diff --git a/.sops.yaml b/.sops.yaml
index 3cfb014..66efdab 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -103,3 +103,8 @@ creation_rules:
 - age:
 - *chunk
 - *cy
+ - path_regex: secrets/services/minio.yaml
+ key_groups:
+ - age:
+ - *chunk
+ - *cy
diff --git a/hosts/chunk/Caddyfile b/hosts/chunk/Caddyfile
index d9a069d..17c7397 100644
--- a/hosts/chunk/Caddyfile
+++ b/hosts/chunk/Caddyfile
@@ -80,10 +80,10 @@ cache.cything.io {
 s3.cy7.sh {
 import common
- reverse_proxy localhost:3900
+ reverse_proxy localhost:9000
 }
 admin.s3.cy7.sh {
 import common
- reverse_proxy localhost:3903
+ reverse_proxy localhost:9001
 }
diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index edb153b..1852b13 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@@ -25,7 +25,7 @@
 ./element.nix
 ./attic.nix
 ./forgejo.nix
- ./garage.nix
+ ./minio.nix
 ];
 sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -67,8 +67,8 @@
 sopsFile = ../../secrets/services/attic.yaml;
 };
- "garage/env" = {
- sopsFile = ../../secrets/services/garage.yaml;
+ "minio/env" = {
+ sopsFile = ../../secrets/services/minio.yaml;
 };
 };
diff --git a/hosts/chunk/minio.nix b/hosts/chunk/minio.nix
new file mode 100644
index 0000000..2cef65c
--- /dev/null
+++ b/hosts/chunk/minio.nix
@@ -0,0 +1,8 @@
+{config, ...}: {
+ services.minio = {
+ enable = true;
+ rootCredentialsFile = config.sops.secrets."minio/env".path;
+ region = "universe";
+ dataDir = ["/mnt/minio"];
+ };
+}
diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix
index be833af..c6e94e5 100644
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
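Review bot: The `admin.s3.cy7.sh` block in hosts/chunk/Caddyfile now forwards to port 9001, presumably the MinIO console, and nothing visible in the hunk limits who can reach it. The console accepts the root credentials stored in `minio/env`, so an internet-reachable login page leaves that one secret as the only barrier to the whole object store. Unless the `common` snippet (not shown here) already restricts clients, consider a matcher in this block such as `@outside not remote_ip <ADMIN_CIDR>` followed by `respond @outside 403`, where `<ADMIN_CIDR>` is a placeholder for the admin network.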
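Review bot: `services.minio` in hosts/chunk/minio.nix sets no listen addresses, so the module defaults apply, and as far as I know those are `:9000` and `:9001` on every interface. Caddy proxies to `localhost:9000` and `localhost:9001`, so the daemon only needs loopback; adding `listenAddress = "127.0.0.1:9000";` and `consoleAddress = "127.0.0.1:9001";` keeps the plain-HTTP ports off the network even if a firewall rule is opened later. A short comment above `dataDir` saying that `/mnt/minio` is the rclone mount created by `minio-mount.service` would also help, because that dependency is only declared in rclone.nix.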
@@ -56,5 +56,22 @@ }; }; + systemd.services.minio-mount = { + enable = true; + description = "Mount the minio data remote"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + requiredBy = [ "minio.service" ]; + before = [ "minio.service" ]; + serviceConfig = { + Type = "notify"; + ExecStartPre = "/usr/bin/env mkdir -p /mnt/minio"; + ExecStart = "${lib.getExe pkgs.rclone} mount --config ${ + config.sops.secrets."rclone/config".path + } --cache-dir /var/cache/rclone --transfers=32 --checkers=32 --vfs-cache-mode writes --vfs-cache-max-size 5G --allow-other rsyncnet:minio /mnt/minio "; + ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -u /mnt/minio"; + }; + }; + programs.fuse.userAllowOther = true; } diff --git a/secrets/services/minio.yaml b/secrets/services/minio.yaml new file mode 100644 index 0000000..cd30dac --- /dev/null +++ b/secrets/services/minio.yaml 
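Review bot: The `ExecStart` line mounts the MinIO data directory with `--allow-other` and no ownership or permission flags, so with rclone's defaults any local account on the host can likely read and modify the objects under `/mnt/minio`, bypassing MinIO's own access policies. The minio service does need access to a mount created by root, so rather than dropping the flag I would add `--default-permissions --uid <MINIO_UID> --gid <MINIO_GID> --umask 077` (placeholders for the service account's ids) so the kernel enforces owner-only access. `ExecStartPre` would also be more reproducible as `${pkgs.coreutils}/bin/mkdir -p /mnt/minio` instead of going through `/usr/bin/env`. The enclosing attribute set starts above the hunk, so I cannot see how the other mounts in this file are configured.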
@@ -0,0 +1,31 @@ +minio: + env: ENC[AES256_GCM,data:3wb5XH2HxQQEKqvCqdth6vY9P1ByyMKpcq5QDiHq3xLCKOeM2L6K6tmD802R05uxyVVWOJ2RxJhAFc7vHg==,iv:80oTja4e5Ep0oObgWVTViyo3ODgTV/+YOkDHjCmB/Oo=,tag:SNfXXdAsOINE+5FDPUo4CQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeFA1VjRZSy9IYlVhc3pz + NWdORnRab0lFSmR4NGJ4UUFxalIweWJ6QUI4ClZQbU5CTGhhZE1TV2R5WERLQ2lJ + MkJFQnNxbmpUY0FmcXdxaDdkNGhZSjQKLS0tIFBWaENPVU5WUTNNMGdNeStVdEF2 + aUhmZnU4QkwxU2pvNXFveUtEdXp3dkEKbV9CA1D+5r3nKXHDkis6TixV1WALNe+q + 4d1U8M+i6T8SKeWGiW2WgR/2WqrjgaZv22ZSJvORHUFZjCbQLMtjYw== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUUh0eUp0NjJpekk4aFhi + YXJKazJIdG45cXE4Yy9jdGU0TUl3RitsV2xjCjNYbUdzRHl1TXU1MEpDSHBYMjhs + cEFjbkJXcTdRdzhyUHprNklJVlZvNGcKLS0tIDFFNDlYTlZMWm5wTHVzdm9BeEt2 + dm9sdzFoTGpaR0ZYVEtFcG4vLzB3VlEKko4/GbpXhhytdOmqLhgPOKKmPFwgNSUv + EdAf8W3MhirilmuFgrFMO9NA3pNa0Ae4s0ueT4+xJXoOQuHRiucBHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-12T06:07:20Z" + mac: ENC[AES256_GCM,data:11yN8Tqz/5vnvEhqmABbLcx5RJ9o2IVh1U/DkDPEatKDQOhyaSc2P4Jea4OLFIGvnrDcSeQVPuO1mVNV68wOJtOpAEPzGiEk8nhpKhFfyVl80XGrHZMuR9+TnTv28SlwFS6tuD+LzNhRn3x45VnLlaKOkzWZAk8JUACXjVIUh9Q=,iv:G346D2RuMFTDwdiEtUNLA3AeyGt/9gMZOkLzEUT5Otk=,tag:WrGjiQ4/JlWMowDDZyYB8A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2