refactor minio

machines/Home-Hypervisor/dns-headscale.nix

@@ -36,6 +36,7 @@
     { name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "s3.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "shoko.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "sonarrtv.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@@ -83,6 +84,7 @@
     { name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "s3.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "shoko.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "sonarrtv.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }

machines/Home-Hypervisor/dns-mapping.nix

@@ -34,6 +34,7 @@
     "/qbit.ataraxiadev.com/192.168.0.10"
     "/radarr.ataraxiadev.com/192.168.0.10"
     "/restic.ataraxiadev.com/192.168.0.10"
+    "/s3.ataraxiadev.com/192.168.0.10"
     "/shoko.ataraxiadev.com/192.168.0.10"
     "/sonarr.ataraxiadev.com/192.168.0.10"
     "/sonarrtv.ataraxiadev.com/192.168.0.10"

profiles/servers/minio.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, inputs, ... }: {
+  sops.secrets.minio-credentials = {
+    owner = "minio";
+    mode = "0400";
+    sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
+    restartUnits = [ "minio.service" ];
+  };
+
+  services.minio = {
+    enable = true;
+    browser = true;
+    configDir = "/media/nas/minio/config";
+    dataDir = [ "/media/nas/minio/data" ];
+    listenAddress = "127.0.0.1:9600";
+    consoleAddress = "127.0.0.1:9601";
+    rootCredentialsFile = config.sops.secrets.minio-credentials.path;
+  };
+
+  systemd.services.minio = {
+    environment = lib.mkAfter {
+      MINIO_SERVER_URL = "https://s3.ataraxiadev.com";
+      MINIO_BROWSER_REDIRECT_URL = "https://s3.ataraxiadev.com/ui";
+      MINIO_IDENTITY_OPENID_COMMENT="Authentik";
+      MINIO_IDENTITY_OPENID_CONFIG_URL = "https://auth.ataraxiadev.com/application/o/minio/.well-known/openid-configuration";
+      MINIO_IDENTITY_OPENID_REDIRECT_URI = "https://s3.ataraxiadev.com/ui/oauth_callback";
+      MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";
+    };
+  };
+
+  # persist.state.directories = config.services.minio.dataDir ++ [
+  #   config.services.minio.configDir
+  # ];
+}

profiles/servers/nginx.nix

@@ -84,6 +84,7 @@ in {
         "pdf.ataraxiadev.com"
         "qbit.ataraxiadev.com"
         "radarr.ataraxiadev.com"
+        "s3.ataraxiadev.com"
         "sonarr.ataraxiadev.com"
         "startpage.ataraxiadev.com"
         "tools.ataraxiadev.com"
@@ -345,6 +346,35 @@ in {
           extraConfig = proxySettings;
         };
       } // default;
+      "s3.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9600";
+          extraConfig = ''
+            proxy_connect_timeout 300;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            chunked_transfer_encoding off;
+          '' + proxySettings;
+        };
+        locations."/ui/" = {
+          proxyPass = "http://127.0.0.1:9601";
+          extraConfig = ''
+            rewrite ^/ui/(.*) /$1 break;
+            proxy_set_header X-NginX-Proxy true;
+            real_ip_header X-Real-IP;
+
+            proxy_connect_timeout 300;
+            chunked_transfer_encoding off;
+          '' + proxySettings;
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          ignore_invalid_headers off;
+          client_max_body_size 0;
+          proxy_buffering off;
+          proxy_request_buffering off;
+        '';
+      } // default;
       # "fsync.ataraxiadev.com" = {
       #   locations."/" = {
       #     proxyPass = "http://127.0.0.1:5000";

profiles/servers/outline.nix

@@ -5,67 +5,53 @@
       services = [ "outline.service" ];
     };
   in {
-    minio-cred.owner = "minio";
-    minio-cred.services = [ "minio.service" ];
     minio-outline = default;
     outline-mail = default;
     outline-oidc = default;
     outline-key = default;
     outline-utils = default;
   };
-  services = {
+  services.outline = {
-    # TODO: migrate from s3 to local storage
+    enable = true;
-    outline = {
+    port = 3010;
-      enable = true;
+    publicUrl = "https://docs.ataraxiadev.com";
-      port = 3010;
+    forceHttps = false;
-      publicUrl = "https://docs.ataraxiadev.com";
-      forceHttps = false;
 
-      storage = {
+    storage = {
-        accessKey = "outline";
+      accessKey = "outline";
-        secretKeyFile = config.secrets.minio-outline.decrypted;
+      secretKeyFile = config.secrets.minio-outline.decrypted;
-        region = config.services.minio.region;
+      region = config.services.minio.region;
-        uploadBucketUrl = "http://127.0.0.1:9100";
+      uploadBucketUrl = "https://s3.ataraxiadev.com";
-        uploadBucketName = "outline";
+      uploadBucketName = "outline";
-        # uploadMaxSize = 0;
+      # uploadMaxSize = 0;
-      };
-
-      oidcAuthentication = {
-        authUrl = "https://auth.ataraxiadev.com/application/o/authorize/";
-        tokenUrl = "https://auth.ataraxiadev.com/application/o/token/";
-        userinfoUrl = "https://auth.ataraxiadev.com/application/o/userinfo/";
-        clientId = "tUs7tv85xlK3W4VOw7AQDMYNXqibpV5H8ofR7zix";
-        clientSecretFile = config.secrets.outline-oidc.decrypted;
-        scopes = [ "openid" "email" "profile" ];
-        usernameClaim = "email";
-        displayName = "openid";
-      };
-
-      smtp = {
-        host = "mail.ataraxiadev.com";
-        port = 465;
-        secure = true;
-        username = "outline@ataraxiadev.com";
-        passwordFile = config.secrets.outline-mail.decrypted;
-        fromEmail = "Outline <no-reply@ataraxiadev.com>";
-        replyEmail = "Outline <outline@ataraxiadev.com>";
-      };
-
-      secretKeyFile = config.secrets.outline-key.decrypted;
-      utilsSecretFile = config.secrets.outline-utils.decrypted;
     };
-    minio = {
+
-      enable = true;
+    oidcAuthentication = {
-      listenAddress = "127.0.0.1:9100";
+      authUrl = "https://auth.ataraxiadev.com/application/o/authorize/";
-      consoleAddress = "192.168.0.10:9101";
+      tokenUrl = "https://auth.ataraxiadev.com/application/o/token/";
-      rootCredentialsFile = config.secrets.minio-cred.decrypted;
+      userinfoUrl = "https://auth.ataraxiadev.com/application/o/userinfo/";
+      clientId = "tUs7tv85xlK3W4VOw7AQDMYNXqibpV5H8ofR7zix";
+      clientSecretFile = config.secrets.outline-oidc.decrypted;
+      scopes = [ "openid" "email" "profile" ];
+      usernameClaim = "email";
+      displayName = "openid";
     };
+
+    smtp = {
+      host = "mail.ataraxiadev.com";
+      port = 465;
+      secure = true;
+      username = "outline@ataraxiadev.com";
+      passwordFile = config.secrets.outline-mail.decrypted;
+      fromEmail = "Outline <no-reply@ataraxiadev.com>";
+      replyEmail = "Outline <outline@ataraxiadev.com>";
+    };
+
+    secretKeyFile = config.secrets.outline-key.decrypted;
+    utilsSecretFile = config.secrets.outline-utils.decrypted;
   };
 
-  networking.firewall.allowedTCPPorts = [ 9101 ];
+  persist.state.directories = [
-
-  persist.state.directories = config.services.minio.dataDir ++ [
     "/var/lib/redis-outline"
-    config.services.minio.configDir
   ];
 }

secrets/home-hypervisor/minio.yaml

@@ -0,0 +1,47 @@
+minio-credentials: ENC[AES256_GCM,data:yK/skw8GkY6rlhfIYHKoHV4+pBMHkLtXtwG8hQMVit6SQtcC74T7tQOnwe/AU79xKZAL9Bpvn1vBurBAVmsBiyPWNZVvkuWWT1033LkE9lApwwb6HaF4PAqPgiCvXwc0svPKPaFp+Kfyc07+I6KhKuL2tQLKWtZLIVhwEltSsQME/X1f2pAfJMxd/JfiZYd9kpv2JNN5PGPtDNCddsqHg8x5xJfVS3rCDe3LCiIZliKHOHD0D+EpFpnCrdR5GLH67LCwNT/1ZHjOntWoTVHDFMzWYW+bahE+HQp/C+462NmDTFFqT3cfh+c+hArADVAwIrgPNo5jbPkbkSFYhhC9kyWmCwasgtb1Pw+/66wNJWIrZ2lQWIFsV73NmNPv3qsuXJ/Iw4fRXzy8x0FY8fXhdIUOlpBmZINiGmwPEVGLRv+Fym6RGOsKWSqx3q9vgT3hA0AU6bh1,iv:PBXOkdagtbApkWY/dM4cH61lfJtsk+PbVeeGmSvnNzs=,tag:CqhqHbNxGNItLfQTrXEc4w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-20T18:53:33Z"
+    mac: ENC[AES256_GCM,data:KnuQeJpvts2n53WRRsPOeSJLVPu5D/aTiqcbmB+zzWGxAmRRJz+Nx2iPPAy3Soz1Plg9LlcAW0P42wQ392qlxwq0SYPceJ6wxllnqOURoPF4hHTfvkPmJoQjgt782tunDvzKP8EsBb3GQwpwG7yPkFSCU4NpZc1hQsuFlWxjfJw=,iv:YVJLsTMBRmmuSXV5IHLxNysKIQqwN5P4D5qINrQwieY=,tag:+Z1Rj5JJilHqkR6M0i7aGQ==,type:str]
+    pgp:
+        - created_at: "2024-01-20T17:06:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAwcagTG/Fm6AAQf9HMlE0UBYlccSvDcVG/yVq2DLZJYXnBruGbVZqpk8JIBu
+            syj9b9rpJk48yi97ZVlvJkzaU/tADLyo8CgI3qDHh/lOmB3o/205Rrlu2fW8M9z3
+            s74Dgwt9BsmnRzy4ht9SaqmI2PEL2xJrD3LpyC3vq+n8TlGvmmtUjeoaEu6/qich
+            570cArO02cOtIjZF9AJtyzQr/6oht84yx9lrhMACNPcxAJaaRSdlLkzVFo2GI6gf
+            ESjaew3/FJxPtdJV3OFy/A4bFNM/4bUdL50wERfnemLq7GhGp97ZP+pKTQcYV0KQ
+            c5MSdoQs8Vy5x0vofRVF7yEddSdB6rTbm3QkBNd0a9JWAc6jdLKiP1k7miYfL8OS
+            vGBBz7NeHQvx0Iu2jruMFxDvE4gYaRrWYRmAmy/Hml5f58g1JwQzac7sDoTeR6YV
+            k9Jg5PXX3tU1qjG2IGhmmJoucHL7Hmg=
+            =weHd
+            -----END PGP MESSAGE-----
+          fp: ad382d058c964607b7bbf01b071a8131bf166e80
+        - created_at: "2024-01-20T17:06:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA187ia82lSDGAQ/+LWe2cLp9fLKVmc2p97lJgXe/LNgKHEXx3kmP9EbylVSW
+            oCbmq1cKmZwXijSx9yhJYSj9S8nVhqAESWzzlKNRVFC7kwTeNoVwIPscNXIjuHwM
+            ApEzsBkpKWTTXHsuVuvKfl7smf0fC90/NRIrEQwWsdSjFmm2/WAlHn0M5hFcbW0f
+            CDQr0AfoICD+C6sMDHNhVzcSdsnxHTo0YbQgm2EeuU22EYXCdFAPNfZMnG3F2fcH
+            ncCygKWBvQOw4SUNxHUt3CZz1E8JYT4Dv9BGL0ODi4mFHnJYKpFJ/jj7NVIDa5Nl
+            EHVXjWaU2cwu4FGThBEJ+7LjIFQBf7pG2jXAW4CeVdGSAELcobl+OykF5liqTe9S
+            Q0JKz7ABxurhnTki3Ht8r1QZqADwkc8gN2Kv/q+1PN3YbeRG1SBy2M22K/4loW2j
+            LMOaC7V2sWk32qzcYGSB4muGbjW67vXjHPHhXagl+oirz5cPYHTO3xvgXWS7Ut1o
+            Bz/HxP//wj/zzddvtrX8q4v9wqh7hppI2kl5SJOl2mGuCmP6K3iGQbEIjpc2+LbQ
+            3S/RKUMX8EWNmNyMQWyvKfJqvGLkDdYlrcCgv+G82nTi53XEkYQzdBZ1DDuU+iOb
+            gRtXAh2m+FZJgp6kPmHD9Wb3gSspxnr5K2V9J+coFn+qrT8Q2roE0PfQYOms0QTS
+            VgEq5F8giC9A8rc14kjNfha102ipESwXDh+Lr1Z29CQLqR6CFDInO31QiLgNjitv
+            /mySGYecMZkMyKoIaxuJMkCyd603Ak/4uWzMDdF8zIX37yyHt1MA
+            =T7/J
+            -----END PGP MESSAGE-----
+          fp: a32018133c7afbfd05d5b2795f3b89af369520c6
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1