proxy garage web to port 80

fediversity/default.nix

@@ -64,17 +64,13 @@ in {
                   type = types.str;
                   default = "web.garage.${config.fediversity.domain}";
                 };
-                port = mkOption {
+                internalPort = mkOption {
                   type = types.int;
                   default = 3902;
                 };
-                rootDomainAndPort = mkOption {
-                  type = types.str;
-                  default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
-                };
                 urlFor = mkOption {
                   type = types.functionTo types.str;
-                  default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
+                  default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
                 };
               };
             };

fediversity/garage.nix

@@ -5,6 +5,7 @@ let
     id = "GK22a15201acacbd51cd43e327";
     secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e";
   };
+  cfg = config.fediversity.internal.garage;
 in
 
 # TODO: expand to a multi-machine setup
@@ -42,7 +43,7 @@ let
       ${optionalString corsRules.enable ''
         garage bucket allow --read --write --owner ${bucketArg} --key tmp
         # TODO: endpoin-url should not be hard-coded
-        aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
+        aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${cfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
         garage bucket deny --read --write --owner ${bucketArg} --key tmp
       ''}
     '';
@@ -137,21 +138,20 @@ in
     # virtualisation.forwardPorts = [
     #   {
     #     from = "host";
-    #     host.port = config.fediversity.internal.garage.rpc.port;
+    #     host.port = cfg.rpc.port;
-    #     guest.port = config.fediversity.internal.garage.rpc.port;
+    #     guest.port = cfg.rpc.port;
     #   }
     #   {
     #     from = "host";
-    #     host.port = config.fediversity.internal.garage.web.port;
+    #     host.port = cfg.web.port;
-    #     guest.port = config.fediversity.internal.garage.web.port;
+    #     guest.port = cfg.web.port;
     #   }
     # ];
 
     environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
 
     networking.firewall.allowedTCPPorts = [
-      config.fediversity.internal.garage.rpc.port
+      cfg.rpc.port
-      config.fediversity.internal.garage.web.port
     ];
     services.garage = {
       enable = true;
@@ -161,15 +161,24 @@ in
         # TODO: use a secret file
         rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
         # TODO: why does this have to be set? is there not a sensible default?
-        rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}";
+        rpc_bind_addr = "[::]:${toString cfg.rpc.port}";
-        rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}";
+        rpc_public_addr = "[::1]:${toString cfg.rpc.port}";
-        s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}";
+        s3_api.api_bind_addr = "[::]:${toString cfg.api.port}";
-        s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}";
+        s3_web.bind_addr = "[::]:${toString cfg.web.port}";
-        s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}";
+        s3_web.root_domain = ".${cfg.web.rootDomain}";
         index = "index.html";
 
         s3_api.s3_region = "garage";
-        s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}";
+        s3_api.root_domain = ".${cfg.api.domain}";
+      };
+    };
+    services.nginx.virtualHosts."garagePortProxy" = {
+      serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com
+      locations."/" = {
+        proxyPass = "localhost:3902"
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
       };
     };
     systemd.services.ensure-garage = {
@@ -184,7 +193,7 @@ in
 
         # Give Garage time to start up by waiting until somethings speaks HTTP
         # behind Garage's API URL.
-        until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done
+        until ${pkgs.curl}/bin/curl -sio /dev/null ${cfg.api.url}; do sleep 1; done
 
         # XXX: this is very sensitive to being a single instance
         # (doing the bare minimum to get garage up and running)

fediversity/mastodon.nix

@@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
       AWS_ACCESS_KEY_ID = snakeoil_key.id;
       AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
       S3_PROTOCOL = "http";
-      S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort;
+      S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain;
       # by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
       S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
       # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/