proxy garage web to port 80
This commit is contained in:
Taeer Bar-Yam
parent
011f166fd3
commit
2501c480fb
3 changed files with 26 additions and 21 deletions
|
|
@ -64,17 +64,13 @@ in {
|
|||
type = types.str;
|
||||
default = "web.garage.${config.fediversity.domain}";
|
||||
};
|
||||
port = mkOption {
|
||||
internalPort = mkOption {
|
||||
type = types.int;
|
||||
default = 3902;
|
||||
};
|
||||
rootDomainAndPort = mkOption {
|
||||
type = types.str;
|
||||
default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
|
||||
};
|
||||
urlFor = mkOption {
|
||||
type = types.functionTo types.str;
|
||||
default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
|
||||
default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ let
|
|||
id = "GK22a15201acacbd51cd43e327";
|
||||
secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e";
|
||||
};
|
||||
cfg = config.fediversity.internal.garage;
|
||||
in
|
||||
|
||||
# TODO: expand to a multi-machine setup
|
||||
|
|
@ -42,7 +43,7 @@ let
|
|||
${optionalString corsRules.enable ''
|
||||
garage bucket allow --read --write --owner ${bucketArg} --key tmp
|
||||
# TODO: endpoin-url should not be hard-coded
|
||||
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
||||
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${cfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
||||
garage bucket deny --read --write --owner ${bucketArg} --key tmp
|
||||
''}
|
||||
'';
|
||||
|
|
@ -137,21 +138,20 @@ in
|
|||
# virtualisation.forwardPorts = [
|
||||
# {
|
||||
# from = "host";
|
||||
# host.port = config.fediversity.internal.garage.rpc.port;
|
||||
# guest.port = config.fediversity.internal.garage.rpc.port;
|
||||
# host.port = cfg.rpc.port;
|
||||
# guest.port = cfg.rpc.port;
|
||||
# }
|
||||
# {
|
||||
# from = "host";
|
||||
# host.port = config.fediversity.internal.garage.web.port;
|
||||
# guest.port = config.fediversity.internal.garage.web.port;
|
||||
# host.port = cfg.web.port;
|
||||
# guest.port = cfg.web.port;
|
||||
# }
|
||||
# ];
|
||||
|
||||
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
config.fediversity.internal.garage.rpc.port
|
||||
config.fediversity.internal.garage.web.port
|
||||
cfg.rpc.port
|
||||
];
|
||||
services.garage = {
|
||||
enable = true;
|
||||
|
|
@ -161,15 +161,24 @@ in
|
|||
# TODO: use a secret file
|
||||
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
||||
# TODO: why does this have to be set? is there not a sensible default?
|
||||
rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}";
|
||||
rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}";
|
||||
s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}";
|
||||
s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}";
|
||||
s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}";
|
||||
rpc_bind_addr = "[::]:${toString cfg.rpc.port}";
|
||||
rpc_public_addr = "[::1]:${toString cfg.rpc.port}";
|
||||
s3_api.api_bind_addr = "[::]:${toString cfg.api.port}";
|
||||
s3_web.bind_addr = "[::]:${toString cfg.web.port}";
|
||||
s3_web.root_domain = ".${cfg.web.rootDomain}";
|
||||
index = "index.html";
|
||||
|
||||
s3_api.s3_region = "garage";
|
||||
s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}";
|
||||
s3_api.root_domain = ".${cfg.api.domain}";
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."garagePortProxy" = {
|
||||
serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com
|
||||
locations."/" = {
|
||||
proxyPass = "localhost:3902"
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
'';
|
||||
};
|
||||
};
|
||||
systemd.services.ensure-garage = {
|
||||
|
|
@ -184,7 +193,7 @@ in
|
|||
|
||||
# Give Garage time to start up by waiting until somethings speaks HTTP
|
||||
# behind Garage's API URL.
|
||||
until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done
|
||||
until ${pkgs.curl}/bin/curl -sio /dev/null ${cfg.api.url}; do sleep 1; done
|
||||
|
||||
# XXX: this is very sensitive to being a single instance
|
||||
# (doing the bare minimum to get garage up and running)
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
|
|||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||
S3_PROTOCOL = "http";
|
||||
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort;
|
||||
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain;
|
||||
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
||||
S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
|
||||
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
||||
|
|
|
|||
Reference in a new issue