feat: migrate m3-atlas from MinIO to RustFS

- Replace minio.nix with rustfs.nix using rustfs-flake NixOS module - Add rustfs flake input (github:rustfs/rustfs-flake) - Reuse same ports (API: 3008, Console: 3007) and data dir (/var/storage/s3) - Add separate agenix secrets for access-key and secret-key - Keep Traefik routes unchanged (s3.m3tam3re.com, minio.m3tam3re.com) - MinIO had 6 unfixed CVEs and is abandoned upstream
2026-05-02 11:44:32 +02:00
parent 90e417525b
commit b7dd7f2bf7
8 changed files with 467 additions and 66 deletions
--- a/hosts/m3-atlas/services/rustfs.nix
+++ b/hosts/m3-atlas/services/rustfs.nix
@@ -0,0 +1,56 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}: {
+  services.rustfs = {
+    enable = true;
+    package = inputs.rustfs.packages.${pkgs.stdenv.hostPlatform.system}.default;
+
+    # Reuse existing MinIO data directory
+    volumes = "/var/storage/s3";
+
+    # Keep same ports as MinIO to avoid changing Traefik and client configs
+    address = ":3008";
+    consoleEnable = true;
+    consoleAddress = ":3007";
+
+    # Credentials via agenix
+    accessKeyFile = config.age.secrets.rustfs-access-key.path;
+    secretKeyFile = config.age.secrets.rustfs-secret-key.path;
+
+    logLevel = "info";
+  };
+
+  # Traefik configuration — same routes as before
+  services.traefik.dynamicConfigOptions.http = {
+    services.minio-console.loadBalancer.servers = [
+      {
+        url = "http://localhost:3007/";
+      }
+    ];
+    services.minio.loadBalancer.servers = [
+      {
+        url = "http://localhost:3008/";
+      }
+    ];
+
+    routers.minio = {
+      rule = "Host(`s3.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "minio";
+      entrypoints = "websecure";
+    };
+    routers.minio-console = {
+      rule = "Host(`minio.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "minio-console";
+      entrypoints = "websecure";
+    };
+  };
+}