feat: Migrate MinIO → RustFS on m3-atlas #10

Merged
m3tam3re merged 1 commit from feat/rustfs-migration into master 2026-05-05 18:09:26 +02:00
Collaborator

MinIO → RustFS Migration

MinIO is marked insecure with 6 unfixed CVEs and abandoned upstream.

Changes

  • Replace minio.nix with rustfs.nix using the official rustfs-flake NixOS module
  • Add rustfs flake input (github:rustfs/rustfs-flake)
  • Reuse same ports (API: 3008, Console: 3007) and data dir (/var/storage/s3)
  • Add separate agenix secrets (rustfs-access-key.age, rustfs-secret-key.age)
  • Keep Traefik routes unchanged (s3.m3tam3re.com, minio.m3tam3re.com)
  • Remove minio.nix (git history preserved)

CVEs Fixed

  • CVE-2026-40344: Unauthenticated Object Write (Missing Signature Verification)
  • CVE-2026-41145: Query-String Credential Signature Bypass
  • CVE-2026-33322: JWT Algorithm Confusion in OIDC
  • CVE-2026-33419: LDAP Brute-force via User Enumeration
  • CVE-2026-34204: SSE Metadata Injection via Replication Headers
  • CVE-2026-39414: DoS via Unbounded Memory Allocation

Manual Steps Required (on m3-atlas)

  1. Create new agenix secrets files (see migration guide)
  2. Data migration via mc mirror or in-place binary swap
  3. Verify service health and bucket access

RustFS Benefits

  • Apache 2.0 license (not AGPL)
  • 2.3x faster for small objects
  • Active development (26K+ GitHub stars)
  • Full S3 API compatibility
  • Rust memory safety (no GC pauses)
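Step 3 of the manual steps ("Verify service health and bucket access") is left to the operator. The script below is an added example, not part of this PR or of the RustFS or MinIO projects: it pages through a bucket on both the old and the new endpoint with SigV4-signed ListObjectsV2 requests, reports keys that are missing, changed (different ETag or size) or unexpected after the `mc mirror`, and confirms that an unsigned listing of the new endpoint is rejected with 403, which is the check worth running when the CVEs being retired include missing signature verification. The endpoint URLs, the bucket name, the `S3_ACCESS_KEY`/`S3_SECRET_KEY` variable names and the `us-east-1` region default are assumptions; the sample XML response is constructed.

```python
"""Post-migration checks for an S3-compatible endpoint (added example, not from the PR).

Assumptions: old and new API endpoints reachable over HTTP(S), credentials in the
environment variables S3_ACCESS_KEY / S3_SECRET_KEY, region "us-east-1" (any S3
implementation accepts a fixed region string for SigV4 as long as it is consistent).
"""
import hashlib
import hmac
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less request

# Constructed ListObjectsV2 response used for the offline demonstration and tests.
SAMPLE_LISTING = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    b'<IsTruncated>true</IsTruncated><NextContinuationToken>tok1</NextContinuationToken>'
    b'<Contents><Key>a.txt</Key><ETag>"d41d8cd98f00b204e9800998ecf8427e"</ETag><Size>0</Size></Contents>'
    b'<Contents><Key>b.bin</Key><ETag>"abc"</ETag><Size>12</Size></Contents>'
    b'</ListBucketResult>'
)


def sign_v4(method, url, access_key, secret_key, region="us-east-1", now=None):
    """Return AWS SigV4 headers for a body-less request (GET/HEAD) to `url`."""
    now = now or datetime.now(timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    u = urllib.parse.urlsplit(url)
    # Canonical query string: each key and value URI-encoded, pairs sorted by key.
    pairs = urllib.parse.parse_qsl(u.query, keep_blank_values=True)
    query = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                     for k, v in sorted(pairs))
    # Signed headers, already in the lexical order SigV4 requires.
    headers = {"host": u.netloc, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    signed = ";".join(headers)
    canonical = "\n".join([method, urllib.parse.quote(u.path or "/", safe="/"), query,
                           "".join(f"{k}:{v}\n" for k, v in headers.items()), signed, EMPTY_SHA256])
    scope = f"{date}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):  # derive the per-day signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in headers.items() if k != "host"}  # urllib sets Host itself
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed}, Signature={sig}")
    return out


def parse_listing(xml_bytes):
    """Return ({key: (etag, size)}, continuation_token) from one ListObjectsV2 page."""
    root = ET.fromstring(xml_bytes)
    objects = {c.findtext(f"{S3_NS}Key"): (c.findtext(f"{S3_NS}ETag").strip('"'),
                                           int(c.findtext(f"{S3_NS}Size")))
               for c in root.iter(f"{S3_NS}Contents")}
    truncated = root.findtext(f"{S3_NS}IsTruncated") == "true"
    return objects, (root.findtext(f"{S3_NS}NextContinuationToken") if truncated else None)


def list_bucket(endpoint, bucket, access_key, secret_key):
    """Collect every object in `bucket`, following continuation tokens with signed requests."""
    objects, token = {}, None
    while True:
        params = {"list-type": "2"}
        if token:
            params["continuation-token"] = token
        url = f"{endpoint}/{bucket}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers=sign_v4("GET", url, access_key, secret_key))
        with urllib.request.urlopen(req, timeout=30) as resp:
            page, token = parse_listing(resp.read())
        objects.update(page)
        if not token:
            return objects


def diff_listings(src, dst):
    """Keys missing on the destination, present with another ETag/size, or not in the source."""
    return {"missing": sorted(k for k in src if k not in dst),
            "changed": sorted(k for k in src if k in dst and src[k] != dst[k]),
            "extra": sorted(k for k in dst if k not in src)}


def unauthenticated_status(endpoint, bucket):
    """HTTP status of an unsigned listing; a private bucket on a sound server answers 403."""
    try:
        with urllib.request.urlopen(f"{endpoint}/{bucket}?list-type=2", timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    if len(sys.argv) == 4:  # live run: verify.py OLD_ENDPOINT NEW_ENDPOINT BUCKET
        old, new, bucket = sys.argv[1:4]
        ak, sk = os.environ["S3_ACCESS_KEY"], os.environ["S3_SECRET_KEY"]
        report = diff_listings(list_bucket(old, bucket, ak, sk), list_bucket(new, bucket, ak, sk))
        status = unauthenticated_status(new, bucket)
        print(report, "unsigned listing ->", status)
        sys.exit(0 if not any(report.values()) and status == 403 else 1)
    objs, _ = parse_listing(SAMPLE_LISTING)  # offline demonstration on the constructed page
    print(diff_listings(objs, {"a.txt": objs["a.txt"]}))
```

ETags equal the object's MD5 only for single-part uploads; objects that were multipart-uploaded on the old server and re-uploaded by `mc mirror` can legitimately show up under "changed" with identical sizes, so treat a size mismatch as the hard failure and confirm ETag-only differences with a checksum of the downloaded object. A non-403 answer to the unsigned listing (200, or 404 hiding the bucket) means the bucket policy or anonymous access settings still need attention before the Traefik routes point at the new service.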
m3ta-chiron added 1 commit 2026-05-02 11:44:59 +02:00
- Replace minio.nix with rustfs.nix using rustfs-flake NixOS module
- Add rustfs flake input (github:rustfs/rustfs-flake)
- Reuse same ports (API: 3008, Console: 3007) and data dir (/var/storage/s3)
- Add separate agenix secrets for access-key and secret-key
- Keep Traefik routes unchanged (s3.m3tam3re.com, minio.m3tam3re.com)
- MinIO had 6 unfixed CVEs and is abandoned upstream
m3tam3re merged commit 1b05ed5dc0 into master 2026-05-05 18:09:26 +02:00
m3tam3re deleted branch feat/rustfs-migration 2026-05-05 18:09:26 +02:00
Reference: m3tam3re/nixos-config#10