feat(garage): Use a module and replicate on tower01

REUSE.toml

@@ -14,7 +14,7 @@ precedence = "closest"
 [[annotations]]
 SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
 SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
-path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file"]
+path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"]
 precedence = "closest"
 
 [[annotations]]

default.nix

@@ -79,6 +79,7 @@ let
           "modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
           "modules/nixos/dgn-notify/mail"
           "modules/nixos/dgn-records/__arkheon-token_file"
+          "modules/nixos/dgn-s3/garage-*_file"
         ];
         license = "CC-BY-NC-ND-4.0";
       }

machines/nixos/storage01/garage.nix

@@ -4,22 +4,10 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
 let
-  inherit (lib) mapAttrs' nameValuePair;
-
   host = "s3.dgnum.eu";
   webHost = "cdn.dgnum.eu";
 
-  data_dir = "/data/slow/garage/data";
-  metadata_dir = "/data/fast/garage/meta";
-
   domains = [
     "bandarretdurgence.ens.fr"
     "boussole-sante.normalesup.eu"
@@ -50,68 +38,27 @@ let
   };
 in
 {
-  dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
-
-  services.garage = {
+  dgn-s3 = {
     enable = true;
 
-    package = pkgs.garage_1_0_1;
+    inherit ports;
 
-    settings = {
-      inherit data_dir metadata_dir;
-
-      db_engine = "lmdb";
-
-      consistency_mode = "consistent";
-      replication_factor = 1;
-
-      compression_level = 7;
-
-      rpc_bind_addr = "[::]:${toString ports.rpc}";
-      rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
-
-      s3_api = {
-        s3_region = "garage";
-        api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
-        root_domain = ".${host}";
+    data_dir = "/data/slow/garage/data";
+    metadata_dir = "/data/fast/garage/meta";
   };
 
-      s3_web = {
-        bind_addr = "127.0.0.1:${toString ports.s3_web}";
-        root_domain = ".${webHost}";
-        index = "index.html";
+  services.garage.settings = {
+    s3_api.root_domain = ".${host}";
+    s3_web.root_domain = ".${webHost}";
   };
 
-      k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
-
-      admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
-    };
-
-    environmentFile = config.age.secrets."garage-environment_file".path;
-  };
-
-  systemd.services.garage.serviceConfig = {
-    User = "garage";
-    ReadWriteDirectories = [
-      data_dir
-      metadata_dir
-    ];
-    TimeoutSec = 600;
-  };
-
-  users.users.garage = {
-    isSystemUser = true;
-    group = "garage";
-  };
-  users.groups.garage = { };
-
   services.nginx.virtualHosts = {
     "s3-admin.dgnum.eu" = {
       enableACME = true;
       forceSSL = true;
 
       locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:${toString ports.admin_api};
+        proxy_pass http://127.0.0.1:${builtins.toString ports.admin_api};
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $host;
       '';
@@ -124,7 +71,7 @@ in
       serverAliases = mkHosted host buckets;
 
       locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:${toString ports.s3_api};
+        proxy_pass http://127.0.0.1:${builtins.toString ports.s3_api};
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $host;
         # Disable buffering to a temporary file.
@@ -140,7 +87,7 @@ in
       serverAliases = domains ++ (mkHosted webHost buckets);
 
       locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:${toString ports.s3_web};
+        proxy_pass http://127.0.0.1:${builtins.toString ports.s3_web};
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $host;
       '';

machines/nixos/storage01/secrets/secrets.nix

@@ -7,7 +7,6 @@
   "bupstash-put_key"
   "forgejo-mailer_password_file"
   "forgejo_runners-token_file"
-  "garage-environment_file"
   "influxdb2-grafana_token_file"
   "influxdb2-initial_password_file"
   "influxdb2-initial_token_file"

machines/nixos/tower01/_configuration.nix

@@ -7,7 +7,9 @@
 lib.extra.mkConfig {
   enabledModules = [ ];
 
-  enabledServices = [ ];
+  enabledServices = [
+    "garage"
+  ];
 
   extraConfig = {
     services.netbird.enable = true;

machines/nixos/tower01/garage.nix

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  dgn-s3 = {
+    enable = true;
+
+    ports = {
+      admin_api = 3903;
+      rpc = 3901;
+      s3_api = 3900;
+      s3_web = 3902;
+    };
+
+    data_dir = "/data/garage/data";
+    metadata_dir = "/data/garage/meta";
+  };
+}

machines/nixos/tower01/secrets/secrets.nix

@@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
 
-(import ../../../../keys).mkSecrets [ "tower01" ] [
-
-]
+(import ../../../../keys).mkSecrets [ "tower01" ]
+  [
+  ]

modules/nixos/default.nix

@@ -29,6 +29,7 @@
       "dgn-notify"
       "dgn-records"
       "dgn-redirections"
+      "dgn-s3"
       "dgn-ssh"
       "dgn-vm-variant"
       "dgn-web"

modules/nixos/dgn-s3/default.nix

@@ -0,0 +1,163 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  lib,
+  pkgs,
+  meta,
+  name,
+  ...
+}:
+
+let
+  inherit (lib)
+    genAttrs
+    mapAttrs'
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+    nameValuePair
+    ;
+
+  inherit (lib.types)
+    path
+    nullOr
+    package
+    port
+    ;
+
+  mkListen =
+    local: port:
+    mkIf (port != null) "${if local then "127.0.0.1" else "[::]"}:${builtins.toString port}";
+
+  mkPortOption =
+    name:
+    mkOption {
+      type = nullOr port;
+      default = null;
+      description = ''
+        Listening port for the ${name} garage service.
+      '';
+    };
+
+  cfg = config.dgn-s3;
+in
+
+{
+  options.dgn-s3 = {
+    enable = mkEnableOption "a Garage node for the DGNum S3 server";
+
+    data_dir = mkOption {
+      type = path;
+      description = ''
+        The directory in which Garage will store the data blocks of objects.
+        Can be put on slow hardware.
+      '';
+    };
+
+    metadata_dir = mkOption {
+      type = path;
+      description = ''
+        The directory in which Garage will store the metadata of objects.
+        Should be put on fast hardware.
+      '';
+    };
+
+    package = mkOption {
+      type = package;
+      default = pkgs.garage_1_0_1;
+      description = ''
+        Garage package to use, needs to be set explicitly.
+        If you are upgrading from a major version, please read NixOS
+        and Garage release notes for upgrade instructions.
+      '';
+    };
+
+    ports =
+      {
+        rpc = mkOption {
+          type = port;
+          default = null;
+          description = ''
+            Listening port for the ${name} garage service.
+          '';
+        };
+      }
+      // (genAttrs [
+        "admin_api"
+        "k2v_api"
+        "s3_api"
+        "s3_web"
+      ] mkPortOption);
+  };
+
+  config = mkIf cfg.enable {
+    age-secrets = {
+      autoMatch = [ "garage" ];
+      sources = [ ./. ];
+    };
+
+    dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") cfg.ports;
+
+    networking.firewall.allowedTCPPorts = [ cfg.ports.rpc ];
+
+    services.garage = {
+      enable = true;
+
+      inherit (cfg) package;
+
+      settings = {
+        inherit (cfg) data_dir metadata_dir;
+
+        db_engine = "lmdb";
+
+        consistency_mode = "consistent";
+        replication_factor = 2;
+
+        compression_level = 7;
+
+        rpc_bind_addr = mkListen false cfg.ports.rpc;
+        rpc_public_addr = "${meta.network.${name}.netbirdIp}:${builtins.toString cfg.ports.rpc}";
+        rpc_secret_file = config.age.secrets."garage-rpc_secret_file".path;
+
+        s3_api = {
+          s3_region = "garage";
+          api_bind_addr = mkListen true cfg.ports.s3_api;
+          root_domain = mkDefault ".s3.dgnum";
+        };
+
+        s3_web = {
+          bind_addr = mkListen true cfg.ports.s3_web;
+          index = "index.html";
+          root_domain = mkDefault ".web.dgnum";
+        };
+
+        k2v_api.api_bind_addr = mkListen false cfg.ports.k2v_api;
+
+        admin = {
+          api_bind_addr = mkListen true cfg.ports.admin_api;
+          admin_token_file = config.age.secrets."garage-admin_token_file".path;
+          metrics_token_file = config.age.secrets."garage-metrics_token_file".path;
+        };
+      };
+    };
+
+    systemd.services.garage.serviceConfig = {
+      User = "garage";
+      ReadWriteDirectories = [
+        cfg.data_dir
+        cfg.metadata_dir
+      ];
+      TimeoutSec = 600;
+    };
+
+    users.users.garage = {
+      isSystemUser = true;
+      group = "garage";
+    };
+    users.groups.garage = { };
+  };
+}

modules/nixos/dgn-s3/garage-admin_token_file

@@ -0,0 +1,33 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA 7X7KyvWBdR4Lrw+LKL1xq1H/K850+mAV+nQ5qtYoNHA
+KmCsLh9cXkSOxvOfU+P2VI4s6aWKXTqaataumdkMRkk
+-> ssh-ed25519 QlRB9Q dvreglAXZlEziCV+lX4AdYp8p09sPFXuzrakTbs8ITY
+VTGDi/2yVgnQVnWeWvyn20E2aX/O2rdVKjQmnuixGrE
+-> ssh-ed25519 r+nK/Q aecxYzGLiqRt7U4EmDuk8JhhaM5P+SSCysmbn8je7Tw
+d3jBESgqJZb6aq8PRp0fgkK0H3bdjJXN9uuav2wn71o
+-> ssh-rsa krWCLQ
+nTRrAzHOh7YZYviyeKHLfMABV7Ie+Z6aRi53J8/TaDobAOXKbFpWKnftfu1Vwuwf
+uUaoo7OApUVQAnHGJVSN7VEXd6YbwXBKkH6Va1hPuvXsaIL0/RS8YReOBdxZA6fn
+AZeVWgWth3mbekz1XR1+1uIP1hMwYwNUTV2CHI6l4J5aAMS5nJtJDlkFqw8WdKJn
+pDxGe+P21sJqXkb8m9f3PE5p+ZjqX9rj7uzVPr+yqpnApIkWTUzgPIaLj6ayPJKl
+rcXGXx0aTeruEpDivKtK/axIqbnlhWmpr8FbGjqlbU74OEWqfFPqm5TafKsQTgfM
+4iA1wir0vPdeMkq7+iCZoQ
+-> ssh-ed25519 /vwQcQ NRitxiTeU4MOI6J4h21fPLs3X2OL9VRkEJWbVeEjCH0
+ZE17NfO5KaTQqXHQ1J0g3B/GbEubJvezcJdU5axzUt4
+-> ssh-ed25519 0R97PA Fp18gDCSxn5NJSEzcrWaUpDAsyEAJTPtmKRQ3iVsrCo
+xXtf1XUdpFqnLNVhl01M1RQFd6lKkUFwmvOfJoUrP68
+-> ssh-ed25519 JGx7Ng jzlKENztbotMcIVbQdvFInj1zwabqBtj4cBfgJ8rK10
+PRCEQKM35x3N3OEUZtvqVqCJQkiFZfIf7vHNqHtgtsg
+-> ssh-ed25519 bUjjig q3b85evViS19M+LcPc6UR6aSrcP+7JY8CbRAjvi7CSE
+/TKH6yqZe+lYGHxhpHrbbxOWvIeO92cwc9gHX0Z9ZKo
+-> ssh-ed25519 rHotTw oR4gxowpLxD2CDUJBKiWhjIGSr8MK+qaG9mp4WJWaDc
+lfdhqNH2zEC72IwKeJBSurWYBiHwLAcxPy1wkgIo4H0
+-> ssh-ed25519 oRtTqQ SxHjvwikFUE5+vD/OpNleu03FAHFgZ+zt9HShLzqumA
+ZVpu6VDWAxBH5iRc8GYC7xVc/FTUdRpEC8yI/B3amb8
+-> ssh-ed25519 NaIdrw N2y/7JpXUFDQUPmSZRBtXMtCyOUbrRgvsc7bWcNJ2kU
+Z8rFjomLFrsYvOJzQ4LBUw+51cLt19cMAHmoTaSh73I
+-> $-grease B5QzJ oBIIjF8s n=>k/^'0 ^
+O/4f4rtDksmPzXYWI4pCMXtpeZ70oK9P03yHdBpn3jpdX0yfonmtUPN++BKhW5jW
+mMQncuJDICy9oKMNRd1379h8P8QYTme2lfmaZGBjf9NuFt+6RPvJeix7teqJ
+--- xY8PoCKN7yB3bAlGhXVGm7OW6Z9a1sVK/JChcgAUxNM
+PfÌ­™p½Îð<>! ù
ŸÃkhn@€ ,ï
ÖVf5Ešº"…wý‡É<¹w£ÕÀp»X’_6ñ"¦v;Åtó
5m¸›>'ÃKí‚'NÊoبxc¸>Yß4

modules/nixos/dgn-s3/garage-metrics_token_file

@@ -0,0 +1,33 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA I4kF+E0/u6pqt6eFYdrPH6b479dECVo1OMbfRzkdyHU
+VcD/IbNI2DBMXl6F1yyGXBl0I1kN7o0MsogDMD3nhYM
+-> ssh-ed25519 QlRB9Q UVpkCT132kfie4VA0dJYRYUNHzFEDQNAEsICpYHTvjg
+HuudHaOSkEt1FxmtJIEsc04tw4/CRCGalXR7zc48jR8
+-> ssh-ed25519 r+nK/Q t4aEMzIjZU5AgrrbraIz8PX+hkwRZa7J+ja6lzI9sl8
+FTc4LVCNByA9bPstxkVfsjZXIrUWDN0v/76K/Dhdz7A
+-> ssh-rsa krWCLQ
+zD4HayffU0MzzBDd/FZX2yUg9dg9Yfb8DV+K7jR+X6uDRe1frWtlAAvHLRk9FMox
+mlC0cDrKa+N8yg9ZWsTtzK1r2gI7PZKt164C8HfAPYLDzuY3vUinYdZiXYGlJ52J
+5+zlDMah1qE2ZzTp5iONwj+Ng6mQiSC3q19Q2T/jYuiXuoc/fyLL5ME/+3nHX3OM
+OV8prtoHB99VF7+e1N+bEC2OCDWJvLkiMysrqb8vsxlQeBNRmThE9EfKZKn7zqS2
+2P9TtS7mfppLb/ARkWAUv8Av/7nNZs7JMAjL/RKNC4cIWrShObfcRETbqgPUlf4x
+g2vUm46cyFDcbq7aZTW8wQ
+-> ssh-ed25519 /vwQcQ oNvtZtDgoAD7pTtvAP3Okzn71yEUo347XRonLtpzV3A
+3d95tKV6G/MVdC2MVWSjnFcvTJTve0KWJzPqxWMq6CE
+-> ssh-ed25519 0R97PA QKjpWxh3X0KcL5sQA8EjwQRQYsxvOWpB5w9+8I584Qw
+Dn++EsXvndiwzkG2Oi4Z6iCZtqy7nR+LjEWDUdirZmE
+-> ssh-ed25519 JGx7Ng fxOb1DHqpX9Iurj/2dRBp7omSE+BxyMxhVhxHqM/+j0
+EtnKjSOy+q/7rnmAXjv7pDuKfyomCM748v9yNOGO33A
+-> ssh-ed25519 bUjjig samBH6/AasnQZcXszNXhuQVdyQtoWDTWKeL/r5p/LwU
+vplAeESgi9SS5fWENCX9GZjnCSuFJwO2gxueJBHYhd4
+-> ssh-ed25519 rHotTw zDvNC+PtbiWWHUZVtQYZE697LsGEb6h9UnqK/sUZGGI
+2eZWAl2h2WQTo5Uzp86AdjnG/mWpivAszH6Dwq2mOjY
+-> ssh-ed25519 oRtTqQ 4pGJxfSiUEVB4XPe5xfb6QBnQyBN35yr0twZ1PmPSnM
+ZqpGePQWInGbh15890706GMFQljvRzdel2A8w+QQ3Iw
+-> ssh-ed25519 NaIdrw VOduEJKHbxzhEHdm2C6eoO8CWo8KX5WYDf4X5C275Fo
+v0m5XOWVcAUPwnhus7OhiSvjqrITiaZqpVlbBVLzw4U
+-> DGmIj973-grease <0?l.i 6uaPL"]E
+0CX09qh4P1yaRoYy1A6Wy2csOqX9JYF7UrYMdi6w1d4rPDPe4PpAfbqSfLga6j77
+J75T8VDW7hQvLjpJBX222Yxaolpkbaf+3wVfhN+kKXRHhe5me24e3P9n
+--- wdvzqKKPRU40rhOPpnPtP++pYPERZKsCGShDvKg6s2Y
+m&%<25>Öu,Gð¬¬DÝ4÷ëÓóÂ#ŽÎÙ<C38E>r1šAÈÃ
RˆÍ¬<êaX0‚ÜY~BæßÞá'r:AsyYÛ¥kQ*Ñæiwu¹

modules/nixos/dgn-s3/garage-rpc_secret_file

@@ -0,0 +1,59 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA dWYT87UONQqJriApPSjalyX4iWMVenZhnbJA6Yk/8Hw
+Ey26q2cLkYWKEK3jeSHBXL5e73x2vAYTzJ6vtvrinh0
+-> ssh-ed25519 QlRB9Q 3VnU1Oz1vjV+hMAgsvYNrrZ3FeZnpJK3Pm1cD0fU3QE
+p7MDQcIyfO8y/jKS0y2DuYZe6c+oEfQrUmNZYp8wmfM
+-> ssh-ed25519 r+nK/Q R8/ZBd4+EMpmv2AbeFTa9L06hvLyCo/UkSEPeo2YmkM
+j+Y+Irh/wwX39hCXZ1TEGMyEOzKWFZ5cNhoXTs++LYg
+-> ssh-rsa krWCLQ
+mBZxTC2YL+VSL9fvCCJvEVRDvPFwtnZKhNkUUKkVoBiegqnftCSk0xRBdZHMwNQM
++8238s4gry5oMQQgNWfBaDrkoMG/+hggvmaGIV0FLVSnyeVuLLeOHBpN+Pprw8UI
+wf2DctSEvdY59YaaNmz0qh7L20rdZPi8VoWcvIfFr2bdxcBR420OjRu5E56duBWR
+4LEtS8o2tqiS6ZOYqORhJL3WIm8WutjuLqXMpz7sZiBLvJqz00NrsFI2UhVDw4Ez
+vaPVet8/ioRghSFtNVdj8mVblDfFdhPI0STDJ2PFS5Ldge+FJhOXC5DpKK6G+N6f
+HaJK5DRVkE9IkKSFaYiaOA
+-> ssh-ed25519 /vwQcQ Hh0FDXSHEdL+RsTOGvguZ1ZwFjgZCvtMDTFmIP4It1Q
+N4ZoiChhfUGQ3EFY2F6Gh5ojEXi/X3y48tm9VcRKAos
+-> ssh-ed25519 0R97PA CsBxpLgMUOmTsnAFwq12B0FQnMiOVuU/zDsQWLMSEF8
+Ukoci1zMiBy2S+hMYBLcdbRmPvPj/24VCUCSpgawv3A
+-> ssh-ed25519 JGx7Ng aTUfNYNhqPPrbs1xzsQPWCRAFLQvZeY/Zg0ZWVCwZF0
+QOR6rk4szm0VZlpxF0QhLNZxznuM28XECCGJo14Llu0
+-> ssh-ed25519 bUjjig 5hhVEGfXD/Yywb8WtOCkQ5Rk7yIZgqy/asuM69RXFAc
++Veh6yKTJmkuvIopjXLDzx9XiqmaEoyHI2kNgA7ojUk
+-> ssh-ed25519 DqHxWQ VhPsgKnHhLgx1/52aID+0IcBneITTiu2/HazWyziYQI
+Ulzo/CZiZIr17EekToNWKrsUHyfHSQwQUHGSXBILSG8
+-> ssh-ed25519 IxxZqA MEYeuE7vtA9NsuyePdyPLt4TLtuqDsIHF5MPrUhsiDM
+G6ZvfbWBetQtCMfcF/AF0Pn+GymA2ryxsYArjNomzMI
+-> ssh-ed25519 tDqJRg kFlONbMWWsBwqh4ptqV/OIQ/XTNJDuPlBqwNpDDoyDY
+CVUNw6B3cuyX8yTD6kzGB13iwaOIrNxvqYXrhhWh1dY
+-> ssh-ed25519 9pVK7Q qFIMwhDTQ8ZtlkkYFUOYNO9PWX0u0Q5sz2t3AQ78mWQ
+RNRPehVR88F9QXEfn8GderSt7wEEU2zmN8q7k3ykPHs
+-> ssh-ed25519 /BRpBQ vybR48XHXlfm7HBpPsNGu8rr/xaiRZpvXwyPnlcTklU
+o5fWJ3VXqb1/aqvwE1+OZxi9kUU/r76wNgiu1kWJlHY
+-> ssh-ed25519 t0vvHQ XsWeEV3ItPly/ESsvZRQJPF12wr7pXpeLqtBgRNC9n4
+f4iCSxJNBHtwgoh343DL4WX0lVgdE9bcmPEusKMOoXY
+-> ssh-ed25519 E6cGqw htgxAcXUpht9RqPKrCDjDJh0dD89GhGBo/sGmHEczQI
+fU9AvChNceHpIqXOdSQfagn+AM+5cQbYqxeWOQqWIq0
+-> ssh-ed25519 EEPmeQ HSFgjvBWBa1d/t/1inKQEmY8PAduJjbQyHRobtR43Uk
+E8OrKw2Xmsdhq2N/5wmS0yS6h/azHa0x+MnY3pDTFgs
+-> ssh-ed25519 +MNHsw Vq99uqEHmOmMOL3jvxqfxOJyn3UDNfQTsDhn40EZ00Q
+bPjQ7oRYg9CUeqOV0Oj4/vlIRIfNVPvFOYV/Ck1i6sQ
+-> ssh-ed25519 rHotTw OVs3a9QclLVwSZgAhfL/IFtCRk/dB6rZyFqep53/rTE
+osV6Cd1OosjdJG9Qqurs0Xam8fspl/qhGgH5B/vt670
+-> ssh-ed25519 NaIdrw +ZEMJpdVzrjJTOt4ljYJOXTZTRf+ke2o/lqygE4Ryko
+O2g1ZNJc1GeZ0wOCKSxlD2xBaOcQSC9grAGtnFuAUSg
+-> ssh-ed25519 +mFdtQ 34abmHERavOul64mkvcAZ4a/jHpv/dTMJpPPLepb5j8
+k8I8npz05YOHyYxzg8wm982a2XfRWIAQC/oCq54TYnM
+-> ssh-ed25519 0IVRbA 2oozz/YtTVVkbcL9u3OvYHKujVwNQWmixV4shAuqrWo
+o94wXA+8M1t1uolDYqnQJV6QrSwViONLhNYusEz5E5I
+-> ssh-ed25519 IY5FSQ NPzmgSO3d3kfJzudHT58nEMquA9LSrSKZIcHZIqcohw
+VkPy13tzuR+3yV+xzmaH3txxITZWAvRAkqctp7gmzl0
+-> ssh-ed25519 VQSaNw dtLobBKYBVWFNwqMUjhc6T6M/VqbcCgzklOy5ZnqMnM
++0y6HrrelFBI8V4bw4K2nQRUVlCtOQh1qQLhi5i2tXg
+-> @iEvx-grease KejL7mF S=T\^5 9auSEL
+hj62uWlvi51PBuFCrNa4TLeEf3QE8VGU6+27iOLMLgTDs0l52MB90lGWIr5HM6oU
+
+--- 3LZoaoHaD5wRvcKT8ODWnMfpthtKEHcpfjEvndQY0OY
+Šã<EFBFBD>0
ç­žë)*
+à
îŽ7HË
° t‘4T½’v@UÞ O¢´ç]¹ÉÒ¡%	+
ãy¹Où<4F>ßN’‰ä
+{ÿ
‰£eEñ‡R·28:£ ¨@¼‚•Œ6Bbèsô<>Ú±

modules/nixos/dgn-s3/secrets.nix

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../../../keys).mkSecrets
+  [
+    "storage01"
+    "tower01"
+  ]
+  [
+    # List of Garage secrets
+    "garage-admin_token_file"
+    "garage-metrics_token_file"
+    "garage-rpc_secret_file"
+  ]