basic s3 garage setup for mastodon

it's still having trouble fetching stored images for some reason

README.md

@@ -25,6 +25,7 @@ You can then access the apps on your local machine (using the magic of port forw
   - You will have to "accept the security risk"
   - It may take a minute for the webpage to come online. Until then you will see "502 Bad Gateway"
   - (NOTE: currently broken) email sent from the mastodon instance (e.g. for setting up an account) will be accessible at <https://mastodon.localhost:55001/letter_opener>
+  - You can also create accounts on the machine itself by running `mastodon-tootctl accounts create <name> --email <email> --confirmed --approve`
 
 - PeerTube: <http://peertube.localhost:9000>
   - The root account can be accessed with username "root". The password can be obtained by running the following command on the VM:
@@ -61,6 +62,13 @@ You can then access the apps on your local machine (using the magic of port forw
   - either forward 443 directly, or get mastodon to accept connections on a different port (maybe 3000? see development environment documentation)
 - [ ] get letter_opener working
 - [ ] share resources (e.g. s3 storage) between the services
+- [ ] get garage running on another machine
+  - [ ] get garage replication running (multiple machines)
+
+# questions
+
+- what is meant to be shared between instances?
+  - this is relevant to the security model. If garage is being shared between instances, we have to be careful having configurations depend on each other.
 
 # resources
 

flake.nix

@@ -14,7 +14,7 @@
     nixosConfigurations = {
       mastodon = nixpkgs.lib.nixosSystem {
         inherit system;
-        modules = [ ./common.nix ./mastodon.nix ];
+        modules = [ ./common.nix ./mastodon.nix ./garage.nix ];
       };
 
       peertube = nixpkgs.lib.nixosSystem {

garage.nix

@@ -0,0 +1,74 @@
+let
+  # generate one using openssl (somehow)
+  # XXX: when importing, garage tells you importing is only meant for keys previously generated by garage. is it okay to generate them using openssl?
+  snakeoil_key = {
+    id = "GK3515373e4c851ebaad366558";
+    secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+  };
+in
+# TODO: expand to a multi-machine setup
+{ config, lib, pkgs, ... }: {
+  # add in options to ensure creation of buckets and keys
+
+  config = {
+    virtualisation.vmVariant = {
+      virtualisation.diskSize = 2048;
+      virtualisation.forwardPorts = [
+        {
+          from = "host";
+          host.port = 3901;
+          guest.port = 3901;
+        }
+        {
+          from = "host";
+          host.port = 3902;
+          guest.port = 3902;
+        }
+      ];
+    };
+    environment.systemPackages = [ pkgs.minio-client ];
+
+    networking.firewall.allowedTCPPorts = [ 3901 3902 ];
+    services.garage = {
+      enable = true;
+      package = pkgs.garage_0_9;
+      settings = {
+        replication_mode = "none";
+        # TODO: use a secret file
+        rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
+        # TODO: why does this have to be set? is there not a sensible default?
+        rpc_bind_addr = "[::]:3901";
+        rpc_public_addr = "[::1]:3901";
+        s3_api.api_bind_addr = "[::]:3900";
+        s3_web.bind_addr = "[::]:3902";
+        s3_web.root_domain = ".web.garage.localhost";
+        index = "index.html";
+
+        s3_api.s3_region = "garage";
+        s3_api.root_domain = ".s3.garage.localhost";
+      };
+    };
+    systemd.services.ensure-garage = {
+      after = [ "garage.service" ];
+      wantedBy = [ "garage.service" ];
+      path = [ config.services.garage.package pkgs.perl ];
+      script = ''
+        set -xeuo pipefail
+        # give garage time to start up
+        sleep 3
+        # XXX: this is very sensitive to being a single instance
+        # (bare minimum to get garage up and running)
+        # also, it's crazy that we have to parse command output like this
+        GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
+        garage layout assign -z g1 -c 1G $GARAGE_ID
+        LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
+        garage layout apply --version $((LAYOUT_VER + 1))
+
+        garage bucket create mastodon
+        garage key import --yes -n mastodon "${snakeoil_key.id}" "${snakeoil_key.secret}"
+        garage bucket allow --read --write mastodon --key mastodon
+        garage bucket website --allow mastodon
+      '';
+    };
+  };
+}

mastodon.nix

@@ -1,4 +1,32 @@
+let
+  snakeoil_key = {
+    id = "GK3515373e4c851ebaad366558";
+    secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+  };
+in
 { config, lib, pkgs, ... }: lib.mkMerge [
+  { # garage setup
+    services.mastodon = {
+      extraConfig = {
+        S3_ENABLED = "true";
+        S3_ENDPOINT = "http://s3.garage.localhost:3900";
+        S3_REGION = "garage";
+        S3_BUCKET = "mastodon";
+        # use <S3_BUCKET>.<S3_ENDPOINT>
+        S3_OVERRIDE_PATH_STLE = "true";
+        AWS_ACCESS_KEY_ID = snakeoil_key.id;
+        AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
+        S3_PROTOCOL = "http";
+        S3_HOSTNAME = "web.garage.localhost:3902";
+        # by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
+        # but we want "<S3_BUCKET>.<S3_HOSTNAME>"
+        S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902";
+        # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
+        # TODO: can we set up ACLs with garage?
+        S3_PERMISSION = "";
+      };
+    };
+  }
   # mastodon setup
   {
     # open up access to the mastodon web interface