nixos/shill: Add MinIO container

2022-07-16 15:01:15 +01:00
parent 55da6aa276
commit accb14721d
21 changed files with 154 additions and 18 deletions
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -149,6 +149,19 @@
                };
                frontend = "virtio-blk";
              }
+              {
+                name = "minio";
+                backend = {
+                  driver = "host_device";
+                  filename = "/dev/ssds/minio";
+                  discard = "unmap";
+                };
+                format = {
+                  driver = "raw";
+                  discard = "unmap";
+                };
+                frontend = "virtio-blk";
+              }
            ]);
          };
        };
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@@ -5,5 +5,6 @@
    ./colony-psql.nix
    ./chatterbox.nix
    ./jackflix
+    ./object.nix
  ];
 }
--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
@@ -162,6 +162,7 @@
                "${lib.my.pubDomain}" = {
                  extraDomainNames = [
                    "*.${lib.my.pubDomain}"
+                    "*.s3.${lib.my.pubDomain}"
                  ];
                  dnsProvider = "cloudflare";
                  credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -279,6 +279,26 @@ in
        };
        useACMEHost = lib.my.pubDomain;
      };
+
+      "minio.${lib.my.pubDomain}" = {
+        extraConfig = ''
+          chunked_transfer_encoding off;
+        '';
+        locations = {
+          "/".proxyPass = "http://object-ctr.${config.networking.domain}:9001";
+        };
+        useACMEHost = lib.my.pubDomain;
+      };
+      "s3.${lib.my.pubDomain}" = {
+        serverAliases = [ "*.s3.${lib.my.pubDomain}" ];
+        extraConfig = ''
+          chunked_transfer_encoding off;
+        '';
+        locations = {
+          "/".proxyPass = "http://object-ctr.${config.networking.domain}:9000";
+        };
+        useACMEHost = lib.my.pubDomain;
+      };
    };
  in
  mkMerge [
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -0,0 +1,74 @@
+{ lib, ... }: {
+  nixos.systems.object = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "object-ctr";
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.ctrs.v4}7";
+        ipv6 = {
+          iid = "::7";
+          address = "${lib.my.colony.start.ctrs.v6}7";
+        };
+      };
+    };
+
+    configuration = { lib, config, assignments, ... }:
+    let
+      inherit (lib) mkMerge mkIf;
+      inherit (lib.my) networkdAssignment;
+    in
+    {
+      config = mkMerge [
+        {
+          my = {
+            deploy.enable = false;
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8";
+              files."minio.env" = {};
+            };
+
+            firewall = {
+              tcp.allowed = [ 9000 9001 ];
+            };
+          };
+
+          systemd = {
+            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+            services = {
+              minio = {
+                environment = {
+                  MINIO_ROOT_USER = "minioadmin";
+                  MINIO_DOMAIN = "s3.nul.ie";
+                  MINIO_SERVER_URL = "https://s3.nul.ie";
+                  MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
+                };
+              };
+            };
+          };
+
+          services = {
+            minio = {
+              enable = true;
+              region = "eu-central-1";
+              browser = true;
+              rootCredentialsFile = config.age.secrets."minio.env".path;
+            };
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = [
+              { from = "host"; host.port = 9000; guest.port = 9000; }
+              { from = "host"; host.port = 9001; guest.port = 9001; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -70,9 +70,14 @@
                device = "/dev/disk/by-label/media";
                fsType = "ext4";
              };
+              "/mnt/minio" = {
+                device = "/dev/disk/by-label/minio";
+                fsType = "xfs";
+              };
            };

            services = {
+              fstrim.enable = true;
              netdata.enable = true;
            };

@@ -140,6 +145,11 @@
                      "/mnt/media".readOnly = false;
                    };
                  };
+                  object = {
+                    bindMounts = {
+                      "/mnt/minio".readOnly = false;
+                    };
+                  };
                };
              in
              mkMerge [
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -298,6 +298,15 @@ in
      (persistSimpleSvc "jackett")
      (persistSimpleSvc "radarr")
      (persistSimpleSvc "sonarr")
+      (mkIf config.services.minio.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = config.services.minio.configDir;
+            user = "minio";
+            group = "minio";
+          }
+        ];
+      })
      (mkIf config.my.build.isDevVM {
        fileSystems = mkVMOverride {
          # Hijack the "root" device for persistence in the VM