shpaq/auricom-home-cluster
1
0
Fork 0
mirror of https://github.com/auricom/home-cluster.git synced 2025-09-17 18:24:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

♻️ minio custom jail

Browse Source
This commit is contained in:
auricom
2024-01-09 16:52:29 +01:00
parent 9fe75c2b3c
commit badd042d50
15 changed files with 129 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
.github/workflows/minio.yaml vendored Normal file
View File

@@ -0,0 +1,39 @@
name: Minio configuration & upgrade
on:
workflow_dispatch:
push:
branches: ["main"]
paths: [".github/workflows/minio.yaml", "ansible/**minio**"]
schedule:
- cron: '33 7 * * 2'
jobs:
run-ansible-playbook:
runs-on: ["arc-runner-set-home-ops"]
steps:
- name: Generate Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: "${{ secrets.BOT_APP_ID }}"
private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Checkout
uses: actions/checkout@v4
with:
token: "${{ steps.app-token.outputs.token }}"
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible
run: |
python -m pip install --upgrade pip
pip install ansible
- name: Run Ansible Playbook
run: cd ./ansible ; ansible-playbook ./playbooks/minio.yml

23
ansible/inventory/host_vars/minio.sops.yaml Normal file
View File

@@ -0,0 +1,23 @@
kind: Secret
minio_access_key: ENC[AES256_GCM,data:4MC50gc06VvP9BViitovlw==,iv:Bu8c986MyeHrMioPYlBG/zSzFv4EOytxTHkXZzI6Iow=,tag:EbRlKgdx63M8CDNa/8RrWQ==,type:str]
minio_secret_key: ENC[AES256_GCM,data:zd7bC1c3pam4xqcsaZOf3A==,iv:8K8x9dcsByZ60pytIPl9ESUbZeu+7S8Z+faQEewDZB8=,tag:3/5b8ZzAIqrVtf37eziwjg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo
bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv
UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl
ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-09T13:25:29Z"
mac: ENC[AES256_GCM,data:ro+P8PAr0YDuer3CBf7XBIBz+YlnHGCDGIkKFw1TRvEeJNgNFF6mv+voPyiTFIHRh/541MNlzEyRpc0As1PHU/7O2SLBqKA3GnzaLM4s/5Euu7pXTFl3jtIXtTe1DMGTWmyvyqSNXEoEhPmjFn0bMXKhrINuVWxYkDspZxnnOe4=,iv:MZjiTvWIPacX55RZfVh8qUmVsNPMJaZcJIc8JmxuUag=,tag:Q6MnDbByAno9pwH0xWTKMA==,type:str]
pgp: []
unencrypted_regex: ^(kind)$
version: 3.8.1

3
ansible/inventory/hosts.yml
View File

@@ -7,6 +7,9 @@ all:
coreelec: coreelec:
ansible_host: coreelec.{{ secret_domain }} ansible_host: coreelec.{{ secret_domain }}
ansible_user: root ansible_user: root
minio:
ansible_host: 192.168.9.14
ansible_user: minio
children: children:
truenas-instances: truenas-instances:
hosts: hosts:

1
ansible/playbooks/bootstrap_ansible.yml
View File

@@ -3,6 +3,7 @@
hosts: all hosts: all
become: true become: true
become_user: root become_user: root
gather_facts: false
vars: vars:
python_pwd: /usr/bin/python python_pwd: /usr/bin/python
python_package: python3 python_package: python3

7
ansible/playbooks/minio.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- hosts: minio
become: true
gather_facts: true
any_errors_fatal: true
roles:
- role: minio

42
ansible/roles/minio/tasks/main.yml Normal file
View File

@@ -0,0 +1,42 @@
---
- name: Install MinIO
ansible.builtin.pkgng:
name:
- minio
- curl
state: latest
register: installation
- name: Create MinIO configuration in /etc/rc.conf
ansible.builtin.blockinfile:
path: /etc/rc.conf
state: present
block: |
# MINIO
minio_enable="YES"
minio_disks="/mnt/data"
minio_env="MINIO_ACCESS_KEY={{ minio_access_key }} MINIO_SECRET_KEY={{ minio_secret_key }} MINIO_CONSOLE_ADDRESS=192.168.9.14:9001"
no_log: false
register: configuration
- name: Restart MinIO Service
ansible.builtin.service:
name: minio
state: restarted
enabled: true
when: configuration.changed == true or installation.changed == true
- name: Wait for 5 seconds
ansible.builtin.pause:
seconds: 5
- name: Check MinIO Service
ansible.builtin.command: curl -s localhost:9000/minio/health/live
register: curl_result
ignore_errors: true
changed_when: false
- name: Fail if curl command failed
ansible.builtin.fail:
msg: 'Curl command failed'
when: curl_result.rc != 0

4
kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
View File

@@ -23,7 +23,7 @@ spec:
compression: bzip2 compression: bzip2
maxParallel: 8 maxParallel: 8
destinationPath: s3://postgresql/ destinationPath: s3://postgresql/
endpointURL: https://truenas.${SECRET_DOMAIN}:51515 endpointURL: https://.${SECRET_DOMAIN}:9000
serverName: postgres-v8 serverName: postgres-v8
s3Credentials: s3Credentials:
accessKeyId: accessKeyId:
@@ -39,7 +39,7 @@ spec:
# - name: postgres-v6 # - name: postgres-v6
# barmanObjectStore: # barmanObjectStore:
# destinationPath: s3://postgresql/ # destinationPath: s3://postgresql/
# endpointURL: https://truenas.${SECRET_DOMAIN}:51515 # endpointURL: http://minio.${SECRET_DOMAIN}:9000
# s3Credentials: # s3Credentials:
# accessKeyId: # accessKeyId:
# name: postgres-minio # name: postgres-minio

2
kubernetes/apps/default/hajimari/app/helmrelease.yaml
View File

@@ -67,7 +67,7 @@ spec:
url: "https://truenas-remote.${SECRET_DOMAIN}" url: "https://truenas-remote.${SECRET_DOMAIN}"
- name: minio - name: minio
icon: mdi:aws icon: mdi:aws
url: "https://minio.${SECRET_DOMAIN}:9000" url: "http://minio.${SECRET_DOMAIN}:9000"
- name: pikvm - name: pikvm
icon: mdi:ip-network icon: mdi:ip-network
url: "https://pikvm.${SECRET_DOMAIN}" url: "https://pikvm.${SECRET_DOMAIN}"

2
kubernetes/apps/default/homelab/minio/backup/rclone.conf
View File

@@ -3,7 +3,7 @@ type = s3
provider = Minio provider = Minio
access_key_id = __RCLONE_ACCESS_ID__ access_key_id = __RCLONE_ACCESS_ID__
secret_access_key = __RCLONE_SECRET_KEY__ secret_access_key = __RCLONE_SECRET_KEY__
endpoint = https://minio.${SECRET_DOMAIN}:51515 endpoint = http://minio.${SECRET_DOMAIN}:9000
acl = private acl = private
[gdrive-homelab-backups] [gdrive-homelab-backups]

2
kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
View File

@@ -41,7 +41,7 @@ spec:
command: ["/bin/bash", "/app/opnsense-backup.sh"] command: ["/bin/bash", "/app/opnsense-backup.sh"]
env: env:
OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}" OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}"
S3_URL: "https://truenas.${SECRET_DOMAIN}:51515" S3_URL: "http://minio.${SECRET_DOMAIN}:9000"
envFrom: envFrom:
- secretRef: - secretRef:
name: homelab-opnsense-secret name: homelab-opnsense-secret

2
kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh
View File

@@ -44,7 +44,7 @@ curl -fsSL \
-H "Date: ${http_request_date}" \ -H "Date: ${http_request_date}" \
-H "Content-Type: ${http_content_type}" \ -H "Content-Type: ${http_content_type}" \
-H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \ -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \
"https://truenas.${SECRET_DOMAIN}:51515/${http_filepath}" "http://minio.${SECRET_DOMAIN}:9000/${http_filepath}"
rm /tmp/backup-*.tar rm /tmp/backup-*.tar

2
kubernetes/apps/default/outline/app/helmrelease.yaml
View File

@@ -54,7 +54,7 @@ spec:
AWS_S3_ACL: private AWS_S3_ACL: private
AWS_S3_FORCE_PATH_STYLE: "true" AWS_S3_FORCE_PATH_STYLE: "true"
AWS_S3_UPLOAD_BUCKET_NAME: outline AWS_S3_UPLOAD_BUCKET_NAME: outline
AWS_S3_UPLOAD_BUCKET_URL: "https://truenas.${SECRET_DOMAIN}:51515" AWS_S3_UPLOAD_BUCKET_URL: "http://minio.${SECRET_DOMAIN}:9000"
ENABLE_UPDATES: "false" ENABLE_UPDATES: "false"
FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400" FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization" OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"

2
kubernetes/apps/default/sharry/app/config/sharry.conf
View File

@@ -33,7 +33,7 @@ sharry.restserver {
minio = minio =
{ enabled = true { enabled = true
type = "s3" type = "s3"
endpoint = "https://truenas.${SECRET_DOMAIN}:51515" endpoint = "http://minio.${SECRET_DOMAIN}:9000"
access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}" access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}"
secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}" secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}"
bucket = "sharry" bucket = "sharry"

3
kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
View File

@@ -35,8 +35,9 @@ spec:
type: s3 type: s3
config: config:
bucket: thanos bucket: thanos
endpoint: "truenas.${SECRET_DOMAIN}:51515" endpoint: "minio.${SECRET_DOMAIN}:9000"
region: "" region: ""
insecure: true
query: query:
enabled: true enabled: true
replicaCount: 2 replicaCount: 2

8
kubernetes/flux/vars/cluster-secrets.sops.yaml
View File

@@ -26,8 +26,8 @@ stringData:
SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str] SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str] SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str] SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str]
SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:2qLE/cs=,iv:Ctrw213BgCC2jyEvFp38aOejzY/ZYiwAj9fsPzXgaY0=,tag:LBlIUm1LTAjUIKu4JeLw9A==,type:str] SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:vAVoafxfbareIodsClVGDQ==,iv:1zojUukd2WQEE3ZBpGrIHaDwkWfAqmF1esjxCGWz3mQ=,tag:8HvBGXkTBJwhel89qffWgA==,type:str]
SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:ewm/Pfjb0t3KY46o2+DsnOGUzrk=,iv:rf6K/qx24iMeHG/a/mCQgD132LsFt+wme4Udx50v6NA=,tag:OskpvWusk2B1P/OACWN2eA==,type:str] SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:3MuIeOh66mJ5mblWSPdz/WybNnSRJKZypRuo4ycvKBA=,iv:NHDNCo+y9f5GlwhlPco5nyrHH7t5diFSUydiX3KFfdY=,tag:vf7RCvIznpiM576gmyJK6w==,type:str]
type: Opaque type: Opaque
sops: sops:
kms: [] kms: []
@@ -44,8 +44,8 @@ sops:
WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-30T20:44:55Z" lastmodified: "2024-01-10T00:29:33Z"
mac: ENC[AES256_GCM,data:vTeYdFYzqt0WzUl6M6tDMnTEY+7xN7aZl32emkT33hB4GJPWXwPEHIxKd1blKzpZ9+Dm8zUSO/86eqWSKoI36iKw4FRhtqI1dralguPWpDGO8STE8kyYaLs2xW3R/acbucuD3V5M6YJonzHish/xMJlThao6+n4HsSJGNLneaps=,iv:xNYR/KiFkzZ9/jUSHUYO6vI6APVIdQFuYlRZfM7p6LQ=,tag:seNXM22OcDksY2ugx1mYMw==,type:str] mac: ENC[AES256_GCM,data:WtDnq2nkE5pYz1wt7bpkEfwr2BP1WoI7GiZLQwm6h67T9EtrLY9Dk+3XNTIx8rP/YKuOoLcomxCer4aMNZDib1TC62yZ8gwt9loZNmyqePxOBwSnxQntw+hNlwk2MT3D8lcbWlfq+88vXUeRw/S4SZCpExfBD2ig4y1cj5/fVO8=,iv:UqhcLg+8qHhm5qtokYwS93ZZZFT9AcN65zevNj/iZ2A=,tag:4b+b/DKhidhZC0mY3EvomQ==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.8.1 version: 3.8.1