options for ensuring garage buckets
This commit is contained in:
parent
5fd1e115a0
commit
48084fa688
|
@ -64,6 +64,8 @@ You can then access the apps on your local machine (using the magic of port forw
|
||||||
- [ ] share resources (e.g. s3 storage) between the services
|
- [ ] share resources (e.g. s3 storage) between the services
|
||||||
- [ ] get garage running on another machine
|
- [ ] get garage running on another machine
|
||||||
- [ ] get garage replication running (multiple machines)
|
- [ ] get garage replication running (multiple machines)
|
||||||
|
- [ ] some way of declaratively defining users?
|
||||||
|
- [ ] shared users between fediverse services
|
||||||
|
|
||||||
# questions
|
# questions
|
||||||
|
|
||||||
|
|
73
garage.nix
73
garage.nix
|
@ -9,6 +9,55 @@ in
|
||||||
# TODO: expand to a multi-machine setup
|
# TODO: expand to a multi-machine setup
|
||||||
{ config, lib, pkgs, ... }: {
|
{ config, lib, pkgs, ... }: {
|
||||||
# add in options to ensure creation of buckets and keys
|
# add in options to ensure creation of buckets and keys
|
||||||
|
options =
|
||||||
|
let
|
||||||
|
inherit (lib) types mkOption;
|
||||||
|
in {
|
||||||
|
services.garage = {
|
||||||
|
ensureBuckets = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule {
|
||||||
|
options = {
|
||||||
|
website = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
ensureKeys = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule {
|
||||||
|
options = {
|
||||||
|
id = mkOption {
|
||||||
|
type = types.string;
|
||||||
|
};
|
||||||
|
secret = mkOption {
|
||||||
|
type = types.string;
|
||||||
|
};
|
||||||
|
# TODO: assert at least one of these is true
|
||||||
|
ensureAccess = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule {
|
||||||
|
options = {
|
||||||
|
read = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
write = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
owner = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
virtualisation.vmVariant = {
|
virtualisation.vmVariant = {
|
||||||
|
@ -56,6 +105,7 @@ in
|
||||||
set -xeuo pipefail
|
set -xeuo pipefail
|
||||||
# give garage time to start up
|
# give garage time to start up
|
||||||
sleep 3
|
sleep 3
|
||||||
|
|
||||||
# XXX: this is very sensitive to being a single instance
|
# XXX: this is very sensitive to being a single instance
|
||||||
# (bare minimum to get garage up and running)
|
# (bare minimum to get garage up and running)
|
||||||
# also, it's crazy that we have to parse command output like this
|
# also, it's crazy that we have to parse command output like this
|
||||||
|
@ -64,10 +114,25 @@ in
|
||||||
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
|
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
|
||||||
garage layout apply --version $((LAYOUT_VER + 1))
|
garage layout apply --version $((LAYOUT_VER + 1))
|
||||||
|
|
||||||
garage bucket create mastodon
|
${
|
||||||
garage key import --yes -n mastodon "${snakeoil_key.id}" "${snakeoil_key.secret}"
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (bucket: { website }: ''
|
||||||
garage bucket allow --read --write mastodon --key mastodon
|
garage bucket create ${bucket}
|
||||||
garage bucket website --allow mastodon
|
# XXX: should this --deny the website if `website` is false?
|
||||||
|
${lib.optionalString website ''
|
||||||
|
garage bucket website --allow ${bucket}
|
||||||
|
''}
|
||||||
|
'') config.services.garage.ensureBuckets)
|
||||||
|
}
|
||||||
|
${
|
||||||
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''
|
||||||
|
garage key import --yes -n ${key} ${id} ${secret}
|
||||||
|
${
|
||||||
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (bucket: { read, write, owner }: ''
|
||||||
|
garage bucket allow ${lib.optionalString read "--read"} ${lib.optionalString write "--write"} ${lib.optionalString owner "--owner"} ${bucket} --key ${key}
|
||||||
|
'') ensureAccess)
|
||||||
|
}
|
||||||
|
'') config.services.garage.ensureKeys)
|
||||||
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
17
mastodon.nix
17
mastodon.nix
|
@ -6,6 +6,23 @@ let
|
||||||
in
|
in
|
||||||
{ config, lib, pkgs, ... }: lib.mkMerge [
|
{ config, lib, pkgs, ... }: lib.mkMerge [
|
||||||
{ # garage setup
|
{ # garage setup
|
||||||
|
services.garage = {
|
||||||
|
ensureBuckets = {
|
||||||
|
mastodon = { website = true; };
|
||||||
|
};
|
||||||
|
ensureKeys = {
|
||||||
|
mastodon = {
|
||||||
|
inherit (snakeoil_key) id secret;
|
||||||
|
ensureAccess = {
|
||||||
|
mastodon = {
|
||||||
|
read = true;
|
||||||
|
write = true;
|
||||||
|
owner = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
services.mastodon = {
|
services.mastodon = {
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
S3_ENABLED = "true";
|
S3_ENABLED = "true";
|
||||||
|
|
Reference in a new issue