Initial commit

hosts/sesame/buckets.nix

@@ -0,0 +1,65 @@
+{ inputs, pkgs, lib, config, ... }:
+let
+  endpoint = "s3.${region}.backblazeb2.com";
+  region = "eu-central-003";
+  accessKeyId = "0030c2377ff19920000000002";
+
+  inherit (config.sops) secrets;
+in {
+  imports = [ ./sops.nix ];
+
+  # Forgejo
+
+  services.forgejo.settings.storage = {
+    STORAGE_TYPE = "minio";
+    MINIO_USE_SSL = true;
+    MINIO_ENDPOINT = endpoint;
+    MINIO_ACCESS_KEY_ID = accessKeyId;
+    MINIO_SECRET_ACCESS_KEY = "#BACKBLAZE_APPLICATION_SECRET#";
+    MINIO_BUCKET = "jhemono-forgejo";
+    MINIO_LOCATION = region;
+  };
+
+  sops.secrets = {
+    forgejo_backblaze_application_secret = {
+      key = "backblaze_application_secret";
+      owner = config.services.forgejo.user;
+      inherit (config.services.forgejo) group;
+    };
+  };
+
+  # Replace the placefoler for the secret with actual value on pre-start
+  systemd.services.forgejo = {
+    preStart = let
+      runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
+      replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
+      storageSettings = config.services.forgejo.settings.storage;
+    in ''
+      chmod u+w '${runConfig}'
+      ${replaceSecretBin} '${storageSettings.MINIO_SECRET_ACCESS_KEY}' '${secrets.forgejo_backblaze_application_secret.path}' '${runConfig}'
+      chmod u-w '${runConfig}'
+    '';
+  };
+
+  # Nextcloud
+  sops.secrets = {
+    nextcloud_backblaze_application_secret = {
+      key = "backblaze_application_secret";
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  services.nextcloud.config.objectstore.s3 = {
+    enable = true;
+    bucket = "seitan-nextcloud";
+    autocreate = true;
+    key = accessKeyId;
+    secretFile = secrets.nextcloud_backblaze_application_secret.path;
+    hostname = endpoint;
+    useSsl = true;
+    port = 443;
+    region = region;
+  };
+
+}