
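{ config, lib, inputs, ... }:
# MinIO object storage whose server-side encryption keys are served by a local
# KES instance, which in turn stores them in Vault. Every credential comes from
# sops and is readable only by the unit that needs it.
let
  # Secrets consumed by minio.service only.
  minio-secret = {
    owner = "minio";
    mode = "0400";
    sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
    restartUnits = [ "minio.service" ];
  };
  # Secrets consumed by kes.service only.
  kes-secret = {
    owner = "kes";
    mode = "0400";
    sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
    restartUnits = [ "kes.service" ];
  };
in {
  imports = [ inputs.ataraxiasjel-nur.nixosModules.kes ];

  sops.secrets.minio-credentials = minio-secret;
  sops.secrets.kes-vault-env = kes-secret;
  sops.secrets.kes-key = kes-secret;
  # The KES server certificate is also read by minio (MINIO_KMS_KES_CAPATH
  # below), so it is group-readable by minio and both units restart when it
  # changes. The private key stays 0400 kes-only.
  sops.secrets.kes-cert = kes-secret // {
    group = "minio";
    mode = "0440";
    restartUnits = [ "kes.service" "minio.service" ];
  };

  services.minio = {
    enable = true;
    browser = true;
    configDir = "/media/nas/minio/config";
    dataDir = [ "/media/nas/minio/data" ];
    # Loopback only; the public https hostname used below is presumably
    # fronted by the nginx instance listed in `after` — confirm.
    listenAddress = "127.0.0.1:9600";
    consoleAddress = "127.0.0.1:9601";
    rootCredentialsFile = config.sops.secrets.minio-credentials.path;
  };

  systemd.services.minio = {
    environment = lib.mkAfter {
      MINIO_SERVER_URL = "https://s3.ataraxiadev.com";
      MINIO_BROWSER_REDIRECT_URL = "https://s3.ataraxiadev.com/ui";
      # Console login via Authentik (OIDC).
      MINIO_IDENTITY_OPENID_COMMENT = "Authentik";
      MINIO_IDENTITY_OPENID_CONFIG_URL =
        "https://auth.ataraxiadev.com/application/o/minio/.well-known/openid-configuration";
      MINIO_IDENTITY_OPENID_REDIRECT_URI =
        "https://s3.ataraxiadev.com/ui/oauth_callback";
      MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";
      # KMS: talk to the local KES instance and trust exactly its own
      # certificate rather than a system CA bundle.
      MINIO_KMS_KES_ENDPOINT = "https://${config.services.kes.settings.address}";
      MINIO_KMS_KES_CAPATH = config.sops.secrets.kes-cert.path;
      MINIO_KMS_KES_KEY_NAME = "minio-default-key";
      MINIO_KMS_KES_ENCLAVE = "minio-hypervisor";
      # NOTE(review): no MINIO_KMS_KES_KEY_FILE/CERT_FILE or API key is set
      # here; presumably the client credential matching the identity pinned in
      # the KES policy comes from the sops credentials file — confirm.
    };
    # KES must be up before minio regardless of whether Authentik is deployed
    # on this host (the original mkIf dropped the kes.service ordering together
    # with the Authentik units); only the Authentik/nginx ordering is optional.
    after =
      [ "kes.service" ]
      ++ lib.optionals config.services.authentik.enable [
        "authentik-server.service"
        "authentik-worker.service"
        "nginx.service"
      ];
  };

  services.kes = {
    enable = true;
    # Supplies KES_APPROLE_ID / KES_APPROLE_SECRET referenced in the vault
    # keystore section.
    environmentFile = config.sops.secrets.kes-vault-env.path;
    settings = {
      address = "127.0.0.1:7373";
      # No admin identity: the only client that can do anything is the one
      # pinned in policy.minio below.
      admin.identity = "disabled";
      tls = {
        key = config.sops.secrets.kes-key.path;
        cert = config.sops.secrets.kes-cert.path;
      };
      # Policy for minio: key create/generate/decrypt are confined to the
      # "minio-*" namespace; the remaining entries are read-only status/log
      # endpoints plus bulk decrypt.
      policy.minio = {
        allow = [
          "/v1/key/create/minio-*"
          "/v1/key/generate/minio-*"
          "/v1/key/decrypt/minio-*"
          "/v1/key/bulk/decrypt"
          "/v1/key/list/*"
          "/v1/status"
          "/v1/metrics"
          "/v1/log/audit"
          # Was "/v1/log/errot" (typo), so the error-log endpoint was never
          # actually granted.
          "/v1/log/error"
        ];
        # Pinned identity (hash of the client's key) allowed to use this
        # policy; any other client is rejected.
        identities = [
          "d76b126754bd382de969e18ab71c3ba3fe1fdf9bb89927b3f16e08ebae07d242"
        ];
      };
      keystore.vault = {
        # NOTE(review): plaintext http to Vault — acceptable only if
        # services.vault.address is a loopback address; confirm.
        endpoint = "http://${config.services.vault.address}";
        engine = "kv/";
        version = "v1";
        # ''$ inside an indented string is a literal "$", so these reach KES as
        # "${KES_APPROLE_ID}" / "${KES_APPROLE_SECRET}" and are expanded by KES
        # from environmentFile at runtime — the secret never enters the store.
        approle = {
          id = ''''${KES_APPROLE_ID}'';
          secret = ''''${KES_APPROLE_SECRET}'';
          retry = "15s";
        };
        status.ping = "10s";
      };
    };
  };
  systemd.services.kes.after = [ "vault.service" "vault-unseal.service" ];

  # Sync local minio buckets to remote s3 storage (one job per bucket; the
  # "minio:"/"backblaze:" remotes are sections of the rclone config file).
  sops.secrets.rclone-s3-sync.sopsFile = inputs.self.secretsDir + /rustic.yaml;
  backups.rclone-sync.minio = {
    rcloneConfigFile = config.sops.secrets.rclone-s3-sync.path;
    syncTargets =
      let
        buckets = [
          "authentik-media"
          # "ocis"
          "outline"
          "obsidian-ataraxia"
          "obsidian-doste"
          "obsidian-kpoxa"
        ];
      in map (bucket: {
        source = "minio:${bucket}";
        target = "backblaze:ataraxia-minio-${bucket}";
      }) buckets;
  };
}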