authorPaul Buetow <paul@buetow.org>2026-04-08 10:44:55 +0300
committerPaul Buetow <paul@buetow.org>2026-04-08 10:44:55 +0300
commitec7ae97d99e1230242951567bb7a021701818fbb (patch)
tree0e7be325d1ee2aa8522809fae817bdc4108d7129 /f3s
parent25b75130bdf65c5d54f6334614738f24a6fb743b (diff)
task b: add f3s/garage deploy layout (Rex, Just, host TOMLs)
- Per-host garage.fN.toml with __RPC_SECRET__ placeholder and 23G data cap - Rexfile: paul@f0–f2, inject secret from secrets/rpc_secret, install to /usr/local/etc/garage.toml, restart garage - Justfile: deploy, init-secrets, status, layout, stats, bucket-create - Root Rexfile: require f3s/garage/Rexfile (not matched by */Rexfile glob) - Gitignore f3s/garage/secrets/ Made-with: Cursor
Diffstat (limited to 'f3s')
-rw-r--r--f3s/garage/Justfile27
-rw-r--r--f3s/garage/Rexfile69
-rw-r--r--f3s/garage/etc/garage.f0.toml16
-rw-r--r--f3s/garage/etc/garage.f1.toml16
-rw-r--r--f3s/garage/etc/garage.f2.toml16
5 files changed, 144 insertions, 0 deletions
diff --git a/f3s/garage/Justfile b/f3s/garage/Justfile
new file mode 100644
index 0000000..f2782c2
--- /dev/null
+++ b/f3s/garage/Justfile
@@ -0,0 +1,27 @@
+# Garage cluster on FreeBSD f0–f2. Run rex from repo root unless noted.
+ssh_host := "paul@f0.lan.buetow.org"
+_garage_dir := justfile_directory()
+
+# Deploy TOML (RPC secret from secrets/rpc_secret) and restart garage on all nodes
+deploy:
+ cd "{{_garage_dir}}/../.." && rex garage_deploy
+
+# Ensure secrets/rpc_secret exists (openssl rand -hex 32)
+init-secrets:
+ mkdir -p "{{_garage_dir}}/secrets" && ( test -f "{{_garage_dir}}/secrets/rpc_secret" || openssl rand -hex 32 > "{{_garage_dir}}/secrets/rpc_secret" ) && chmod 600 "{{_garage_dir}}/secrets/rpc_secret"
+
+# garage service status on f0
+status:
+ ssh {{ssh_host}} 'doas service garage status'
+
+# Cluster layout (garage CLI on f0)
+layout:
+ ssh {{ssh_host}} garage layout show
+
+# Aggregated stats
+stats:
+ ssh {{ssh_host}} 'garage stats -a'
+
+# Create a bucket (usage: just bucket-create watchos-app)
+bucket-create name:
+ ssh {{ssh_host}} 'garage bucket create {{name}}'
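Review bot: In `init-secrets`, `openssl rand -hex 32 > …/rpc_secret` creates the file under the caller's umask and `chmod 600` runs only afterwards, so the secret and the `secrets` directory can be readable by others for a moment, and stay that way if the chain stops before the chmod. Running the recipe body under a restrictive umask closes that window, e.g. start it with `umask 077 && mkdir -p "{{_garage_dir}}/secrets" && …`. `test -f` also accepts an empty file left behind by a failed openssl run; `test -s` is the safer guard. In `bucket-create`, `{{name}}` is pasted inside a single-quoted remote command, so a name containing a quote or shell metacharacter changes what runs on f0; check it against the allowed bucket-name characters before calling ssh.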
diff --git a/f3s/garage/Rexfile b/f3s/garage/Rexfile
new file mode 100644
index 0000000..0343c5c
--- /dev/null
+++ b/f3s/garage/Rexfile
@@ -0,0 +1,69 @@
+# Deploy Garage config to FreeBSD hosts f0–f2.
+# Run from repository root: rex garage_deploy
+#
+# Requires secrets/rpc_secret (gitignored). Create with:
+# just -f f3s/garage/Justfile init-secrets
+
+use Rex -feature => [ '1.14', 'exec_autodie' ];
+use Rex::Logger;
+use File::Basename qw(dirname);
+use File::Slurp qw(read_file);
+use File::Spec::Functions qw(catfile rel2abs);
+
+use constant GARAGE_ETC => '/usr/local/etc/garage.toml';
+
+my $GARAGE_DIR = dirname( rel2abs(__FILE__) );
+
+group garage_nodes => qw(
+ f0.lan.buetow.org
+ f1.lan.buetow.org
+ f2.lan.buetow.org
+);
+
+user 'paul';
+sudo FALSE;
+
+parallelism 1;
+
+sub _garage_host_suffix {
+ my $server = connection->server;
+ return 'f0' if $server =~ /^f0\./;
+ return 'f1' if $server =~ /^f1\./;
+ return 'f2' if $server =~ /^f2\./;
+ Rex::Logger::info( "Unknown garage host: $server", 'error' );
+ die "Cannot map $server to garage.fN.toml\n";
+}
+
+desc 'Deploy garage.toml to f0/f1/f2 (injects RPC secret from secrets/rpc_secret)';
+task 'garage_deploy',
+ group => 'garage_nodes',
+ sub {
+ my $suffix = _garage_host_suffix();
+ my $toml_path = catfile( $GARAGE_DIR, 'etc', "garage.$suffix.toml" );
+ my $secret_path = catfile( $GARAGE_DIR, 'secrets', 'rpc_secret' );
+
+ die "Missing $secret_path — run: just -f f3s/garage/Justfile init-secrets\n"
+ unless -f $secret_path;
+
+ my $secret = read_file($secret_path);
+ chomp $secret;
+ die "RPC secret in $secret_path is empty\n" unless length $secret;
+
+ my $content = read_file($toml_path);
+ my $replaced = ( $content =~ s/__RPC_SECRET__/$secret/g );
+ die "Placeholder __RPC_SECRET__ missing in $toml_path\n" unless $replaced;
+
+ my $tmp = '/tmp/garage.toml.rex.' . $$;
+
+ file $tmp,
+ content => $content,
+ owner => 'paul',
+ group => 'paul',
+ mode => '600';
+
+ run "doas install -o root -g wheel -m 600 $tmp " . GARAGE_ETC;
+ run "rm -f $tmp";
+ run 'doas service garage restart';
+ };
+
+# vim: syntax=perl
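Review bot: The rendered config, which contains the RPC secret, is staged at `/tmp/garage.toml.rex.$$` on each node. That name is predictable (`$$` is the PID of the local rex process) and /tmp is normally writable by every local user. Because `exec_autodie` is enabled, a failing `doas install` aborts the task before `rm -f $tmp` runs and leaves the secret behind. Stage the file inside a directory created with `mktemp -d` on the remote host and remove that directory whether or not the install succeeded, as sketched below. Separately, the secret is only checked for being non-empty; since init-secrets writes 64 hex characters, `die "Bad RPC secret in $secret_path\n" unless $secret =~ /\A[0-9a-f]{64}\z/;` would catch a truncated or hand-edited file before it reaches the TOML.

```perl
# … unchanged: read secret, substitute __RPC_SECRET__ into $content …
my $tmp_dir = run 'mktemp -d /tmp/garage.rex.XXXXXXXX';
chomp $tmp_dir;
my $tmp = "$tmp_dir/garage.toml";

my $installed = eval {
    # … unchanged: file $tmp, content => $content, … and the doas install line …
    1;
};
my $err = $@;
run "rm -rf $tmp_dir";    # drop the secret-bearing copy even if the install failed
die $err unless $installed;
run 'doas service garage restart';
```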
diff --git a/f3s/garage/etc/garage.f0.toml b/f3s/garage/etc/garage.f0.toml
new file mode 100644
index 0000000..6c4c2ad
--- /dev/null
+++ b/f3s/garage/etc/garage.f0.toml
@@ -0,0 +1,16 @@
+[metadata]
+path = "/var/db/garage/meta"
+auto_snapshot_interval = "6h"
+
+[data]
+path = [
+ { path = "/var/db/garage/data", capacity = "23G" }
+]
+
+[rpc]
+bind_addr = "[::]:3901"
+secret = "__RPC_SECRET__"
+
+[api]
+s3_bind_addr = "[::]:3900"
+admin_bind_addr = "[::]:3903"
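Review bot: `admin_bind_addr = "[::]:3903"` (like the RPC and S3 listeners above it) binds to every interface, and the file sets no admin or metrics token, so what that port exposes without authentication depends on Garage's defaults. Consider binding the admin listener to the LAN or loopback address, or adding a token through a placeholder of its own, injected the same way as `__RPC_SECRET__`. The same applies to garage.f1.toml and garage.f2.toml, which carry the same blob id (6c4c2ad) and are therefore byte-identical to this file. It is also worth checking the key names against the installed Garage version: the configuration reference I know uses top-level `rpc_secret`, `rpc_bind_addr`, `metadata_dir` and `data_dir`, plus an `[admin]` table, rather than `[rpc]`/`[api]` tables. If that holds here, the injected secret would not be read.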
diff --git a/f3s/garage/etc/garage.f1.toml b/f3s/garage/etc/garage.f1.toml
new file mode 100644
index 0000000..6c4c2ad
--- /dev/null
+++ b/f3s/garage/etc/garage.f1.toml
@@ -0,0 +1,16 @@
+[metadata]
+path = "/var/db/garage/meta"
+auto_snapshot_interval = "6h"
+
+[data]
+path = [
+ { path = "/var/db/garage/data", capacity = "23G" }
+]
+
+[rpc]
+bind_addr = "[::]:3901"
+secret = "__RPC_SECRET__"
+
+[api]
+s3_bind_addr = "[::]:3900"
+admin_bind_addr = "[::]:3903"
diff --git a/f3s/garage/etc/garage.f2.toml b/f3s/garage/etc/garage.f2.toml
new file mode 100644
index 0000000..6c4c2ad
--- /dev/null
+++ b/f3s/garage/etc/garage.f2.toml
@@ -0,0 +1,16 @@
+[metadata]
+path = "/var/db/garage/meta"
+auto_snapshot_interval = "6h"
+
+[data]
+path = [
+ { path = "/var/db/garage/data", capacity = "23G" }
+]
+
+[rpc]
+bind_addr = "[::]:3901"
+secret = "__RPC_SECRET__"
+
+[api]
+s3_bind_addr = "[::]:3900"
+admin_bind_addr = "[::]:3903"