feat: migrate m3-atlas from MinIO to RustFS

- Replace minio.nix with rustfs.nix using rustfs-flake NixOS module - Add rustfs flake input (github:rustfs/rustfs-flake) - Reuse same ports (API: 3008, Console: 3007) and data dir (/var/storage/s3) - Add separate agenix secrets for access-key and secret-key - Keep Traefik routes unchanged (s3.m3tam3re.com, minio.m3tam3re.com) - MinIO had 6 unfixed CVEs and is abandoned upstream
2026-05-02 11:44:32 +02:00
parent 90e417525b
commit b7dd7f2bf7
8 changed files with 467 additions and 66 deletions
--- a/hosts/m3-atlas/services/default.nix
+++ b/hosts/m3-atlas/services/default.nix
@@ -4,7 +4,7 @@
    ./containers
    ./gitea.nix
    ./gitea-actions-runner.nix
-    ./minio.nix
+    ./rustfs.nix
    ./mysql.nix
    ./netbird.nix
    ./n8n.nix
--- a/hosts/m3-atlas/services/rustfs.nix
+++ b/hosts/m3-atlas/services/rustfs.nix
@@ -1,14 +1,29 @@
-{config, ...}: {
-  services.minio = {
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}: {
+  services.rustfs = {
    enable = true;
-    region = "eu-central-1";
+    package = inputs.rustfs.packages.${pkgs.stdenv.hostPlatform.system}.default;
+
+    # Reuse existing MinIO data directory
+    volumes = "/var/storage/s3";
+
+    # Keep same ports as MinIO to avoid changing Traefik and client configs
+    address = ":3008";
+    consoleEnable = true;
    consoleAddress = ":3007";
-    listenAddress = ":3008";
-    browser = true;
-    rootCredentialsFile = config.age.secrets.minio-root-cred.path;
-    dataDir = ["/var/storage/s3"];
+
+    # Credentials via agenix
+    accessKeyFile = config.age.secrets.rustfs-access-key.path;
+    secretKeyFile = config.age.secrets.rustfs-secret-key.path;
+
+    logLevel = "info";
  };
-  # Traefik configuration specific to minio
+
+  # Traefik configuration — same routes as before
  services.traefik.dynamicConfigOptions.http = {
    services.minio-console.loadBalancer.servers = [
      {