ente

systems/x86_64-linux/stargate/services/ente.nix

@@ -8,6 +8,37 @@ let
 domain = "ente.kylekrein.com";
 in
 {
+    sops.secrets."services/minio" = {};
+    services.minio = {
+        enable = true;
+    	# ente's config must match this region!
+    	region = "us-east-1";
+    # Please use a file, agenix or sops-nix to securely store your root user password!
+    # MINIO_ROOT_USER=your_root_user
+    # MINIO_ROOT_PASSWORD=a_randomly_generated_long_password
+    rootCredentialsFile = config.sops.secrets."services/minio".path;;
+  };
+
+  systemd.services.minio.environment.MINIO_SERVER_URL = "https://s3.kylekrein.com";
+
+  services.nginx = {
+    virtualHosts."s3.kylekrein.com" = {
+      forceSSL = true;
+      useACME = true;
+      locations."/".proxyPass = "http://localhost:9000";
+      # determine max file upload size
+      extraConfig = ''
+        client_max_body_size 16G;
+        proxy_buffering off;
+        proxy_request_buffering off;
+      '';
+    };
+  };
+  sops.secrets."services/ente/minio/user" = {owner = "ente";};
+  sops.secrets."services/ente/minio/password" = {owner = "ente";};
+  sops.secrets."services/ente/encryption" = {owner = "ente";};
+  sops.secrets."services/ente/hash" = {owner = "ente";};
+  sops.secrets."services/ente/jwt" = {owner = "ente";};
     services.ente = {
         web = {
 	    enable = true;
@@ -28,6 +59,25 @@ in
 	        apps.accounts = "https://accounts.${domain}";
 		apps.cast = "https://cast.${domain}";
 		public-albums = "https://albums.${domain}";
+		s3 = {
+          use_path_style_urls = true;
+          b2-eu-cen = {
+            endpoint = "https://s3.kylekrein.com";
+            region = "us-east-1";
+            bucket = "ente";
+            key._secret = config.sops.secrets."services/ente/minio/user".path;
+            secret._secret = config.sops.secrets."services/ente/minio/password".path;
+          };
+        };
+        key = {
+          # generate with: openssl rand -base64 32
+          encryption._secret = config.sops.secrets."services/ente/encryption".path;
+          # generate with: openssl rand -base64 64
+          hash._secret = config.sops.secrets."services/ente/hash".path;
+        };
+        # generate with: openssl rand -base64 32
+        jwt.secret._secret = config.sops.secrets."services/ente/jwt".path;
+      };
 	    };
 	};
     };

systems/x86_64-linux/stargate/services/nginx.nix

@@ -41,6 +41,31 @@ in {
         enableACME = true;
         forceSSL = true;
       };
+      
+      "ente.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+      "accounts.ente.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+      "api.ente.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+      "photos.ente.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+      "albums.ente.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+      "cast.ente.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+      };
 
       "matrix.kylekrein.com" = {
         enableACME = true;