Using the storage¶
From a user's point of view Junkmesh is just an S3 endpoint that happens to live at an IPv6 address inside the mesh. Any S3 client works.
Get credentials¶
A cluster member creates them (ring 3):
$ garage key create luke-laptop
$ garage bucket create luke-backups
$ garage bucket allow luke-backups --read --write --key luke-laptop
You receive a Key ID, a Secret key, and an endpoint — any cluster
node's mesh address on port 3900, e.g. http://[200:6fc8:9be3:...:41c2]:3900.
Your client machine must be on the mesh
The S3 port is only reachable over Yggdrasil (ring 1). Install Yggdrasil on your laptop/desktop — it runs fine alongside normal networking — and peer it like any node (Join the mesh, step 1). Your laptop doesn't need Garage, only the mesh — it's a client of the node you host, not a replacement for it. Membership still means hosting a node.
rclone¶
~/.config/rclone/rclone.conf:
[junkmesh]
type = s3
provider = Other
access_key_id = GK31c2f218a2e44f485b94239e
secret_access_key = b892c0665f0ada8a4755dae98960f6...
endpoint = http://[200:6fc8:9be3:...:41c2]:3900
region = junkmesh
force_path_style = true
Client-side encryption (recommended)¶
Node hosts can read raw disk contents, so wrap the remote in rclone crypt:
[junkmesh-crypt]
type = crypt
remote = junkmesh:luke-backups/encrypted
password = <generated by rclone config>
Now rclone copy ~/Documents junkmesh-crypt: stores only ciphertext on the
mesh.
AWS CLI¶
$ aws configure --profile junkmesh # enter key id / secret, region: junkmesh
$ aws --profile junkmesh \
--endpoint-url 'http://[200:6fc8:9be3:...:41c2]:3900' \
s3 ls s3://luke-backups/
restic (encrypted backups)¶
restic encrypts everything client-side by design — a natural fit:
$ export AWS_ACCESS_KEY_ID=GK31c2...
$ export AWS_SECRET_ACCESS_KEY=b892c0...
$ restic -r 's3:http://[200:6fc8:9be3:...:41c2]:3900/luke-backups/restic' init
$ restic -r 's3:...' backup ~/Documents
Endpoint availability¶
Any cluster node serves the S3 API for the whole cluster. For a single
stable name, add mesh addresses of several nodes to your client machine's
/etc/hosts round-robin, or run a local haproxy — a proper convention is on
the roadmap.