diff --git a/apps/garage/garage.hcl b/apps/garage/garage.hcl
new file mode 100644
index 0000000..0614e59
--- /dev/null
+++ b/apps/garage/garage.hcl
@@ -0,0 +1,182 @@
+job "garage" {
+ datacenters = ["zuma-house", "gribse-house", "mayel-house"]
+ type = "system"
+ priority = 80
+
+ group "garage" {
+ network {
+ port "s3" { static = 3900 }
+ port "rpc" { static = 3901 }
+ port "web" { static = 3902 }
+ port "admin" { static = 3903 }
+ port "k2v" { static = 3904 }
+ }
+
+ task "server" {
+ # V---- useful to operate a maintenance on one garage node
+ # do not forget to check that garage is fully healthy before
+ # constraint {
+ # attribute = "${attr.unique.hostname}"
+ # operator = "!="
+ # value = "pamplemousse"
+ # }
+ driver = "docker"
+ config {
+ image = "dxflrs/garage:v2.1.0"
+ command = "/garage"
+ args = [ "server" ]
+ network_mode = "host"
+ volumes = [
+ "/data/garage/data:/data",
+ "/data/garage/meta:/meta",
+ "secrets/garage.toml:/etc/garage.toml",
+ ]
+ logging {
+ type = "journald"
+ }
+ }
+
+ template {
+ data = file("./garage.toml")
+ destination = "secrets/garage.toml"
+ change_mode = "noop"
+ }
+
+ resources {
+ memory = 1000
+ memory_max = 3000
+ cpu = 1000
+ }
+
+ kill_timeout = "20s"
+
+ restart {
+ interval = "30m"
+ attempts = 10
+ delay = "15s"
+ mode = "delay"
+ }
+
+ #### Configuration for service ports: admin port (internal use only)
+
+ service {
+ name = "garage-admin"
+ port = "admin"
+ address_mode = "host"
+ # Check that Garage is alive and answering TCP connections
+ check {
+ type = "tcp"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ #### Configuration for service ports: externally available ports (S3 API, K2V, web)
+
+ service {
+ name = "garage-api"
+ tags = [
+ "garage_api",
+ "tricot garage.chokbar.bzh",
+ "tricot *.garage.chokbar.bzh",
+ "tricot-on-demand-tls-ask http://garage-admin.service.filouterie.consul:3903/check",
+ ]
+ port = "s3"
+ address_mode = "host"
+ # Check 1: Garage is alive and answering TCP connections
+ check {
+ name = "garage-api-live"
+ type = "tcp"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ # Check 2: Garage is in a healthy state and requests should be routed here
+ check {
+ name = "garage-api-healthy"
+ port = "admin"
+ type = "http"
+ path = "/health"
+ interval = "60s"
+ timeout = "5s"
+ }
+ }
+
+ service {
+ name = "garage-k2v"
+ tags = [
+ "garage_k2v",
+ "tricot k2v.chokbar.bzh",
+ ]
+ port = "k2v"
+ address_mode = "host"
+ # Check 1: Garage is alive and answering TCP connections
+ check {
+ name = "garage-k2v-live"
+ type = "tcp"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ # Check 2: Garage is in a healthy state and requests should be routed here
+ check {
+ name = "garage-k2v-healthy"
+ port = "admin"
+ type = "http"
+ path = "/health"
+ interval = "60s"
+ timeout = "5s"
+ }
+ }
+
+ service {
+ name = "garage-web"
+ tags = [
+ "garage-web",
+ "tricot * 1",
+ "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+ "tricot-add-header X-XSS-Protection 1; mode=block",
+ "tricot-add-header X-Content-Type-Options nosniff",
+ "tricot-on-demand-tls-ask http://garage-admin.service.filouterie.consul:3903/check",
+ ]
+ port = "web"
+ address_mode = "host"
+ # Check 1: Garage is alive and answering TCP connections
+ check {
+ name = "garage-web-live"
+ type = "tcp"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ # Check 2: Garage is in a healthy state and requests should be routed here
+ check {
+ name = "garage-web-healthy"
+ port = "admin"
+ type = "http"
+ path = "/health"
+ interval = "60s"
+ timeout = "5s"
+ }
+ }
+ }
+ }
+}
+
diff --git a/apps/garage/garage.toml b/apps/garage/garage.toml
new file mode 100644
index 0000000..fdc391e
--- /dev/null
+++ b/apps/garage/garage.toml
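Review bot: The `template` block that renders `rpc_secret`, `admin_token` and `metrics_token` into `secrets/garage.toml` uses `change_mode = "noop"`, so a rotation of those keys in Consul KV rewrites the file but the running server keeps the values it read at startup; as far as I know Garage does not reload its configuration, so a rotated `rpc_secret` only takes effect on nodes that happen to restart, and those nodes then cannot talk to the ones that did not. If `noop` is deliberate (avoiding a cluster-wide restart of a `system` job on every KV write), that intent should be recorded next to it, e.g. `# noop: Garage reads the config once at start; apply a secret rotation by draining and restarting one node at a time`. If it is not deliberate, `change_mode = "restart"` keeps the file and the process in sync, at the cost of all three datacenters restarting together on a KV change. Separately, the `garage-admin` service is described as "internal use only" but is registered with `address_mode = "host"` and is queried cross-host by the `tricot-on-demand-tls-ask` tags, so the comment overstates what the job enforces; where that port is actually reachable is decided by the bind address in garage.toml and the firewall change in configuration.nix.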
@@ -0,0 +1,35 @@
+metadata_dir = "/meta"
+data_dir = "/data"
+db_engine = "sqlite"
+
+replication_factor = 3
+metadata_auto_snapshot_interval = "24h"
+
+{{ $wg_addr := print "config/wg/by_hostname/" (env "attr.unique.hostname") }}
+rpc_bind_addr = "[::]:3901"
+rpc_public_addr = "{{ key $wg_addr }}:3901"
+
+rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}"
+
+allow_punycode = true
+
+[consul_discovery]
+consul_http_addr = "http://127.0.0.1:8500"
+service_name = "garage-prod-discovery"
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".garage.chokbar.bzh"
+
+[k2v_api]
+api_bind_addr = "[::]:3904"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ""
+
+[admin]
+api_bind_addr = "[::]:3903"
+metrics_token = "{{ key "secrets/garage/metrics_token" | trimSpace }}"
+admin_token = "{{ key "secrets/garage/admin_token" | trimSpace }}"
diff --git a/configuration.nix b/configuration.nix
index c8f9723..64966e7 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -110,6 +110,7 @@ with pkgs.lib;
 btop
 wget
 neofetch
+ dig
 ];
 
 # Enable the OpenSSH daemon.
@@ -279,9 +280,14 @@ with pkgs.lib;
 networking.firewall = {
 enable = true;
 allowedTCPPorts = [
- 22 # SSH
- 80 # HTTP
- 443 # HTTPS
+ 22 # SSH
+ 80 # HTTP
+ 443 # HTTPS
+ 3900 # Garage S3 Api
+ 3901 # Garage RPC
+ 3902 # Garage Web
+ 3903 # Garage Admin
+ 3904 # Garage K2V
 ];
 allowedUDPPorts = [
 19720 # Wireguard
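Review bot: The four `{{ key ... }}` lookups (`config/wg/by_hostname/<hostname>` and the three `secrets/garage/*` keys) have no documented prerequisite, and with consul-template's `key` a missing key blocks rendering rather than failing, so a node whose hostname has no `config/wg/by_hostname/` entry sits in pending on this `system` job with nothing in the Garage logs to explain it. A header comment would save the next operator that search, e.g. `# Requires in Consul KV: config/wg/by_hostname/<hostname> (this node's WireGuard address, IPv4 expected) and secrets/garage/{rpc_secret,metrics_token,admin_token}; a missing key blocks the template until it appears.` The "IPv4 expected" part is worth stating because `rpc_public_addr = "{{ key $wg_addr }}:3901"` concatenates the value without brackets, which would produce an invalid address if an IPv6 WireGuard address were ever stored there. I am inferring the blocking behaviour from consul-template rather than from anything visible here, so please confirm against the Nomad template docs you target.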
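Review bot: The firewall hunk adds 3901 (RPC) and 3903 (admin) to the global `allowedTCPPorts`, which in NixOS applies to every interface, while garage.toml binds both on `[::]` and advertises the RPC address from `config/wg/by_hostname/` (the WireGuard address, matching the `19720 # Wireguard` UDP rule) and garage.hcl labels the admin port "internal use only". The result is that the RPC port, protected only by the shared `rpc_secret`, and the admin API, whose `/health` and `/check` endpoints are unauthenticated and whose other endpoints are gated by `admin_token`, become reachable from any network the host sits on, not just the mesh. Keeping 3900/3902/3904 in the global list and scoping the other two to the WireGuard interface would match the stated intent: `networking.firewall.interfaces."<wg-interface-name>".allowedTCPPorts = [ 3901 3903 ];` (interface name not visible in this diff), provided the host address that Consul advertises for `garage-admin` is the WireGuard one so the `tricot-on-demand-tls-ask` checks still reach it. If 3903 really must stay open on a public interface, a comment on that line saying why would stop a later reviewer from "fixing" it.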