add garage #223

Merged
ahuston-0 merged 1 commits from feature/garage into main 2026-05-02 12:14:13 -04:00
5 changed files with 210 additions and 164 deletions
Showing only changes of commit 086ca6377f - Show all commits


@@ -1,181 +1,169 @@
name: "Update claurst" name: "Update claurst"
on: on:
repository_dispatch: repository_dispatch:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "00 14 * * 1" # Every Monday at 14:00 UTC - cron: "00 14 * * 1" # Every Monday at 14:00 UTC
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
update_claurst: update_claurst:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get current claurst version
id: current
run: |
VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/')
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Current version: $VERSION"
- name: Get latest claurst release
id: latest
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'Kuberwastaken',
repo: 'claurst',
});
const tag = release.data.tag_name.replace(/^v/, '');
core.setOutput('version', tag);
core.info(`Latest release: ${tag}`);
- name: Check if update needed
id: check_update
run: |
CURRENT="${{ steps.current.outputs.version }}"
LATEST="${{ steps.latest.outputs.version }}"
if [ "$CURRENT" = "$LATEST" ]; then
echo "No update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=false" >> $GITHUB_OUTPUT
else
echo "Update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=true" >> $GITHUB_OUTPUT
fi
- name: Update claurst if new version available
if: steps.check_update.outputs.update_needed == 'true'
id: update
run: |
NEW_VERSION="${{ steps.latest.outputs.version }}"
- name: Install nix # Backup original file
uses: https://github.com/DeterminateSystems/nix-installer-action@main cp pkgs/claurst/default.nix pkgs/claurst/default.nix.bak
- name: Setup Attic cache # Update version placeholder with empty hash to compute it
uses: ryanccn/attic-action@v0 sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get current claurst version # Try to fetch the new src hash
id: current echo "Computing src hash for v$NEW_VERSION..."
run: | SRC_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz" 2>/dev/null | tail -1 || echo "")
VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/')
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Current version: $VERSION"
- name: Get latest claurst release if [ -z "$SRC_HASH" ]; then
id: latest echo "Failed to compute src hash, reverting"
uses: actions/github-script@v7 mv pkgs/claurst/default.nix.bak pkgs/claurst/default.nix
with: exit 1
github-token: ${{ secrets.GITHUB_TOKEN }} fi
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'Kuberwastaken',
repo: 'claurst',
});
const tag = release.data.tag_name.replace(/^v/, '');
core.setOutput('version', tag);
core.info(`Latest release: ${tag}`);
- name: Check if update needed SRC_HASH="sha256-$SRC_HASH"
id: check_update echo "New src hash: $SRC_HASH"
run: |
CURRENT="${{ steps.current.outputs.version }}"
LATEST="${{ steps.latest.outputs.version }}"
if [ "$CURRENT" = "$LATEST" ]; then
echo "No update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=false" >> $GITHUB_OUTPUT
else
echo "Update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=true" >> $GITHUB_OUTPUT
fi
- name: Update claurst if new version available # Update src hash
if: steps.check_update.outputs.update_needed == 'true' sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix
id: update
run: |
NEW_VERSION="${{ steps.latest.outputs.version }}"
# Backup original file # Compute cargoHash - this requires building
cp pkgs/claurst/default.nix pkgs/claurst/default.nix.bak echo "Computing cargo hash..."
CARGO_HASH=$(nix build \
--no-eval-cache \
--expr "(import ./pkgs/default.nix { nixpkgs = import <nixpkgs> { }; }).mkPkgs \"x86_64-linux\" | .claurst" \
2>&1 | grep -oP 'got:\s*\K[^"]+' | head -1 || echo "")
# Update version placeholder with empty hash to compute it if [ -z "$CARGO_HASH" ]; then
sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix echo "Failed to compute cargo hash, trying with attribute substitution..."
CARGO_HASH=$(nix eval \
--impure \
--expr "
let
pkgs = import <nixpkgs> { config.allowUnsupportedSystem = true; };
claurst = import pkgs/claurst { inherit pkgs; };
in claurst.cargoHash
" 2>&1 | tail -1)
fi
# Try to fetch the new src hash if [ ! -z "$CARGO_HASH" ]; then
echo "Computing src hash for v$NEW_VERSION..." echo "New cargo hash: $CARGO_HASH"
SRC_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz" 2>/dev/null | tail -1 || echo "") sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$CARGO_HASH\"|" pkgs/claurst/default.nix
fi
if [ -z "$SRC_HASH" ]; then rm -f pkgs/claurst/default.nix.bak
echo "Failed to compute src hash, reverting" echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
mv pkgs/claurst/default.nix.bak pkgs/claurst/default.nix - name: Validate nix flake
exit 1 if: steps.check_update.outputs.update_needed == 'true'
fi run: |
echo "Running nix flake check..."
nix flake check --show-trace || true
- name: Build claurst to verify changes
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Building updated claurst package..."
nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true
- name: Generate PR body
if: steps.check_update.outputs.update_needed == 'true'
id: pr_body
run: |
cat > pr_body.md << 'EOF'
# Claurst Update
SRC_HASH="sha256-$SRC_HASH" Automated claurst package update.
echo "New src hash: $SRC_HASH"
# Update src hash **Changes:**
sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix - Version: `${{ steps.current.outputs.version }}` → `${{ steps.update.outputs.version }}`
- Source hash updated
- Cargo hash updated
# Compute cargoHash - this requires building Auto-generated by [update-claurst.yml][1].
echo "Computing cargo hash..."
CARGO_HASH=$(nix build \
--no-eval-cache \
--expr "(import ./pkgs/default.nix { nixpkgs = import <nixpkgs> { }; }).mkPkgs \"x86_64-linux\" | .claurst" \
2>&1 | grep -oP 'got:\s*\K[^"]+' | head -1 || echo "")
if [ -z "$CARGO_HASH" ]; then [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
echo "Failed to compute cargo hash, trying with attribute substitution..." EOF
CARGO_HASH=$(nix eval \ cat pr_body.md
--impure \ - name: Create Pull Request
--expr " if: steps.check_update.outputs.update_needed == 'true'
let uses: https://nayeonie.com/ahuston-0/create-pull-request@main
pkgs = import <nixpkgs> { config.allowUnsupportedSystem = true; }; with:
claurst = import pkgs/claurst { inherit pkgs; }; token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
in claurst.cargoHash add-paths: pkgs/claurst/default.nix
" 2>&1 | tail -1) body-path: pr_body.md
fi author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: "automated: Update claurst to ${{ steps.update.outputs.version }}"
commit-message: |
automated: Update claurst to ${{ steps.update.outputs.version }}
if [ ! -z "$CARGO_HASH" ]; then - Bumped version from ${{ steps.current.outputs.version }} to ${{ steps.update.outputs.version }}
echo "New cargo hash: $CARGO_HASH" - Updated src and cargo hashes
sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$CARGO_HASH\"|" pkgs/claurst/default.nix
fi
rm -f pkgs/claurst/default.nix.bak Auto-generated by [update-claurst.yml][1].
echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
- name: Validate nix flake
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Running nix flake check..."
nix flake check --show-trace || true
- name: Build claurst to verify changes
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Building updated claurst package..."
nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true
- name: Generate PR body
if: steps.check_update.outputs.update_needed == 'true'
id: pr_body
run: |
cat > pr_body.md << 'EOF'
# Claurst Update
Automated claurst package update.
**Changes:**
- Version: `${{ steps.current.outputs.version }}` → `${{ steps.update.outputs.version }}`
- Source hash updated
- Cargo hash updated
Auto-generated by [update-claurst.yml][1].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
EOF
cat pr_body.md
- name: Create Pull Request
if: steps.check_update.outputs.update_needed == 'true'
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
add-paths: pkgs/claurst/default.nix
body-path: pr_body.md
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: "automated: Update claurst to ${{ steps.update.outputs.version }}"
commit-message: |
automated: Update claurst to ${{ steps.update.outputs.version }}
- Bumped version from ${{ steps.current.outputs.version }} to ${{ steps.update.outputs.version }}
- Updated src and cargo hashes
Auto-generated by [update-claurst.yml][1].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
branch: update-claurst
delete-branch: true
pr-labels: |
dependencies
automated
- name: Print PR result
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Pull request created successfully"
echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}"
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
branch: update-claurst
delete-branch: true
pr-labels: |
dependencies
automated
- name: Print PR result
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Pull request created successfully"
echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}"
permissions: permissions:
pull-requests: write pull-requests: write
contents: write contents: write
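Review bot: The upstream release tag reaches bash unescaped in `NEW_VERSION="${{ steps.latest.outputs.version }}"` (update step) and `LATEST="${{ steps.latest.outputs.version }}"` (check step), because the runner substitutes the expression into the script text before the shell parses it. A tag name on the third-party repository that contains quotes or `$(...)` would therefore become part of the script, in a job that holds `contents: write` and `GH_TOKEN_FOR_UPDATES`. Pass the value through the step's `env:` map and read it as `"$NEW_VERSION"`, and reject anything that does not match a version pattern before it reaches `sed` and the download URL. `nix-installer-action@main` and `create-pull-request@main` follow a moving branch, so pinning both to a commit SHA would fix what runs with these secrets. The `|| true` after `nix flake check` and after the verification build lets a failing update still open a PR; dropping it would make the checks gate the PR step.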


@@ -9,6 +9,7 @@
./acme.nix ./acme.nix
./attic ./attic
./docker ./docker
./garage.nix
./gitea.nix ./gitea.nix
./firewall.nix ./firewall.nix
./haproxy ./haproxy


@@ -50,6 +50,7 @@ frontend ContentSwitching
acl host_minio hdr(host) -i minio.alicehuston.xyz acl host_minio hdr(host) -i minio.alicehuston.xyz
acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
acl host_attic hdr(host) -i attic.nayeonie.com acl host_attic hdr(host) -i attic.nayeonie.com
acl host_s3 hdr(host) -i s3.nayeonie.com
acl host_minio hdr(host) -i minio.nayeonie.com acl host_minio hdr(host) -i minio.nayeonie.com
acl host_minio_console hdr(host) -i minio-console.nayeonie.com acl host_minio_console hdr(host) -i minio-console.nayeonie.com
#acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
@@ -67,6 +68,7 @@ frontend ContentSwitching
use_backend nextcloud_nodes if host_nextcloud use_backend nextcloud_nodes if host_nextcloud
use_backend hydra_nodes if host_hydra use_backend hydra_nodes if host_hydra
use_backend attic_nodes if host_attic use_backend attic_nodes if host_attic
use_backend garage_nodes if host_s3
#use_backend nextcloud_vol_nodes if host_nextcloud_vol #use_backend nextcloud_vol_nodes if host_nextcloud_vol
# use_backend collabora_nodes if host_collabora # use_backend collabora_nodes if host_collabora
use_backend prometheus_nodes if host_prometheus use_backend prometheus_nodes if host_prometheus
@@ -142,6 +144,10 @@ backend minio_console_nodes
mode http mode http
server server 192.168.76.2:8501 server server 192.168.76.2:8501
backend garage_nodes
mode http
server server 192.168.76.2:8502
# backend foundry_nodes # backend foundry_nodes
# timeout tunnel 50s # timeout tunnel 50s
# mode http # mode http
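Review bot: `server server 192.168.76.2:8502` in the new `garage_nodes` backend targets the LAN address, while the garage.nix added in the same change sets `api_bind_addr = "127.0.0.1:8502"`. A listener bound to loopback does not accept connections addressed to 192.168.76.2, so this backend will probably be refused unless something outside this diff forwards the port. Either point the backend at `127.0.0.1:8502` (if HAProxy shares the host's network namespace) or bind Garage to the address HAProxy reaches and restrict that port to the proxy in the firewall. Separately, `acl host_s3 hdr(host) -i s3.nayeonie.com` matches only the bare host, so the virtual-hosted bucket names enabled by `root_domain = ".s3.nayeonie.com"` would not be routed here; an additional `hdr_end(host) -i .s3.nayeonie.com` ACL would cover them. The frontend and backend blocks continue outside these hunks.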


@@ -0,0 +1,48 @@
{
config,
pkgs,
...
}:
let
vars = import ./vars.nix;
basePath = "${vars.primary_minio}/garage";
in
{
services.garage = {
enable = true;
package = pkgs.garage;
logLevel = "info";
settings = {
metadata_dir = "${basePath}/meta";
data_dir = "${basePath}/data";
db_engine = "sqlite";
replication_factor = 1;
rpc_bind_addr = "127.0.0.1:8504";
rpc_public_addr = "127.0.0.1:8504";
rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
s3_api = {
api_bind_addr = "127.0.0.1:8502";
s3_region = "us-east-1";
root_domain = ".s3.nayeonie.com";
};
admin = {
api_bind_addr = "127.0.0.1:8503";
admin_token_file = config.sops.secrets."garage/admin-token".path;
};
};
};
systemd.tmpfiles.rules = [
"d ${basePath}/meta 0750 garage garage -"
"d ${basePath}/data 0750 garage garage -"
];
sops.secrets = {
"garage/rpc-secret" = { };
"garage/admin-token" = { };
};
}
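Review bot: `"garage/rpc-secret" = { };` and `"garage/admin-token" = { };` take the sops-nix defaults, which as far as I know decrypt the files owned by root and readable only by root, so the Garage process may be unable to open `rpc_secret_file` and `admin_token_file` at start. Set the owner explicitly, for example `"garage/rpc-secret" = { owner = "garage"; };`, or hand the secrets to the unit as systemd credentials, and keep them non-world-readable. The `systemd.tmpfiles.rules` entries also assume a `garage` user and group exist; nothing in this file creates them, so confirm how the NixOS module runs the service (a dynamic user would not match these rules). `replication_factor = 1` with `db_engine = "sqlite"` leaves a single copy of data and metadata; a comment such as `# single node, no redundancy: back up ${basePath}` next to the setting would record that this is deliberate.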


@@ -42,6 +42,9 @@ server-validation:
webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str] webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
typhon: typhon:
hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str] hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
garage:
rpc-secret: ENC[AES256_GCM,data:Q2ZaAXcntD3yK6DynEpxab2TITByMZ7ECVrq1pb0ZU7hXOZnhaBmjdty/Os6len8l+GBl6+WaC0An6cFkhQTlQ==,iv:E8C4bnxMLXK9fky+KC7q8sHpmrEU5un0TEAwxVUBiLk=,tag:PiSiU+9NpyilH2aMs2Qc/Q==,type:str]
admin-token: ENC[AES256_GCM,data:Xjm8Xq99aDseR0jN50Uj3gLpeDaq2IGXzJCS0o1H0RgKX9LGdP8w508nWWE=,iv:+L9T3TEUSbIz+jo08ykjGHVhuz5ecmzrlhzD2iv48HE=,tag:7P2rY4F8cWFdG4Lm9n/etQ==,type:str]
sops: sops:
age: age:
- recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -53,8 +56,8 @@ sops:
cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw== LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-17T01:50:50Z" lastmodified: "2026-05-02T16:02:29Z"
mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str] mac: ENC[AES256_GCM,data:dDv33vEGVeEEeTSXZPcIG3BO0GjFOswBGUsOY+/6IJqAC8omHaSQ6hdcVaXKScC56kEn5w/494hfOOEEficJt1nGQBrnfE8u95tdBqcODtSmTWbonXgpfckX68jV7Y9iTSxisih6ciAwFToxovhiI36kLrWoeVlzs5DdfwJp1YU=,iv:jkThy/omE/9SyqfAr6ARrDYLGVhhACmSxm4EgM+Is1s=,tag:Key2xC4btvI8HqQglIcXkg==,type:str]
pgp: pgp:
- created_at: "2024-11-28T18:56:39Z" - created_at: "2024-11-28T18:56:39Z"
enc: |- enc: |-
@@ -69,4 +72,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.12.2