Add garage :)

2025-11-22 22:12:01 +01:00 · 2025-11-22 22:12:01 +01:00 · 6a9b3f6fa0
commit 6a9b3f6fa0
parent ba16fa4246
3 changed files with 226 additions and 3 deletions
--- a/apps/garage/garage.hcl
+++ b/apps/garage/garage.hcl
@ -0,0 +1,182 @@
+job "garage" {
+  datacenters = ["zuma-house", "gribse-house", "mayel-house"]
+  type = "system"
+  priority = 80
+
+  group "garage" {
+    network {
+      port "s3" { static = 3900 }
+      port "rpc" { static = 3901 }
+      port "web" { static = 3902 }
+      port "admin" { static = 3903 }
+      port "k2v" { static = 3904 }
+    }
+
+    task "server" {
+      # V---- useful to operate a maintenance on one garage node
+      #       do not forget to check that garage is fully healthy before
+      # constraint {
+      #   attribute = "${attr.unique.hostname}"
+      #   operator = "!="
+      #   value = "pamplemousse"
+      # }
+      driver = "docker"
+      config {
+        image = "dxflrs/garage:v2.1.0"
+        command = "/garage"
+        args = [ "server" ]
+        network_mode = "host"
+        volumes = [
+          "/data/garage/data:/data",
+          "/data/garage/meta:/meta",
+          "secrets/garage.toml:/etc/garage.toml",
+        ]
+        logging {
+          type = "journald"
+        }
+      }
+
+      template {
+        data = file("./garage.toml")
+        destination = "secrets/garage.toml"
+        change_mode = "noop"
+      }
+
+      resources {
+        memory = 1000
+        memory_max = 3000
+        cpu = 1000
+      }
+
+      kill_timeout = "20s"
+
+      restart {
+        interval = "30m"
+        attempts = 10
+        delay    = "15s"
+        mode     = "delay"
+      }
+
+      #### Configuration for service ports: admin port (internal use only)
+
+      service {
+        name = "garage-admin"
+        port = "admin"
+        address_mode = "host"
+        # Check that Garage is alive and answering TCP connections
+        check {
+          type = "tcp"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+
+      #### Configuration for service ports: externally available ports (S3 API, K2V, web)
+
+      service {
+        name = "garage-api"
+        tags = [
+          "garage_api",
+          "tricot garage.chokbar.bzh",
+          "tricot *.garage.chokbar.bzh",
+          "tricot-on-demand-tls-ask http://garage-admin.service.filouterie.consul:3903/check",
+        ]
+        port = "s3"
+        address_mode = "host"
+        # Check 1: Garage is alive and answering TCP connections
+        check {
+          name = "garage-api-live"
+          type = "tcp"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+        # Check 2: Garage is in a healthy state and requests should be routed here
+        check {
+          name = "garage-api-healthy"
+          port = "admin"
+          type = "http"
+          path = "/health"
+          interval = "60s"
+          timeout = "5s"
+        }
+      }
+
+      service {
+        name = "garage-k2v"
+        tags = [
+          "garage_k2v",
+          "tricot k2v.chokbar.bzh",
+        ]
+        port = "k2v"
+        address_mode = "host"
+        # Check 1: Garage is alive and answering TCP connections
+        check {
+          name = "garage-k2v-live"
+          type = "tcp"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+        # Check 2: Garage is in a healthy state and requests should be routed here
+        check {
+          name = "garage-k2v-healthy"
+          port = "admin"
+          type = "http"
+          path = "/health"
+          interval = "60s"
+          timeout = "5s"
+        }
+      }
+
+      service {
+        name = "garage-web"
+        tags = [
+            "garage-web",
+            "tricot * 1",
+            "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+            "tricot-add-header X-XSS-Protection 1; mode=block",
+            "tricot-add-header X-Content-Type-Options nosniff",
+            "tricot-on-demand-tls-ask http://garage-admin.service.filouterie.consul:3903/check",
+        ]
+        port = "web"
+        address_mode = "host"
+        # Check 1: Garage is alive and answering TCP connections
+        check {
+          name = "garage-web-live"
+          type = "tcp"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+        # Check 2: Garage is in a healthy state and requests should be routed here
+        check {
+          name = "garage-web-healthy"
+          port = "admin"
+          type = "http"
+          path = "/health"
+          interval = "60s"
+          timeout = "5s"
+        }
+      }
+    }
+  }
+}
+
--- a/apps/garage/garage.toml
+++ b/apps/garage/garage.toml
@ -0,0 +1,35 @@
+metadata_dir = "/meta"
+data_dir = "/data"
+db_engine = "sqlite"
+
+replication_factor = 3
+metadata_auto_snapshot_interval = "24h"
+
+{{ $wg_addr := print "config/wg/by_hostname/" (env "attr.unique.hostname") }}
+rpc_bind_addr = "[::]:3901"
+rpc_public_addr = "{{ key $wg_addr }}:3901"
+
+rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}"
+
+allow_punycode = true
+
+[consul_discovery]
+consul_http_addr = "http://127.0.0.1:8500"
+service_name = "garage-prod-discovery"
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".garage.chokbar.bzh"
+
+[k2v_api]
+api_bind_addr = "[::]:3904"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ""
+
+[admin]
+api_bind_addr = "[::]:3903"
+metrics_token = "{{ key "secrets/garage/metrics_token" | trimSpace }}"
+admin_token = "{{ key "secrets/garage/admin_token" | trimSpace }}"
--- a/configuration.nix
+++ b/configuration.nix
@ -110,6 +110,7 @@ with pkgs.lib;
        btop
        wget
        neofetch
+	dig
      ];

      # Enable the OpenSSH daemon.
@ -282,6 +283,11 @@ with pkgs.lib;
          22    # SSH
          80    # HTTP
          443 	# HTTPS
+	  3900  # Garage S3 Api
+	  3901  # Garage RPC
+	  3902  # Garage Web
+	  3903  # Garage Admin
+	  3904  # Garage K2V
        ];
        allowedUDPPorts = [
          19720 # Wireguard