "2024-02-03T21:51:12Z"
|
||||||
mac: ENC[AES256_GCM,data:oFa6t5UQR7D6y4Z7NjspNYRHgTXqv7RFYT0oe8nCpr6QTry+y4CC0rZxl+e/eeRC4xlQaj3ElOnZgWOepToezS2AEsAqUcZD3effWEg/Ju3Yt/SQc71M/pQIa+Q8CBgLVkhvtcL2T0OLmPmCmpSgiAVuJ02EwcE4wAm2QN6zLEM=,iv:ehfL2Fvn+6rTwM7wMjDojvYfrUFyHYerGh+dgmJy008=,tag:gJnG5vu+nK7Ohes6+OlaFw==,type:str]
|
mac: ENC[AES256_GCM,data:2t8P8TWN8nre0EcI0JFeyyl83b06p/qvJ2XE1R1ZuM7tqAZ5jTz9p4h/jfMrB+99xF5oITRfcfPm8V074JlLmCWY1Cw+KISUaRIBSJA4VUFS8vRdeN3pcyr6VyaNJi3bE2ifSImbaDElSk7qqiWygyUQ+mpTVZRu4S8GzGnMlM4=,iv:6X61PrN2wmk96w/3whl3YOBRTCJFnwd4fZMm5VObUP4=,tag:DeVPUDdEgYpV2F0wG/pdPw==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-11-06T16:58:30Z"
|
- created_at: "2023-11-06T16:58:30Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
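--- a/secrets/pub/s3-tammena-me.crt
+++ b/secrets/pub/s3-tammena-me.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVegAwIBAgIURPKYTHbrVd9AFBc9KERxomwis+AwCgYIKoZIzj0EAwIw
+FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMDMyMTUxMTFaFw0yNTAyMDIy
+MTUxMTFaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABENuZPN1/bWczZ0OIKSeOENWV1Ft3bkXbDkQcwMP1BOoOmF0LPUUQ3us9c82
+hzyi9j78RWv59FTZYP5n0erMEUijgYgwgYUwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMCEGA1UdEQQaMBiCDXMzLnRhbW1lbmEubWWCB3MzLmhvbWUw
+HQYDVR0OBBYEFKv3QJQhFxS39Vbtwk6WGdo39jq8MB8GA1UdIwQYMBaAFAD63A/b
+JrL4LdckOxmyIq1lmU+rMAoGCCqGSM49BAMCA0cAMEQCIG/itLwW2CfHrk0tZVyf
+44CX8fAUJ07zOVX+uTXejydpAiB8TbPK1dXZk2sMzSEzCtEKqBliiIQW2uf8bId8
+ErrlOw==
+-----END CERTIFICATE-----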
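--- a/secrets/pub/sea-tammena-me.crt
+++ b/secrets/pub/sea-tammena-me.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBszCCAVmgAwIBAgIULiw9IAbb1hMRdB3f7fijW2yIQ5AwCgYIKoZIzj0EAwIw
+FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMDMyMDU2MTlaFw0yNTAyMDIy
+MDU2MTlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABP5nGBDUoZ+uCZri8tyeqgpgm9blFpEhAPS+Mo7Vi3hrGoF9nNskGLSz5tfR
+XF3KUgbQNNJuvKdI0bNrwzAQ2nqjgYowgYcwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMCMGA1UdEQQcMBqCDnNlYS50YW1tZW5hLm1lgghzZWEuaG9t
+ZTAdBgNVHQ4EFgQU9lMKoIHKaRJT6xi2O8JOq4EaYMQwHwYDVR0jBBgwFoAUAPrc
+D9smsvgt1yQ7GbIirWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgOyYYHsae2hFdjdhM
+2eLJH6IniwIPwkAy/acMVvcTpxoCIQClsIoSeaGnvVG86221Xda7oeca+cKVk8rK
+XjCSIGAK7Q==
+-----END CERTIFICATE-----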