Unverified Commit 7c166f41 authored by Pascal Bach's avatar Pascal Bach Committed by GitHub

Merge pull request #221096 from awakesecurity/minio-paths

nixos/minio: gracefully handle root credentials file
parents 0fea9287 740fea3e
+56 −23
@@ -96,11 +96,12 @@ in
  config = mkIf cfg.enable {
    warnings = optional ((cfg.accessKey != "") || (cfg.secretKey != "")) "services.minio.`accessKey` and services.minio.`secretKey` are deprecated, please use services.minio.`rootCredentialsFile` instead.";

    systemd.tmpfiles.rules = [
    systemd = lib.mkMerge [{
      tmpfiles.rules = [
        "d '${cfg.configDir}' - minio minio - -"
      ] ++ (map (x: "d '" + x + "' - minio minio - - ") cfg.dataDir);

    systemd.services.minio = {
      services.minio = {
        description = "Minio Object Storage";
        after = [ "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
@@ -110,7 +111,8 @@ in
          User = "minio";
          Group = "minio";
          LimitNOFILE = 65536;
        EnvironmentFile = if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile
          EnvironmentFile =
            if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile
            else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then (legacyCredentials cfg)
            else null;
        };
@@ -119,6 +121,37 @@ in
          MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
        };
      };
    }

      (lib.mkIf (cfg.rootCredentialsFile != null) {
        # The service will fail if the credentials file is missing
        services.minio.unitConfig.ConditionPathExists = cfg.rootCredentialsFile;

        # The service will not restart if the credentials file has
        # been changed. This can cause stale root credentials.
        paths.minio-root-credentials = {
          wantedBy = [ "multi-user.target" ];

          pathConfig = {
            PathChanged = [ cfg.rootCredentialsFile ];
            Unit = "minio-restart.service";
          };
        };

        services.minio-restart = {
          description = "Restart MinIO";

          script = ''
            systemctl restart minio.service
          '';

          serviceConfig = {
            Type = "oneshot";
            Restart = "on-failure";
            RestartSec = 5;
          };
        };
      })];

    users.users.minio = {
      group = "minio";
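Review bot: The comment `# The service will fail if the credentials file is missing` above `services.minio.unitConfig.ConditionPathExists` describes the opposite of what the directive does: when the condition is not met systemd skips the start and leaves `minio.service` inactive with a "condition failed" status rather than failed, so a missing or mistyped `rootCredentialsFile` path no longer surfaces as a failed unit that monitoring would catch. Suggest `# Skip (not fail) the start when the credentials file is missing; systemctl status then shows "condition failed"` and a sentence on the option's description telling operators to check for that state. Separately, `minio-restart` sets `Restart = "on-failure"` with `RestartSec = 5` but no start-limit settings; if `systemctl restart minio.service` keeps failing (for example a credentials file that exists but is incomplete, which the test deliberately writes first), the oneshot will presumably retry every five seconds without bound — worth confirming and capping with `startLimitBurst`/`startLimitIntervalSec`, or leaving retries to `minio.service` itself. The `systemd = lib.mkMerge [ … ]` list these entries belong to opens in the first hunk of this section, and `minio.service`'s own restart policy is not visible here.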
+49 −35
@@ -18,7 +18,16 @@ let
      sio.seek(0)
      minioClient.put_object('test-bucket', 'test.txt', sio, sio_len, content_type='text/plain')
    '';
in {
    rootCredentialsFile = "/etc/nixos/minio-root-credentials";
    credsPartial = pkgs.writeText "minio-credentials-partial" ''
      MINIO_ROOT_USER=${accessKey}
    '';
    credsFull = pkgs.writeText "minio-credentials-full" ''
      MINIO_ROOT_USER=${accessKey}
      MINIO_ROOT_PASSWORD=${secretKey}
    '';
  in
  {
    name = "minio";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ bachp ];
@@ -28,10 +37,7 @@ in {
      machine = { pkgs, ... }: {
        services.minio = {
          enable = true;
        rootCredentialsFile = pkgs.writeText "minio-credentials" ''
          MINIO_ROOT_USER=${accessKey}
          MINIO_ROOT_PASSWORD=${secretKey}
        '';
          inherit rootCredentialsFile;
        };
        environment.systemPackages = [ pkgs.minio-client ];

@@ -41,7 +47,15 @@ in {
    };

    testScript = ''
      import time

      start_all()
      # simulate manually editing root credentials file
      machine.wait_for_unit("multi-user.target")
      machine.copy_from_host("${credsPartial}", "${rootCredentialsFile}")
      time.sleep(3)
      machine.copy_from_host("${credsFull}", "${rootCredentialsFile}")

      machine.wait_for_unit("minio.service")
      machine.wait_for_open_port(9000)