From e6906a0aa34eb33ff11e74980038d04877b4ef4f Mon Sep 17 00:00:00 2001
From: sinavir
Date: Sat, 11 Jan 2025 05:48:31 +0100
Subject: [PATCH] feat(garage): Use a module and replicate on tower01
---
REUSE.toml | 2 +-
default.nix | 1 +
machines/nixos/storage01/garage.nix | 73 ++------
.../storage01/secrets/garage-environment_file | Bin 1776 -> 0 bytes
machines/nixos/storage01/secrets/secrets.nix | 1 -
machines/nixos/tower01/_configuration.nix | 4 +-
machines/nixos/tower01/garage.nix | 18 ++
machines/nixos/tower01/secrets/secrets.nix | 6 +-
modules/nixos/default.nix | 1 +
modules/nixos/dgn-s3/default.nix | 163 ++++++++++++++++++
modules/nixos/dgn-s3/garage-admin_token_file | 33 ++++
.../nixos/dgn-s3/garage-metrics_token_file | 33 ++++
modules/nixos/dgn-s3/garage-rpc_secret_file | 59 +++++++
modules/nixos/dgn-s3/secrets.nix | 15 ++
14 files changed, 340 insertions(+), 69 deletions(-)
delete mode 100644 machines/nixos/storage01/secrets/garage-environment_file
create mode 100644 machines/nixos/tower01/garage.nix
create mode 100644 modules/nixos/dgn-s3/default.nix
create mode 100644 modules/nixos/dgn-s3/garage-admin_token_file
create mode 100644 modules/nixos/dgn-s3/garage-metrics_token_file
create mode 100644 modules/nixos/dgn-s3/garage-rpc_secret_file
create mode 100644 modules/nixos/dgn-s3/secrets.nix
diff --git a/REUSE.toml b/REUSE.toml
index 1e6ae4c..076efb7 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -14,7 +14,7 @@ precedence = "closest" [[annotations]] SPDX-FileCopyrightText = "La Délégation Générale Numérique " SPDX-License-Identifier = "CC-BY-NC-ND-4.0" -path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file"] +path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"] precedence = "closest" [[annotations]] diff --git a/default.nix b/default.nix index 7aa2701..f5fcce0 100644 --- a/default.nix +++ b/default.nix @@ -79,6 +79,7 @@ let "modules/nixos/dgn-netbox-agent/secrets/netbox-agent" "modules/nixos/dgn-notify/mail" "modules/nixos/dgn-records/__arkheon-token_file" + "modules/nixos/dgn-s3/garage-*_file" ]; license = "CC-BY-NC-ND-4.0"; } diff --git a/machines/nixos/storage01/garage.nix b/machines/nixos/storage01/garage.nix index 6bd5eee..811ae0a 100644 --- a/machines/nixos/storage01/garage.nix +++ b/machines/nixos/storage01/garage.nix @@ -4,22 +4,10 @@ # # SPDX-License-Identifier: EUPL-1.2 -{ - config, - lib, - pkgs, - ... -}: - let - inherit (lib) mapAttrs' nameValuePair; - host = "s3.dgnum.eu"; webHost = "cdn.dgnum.eu"; - data_dir = "/data/slow/garage/data"; - metadata_dir = "/data/fast/garage/meta"; - domains = [ "bandarretdurgence.ens.fr" "boussole-sante.normalesup.eu" 
@@ -50,68 +38,27 @@ let }; in { - dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports; - - services.garage = { + dgn-s3 = { enable = true; - package = pkgs.garage_1_0_1; + inherit ports; - settings = { - inherit data_dir metadata_dir; - - db_engine = "lmdb"; - - consistency_mode = "consistent"; - replication_factor = 1; - - compression_level = 7; - - rpc_bind_addr = "[::]:${toString ports.rpc}"; - rpc_public_addr = "127.0.0.1:${toString ports.rpc}"; - - s3_api = { - s3_region = "garage"; - api_bind_addr = "127.0.0.1:${toString ports.s3_api}"; - root_domain = ".${host}"; - }; - - s3_web = { - bind_addr = "127.0.0.1:${toString ports.s3_web}"; - root_domain = ".${webHost}"; - index = "index.html"; - }; - - k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}"; - - admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}"; - }; - - environmentFile = config.age.secrets."garage-environment_file".path; + data_dir = "/data/slow/garage/data"; + metadata_dir = "/data/fast/garage/meta"; }; - systemd.services.garage.serviceConfig = { - User = "garage"; - ReadWriteDirectories = [ - data_dir - metadata_dir - ]; - TimeoutSec = 600; + services.garage.settings = { + s3_api.root_domain = ".${host}"; + s3_web.root_domain = ".${webHost}"; }; - users.users.garage = { - isSystemUser = true; - group = "garage"; - }; - users.groups.garage = { }; - services.nginx.virtualHosts = { "s3-admin.dgnum.eu" = { enableACME = true; forceSSL = true; locations."/".extraConfig = '' - proxy_pass http://127.0.0.1:${toString ports.admin_api}; + proxy_pass http://127.0.0.1:${builtins.toString ports.admin_api}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; ''; 
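Review bot: Moving storage01 onto `dgn-s3` changes its `replication_factor` from the removed `1` to the module's `2`, and nothing in this file records that. Garage's documentation describes a manual procedure for changing the replication factor of an existing cluster, so the first activation on storage01 probably needs more than a rebuild; please confirm and note it. A comment above `dgn-s3 = {` such as `# replication_factor is now 2 (set in dgn-s3); the existing layout was built with 1, see the migration notes` would keep that visible. The same block also replaces `environmentFile` with the module's `*_file` secrets, so if the deleted file held an admin or metrics token, existing clients stop working unless the new secrets carry the same values.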
@@ -124,7 +71,7 @@ in serverAliases = mkHosted host buckets; locations."/".extraConfig = '' - proxy_pass http://127.0.0.1:${toString ports.s3_api}; + proxy_pass http://127.0.0.1:${builtins.toString ports.s3_api}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; # Disable buffering to a temporary file. @@ -140,7 +87,7 @@ in serverAliases = domains ++ (mkHosted webHost buckets); locations."/".extraConfig = '' - proxy_pass http://127.0.0.1:${toString ports.s3_web}; + proxy_pass http://127.0.0.1:${builtins.toString ports.s3_web}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; ''; 
diff --git a/machines/nixos/storage01/secrets/garage-environment_file b/machines/nixos/storage01/secrets/garage-environment_file deleted file mode 100644 index dce047c9e8d20eda2b67caab5ec66ac1079649f0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1776 zcmZY8{qNia0mt!0M3TaOAc9d8bNDc`Z}au857)a2j$M0wx;|a6z23D;zO2{wdUx&h z`L5T4NPrAXh))SdWX|z0rg0K9FqsLO7>FS#qD&29Wb%!3hWLY9%wiCU-(U92m%reZ zeDZl)p1bLWc3Q^yGzvc-rCxOj0hQkMvS5+RYU5>Tkd}-Uo*xIQ zS?~i&tbvMbjqrRj2nxmRWq=Fypdl>`>}iQgHAdt$)vUIMQW*~I>o1Ii*2?SGps4j zH6$TYy)#|KG(dW$Uv;XjEGI^|=LVn`=&ZdG$U)wOEGSl#8p(G;0Y%!jl+2of%o0Ru zE0ghvZ&E@4nE8m7pS9%% z&KA1U8UgA^FTx>+4@I0r8AhuW+&J^DtbOIT)n%dBN(BuGcP_=?v?x;>8WrKr{N0gN zop9ZiM5npZh%>Casx?CnV90htNW#?jI%}m^pd}+axJ36+!q=+>Iw=KVwrCUX#Ibj4 zwI1Hssf6J&lyvMA7U?A;)Trq+(IKYAYqnrRtdBIh&YH(_LW7$?pQ!PsBGOXSFN6*f zxzIqT8XcqB-^m5FVz4eE3Z^a=)%R7>VO9;vtIQKTatsb?S#q}UeW|Z`VX1W~j6f8; zAMw?ZGI1nSAF~vow@O+I3C~8zzRws7!n6|=Efff%Vz@v?QW}MD&ctQ#KCP}A4c@Du zMw!L_7#TuitUcCiXixLdHRlb*=2Fv5bX~0d1aXiS)d#xuWeIa?B1J7~+Ur15LRi&1 zo*9dMgljTYHEB1?d<^C`x_ilZr*BlL1gaHTb64V*<=k9_%ZbdU4izz&fMiBjq*&E) z*_52Mb}mU7oXx;gE7$OX*3F6LOZA345AFrIVz;npvSGp1+_#dT_jPbl)w{ocYRoZyoc$_`|Cof17%B^4HT_ zm%rxux6}8YI=lVy;1BoS@$d!U=?_+-`)@dNx;(ehIR(7&)6?1=KRfx~e}~1VD}!ea zKk*s(#+%lUh$rrjA2_n{x%coN?>YR=TW9$n;YV)y-6QY*N4xD^bo==q1Ycep_{(+S zbx+=Z@v5`mlMfxg_S)?e8{5D5L;EWe&qOl z&)xL&%MU^0Utjh04e?E8|6@nAjJuS)c<06Y?gU@o_{M9mA2|B2t-S|N-h7w;;+|8? z-!4D9+I!~FyI;9=tvoP)Tt9d2%=xE2eq_eKQ{{!j@!|ceUw-zn-+u~8K5*k7_h#o` z*)Cq#cWm=FU$}nX`oe|l_q_e5#li1vwXXT-ZLdOG+_wPv=AZ04dHcgB9(?Za?fUoM e{NIQF`E%>iOVJA!bL_Xze|PKr4Icve2mcR6EOf~L diff --git a/machines/nixos/storage01/secrets/secrets.nix b/machines/nixos/storage01/secrets/secrets.nix index 6e9e7e4..3ff3ae9 100644 --- a/machines/nixos/storage01/secrets/secrets.nix +++ b/machines/nixos/storage01/secrets/secrets.nix 
@@ -7,7 +7,6 @@ "bupstash-put_key" "forgejo-mailer_password_file" "forgejo_runners-token_file" - "garage-environment_file" "influxdb2-grafana_token_file" "influxdb2-initial_password_file" "influxdb2-initial_token_file" diff --git a/machines/nixos/tower01/_configuration.nix b/machines/nixos/tower01/_configuration.nix index 68b2c0f..7208aec 100644 --- a/machines/nixos/tower01/_configuration.nix +++ b/machines/nixos/tower01/_configuration.nix @@ -7,7 +7,9 @@ lib.extra.mkConfig { enabledModules = [ ]; - enabledServices = [ ]; + enabledServices = [ + "garage" + ]; extraConfig = { services.netbird.enable = true; diff --git a/machines/nixos/tower01/garage.nix b/machines/nixos/tower01/garage.nix new file mode 100644 index 0000000..ce72b5d --- /dev/null +++ b/machines/nixos/tower01/garage.nix @@ -0,0 +1,18 @@ +# SPDX-FileCopyrightText: 2024 Maurice Debray +# SPDX-License-Identifier: EUPL-1.2 + +{ + dgn-s3 = { + enable = true; + + ports = { + admin_api = 3903; + rpc = 3901; + s3_api = 3900; + s3_web = 3902; + }; + + data_dir = "/data/garage/data"; + metadata_dir = "/data/garage/meta"; + }; +} diff --git a/machines/nixos/tower01/secrets/secrets.nix b/machines/nixos/tower01/secrets/secrets.nix index cd9456c..fc092fd 100644 --- a/machines/nixos/tower01/secrets/secrets.nix +++ b/machines/nixos/tower01/secrets/secrets.nix @@ -2,6 +2,6 @@ # # SPDX-License-Identifer: EUPL-1.2 -(import ../../../../keys).mkSecrets [ "tower01" ] [ - -] +(import ../../../../keys).mkSecrets [ "tower01" ] + [ + ] diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 3951b22..46ac60b 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -29,6 +29,7 @@ "dgn-notify" "dgn-records" "dgn-redirections" + "dgn-s3" "dgn-ssh" "dgn-vm-variant" "dgn-web" diff --git a/modules/nixos/dgn-s3/default.nix b/modules/nixos/dgn-s3/default.nix new file mode 100644 index 0000000..ddd500e --- /dev/null +++ b/modules/nixos/dgn-s3/default.nix 
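Review bot: In the new `machines/nixos/tower01/garage.nix`, `data_dir` and `metadata_dir` point at `/data/garage/data` and `/data/garage/meta`, but nothing visible in this patch creates those directories or hands them to the `garage` user the module runs the service as. Unless disk provisioning elsewhere covers it, a rule such as `systemd.tmpfiles.rules = [ "d /data/garage/data 0700 garage garage -" "d /data/garage/meta 0700 garage garage -" ];` keeps the store owned by the service account and unreadable to other local users. This file also leaves `k2v_api` unset, so the module passes a null `garage-k2v_api` into `dgn-web.internalPorts`; whether that option accepts null is not visible here and should be checked.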
@@ -0,0 +1,163 @@ +# SPDX-FileCopyrightText: 2024 Maurice Debray +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + config, + lib, + pkgs, + meta, + name, + ... +}: + +let + inherit (lib) + genAttrs + mapAttrs' + mkDefault + mkEnableOption + mkIf + mkOption + nameValuePair + ; + + inherit (lib.types) + path + nullOr + package + port + ; + + mkListen = + local: port: + mkIf (port != null) "${if local then "127.0.0.1" else "[::]"}:${builtins.toString port}"; + + mkPortOption = + name: + mkOption { + type = nullOr port; + default = null; + description = '' + Listening port for the ${name} garage service. + ''; + }; + + cfg = config.dgn-s3; +in + +{ + options.dgn-s3 = { + enable = mkEnableOption "a Garage node for the DGNum S3 server"; + + data_dir = mkOption { + type = path; + description = '' + The directory in which Garage will store the data blocks of objects. + Can be put on slow hardware. + ''; + }; + + metadata_dir = mkOption { + type = path; + description = '' + The directory in which Garage will store the metadata of objects. + Should be put on fast hardware. + ''; + }; + + package = mkOption { + type = package; + default = pkgs.garage_1_0_1; + description = '' + Garage package to use, needs to be set explicitly. + If you are upgrading from a major version, please read NixOS + and Garage release notes for upgrade instructions. + ''; + }; + + ports = + { + rpc = mkOption { + type = port; + default = null; + description = '' + Listening port for the ${name} garage service. + ''; + }; + } + // (genAttrs [ + "admin_api" + "k2v_api" + "s3_api" + "s3_web" + ] mkPortOption); + }; + + config = mkIf cfg.enable { + age-secrets = { + autoMatch = [ "garage" ]; + sources = [ ./. 
]; + }; + + dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") cfg.ports; + + networking.firewall.allowedTCPPorts = [ cfg.ports.rpc ]; + + services.garage = { + enable = true; + + inherit (cfg) package; + + settings = { + inherit (cfg) data_dir metadata_dir; + + db_engine = "lmdb"; + + consistency_mode = "consistent"; + replication_factor = 2; + + compression_level = 7; + + rpc_bind_addr = mkListen false cfg.ports.rpc; + rpc_public_addr = "${meta.network.${name}.netbirdIp}:${builtins.toString cfg.ports.rpc}"; + rpc_secret_file = config.age.secrets."garage-rpc_secret_file".path; + + s3_api = { + s3_region = "garage"; + api_bind_addr = mkListen true cfg.ports.s3_api; + root_domain = mkDefault ".s3.dgnum"; + }; + + s3_web = { + bind_addr = mkListen true cfg.ports.s3_web; + index = "index.html"; + root_domain = mkDefault ".web.dgnum"; + }; + + k2v_api.api_bind_addr = mkListen false cfg.ports.k2v_api; + + admin = { + api_bind_addr = mkListen true cfg.ports.admin_api; + admin_token_file = config.age.secrets."garage-admin_token_file".path; + metrics_token_file = config.age.secrets."garage-metrics_token_file".path; + }; + }; + }; + + systemd.services.garage.serviceConfig = { + User = "garage"; + ReadWriteDirectories = [ + cfg.data_dir + cfg.metadata_dir + ]; + TimeoutSec = 600; + }; + + users.users.garage = { + isSystemUser = true; + group = "garage"; + }; + users.groups.garage = { }; + }; +} diff --git a/modules/nixos/dgn-s3/garage-admin_token_file b/modules/nixos/dgn-s3/garage-admin_token_file new file mode 100644 index 0000000..ee79204 --- /dev/null +++ b/modules/nixos/dgn-s3/garage-admin_token_file 
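Review bot: `networking.firewall.allowedTCPPorts = [ cfg.ports.rpc ];` opens the Garage RPC port on every interface and `rpc_bind_addr = mkListen false cfg.ports.rpc` binds it on `[::]`, although peers are told to use the NetBird address in `rpc_public_addr`. That leaves the shared RPC secret as the only barrier on the public interfaces; scoping the rule to the VPN interface, `networking.firewall.interfaces.<netbird-interface>.allowedTCPPorts = [ cfg.ports.rpc ];` (interface name is a placeholder), keeps replication traffic on the overlay. `k2v_api.api_bind_addr` also uses `mkListen false` while the other APIs bind to 127.0.0.1; if K2V is only reached through a local proxy it should use `mkListen true`. Separately, `ports.rpc` is declared with `type = port; default = null;` and a description that interpolates the module argument `name` (the host name, judging by `meta.network.${name}`), so the option text is wrong and an unset port would likely fail with a type error rather than a missing-definition error; dropping the default and writing `Listening port for the rpc garage service.` fixes both.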
@@ -0,0 +1,33 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA 7X7KyvWBdR4Lrw+LKL1xq1H/K850+mAV+nQ5qtYoNHA +KmCsLh9cXkSOxvOfU+P2VI4s6aWKXTqaataumdkMRkk +-> ssh-ed25519 QlRB9Q dvreglAXZlEziCV+lX4AdYp8p09sPFXuzrakTbs8ITY +VTGDi/2yVgnQVnWeWvyn20E2aX/O2rdVKjQmnuixGrE +-> ssh-ed25519 r+nK/Q aecxYzGLiqRt7U4EmDuk8JhhaM5P+SSCysmbn8je7Tw +d3jBESgqJZb6aq8PRp0fgkK0H3bdjJXN9uuav2wn71o +-> ssh-rsa krWCLQ +nTRrAzHOh7YZYviyeKHLfMABV7Ie+Z6aRi53J8/TaDobAOXKbFpWKnftfu1Vwuwf +uUaoo7OApUVQAnHGJVSN7VEXd6YbwXBKkH6Va1hPuvXsaIL0/RS8YReOBdxZA6fn +AZeVWgWth3mbekz1XR1+1uIP1hMwYwNUTV2CHI6l4J5aAMS5nJtJDlkFqw8WdKJn +pDxGe+P21sJqXkb8m9f3PE5p+ZjqX9rj7uzVPr+yqpnApIkWTUzgPIaLj6ayPJKl +rcXGXx0aTeruEpDivKtK/axIqbnlhWmpr8FbGjqlbU74OEWqfFPqm5TafKsQTgfM +4iA1wir0vPdeMkq7+iCZoQ +-> ssh-ed25519 /vwQcQ NRitxiTeU4MOI6J4h21fPLs3X2OL9VRkEJWbVeEjCH0 +ZE17NfO5KaTQqXHQ1J0g3B/GbEubJvezcJdU5axzUt4 +-> ssh-ed25519 0R97PA Fp18gDCSxn5NJSEzcrWaUpDAsyEAJTPtmKRQ3iVsrCo +xXtf1XUdpFqnLNVhl01M1RQFd6lKkUFwmvOfJoUrP68 +-> ssh-ed25519 JGx7Ng jzlKENztbotMcIVbQdvFInj1zwabqBtj4cBfgJ8rK10 +PRCEQKM35x3N3OEUZtvqVqCJQkiFZfIf7vHNqHtgtsg +-> ssh-ed25519 bUjjig q3b85evViS19M+LcPc6UR6aSrcP+7JY8CbRAjvi7CSE +/TKH6yqZe+lYGHxhpHrbbxOWvIeO92cwc9gHX0Z9ZKo +-> ssh-ed25519 rHotTw oR4gxowpLxD2CDUJBKiWhjIGSr8MK+qaG9mp4WJWaDc +lfdhqNH2zEC72IwKeJBSurWYBiHwLAcxPy1wkgIo4H0 +-> ssh-ed25519 oRtTqQ SxHjvwikFUE5+vD/OpNleu03FAHFgZ+zt9HShLzqumA +ZVpu6VDWAxBH5iRc8GYC7xVc/FTUdRpEC8yI/B3amb8 +-> ssh-ed25519 NaIdrw N2y/7JpXUFDQUPmSZRBtXMtCyOUbrRgvsc7bWcNJ2kU +Z8rFjomLFrsYvOJzQ4LBUw+51cLt19cMAHmoTaSh73I +-> $-grease B5QzJ oBIIjF8s n=>k/^'0 ^ +O/4f4rtDksmPzXYWI4pCMXtpeZ70oK9P03yHdBpn3jpdX0yfonmtUPN++BKhW5jW +mMQncuJDICy9oKMNRd1379h8P8QYTme2lfmaZGBjf9NuFt+6RPvJeix7teqJ +--- xY8PoCKN7yB3bAlGhXVGm7OW6Z9a1sVK/JChcgAUxNM +Pf̭p! khn@, Vf5E"w'K'Noبxc>Y4 \ No newline at end of file diff --git a/modules/nixos/dgn-s3/garage-metrics_token_file b/modules/nixos/dgn-s3/garage-metrics_token_file new file mode 100644 index 0000000..2a9b599 --- /dev/null 
+++ b/modules/nixos/dgn-s3/garage-metrics_token_file 
@@ -0,0 +1,33 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA I4kF+E0/u6pqt6eFYdrPH6b479dECVo1OMbfRzkdyHU +VcD/IbNI2DBMXl6F1yyGXBl0I1kN7o0MsogDMD3nhYM +-> ssh-ed25519 QlRB9Q UVpkCT132kfie4VA0dJYRYUNHzFEDQNAEsICpYHTvjg +HuudHaOSkEt1FxmtJIEsc04tw4/CRCGalXR7zc48jR8 +-> ssh-ed25519 r+nK/Q t4aEMzIjZU5AgrrbraIz8PX+hkwRZa7J+ja6lzI9sl8 +FTc4LVCNByA9bPstxkVfsjZXIrUWDN0v/76K/Dhdz7A +-> ssh-rsa krWCLQ +zD4HayffU0MzzBDd/FZX2yUg9dg9Yfb8DV+K7jR+X6uDRe1frWtlAAvHLRk9FMox +mlC0cDrKa+N8yg9ZWsTtzK1r2gI7PZKt164C8HfAPYLDzuY3vUinYdZiXYGlJ52J +5+zlDMah1qE2ZzTp5iONwj+Ng6mQiSC3q19Q2T/jYuiXuoc/fyLL5ME/+3nHX3OM +OV8prtoHB99VF7+e1N+bEC2OCDWJvLkiMysrqb8vsxlQeBNRmThE9EfKZKn7zqS2 +2P9TtS7mfppLb/ARkWAUv8Av/7nNZs7JMAjL/RKNC4cIWrShObfcRETbqgPUlf4x +g2vUm46cyFDcbq7aZTW8wQ +-> ssh-ed25519 /vwQcQ oNvtZtDgoAD7pTtvAP3Okzn71yEUo347XRonLtpzV3A +3d95tKV6G/MVdC2MVWSjnFcvTJTve0KWJzPqxWMq6CE +-> ssh-ed25519 0R97PA QKjpWxh3X0KcL5sQA8EjwQRQYsxvOWpB5w9+8I584Qw +Dn++EsXvndiwzkG2Oi4Z6iCZtqy7nR+LjEWDUdirZmE +-> ssh-ed25519 JGx7Ng fxOb1DHqpX9Iurj/2dRBp7omSE+BxyMxhVhxHqM/+j0 +EtnKjSOy+q/7rnmAXjv7pDuKfyomCM748v9yNOGO33A +-> ssh-ed25519 bUjjig samBH6/AasnQZcXszNXhuQVdyQtoWDTWKeL/r5p/LwU +vplAeESgi9SS5fWENCX9GZjnCSuFJwO2gxueJBHYhd4 +-> ssh-ed25519 rHotTw zDvNC+PtbiWWHUZVtQYZE697LsGEb6h9UnqK/sUZGGI +2eZWAl2h2WQTo5Uzp86AdjnG/mWpivAszH6Dwq2mOjY +-> ssh-ed25519 oRtTqQ 4pGJxfSiUEVB4XPe5xfb6QBnQyBN35yr0twZ1PmPSnM +ZqpGePQWInGbh15890706GMFQljvRzdel2A8w+QQ3Iw +-> ssh-ed25519 NaIdrw VOduEJKHbxzhEHdm2C6eoO8CWo8KX5WYDf4X5C275Fo +v0m5XOWVcAUPwnhus7OhiSvjqrITiaZqpVlbBVLzw4U +-> DGmIj973-grease <0?l.i 6uaPL"]E +0CX09qh4P1yaRoYy1A6Wy2csOqX9JYF7UrYMdi6w1d4rPDPe4PpAfbqSfLga6j77 +J75T8VDW7hQvLjpJBX222Yxaolpkbaf+3wVfhN+kKXRHhe5me24e3P9n +--- wdvzqKKPRU40rhOPpnPtP++pYPERZKsCGShDvKg6s2Y +m&%u,GD4#ٍr1A Rͬ ssh-ed25519 jIXfPA dWYT87UONQqJriApPSjalyX4iWMVenZhnbJA6Yk/8Hw +Ey26q2cLkYWKEK3jeSHBXL5e73x2vAYTzJ6vtvrinh0 +-> ssh-ed25519 QlRB9Q 3VnU1Oz1vjV+hMAgsvYNrrZ3FeZnpJK3Pm1cD0fU3QE +p7MDQcIyfO8y/jKS0y2DuYZe6c+oEfQrUmNZYp8wmfM +-> ssh-ed25519 
r+nK/Q R8/ZBd4+EMpmv2AbeFTa9L06hvLyCo/UkSEPeo2YmkM +j+Y+Irh/wwX39hCXZ1TEGMyEOzKWFZ5cNhoXTs++LYg +-> ssh-rsa krWCLQ +mBZxTC2YL+VSL9fvCCJvEVRDvPFwtnZKhNkUUKkVoBiegqnftCSk0xRBdZHMwNQM ++8238s4gry5oMQQgNWfBaDrkoMG/+hggvmaGIV0FLVSnyeVuLLeOHBpN+Pprw8UI +wf2DctSEvdY59YaaNmz0qh7L20rdZPi8VoWcvIfFr2bdxcBR420OjRu5E56duBWR +4LEtS8o2tqiS6ZOYqORhJL3WIm8WutjuLqXMpz7sZiBLvJqz00NrsFI2UhVDw4Ez +vaPVet8/ioRghSFtNVdj8mVblDfFdhPI0STDJ2PFS5Ldge+FJhOXC5DpKK6G+N6f +HaJK5DRVkE9IkKSFaYiaOA +-> ssh-ed25519 /vwQcQ Hh0FDXSHEdL+RsTOGvguZ1ZwFjgZCvtMDTFmIP4It1Q +N4ZoiChhfUGQ3EFY2F6Gh5ojEXi/X3y48tm9VcRKAos +-> ssh-ed25519 0R97PA CsBxpLgMUOmTsnAFwq12B0FQnMiOVuU/zDsQWLMSEF8 +Ukoci1zMiBy2S+hMYBLcdbRmPvPj/24VCUCSpgawv3A +-> ssh-ed25519 JGx7Ng aTUfNYNhqPPrbs1xzsQPWCRAFLQvZeY/Zg0ZWVCwZF0 +QOR6rk4szm0VZlpxF0QhLNZxznuM28XECCGJo14Llu0 +-> ssh-ed25519 bUjjig 5hhVEGfXD/Yywb8WtOCkQ5Rk7yIZgqy/asuM69RXFAc ++Veh6yKTJmkuvIopjXLDzx9XiqmaEoyHI2kNgA7ojUk +-> ssh-ed25519 DqHxWQ VhPsgKnHhLgx1/52aID+0IcBneITTiu2/HazWyziYQI +Ulzo/CZiZIr17EekToNWKrsUHyfHSQwQUHGSXBILSG8 +-> ssh-ed25519 IxxZqA MEYeuE7vtA9NsuyePdyPLt4TLtuqDsIHF5MPrUhsiDM +G6ZvfbWBetQtCMfcF/AF0Pn+GymA2ryxsYArjNomzMI +-> ssh-ed25519 tDqJRg kFlONbMWWsBwqh4ptqV/OIQ/XTNJDuPlBqwNpDDoyDY +CVUNw6B3cuyX8yTD6kzGB13iwaOIrNxvqYXrhhWh1dY +-> ssh-ed25519 9pVK7Q qFIMwhDTQ8ZtlkkYFUOYNO9PWX0u0Q5sz2t3AQ78mWQ +RNRPehVR88F9QXEfn8GderSt7wEEU2zmN8q7k3ykPHs +-> ssh-ed25519 /BRpBQ vybR48XHXlfm7HBpPsNGu8rr/xaiRZpvXwyPnlcTklU +o5fWJ3VXqb1/aqvwE1+OZxi9kUU/r76wNgiu1kWJlHY +-> ssh-ed25519 t0vvHQ XsWeEV3ItPly/ESsvZRQJPF12wr7pXpeLqtBgRNC9n4 +f4iCSxJNBHtwgoh343DL4WX0lVgdE9bcmPEusKMOoXY +-> ssh-ed25519 E6cGqw htgxAcXUpht9RqPKrCDjDJh0dD89GhGBo/sGmHEczQI +fU9AvChNceHpIqXOdSQfagn+AM+5cQbYqxeWOQqWIq0 +-> ssh-ed25519 EEPmeQ HSFgjvBWBa1d/t/1inKQEmY8PAduJjbQyHRobtR43Uk +E8OrKw2Xmsdhq2N/5wmS0yS6h/azHa0x+MnY3pDTFgs +-> ssh-ed25519 +MNHsw Vq99uqEHmOmMOL3jvxqfxOJyn3UDNfQTsDhn40EZ00Q +bPjQ7oRYg9CUeqOV0Oj4/vlIRIfNVPvFOYV/Ck1i6sQ +-> ssh-ed25519 rHotTw OVs3a9QclLVwSZgAhfL/IFtCRk/dB6rZyFqep53/rTE 
+osV6Cd1OosjdJG9Qqurs0Xam8fspl/qhGgH5B/vt670 +-> ssh-ed25519 NaIdrw +ZEMJpdVzrjJTOt4ljYJOXTZTRf+ke2o/lqygE4Ryko +O2g1ZNJc1GeZ0wOCKSxlD2xBaOcQSC9grAGtnFuAUSg +-> ssh-ed25519 +mFdtQ 34abmHERavOul64mkvcAZ4a/jHpv/dTMJpPPLepb5j8 +k8I8npz05YOHyYxzg8wm982a2XfRWIAQC/oCq54TYnM +-> ssh-ed25519 0IVRbA 2oozz/YtTVVkbcL9u3OvYHKujVwNQWmixV4shAuqrWo +o94wXA+8M1t1uolDYqnQJV6QrSwViONLhNYusEz5E5I +-> ssh-ed25519 IY5FSQ NPzmgSO3d3kfJzudHT58nEMquA9LSrSKZIcHZIqcohw +VkPy13tzuR+3yV+xzmaH3txxITZWAvRAkqctp7gmzl0 +-> ssh-ed25519 VQSaNw dtLobBKYBVWFNwqMUjhc6T6M/VqbcCgzklOy5ZnqMnM ++0y6HrrelFBI8V4bw4K2nQRUVlCtOQh1qQLhi5i2tXg +-> @iEvx-grease KejL7mF S=T\^5 9auSEL +hj62uWlvi51PBuFCrNa4TLeEf3QE8VGU6+27iOLMLgTDs0l52MB90lGWIr5HM6oU + +--- 3LZoaoHaD5wRvcKT8ODWnMfpthtKEHcpfjEvndQY0OY +0筞)* +7Ht4Tv@UޠO]ҡ% +yON +{eER28:@6Bbsڱ \ No newline at end of file diff --git a/modules/nixos/dgn-s3/secrets.nix b/modules/nixos/dgn-s3/secrets.nix new file mode 100644 index 0000000..6d17c51 --- /dev/null +++ b/modules/nixos/dgn-s3/secrets.nix @@ -0,0 +1,15 @@ +# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique +# +# SPDX-License-Identifier: EUPL-1.2 + +(import ../../../keys).mkSecrets + [ + "storage01" + "tower01" + ] + [ + # List of Garage secrets + "garage-admin_token_file" + "garage-metrics_token_file" + "garage-rpc_secret_file" + ]
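Review bot: `modules/nixos/dgn-s3/secrets.nix` declares the same recipients (`storage01`, `tower01`) for all three secrets, but the committed ciphertexts do not agree with each other: `garage-rpc_secret_file` carries 23 recipient stanzas while `garage-admin_token_file` and `garage-metrics_token_file` carry 11 each, and the `oRtTqQ` stanza present in both token files is absent from the RPC secret. Which key each tag belongs to cannot be read from the patch, but either the cluster RPC secret is decryptable by more keys than the two Garage nodes need, or one of the intended recipients cannot decrypt it and Garage will fail to start there. Please rekey all three files against this `secrets.nix` so the recipient sets match, and rotate the RPC secret if the wider set was unintended.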