Arion: Add s3-compatible minio file hosting

2024-06-13 23:27:38 +02:00 · 2024-06-13 23:27:38 +02:00 · b0e2738905
commit b0e2738905
parent 20c587bb5e
5 changed files with 85 additions and 2 deletions
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@ -20,6 +20,7 @@
    ./matrix
    ./headscale
    ./auth
+    ./minio
  ];

  environment.systemPackages = with pkgs; [arion];
--- a/hosts/franz/arion/minio/arion-compose.nix
+++ b/hosts/franz/arion/minio/arion-compose.nix
@ -0,0 +1,48 @@
+{
+  project.name = "minio";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+
+  services = {
+    minio.service = {
+      image = "bitnami/minio:2024.5.10";
+      container_name = "minio";
+      labels = {
+        "traefik.enable" = "true";
+
+        # API
+        "traefik.http.routers.minio.rule" = "Host(`files.ghoscht.com`)";
+        "traefik.http.routers.minio.service" = "minio";
+        "traefik.http.routers.minio.entrypoints" = "websecure";
+        "traefik.http.services.minio.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.minio.tls" = "true";
+        "traefik.http.routers.minio.tls.certresolver" = "letsencrypt";
+
+        # Dashboard
+        "traefik.http.routers.minio-dash.rule" = "Host(`minio.ghoscht.com`)";
+        "traefik.http.routers.minio-dash.service" = "minio-dash";
+        "traefik.http.routers.minio-dash.entrypoints" = "websecure";
+        "traefik.http.services.minio-dash.loadbalancer.server.port" = "9001";
+        "traefik.http.routers.minio-dash.tls" = "true";
+        "traefik.http.routers.minio-dash.tls.certresolver" = "letsencrypt";
+      };
+      volumes = [
+        "/storage/dataset/docker/minio/minio_data:/data"
+      ];
+      environment = {
+        MINIO_DATA_DIR = "/data";
+        MINIO_BROWSER_REDIRECT_URL = "https://minio.ghoscht.com";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/minio/minio.env"
+      ];
+      restart = "unless-stopped";
+      networks = [
+        "dmz"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/minio/arion-pkgs.nix
+++ b/hosts/franz/arion/minio/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/minio/default.nix
+++ b/hosts/franz/arion/minio/default.nix
@ -0,0 +1,25 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.minio.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+  sops.secrets."minio/root_user" = {
+    owner = vars.user;
+  };
+  sops.secrets."minio/root_password" = {
+    owner = vars.user;
+  };
+
+  sops.templates."minio.env" = {
+    path = "/home/${vars.user}/.docker/minio/minio.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      MINIO_ROOT_USER="${config.sops.placeholder."minio/root_user"}"
+      MINIO_ROOT_PASSWORD="${config.sops.placeholder."minio/root_password"}"
+    '';
+  };
+}
--- a/secrets/franz.yaml
+++ b/secrets/franz.yaml
@ -45,6 +45,9 @@ auth:
 homarr:
    oidc_client_secret: ENC[AES256_GCM,data:ykaMgcS1x/sMFPmi9vF8RdS7Dj8tTpNFybqwJ5MkK3OCIqYt5FtY8si7ZbKC4IMquOA4w3fWpHdygvFJwJOyNNvznWuasR1afhaAHIHb85J41GWCpMLWWZub+NUuU2pSudvUYk9LeDUBTKwtfHgr4DUzoQeBocG0httGFKBAXbo=,iv:vThB7ZCgEB5yQoiOYhDcHiGm0lYXy1LCJWunH5HwFq0=,tag:68jkMBnCc2e3bKWR/Hnnww==,type:str]
    oidc_client_id: ENC[AES256_GCM,data:2KxgJ7rFNru7rf8P9v/LOcA7TjH2ZFerc4PBmetrkB7hre9fHTa+TQ==,iv:9k0YuPNzEjTTBN0l/oyT5mtZKLCGWZ7ZJpE8g2SBu3E=,tag:C/hzffeOVgke1SQZHPjyrA==,type:str]
+minio:
+    root_user: ENC[AES256_GCM,data:Q5yRACtvoQ==,iv:GTLtwwQ5W50w6eDO+PuihNAHWm6xyM9uNa8mbGG3tWI=,tag:O3MUlh2d8iuFTPRq1PvTWw==,type:str]
+    root_password: ENC[AES256_GCM,data:0//dfGYkV80=,iv:h1b0R2QRpN/RI9kUBU0fiKLOI3PUYmisa7RH1ibSF4c=,tag:ln1cv5LQpb76vK5+eTvSuA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -60,8 +63,8 @@ sops:
            VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
            EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-18T21:12:01Z"
-    mac: ENC[AES256_GCM,data:kBGP7V4f8d8JWdMdwPEYM1L2zZ4p6eHfwiepfLpBAr0VyhE9YOpPIdt9Tl+ky3mRyfn/DnX03ThiAKQtTrls3/lJEmJRd1dswRd+Mtls3j1QlxhorHYb8g6QvlmyepNf5j5Egqm9hNX+L3aV29mKoO42VxvfaopKduNGt1BrSFo=,iv:Uq+hQUMF+PBV5f6V9AsnxIxX0fKn84MAPEfTFtOtsus=,tag:6LtblCK7FLnhfS0dHsrcnQ==,type:str]
+    lastmodified: "2024-06-13T21:23:27Z"
+    mac: ENC[AES256_GCM,data:B/2p+VmjLXV6UfJASN3l/q60GUqJfsXBYxMCzgecgAdr4yiKr+1ACgDOCQv3V3ucuK0dhTZMAIs6pGN3+JcooV89xXCH93vfay9LLAxCuCiR4X6wn0U074l53OGz2wmxTmSQSaPp3jLQir1v01Q6jFwi2RI+UZLfzBnM5QmTbIk=,iv:vWbac6RSZ8EcdPhJzo1Hs9P/1tpyCePmxQdhEkN+qBg=,tag:v1fdDqN5gt9v2LfVKWKxlQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1