add: minio, pastebin

devshell/default.nix

@@ -53,6 +53,7 @@
       nvfetcher
 
       ruby
+      minio-client
     ];
   };
 }

lib/data/data.json

@@ -126,6 +126,14 @@
       "on": "fra1",
       "proxy": false
     },
+    "minio": {
+      "on": "fra1",
+      "proxy": false
+    },
+    "minio-console": {
+      "on": "fra1",
+      "proxy": false
+    },
     "morty": {
       "on": "hkg4",
       "proxy": false

nixos/hosts/fra1/default.nix

@@ -10,6 +10,7 @@
       nixosModules.services.headscale
       nixosModules.services.derp
       nixosModules.services.postgres
+      nixosModules.services.minio
       nixosModules.services.doraim
       nixosModules.services.ntfy
       nixosModules.services.sogo

nixos/modules/services/pastebin.nix

@@ -22,25 +22,25 @@
       export AWS_ACCESS_KEY_ID=$(cat "$CREDENTIALS_DIRECTORY/key-id")
       export AWS_SECRET_ACCESS_KEY=$(cat "$CREDENTIALS_DIRECTORY/access-key")
       ${pkgs.pastebin}/bin/pastebin \
-        --endpoint-host s3.eu-central-003.backblazeb2.com \
-        --bucket doraim-pastebin-media \
+        --endpoint-host minio.${config.networking.domain} \
+        --bucket pastebin \
         --addressing-style path \
         --port "${toString config.ports.pastebin}"
     '';
     serviceConfig = {
       DynamicUser = true;
       LoadCredential = [
-        "key-id:${config.sops.secrets."b2_pastebin_media_key_id".path}"
-        "access-key:${config.sops.secrets."b2_pastebin_media_access_key".path}"
+        "key-id:${config.sops.secrets."minio_pastebin_key_id".path}"
+        "access-key:${config.sops.secrets."minio_pastebin_access_key".path}"
       ];
     };
     wantedBy = [ "multi-user.target" ];
   };
-  sops.secrets."b2_pastebin_media_access_key" = {
+  sops.secrets."minio_pastebin_key_id" = {
     terraformOutput.enable = true;
     restartUnits = [ "pastebin.service" ];
   };
-  sops.secrets."b2_pastebin_media_key_id" = {
+  sops.secrets."minio_pastebin_access_key" = {
     terraformOutput.enable = true;
     restartUnits = [ "pastebin.service" ];
   };

secrets/terraform/hosts/fra1.yaml

@@ -1,5 +1,5 @@
-b2_pastebin_media_access_key: ENC[AES256_GCM,data:b0nZS9f6zDrgv0eVCbNsGHb6bl8ZKv9S2aUMOVjcYQ==,iv:gGwF/a93/mWSTA2xW7FD/vSzy9bsNoFighglmC4TrXQ=,tag:tTCYQi2JJSzyqrQtag35bA==,type:str]
-b2_pastebin_media_key_id: ENC[AES256_GCM,data:9VEZxCQwQ2AjTh+YXkX4VVe6HPKlpm4OxA==,iv:SKTFaO/RIDNxel3dWZscik3rXoAVb37utSp03ljbaj4=,tag:WL/8hVzzjjwGYD5OOiFJyA==,type:str]
+minio_pastebin_access_key: ENC[AES256_GCM,data:nMwoZXpwK2tkTOwSPdFunIljw+zteIlz5Jz5lUEr8kQUOx6uccMLgN7LNHQ5MdzjOlZWV37tXhs=,iv:TA2qvDxFhjw59IikfFCMcCIluadua32EGLb/hDrMtdM=,tag:tycg5WmUhb4SrESMZlNSaA==,type:str]
+minio_pastebin_key_id: ENC[AES256_GCM,data:+P4y+OxYbyg=,iv:hk6XwxJDs7OyPjyko/KWbekYvqWrcIBsYnZmcno9d2g=,tag:5S4xQd39ys/iu/hdY2G/wg==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -24,8 +24,8 @@ sops:
         MCtFRHUzbmw2VmpCSDhYeWJDWWNqTTAKDylvMWW9j7i86dkY4JG6H2hmwhD8R8Vk
         Kf30nttK6c1CAm4vRFYAmImv3hWGeYF11Y5Rbmp7C8r9U6v87lGtuw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-09-22T09:16:46Z"
-  mac: ENC[AES256_GCM,data:jPt7hFD4CflXsalUM7D0Xn7FGDw8X2l5OGVkHyGv+GqiK8RHmRU7ttEJraCBPifvK9HfvRfI/V5ZSsqNZ2CqfgInCOjAAoeCJNINzIk0bj3AifACT2h8ztJzPgXYQlf8uDD84tJUvLoEXqSweF8y54sNf7rBJeR5CCtlvJy6cFo=,iv:WPvRh53SrkCncvXsVFjxIIDVlhXyeNVSzN2yk8RvHWM=,tag:88hz8WcC0VhnOprgByra+g==,type:str]
+  lastmodified: "2024-09-25T16:55:09Z"
+  mac: ENC[AES256_GCM,data:bYCPjhFpSnhoYNl+ZFA7WyWsFcqg1JVjFzsdiOAbOTHbPDEFGO1jFO3NwEDcpJIouG04aspTd7DBI5wvB6BAf/X1OqkGb8W14RNpWzGAhZmEzAfYOT8BSRFjj3xoNGlg0BeWIEhzXhWFUqqwQjgZq4xhBgl9rLgZb49dSdR2HdI=,iv:rPewa3PEb6Y9rti1ZjefJ/l99vQ25IxfA+UOC6m5itA=,tag:x5683rl9IZlV6J7Y5HCnyQ==,type:str]
   pgp:
     - created_at: "2024-09-22T09:16:46Z"
       enc: |-

terraform/b2.tf

@@ -137,10 +137,15 @@ resource "b2_bucket" "pastebin_media" {
   cors_rules {
     cors_rule_name = "allow-media-on-dora-im"
     allowed_operations = [
-      "s3_head",
-      "b2_download_file_by_id",
       "b2_download_file_by_name",
-      "s3_get"
+      "b2_download_file_by_id",
+      "b2_upload_file",
+      "b2_upload_part",
+      "s3_delete",
+      "s3_get",
+      "s3_head",
+      "s3_post",
+      "s3_put"
     ]
     allowed_origins = [
       "https://*.dora.im"

terraform/cloudflare.tf

@@ -84,6 +84,8 @@ locals {
     pb                 = { on = "fra1", proxy = false }
     ollama             = { on = "fra1", proxy = false }
     ollama-ui          = { on = "fra1", proxy = false }
+    minio              = { on = "fra1", proxy = false }
+    minio-console      = { on = "fra1", proxy = false }
     "admin.m"          = { on = "fra1", proxy = false }
     searx              = { on = "hkg4", proxy = false }
     morty              = { on = "hkg4", proxy = false }

terraform/minio.tf

@@ -0,0 +1,200 @@
+provider "minio" {
+  minio_server   = "minio.dora.im"
+  minio_user     = data.sops_file.terraform.data["minio.root.user"]
+  minio_password = data.sops_file.terraform.data["minio.root.password"]
+  minio_ssl      = true
+}
+
+# Pastebin
+
+resource "minio_s3_bucket" "pastebin" {
+  bucket = "pastebin"
+  acl    = "private"
+  quota  = 1 * 1024 * 1024 * 1024 # in bytes, 1 GiB
+}
+
+resource "minio_iam_user" "pastebin" {
+  name = "pastebin"
+}
+
+output "minio_pastebin_key_id" {
+  value     = minio_iam_user.pastebin.id
+  sensitive = false
+}
+output "minio_pastebin_access_key" {
+  value     = minio_iam_user.pastebin.secret
+  sensitive = true
+}
+
+data "minio_iam_policy_document" "pastebin" {
+  statement {
+    actions = [
+      "s3:*",
+    ]
+    resources = [
+      "arn:aws:s3:::pastebin/*",
+    ]
+  }
+}
+
+resource "minio_iam_policy" "pastebin" {
+  name   = "pastebin"
+  policy = data.minio_iam_policy_document.pastebin.json
+}
+
+resource "minio_iam_user_policy_attachment" "pastebin" {
+  policy_name = minio_iam_policy.pastebin.name
+  user_name   = minio_iam_user.pastebin.name
+}
+
+resource "minio_ilm_policy" "pastebin_expire_1d" {
+  bucket = minio_s3_bucket.pastebin.bucket
+
+  rule {
+    id         = "expire-7d"
+    expiration = "7d"
+  }
+}
+
+# Cache test
+
+resource "minio_s3_bucket" "cache_test" {
+  bucket = "cache-test"
+  acl    = "private"
+}
+
+resource "minio_iam_user" "cache_test" {
+  name = "cache-test"
+}
+
+output "minio_cache_test_key_id" {
+  value     = minio_iam_user.cache_test.id
+  sensitive = false
+}
+output "minio_cache_test_access_key" {
+  value     = minio_iam_user.cache_test.secret
+  sensitive = true
+}
+
+data "minio_iam_policy_document" "cache_test" {
+  statement {
+    actions = [
+      "s3:*",
+    ]
+    resources = [
+      "arn:aws:s3:::cache-test/*",
+    ]
+  }
+}
+
+resource "minio_iam_policy" "cache_test" {
+  name   = "cache-test"
+  policy = data.minio_iam_policy_document.cache_test.json
+}
+
+resource "minio_iam_user_policy_attachment" "cache_test" {
+  policy_name = minio_iam_policy.cache_test.name
+  user_name   = minio_iam_user.cache_test.name
+}
+
+# Metrics
+
+resource "minio_iam_user" "metrics" {
+  name = "metrics"
+}
+
+output "minio_metrics_key_id" {
+  value     = minio_iam_user.metrics.id
+  sensitive = false
+}
+output "minio_metrics_access_key" {
+  value     = minio_iam_user.metrics.secret
+  sensitive = true
+}
+
+data "minio_iam_policy_document" "metrics" {
+  statement {
+    actions = [
+      "admin:Prometheus",
+    ]
+    resources = [
+      "arn:aws:s3:::*",
+    ]
+  }
+}
+
+resource "minio_iam_policy" "metrics" {
+  name   = "metrics"
+  policy = data.minio_iam_policy_document.metrics.json
+}
+
+resource "minio_iam_user_policy_attachment" "metrics" {
+  policy_name = minio_iam_policy.metrics.name
+  user_name   = minio_iam_user.metrics.name
+}
+
+resource "shell_sensitive_script" "minio_metrics_generate_prometheus_config" {
+  lifecycle_commands {
+    create = <<EOT
+      set -e
+
+      mc alias set minio-metrics https://minio.dora.im "$KEY_ID" "$ACCESS_KEY" >&2
+      mc admin prometheus generate minio-metrics --json
+      mc alias remove minio-metrics >&2
+    EOT
+    delete = <<EOT
+      # do nothing
+    EOT
+  }
+  environment = {
+    KEY_ID = minio_iam_user.metrics.id
+  }
+  sensitive_environment = {
+    ACCESS_KEY = minio_iam_user.metrics.secret
+  }
+}
+output "minio_metrics_bearer_token" {
+  value     = shell_sensitive_script.minio_metrics_generate_prometheus_config.output.bearerToken
+  sensitive = true
+}
+
+# SICP staging
+
+resource "minio_s3_bucket" "sicp_staging" {
+  bucket = "sicp-staging"
+  acl    = "private"
+}
+
+resource "minio_iam_user" "sicp_staging" {
+  name = "sicp-staging"
+}
+
+output "minio_sicp_staging_key_id" {
+  value     = minio_iam_user.sicp_staging.id
+  sensitive = false
+}
+output "minio_sicp_staging_access_key" {
+  value     = minio_iam_user.sicp_staging.secret
+  sensitive = true
+}
+
+data "minio_iam_policy_document" "sicp_staging" {
+  statement {
+    actions = [
+      "s3:*",
+    ]
+    resources = [
+      "arn:aws:s3:::sicp-staging/*",
+    ]
+  }
+}
+
+resource "minio_iam_policy" "sicp_staging" {
+  name   = "sicp-staging"
+  policy = data.minio_iam_policy_document.sicp_staging.json
+}
+
+resource "minio_iam_user_policy_attachment" "sicp_staging" {
+  policy_name = minio_iam_policy.sicp_staging.name
+  user_name   = minio_iam_user.sicp_staging.name
+}

terraform/providers.tf

@@ -18,5 +18,11 @@ terraform {
     htpasswd = {
       source = "loafoe/htpasswd"
     }
+    minio = {
+      source = "aminueza/minio"
+    }
+    shell = {
+      source = "linyinfeng/shell"
+    }
   }
 }