authorJohn Soo <john.soo@arista.com>2023-03-13 16:50:04 -0700
committerJohn Soo <john.soo@arista.com>2023-03-13 17:43:19 -0700
commite30469a37bfdd898b0f359c758c18bc00167cbaf (patch)
tree77dbc077aa01e8f9d17d4fb29dbec0430aa58cfd /nixos/modules/services/web-servers/minio.nix
parent7f85002ec004d0f4bfe5023598047567273fec71 (diff)
nixos/minio: activate/restart service on credentials path changes
Otherwise the `minio.service` service will fail either:

* with a message that the EnvironmentFile does not exist
* or silently with potentially stale credentials
Diffstat (limited to 'nixos/modules/services/web-servers/minio.nix')
-rw-r--r--nixos/modules/services/web-servers/minio.nix75
1 files changed, 52 insertions, 23 deletions
diff --git a/nixos/modules/services/web-servers/minio.nix b/nixos/modules/services/web-servers/minio.nix
index b2d48f961f14a..a1695e6a1edf2 100644
--- a/nixos/modules/services/web-servers/minio.nix
+++ b/nixos/modules/services/web-servers/minio.nix
@@ -96,30 +96,59 @@ in
   config = mkIf cfg.enable {
     warnings = optional ((cfg.accessKey != "") || (cfg.secretKey != "")) "services.minio.`accessKey` and services.minio.`secretKey` are deprecated, please use services.minio.`rootCredentialsFile` instead.";
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.configDir}' - minio minio - -"
-    ] ++ (map (x: "d '" + x + "' - minio minio - - ") cfg.dataDir);
-
-    systemd.services.minio = {
-      description = "Minio Object Storage";
-      after = [ "network-online.target" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}";
-        Type = "simple";
-        User = "minio";
-        Group = "minio";
-        LimitNOFILE = 65536;
-        EnvironmentFile =
-          if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile
-          else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then (legacyCredentials cfg)
-          else null;
+    systemd = lib.mkMerge [{
+      tmpfiles.rules = [
+        "d '${cfg.configDir}' - minio minio - -"
+      ] ++ (map (x: "d '" + x + "' - minio minio - - ") cfg.dataDir);
+
+      services.minio = {
+        description = "Minio Object Storage";
+        after = [ "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}";
+          Type = "simple";
+          User = "minio";
+          Group = "minio";
+          LimitNOFILE = 65536;
+          EnvironmentFile =
+            if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile
+            else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then (legacyCredentials cfg)
+            else null;
+        };
+        environment = {
+          MINIO_REGION = "${cfg.region}";
+          MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
+        };
       };
-      environment = {
-        MINIO_REGION = "${cfg.region}";
-        MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
-      };
-    };
+    }
+
+      (lib.mkIf (cfg.rootCredentialsFile != null) {
+        services.minio.unitConfig.ConditionPathExists = cfg.rootCredentialsFile;
+
+        paths.minio-root-credentials = {
+          wantedBy = [ "multi-user.target" ];
+
+          pathConfig = {
+            PathChanged = [ cfg.rootCredentialsFile ];
+            Unit = "minio-restart.service";
+          };
+        };
+
+        services.minio-restart = {
+          description = "Restart MinIO";
+
+          script = ''
+            systemctl restart minio.service
+          '';
+
+          serviceConfig = {
+            Type = "oneshot";
+            Restart = "on-failure";
+            RestartSec = 5;
+          };
+        };
+      })];
 
     users.users.minio = {
       group = "minio";
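Review bot: `ConditionPathExists` on `services.minio.unitConfig` only checks that the credentials file is present, so a file that exists but is still empty lets `minio.service` start with an `EnvironmentFile` that sets no root credentials; as far as I know MinIO then falls back to its built-in default root user and password. `services.minio.unitConfig.ConditionFileNotEmpty = cfg.rootCredentialsFile;` would close most of that window while keeping the path-triggered start. A comment above the `lib.mkIf` block would also help, e.g. `# A missing credentials file skips minio.service (condition, not failure); minio-root-credentials.path starts it once the file is written.`, because a condition-skipped unit is not reported as failed, so monitoring that watches for failed units will not flag it. The enclosing `config = mkIf cfg.enable { … }` block continues past the end of the hunk.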