proxy garage web to port 80
parent
011f166fd3
commit
2501c480fb
|
@ -64,17 +64,13 @@ in {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "web.garage.${config.fediversity.domain}";
|
default = "web.garage.${config.fediversity.domain}";
|
||||||
};
|
};
|
||||||
port = mkOption {
|
internalPort = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
default = 3902;
|
default = 3902;
|
||||||
};
|
};
|
||||||
rootDomainAndPort = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
|
|
||||||
};
|
|
||||||
urlFor = mkOption {
|
urlFor = mkOption {
|
||||||
type = types.functionTo types.str;
|
type = types.functionTo types.str;
|
||||||
default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
|
default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
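Review bot: The `port` option is renamed to `internalPort` here, but the new side of the `@ -161,15 +161,24 @@` hunk still reads `cfg.web.port` in `s3_web.bind_addr` (the commented-out `forwardPorts` block in the `@ -137` hunk does too, though that one is inert); unless a `web.port` option is still declared somewhere outside this diff, evaluation will fail on the missing attribute, so that line should become `s3_web.bind_addr = "[::]:${toString cfg.web.internalPort}";`. The new option also carries no `description`, like the rest of this option set, and its meaning is now non-obvious (the port Garage itself listens on, behind the port-80 proxy), so a line such as `description = "Local port of Garage's web endpoint; nginx proxies it to port 80.";` would help the next reader. The enclosing option set starts before this hunk (`in {`) and continues past its end.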
|
|
|
@ -5,6 +5,7 @@ let
|
||||||
id = "GK22a15201acacbd51cd43e327";
|
id = "GK22a15201acacbd51cd43e327";
|
||||||
secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e";
|
secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e";
|
||||||
};
|
};
|
||||||
|
cfg = config.fediversity.internal.garage;
|
||||||
in
|
in
|
||||||
|
|
||||||
# TODO: expand to a multi-machine setup
|
# TODO: expand to a multi-machine setup
|
||||||
|
@ -42,7 +43,7 @@ let
|
||||||
${optionalString corsRules.enable ''
|
${optionalString corsRules.enable ''
|
||||||
garage bucket allow --read --write --owner ${bucketArg} --key tmp
|
garage bucket allow --read --write --owner ${bucketArg} --key tmp
|
||||||
# TODO: endpoin-url should not be hard-coded
|
# TODO: endpoin-url should not be hard-coded
|
||||||
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${cfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
||||||
garage bucket deny --read --write --owner ${bucketArg} --key tmp
|
garage bucket deny --read --write --owner ${bucketArg} --key tmp
|
||||||
''}
|
''}
|
||||||
'';
|
'';
|
||||||
|
@ -137,21 +138,20 @@ in
|
||||||
# virtualisation.forwardPorts = [
|
# virtualisation.forwardPorts = [
|
||||||
# {
|
# {
|
||||||
# from = "host";
|
# from = "host";
|
||||||
# host.port = config.fediversity.internal.garage.rpc.port;
|
# host.port = cfg.rpc.port;
|
||||||
# guest.port = config.fediversity.internal.garage.rpc.port;
|
# guest.port = cfg.rpc.port;
|
||||||
# }
|
# }
|
||||||
# {
|
# {
|
||||||
# from = "host";
|
# from = "host";
|
||||||
# host.port = config.fediversity.internal.garage.web.port;
|
# host.port = cfg.web.port;
|
||||||
# guest.port = config.fediversity.internal.garage.web.port;
|
# guest.port = cfg.web.port;
|
||||||
# }
|
# }
|
||||||
# ];
|
# ];
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
|
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
config.fediversity.internal.garage.rpc.port
|
cfg.rpc.port
|
||||||
config.fediversity.internal.garage.web.port
|
|
||||||
];
|
];
|
||||||
services.garage = {
|
services.garage = {
|
||||||
enable = true;
|
enable = true;
|
||||||
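Review bot: `networking.firewall.allowedTCPPorts` drops the Garage web port without adding 80, and the NixOS nginx module does not open the firewall by itself, so the proxy introduced in the `@ -161` hunk is reachable only from the host unless port 80 is opened elsewhere in the configuration; if other machines are meant to reach it, add `80` to this list. Closing the web port is the right direction, but the same later hunk still binds it on `[::]` (`s3_web.bind_addr`); since only the local nginx needs to reach it, binding that address to loopback would keep the port off the network even if the firewall is later relaxed. The enclosing module body continues outside the hunk.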
|
@ -161,15 +161,24 @@ in
|
||||||
# TODO: use a secret file
|
# TODO: use a secret file
|
||||||
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
||||||
# TODO: why does this have to be set? is there not a sensible default?
|
# TODO: why does this have to be set? is there not a sensible default?
|
||||||
rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}";
|
rpc_bind_addr = "[::]:${toString cfg.rpc.port}";
|
||||||
rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}";
|
rpc_public_addr = "[::1]:${toString cfg.rpc.port}";
|
||||||
s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}";
|
s3_api.api_bind_addr = "[::]:${toString cfg.api.port}";
|
||||||
s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}";
|
s3_web.bind_addr = "[::]:${toString cfg.web.port}";
|
||||||
s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}";
|
s3_web.root_domain = ".${cfg.web.rootDomain}";
|
||||||
index = "index.html";
|
index = "index.html";
|
||||||
|
|
||||||
s3_api.s3_region = "garage";
|
s3_api.s3_region = "garage";
|
||||||
s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}";
|
s3_api.root_domain = ".${cfg.api.domain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.nginx.virtualHosts."garagePortProxy" = {
|
||||||
|
serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "localhost:3902"
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.ensure-garage = {
|
systemd.services.ensure-garage = {
|
||||||
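Review bot: The new nginx virtual host cannot work as written: `serverName` is built from `cfg.web.urlFor "*"`, which per the first hunk yields `http://*.<rootDomain>`, and nginx's `server_name` is a hostname pattern without a scheme, so no request would ever match it; `proxyPass = "localhost:3902"` is missing both the terminating `;` (a Nix parse error) and the `http://` prefix nginx requires in `proxy_pass`, and it hard-codes the port this very commit turns into an option. Suggested lines: `serverName = "*.${cfg.web.rootDomain}";` and `proxyPass = "http://localhost:${toString cfg.web.internalPort}";`. The hunk also never sets `services.nginx.enable`, so if it is not enabled elsewhere the vhost is silently ignored. Finally the vhost sets neither `forceSSL` nor `enableACME`, so bucket content is served over plain HTTP on 80 — consistent with `S3_PROTOCOL = "http"` in the Mastodon hunk, but worth a one-line comment saying that is intended for this endpoint, or the TLS options if it is not. The `services.garage.settings` block this hunk edits starts before the hunk.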
|
@ -184,7 +193,7 @@ in
|
||||||
|
|
||||||
# Give Garage time to start up by waiting until somethings speaks HTTP
|
# Give Garage time to start up by waiting until somethings speaks HTTP
|
||||||
# behind Garage's API URL.
|
# behind Garage's API URL.
|
||||||
until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done
|
until ${pkgs.curl}/bin/curl -sio /dev/null ${cfg.api.url}; do sleep 1; done
|
||||||
|
|
||||||
# XXX: this is very sensitive to being a single instance
|
# XXX: this is very sensitive to being a single instance
|
||||||
# (doing the bare minimum to get garage up and running)
|
# (doing the bare minimum to get garage up and running)
|
||||||
|
|
|
@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
|
||||||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||||
S3_PROTOCOL = "http";
|
S3_PROTOCOL = "http";
|
||||||
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort;
|
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain;
|
||||||
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
||||||
S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
|
S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
|
||||||
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
||||||
|
|