remove vault stuff from storage for now

chaos 2025-01-27 17:25:44 +00:00
parent 922de801ab
commit c014677675
No known key found for this signature in database
6 changed files with 42 additions and 129 deletions


@ -1,13 +1,16 @@
let
webdav = 4200;
http = 4300;
{
webdav = let
base = 4200;
in {
webdav_main = webdav + 0;
webdav_music_ro = webdav + 1;
webdav_uploads = webdav + 2;
webdav_notes = webdav + 3;
public = base + 0;
uploads = base + 1;
};
http_music = http + 0;
http_public = http + 1;
http_uploads_public = http + 2;
http = let
base = 4300;
in {
music = http + 0;
public = http + 1;
uploads_public = http + 2;
};
}
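Review bot: In the new `http` block the three entries still add to `http` (`music = http + 0;` and the two lines after it) even though the block binds `base = 4300`; the `webdav` block above uses `base + 0` and `base + 1`. As far as the rendered page shows, the top-level `let … http = 4300;` binding is gone on the new side, so `http` would be undefined there and the file would fail to evaluate. The entries should read `music = base + 0;`, `public = base + 1;` and `uploads_public = base + 2;`. The firewall rule and both nginx vhosts are derived from these values, so an evaluation error here blocks the whole deployment.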


@ -1,15 +0,0 @@
[Storage]
type = combine
upstreams = "Music=B2:Chaos-Music" "Public=B2:Chaos-Public" "Notes=Notes:" "Uploads=B2:Chaos-Uploads"
[B2]
type = b2
account = B2_ACCOUNT
key = B2_KEY
hard_delete = true
[Notes]
type = crypt
remote = B2:Chaos-Notes
password = STORAGE_NOTES_CRYPT_PASSWORD
password2 = STORAGE_NOTES_CRYPT_SALT


@ -15,26 +15,14 @@ in {
user = "storage";
}
// remote) [
#{
# id = "main";
# remote = "Storage:";
# type = "webdav";
# extraArgs = [
# "--addr=0.0.0.0:${toString ports.webdav_main}"
# "--htpasswd=${secrets.webdav_main_htpasswd.path}"
# "--baseurl=/Main/"
# "--cache-dir=/caches/main_webdav_serve"
# "--vfs-cache-mode=full"
# ];
#}
{
id = "music-ro";
remote = "Storage:Music";
id = "public";
remote = "Public:";
type = "webdav";
extraArgs = [
"--addr=0.0.0.0:${toString ports.webdav_music_ro}"
"--read-only"
"--baseurl=/MusicRO/"
"--addr=0.0.0.0:${toString ports.webdav.public}"
"--htpasswd=${secrets.webdav_public_htpasswd.path}"
"--baseurl=/Public/"
];
}
{
@ -42,27 +30,17 @@ in {
remote = "Storage:Uploads";
type = "webdav";
extraArgs = [
"--addr=0.0.0.0:${toString ports.webdav_uploads}"
"--addr=0.0.0.0:${toString ports.webdav.uploads}"
"--htpasswd=${secrets.webdav_uploads_htpasswd.path}"
"--baseurl=/Uploads/"
];
}
{
id = "notes";
remote = "Notes:";
type = "webdav";
extraArgs = [
"--addr=0.0.0.0:${toString ports.webdav_notes}"
"--htpasswd=${secrets.webdav_notes_htpasswd.path}"
"--baseurl=/Notes/"
];
}
{
id = "music-ro";
id = "music";
remote = "Storage:Music";
type = "http";
extraArgs = [
"--addr=0.0.0.0:${toString ports.http_music}"
"--addr=0.0.0.0:${toString ports.http.music}"
"--baseurl=/Music/"
"--read-only"
];
@ -72,17 +50,17 @@ in {
remote = "Storage:Public";
type = "http";
extraArgs = [
"--addr=0.0.0.0:${toString ports.http_public}"
"--addr=0.0.0.0:${toString ports.http.public}"
"--baseurl=/Public/"
"--read-only"
];
}
{
id = "uploads-public";
id = "uploads_public";
remote = "Storage:Uploads/Public";
type = "http";
extraArgs = [
"--addr=0.0.0.0:${toString ports.http_uploads_public}"
"--addr=0.0.0.0:${toString ports.http.uploads_public}"
"--baseurl=/Uploads/"
"--read-only"
];
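Review bot: The new `public` WebDAV entry serves `remote = "Public:"`, while the unchanged HTTP entry in the third hunk still serves `Storage:Public` and every other entry keeps the `Storage:` prefix. The commit also deletes the config template that defined `Storage` and appears to make the rclone config hand-managed, so both remote names now have to exist in that file and point at the same bucket for uploads to show up on the read-only side. Using one spelling in both places, whichever the manual config defines, would avoid that drift; at minimum a comment such as `# "Public:" must be defined in the manually provisioned rclone config` next to the entry would record the dependency. The list these entries belong to starts and ends outside the hunks.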


@ -8,54 +8,15 @@
};
requiredVaultPaths = [
"api-keys/data/backblaze/Backblaze"
#"api-keys/data/storage/webdav/Main"
"api-keys/data/storage/webdav/Public"
"api-keys/data/storage/webdav/Uploads"
"api-keys/data/storage/webdav/Notes"
"private-public-keys/data/rclone/Chaos-Notes-Crypt"
];
packages = with pkgs; [
# for music & mail passwd files
apacheHttpd
# for rclone obscure config file
rclone
];
extraFunctions = ''
replace_slash_for_sed() {
sed "s#/#\\\/#"
}
simple_get_obscure() {
rclone obscure "$(simple_get "$@")"
}
simple_get_replace_b2() {
api_account=$(simple_get "$1" .keyID | replace_slash_for_sed)
api_key=$(simple_get "$1" .applicationKey | replace_slash_for_sed)
replace_account=''${2}_ACCOUNT
replace_key=''${2}_KEY
sed -i "s/$replace_account/$api_account/" "$3"
sed -i "s/$replace_key/$api_key/" "$3"
}
simple_get_replace_crypt() {
password=$(simple_get_obscure "$1" .password)
salt=$(simple_get_obscure "$1" .salt)
replace_password=''${2}_PASSWORD
replace_salt=''${2}_SALT
sed -i "s/$replace_password/$password/" "$3"
sed -i "s/$replace_salt/$salt/" "$3"
}
simple_get_htpasswd() {
if [ -f "$2" ]; then
rm "$2"
@ -76,21 +37,7 @@
manual = true;
};
#webdav_main_htpasswd = {
# user = "storage";
# group = "storage";
# fetchScript = ''
# simple_get_htpasswd "/api-keys/storage/webdav/Main" "$secretFile"
# '';
#};
webdav_uploads_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
simple_get_htpasswd "/api-keys/storage/webdav/Uploads" "$secretFile"
'';
};
webdav_notes_htpasswd = {
webdav_public_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
@ -98,17 +45,19 @@
'';
};
rclone_config = {
webdav_uploads_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
cp ${./data/rclone_config.template} "$secretFile"
simple_get_replace_b2 "/api-keys/backblaze/Backblaze" "B2" "$secretFile"
simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Notes-Crypt" "STORAGE_NOTES_CRYPT" "$secretFile"
simple_get_htpasswd "/api-keys/storage/webdav/Uploads" "$secretFile"
'';
};
rclone_config = {
user = "storage";
group = "storage";
manual = true;
};
};
};
}
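Review bot: The renamed `webdav_public_htpasswd` secret appears to keep the fetch line of the old `webdav_notes_htpasswd` entry. Going by the hunk ranges, one unchanged line sits between the second and third hunks, and it is the body of this entry's `fetchScript`. By analogy with the Uploads entry it presumably still reads `/api-keys/storage/webdav/Notes`, a path this commit removes from `requiredVaultPaths` while adding `…/webdav/Public`. If so, the fetch will either fail or provision the wrong credentials for the Public endpoint; the line should become `simple_get_htpasswd "/api-keys/storage/webdav/Public" "$secretFile"`. Separately, with `rclone_config` now `manual = true`, nothing visible still reads the Backblaze key, so if `api-keys/data/backblaze/Backblaze` remains in `requiredVaultPaths` it can be dropped to keep the Vault grant minimal.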


@ -72,7 +72,7 @@ in {
networking.firewall = {
enable = true;
allowedTCPPorts = attrValues ports;
allowedTCPPorts = flatten attrValues (attrValues ports);
};
home-manager.users.root.home.stateVersion = "25.05";
@ -84,10 +84,8 @@ in {
forceSSL = true;
enableACME = true;
locations = {
"/Main/".proxyPass = "http://${containerIP}:${toString ports.webdav_main}";
"/MusicRO/".proxyPass = "http://${containerIP}:${toString ports.webdav_music_ro}";
"/Uploads/".proxyPass = "http://${containerIP}:${toString ports.webdav_uploads}";
"/Notes/".proxyPass = "http://${containerIP}:${toString ports.webdav_notes}";
"/Public/".proxyPass = "http://${containerIP}:${toString ports.webdav.public}";
"/Uploads/".proxyPass = "http://${containerIP}:${toString ports.webdav.uploads}";
};
extraConfig = ''
client_max_body_size ${clientMaxBodySize};
@ -98,9 +96,9 @@ in {
forceSSL = true;
enableACME = true;
locations = {
"/Music/".proxyPass = "http://${containerIP}:${toString ports.http_music}";
"/Public/".proxyPass = "http://${containerIP}:${toString ports.http_public}";
"/Uploads/".proxyPass = "http://${containerIP}:${toString ports.http_uploads_public}";
"/Music/".proxyPass = "http://${containerIP}:${toString ports.http.music}";
"/Public/".proxyPass = "http://${containerIP}:${toString ports.http.public}";
"/Uploads/".proxyPass = "http://${containerIP}:${toString ports.http.uploads_public}";
};
extraConfig = ''
client_max_body_size ${clientMaxBodySize};
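Review bot: `allowedTCPPorts = flatten attrValues (attrValues ports);` in the first hunk does not evaluate, because function application is left-associative and `flatten` receives the function `attrValues` as its only argument; the resulting one-element list is then applied to `(attrValues ports)`. With the nested `ports` set the intended expression is `allowedTCPPorts = flatten (map attrValues (attrValues ports));`. Once it evaluates, the rule opens every rclone listener port, including the htpasswd-protected WebDAV ones that speak plain HTTP behind the `forceSSL` vhosts. If this firewall faces anything other than the reverse proxy, limiting the allowed source to the proxy would keep those credentials off a clear-text path. The enclosing module body starts and ends outside the hunks.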