@PhilipSchmid
Last active December 31, 2023 16:42

Single-host Minio Setup

Docker-Compose single-host Minio S3 setup using Traefik (Let's Encrypt with DNS-01 challenge via Cloudflare) for TLS offloading.

Tested on Ubuntu 20.04.

Host Prerequisites

Run all commands shown here as root, or prepend sudo to the commands that require elevated privileges.

Install Docker

apt-get update
apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io
systemctl enable --now docker
# Verification:
systemctl status docker
docker info

Install Docker-Compose

curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
# Verification:
docker-compose --version

Minio Setup

mkdir -p /root/minio
cd /root/minio
mkdir -p ./traefik/letsencrypt
# Rename "1-minio-env.env" to ".env" and "2-minio-docker-compose.yaml" to "docker-compose.yaml" and copy them to this directory
chmod 600 .env

Start Minio

docker-compose up -d

Install Minio CLI

Sometimes the Minio CLI is required to manage Minio buckets, policies or users:

wget https://dl.min.io/client/mc/release/linux-amd64/mc
mv mc /usr/local/bin/
chmod +x /usr/local/bin/mc
mc --help

Minio Management using Minio CLI

# Configure the local Minio instance:
mc alias set myminio https://minio.example.com <MINIO_ROOT_USER> <MINIO_ROOT_PASSWORD>

# Test the access by listing all buckets:
mc ls myminio

# Create bucket
mc mb myminio/my-bucket

# Add a user
mc admin user add myminio my-user <super-secret-40-char-password-here>

# Create the "rw-my-minio-bucket-policy" policy and assign it to the user so the user only has access to the "my-bucket" bucket:
mc admin policy add myminio rw-my-minio-bucket-policy minio-bucket-policy.json
mc admin policy set myminio rw-my-minio-bucket-policy user=my-user

1-minio-env.env

CLOUDFLARE_API_KEY=...top-secret...
MINIO_ROOT_USER=...top-secret-20-chars...
MINIO_ROOT_PASSWORD=...top-secret-40-chars...

2-minio-docker-compose.yaml

version: "2.4"
services:
  traefik:
    image: traefik:v2.6.1
    container_name: traefik
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.email=admin@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.0.0.1:53,1.1.1.1:53"
    environment:
      CF_API_EMAIL: admin@example.com
      CF_API_KEY: ${CLOUDFLARE_API_KEY}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/letsencrypt:/letsencrypt"
  minio:
    image: quay.io/minio/minio:RELEASE.2022-03-14T18-25-24Z
    container_name: minio
    restart: unless-stopped
    command: server /data --console-address ":9001"
    expose:
      - 9000
      - 9001
    volumes:
      - /s3data:/data
    environment:
      MINIO_ROOT_USER: ${MINIO_ROOT_USER}
      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
      MINIO_BROWSER_REDIRECT_URL: https://minio-console.example.com
      MINIO_SERVER_URL: https://minio.example.com
    labels:
      - traefik.enable=true
      - traefik.http.services.minio.loadbalancer.server.port=9000
      - traefik.http.routers.minio.rule=Host(`minio.example.com`)
      - traefik.http.routers.minio.tls.certresolver=le
      - traefik.http.routers.minio.entrypoints=websecure
      - traefik.http.routers.minio.service=minio
      - traefik.http.services.minio-console.loadbalancer.server.port=9001
      - traefik.http.routers.minio-console.rule=Host(`minio-console.example.com`)
      - traefik.http.routers.minio-console.tls.certresolver=le
      - traefik.http.routers.minio-console.entrypoints=websecure
      - traefik.http.routers.minio-console.service=minio-console

minio-bucket-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
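
Before attaching the policy above to my-user, it helps to check what it actually grants. The following is an added example, not part of the original gist: a simplified policy evaluator (explicit Deny, then Allow, then implicit deny) run against the policy from this page. The function names and the probe requests are assumptions made for illustration; Condition, NotAction, NotResource and Principal are not modelled.

```python
import json
import re

# Policy from this page (minio-bucket-policy.json), embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::my-bucket"]},
  {"Effect": "Allow", "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::my-bucket/*"]}]}
""")

def _as_list(value):
    # Policy fields may be a single item or a list of items.
    return list(value) if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    # Only "*" and "?" are wildcards in policy patterns; everything else is literal.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S | (re.I if ignore_case else 0)) is not None

def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, then any Allow, else deny.
    Assumption: Condition, NotAction, NotResource and Principal are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_wild(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_wild(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def out_of_scope(policy, bucket):
    """Allow resources that are neither the bucket ARN nor a path inside it."""
    arn = f"arn:aws:s3:::{bucket}"
    return [r for s in _as_list(policy["Statement"]) if s["Effect"] == "Allow"
            for r in _as_list(s["Resource"])
            if r != arn and not r.startswith(arn + "/")]

if __name__ == "__main__":
    probes = [  # constructed sample requests
        ("s3:ListBucket", "arn:aws:s3:::my-bucket"),
        ("s3:DeleteObject", "arn:aws:s3:::my-bucket/report.csv"),
        ("s3:DeleteBucket", "arn:aws:s3:::my-bucket"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
    ]
    for action, resource in probes:
        print(f"{is_allowed(POLICY, action, resource)!s:5} {action:16} {resource}")
    print("out-of-scope resources:", out_of_scope(POLICY, "my-bucket"))
```

The s3:* statement covers every object-level action inside my-bucket, including deletes, while bucket-level actions other than s3:ListBucket stay denied because the bucket ARN itself appears only in the first statement.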