From 086ca6377ff69f2bfba20c6bc0227613f36c21ac Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Sat, 2 May 2026 12:11:02 -0400
Subject: [PATCH] add garage

---
 .github/workflows/update-claurst.yml | 310 +++++++++++------------
 systems/palatine-hill/configuration.nix | 1 +
 systems/palatine-hill/docker/haproxy.cfg | 6 +
 systems/palatine-hill/garage.nix | 48 ++++
 systems/palatine-hill/secrets.yaml | 9 +-
 5 files changed, 210 insertions(+), 164 deletions(-)
 create mode 100644 systems/palatine-hill/garage.nix

diff --git a/.github/workflows/update-claurst.yml b/.github/workflows/update-claurst.yml
index 787ab89..e7a7e4b 100644
--- a/.github/workflows/update-claurst.yml
+++ b/.github/workflows/update-claurst.yml
@@ -1,181 +1,169 @@ name: "Update claurst" on: - repository_dispatch: - workflow_dispatch: - schedule: - - cron: "00 14 * * 1" # Every Monday at 14:00 UTC + repository_dispatch: + workflow_dispatch: + schedule: + - cron: "00 14 * * 1" # Every Monday at 14:00 UTC concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: - update_claurst: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 + update_claurst: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Install nix + uses: https://github.com/DeterminateSystems/nix-installer-action@main + - name: Setup Attic cache + uses: ryanccn/attic-action@v0 + with: + endpoint: ${{ secrets.ATTIC_ENDPOINT }} + cache: ${{ secrets.ATTIC_CACHE }} + token: ${{ secrets.ATTIC_TOKEN }} + skip-push: "true" + - name: Get current claurst version + id: current + run: | + VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/') + echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "Current version: $VERSION" + - name: Get latest claurst release + id: latest + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const release = await github.rest.repos.getLatestRelease({ + owner: 'Kuberwastaken', + repo: 'claurst', + }); + const tag = release.data.tag_name.replace(/^v/, ''); + core.setOutput('version', tag); + core.info(`Latest release: ${tag}`); + - name: Check if update needed + id: check_update + run: | + CURRENT="${{ steps.current.outputs.version }}" + LATEST="${{ steps.latest.outputs.version }}" + if [ "$CURRENT" = "$LATEST" ]; then + echo "No update needed (current: $CURRENT, latest: $LATEST)" + echo "update_needed=false" >> $GITHUB_OUTPUT + else + echo "Update needed (current: 
$CURRENT, latest: $LATEST)" + echo "update_needed=true" >> $GITHUB_OUTPUT + fi + - name: Update claurst if new version available + if: steps.check_update.outputs.update_needed == 'true' + id: update + run: | + NEW_VERSION="${{ steps.latest.outputs.version }}" - - name: Install nix - uses: https://github.com/DeterminateSystems/nix-installer-action@main + # Backup original file + cp pkgs/claurst/default.nix pkgs/claurst/default.nix.bak - - name: Setup Attic cache - uses: ryanccn/attic-action@v0 - with: - endpoint: ${{ secrets.ATTIC_ENDPOINT }} - cache: ${{ secrets.ATTIC_CACHE }} - token: ${{ secrets.ATTIC_TOKEN }} - skip-push: "true" + # Update version placeholder with empty hash to compute it + sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix - - name: Get current claurst version - id: current - run: | - VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/') - echo "version=$VERSION" >> $GITHUB_OUTPUT - echo "Current version: $VERSION" + # Try to fetch the new src hash + echo "Computing src hash for v$NEW_VERSION..." 
+ SRC_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz" 2>/dev/null | tail -1 || echo "") - - name: Get latest claurst release - id: latest - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const release = await github.rest.repos.getLatestRelease({ - owner: 'Kuberwastaken', - repo: 'claurst', - }); - const tag = release.data.tag_name.replace(/^v/, ''); - core.setOutput('version', tag); - core.info(`Latest release: ${tag}`); + if [ -z "$SRC_HASH" ]; then + echo "Failed to compute src hash, reverting" + mv pkgs/claurst/default.nix.bak pkgs/claurst/default.nix + exit 1 + fi - - name: Check if update needed - id: check_update - run: | - CURRENT="${{ steps.current.outputs.version }}" - LATEST="${{ steps.latest.outputs.version }}" - if [ "$CURRENT" = "$LATEST" ]; then - echo "No update needed (current: $CURRENT, latest: $LATEST)" - echo "update_needed=false" >> $GITHUB_OUTPUT - else - echo "Update needed (current: $CURRENT, latest: $LATEST)" - echo "update_needed=true" >> $GITHUB_OUTPUT - fi + SRC_HASH="sha256-$SRC_HASH" + echo "New src hash: $SRC_HASH" - - name: Update claurst if new version available - if: steps.check_update.outputs.update_needed == 'true' - id: update - run: | - NEW_VERSION="${{ steps.latest.outputs.version }}" - - # Backup original file - cp pkgs/claurst/default.nix pkgs/claurst/default.nix.bak - - # Update version placeholder with empty hash to compute it - sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix - - # Try to fetch the new src hash - echo "Computing src hash for v$NEW_VERSION..." 
- SRC_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz" 2>/dev/null | tail -1 || echo "") - - if [ -z "$SRC_HASH" ]; then - echo "Failed to compute src hash, reverting" - mv pkgs/claurst/default.nix.bak pkgs/claurst/default.nix - exit 1 - fi - - SRC_HASH="sha256-$SRC_HASH" - echo "New src hash: $SRC_HASH" - - # Update src hash - sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix - - # Compute cargoHash - this requires building - echo "Computing cargo hash..." - CARGO_HASH=$(nix build \ - --no-eval-cache \ - --expr "(import ./pkgs/default.nix { nixpkgs = import { }; }).mkPkgs \"x86_64-linux\" | .claurst" \ - 2>&1 | grep -oP 'got:\s*\K[^"]+' | head -1 || echo "") - - if [ -z "$CARGO_HASH" ]; then - echo "Failed to compute cargo hash, trying with attribute substitution..." - CARGO_HASH=$(nix eval \ - --impure \ - --expr " - let - pkgs = import { config.allowUnsupportedSystem = true; }; - claurst = import pkgs/claurst { inherit pkgs; }; - in claurst.cargoHash - " 2>&1 | tail -1) - fi - - if [ ! -z "$CARGO_HASH" ]; then - echo "New cargo hash: $CARGO_HASH" - sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$CARGO_HASH\"|" pkgs/claurst/default.nix - fi - - rm -f pkgs/claurst/default.nix.bak - echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT + # Update src hash + sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix - - name: Validate nix flake - if: steps.check_update.outputs.update_needed == 'true' - run: | - echo "Running nix flake check..." - nix flake check --show-trace || true + # Compute cargoHash - this requires building + echo "Computing cargo hash..." 
+ CARGO_HASH=$(nix build \ + --no-eval-cache \ + --expr "(import ./pkgs/default.nix { nixpkgs = import { }; }).mkPkgs \"x86_64-linux\" | .claurst" \ + 2>&1 | grep -oP 'got:\s*\K[^"]+' | head -1 || echo "") - - name: Build claurst to verify changes - if: steps.check_update.outputs.update_needed == 'true' - run: | - echo "Building updated claurst package..." - nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true + if [ -z "$CARGO_HASH" ]; then + echo "Failed to compute cargo hash, trying with attribute substitution..." + CARGO_HASH=$(nix eval \ + --impure \ + --expr " + let + pkgs = import { config.allowUnsupportedSystem = true; }; + claurst = import pkgs/claurst { inherit pkgs; }; + in claurst.cargoHash + " 2>&1 | tail -1) + fi - - name: Generate PR body - if: steps.check_update.outputs.update_needed == 'true' - id: pr_body - run: | - cat > pr_body.md << 'EOF' - # Claurst Update - - Automated claurst package update. - - **Changes:** - - Version: `${{ steps.current.outputs.version }}` → `${{ steps.update.outputs.version }}` - - Source hash updated - - Cargo hash updated - - Auto-generated by [update-claurst.yml][1]. - - [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml - EOF - cat pr_body.md + if [ ! 
-z "$CARGO_HASH" ]; then + echo "New cargo hash: $CARGO_HASH" + sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$CARGO_HASH\"|" pkgs/claurst/default.nix + fi - - name: Create Pull Request - if: steps.check_update.outputs.update_needed == 'true' - uses: https://nayeonie.com/ahuston-0/create-pull-request@main - with: - token: ${{ secrets.GH_TOKEN_FOR_UPDATES }} - add-paths: pkgs/claurst/default.nix - body-path: pr_body.md - author: '"github-actions[bot]" ' - title: "automated: Update claurst to ${{ steps.update.outputs.version }}" - commit-message: | - automated: Update claurst to ${{ steps.update.outputs.version }} + rm -f pkgs/claurst/default.nix.bak + echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT + - name: Validate nix flake + if: steps.check_update.outputs.update_needed == 'true' + run: | + echo "Running nix flake check..." + nix flake check --show-trace || true + - name: Build claurst to verify changes + if: steps.check_update.outputs.update_needed == 'true' + run: | + echo "Building updated claurst package..." + nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true + - name: Generate PR body + if: steps.check_update.outputs.update_needed == 'true' + id: pr_body + run: | + cat > pr_body.md << 'EOF' + # Claurst Update - - Bumped version from ${{ steps.current.outputs.version }} to ${{ steps.update.outputs.version }} - - Updated src and cargo hashes + Automated claurst package update. - Auto-generated by [update-claurst.yml][1]. + **Changes:** + - Version: `${{ steps.current.outputs.version }}` → `${{ steps.update.outputs.version }}` + - Source hash updated + - Cargo hash updated - [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml - branch: update-claurst - delete-branch: true - pr-labels: | - dependencies - automated + Auto-generated by [update-claurst.yml][1]. 
- - name: Print PR result
- if: steps.check_update.outputs.update_needed == 'true'
- run: |
- echo "Pull request created successfully"
- echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}"
+ [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
+ EOF
+ cat pr_body.md
+ - name: Create Pull Request
+ if: steps.check_update.outputs.update_needed == 'true'
+ uses: https://nayeonie.com/ahuston-0/create-pull-request@main
+ with:
+ token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
+ add-paths: pkgs/claurst/default.nix
+ body-path: pr_body.md
+ author: '"github-actions[bot]" '
+ title: "automated: Update claurst to ${{ steps.update.outputs.version }}"
+ commit-message: |
+ automated: Update claurst to ${{ steps.update.outputs.version }}
+ - Bumped version from ${{ steps.current.outputs.version }} to ${{ steps.update.outputs.version }}
+ - Updated src and cargo hashes
+
+ Auto-generated by [update-claurst.yml][1].
+
+ [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
+ branch: update-claurst
+ delete-branch: true
+ pr-labels: |
+ dependencies
+ automated
+ - name: Print PR result
+ if: steps.check_update.outputs.update_needed == 'true'
+ run: |
+ echo "Pull request created successfully"
+ echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}"
 permissions:
- pull-requests: write
- contents: write
+ pull-requests: write
+ contents: write
diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix
index 11f7f7e..820c23a 100644
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@@ -9,6 +9,7 @@
 ./acme.nix
 ./attic
 ./docker
+ ./garage.nix
 ./gitea.nix
 ./firewall.nix
 ./haproxy
diff --git a/systems/palatine-hill/docker/haproxy.cfg b/systems/palatine-hill/docker/haproxy.cfg
index 86abb37..972162b 100755
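Review bot: The `check_update` and `update` steps interpolate `${{ steps.latest.outputs.version }}` straight into `run:` script text, and that value is the release tag of the third-party Kuberwastaken/claurst repository, so a tag containing a double quote, `$(…)` or sed replacement metacharacters (`/`, `&`, `\`) would execute in the runner's shell or rewrite unrelated lines of pkgs/claurst/default.nix. Validate the tag in the github-script step against a strict version pattern and hand it to the shell steps through `env:` so it arrives as data rather than as source. The same job hands `ATTIC_TOKEN` and `GH_TOKEN_FOR_UPDATES` to `DeterminateSystems/nix-installer-action@main` and `ahuston-0/create-pull-request@main`, both mutable refs; pinning them to a full commit SHA closes the easiest supply-chain path into this runner. Note as well that both verification steps end in `|| true` and the update step continues when `CARGO_HASH` is empty, so a PR can be opened whose body asserts "Cargo hash updated" while default.nix still carries the old `cargoHash` — at minimum `steps.update` should emit whether the hash was actually rewritten and the PR body should say so.
```yaml
      - name: Get latest claurst release
        id: latest
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // … unchanged: getLatestRelease call …
            const tag = release.data.tag_name.replace(/^v/, '');
            // Upstream controls tag_name; refuse anything that is not a plain
            // version token before it reaches the shell and sed in later steps.
            if (!/^[0-9A-Za-z][0-9A-Za-z._+-]*$/.test(tag)) {
              core.setFailed(`Refusing unexpected tag name: ${JSON.stringify(release.data.tag_name)}`);
              return;
            }
            core.setOutput('version', tag);
      - name: Check if update needed
        id: check_update
        env:
          CURRENT: ${{ steps.current.outputs.version }}
          LATEST: ${{ steps.latest.outputs.version }}
        run: |
          # … unchanged: comparison, now reading "$CURRENT"/"$LATEST" from the environment instead of assigning them inline …
      - name: Update claurst if new version available
        if: steps.check_update.outputs.update_needed == 'true'
        id: update
        env:
          NEW_VERSION: ${{ steps.latest.outputs.version }}
        run: |
          # … unchanged: the rest of the step already uses "$NEW_VERSION" …
```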
--- a/systems/palatine-hill/docker/haproxy.cfg
+++ b/systems/palatine-hill/docker/haproxy.cfg
@@ -50,6 +50,7 @@ frontend ContentSwitching
 acl host_minio hdr(host) -i minio.alicehuston.xyz
 acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
 acl host_attic hdr(host) -i attic.nayeonie.com
+ acl host_s3 hdr(host) -i s3.nayeonie.com
 acl host_minio hdr(host) -i minio.nayeonie.com
 acl host_minio_console hdr(host) -i minio-console.nayeonie.com
 #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
@@ -67,6 +68,7 @@ frontend ContentSwitching
 use_backend nextcloud_nodes if host_nextcloud
 use_backend hydra_nodes if host_hydra
 use_backend attic_nodes if host_attic
+ use_backend garage_nodes if host_s3
 #use_backend nextcloud_vol_nodes if host_nextcloud_vol
 # use_backend collabora_nodes if host_collabora
 use_backend prometheus_nodes if host_prometheus
@@ -142,6 +144,10 @@ backend minio_console_nodes
 mode http
 server server 192.168.76.2:8501
 
+backend garage_nodes
+ mode http
+ server server 192.168.76.2:8502
+
 # backend foundry_nodes
 # timeout tunnel 50s
 # mode http
diff --git a/systems/palatine-hill/garage.nix b/systems/palatine-hill/garage.nix
new file mode 100644
index 0000000..09e4407
--- /dev/null
+++ b/systems/palatine-hill/garage.nix
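Review bot: The new `garage_nodes` backend points at `192.168.76.2:8502`, but garage.nix in this same patch binds the S3 API to `127.0.0.1:8502`; if 192.168.76.2 is the host address as seen from the haproxy container (the neighbouring `minio_console_nodes` entry on 8501 suggests so — confirm), this backend will get connection refused until garage listens on that address (`api_bind_addr = "192.168.76.2:8502"`, with the firewall limiting it to the container network) or haproxy is given a loopback path. Separately, `acl host_s3 hdr(host) -i s3.nayeonie.com` is an exact match, while garage is configured with `root_domain = ".s3.nayeonie.com"`, i.e. virtual-hosted bucket names such as `bucket.s3.nayeonie.com`; those hosts will not match and will be routed by whatever default this frontend has. Adding `acl host_s3 hdr_end(host) -i .s3.nayeonie.com` next to the existing ACL routes both forms, and the ACME setup will need a wildcard certificate for them to be served over TLS at all.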
@@ -0,0 +1,48 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+
+let
+ vars = import ./vars.nix;
+ basePath = "${vars.primary_minio}/garage";
+in
+{
+ services.garage = {
+ enable = true;
+ package = pkgs.garage;
+ logLevel = "info";
+ settings = {
+ metadata_dir = "${basePath}/meta";
+ data_dir = "${basePath}/data";
+ db_engine = "sqlite";
+ replication_factor = 1;
+
+ rpc_bind_addr = "127.0.0.1:8504";
+ rpc_public_addr = "127.0.0.1:8504";
+ rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
+
+ s3_api = {
+ api_bind_addr = "127.0.0.1:8502";
+ s3_region = "us-east-1";
+ root_domain = ".s3.nayeonie.com";
+ };
+
+ admin = {
+ api_bind_addr = "127.0.0.1:8503";
+ admin_token_file = config.sops.secrets."garage/admin-token".path;
+ };
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${basePath}/meta 0750 garage garage -"
+ "d ${basePath}/data 0750 garage garage -"
+ ];
+
+ sops.secrets = {
+ "garage/rpc-secret" = { };
+ "garage/admin-token" = { };
+ };
+}
diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml
index ef8b67c..3be1671 100644
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
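Review bot: Both sops secrets are declared as `{ }`, which leaves them at the sops-nix defaults (root-owned, mode 0400), while `rpc_secret_file` and `admin_token_file` are opened by the garage process itself at startup; unless garage runs as root, the service will fail to read them. The tmpfiles rules further assume a static `garage` account, yet the upstream NixOS module runs garage under `DynamicUser` by default (confirm against the nixpkgs revision pinned here) — in that case the user does not exist at activation, so `systemd-tmpfiles` cannot resolve `garage garage` and an `owner = "garage"` on the secrets would fail the same way. The consistent fix is to create the account, turn the dynamic user off and chown the secrets to it, as sketched below; the alternative that keeps `DynamicUser` is to supply the values via `services.garage.environmentFile` (garage also reads `GARAGE_RPC_SECRET` / `GARAGE_ADMIN_TOKEN` from its environment, which is what that option exists for).
```nix
{
  config,
  lib,
  pkgs,
  ...
}:
# … unchanged: let-binding of vars/basePath and the services.garage block …

  # garage opens rpc_secret_file/admin_token_file itself, so it needs a stable
  # account that both sops-nix and systemd-tmpfiles can resolve at activation.
  users.users.garage = {
    isSystemUser = true;
    group = "garage";
  };
  users.groups.garage = { };
  systemd.services.garage.serviceConfig.DynamicUser = lib.mkForce false;

  sops.secrets = {
    "garage/rpc-secret" = { owner = "garage"; };
    "garage/admin-token" = { owner = "garage"; };
  };
```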
@@ -42,6 +42,9 @@ server-validation:
 webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
 typhon:
 hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
+garage:
+ rpc-secret: ENC[AES256_GCM,data:Q2ZaAXcntD3yK6DynEpxab2TITByMZ7ECVrq1pb0ZU7hXOZnhaBmjdty/Os6len8l+GBl6+WaC0An6cFkhQTlQ==,iv:E8C4bnxMLXK9fky+KC7q8sHpmrEU5un0TEAwxVUBiLk=,tag:PiSiU+9NpyilH2aMs2Qc/Q==,type:str]
+ admin-token: ENC[AES256_GCM,data:Xjm8Xq99aDseR0jN50Uj3gLpeDaq2IGXzJCS0o1H0RgKX9LGdP8w508nWWE=,iv:+L9T3TEUSbIz+jo08ykjGHVhuz5ecmzrlhzD2iv48HE=,tag:7P2rY4F8cWFdG4Lm9n/etQ==,type:str]
 sops:
 age:
 - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -53,8 +56,8 @@ sops:
 cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
 LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-01-17T01:50:50Z"
- mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str]
+ lastmodified: "2026-05-02T16:02:29Z"
+ mac: ENC[AES256_GCM,data:dDv33vEGVeEEeTSXZPcIG3BO0GjFOswBGUsOY+/6IJqAC8omHaSQ6hdcVaXKScC56kEn5w/494hfOOEEficJt1nGQBrnfE8u95tdBqcODtSmTWbonXgpfckX68jV7Y9iTSxisih6ciAwFToxovhiI36kLrWoeVlzs5DdfwJp1YU=,iv:jkThy/omE/9SyqfAr6ARrDYLGVhhACmSxm4EgM+Is1s=,tag:Key2xC4btvI8HqQglIcXkg==,type:str]
 pgp:
 - created_at: "2024-11-28T18:56:39Z"
 enc: |-
@@ -69,4 +72,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
 unencrypted_suffix: _unencrypted
- version: 3.11.0
+ version: 3.12.2
-- 
2.53.0