switch to storj

2022-03-02 18:34:06 +01:00 · 2022-03-02 18:34:06 +01:00 · 2344b78ebd
commit 2344b78ebd
parent 54d34d60dc
5 changed files with 121 additions and 7 deletions
--- a/config/server.nix
+++ b/config/server.nix
@ -4,6 +4,5 @@
    ./services/nginx.nix
    ./services/acme.nix
    ./services/fail2ban.nix
-    ./services/minio.nix
  ];
 }
--- a/config/services/gitea.nix
+++ b/config/services/gitea.nix
@ -1,6 +1,7 @@
 { config, ... }: {
  imports = [
    ../../modules/gitea.nix
+    ../../modules/gateway-st.nix
  ];
  services.gitea = {
    enable = true;
@ -20,11 +21,11 @@
    settings = rec {
      storage = {
        STORAGE_TYPE = "minio";
-        MINIO_ENDPOINT = "minio.int.chir.rs:443";
+        MINIO_ENDPOINT = "localhost:7777";
        MINIO_ACCESS_KEY_ID = "gitea";
        MINIO_SECRET_ACCESS_KEY = "#storageSecret#";
        MINIO_BUCKET = "gitea";
-        MINIO_USE_SSL = "true";
+        MINIO_USE_SSL = "false";
      };
      openid = {
        ENABLE_OPENID_SIGNIN = true;
@ -51,6 +52,15 @@
    };
  };

+  services.storj-gateway.gitea = {
+    accessGrantFile = "/run/secrets/services/storj/gitea/accessGrant";
+    accessKeyFile = "/run/secrets/services/storj/gitea/accessKey";
+    secretKeyFile = "/run/secrets/services/storj/gitea/secretKey";
+  };
+  sops.secrets."services/storj/gitea/accessGrant".owner = "storj";
+  sops.secrets."services/storj/gitea/accessKey".owner = "storj";
+  sops.secrets."services/storj/gitea/secretKey".owner = "storj";
+
  services.nginx.virtualHosts."git.chir.rs" = {
    sslCertificate = "/var/lib/acme/chir.rs/cert.pem";
    sslCertificateKey = "/var/lib/acme/chir.rs/key.pem";
--- a/modules/gateway-st.nix
+++ b/modules/gateway-st.nix
@ -0,0 +1,89 @@
+{ config, lib, options, pkgs, ... }:
+with lib;
+let
+  gateway = pkgs.callPackage ../packages/gateway-st.nix { };
+  cfg = config.services.storj-gateway;
+  opt = options.services.storj-gateway;
+in
+{
+  options.services.storj-gateway = mkOption {
+    default = { };
+    description = "Storj gateway";
+    type = types.attrsOf (types.submodule {
+      options = {
+        enable = mkOption {
+          default = true;
+          description = "Enable Storj gateway";
+          type = types.bool;
+        };
+        accessGrantFile = mkOption {
+          description = "File containing the access key";
+          type = types.str;
+        };
+        accessKeyFile = mkOption {
+          description = "File containing the access key";
+          type = types.str;
+        };
+        secretKeyFile = mkOption {
+          description = "File containing the secret key";
+          type = types.str;
+        };
+        port = mkOption {
+          default = 7777;
+          description = "Port to listen on";
+          type = types.ints.port;
+        };
+      };
+    });
+  };
+  config = mkMerge (map (name: mkIf cfg.${name}.enable
+    {
+      systemd.services."storj-gateway@${name}" = {
+        description = "storj gateway ${name}";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        preStart = let cfg = cfg.${name}; in
+          ''
+            cd $HOME
+            mkdir -p ${name}
+            echo -n "access: " > ${name}/config.yaml
+            cat ${cfg.accessGrantFile} >> ${name}/config.yaml
+            echo "" >> ${name}/config.yaml
+            echo -n "minio.access-key: " >> ${name}/config.yaml
+            cat ${cfg.accessKeyFile} >> ${name}/config.yaml
+            echo "" >> ${name}/config.yaml
+            echo -n "minio.secret-key: " >> ${name}/config.yaml
+            cat ${cfg.secretKeyFile} >> ${name}/config.yaml
+            echo "" >> ${name}/config.yaml
+          '';
+        serviceConfig = {
+          Type = "simple";
+          User = "storj";
+          Group = "storj";
+          WorkingDirectory = "/var/lib/storj";
+          ExecStart = "${gateway}/bin/gateway run --config-dir /var/lib/storj/${name} --server.address 127.0.0.1:${cfg.port}";
+          Restart = "always";
+          RuntimeDirectory = "storj";
+          RuntimeDirectoryMode = "0700";
+          Umask = "0077";
+          ReadWritePaths = [ "/var/lib/storj" ]; # Grant access to the state directory
+        };
+        environment = {
+          USER = "storj";
+          HOME = "/var/lib/storj";
+        };
+      };
+      users.users.storj = mkDefault {
+        description = "storj user";
+        home = "/var/lib/storj";
+        useDefaultShell = true;
+        group = "storj";
+        isSystemUser = true;
+      };
+      users.groups.storj = { };
+      systemd.tmpfiles.rules = [
+        "d '/var/lib/storj' 0700 storj storj - -"
+      ];
+    }
+    (builtins.attrNames cfg)));
+}
--- a/packages/gateway-st.nix
+++ b/packages/gateway-st.nix
@ -0,0 +1,13 @@
+{ lib, buildGoModule, fetchFromGitHub }: buildGoModule rec {
+  pname = "gateway-st";
+  version = "1.6.1";
+  src = fetchFromGitHub {
+    owner = "storj";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0v5gh03xaqld4l017fgzp46zi0r31az6cvk7war1brl2ir33nw47";
+  };
+  subPackages = [ "." ];
+  vendorSha256 = "sha256-4cqNhQK/I3oRXYuF08bTU31SFkS8Mj6MPA7W6MIaxh8=";
+  doCheck = false;
+}
--- a/secrets/nixos-8gb-fsn1-1/secrets.yaml
+++ b/secrets/nixos-8gb-fsn1-1/secrets.yaml
@ -4,8 +4,6 @@ network:
 security:
    acme:
        dns: ENC[AES256_GCM,data:/R/403rsvtWuQe6GDHKW+dL69U6A8e6PM3bB9rDHlLEGIZlyrzvVF+OfFgkXU6VJOX50p53wnw2G7Lcc2sJ2Ew8fy/r1E/J+AD8gYuLt9VPwI5wHzDxZYTVI28zA2hLxR6NgQzctRytC8zcTD3r1Y0ZswLfXtg4Emv/VHZyRQN8AhXQklXt6rW3jHQWA9hBV2OzV0v6q4zoOpcMp2G/wpUX4FPC5lmd+Tg5PsdA003oX/4uIXZx+m3NAEFWhZE97tTLHyv365h9X3iW5n/PIk5mEKUj1nm7v8w==,iv:KMLo99u+Cy8SLvcBXV+Rhb4a0HFLETKmUvLg1f0sPwg=,tag:i2kH+DZWnvWvE5KTh8932Q==,type:str]
-    minio:
-        credentials_file: ENC[AES256_GCM,data:tBNvwrEdu4KVkADT3tnHcomxcpJbjBntAjJnACxqS3IzaHcpxtFM3tBnMw2zjpgCbtF8h+GCZrye+o5RhJWo5vW6KSmIvYnoM5w=,iv:0SzUMSZoYMl+SlINDj1tJjNABoJBjrMJoXfh88kVBDI=,tag:8kXujM6obBXmDCuPMWo35Q==,type:str]
    restic:
        password: ENC[AES256_GCM,data:8W1pEFt+1lW2/Y11OrJa+glMM1A=,iv:V0R7PlBMxl/oTJxE10MIDMtbqr98bE/po+/92MGMftY=,tag:juGYo8nQy7IJUX28f2ZznQ==,type:str]
 services:
@ -13,6 +11,11 @@ services:
    hydra:
        gitea_token: ENC[AES256_GCM,data:8OOn7dlMaBTLNpRB9K2M+Cg4ZB9V2qFXdm7c0/2F/5CdOGfKF63a8Q==,iv:htbnKmNuaHlUw0E2PYRy3en00fni5hmwbkhDcQJRfE4=,tag:MpVnRX6HBxORghcsbEShNw==,type:str]
    gitea: ENC[AES256_GCM,data:i+reN0mYGY2iMQ06atN/i6YzAg==,iv:HT1H9/UIBweErA5+YFq7aprPjPB2d0gNbt/3MKayuHI=,tag:vDGL31LBw+9sU7UHE9GYKw==,type:str]
+    storj:
+        gitea:
+            accessGrant: ENC[AES256_GCM,data:QdRa+T5aujIRJiuKhuF4cD4hqHWGXqEQhGuoNdF953FSKlH+ajR0R8lo3eoGjJe3ZkSy5MPUlg6fqMZmnE8NSSBRpKm+uSdGt4N9OIrqWrQ9ahPUY8MOHOCWrpFTclsloXk7mG6WblHlntlmq9/XxjDfSl7DP1KgCggWhcAh3jhccQPzSLq+/iXrcCBM8KaP5AzLiuCar89lX5UFnkEZw/oTtebIzL2cE2GUJPSAILQGFwUaxPlfJrYKAyEmN7OC9ZpT7u4CmVeNAmeVMlbbZudnY1Yj2QtpftyACJWjKVvBuPeUFY+qHgl6QmVSoOPXPkI8z1hCEQCWa4jbM72oc8PQliLrfxJYmlYJe44kUXgFdmA6vEgnIfec1ioosOG2uVJAiTq9iyQ=,iv:76ZEo2VO4p9csQeZYyVln+28Y1L+hwii61GqfppQbOA=,tag:aLGWOVMWwh0vODOFz0H3Vg==,type:str]
+            accessKey: ENC[AES256_GCM,data:KoaoTqA=,iv:KQCJaCzkK6WA0rbRMwfKBubSuVaFOvk1AEF1dLFROIY=,tag:Kq7S8efArNXMwVQUTyI7Iw==,type:str]
+            secretKey: ENC[AES256_GCM,data:yUGS7NZo4ZirOK6d+5hABnfnCA==,iv:H1YXDW0y0jehCyt/RLzb/VptGL6iweOCwWtPuREEVdU=,tag:RqZv6h9Y3MaMXQoIFjSDjQ==,type:str]
    minio_scrape: ENC[AES256_GCM,data:w+VescGVui8/70HsSP/WCQG/E9fU0X45BXF2qwPNE2vnYM9XyCreHezX218Vb5qDOU3vRl71CJGVH4nv28nBgWvtu017ITfh56CX9dZt7tFAUx198WqXxW1Xc+D9NggWHXUFyAD80+dkzoPH2mUrdhBYeXwlhwyp9+DLF0Up00kdLsjDtSHpDiKKoIvzk3m0K00GZkMtOOENpomAoqtUduUupYRmL1GaHBMJ+XcuLuyvfSI3uSK9BzFxIfNPcJdrP2F28g==,iv:xe7BrC5mLz48efufLup5v0x/aI0kaqXNQ07l4G6kUdg=,tag:yepSZfc3034JaYo2pp15CA==,type:str]
    old-homepage: ENC[AES256_GCM,data:DgOLD0YCRXsRSvrjQ/pK4RpYdzcO/j2Ifg4eYXFivrEVVj5ooPKeeeJAMX+L+XOjjNmHo5r8o0AvBnvJ4TeGto3VOQynkxw5apvkedR5ecC654Sz5+bRGr2bgtVzujiLH7+IiB3ljH9KYflYASvfmumowmR8R6074GNGKZlH2F7UYDKDdbd48p4pOFWP3Lv5/1iDvJ7Ve3hVASZqiUlS4elMa+8T0HYKkJyxWb76AT+t0M54ps6xgqDYbjrmbO2+UK95Z8DanOk06tk1t30=,iv:2/KdwQ86SO/LFeHTGNDVY+d4ZQnujK7OGuBuGEwkCbU=,tag:7yOVg0V29aGMTT8O5422kw==,type:str]
    postfixadmin:
@ -63,8 +66,8 @@ sops:
            N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
            dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-02-18T18:50:32Z"
-    mac: ENC[AES256_GCM,data:asDF6tjVtj3dcQvi91HO3nNbrml8dOkQexp7GPScnvmtA+d53ZHOWRZeTa00uNUGFGOWWkvm2z1+dAMMPF1PTsmq9F8IGvsshMRSsPRl38byjR3KrYhyvItviYdRJv2g9hnYKF6L2RPd6podqOu6ymzlsrUeEaKRtFn1vAyieN8=,iv:/mICE0q4m/0SyxLmniig5VHffsCX4JSDdHxeEJNkzio=,tag:cIXWblAUsuZm1Ks8+Nsurw==,type:str]
+    lastmodified: "2022-03-02T17:27:25Z"
+    mac: ENC[AES256_GCM,data:plNwqM4UKS0QSZxnOO9WUh+QQv05iAqE3ahgRkWrih9888zCJ85XZm2gpuoZcfB8HdklaRlms+oGIZ6zc3LgkfhFmkZRPjwcZWMX2b7KDXTE2bdl2f9nompDIuDXYMORgMH34fUJ/asFuPrX/NMm8y/JWZVjEZdvg95kqO58Qg8=,iv:MAIuNk7Vc/qw6zCHukQAOB05A1L1OZwlLcFMAarX/Jc=,tag:Y6xEPu4UGnEqq7knfN6NwQ==,type:str]
    pgp:
        - created_at: "2022-02-02T17:50:42Z"
          enc: |