whisperpine/minio-compose

MinIO Docker Compose

Deploy MinIO with Docker Compose, proxied by Nginx, with TLS certificates automatically renewed by Certbot.

If you want to self-host an AWS S3-compatible object storage service in your office or home lab and access it from anywhere, with zero cloud cost, you have come to the right place. This repository is opinionated and tailored for my use cases, but it may help you get started as a heuristic reference.

flowchart LR
  pub("Access from WAN")
  private("Access from LAN")
  cf("Cloudflare edge nodes")

  pub -.-> cf
  cf ---|tunnel| cloudflared

  subgraph Docker Compose
    cloudflared("Cloudflared")
    nginx("Nginx")
    minio("MinIO"):::red_stroke
    certbot("Certbot")

    cloudflared --- nginx
    nginx --- minio
    nginx -.- certbot
  end

  private -...-> nginx

  classDef red_stroke stroke: #f66
  style certbot stroke-dasharray: 2

Get Started

  • Set up infrastructure with Terraform or OpenTofu.
  • Configure environment variables in the .env file (refer to example.env).
  • Run docker compose up -d to spin up the services.
  • Run sh helper.sh apply to apply for TLS certs for the first time.
  • Run sh helper.sh renew to check that renewal works.
  • Configure cron to automatically renew the TLS certs (see below).

Docker Compose

Edit .env to configure env vars available in compose.yaml. Duplicate example.env as .env to get started.

For historical reasons, the Docker Compose command differs between installations: it can be either docker compose (new) or docker-compose (old). Specify which one to use with the DOCKER_COMPOSE env var in the .env file.

Services

Cloudflare Tunnel

Cloudflare Tunnel provides a secure way to host a service without a public IP address. It's recommended to set up infrastructure like Cloudflare Tunnel with Terraform. See infra/README.md for more details.

Nginx

By default, template files in /etc/nginx/templates/*.template will be read and the result of executing envsubst will be output to /etc/nginx/conf.d/. Refer to Using environment variables in nginx configuration (new in 1.19).

Scripts under /docker-entrypoint.d are automatically executed by the nginx container. dummy-tls.sh is mounted there to create dummy TLS certs, which prevents an nginx crash loop. The dummy TLS certs will be replaced by valid ones after running sh helper.sh apply.

Nginx is also used in conjunction with certbot to apply and renew tls certificates.

Certbot

apply-tls.sh and renew-tls.sh are helper scripts to simplify TLS certs management. Both of them will source the environment variables defined in .env file.

apply-tls.sh will probably be executed only once (if everything's ok in Get Started).

renew-tls.sh should be executed repeatedly, before the TLS certs expire (no more than 3 months). To reduce manual work, it's recommended to configure cron on the host OS:

# run the following command in the root path of this repo.
sudo tee /etc/cron.d/minio-compose << EOF
# renew every 2 months (on the first day of the month).
0 0 1 */2 * root cd "$(pwd)" && sh helper.sh renew
EOF
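
Added example, not from this repository: a small model of how the cron schedule above interacts with certificate expiry. It assumes 90-day certificates and that renew-tls.sh runs a plain certbot renew, which by default only reissues a certificate within 30 days of expiry; the script itself is not shown on this page and may behave differently (for example by forcing renewal), and the issue date is constructed.

```python
from datetime import date, timedelta

CERT_LIFETIME = timedelta(days=90)  # the page: certs last "no more than 3 months"
RENEW_WINDOW = timedelta(days=30)   # assumption: plain `certbot renew` default


def cron_runs(start, end, month_step=2):
    """Dates matched by '0 0 1 */N *': day 1 of months 1, 1+N, ... each year."""
    return [
        date(year, month, 1)
        for year in range(start.year, end.year + 1)
        for month in range(1, 13, month_step)
        if start < date(year, month, 1) <= end
    ]


def simulate(issued, horizon_days=365, month_step=2, force=False):
    """Return (expired_on, renewed_on) gaps during which the cert was expired.

    force=True models a renewal that reissues on every run (assumption:
    something like certbot's --force-renewal); force=False models a run that
    only renews when the cert is within RENEW_WINDOW of expiry.
    """
    expires = issued + CERT_LIFETIME
    gaps = []
    for run in cron_runs(issued, issued + timedelta(days=horizon_days), month_step):
        if not force and expires - run > RENEW_WINDOW:
            continue  # not yet due: this cron run changes nothing
        if run > expires:
            gaps.append((expires, run))  # clients saw an expired cert
        expires = run + CERT_LIFETIME
    return gaps


if __name__ == "__main__":
    issued = date(2025, 1, 15)  # constructed date of the first `helper.sh apply`
    for label, kwargs in [
        ("every 2 months, renew only when due", {}),
        ("every 2 months, forced reissue", {"force": True}),
        ("monthly, renew only when due", {"month_step": 1}),
    ]:
        print(f"{label}: {simulate(issued, **kwargs) or 'no expired period'}")
```

Under these assumptions, a run that finds the certificate with more than 30 days left does nothing, and the next run two months later arrives after expiry. A shorter interval avoids the gap, since certbot renew is a no-op when nothing is due.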
