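# NixOS module for the MinIO object storage server.
#
# Declares the `services.minio` options, a systemd service running
# `minio server` as the dedicated `minio` user, tmpfiles rules for the
# config and data directories, and (when `rootCredentialsFile` is set) a
# path unit that restarts the service after the credentials file changes.
{
  config,
  lib,
  pkgs,
  ...
}:

with lib;

let
  cfg = config.services.minio;

  # Deprecated credential path: renders `accessKey` / `secretKey` into an
  # EnvironmentFile with pkgs.writeText. The result is a Nix store path, and
  # the store is world-readable, so the root credentials become readable by
  # every local user and are kept in every copy of the system closure.
  # If only one of the two options is set, the other variable is written
  # with an empty value.
  legacyCredentials =
    cfg:
    pkgs.writeText "minio-legacy-credentials" ''
      MINIO_ROOT_USER=${cfg.accessKey}
      MINIO_ROOT_PASSWORD=${cfg.secretKey}
    '';
in
{
  meta.maintainers = [ maintainers.bachp ];

  options.services.minio = {
    enable = mkEnableOption "Minio Object Storage";

    # A leading ":" carries no host part.
    # NOTE(review): presumably this binds every interface; confirm and
    # restrict the address or firewall the port where that is not wanted.
    listenAddress = mkOption {
      default = ":9000";
      type = types.str;
      description = "IP address and port of the server.";
    };

    consoleAddress = mkOption {
      default = ":9001";
      type = types.str;
      description = "IP address and port of the web UI (console).";
    };

    dataDir = mkOption {
      default = [ "/var/lib/minio/data" ];
      type = types.listOf (types.either types.path types.str);
      description = "The list of data directories or nodes for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode.";
    };

    configDir = mkOption {
      default = "/var/lib/minio/config";
      type = types.path;
      description = "The config directory, for the access keys and other settings.";
    };

    certificatesDir = mkOption {
      default = "/var/lib/minio/certs";
      type = types.path;
      description = "The directory where TLS certificates are stored.";
    };

    accessKey = mkOption {
      default = "";
      type = types.str;
      description = ''
        Access key of 5 to 20 characters in length that clients use to access the server.
        This overrides the access key that is generated by minio on first startup and stored inside the
        `configDir` directory.

        Deprecated: the value is written in plain text to the world-readable Nix store.
        Use `rootCredentialsFile` instead.
      '';
    };

    secretKey = mkOption {
      default = "";
      type = types.str;
      description = ''
        Specify the Secret key of 8 to 40 characters in length that clients use to access the server.
        This overrides the secret key that is generated by minio on first startup and stored inside the
        `configDir` directory.

        Deprecated: the value is written in plain text to the world-readable Nix store.
        Use `rootCredentialsFile` instead.
      '';
    };

    # NOTE(review): types.path also accepts Nix path literals; whether such a
    # value ends up copied into the store depends on how it is coerced.
    # Confirm, and prefer a string path as in the example below.
    rootCredentialsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File containing the MINIO_ROOT_USER, default is "minioadmin", and
        MINIO_ROOT_PASSWORD (length >= 8), default is "minioadmin"; in the format of
        an EnvironmentFile=, as described by {manpage}`systemd.exec(5)`.

        Keep this file outside the Nix store and restrict its permissions,
        since it holds the root credentials.
      '';
      example = "/etc/nixos/minio-root-credentials";
    };

    region = mkOption {
      default = "us-east-1";
      type = types.str;
      description = ''
        The physical location of the server. By default it is set to us-east-1, which is same as AWS S3's and Minio's default region.
      '';
    };

    browser = mkOption {
      default = true;
      type = types.bool;
      description = "Enable or disable access to web UI.";
    };

    package = mkPackageOption pkgs "minio" { };
  };

  config = mkIf cfg.enable {
    # Emitted as soon as either legacy option is non-empty. The message names
    # the actual risk so that the deprecation is not read as cosmetic.
    warnings =
      optional ((cfg.accessKey != "") || (cfg.secretKey != ""))
        "services.minio.`accessKey` and services.minio.`secretKey` are deprecated: their values are written to the world-readable Nix store. Please use services.minio.`rootCredentialsFile` instead.";

    systemd = lib.mkMerge [
      {
        # Create the config directory and every data entry that passes the
        # path check, owned by minio:minio. Entries of dataDir that are not
        # paths (for example remote node endpoints) are skipped.
        tmpfiles.rules =
          [
            "d '${cfg.configDir}' - minio minio - -"
          ]
          ++ (map (x: "d '" + x + "' - minio minio - - ") (builtins.filter lib.types.path.check cfg.dataDir));

        services.minio = {
          description = "Minio Object Storage";
          wants = [ "network-online.target" ];
          after = [ "network-online.target" ];
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
            # Option values are interpolated into the command line unquoted.
            # NOTE(review): a value containing whitespace would be split into
            # several arguments; confirm whether that needs guarding.
            ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} --certs-dir=${cfg.certificatesDir} ${toString cfg.dataDir}";
            Type = "simple";
            User = "minio";
            Group = "minio";
            LimitNOFILE = 65536;
            # Credential source, in order of precedence:
            #   1. rootCredentialsFile, when set;
            #   2. the store file built from the deprecated accessKey/secretKey;
            #   3. nothing.
            # NOTE(review): in case 3 this module sets neither MINIO_ROOT_USER
            # nor MINIO_ROOT_PASSWORD; the rootCredentialsFile description
            # gives "minioadmin" as the default for both, so deployments
            # should not be left in that state.
            EnvironmentFile =
              if (cfg.rootCredentialsFile != null) then
                cfg.rootCredentialsFile
              else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then
                (legacyCredentials cfg)
              else
                null;
          };
          environment = {
            MINIO_REGION = "${cfg.region}";
            MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
          };
        };
      }

      (lib.mkIf (cfg.rootCredentialsFile != null) {
        # With ConditionPathExists systemd skips starting the unit while the
        # credentials file is missing; a skipped unit is not marked as
        # failed, so monitoring should check that minio is actually active.
        services.minio.unitConfig.ConditionPathExists = cfg.rootCredentialsFile;

        # systemd does not restart minio by itself when the credentials file
        # changes, which would leave stale root credentials in use. The path
        # unit below watches the file and triggers minio-restart.service.
        paths.minio-root-credentials = {
          wantedBy = [ "multi-user.target" ];

          pathConfig = {
            PathChanged = [ cfg.rootCredentialsFile ];
            Unit = "minio-restart.service";
          };
        };

        # One-shot helper started by the path unit; retried after 5 seconds
        # if the restart command fails.
        services.minio-restart = {
          description = "Restart MinIO";

          script = ''
            systemctl restart minio.service
          '';

          serviceConfig = {
            Type = "oneshot";
            Restart = "on-failure";
            RestartSec = 5;
          };
        };
      })
    ];

    users.users.minio = {
      group = "minio";
      uid = config.ids.uids.minio;
    };

    # NOTE(review): the gid is read from config.ids.uids rather than a gids
    # table; confirm this is intended.
    users.groups.minio.gid = config.ids.uids.minio;
  };
}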