made s3 buckets work

This commit is contained in:
Ingolf Wagner 2024-01-07 00:27:29 +01:00
parent de8a334588
commit cea37fb8ca
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
13 changed files with 76 additions and 103 deletions


@ -1308,11 +1308,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1703323989, "lastModified": 1704582381,
"narHash": "sha256-YC2itrHIVrg1TazWnsuZ51BBYD3HJMFKONgh9RWn5Qk=", "narHash": "sha256-GC56ZF7qAtRqxF/SchmlVN86mA4BMwRFRz411utqUvc=",
"ref": "main", "ref": "main",
"rev": "23c91088d677f3f1e7d21bb1a8afd4f729d1e030", "rev": "cd333595c000cd2b1cbce7b2a6027fd6c3f07769",
"revCount": 61, "revCount": 62,
"type": "git", "type": "git",
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
}, },


@ -48,6 +48,7 @@ with lib;
locations."/" = { locations."/" = {
root = pkgs.landingpage.override { root = pkgs.landingpage.override {
jsonConfig = [ jsonConfig = [
{ title = config.networking.hostName; }
{ title = "System Links"; } { title = "System Links"; }
{ {
text = "Syncthings"; text = "Syncthings";


@ -40,6 +40,7 @@ let
"loki.chungus" = hosts.chungus; "loki.chungus" = hosts.chungus;
"prometheus.chungus" = hosts.chungus; "prometheus.chungus" = hosts.chungus;
"s3.chungus" = hosts.chungus; "s3.chungus" = hosts.chungus;
"minio.chungus" = hosts.chungus;
"sync.chungus" = hosts.chungus; "sync.chungus" = hosts.chungus;
"tdarr.chungus" = hosts.chungus; "tdarr.chungus" = hosts.chungus;
"trilium.chungus" = hosts.chungus; "trilium.chungus" = hosts.chungus;


@ -13,6 +13,10 @@ with lib;
units units
parallel parallel
wget
curl
]; ];
} }
(mkIf config.gui.enable { (mkIf config.gui.enable {


@ -3,11 +3,21 @@
services.minio = { services.minio = {
enable = true; enable = true;
region = "home"; region = "home";
rootCredentialsFile = config.sops.secrets.minioRootCredentials.path;
}; };
sops.secrets.minioRootCredentials = { };
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."s3.${config.networking.hostName}.private" = { virtualHosts."s3.${config.networking.hostName}.private" = {
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://localhost:9000";
};
};
virtualHosts."minio.${config.networking.hostName}.private" = {
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;
proxyWebsockets = true; proxyWebsockets = true;
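Review bot: The new `s3.*` virtual host forwards the S3 API to `http://localhost:9000` but leaves nginx's request-body limit at the NixOS default (`services.nginx.clientMaxBodySize` is "10m"), so any object upload larger than that is rejected by the proxy with 413 before MinIO ever sees it, which is exactly the failure the Terraform backend in this commit will hit once a state file grows; set `services.nginx.clientMaxBodySize = "0";` or add `extraConfig = "client_max_body_size 0;";` inside the `locations."/"` block. Neither vhost in the hunk shows `forceSSL`/`enableACME`, and the backend config elsewhere in this commit reaches this host over plain `http://`, so state contents and root credentials for the console cross the network unencrypted unless TLS is enabled outside the hunk; if plaintext is intentional for the `.private` zone, a one-line comment saying so would keep a later reader from "fixing" it. The `minio.*` vhost's `proxyPass` and the end of the `services.nginx` block lie past the end of the hunk.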


@ -0,0 +1,18 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
backend "s3" {
bucket = "terraform-state-terranix-website"
encrypt = false
endpoint = "http://s3.chungus.private"
force_path_style = true
iam_endpoint = "http://s3.chungus.private"
key = "namecheap/terraform.tfstate"
region = "home"
skip_credentials_validation = true
skip_metadata_api_check = true
skip_region_validation = true
skip_requesting_account_id = true
skip_s3_checksum = true
sts_endpoint = "http://s3.chunugs.private"
}
}


@ -1,4 +1,8 @@
include {
path = find_in_parent_folders()
}
inputs = { inputs = {
namecheap_user = run_cmd("--terragrunt-quiet", "pass", "show", "development/namecheap.com/username") namecheap_user = run_cmd("--terragrunt-quiet", "pass", "show", "development/namecheap.com/username")
namecheap_api_key = run_cmd("--terragrunt-quiet", "pass", "show", "development/namecheap.com/api-key") namecheap_api_key = run_cmd("--terragrunt-quiet", "pass", "show", "development/namecheap.com/api-key")


@ -0,0 +1,31 @@
remote_state {
backend = "s3"
generate = {
path = "__backend.tf"
if_exists = "overwrite"
}
config = {
bucket = "terraform-state-terranix-website"
key = "${path_relative_to_include()}/terraform.tfstate"
region = "home"
encrypt = false
endpoint = "http://s3.chungus.private"
iam_endpoint = "http://s3.chungus.private"
sts_endpoint = "http://s3.chunugs.private"
force_path_style = true
enable_lock_table_ssencryption = false
skip_s3_checksum = true
skip_bucket_public_access_blocking = true
skip_bucket_enforced_tls = true
skip_credentials_validation = true
skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason
skip_bucket_versioning = true # use only if the object store does not support versioning
skip_bucket_ssencryption = true # use only if non-encrypted Terraform State is required and/or the object store does not support server-side encryption
skip_metadata_api_check = true
skip_region_validation = true
skip_requesting_account_id = true
}
}
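Review bot: `sts_endpoint = "http://s3.chunugs.private"` transposes the hostname ("chunugs" vs the "chungus" used on the two lines above it), so the STS endpoint names a host that does not resolve; the same value was copied into the generated `__backend.tf` earlier in this commit (the `sts_endpoint` line of the `backend "s3"` block), which Terragrunt rewrites from this block on every run because of `if_exists = "overwrite"`. Change it to `sts_endpoint = "http://s3.chungus.private"`; with `skip_credentials_validation` and `skip_requesting_account_id` set the STS endpoint is probably never contacted, which would explain why the typo has gone unnoticed. Because that generated file is recreated on each run, committing it is likely unintended and `__backend.tf` belongs in `.gitignore`. All three endpoints are plain `http://`, and `encrypt = false` together with `skip_bucket_versioning = true` means the state (which records every attribute of the managed resources, sensitive ones included) is stored and transported unencrypted with no way to recover an overwritten version; that may be acceptable on a private network, but it deserves a trailing comment like the ones already on the `skip_bucket_*` lines, e.g. `encrypt = false # MinIO on the .private LAN; no KMS, state holds no secrets — confirm`.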


@ -1,48 +0,0 @@
{ pkgs, lib, ... }:
let
hcloud-modules = pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix-hcloud.git";
rev = "5fa359a482892cd973dcc6ecfc607f4709f24495";
sha256 = "0smgmdiklj98y71fmcdjsqjq8l41i66hs8msc7k4m9dpkphqk86p";
};
#nixosInfect = pkgs.fetchgit {
# "url" = "https://github.com/elitak/nixos-infect.git";
# rev = "928f9e5e1d63e77a91f2ca57ffa2be1fef3078ec";
#sha256 = "0rs84c549l863vbnnqgnx7v6m2zlq0wz46jbhm4v1l1a25d966s1";
#};
in
{
imports = [ (toString hcloud-modules) ];
# configure admin ssh keys
users.admins.palo.publicKey =
"ssh-rsa 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 cardno:000611343142";
users.admins.terranix.publicKey = "${lib.fileContents ./sshkey.pub}";
# configure provisioning private Key to be used when running provisioning on the machines
provisioner.privateKeyFile = toString ./sshkey;
hcloud.nixserver = {
playground = {
enable = true;
channel = "nixos-20.09";
provisioners = [
#{
# file.source = "${nixosInfect}/nixos-infect";
# file.destination = "/root/nixos-infect";
#}
{
file.source = "${toString ./../../images/translate-setup}";
file.destination = "/root/translate-setup";
}
];
configurationFile = pkgs.writeText "configuration.nix" ''
{ pkgs, lib, config, ... }:
{ environment.systemPackages = [ pkgs.git ]; }
'';
};
};
}


@ -1,48 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
let
terranix = pkgs.callPackage
(pkgs.fetchgit {
url = "https://github.com/mrVanDalo/terranix.git";
rev = "2.3.0";
sha256 = "030067h3gjc02llaa7rx5iml0ikvw6szadm0nrss2sqzshsfimm4";
})
{ };
terraform = pkgs.writers.writeBashBin "terraform" ''
export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
${pkgs.terraform_0_12}/bin/terraform "$@"
'';
in
pkgs.mkShell {
buildInputs = [
terranix
terraform
(pkgs.writers.writeBashBin "prepare" ''
set -e
set -o pipefail
${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey
'')
(pkgs.writers.writeBashBin "build" ''
set -e
set -o pipefail
${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json
${terraform}/bin/terraform init
${terraform}/bin/terraform apply
'')
(pkgs.writers.writeBashBin "cleanup" ''
${terraform}/bin/terraform destroy
rm ${toString ./.}/config.tf.json
rm ${toString ./.}/sshkey
rm ${toString ./.}/sshkey.pub
rm ${toString ./.}/terraform.tfstate*
'')
];
}