feat: add minio (#161)

* feat: add minio * fix: minio's reverse proxy * fix: minio secrets & reverse proxy
2026-01-11 20:40:24 +01:00 · 2024-09-02 18:28:56 +08:00
parent 2ff2c56fae
commit 07b74cd2e5
4 changed files with 58 additions and 3 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -470,10 +470,10 @@
    "mysecrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1723827270,
-        "narHash": "sha256-nBq/Sp7u+riKV7xNWq85+owzUGfWdpKdq3qR/0PYTSU=",
+        "lastModified": 1725269346,
+        "narHash": "sha256-VR/gaksXhlNIrnaQg2+uccKn8ZXag8gx6hh1yHARbE4=",
        "ref": "refs/heads/main",
-        "rev": "f80a6c11f7b27e257e07f294b45c64a1369438a4",
+        "rev": "4f3ddacef411d4c3d59011a3bd6c14a1dcf19c07",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
--- a/hosts/idols-aquamarine/caddy.nix
+++ b/hosts/idols-aquamarine/caddy.nix
@@ -91,6 +91,38 @@ in {
      encode zstd gzip
      reverse_proxy http://localhost:9093
    '';
+    virtualHosts."minio.writefor.fun".extraConfig = ''
+      ${hostCommonConfig}
+      encode zstd gzip
+      reverse_proxy http://localhost:9096 {
+        header_up Host {http.request.host}
+        header_up X-Real-IP {http.request.remote.host}
+        header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
+        header_up X-Forwarded-Proto {scheme}
+        transport http {
+            dial_timeout 300s
+            read_timeout 300s
+            write_timeout 300s
+        }
+      }
+    '';
+    virtualHosts."minio-ui.writefor.fun".extraConfig = ''
+      ${hostCommonConfig}
+      encode zstd gzip
+      reverse_proxy http://localhost:9097 {
+        header_up Host {http.request.host}
+        header_up X-Real-IP {http.request.remote.host}
+        header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
+        header_up X-Forwarded-Proto {scheme}
+        header_up Upgrade {http.request.header.Upgrade}
+        header_up Connection {http.request.header.Connection}
+        transport http {
+            dial_timeout 300s
+            read_timeout 300s
+            write_timeout 300s
+        }
+      }
+    '';
  };
  networking.firewall.allowedTCPPorts = [80 443];

--- a/hosts/idols-aquamarine/minio.nix
+++ b/hosts/idols-aquamarine/minio.nix
@@ -0,0 +1,18 @@
+{config, ...}: let
+  dataDir = ["/data/apps/minio/data"];
+  configDir = "/data/apps/minio/config";
+in {
+  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/minio.nix
+  services.minio = {
+    enable = true;
+    browser = true; # Enable or disable access to web UI.
+
+    inherit dataDir configDir;
+    listenAddress = "127.0.0.1:9096";
+    consoleAddress = "127.0.0.1:9097"; # Web UI
+    region = "us-east-1"; # default to us-east-1, same as AWS S3.
+
+    # File containing the MINIO_ROOT_USER, default is “minioadmin”, and MINIO_ROOT_PASSWORD (length >= 8), default is “minioadmin”;
+    rootCredentialsFile = config.age.secrets."minio.env".path;
+  };
+}
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -206,6 +206,11 @@ in {
            mode = "0400";
            owner = "sftpgo";
          };
+          "minio.env" = {
+            file = "${mysecrets}/server/minio.env.age";
+            mode = "0400";
+            owner = "minio";
+          };
        };
      })