Minio, move to different host

nixos/flake.nix

@@ -45,6 +45,28 @@
         '';
       };
 
+      packages.x86_64-linux.vm = let
+        vm = nixos-generators.nixosGenerate {
+          pkgs = pkgs;
+          modules = [ ./machines/base ];
+          format = "qcow";
+        };
+        metadata = nixos-generators.nixosGenerate {
+          pkgs = pkgs;
+          modules = [ ./machines/base ];
+          format = "lxc-metadata";
+        };
+      in with import nixpkgs { system = "x86_64-linux"; };
+      stdenv.mkDerivation {
+        name = "make-nixos-vm";
+        buildInputs = [ ];
+        src = self;
+        buildPhase =
+          "mkdir -p $out; ln -s ${vm} $out/vm; ln -s ${metadata} $out/metadata";
+        installPhase =
+          "ln -s $out/vm/nixos.qcow2 $out/nixos.qcow2;ln -s $out/metadata/tarball/nixos-system-x86_64-linux.tar.xz $out/metadata.tar.xz;";
+      };
+
       colmena = {
         meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; };
         nginx = {
@@ -78,6 +100,28 @@
           };
         };
 
+        k3s = {
+          imports = [ ./machines/k3s ];
+          deployment = {
+            targetHost = "k3s.lxd";
+            tags = [ "system" ];
+          };
+        };
+
+        minio = {
+          imports = [ ./machines/minio ];
+          deployment = {
+            targetHost = "minio.lxd";
+            tags = [ "system" ];
+            keys."minioSettings" = {
+              keyCommand = [ "vault" "kv" "get" "-field=settings" "kv/minio" ];
+              destDir = "/var/lib/keys";
+              user = "minio";
+              group = "minio";
+            };
+          };
+        };
+
         # k3s = {
         #   imports = [ ./machines/k3s ];
         #   deployment = {

nixos/machines/minio/default.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }: {
+  imports = [ ../../common ../../common/lxc.nix ];
+  networking.hostName = "minio";
+  system.stateVersion = "21.11";
+
+  networking.firewall.enable = false;
+  networking.firewall.allowedTCPPorts = [ 9000 9001 ];
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = "/var/lib/keys/minioSettings";
+  };
+}

nixos/machines/nginx/default.nix

@@ -1,4 +1,28 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+let
+  proxy = path: {
+
+    forceSSL = true;
+    enableACME = true;
+    http2 = true;
+    locations."/" = {
+      proxyPass = path;
+      proxyWebsockets = true;
+    };
+  };
+  bigProxy = path: {
+    forceSSL = true;
+    enableACME = true;
+    http2 = true;
+    locations."/" = {
+      proxyPass = path;
+      proxyWebsockets = true;
+      extraConfig = ''
+        client_max_body_size 0;
+      '';
+    };
+  };
+in {
   imports = [ ../../common ../../common/lxc.nix ];
   networking.hostName = "nginx";
   system.stateVersion = "21.11";
@@ -17,24 +41,10 @@
       enableACME = true;
       root = "/etc/main";
     };
-    virtualHosts."git.asraphiel.dev" = {
+    virtualHosts."git.asraphiel.dev" = proxy "http://gitea.lxd:3000/";
-      forceSSL = true;
+    virtualHosts."vault.asraphiel.dev" = proxy "http://vault.lxd:8200/";
-      enableACME = true;
+    virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/";
-      http2 = true;
+    virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/";
-      locations."/" = {
-        proxyPass = "http://gitea.lxd:3000/";
-        proxyWebsockets = true;
-      };
-    };
-    virtualHosts."vault.asraphiel.dev" = {
-      forceSSL = true;
-      enableACME = true;
-      http2 = true;
-      locations."/" = {
-        proxyPass = "http://vault.lxd:8200/";
-        proxyWebsockets = true;
-      };
-    };
   };
   security.acme.email = "acme@voidcorp.nl";
   security.acme.acceptTerms = true;

nixos/machines/postgres/default.nix

@@ -15,7 +15,7 @@
     authentication = ''
       local all all trust
       host all all 10.0.0.0/8 trust
-      host all all fd42:14c:5baf:51ec:216:3eff:fe6e:32a7/96 trust
+      host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust
     '';
     ensureDatabases = [ "gitea" "vault" ];
     ensureUsers = [