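# NixOS module for the MinIO object storage server.
#
# Declares the `services.minio` options and, when enabled, generates the
# systemd unit, the tmpfiles rules for the data/config directories, and the
# `minio` system user and group.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.minio;

  # Builds an EnvironmentFile from the deprecated `accessKey`/`secretKey`
  # options.
  #
  # SECURITY: pkgs.writeText places this file in the Nix store, which is
  # world-readable, so the root credentials become readable by every local
  # user (and end up in any copy of the store closure). This is why the
  # options are deprecated in favour of `rootCredentialsFile`.
  # If only one of the two options is set, the other is written as an empty
  # value.
  legacyCredentials = cfg: pkgs.writeText "minio-legacy-credentials" ''
    MINIO_ROOT_USER=${cfg.accessKey}
    MINIO_ROOT_PASSWORD=${cfg.secretKey}
  '';
in
{
  meta.maintainers = [ maintainers.bachp ];

  options.services.minio = {
    enable = mkEnableOption (lib.mdDoc "Minio Object Storage");

    # An address of the form ":PORT" has no host part, so the S3 API is bound
    # on every interface unless a host is given here.
    listenAddress = mkOption {
      default = ":9000";
      type = types.str;
      description = lib.mdDoc "IP address and port of the server.";
    };

    # Same as above for the web console.
    consoleAddress = mkOption {
      default = ":9001";
      type = types.str;
      description = lib.mdDoc "IP address and port of the web UI (console).";
    };

    dataDir = mkOption {
      default = [ "/var/lib/minio/data" ];
      type = types.listOf types.path;
      description = lib.mdDoc "The list of data directories for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode.";
    };

    configDir = mkOption {
      default = "/var/lib/minio/config";
      type = types.path;
      description = lib.mdDoc "The config directory, for the access keys and other settings.";
    };

    # Deprecated: the value is embedded in a store file (see legacyCredentials).
    accessKey = mkOption {
      default = "";
      type = types.str;
      description = lib.mdDoc ''
        Access key of 5 to 20 characters in length that clients use to access the server.
        This overrides the access key that is generated by minio on first startup and stored inside the
        `configDir` directory.
      '';
    };

    # Deprecated: the value is embedded in a store file (see legacyCredentials).
    secretKey = mkOption {
      default = "";
      type = types.str;
      description = lib.mdDoc ''
        Specify the Secret key of 8 to 40 characters in length that clients use to access the server.
        This overrides the secret key that is generated by minio on first startup and stored inside the
        `configDir` directory.
      '';
    };

    # Preferred way to supply root credentials: the file is read at service
    # start through EnvironmentFile= and is never copied by this module.
    # Keep it outside the Nix store and readable only by root.
    # NOTE(review): prefer an absolute path string as in the example; a Nix
    # path literal may be imported into the store when coerced — confirm.
    rootCredentialsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = lib.mdDoc ''
        File containing the MINIO_ROOT_USER, default is "minioadmin", and
        MINIO_ROOT_PASSWORD (length >= 8), default is "minioadmin"; in the format of
        an EnvironmentFile=, as described by systemd.exec(5).
      '';
      example = "/etc/nixos/minio-root-credentials";
    };

    region = mkOption {
      default = "us-east-1";
      type = types.str;
      description = lib.mdDoc ''
        The physical location of the server. By default it is set to us-east-1, which is same as AWS S3's and Minio's default region.
      '';
    };

    browser = mkOption {
      default = true;
      type = types.bool;
      description = lib.mdDoc "Enable or disable access to web UI.";
    };

    package = mkOption {
      default = pkgs.minio;
      defaultText = literalExpression "pkgs.minio";
      type = types.package;
      description = lib.mdDoc "Minio package to use.";
    };
  };

  config = mkIf cfg.enable {
    # Emitted whenever either legacy option is non-empty.
    warnings = optional ((cfg.accessKey != "") || (cfg.secretKey != "")) "services.minio.`accessKey` and services.minio.`secretKey` are deprecated, please use services.minio.`rootCredentialsFile` instead.";

    systemd = lib.mkMerge [{
      # Create the config directory and every data directory, owned by
      # minio:minio, with the tmpfiles default mode.
      tmpfiles.rules = [
        "d '${cfg.configDir}' - minio minio - -"
      ] ++ (map (x: "d '" + x + "' - minio minio - - ") cfg.dataDir);

      services.minio = {
        description = "Minio Object Storage";
        # `after` only orders the unit; `wants` is what actually pulls
        # network-online.target into the boot transaction.
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          # NOTE(review): option values are interpolated unquoted, so a path
          # or address containing whitespace is split into several arguments.
          ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}";
          Type = "simple";
          User = "minio";
          Group = "minio";
          LimitNOFILE = 65536;
          # Credential source, in order of precedence:
          #   1. rootCredentialsFile (kept out of the store),
          #   2. the deprecated accessKey/secretKey store file,
          #   3. nothing; per the rootCredentialsFile description MinIO then
          #      uses its defaults ("minioadmin"/"minioadmin"), which is
          #      unsafe together with the all-interfaces default addresses.
          EnvironmentFile =
            if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile
            else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then (legacyCredentials cfg)
            else null;
        };
        environment = {
          MINIO_REGION = "${cfg.region}";
          MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
        };
      };
    }

    (lib.mkIf (cfg.rootCredentialsFile != null) {
      # Starting with a missing EnvironmentFile would fail the unit, so the
      # start is made conditional on the file: while it is absent the unit is
      # skipped, and minio is not running at all.
      services.minio.unitConfig.ConditionPathExists = cfg.rootCredentialsFile;

      # minio reads the credentials only at start-up. Without this path unit
      # a changed credentials file would leave the running service on stale
      # root credentials, so every change triggers a restart.
      paths.minio-root-credentials = {
        wantedBy = [ "multi-user.target" ];

        pathConfig = {
          PathChanged = [ cfg.rootCredentialsFile ];
          Unit = "minio-restart.service";
        };
      };

      # One-shot helper activated by the path unit above.
      services.minio-restart = {
        description = "Restart MinIO";

        script = ''
          systemctl restart minio.service
        '';

        serviceConfig = {
          Type = "oneshot";
          Restart = "on-failure";
          RestartSec = 5;
        };
      };
    })];

    users.users.minio = {
      group = "minio";
      uid = config.ids.uids.minio;
    };

    # NOTE(review): the gid is taken from ids.uids rather than ids.gids —
    # confirm both tables hold the same value for minio.
    users.groups.minio.gid = config.ids.uids.minio;
  };
}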