add garage

.github/workflows/update-claurst.yml

@@ -13,10 +13,8 @@ jobs:
         steps:
             - name: Checkout repository
               uses: actions/checkout@v4
-
             - name: Install nix
               uses: https://github.com/DeterminateSystems/nix-installer-action@main
-
             - name: Setup Attic cache
               uses: ryanccn/attic-action@v0
               with:
@@ -24,14 +22,12 @@ jobs:
                 cache: ${{ secrets.ATTIC_CACHE }}
                 token: ${{ secrets.ATTIC_TOKEN }}
                 skip-push: "true"
-
             - name: Get current claurst version
               id: current
               run: |
                 VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/')
                 echo "version=$VERSION" >> $GITHUB_OUTPUT
                 echo "Current version: $VERSION"
-
             - name: Get latest claurst release
               id: latest
               uses: actions/github-script@v7
@@ -45,7 +41,6 @@ jobs:
                     const tag = release.data.tag_name.replace(/^v/, '');
                     core.setOutput('version', tag);
                     core.info(`Latest release: ${tag}`);
-
             - name: Check if update needed
               id: check_update
               run: |
@@ -58,7 +53,6 @@ jobs:
                   echo "Update needed (current: $CURRENT, latest: $LATEST)"
                   echo "update_needed=true" >> $GITHUB_OUTPUT
                 fi
-
             - name: Update claurst if new version available
               if: steps.check_update.outputs.update_needed == 'true'
               id: update
@@ -113,19 +107,16 @@ jobs:
 
                 rm -f pkgs/claurst/default.nix.bak
                 echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
-
             - name: Validate nix flake
               if: steps.check_update.outputs.update_needed == 'true'
               run: |
                 echo "Running nix flake check..."
                 nix flake check --show-trace || true
-
             - name: Build claurst to verify changes
               if: steps.check_update.outputs.update_needed == 'true'
               run: |
                 echo "Building updated claurst package..."
                 nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true
-
             - name: Generate PR body
               if: steps.check_update.outputs.update_needed == 'true'
               id: pr_body
@@ -145,7 +136,6 @@ jobs:
                 [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
                 EOF
                 cat pr_body.md
-
             - name: Create Pull Request
               if: steps.check_update.outputs.update_needed == 'true'
               uses: https://nayeonie.com/ahuston-0/create-pull-request@main
@@ -169,13 +159,11 @@ jobs:
                 pr-labels: |
                     dependencies
                     automated
-
             - name: Print PR result
               if: steps.check_update.outputs.update_needed == 'true'
               run: |
                 echo "Pull request created successfully"
                 echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}"
-
 permissions:
     pull-requests: write
     contents: write

systems/palatine-hill/configuration.nix

@@ -9,6 +9,7 @@
     ./acme.nix
     ./attic
     ./docker
+    ./garage.nix
     ./gitea.nix
     ./firewall.nix
     ./haproxy

systems/palatine-hill/docker/haproxy.cfg

@@ -50,6 +50,7 @@ frontend ContentSwitching
   acl host_minio hdr(host) -i minio.alicehuston.xyz
   acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
   acl host_attic hdr(host) -i attic.nayeonie.com
+  acl host_s3 hdr(host) -i s3.nayeonie.com
   acl host_minio hdr(host) -i minio.nayeonie.com
   acl host_minio_console hdr(host) -i minio-console.nayeonie.com
   #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
@@ -67,6 +68,7 @@ frontend ContentSwitching
   use_backend nextcloud_nodes if host_nextcloud
   use_backend hydra_nodes if host_hydra
   use_backend attic_nodes if host_attic
+  use_backend garage_nodes if host_s3
   #use_backend nextcloud_vol_nodes if host_nextcloud_vol
 #  use_backend collabora_nodes if host_collabora
   use_backend prometheus_nodes if host_prometheus
@@ -142,6 +144,10 @@ backend minio_console_nodes
   mode http
   server server 192.168.76.2:8501
 
+backend garage_nodes
+  mode http
+  server server 192.168.76.2:8502
+
 # backend foundry_nodes
 #   timeout tunnel 50s
 #   mode http

systems/palatine-hill/garage.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  vars = import ./vars.nix;
+  basePath = "${vars.primary_minio}/garage";
+in
+{
+  services.garage = {
+    enable = true;
+    package = pkgs.garage;
+    logLevel = "info";
+    settings = {
+      metadata_dir = "${basePath}/meta";
+      data_dir = "${basePath}/data";
+      db_engine = "sqlite";
+      replication_factor = 1;
+
+      rpc_bind_addr = "127.0.0.1:8504";
+      rpc_public_addr = "127.0.0.1:8504";
+      rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
+
+      s3_api = {
+        api_bind_addr = "127.0.0.1:8502";
+        s3_region = "us-east-1";
+        root_domain = ".s3.nayeonie.com";
+      };
+
+      admin = {
+        api_bind_addr = "127.0.0.1:8503";
+        admin_token_file = config.sops.secrets."garage/admin-token".path;
+      };
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${basePath}/meta 0750 garage garage -"
+    "d ${basePath}/data 0750 garage garage -"
+  ];
+
+  sops.secrets = {
+    "garage/rpc-secret" = { };
+    "garage/admin-token" = { };
+  };
+}

systems/palatine-hill/secrets.yaml

@@ -42,6 +42,9 @@ server-validation:
     webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
 typhon:
     hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
+garage:
+    rpc-secret: ENC[AES256_GCM,data:Q2ZaAXcntD3yK6DynEpxab2TITByMZ7ECVrq1pb0ZU7hXOZnhaBmjdty/Os6len8l+GBl6+WaC0An6cFkhQTlQ==,iv:E8C4bnxMLXK9fky+KC7q8sHpmrEU5un0TEAwxVUBiLk=,tag:PiSiU+9NpyilH2aMs2Qc/Q==,type:str]
+    admin-token: ENC[AES256_GCM,data:Xjm8Xq99aDseR0jN50Uj3gLpeDaq2IGXzJCS0o1H0RgKX9LGdP8w508nWWE=,iv:+L9T3TEUSbIz+jo08ykjGHVhuz5ecmzrlhzD2iv48HE=,tag:7P2rY4F8cWFdG4Lm9n/etQ==,type:str]
 sops:
     age:
         - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -53,8 +56,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-17T01:50:50Z"
+    lastmodified: "2026-05-02T16:02:29Z"
-    mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str]
+    mac: ENC[AES256_GCM,data:dDv33vEGVeEEeTSXZPcIG3BO0GjFOswBGUsOY+/6IJqAC8omHaSQ6hdcVaXKScC56kEn5w/494hfOOEEficJt1nGQBrnfE8u95tdBqcODtSmTWbonXgpfckX68jV7Y9iTSxisih6ciAwFToxovhiI36kLrWoeVlzs5DdfwJp1YU=,iv:jkThy/omE/9SyqfAr6ARrDYLGVhhACmSxm4EgM+Is1s=,tag:Key2xC4btvI8HqQglIcXkg==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-
@@ -69,4 +72,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.2