From 7b953a5bed7e6b0a45fa8efa8dfec44ba2d87eeb Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Wed, 26 Feb 2025 00:35:06 +0300
Subject: [PATCH] feat: add garage to best
---
.gitignore | 1 +
hosts/best/garage/default.nix | 44 +++++++++++++++++++++++++++++++
hosts/best/garage/environment.age | 8 ++++++
secrets.nix | 4 ++-
4 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 hosts/best/garage/default.nix
create mode 100644 hosts/best/garage/environment.age
diff --git a/.gitignore b/.gitignore
index 58bf904..04e74dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 !hosts/
 !hosts/best/
+!hosts/best/garage/
 !hosts/best/nix-serve/
 !hosts/cube/
diff --git a/hosts/best/garage/default.nix b/hosts/best/garage/default.nix
new file mode 100644
index 0000000..55b3bf1
--- /dev/null
+++ b/hosts/best/garage/default.nix
@@ -0,0 +1,44 @@
+{ self, config, lib, pkgs, ... }: let
+ inherit (config.networking) domain;
+ inherit (lib) enabled merge;
+
+ fqdn = "s3.${domain}";
+ portS3 = 8004;
+ portRpc = 8005;
+in {
+ imports = [(self + /modules/nginx.nix)];
+
+ secrets.garageEnvironment.file = ./environment.age;
+
+ services.garage = enabled {
+ package = pkgs.garage_1_0_1;
+
+ environmentFile = config.secrets.garageEnvironment.path;
+
+ settings = {
+ data_dir = [{
+ capacity = "2T";
+ path = "/var/lib/garage/data";
+ }];
+
+ replication_factor = 1; # TODO: Expand.
+ consistency_mode = "consistent";
+
+ metadata_fsync = true;
+ data_fsync = true;
+
+ rpc_bind_addr = "[::]:${toString portRpc}";
+
+ s3_api = {
+ s3_region = "garage";
+
+ api_bind_addr = "[::1]:${toString portS3}";
+ root_domain = fqdn;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ locations."/".proxyPass = "http://[::1]:${toString portS3}";
+ };
+}
diff --git a/hosts/best/garage/environment.age b/hosts/best/garage/environment.age
new file mode 100644
index 0000000..798e977
--- /dev/null
+++ b/hosts/best/garage/environment.age
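Review bot: In hosts/best/garage/default.nix, `rpc_bind_addr = "[::]:${toString portRpc}";` makes Garage's inter-node RPC listen on every interface although `replication_factor = 1` means there are no peers yet, while the S3 API is kept on `[::1]` behind nginx. Until the cluster is expanded, binding RPC to loopback as well, `rpc_bind_addr = "[::1]:${toString portRpc}";`, would take that listener off the network; once peers exist, the port is better limited to their addresses in the firewall. Whether the host firewall already blocks port 8005 is not visible in this patch, and the RPC secret is presumably supplied through the encrypted `environmentFile`, so this is defence in depth rather than a confirmed exposure. If the wildcard bind is intentional, a short comment on that line saying so (and what restricts access to the port) would help the next reader.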
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 8y3T6w izWjzENLwfqk9n6gvSvSQVPl/BZJZCa8hhLOVu5IvjY +wvfsfYEoYRWf93ArRNP/6rmXikqr0pZa2WyoYmoOYuw +-> ssh-ed25519 CzqbPQ h4ciazCxdHa0kEhImX9PPxLRs9Qw4eP9GFm4GgzQzzo +0wgm2Bf1/OfsxESnaoYQlXjN1IFHtBihU7yTDm3nGK0 +--- kzbMa60jx3l2aqxA3Ll86mwCOzBLxcy2X2HjQS/iFtE +!@xAmzU"{G)bYihJ}ֺ@&g +5C{b/\=x(}z[ A\7 EB32k~A%Lk0l1MճTi \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 491a228..e7ce42b 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,7 +5,9 @@ in { "hosts/best/id.age".publicKeys = [ best ] ++ admins; "hosts/best/password.the.age".publicKeys = [ best ] ++ admins; - "hosts/best/nix-serve/key.age".publicKeys = [ best ] ++ admins; + "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins; + + "hosts/best/nix-serve/key.age".publicKeys = [ best ] ++ admins; # cube "hosts/cube/id.age".publicKeys = [ cube ] ++ admins;