Add minio stuff

2023-01-06 00:11:11 +01:00 · 2023-01-06 00:11:11 +01:00 · 83b15681b1
commit 83b15681b1
parent 7fc716534f
7 changed files with 180 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,13 +1,14 @@
 keys:
-  - &erwin b785a9688947edabb9ec8933ee7adefe1d943c7b
+  # - &erwin b785a9688947edabb9ec8933ee7adefe1d943c7b
  - &erwin_age age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
-  - &loki a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7
+  # - &loki a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7
  - &loki_age age1m93jeyexus2uqvrk99r7hh0xp7qxk55tgmju4h422dfkf92jce2sxpntu5
-  - &drone 8eefb1f8c85704ca47aa226a692372b1fc4bb9bf
+  # - &drone 8eefb1f8c85704ca47aa226a692372b1fc4bb9bf
  - &drone_age age1q0dfxz58vt4zxwx2etqy8xycf4l0p5nujpznh53kd0fwwc28ms7q6qrhct
-  - &gitea ca0dba2f767679957879077fb8922c8ba16710be
+  # - &gitea ca0dba2f767679957879077fb8922c8ba16710be
  - &gitea_age age1jkj6xrhr3uf52hac4wlda4a8jcegha86jf5lgv58df0xunadz53qpjlpae
  - &vpn 554dd0be7ba432b2a2c72df52b35c2235938f603
+  - &minio age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49
 creation_rules:
  - path_regex: machines/loki/[^/]+\.yaml$
    key_groups:
@ -28,3 +29,8 @@ creation_rules:
    key_groups:
      - age:
          - *erwin_age
+  - path_regex: machines/minio/[^/]+\.yaml$
+    key_groups:
+      - age:
+          - *erwin_age
+          - *minio
--- a/flake.nix
+++ b/flake.nix
@ -211,6 +211,18 @@
              };
            };
          };
+
+          minio = {
+            hostname = "10.0.0.204";
+
+            profiles = {
+              system = {
+                sshUser = "root";
+                path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.minio;
+                user = "root";
+              };
+            };
+          };
        };
      }
      // (flake-utils.lib.eachSystem [ "aarch64-linux" "x86_64-linux" ])
@ -289,6 +301,8 @@
                  nix-prefetch-docker
                  nixos-install-tools
                  deploy-rs.packages.${system}.deploy-rs
+                  terraform
+                  terraform-ls

                  eww-wayland
                ];
--- a/machines/default.nix
+++ b/machines/default.nix
@ -18,6 +18,9 @@ inputs: {
  mimir = {
    config = import ./mimir/configuration.nix inputs;
  };
+  minio = {
+    config = import ./minio/configuration.nix inputs;
+  };
  proxy = {
    config = import ./proxy/configuration.nix inputs;
  };
--- a/machines/minio/configuration.nix
+++ b/machines/minio/configuration.nix
@ -0,0 +1,58 @@
+{ self, ... }:
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    ../../users/root
+    ../../users/erwin
+  ];
+
+  eboskma = {
+    users.erwin.enable = true;
+    services = {
+      minio.enable = true;
+    };
+    nix-common = {
+      enable = true;
+      remote-builders = true;
+    };
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+
+  system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+  # networking = {
+  # hostName = "gitea";
+  # useDHCP = false;
+
+  # interfaces = {
+  #   eth0 = {
+  #     ipv4.addresses = [
+  #       {
+  #         address = "10.0.0.204";
+  #         prefixLength = 24;
+  #       }
+  #     ];
+  #   };
+  # };
+
+  # defaultGateway = "10.0.0.1";
+  # nameservers = [ "10.0.0.254" ];
+  # };
+
+  proxmoxLXC = {
+    privileged = true;
+  };
+
+  security.sudo.execWheelOnly = true;
+  security.pam.enableSSHAgentAuth = true;
+
+  # services.openssh.enable = true;
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    minio-root-credentials = { };
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/machines/minio/main.tf
+++ b/machines/minio/main.tf
@ -0,0 +1,45 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "Telmate/proxmox"
+      version = "2.9.11"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_api_url          = var.proxmox_api_url
+  pm_api_token_id     = var.proxmox_token_id
+  pm_api_token_secret = var.proxmox_token_secret
+  pm_tls_insecure     = true
+}
+
+resource "proxmox_lxc" "minio" {
+  target_node  = "pve"
+  hostname     = "minio"
+  ostemplate   = "loki:vztmpl/nixos-23.05-default_20230104_amd64.tar.xz"
+  unprivileged = false
+
+  memory = 2048
+  swap   = 2048
+
+  rootfs {
+    storage = "local-lvm"
+    size    = "32G"
+  }
+
+  mountpoint {
+    key     = "0"
+    slot    = 0
+    storage = "local-lvm"
+    mp      = "/data"
+    size    = "256G"
+  }
+
+  network {
+    name   = "eth0"
+    bridge = "vmbr0"
+    ip     = "10.0.0.204/24"
+    gw     = "10.0.0.1"
+  }
+}
--- a/machines/minio/secrets.yaml
+++ b/machines/minio/secrets.yaml
@ -0,0 +1,30 @@
+minio-root-credentials: ENC[AES256_GCM,data:IR2xlQ/pXHUA0baJTe9J+iH4qsw3dHeCP+oSQ3yZohQSm1mrXil7HR1NlsI2sbQVQM1GAJcmPytrn7z3YocrainnDv3WZ0AeRqwyEtItC2cXfw3mfh+SIeq2sX2jkYDycuW0J7jRdCBV+Bs=,iv:A7cgR9ykXY4qkixDp699wzNLs4AEVEJRJ8PxzOAnCqU=,tag:++C4ejM5h8wM95G2N6PZmg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1N09uWml0ZUtjNU1KeGdq
+            OERZMDI2TGJQVmlkNjR4WVZ6NGNKZVU3RFE0Cm1DcHpHOGpjVitsVnVFVnJLTVdq
+            NmJ3Z1FWQVM5Nmg5aFBsMkVWNzR2Ym8KLS0tIERpQ1ZEQk9MaEJBZEFHcHU1QUty
+            a2gxTUJvQTlWcENqWVpGOXRkUjhKanMKDEyB7p8Dg61szFU06W+384FJ3GcUNbvc
+            1J7kdL/8JdsS5ziTmI5PU5pz0rARkZuloxKpBX/QEuSLcQiYtBY2qQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1p5hu2l0ys8z2j9rhf0xp5et2wd4222utyn3tk562ksrxmckye9dqu25f49
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMkNBUmJwNG5aanBWcUFz
+            MFdiVjlJQk83YnJvM2hTQURZWjJIU1lkQzBNCmZKK2Nzak5nOGJLdURJaUJTcURo
+            TW9DY0ZrYXBITUl5UVA5R1JJVXp5dTQKLS0tIEVvNUZRWkZrSjRWNFQ2RVlHemxJ
+            UmhqQTFQeWc3L1BlazlINnltUDFzdEEKO2PfIgkx36lOUDPn3EmZTw/Puy+Oou6G
+            oiICgnNvvBOlHTX+myOKA+Y1J0hmSiPQCpFTIPSJLvn67a0uxTAdpw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-01-04T22:17:52Z"
+    mac: ENC[AES256_GCM,data:aK5XNUiQYVHpSRuztLO7WXQnBQwScvtF3rABMjsJBbJ2aep74MhVUYEq9FwQOaC3puB2J0jdfKd0i6Mxdn0iScZ1JndGizEqBOeyxVZuAIfg5jL2sL/FjKGIU6BgbNquExiCnllikVyEKfjfX9sxkaB7vfjuYNauQ7hPW68GCwI=,iv:HYx9SaTBDICgWcU9B+a7h9pWA5+fVjZ0Y9pfrv4iAJM=,tag:fJXCQdCXd7IddyRP9Scueg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/modules/minio/default.nix
+++ b/modules/minio/default.nix
@ -0,0 +1,20 @@
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.eboskma.services.minio;
+in
+{
+  options.eboskma.services.minio = { enable = mkEnableOption "minio"; };
+
+  config = mkIf cfg.enable {
+    services.minio = {
+      enable = true;
+      dataDir = [ "/data" ];
+      browser = true;
+      region = "local";
+      rootCredentialsFile = config.sops.secrets.minio-root-credentials.path;
+    };
+
+    networking.firewall.allowedTCPPorts = [ 9000 9001 ];
+  };
+}