Add garage S3 config for Mastodon

The respective bucket needs to be configured with a domain alias. When a
new alias is added to the `s3_web_domains` config, a new nginx site can
then be deployed to the `nginx_proxy` hosts.

data_bags/credentials/mastodon.json

@@ -1,57 +1,108 @@
 {
   "id": "mastodon",
   "paperclip_secret": {
-    "encrypted_data": "4IAa8NMwj25MksFkh79r/Gf0ev2bKP9g5Gbz0MZLK8JxekM9+qRSes1bZK1q\nuV+/W/KxQW22GgRCNu6heimGUTnaIM2T5oneCwikDWJPMO11ngiAKkzeJWI9\nxhecxAfCyKEZWdwTIB8U9mjDV9GhppmwjLsMdC5nzcAzGzpFfjMZVVsIhmEg\nWuPIz7GPWqn/+G8pG2Q1DR7ZFJZSVYV+ig==\n",
-    "iv": "TQl3HBj/eakZ9nrMygW9pg==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "RRiNnMXWGcqh6aXl1rDPA93+6Pqw08Uc1s3wGpNXquryCYW47ndbakl4tjc0\nOW4yDhfiBF02nkXSt86vtvaxEm1jXlSTtP3EWHD1ZqzMZHceyIC2HVjYiwlM\nOXiWdMUIlLQnGkSP6R8NldPXjy5Rf5C5VomfQHF7WuTft1vSQ/gPfBm9iVtg\nyOFZR6WVeNtLsFGy\n",
+    "iv": "w2a3L+3fB6xD8b3m\n",
+    "auth_tag": "knC7vpB4x1e10IIFgvrTGQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "secret_key_base": {
-    "encrypted_data": "hH1860J8V4LFNE2OCG8pIVJd8l3hFZ56n0xONXUd98IAmVodM1Eip5nvyQmp\ntfkzAXfKMR4hUz5Y399Gp67BCh4TLum2oTqcLBF+RFP/52ZcVLESQh+ielC0\nxfUXE5Usf1YVL/gxwbmzp2l7Gr87YIAWCcGySbbb6hK+MVyr8degIHBveF0R\nNeUfRLe0B9Y/ZZGExRej+ULiiEn+c5Fubg==\n",
-    "iv": "+GOTOBWPb72QWX1G1Oaf3g==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "Mv7ohwLtwz7KDfvGjrXgNlcfWqm8QlbmPxDv6Tw1Lu+ZH9JRC9TPW3WQw0en\n6/9btymY8mcYbI8/Uyrv6CoE4UgJRHYs/cKwG20B9TZX+RpvcZtBS6JSPQsj\niXBEj6WhT1CapME9HPDV9gYmpUviU1giLYcvMbNkAkTDSELNUNDiSQ9UoHsl\nxqmztU3Frq1RPn1m\n",
+    "iv": "BRAk4pjKsqvuEzFM\n",
+    "auth_tag": "lglc926SSnA8hKHrlZUbNw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "otp_secret": {
-    "encrypted_data": "UZDcQYsfYJxhuaSDEFKdnC9BIryoJPWo95bbVqFcCDCQxO13iGuN5ZiZ4aUp\nRLMrT/pmnirID9qUQfSRgALR9KUTGonPwF03tO8xCvUCLCS7Y9l9fbIG9xUa\nY3c0b6xfwNLVP1fpax3iNfQSGuJMwTShZO8pCOeDxlhe67KawOw2obNeuTUG\n0wTKdxhywNntoLHnXKNqANZebKtqkcCV6A==\n",
-    "iv": "lMApicoykymve7hcnxx1DQ==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "nZXLF6bijukzuBJQ1RZUT0+Zju127OYezkKL5bcWMzY8cWuEFFsvCcHPy6Ww\nkFm8mdvGpNlyuIRPipwJkTPn5NVuIrmcYFzLtoTFnF9yLQAPSmDdKO0wgd8D\nEOUF7w33o4ZJKHRVPsibou1T43YIpiLtbe7ukP7+8haGKsJApPduqd9jIlwo\n/cAkq+pMbTdo83Lg\n",
+    "iv": "+bP/nOnccCqc3StV\n",
+    "auth_tag": "Y2qZigfjTrtdfH/Klp1FzQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "aws_access_key_id": {
-    "encrypted_data": "t2B+oZZcz+EzKFO+BLSzq3oWyGRHQkxiG3NOBWs3bYctgX3Lq24xFZsne9i/\nQmLl\n",
-    "iv": "TU4RGm3Rl8f/wbEkwmlEvQ==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "/t8K7WOjAftE/lj2uqGXEC51HTWZLnlDXgzEwHqaUlNEiSSpSRJV\n",
+    "iv": "JrbDzUUKm7RvpfgV\n",
+    "auth_tag": "W5yJGIkALe1zi+7Ah6woIw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "aws_secret_access_key": {
-    "encrypted_data": "ffOTmy9aiHIc9GIjuTlGkgUL4QnujC2cdeAkXpTEi+VBiYjVybrruDalXg3p\nuDZmSqnWB0sfQgNpp9sCOUqUiQ==\n",
-    "iv": "OnSjyXonCFrq9gGfW/t1TA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "YSVaIe4sCuSAA31YwOpD3+Z58rkfbmPAlJPF8NRMOjSZcfvuLGFhnZN7kejv\nRqvO5iy9ueIO+W7a1nw=\n",
+    "iv": "oo7xeDu7KncEYEFA\n",
+    "auth_tag": "V1DmNizGIsXwFP3AzTr/aw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "smtp_user_name": {
-    "encrypted_data": "D9UXRNnvBQOICQ2nFjh+CLAazmeA/avlSuQwikDmYU0VoApXbfmPiUBLIvIF\nUtSy\n",
-    "iv": "nnM8YaTSWUzuVpBJOVn0rA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "aMuLejWLobxi328xuv0uXetne11bD1qFOagyLSdOSoGuDeotxzeOTWgDVW94\naA==\n",
+    "iv": "V+VYYRqFeisHm0eD\n",
+    "auth_tag": "kH9ONcISn8+2cG6JzcdO6Q==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "smtp_password": {
-    "encrypted_data": "edFmMcnLHVEL/hpVslJj6L85WPeC7Wu3/ijTWH93pRZGCchgmcolJCK4S6//\npDz5qKG+KZX7sZLRe5PrAvnwaA==\n",
-    "iv": "1Nffd1NayckQDa83+LNv8w==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "UutnfD7NSaYOg9DgfV9/W+VhJ2YyIYWlv/eSZOvfuu96n4qkAgEKlpyOTvum\n1SiYX5Dl\n",
+    "iv": "71kKako2q3MicELe\n",
+    "auth_tag": "jBUwyud5MK2Lqch6Ms2CSw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "vapid_private_key": {
-    "encrypted_data": "VD+4vZxL1Z3FzQRyPVmowGb0qi6+zz7YCsQPTYUIbW693CKpxOtIkt+f6aXj\n95ENI4CsK4bftUC6nMwL+PK4Yw==\n",
-    "iv": "FE9FzilV00euQiuNxgUgvA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "6Bzjkm3V/dCO3c+Qj0eHHiepusSvN2Dn4wMZTOBmh3ZWlYKmf0pw2eq5bzbU\nr5rzqtJBRbShplD8jDOFK9Bw\n",
+    "iv": "8Z/Xc9zzqCQaB6MX\n",
+    "auth_tag": "myIe7oeKMvAVBSLKgcEBcA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "vapid_public_key": {
-    "encrypted_data": "2Cg2XN5PCSw/O0WhwAU3KlALWh8NBThdgaeW0faIexgetFozEhLOkwiYqdNa\nK/fTYoW2fQNJLJ/jJ6CcGrgwI3V9qy6u6lJnXQDO51vdz09wXWCZKZTue7NE\n0qGUNrq4Atq9mRTNjQ8eUTImlRO+yg==\n",
-    "iv": "7GeDps0go/IJ7HspQUBAdg==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "tIS/6Y/TNj0h+vNNxEXXj23mjqWWBEzeR0yofjOb7EFJUxNLFVjkuke9Qui8\nSCA4SID/prw8mcDLt4+jjEIEfhFEb+jxUQCokhbR7XmXMhp/FsUHz9/hBTZm\nN3JiDNU+NUHAH0D5lqbZ/0U=\n",
+    "iv": "8Y6tR83eJEWDyhuF\n",
+    "auth_tag": "G0o5ecKQvK/QE7BWmpzGOQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_endpoint": {
+    "encrypted_data": "uBpzs/4P6IKvmeosEMVtFq/Icd5P/xmlY9/015A9fc26\n",
+    "iv": "69rwf193xvQr+mEU\n",
+    "auth_tag": "ZSY3tnqSuBq2EOZnGddFOQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_region": {
+    "encrypted_data": "dSI1bDfpTcmkcEzRDSewrPOvAOStjOCX/g==\n",
+    "iv": "UfD0qpF2oJNuPPiq\n",
+    "auth_tag": "Vmgbe8hbkerTGXcgtBEIbA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_bucket": {
+    "encrypted_data": "qLBEu9Op+m1oXqpUd+Nom0+znTB4lUycpC/cygA210E=\n",
+    "iv": "h+6FTstMBoeTnlyA\n",
+    "auth_tag": "MyHbvnq5EnHC+bqL6y2pAg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_key_id": {
+    "encrypted_data": "JvWesI6gnTDr2+61c7D+NT3Q642sfuvUWJA1asEElMAbszLDJUJN4T/H46WX\n",
+    "iv": "8cK5seIY64yKWeQf\n",
+    "auth_tag": "h7NTnbwCJzc6/ZjqPMiYag==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "/e6HPASZHxTf0JTOeX9X4nlzmhitaFaFK8FqGzLjE2FF2clDJQPEdUzfVrz6\n0yiS7QWWKmycSesC+2qEwmKqF1vt5qQcvg/+z5iKXZ6VmlZx0yc=\n",
+    "iv": "nGlsRUGt4f8M9vaD\n",
+    "auth_tag": "OyOoxjwUaXZAYzprTW8/oA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_alias_host": {
+    "encrypted_data": "3JLiHJi7SZojYtrtoXY8rp3Ez6BSIV3Fjaw6J1kW7dCpCLQ=\n",
+    "iv": "O11DxH8WrjNM1QkZ\n",
+    "auth_tag": "i8FB/f0+MzsKc3LISKLX7Q==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   }
 }

environments/production.json

@@ -4,7 +4,10 @@
     "garage": {
       "replication_mode": "2",
       "s3_api_root_domain": ".s3.garage.kosmos.org",
-      "s3_web_root_domain": ".web.garage.kosmos.org"
+      "s3_web_root_domain": ".web.garage.kosmos.org",
+      "s3_web_domains": [
+        "s3.kosmos.social"
+      ]
     },
     "gitea": {
       "postgresql_host": "pg.kosmos.local:5432",
@@ -23,4 +26,4 @@
       ]
     }
   }
-}
+}

site-cookbooks/kosmos_garage/attributes/default.rb

@@ -1,5 +1,6 @@
 node.default['garage']['version']            = '0.8.0'
 node.default['garage']['checksum']['amd64']  = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['replication_mode']   = 'none'
 node.default['garage']['s3_api_port']        = 3900
 node.default['garage']['rpc_port']           = 3901
 node.default['garage']['s3_web_port']        = 3902
@@ -7,4 +8,4 @@ node.default['garage']['admin_port']         = 3903
 node.default['garage']['k2v_api_port']       = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
-node.default['garage']['replication_mode']   = 'none'
+node.default['garage']['s3_web_domains']     = []

site-cookbooks/kosmos_garage/recipes/nginx_web.rb

@@ -0,0 +1,26 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_web
+#
+
+include_recipe "kosmos-nginx"
+
+domains = node['garage']['s3_web_domains']
+
+domains.each do |server_name|
+  nginx_certbot_site server_name
+
+  template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+    source 'nginx_conf_web.erb'
+    owner 'www-data'
+    mode 0640
+    variables server_name:         server_name,
+              ssl_cert:            "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+              ssl_key:             "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+    notifies :reload, 'service[nginx]', :delayed
+  end
+
+  nginx_site server_name do
+    action :enable
+  end
+end

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -0,0 +1,33 @@
+upstream garage_web {
+  server localhost:3902;
+}
+
+proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
+                 max_size=1g inactive=60m use_temp_path=off;
+
+server {
+  listen 443 http2 ssl;
+  listen [::]:443 http2 ssl;
+
+  server_name <%= @server_name %>;
+
+  access_log off;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  error_page 401 403 404 500 /__empty-page.html;
+
+  location = /__empty-page.html {
+    internal;
+    return 200 "";
+  }
+
+  location / {
+    proxy_intercept_errors on;
+    proxy_cache garage_cache;
+    proxy_pass http://garage_web;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+  }
+}