Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?

Single-host Minio Setup

Docker-Compose single-host Minio S3 setup using Traefik (Let's Encrypt with DNS-01 challenge via Cloudflare) for TLS offloading.

Tested on Ubuntu 20.04.

Host Prerequisites

Run all commands shown here with root or prepend a sudo to the regarding commands which require higher privileges.

Install Docker

apt-get update
apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io
systemctl enable --now docker
# Verification:
systemctl status docker
docker info

Sources:

Install Docker-Compose

curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
# Verification:
docker-compose --version

Sources:

Minio Setup

mkdir -p /root/minio
cd /root/minio
mkdir -p ./traefik/letsencrypt
# Rename "1-minio-env.env" to ".env" and "2-minio-docker-compose.yaml" to "docker-compose.yaml" and copy them to this directory
chmod 600 .env

Start Minio

docker-compose up -d

Install Minio CLI

Sometimes the Minio CLI is required to manage Minio buckets, policies or users:

wget https://dl.min.io/client/mc/release/linux-amd64/mc
mv mc /usr/local/bin/
chmod +x /usr/local/bin/mc
mc --help

Minio Management using Minio CLI

# Configure the local Minio instance:
mc alias set myminio https://minio.example.com <MINIO_ROOT_USER> <MINIO_ROOT_PASSWORD>

# Test the access by listing all buckets:
mc ls myminio

# Create bucket
mc mb myminio/my-bucket

# Add an user
mc admin user add myminio my-user <super-secret-40-char-password-here>

# Create the "rw-my-minio-bucket-policy" policy and assign it to the user so the user only has access to the "my-bucket" bucket:
mc admin policy add myminio rw-my-minio-bucket-policy minio-bucket-policy.json
mc admin policy set myminio rw-my-minio-bucket-policy user=my-user
CLOUDFLARE_API_KEY=...top-secret...
MINIO_ROOT_USER=...top-secret-20-chars...
MINIO_ROOT_PASSWORD=...top-secret-40-chars...
version: "2.4"
services:
traefik:
image: traefik:v2.6.1
container_name: traefik
restart: unless-stopped
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.le.acme.dnschallenge=true"
- "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.le.acme.email=admin@example.com"
- "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.0.0.1:53,1.1.1.1:53"
environment:
CF_API_EMAIL: admin@example.com
CF_API_KEY: ${CLOUDFLARE_API_KEY}
ports:
- "80:80"
- "443:443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./traefik/letsencrypt:/letsencrypt"
minio:
image: quay.io/minio/minio:RELEASE.2022-03-14T18-25-24Z
container_name: minio
restart: unless-stopped
command: server /data --console-address ":9001"
expose:
- 9000
- 9001
volumes:
- /s3data:/data
environment:
MINIO_ROOT_USER: ${MINIO_ROOT_USER}
MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
MINIO_BROWSER_REDIRECT_URL: https://minio-console.example.com
MINIO_SERVER_URL: https://minio.example.com
labels:
- traefik.enable=true
- traefik.http.services.minio.loadbalancer.server.port=9000
- traefik.http.routers.minio.rule=Host(`minio.example.com`)
- traefik.http.routers.minio.tls.certresolver=le
- traefik.http.routers.minio.entrypoints=websecure
- traefik.http.routers.minio.service=minio
- traefik.http.services.minio-console.loadbalancer.server.port=9001
- traefik.http.routers.minio-console.rule=Host(`minio-console.example.com`)
- traefik.http.routers.minio-console.tls.certresolver=le
- traefik.http.routers.minio-console.entrypoints=websecure
- traefik.http.routers.minio-console.service=minio-console
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment