dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/shill: Add MinIO container

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-07-16 15:01:15 +01:00
parent 55da6aa276
commit accb14721d
21 changed files with 154 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
nixos/boxes/colony/vms/default.nix
View File

@@ -149,6 +149,19 @@
};
frontend = "virtio-blk";
}
{
name = "minio";
backend = {
driver = "host_device";
filename = "/dev/ssds/minio";
discard = "unmap";
};
format = {
driver = "raw";
discard = "unmap";
};
frontend = "virtio-blk";
}
]);
};
};

1
nixos/boxes/colony/vms/shill/containers/default.nix
View File

@@ -5,5 +5,6 @@
./colony-psql.nix
./chatterbox.nix
./jackflix
./object.nix
];
}

1
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
View File

@@ -162,6 +162,7 @@
"${lib.my.pubDomain}" = {
extraDomainNames = [
"*.${lib.my.pubDomain}"
"*.s3.${lib.my.pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;

20
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
View File

@@ -279,6 +279,26 @@ in
};
useACMEHost = lib.my.pubDomain;
};
"minio.${lib.my.pubDomain}" = {
extraConfig = ''
chunked_transfer_encoding off;
'';
locations = {
"/".proxyPass = "http://object-ctr.${config.networking.domain}:9001";
};
useACMEHost = lib.my.pubDomain;
};
"s3.${lib.my.pubDomain}" = {
serverAliases = [ "*.s3.${lib.my.pubDomain}" ];
extraConfig = ''
chunked_transfer_encoding off;
'';
locations = {
"/".proxyPass = "http://object-ctr.${config.networking.domain}:9000";
};
useACMEHost = lib.my.pubDomain;
};
};
in
mkMerge [

74
nixos/boxes/colony/vms/shill/containers/object.nix Normal file
View File

@@ -0,0 +1,74 @@
{ lib, ... }: {
nixos.systems.object = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "object-ctr";
domain = lib.my.colony.domain;
ipv4.address = "${lib.my.colony.start.ctrs.v4}7";
ipv6 = {
iid = "::7";
address = "${lib.my.colony.start.ctrs.v6}7";
};
};
};
configuration = { lib, config, assignments, ... }:
let
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
in
{
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8";
files."minio.env" = {};
};
firewall = {
tcp.allowed = [ 9000 9001 ];
};
};
systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
services = {
minio = {
environment = {
MINIO_ROOT_USER = "minioadmin";
MINIO_DOMAIN = "s3.nul.ie";
MINIO_SERVER_URL = "https://s3.nul.ie";
MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
};
};
};
};
services = {
minio = {
enable = true;
region = "eu-central-1";
browser = true;
rootCredentialsFile = config.age.secrets."minio.env".path;
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
{ from = "host"; host.port = 9000; guest.port = 9000; }
{ from = "host"; host.port = 9001; guest.port = 9001; }
];
};
})
];
};
};
}

10
nixos/boxes/colony/vms/shill/default.nix
View File

@@ -70,9 +70,14 @@
device = "/dev/disk/by-label/media";
fsType = "ext4";
};
"/mnt/minio" = {
device = "/dev/disk/by-label/minio";
fsType = "xfs";
};
};
services = {
fstrim.enable = true;
netdata.enable = true;
};
@@ -140,6 +145,11 @@
"/mnt/media".readOnly = false;
};
};
object = {
bindMounts = {
"/mnt/minio".readOnly = false;
};
};
};
in
mkMerge [

9
nixos/modules/tmproot.nix
View File

@@ -298,6 +298,15 @@ in
(persistSimpleSvc "jackett")
(persistSimpleSvc "radarr")
(persistSimpleSvc "sonarr")
(mkIf config.services.minio.enable {
my.tmproot.persistence.config.directories = [
{
directory = config.services.minio.configDir;
user = "minio";
group = "minio";
}
];
})
(mkIf config.my.build.isDevVM {
fileSystems = mkVMOverride {
# Hijack the "root" device for persistence in the VM

18
secrets/chatterbox/nul.ie.signing.key.age
View File

@@ -1,11 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 ZB3e6Q o3nZEDuOm/JC/EhJ5uRnbMMHPNwRcKwfsPFNBVCjtHk
cYKUNgQmkpTRSEm9ZINYlslv9O6MM3ujb1rNO7p7gvc
-> X25519 TQ2jWod+e0a3ylj+GL8gPoScvzFdBCZcaYauY2gtsDY
pP5q3ZYkRYqSeOEHxYXzQXCfltBGKi5jMpCfSP7PPSI
-> `)-v-grease fr R1 W`Y
pjfwfNM9JTJe0/mYB6OC6LtgJeIvn4RVJogageAl/djWgMVZ4DDr2kakgF3V28xf
0g
--- 4b27xLN78GCex7VdHqlJj8g+SuUlOOgZjZ4Qj8/RIsk
-<2D><>N/&<26><>ˀ<EFBFBD>v<EFBFBD><76>Eֶ`}<7D>D<EFBFBD><44><EFBFBD>O#<23>`ZV<5A>^D<>"&<13><><EFBFBD>p
<12>p<EFBFBD><12><>Ĭ<EFBFBD>iq<>lᅳj@<40>i57O<37>,<2C><><E487A9>$F2<46>h<03>S
-> ssh-ed25519 ZB3e6Q sQJFhvr8FRUhNhBMue77730wcbg28fTFnsszgerwEBo
7VzmwSkllK2wbSyFSCClvjY4X6sT6vLLPBAcXSbmnRU
-> X25519 DufjAOGVQtGU2oiDCymV7rv9bdw5Llk3KjbOj5wJxxs
9sOvYKIfp+fUKcW6zbhAU3kwaUrF9PCBlu56qmGhOss
-> m-grease s$ A ,2 =sKpm
lLRsEhRI4PsWw9K6uygWxFznKZSJUXesteKQ7hZ/wWJXkRHq
--- XYl7iGPy1+YfKOWNoZoiYvfFjctfqhWWzR4hMCWmXYU
<EFBFBD>5<EFBFBD>0K<EFBFBD><EFBFBD><EFBFBD><EFBFBD><07>2Rp)w<>.(rh<72>U~w|%j͂<6A><CD82><EFBFBD><EFBFBD> <0C><> 9<><39><EFBFBD>V<EFBFBD><11><><EFBFBD> 0d<30>{<7B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>E<EFBFBD>\Vag<1B>~"T -<2D><>3\<5C>)N<><4E><EFBFBD>S"I

BIN
secrets/chatterbox/synapse.yaml.age
View File

Binary file not shown.

BIN
secrets/dhparams.pem.age
View File

Binary file not shown.

BIN
secrets/estuary/netdata/powerdns.conf.age
View File

Binary file not shown.

BIN
secrets/estuary/netdata/powerdns_recursor.conf.age
View File

Binary file not shown.

16
secrets/estuary/pdns/auth.conf.age
View File

@@ -1,9 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 n8CpUw AcjQZzA4G7pdhn011TXFQmTdDIQuTEfFc0mKjmPWUho
tecWVMzkggw92meDkh2tZV+lbvQCvrYr0YSV5/fCTRs
-> X25519 JGc6LzCMH2LhJlUSyk4H5IDGfQNjtW9W6rz3SzoV/0Y
vGNuHYO95z5i+OVkj4TRuCxF122V/shxvD6CnGCT+kw
-> g)n[I4U>-grease ^Tm {G saw
q/ODO7xmWIcsr2cMaVpEg38
--- VHUzlGz2hT3SbnZ32S0SzBDCn3QwWxEohH9Cw3N2Je0
<EFBFBD>.<2E>=-<2D><><EFBFBD>f<EFBFBD>˯<EFBFBD>c}<7D>}Sza<7A><61><EFBFBD><50><DB90>Z7&g,GH;WV<57><18>P<EFBFBD>*<2A><><02>'-<2D>s<EFBFBD><73><EFBFBD>uh\<5C>KJ4<EFBFBD>
-> ssh-ed25519 n8CpUw ACIVtxzORRq2ptG0/MNlBt83MQZJu3Pc3R/5QRpgi2A
NSO8o2fL/EDLXegZ/kkzMW4/Za79q/6QfMQ1t0Sk9BM
-> X25519 nHYed6I+w6lIxgQNPUdeO35HlHmd0tKATpvnbtB5WzU
IWRKvT2csHQplib3ms1akiqdzGS37xQ2ev45yGW5d+w
-> %YW{-grease
4/tMk8Gzztby5x5ojQXj3853G0V8t7AoZA
--- 6vzp2wJk0Eh0O33xXCLrQiNbqeV7oMgvvqrgyRMK9Mg
2<EFBFBD><EFBFBD><EFBFBD>ȬGh<EFBFBD><12><>l<EFBFBD><6C>)N˺<4E><CBBA><17><>[N<EFBFBD>

BIN
secrets/estuary/pdns/recursor.conf.age
View File

Binary file not shown.

BIN
secrets/jackflix/mullvad-privkey.age
View File

Binary file not shown.

BIN
secrets/middleman/cloudflare-credentials.conf.age
View File

Binary file not shown.

BIN
secrets/middleman/nginx-sso.yaml.age
View File

Binary file not shown.

10
secrets/minio.env.age Normal file
View File

@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 hkbtvg IrwZ+4sEJvFpB/zrFR/8Lu4GgpPppm84IYOAP7QWH0o
Px7RM+aKmjRQKdr0Ta/v+s9M+rRvRTNs9YYaZnNeORk
-> X25519 lSIE40xvHLkKFMCgsKjVhbxYfv7ddDJ3xyMlcDdxgxU
sc+2ibxqyLtlcpFUPCab+x4imPjuedQadA4b1Qg63a4
-> [J"78S~E-grease S||B(wq} suB8~I ~?E@d}
/3IplD0a0o3phrEIX85CAVkFRvLcCh3ncK/0Reur0bvKsqOjg37KH+Az5dDh2h9D
63kpJpGxwNKlRntnWQWxeYN2PN3cZrggH25/EJuJT3td2Q
--- a+cb3+9Z7WWk6vGGaiXz11G2fKUqLbYuUPyzturVFXY
<EFBFBD><EFBFBD><EFBFBD><08>CEB<45>(c#<1A><>Y$J<><4A>4g*t<>~<7E><><EFBFBD>)<29><><EFBFBD>h<>:<1C>H<EFBFBD>`<60><>ݷ<EFBFBD>a'<27>

BIN
secrets/pdns-file-records.key.age
View File

Binary file not shown.

BIN
secrets/user-passwd.txt.age
View File

Binary file not shown.

BIN
secrets/vaultwarden.env.age
View File

Binary file not shown.