diff --git a/.github/workflows/minio.yaml b/.github/workflows/minio.yaml
new file mode 100644
index 000000000..c9dc3e1c2
--- /dev/null
+++ b/.github/workflows/minio.yaml
@@ -0,0 +1,39 @@
+name: Minio configuration & upgrade
+
+on:
+ workflow_dispatch:
+ push:
+ branches: ["main"]
+ paths: [".github/workflows/minio.yaml", "ansible/**minio**"]
+ schedule:
+ - cron: '33 7 * * 2'
+
+jobs:
+ run-ansible-playbook:
+ runs-on: ["arc-runner-set-home-ops"]
+ steps:
+ - name: Generate Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: "${{ secrets.BOT_APP_ID }}"
+ private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ token: "${{ steps.app-token.outputs.token }}"
+ fetch-depth: 0
+
+ - name: Set up Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install Ansible
+ run: |
+ python -m pip install --upgrade pip
+ pip install ansible
+
+ - name: Run Ansible Playbook
+ run: cd ./ansible ; ansible-playbook ./playbooks/minio.yml
diff --git a/ansible/inventory/host_vars/minio.sops.yaml b/ansible/inventory/host_vars/minio.sops.yaml
new file mode 100644
index 000000000..4d1355fb2
--- /dev/null
+++ b/ansible/inventory/host_vars/minio.sops.yaml
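Review bot: `run: cd ./ansible ; ansible-playbook ./playbooks/minio.yml` chains with `;`, so a failed `cd` still runs the playbook from the repository root; use `working-directory: ./ansible` on the step with `run: ansible-playbook ./playbooks/minio.yml`. `actions/setup-python@v2` is a deprecated major on the retired Node 12 runtime — move to `actions/setup-python@v5`, and since this job mints an app token it is worth pinning every action to a commit SHA rather than a moving major tag. The job declares no `permissions:` block, so the default `GITHUB_TOKEN` grants apply; `permissions: contents: read` is all the checkout needs. The play reads `ansible/inventory/host_vars/minio.sops.yaml`, yet no step provides a sops/age key — presumably the self-hosted runner set supplies it, but a comment on the job saying so would save the next reader a failed run.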
@@ -0,0 +1,23 @@
+kind: Secret
+minio_access_key: ENC[AES256_GCM,data:4MC50gc06VvP9BViitovlw==,iv:Bu8c986MyeHrMioPYlBG/zSzFv4EOytxTHkXZzI6Iow=,tag:EbRlKgdx63M8CDNa/8RrWQ==,type:str]
+minio_secret_key: ENC[AES256_GCM,data:zd7bC1c3pam4xqcsaZOf3A==,iv:8K8x9dcsByZ60pytIPl9ESUbZeu+7S8Z+faQEewDZB8=,tag:3/5b8ZzAIqrVtf37eziwjg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo
+ bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv
+ UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl
+ ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
+ R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-09T13:25:29Z"
+ mac: ENC[AES256_GCM,data:ro+P8PAr0YDuer3CBf7XBIBz+YlnHGCDGIkKFw1TRvEeJNgNFF6mv+voPyiTFIHRh/541MNlzEyRpc0As1PHU/7O2SLBqKA3GnzaLM4s/5Euu7pXTFl3jtIXtTe1DMGTWmyvyqSNXEoEhPmjFn0bMXKhrINuVWxYkDspZxnnOe4=,iv:MZjiTvWIPacX55RZfVh8qUmVsNPMJaZcJIc8JmxuUag=,tag:Q6MnDbByAno9pwH0xWTKMA==,type:str]
+ pgp: []
+ unencrypted_regex: ^(kind)$
+ version: 3.8.1
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
index 8bdddb59a..e7f60d6de 100644
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@@ -7,6 +7,9 @@ all: coreelec: ansible_host: coreelec.{{ secret_domain }} ansible_user: root + minio: + ansible_host: 192.168.9.14 + ansible_user: minio children: truenas-instances: hosts:
diff --git a/ansible/playbooks/bootstrap_ansible.yml b/ansible/playbooks/bootstrap_ansible.yml
index 5245287be..eb29771be 100644
--- a/ansible/playbooks/bootstrap_ansible.yml
+++ b/ansible/playbooks/bootstrap_ansible.yml
@@ -3,6 +3,7 @@ hosts: all become: true become_user: root + gather_facts: false vars: python_pwd: /usr/bin/python python_package: python3
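Review bot: `ansible_host: 192.168.9.14` hard-codes an address where the sibling `coreelec` entry resolves through `{{ secret_domain }}`, and the same literal IP is repeated in the minio role's rc.conf block, so `ansible_host: minio.{{ secret_domain }}` would keep a single source of truth (the other files in this commit already address the host as `minio.${SECRET_DOMAIN}`). `ansible_user: minio` combined with the new play's `become: true` presumes that account can escalate on the target; a short comment on the host entry saying how that is arranged would help. The enclosing `all.hosts` mapping starts before the hunk.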
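Review bot: `gather_facts: false` is added to the bootstrap play without saying why; the play's vars (`python_pwd`, `python_package`) suggest it installs the interpreter that fact gathering itself needs, so a comment such as `# facts need python on the target, which this play installs` would make the reason explicit rather than leaving it for the next reader to infer. The play starts before the hunk.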
diff --git a/ansible/playbooks/minio.yml b/ansible/playbooks/minio.yml
new file mode 100644
index 000000000..470a3a70c
--- /dev/null
+++ b/ansible/playbooks/minio.yml
@@ -0,0 +1,7 @@
+---
+- hosts: minio
+ become: true
+ gather_facts: true
+ any_errors_fatal: true
+ roles:
+ - role: minio
diff --git a/ansible/roles/minio/tasks/main.yml b/ansible/roles/minio/tasks/main.yml
new file mode 100644
index 000000000..ed78a2853
--- /dev/null
+++ b/ansible/roles/minio/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+- name: Install MinIO
+ ansible.builtin.pkgng:
+ name:
+ - minio
+ - curl
+ state: latest
+ register: installation
+
+- name: Create MinIO configuration in /etc/rc.conf
+ ansible.builtin.blockinfile:
+ path: /etc/rc.conf
+ state: present
+ block: |
+ # MINIO
+ minio_enable="YES"
+ minio_disks="/mnt/data"
+ minio_env="MINIO_ACCESS_KEY={{ minio_access_key }} MINIO_SECRET_KEY={{ minio_secret_key }} MINIO_CONSOLE_ADDRESS=192.168.9.14:9001"
+ no_log: false
+ register: configuration
+
+- name: Restart MinIO Service
+ ansible.builtin.service:
+ name: minio
+ state: restarted
+ enabled: true
+ when: configuration.changed == true or installation.changed == true
+
+- name: Wait for 5 seconds
+ ansible.builtin.pause:
+ seconds: 5
+
+- name: Check MinIO Service
+ ansible.builtin.command: curl -s localhost:9000/minio/health/live
+ register: curl_result
+ ignore_errors: true
+ changed_when: false
+
+- name: Fail if curl command failed
+ ansible.builtin.fail:
+ msg: 'Curl command failed'
+ when: curl_result.rc != 0
diff --git a/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml b/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
index 58a6e5137..dbe719b3b 100644
--- a/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
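Review bot: the play is unnamed; adding `- name: Configure MinIO` above `hosts: minio` gives playbook output and ansible-lint a label for it. `become: true` together with the inventory's `ansible_user: minio` assumes that account can escalate on the target, which is worth a one-line comment if it is set up outside this repository.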
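Review bot: the `blockinfile` task renders `{{ minio_secret_key }}` into `block` yet explicitly sets `no_log: false`, so a `--diff` run or a verbose dump of the task's arguments prints the secret into the GitHub Actions log that drives this role; change it to `no_log: true`. `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` are the legacy MinIO variable names (`MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD` are the current ones), `192.168.9.14` duplicates the inventory address where `{{ ansible_host }}` would do, and because /etc/rc.conf is normally world-readable the credentials are visible to every local account — if the rc script supports a separate env file, a 0600 file is the better home. `when: configuration.changed == true or installation.changed == true` can drop the literal comparisons (`when: configuration.changed or installation.changed`). The trailing `pause`/`command`/`fail` trio is better expressed as one `ansible.builtin.uri` task polled with `until`, as below, which also drops the `curl` package dependency.
```yaml
# … unchanged: Install MinIO, Create MinIO configuration in /etc/rc.conf, Restart MinIO Service …
- name: Wait for MinIO liveness endpoint
  ansible.builtin.uri:
    url: http://localhost:9000/minio/health/live
    status_code: 200
  register: health
  until: health.status == 200
  retries: 10
  delay: 3
```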
@@ -23,7 +23,7 @@ spec: compression: bzip2 maxParallel: 8 destinationPath: s3://postgresql/ - endpointURL: https://truenas.${SECRET_DOMAIN}:51515 + endpointURL: https://.${SECRET_DOMAIN}:9000 serverName: postgres-v8 s3Credentials: accessKeyId:
@@ -39,7 +39,7 @@ spec: # - name: postgres-v6 # barmanObjectStore: # destinationPath: s3://postgresql/ - # endpointURL: https://truenas.${SECRET_DOMAIN}:51515 + # endpointURL: http://minio.${SECRET_DOMAIN}:9000 # s3Credentials: # accessKeyId: # name: postgres-minio
diff --git a/kubernetes/apps/default/hajimari/app/helmrelease.yaml b/kubernetes/apps/default/hajimari/app/helmrelease.yaml
index 7316d4555..808ef3ffe 100644
--- a/kubernetes/apps/default/hajimari/app/helmrelease.yaml
+++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml
@@ -67,7 +67,7 @@ spec: url: "https://truenas-remote.${SECRET_DOMAIN}" - name: minio icon: mdi:aws - url: "https://minio.${SECRET_DOMAIN}:9000" + url: "http://minio.${SECRET_DOMAIN}:9000" - name: pikvm icon: mdi:ip-network url: "https://pikvm.${SECRET_DOMAIN}"
diff --git a/kubernetes/apps/default/homelab/minio/backup/rclone.conf b/kubernetes/apps/default/homelab/minio/backup/rclone.conf
index 3b0df3c60..b04e1d7e8 100644
--- a/kubernetes/apps/default/homelab/minio/backup/rclone.conf
+++ b/kubernetes/apps/default/homelab/minio/backup/rclone.conf
@@ -3,7 +3,7 @@ type = s3 provider = Minio access_key_id = __RCLONE_ACCESS_ID__ secret_access_key = __RCLONE_SECRET_KEY__ -endpoint = https://minio.${SECRET_DOMAIN}:51515 +endpoint = http://minio.${SECRET_DOMAIN}:9000 acl = private [gdrive-homelab-backups]
diff --git a/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml b/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
index 4f91e2ab7..6d4ff0554 100644
--- a/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
+++ b/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
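Review bot: `endpointURL: https://.${SECRET_DOMAIN}:9000` has no host label before the dot, so the substituted URL is `https://.<domain>:9000` and every barman backup of this cluster will fail to connect; the commented block in the second hunk of this file shows the intended value, `endpointURL: http://minio.${SECRET_DOMAIN}:9000`. The scheme deserves a look as well: every other consumer in this commit moves to plain `http` on port 9000, so keeping `https` here only works if MinIO actually serves TLS on that port.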
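Review bot: `endpoint = http://minio.${SECRET_DOMAIN}:9000` switches the S3 endpoint from TLS to plaintext, so backup payloads and the signed requests now cross the network unencrypted; the same downgrade appears in the opnsense backup `S3_URL`, `truenas-backup.sh`, outline's `AWS_S3_UPLOAD_BUCKET_URL`, sharry's `endpoint`, and thanos (which adds `insecure: true` to allow it). If the MinIO host sits on a trusted segment this may be an accepted trade-off, but the commit does not say so; terminating TLS on MinIO or on a proxy in front of it and keeping `https` would avoid exposing firewall and database backups on the wire.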
@@ -41,7 +41,7 @@ spec: command: ["/bin/bash", "/app/opnsense-backup.sh"] env: OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}" - S3_URL: "https://truenas.${SECRET_DOMAIN}:51515" + S3_URL: "http://minio.${SECRET_DOMAIN}:9000" envFrom: - secretRef: name: homelab-opnsense-secret
diff --git a/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh b/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh
index 5dbdcca85..75ce12c8c 100755
--- a/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh
+++ b/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh
@@ -44,7 +44,7 @@ curl -fsSL \ -H "Date: ${http_request_date}" \ -H "Content-Type: ${http_content_type}" \ -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \ - "https://truenas.${SECRET_DOMAIN}:51515/${http_filepath}" + "http://minio.${SECRET_DOMAIN}:9000/${http_filepath}" rm /tmp/backup-*.tar
diff --git a/kubernetes/apps/default/outline/app/helmrelease.yaml b/kubernetes/apps/default/outline/app/helmrelease.yaml
index cebdb1dbe..c9a3ac27f 100644
--- a/kubernetes/apps/default/outline/app/helmrelease.yaml
+++ b/kubernetes/apps/default/outline/app/helmrelease.yaml
@@ -54,7 +54,7 @@ spec: AWS_S3_ACL: private AWS_S3_FORCE_PATH_STYLE: "true" AWS_S3_UPLOAD_BUCKET_NAME: outline - AWS_S3_UPLOAD_BUCKET_URL: "https://truenas.${SECRET_DOMAIN}:51515" + AWS_S3_UPLOAD_BUCKET_URL: "http://minio.${SECRET_DOMAIN}:9000" ENABLE_UPDATES: "false" FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400" OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
diff --git a/kubernetes/apps/default/sharry/app/config/sharry.conf b/kubernetes/apps/default/sharry/app/config/sharry.conf
index 5d0a4314c..435327220 100644
--- a/kubernetes/apps/default/sharry/app/config/sharry.conf
+++ b/kubernetes/apps/default/sharry/app/config/sharry.conf
@@ -33,7 +33,7 @@ sharry.restserver { minio = { enabled = true type = "s3" - endpoint = "https://truenas.${SECRET_DOMAIN}:51515" + endpoint = "http://minio.${SECRET_DOMAIN}:9000" access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}" secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}" bucket = "sharry"
diff --git a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
index 24d4454b3..83ae8b402 100644
--- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
@@ -35,8 +35,9 @@ spec: type: s3 config: bucket: thanos - endpoint: "truenas.${SECRET_DOMAIN}:51515" + endpoint: "minio.${SECRET_DOMAIN}:9000" region: "" + insecure: true query: enabled: true replicaCount: 2
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
index 937be5a2a..45b6e0b58 100644
--- a/kubernetes/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -26,8 +26,8 @@ stringData: SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str] SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str] SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str] - SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:2qLE/cs=,iv:Ctrw213BgCC2jyEvFp38aOejzY/ZYiwAj9fsPzXgaY0=,tag:LBlIUm1LTAjUIKu4JeLw9A==,type:str] - SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:ewm/Pfjb0t3KY46o2+DsnOGUzrk=,iv:rf6K/qx24iMeHG/a/mCQgD132LsFt+wme4Udx50v6NA=,tag:OskpvWusk2B1P/OACWN2eA==,type:str] + SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:vAVoafxfbareIodsClVGDQ==,iv:1zojUukd2WQEE3ZBpGrIHaDwkWfAqmF1esjxCGWz3mQ=,tag:8HvBGXkTBJwhel89qffWgA==,type:str] + SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:3MuIeOh66mJ5mblWSPdz/WybNnSRJKZypRuo4ycvKBA=,iv:NHDNCo+y9f5GlwhlPco5nyrHH7t5diFSUydiX3KFfdY=,tag:vf7RCvIznpiM576gmyJK6w==,type:str] type: Opaque sops: kms: [] 
@@ -44,8 +44,8 @@ sops: WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-30T20:44:55Z" - mac: ENC[AES256_GCM,data:vTeYdFYzqt0WzUl6M6tDMnTEY+7xN7aZl32emkT33hB4GJPWXwPEHIxKd1blKzpZ9+Dm8zUSO/86eqWSKoI36iKw4FRhtqI1dralguPWpDGO8STE8kyYaLs2xW3R/acbucuD3V5M6YJonzHish/xMJlThao6+n4HsSJGNLneaps=,iv:xNYR/KiFkzZ9/jUSHUYO6vI6APVIdQFuYlRZfM7p6LQ=,tag:seNXM22OcDksY2ugx1mYMw==,type:str] + lastmodified: "2024-01-10T00:29:33Z" + mac: ENC[AES256_GCM,data:WtDnq2nkE5pYz1wt7bpkEfwr2BP1WoI7GiZLQwm6h67T9EtrLY9Dk+3XNTIx8rP/YKuOoLcomxCer4aMNZDib1TC62yZ8gwt9loZNmyqePxOBwSnxQntw+hNlwk2MT3D8lcbWlfq+88vXUeRw/S4SZCpExfBD2ig4y1cj5/fVO8=,iv:UqhcLg+8qHhm5qtokYwS93ZZZFT9AcN65zevNj/iZ2A=,tag:4b+b/DKhidhZC0mY3EvomQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1