feat(host/faunus-ater): new service: seaweedfs

This commit is contained in:
Malte Tammena 2024-02-03 23:05:42 +01:00
parent dc9251000e
commit 2cbe2867fd
7 changed files with 174 additions and 2 deletions

View file

@ -20,6 +20,7 @@ in {
./modules/paperless.nix ./modules/paperless.nix
./modules/photoprism.nix ./modules/photoprism.nix
./modules/restic.nix ./modules/restic.nix
./modules/seaweedfs.nix
./modules/timetagger.nix ./modules/timetagger.nix
./modules/trilium.nix ./modules/trilium.nix
]; ];

View file

@ -0,0 +1,133 @@
{
pkgs,
config,
...
}: let
weed = "${pkgs.seaweedfs}/bin/weed";
master = {
ip = config.state.vpn.machine.faunus-ater.ipv4;
port = builtins.toString config.state.services.sea.port;
};
s3.port = builtins.toString config.state.services.s3.port;
seaweedfsVolume = number: {
enable = true;
description = "SeaweedFS Volume ${builtins.toString number}";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
ExecStart = "${weed} volume -dir=./data -mserver=${master.ip}:${master.port} -ip=${master.ip} -minFreeSpace=50G -max=0";
WorkingDirectory = "/data/dirty/seaweedfs";
User = "seaweed";
Group = "seaweed";
Restart = "always";
SyslogIdentifier = "seaweedfs-volume-${builtins.toString number}";
};
};
filerConfig = pkgs.writeText "filer.toml" ''
[leveldb2]
enabled = true
dir = "./filerdb2"
'';
in {
users.users.seaweed = {
isSystemUser = true;
group = "seaweed";
};
users.groups.seaweed = {};
systemd.tmpfiles.rules = [
"d /data/dirty/seaweedfs 0770 seaweed seaweed -"
"d /data/dirty/seaweedfs/data 0770 seaweed seaweed -"
"d /data/dirty/seaweedfs/filer 0770 seaweed seaweed -"
"L+ /data/dirty/seaweedfs/filer/filer.toml - - - - ${filerConfig}"
];
systemd.services = {
# Master
seaweedfs-master = {
enable = true;
description = "SeaweedFS Server Master";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
ExecStart = "${weed} master -mdir=. -ip=${master.ip} -port=${master.port} -volumeSizeLimitMB=1024";
WorkingDirectory = "/data/dirty/seaweedfs";
User = "seaweed";
Group = "seaweed";
Restart = "always";
SyslogIdentifier = "seaweedfs-master";
};
};
# First volume
seaweedfs-volume-1 = seaweedfsVolume 1;
# Filer
seaweedfs-filer = {
enable = true;
description = "SeaweedFS Filer";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
# TODO: Restrict s3 access and expose filer?
ExecStart = "${weed} filer -master=${master.ip}:${master.port} -ip=${master.ip} -s3 -s3.port=${s3.port}";
WorkingDirectory = "/data/dirty/seaweedfs/filer";
User = "seaweed";
Group = "seaweed";
Restart = "always";
SyslogIdentifier = "seaweedfs-filer";
};
};
};
# Configure nginx reverse proxy
services.nginx.virtualHosts = {
"sea.tammena.me" = {
addSSL = true;
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
sslCertificateKey = config.sops.secrets."certificate-key-sea-tammena-me".path;
sslCertificate = pkgs.writeText "sea-tammena-me.crt" (builtins.readFile ../../../secrets/pub/sea-tammena-me.crt);
serverAliases = [
"sea.home"
];
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.state.services.sea.port}";
};
};
"s3.tammena.me" = {
addSSL = true;
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
sslCertificateKey = config.sops.secrets."certificate-key-s3-tammena-me".path;
sslCertificate = pkgs.writeText "s3-tammena-me.crt" (builtins.readFile ../../../secrets/pub/s3-tammena-me.crt);
extraConfig = ''
client_max_body_size 100G;
'';
serverAliases = [
"s3.home"
];
locations."/" = {
proxyPass = "http://localhost:${s3.port}";
};
};
};
# Secrets
sops.secrets = {
"certificate-key-sea-tammena-me" = {
owner = config.users.users.nginx.name;
mode = "0400";
};
"certificate-key-s3-tammena-me" = {
owner = config.users.users.nginx.name;
mode = "0400";
};
};
}

View file

@ -124,6 +124,8 @@ in {
${point "config" faunus-ater} ${point "config" faunus-ater}
${point "listen" faunus-ater} ${point "listen" faunus-ater}
${point "eat" faunus-ater} ${point "eat" faunus-ater}
${point "sea" faunus-ater}
${point "s3" faunus-ater}
''; '';
}; };
}; };

View file

@ -16,6 +16,8 @@ certificate-key-read-tammena-me: ENC[AES256_GCM,data:Cb0SZkaqArT1GCXsacNBOaIG5Bw
certificate-key-hydra-tammena-me: ENC[AES256_GCM,data:CxAvCuYu8Ftz4ths00roPjsK81/foNbWnQwolButgyAFrVh0Tx3ATpnpF5ck4W1Fpt8l9f5zQ5S2OykDlZu9loB9OkW5UhvdjxMqUxXJ76258NTVgqOLH062BAPLJmX4Oq4LSBJLMqj9teb9tFSkbEb7xnrba/PCLTJk6gP94TumkcYT/LZUfLl/7nQOqDckzem/7/pDcjkvVO2MO8sd5kbsTwzqfnW4hj6pTbhAmTa6X/o4pWMlcEZXclGOmQNN69vKWYKr0//t+nkvAujQ0g7FmJKIEysDCiaG0L5ZYCvtqmq32deGBfJRrZxS/x49Urg4cUPk5cj8/wP4ByEt5ykwDm1p8MP4E5Pz4PtlLYRMz4XFA73blR6U9aERAu6Mg8OcyJzmCYvqpfN8BTM=,iv:5A3J5yeCI2JU2GXdH1iKNWAVAqirdGzXCwoujwOB2bk=,tag:B073+3aobpOA2QU2BOjdHA==,type:str] certificate-key-hydra-tammena-me: ENC[AES256_GCM,data:CxAvCuYu8Ftz4ths00roPjsK81/foNbWnQwolButgyAFrVh0Tx3ATpnpF5ck4W1Fpt8l9f5zQ5S2OykDlZu9loB9OkW5UhvdjxMqUxXJ76258NTVgqOLH062BAPLJmX4Oq4LSBJLMqj9teb9tFSkbEb7xnrba/PCLTJk6gP94TumkcYT/LZUfLl/7nQOqDckzem/7/pDcjkvVO2MO8sd5kbsTwzqfnW4hj6pTbhAmTa6X/o4pWMlcEZXclGOmQNN69vKWYKr0//t+nkvAujQ0g7FmJKIEysDCiaG0L5ZYCvtqmq32deGBfJRrZxS/x49Urg4cUPk5cj8/wP4ByEt5ykwDm1p8MP4E5Pz4PtlLYRMz4XFA73blR6U9aERAu6Mg8OcyJzmCYvqpfN8BTM=,iv:5A3J5yeCI2JU2GXdH1iKNWAVAqirdGzXCwoujwOB2bk=,tag:B073+3aobpOA2QU2BOjdHA==,type:str]
certificate-key-cache-tammena-me: ENC[AES256_GCM,data:ieanG2LnohzctjLggzx1b1IVcxcAaDQi/HPEAg7M8l8qespVKwSLBe31gIEQ2fQXtpmpESy6P4IhSPhVw7W0XyNe4656VycgFuo3JasjeGzfpH9DqXWYa+4wjT62p2gW4mnE8QbpKQ1s17hDkWPgNhrK7ya50ascXsazKD/XMoxdoIBKhFjfICWl+RqL2j1tRmB4U/w2MNQ3GVHBwK6xGy1uauDStR1Ndpz+Ed/fpEmodYyjvHrN2czykab2kD4BCqHISYgyf9y2wkBHSKMj6o1xJWRqAavOWW9YkQTlx7MbFypUOP6j1TYeeJZGAPNhiOFBeMTYapM645spoOECM0KSdAVHQmzIhl9zZ1rA5hx/wXk6OsIjbLRTd6lm8aAr6M9aN5wqLQpcu/ybFq8=,iv:8fP4uxYrZQ1n+0VYhX1Z6lae2GZu/PPqGgJjjtlAzrM=,tag:T95fhh7fTaVN8TR/2dU/0g==,type:str] certificate-key-cache-tammena-me: ENC[AES256_GCM,data:ieanG2LnohzctjLggzx1b1IVcxcAaDQi/HPEAg7M8l8qespVKwSLBe31gIEQ2fQXtpmpESy6P4IhSPhVw7W0XyNe4656VycgFuo3JasjeGzfpH9DqXWYa+4wjT62p2gW4mnE8QbpKQ1s17hDkWPgNhrK7ya50ascXsazKD/XMoxdoIBKhFjfICWl+RqL2j1tRmB4U/w2MNQ3GVHBwK6xGy1uauDStR1Ndpz+Ed/fpEmodYyjvHrN2czykab2kD4BCqHISYgyf9y2wkBHSKMj6o1xJWRqAavOWW9YkQTlx7MbFypUOP6j1TYeeJZGAPNhiOFBeMTYapM645spoOECM0KSdAVHQmzIhl9zZ1rA5hx/wXk6OsIjbLRTd6lm8aAr6M9aN5wqLQpcu/ybFq8=,iv:8fP4uxYrZQ1n+0VYhX1Z6lae2GZu/PPqGgJjjtlAzrM=,tag:T95fhh7fTaVN8TR/2dU/0g==,type:str]
certificate-key-git-new-tammena-me: ENC[AES256_GCM,data:q7Qe3944XnHTzoFOfB6A7dnkYBBdVEF7f95u1wT2Xc1zXiQ3pSG/pzXc6FzM8uJGz0jGFfkD+BUII6PdXeEK1cMKCecEmAv2iQNz0BCwF0FkY4EQ3rlSokFvbbWu34W8NTnoT47KXBu/19DqGZOcODVWJkOJg3WMTm9tAy+sR3xn0MKPknU0Uhz9eOkZagYpwdyNj8coQhd8LCktKx85991MjnwcFOe3lzaYU97/7buDXUmzx51N1ztxR9ZNnTLjqKUtK+T+8uF9Z/+sSq6/40l4YaztMN8G44UFAAsiMRvKOx5w/gGaDeNSm+S5lPegcAo9vsUJCoOmOhN91KQPVFWri45yW0G5h+BIXgLzQQvKAIv+8CQwYYxYi5THyWffbAljIme4F3Otbse3J84=,iv:rbET3RxtYRKAeJFDsqPG/+j4VXU7kn39CVaREGsFI5A=,tag:2itjKPHUvt0B6Yt20LhRZA==,type:str] certificate-key-git-new-tammena-me: ENC[AES256_GCM,data:q7Qe3944XnHTzoFOfB6A7dnkYBBdVEF7f95u1wT2Xc1zXiQ3pSG/pzXc6FzM8uJGz0jGFfkD+BUII6PdXeEK1cMKCecEmAv2iQNz0BCwF0FkY4EQ3rlSokFvbbWu34W8NTnoT47KXBu/19DqGZOcODVWJkOJg3WMTm9tAy+sR3xn0MKPknU0Uhz9eOkZagYpwdyNj8coQhd8LCktKx85991MjnwcFOe3lzaYU97/7buDXUmzx51N1ztxR9ZNnTLjqKUtK+T+8uF9Z/+sSq6/40l4YaztMN8G44UFAAsiMRvKOx5w/gGaDeNSm+S5lPegcAo9vsUJCoOmOhN91KQPVFWri45yW0G5h+BIXgLzQQvKAIv+8CQwYYxYi5THyWffbAljIme4F3Otbse3J84=,iv:rbET3RxtYRKAeJFDsqPG/+j4VXU7kn39CVaREGsFI5A=,tag:2itjKPHUvt0B6Yt20LhRZA==,type:str]
certificate-key-sea-tammena-me: ENC[AES256_GCM,data:OXDpH/4nh0y4IGw7KxI/NAFf0U0/dKHWJDKUGCnK/REx6A+HONH0LJ0eacH4eDMU6YUHOd/5qgzCOWx3bFb4pt0j6jAW2mED76r8+n8ojmyYslo1rnJhJcrCNetPRHRgqDoI3PZqqISMfqZ7eJ8XmuyET/HVxsL8h2IA3jTa6e9P8BRjcQREkzAuomzn4s97xu8jT9exmEzN8AxrovSBju9CkSOk/WJcaDP9B1JNCKRCRwj5OfvJVMtMvDw0FdTM6hC883NGSr6dsklS8Zee3LGBoeZm+3X725WamvC4YSeHyVVljDVWQhGu82QzljOq/Im82gwmVljslI+lcLP9rsStiztZC7BY3uWG/Hp9cZuBVNhL4gTgLQzMHkbAQ9zvBlyu9k7NlG+Gs4R6bZk=,iv:WU42jGKUakz5LnCWMIDsHDfTqiukVRWPczNl3SaXKRQ=,tag:WX38fXZvcXLYvd+QwN8Www==,type:str]
certificate-key-s3-tammena-me: ENC[AES256_GCM,data:JtR5CaUgJCkHJafMnVwDhYNM+y/jnwNjXJV7c5QqRErTqLrRImUa/TALMAs+CnUqSQmDY+35kqp7LFrwQzEwc4dXyfKtEeE795HOP/hL2G2EpW8WiJMLE0ai/EZz9ZEiF++V72rtQRdf03OgrS2n/gNHDL2unEi34rNkFTmUXG3BCfpIBP6GqRGvOdAd97dQBHB/XHF5Xd9GFWuU7LW0RfstB8D+C9Q/JngXvEX6XDPodNzXaQVoI+uMqHaJLMUhYhgnoSiWFK4IYVLxhsRKYdSO4ysTkEkp+oGTE3mgwpxaAqNANKkaFuvCYjDwJSsE84MkoRRVcpFbwh3OsuFs0PmiO1zI1DjyrjwahD9JrCX8w/4xyuijIK+jehaOhK8ZKcDd3+9iIMq0F5ZjVKY=,iv:KuKYtzb55ABgnJ4ad4amww6Phcbe7K20df94LqPKToE=,tag:S4hh2ionWvrhuBS3pGPXdg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -31,8 +33,8 @@ sops:
ZzFxdmlXaTRCY2tUZndBSDlNeUVROVUKH1CxbcdwHR3ELn9YlGvO6YbGGg++wGZv ZzFxdmlXaTRCY2tUZndBSDlNeUVROVUKH1CxbcdwHR3ELn9YlGvO6YbGGg++wGZv
97ez/ErXEOq/6IF6HzV3I9BsVV4WCJI2VTP8Lbiwt59qg5riH7CGJQ== 97ez/ErXEOq/6IF6HzV3I9BsVV4WCJI2VTP8Lbiwt59qg5riH7CGJQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-15T20:03:22Z" lastmodified: "2024-02-03T21:51:12Z"
mac: ENC[AES256_GCM,data:oFa6t5UQR7D6y4Z7NjspNYRHgTXqv7RFYT0oe8nCpr6QTry+y4CC0rZxl+e/eeRC4xlQaj3ElOnZgWOepToezS2AEsAqUcZD3effWEg/Ju3Yt/SQc71M/pQIa+Q8CBgLVkhvtcL2T0OLmPmCmpSgiAVuJ02EwcE4wAm2QN6zLEM=,iv:ehfL2Fvn+6rTwM7wMjDojvYfrUFyHYerGh+dgmJy008=,tag:gJnG5vu+nK7Ohes6+OlaFw==,type:str] mac: ENC[AES256_GCM,data:2t8P8TWN8nre0EcI0JFeyyl83b06p/qvJ2XE1R1ZuM7tqAZ5jTz9p4h/jfMrB+99xF5oITRfcfPm8V074JlLmCWY1Cw+KISUaRIBSJA4VUFS8vRdeN3pcyr6VyaNJi3bE2ifSImbaDElSk7qqiWygyUQ+mpTVZRu4S8GzGnMlM4=,iv:6X61PrN2wmk96w/3whl3YOBRTCJFnwd4fZMm5VObUP4=,tag:DeVPUDdEgYpV2F0wG/pdPw==,type:str]
pgp: pgp:
- created_at: "2023-11-06T16:58:30Z" - created_at: "2023-11-06T16:58:30Z"
enc: | enc: |

View file

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBsDCCAVegAwIBAgIURPKYTHbrVd9AFBc9KERxomwis+AwCgYIKoZIzj0EAwIw
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMDMyMTUxMTFaFw0yNTAyMDIy
MTUxMTFaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABENuZPN1/bWczZ0OIKSeOENWV1Ft3bkXbDkQcwMP1BOoOmF0LPUUQ3us9c82
hzyi9j78RWv59FTZYP5n0erMEUijgYgwgYUwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMCEGA1UdEQQaMBiCDXMzLnRhbW1lbmEubWWCB3MzLmhvbWUw
HQYDVR0OBBYEFKv3QJQhFxS39Vbtwk6WGdo39jq8MB8GA1UdIwQYMBaAFAD63A/b
JrL4LdckOxmyIq1lmU+rMAoGCCqGSM49BAMCA0cAMEQCIG/itLwW2CfHrk0tZVyf
44CX8fAUJ07zOVX+uTXejydpAiB8TbPK1dXZk2sMzSEzCtEKqBliiIQW2uf8bId8
ErrlOw==
-----END CERTIFICATE-----

View file

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIULiw9IAbb1hMRdB3f7fijW2yIQ5AwCgYIKoZIzj0EAwIw
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMDMyMDU2MTlaFw0yNTAyMDIy
MDU2MTlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABP5nGBDUoZ+uCZri8tyeqgpgm9blFpEhAPS+Mo7Vi3hrGoF9nNskGLSz5tfR
XF3KUgbQNNJuvKdI0bNrwzAQ2nqjgYowgYcwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMCMGA1UdEQQcMBqCDnNlYS50YW1tZW5hLm1lgghzZWEuaG9t
ZTAdBgNVHQ4EFgQU9lMKoIHKaRJT6xi2O8JOq4EaYMQwHwYDVR0jBBgwFoAUAPrc
D9smsvgt1yQ7GbIirWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgOyYYHsae2hFdjdhM
2eLJH6IniwIPwkAy/acMVvcTpxoCIQClsIoSeaGnvVG86221Xda7oeca+cKVk8rK
XjCSIGAK7Q==
-----END CERTIFICATE-----

View file

@ -62,5 +62,15 @@
port = 28981; port = 28981;
external = true; external = true;
}; };
sea = {
host = "faunus-ater";
port = 9333;
external = false;
};
s3 = {
host = "faunus-ater";
port = 8333;
external = false;
};
}; };
} }