nixos-config/profiles/servers/minio.nix

{ config, lib, pkgs, inputs, ... }: {
  sops.secrets.minio-credentials = {
    owner = "minio";
    mode = "0400";
    sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
    restartUnits = [ "minio.service" ];
  };

  services.minio = {
    enable = true;
    browser = true;
    configDir = "/media/nas/minio/config";
    dataDir = [ "/media/nas/minio/data" ];
    listenAddress = "127.0.0.1:9600";
    consoleAddress = "127.0.0.1:9601";
    rootCredentialsFile = config.sops.secrets.minio-credentials.path;
  };

  systemd.services.minio = {
    environment = lib.mkAfter {
      MINIO_SERVER_URL = "https://s3.ataraxiadev.com";
      MINIO_BROWSER_REDIRECT_URL = "https://s3.ataraxiadev.com/ui";
      MINIO_IDENTITY_OPENID_COMMENT = "Authentik";
      MINIO_IDENTITY_OPENID_CONFIG_URL =
        "https://auth.ataraxiadev.com/application/o/minio/.well-known/openid-configuration";
      MINIO_IDENTITY_OPENID_REDIRECT_URI =
        "https://s3.ataraxiadev.com/ui/oauth_callback";
      MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";
    };
  };

  # Sync local minio buckets to remote s3 storage
  sops.secrets.rclone-s3-sync.sopsFile = inputs.self.secretsDir + /rustic.yaml;
  backups.rclone-sync.minio = {
    rcloneConfigFile = config.sops.secrets.rclone-s3-sync.path;
    syncTargets =
      let buckets = [ "authentik-media" "obsidian" "ocis" "outline" ];
      in map (bucket: {
        source = "minio:${bucket}";
        target = "idrive:${bucket}-backup";
      }) buckets;
  };

  systemd.services.ocis-server.after =
    lib.mkIf config.services.authentik.enable [
      "authentik-server.service"
      "authentik-worker.service"
      "nginx.service"
    ];

  # persist.state.directories = config.services.minio.dataDir ++ [
  #   config.services.minio.configDir
  # ];
}
refactor minio 2024-01-21 16:26:48 +03:00			`{ config, lib, pkgs, inputs, ... }: {`
			`sops.secrets.minio-credentials = {`
			`owner = "minio";`
			`mode = "0400";`
			`sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;`
			`restartUnits = [ "minio.service" ];`
			`};`

			`services.minio = {`
			`enable = true;`
			`browser = true;`
			`configDir = "/media/nas/minio/config";`
			`dataDir = [ "/media/nas/minio/data" ];`
			`listenAddress = "127.0.0.1:9600";`
			`consoleAddress = "127.0.0.1:9601";`
			`rootCredentialsFile = config.sops.secrets.minio-credentials.path;`
			`};`

			`systemd.services.minio = {`
			`environment = lib.mkAfter {`
			`MINIO_SERVER_URL = "https://s3.ataraxiadev.com";`
			`MINIO_BROWSER_REDIRECT_URL = "https://s3.ataraxiadev.com/ui";`
backup more minio buckets 2024-01-25 21:02:49 +03:00			`MINIO_IDENTITY_OPENID_COMMENT = "Authentik";`
			`MINIO_IDENTITY_OPENID_CONFIG_URL =`
			`"https://auth.ataraxiadev.com/application/o/minio/.well-known/openid-configuration";`
			`MINIO_IDENTITY_OPENID_REDIRECT_URI =`
			`"https://s3.ataraxiadev.com/ui/oauth_callback";`
refactor minio 2024-01-21 16:26:48 +03:00			`MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";`
			`};`
			`};`

backup minio buckets 2024-01-24 17:28:57 +03:00			`# Sync local minio buckets to remote s3 storage`
			`sops.secrets.rclone-s3-sync.sopsFile = inputs.self.secretsDir + /rustic.yaml;`
			`backups.rclone-sync.minio = {`
			`rcloneConfigFile = config.sops.secrets.rclone-s3-sync.path;`
backup more minio buckets 2024-01-25 21:02:49 +03:00			`syncTargets =`
			`let buckets = [ "authentik-media" "obsidian" "ocis" "outline" ];`
			`in map (bucket: {`
			`source = "minio:${bucket}";`
			`target = "idrive:${bucket}-backup";`
			`}) buckets;`
backup minio buckets 2024-01-24 17:28:57 +03:00			`};`

start oidc dependant services after authentik 2024-01-25 21:02:29 +03:00			`systemd.services.ocis-server.after =`
			`lib.mkIf config.services.authentik.enable [`
			`"authentik-server.service"`
			`"authentik-worker.service"`
			`"nginx.service"`
			`];`

refactor minio 2024-01-21 16:26:48 +03:00			`# persist.state.directories = config.services.minio.dataDir ++ [`
			`# config.services.minio.configDir`
			`# ];`
start oidc dependant services after authentik 2024-01-25 21:02:29 +03:00			`}`