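# NixOS module for the MinIO object storage server.
#
# Declares the `services.minio` options and, when enabled, creates the data and
# config directories, a `minio` system user/group and a systemd unit.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.minio;

  # Renders the deprecated accessKey/secretKey options into an environment file.
  # pkgs.writeText places the result in the Nix store, which is world-readable,
  # so any local user can read the root credentials when this path is used.
  # If only one of the two options is set, the other variable is written empty.
  legacyCredentials = cfg: pkgs.writeText "minio-legacy-credentials" ''
    MINIO_ROOT_USER=${cfg.accessKey}
    MINIO_ROOT_PASSWORD=${cfg.secretKey}
  '';
in
{
  meta.maintainers = [ maintainers.bachp ];

  options.services.minio = {
    enable = mkEnableOption "Minio Object Storage";

    # No host part in the default, so the S3 API is not restricted to a single
    # interface by this module; set "127.0.0.1:9000" or similar to narrow it.
    listenAddress = mkOption {
      default = ":9000";
      type = types.str;
      description = "IP address and port of the server.";
    };

    # Same caveat as listenAddress: the admin console default has no host part.
    consoleAddress = mkOption {
      default = ":9001";
      type = types.str;
      description = "IP address and port of the web UI (console).";
    };

    dataDir = mkOption {
      default = [ "/var/lib/minio/data" ];
      type = types.listOf types.path;
      description = "The list of data directories for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode.";
    };

    configDir = mkOption {
      default = "/var/lib/minio/config";
      type = types.path;
      description = "The config directory, for the access keys and other settings.";
    };

    accessKey = mkOption {
      default = "";
      type = types.str;
      description = ''
        Access key of 5 to 20 characters in length that clients use to access the server.
        This overrides the access key that is generated by minio on first startup and stored inside the
        <literal>configDir</literal> directory.
        Deprecated: the value is written to the world-readable Nix store;
        use <literal>rootCredentialsFile</literal> instead.
      '';
    };

    secretKey = mkOption {
      default = "";
      type = types.str;
      description = ''
        Specify the Secret key of 8 to 40 characters in length that clients use to access the server.
        This overrides the secret key that is generated by minio on first startup and stored inside the
        <literal>configDir</literal> directory.
        Deprecated: the value is written to the world-readable Nix store;
        use <literal>rootCredentialsFile</literal> instead.
      '';
    };

    # NOTE(review): systemd presumably reads EnvironmentFile= before switching to
    # the `minio` user, so a root-only (0600) file should work; confirm.
    # NOTE(review): pass a string path as in the example; a Nix path literal may
    # be copied into the store depending on how it is coerced; confirm.
    rootCredentialsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File containing the MINIO_ROOT_USER, default is "minioadmin", and
        MINIO_ROOT_PASSWORD (length >= 8), default is "minioadmin"; in the format of
        an EnvironmentFile=, as described by systemd.exec(5).
        Keep this file outside the Nix store so the credentials are not world-readable.
      '';
      example = "/etc/nixos/minio-root-credentials";
    };

    region = mkOption {
      default = "us-east-1";
      type = types.str;
      description = ''
        The physical location of the server. By default it is set to us-east-1, which is same as AWS S3's and Minio's default region.
      '';
    };

    browser = mkOption {
      default = true;
      type = types.bool;
      description = "Enable or disable access to web UI.";
    };

    package = mkOption {
      default = pkgs.minio;
      defaultText = literalExpression "pkgs.minio";
      type = types.package;
      description = "Minio package to use.";
    };
  };

  config = mkIf cfg.enable {
    # Emitted when either legacy option is set; states why the options are
    # deprecated so the operator knows the credentials are already exposed.
    warnings = optional ((cfg.accessKey != "") || (cfg.secretKey != "")) "services.minio.`accessKey` and services.minio.`secretKey` are deprecated, please use services.minio.`rootCredentialsFile` instead. Values set through the deprecated options are written to the world-readable Nix store.";

    # Create the config directory and every data directory, owned by minio:minio.
    systemd.tmpfiles.rules = [
      "d '${cfg.configDir}' - minio minio - -"
    ] ++ (map (x: "d '" + x + "' - minio minio - - ") cfg.dataDir);

    systemd.services.minio = {
      description = "Minio Object Storage";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}";
        Type = "simple";
        User = "minio";
        Group = "minio";
        LimitNOFILE = 65536;
        # Precedence: rootCredentialsFile, then the legacy store-backed file,
        # then nothing. In the last case no root credentials are supplied by
        # this module, and the rootCredentialsFile description gives
        # "minioadmin" as the default for both user and password.
        EnvironmentFile = if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile
                          else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then (legacyCredentials cfg)
                          else null;
      };
      environment = {
        MINIO_REGION = "${cfg.region}";
        MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
      };
    };

    users.users.minio = {
      group = "minio";
      uid = config.ids.uids.minio;
    };

    # NOTE(review): the gid is taken from the uid table (ids.uids), not ids.gids;
    # confirm this is intentional.
    users.groups.minio.gid = config.ids.uids.minio;
  };
}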