From a6c4828cb66eb74ef2320f9fa06b59ae299e5c5f Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Thu, 30 Dec 2021 13:27:39 +0100 Subject: Add systemd service to mount garage
---
 .gitignore | 2 ++ app/bad.csi-s3/deploy/csi-s3.hcl | 39 +++++++++++++++++++++++++++++++++++++++ app/csi-s3/deploy/csi-s3.hcl | 39 --------------------------------------- app/im/deploy/im.hcl | 4 ++-- configuration.nix | 19 +++++++++++++++++++ deploy.sh | 9 +++++++-- secrets/rclone.conf.sample | 8 ++++++++ 7 files changed, 77 insertions(+), 43 deletions(-) create mode 100644 app/bad.csi-s3/deploy/csi-s3.hcl delete mode 100644 app/csi-s3/deploy/csi-s3.hcl create mode 100644 secrets/rclone.conf.sample
diff --git a/.gitignore b/.gitignore
index e61812f..f19976d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 notes/
+secrets/*
+!secrets/*.sample
diff --git a/app/bad.csi-s3/deploy/csi-s3.hcl b/app/bad.csi-s3/deploy/csi-s3.hcl
new file mode 100644
index 0000000..8e70c6a
--- /dev/null
+++ b/app/bad.csi-s3/deploy/csi-s3.hcl
@@ -0,0 +1,39 @@
+job "plugin-csi-s3-nodes" {
+ datacenters = ["neptune", "pluton"]
+
+ # you can run node plugins as service jobs as well, but this ensures
+ # that all nodes in the DC have a copy.
+ type = "system"
+
+ group "nodes" {
+ task "plugin" {
+ driver = "docker"
+
+ config {
+ image = "ctrox/csi-s3:v1.2.0-rc.1"
+
+ args = [
+ "--endpoint=unix://csi/csi.sock",
+ "--nodeid=${node.unique.id}",
+ "--logtostderr",
+ "--v=5",
+ ]
+
+ # node plugins must run as privileged jobs because they
+ # mount disks to the host
+ privileged = true
+ }
+
+ csi_plugin {
+ id = "csi-s3"
+ type = "node"
+ mount_dir = "/csi"
+ }
+
+ resources {
+ cpu = 500
+ memory = 256
+ }
+ }
+ }
+}
diff --git a/app/csi-s3/deploy/csi-s3.hcl b/app/csi-s3/deploy/csi-s3.hcl
deleted file mode 100644
index 8e70c6a..0000000
--- a/app/csi-s3/deploy/csi-s3.hcl
+++ /dev/null
@@ -1,39 +0,0 @@
-job "plugin-csi-s3-nodes" {
- datacenters = ["neptune", "pluton"]
-
- # you can run node plugins as service jobs as well, but this ensures
- # that all nodes in the DC have a copy.
- type = "system"
-
- group "nodes" {
- task "plugin" {
- driver = "docker"
-
- config {
- image = "ctrox/csi-s3:v1.2.0-rc.1"
-
- args = [
- "--endpoint=unix://csi/csi.sock",
- "--nodeid=${node.unique.id}",
- "--logtostderr",
- "--v=5",
- ]
-
- # node plugins must run as privileged jobs because they
- # mount disks to the host
- privileged = true
- }
-
- csi_plugin {
- id = "csi-s3"
- type = "node"
- mount_dir = "/csi"
- }
-
- resources {
- cpu = 500
- memory = 256
- }
- }
- }
-}
diff --git a/app/im/deploy/im.hcl b/app/im/deploy/im.hcl
index 734669a..3cf4e95 100644
--- a/app/im/deploy/im.hcl
+++ b/app/im/deploy/im.hcl
@@ -29,7 +29,7 @@ job "im" { driver = "docker" config { - image = "litestream/litestream" + image = "litestream/litestream:0.3.7" args = [ "restore", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db" ]
@@ -109,7 +109,7 @@ job "im" { task "replicate-db" { driver = "docker" config { - image = "litestream/litestream" + image = "litestream/litestream:0.3.7" args = [ "replicate", "-config", "/etc/litestream.yml" ]
diff --git a/configuration.nix b/configuration.nix
index c9fecd0..bb44c40 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -176,6 +176,7 @@ in htop links git + rclone docker docker-compose ];
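Review bot: Both `litestream/litestream:0.3.7` references (the restore task in the first im.hcl hunk and `replicate-db` in the second) are still resolved by tag, and a registry tag can be re-pointed to different content after this commit. These tasks restore and replicate `/ephemeral/homeserver.db`, so pinning by digest as well, e.g. `image = "litestream/litestream:0.3.7@sha256:<DIGEST>"` (placeholder; take the digest from a pull you have verified), would make the deployed image immutable. Both task blocks start and end outside the hunks.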
@@ -243,6 +244,24 @@ in ]; }; + # Mount Garage using Rclone + systemd.services.mountgarage = { + enable = true; + description = "Mount the Garage data store"; + path = [ + pkgs.fuse + pkgs.rclone + ]; + unitConfig = { + Type = "simple"; + }; + serviceConfig = { + ExecStartPre = "${pkgs.bash}/bin/sh -c \"mkdir -p /mnt/garage-staging; fusermount -u /mnt/garage-staging || exit 0\""; + ExecStart = "${pkgs.rclone}/bin/rclone --config /root/rclone.conf mount --vfs-cache-mode full --vfs-cache-max-size 1G --cache-dir /root/mountgarage-cache staging: /mnt/garage-staging"; + }; + wantedBy = [ "multi-user.target" ]; + }; + # Open ports in the firewall. networking.firewall = { enable = true;
diff --git a/deploy.sh b/deploy.sh
index 989e4dd..e4470c0 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -19,10 +19,15 @@ for NIXHOST in $NIXHOSTLIST; do echo "==== DOING $NIXHOST ====" - echo "generating NixOS config" + echo "Sending NixOS config files" + cat configuration.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/configuration.nix > /dev/null cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/node.nix > /dev/null cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/site.nix > /dev/null - echo "rebuilding NixOS" + + echo "Sending secret files" + test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST sudo tee /root/rclone.conf > /dev/null) + + echo "Rebuilding NixOS" ssh -F ssh_config $SSH_DEST sudo nixos-rebuild switch done
diff --git a/secrets/rclone.conf.sample b/secrets/rclone.conf.sample
new file mode 100644
index 0000000..048bdba
--- /dev/null
+++ b/secrets/rclone.conf.sample
@@ -0,0 +1,8 @@
+[staging]
+type = s3
+provider = Other
+env_auth = false
+access_key_id = GK...
+secret_access_key = ...
+endpoint = http://127.0.0.1:3990
+region = garage-staging
-- cgit v1.2.3
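Review bot: `Type = "simple"` is set under `unitConfig`, which NixOS renders into the `[Unit]` section, where systemd does not recognise `Type`; it belongs in `serviceConfig`. The unit also has no stop or restart handling, so if rclone dies the mount at /mnt/garage-staging can stay stale until the next start runs the `fusermount -u` in `ExecStartPre`; consider `Restart = "on-failure";` and `ExecStop = "${pkgs.fuse}/bin/fusermount -u /mnt/garage-staging";` in `serviceConfig`. Nothing orders the service after the S3 endpoint it connects to, which looks like a local Garage on 127.0.0.1:3990 judging by the sample config, so an `after`/`wants` on that unit is probably needed (the unit name is not visible here). A short comment noting that the service runs as root and reads its credentials from /root/rclone.conf would also help the next maintainer.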
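Review bot: The new secret-upload line in deploy.sh writes /root/rclone.conf through `sudo tee`, so the S3 access key is created with whatever mode root's umask gives (commonly 0644) and is protected only by the permissions of /root itself. Creating it with a restrictive mode closes that gap, e.g. `test -f secrets/rclone.conf && ssh -F ssh_config $SSH_DEST 'sudo sh -c "umask 077; cat > /root/rclone.conf"' < secrets/rclone.conf`; a file that already exists keeps its old mode, so a one-off `chmod 600` is still needed on hosts deployed earlier. When secrets/rclone.conf is absent the step is skipped silently while `nixos-rebuild switch` still enables the mountgarage unit, which would then start without its config, so printing a warning in that case would make the failure easier to trace. The enclosing `for` loop starts outside the hunk.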