sendico/infra/s3/docker-compose.yml
# Wrapper script that every MinIO service below mounts at
# /usr/local/bin/minio-wait and runs as its entrypoint. Anyone who can change
# ./minio-wait.sh decides what executes at container start, so review edits
# to that file the same way as edits to this stack.
configs:
  minio_wait_sh:
    file: ./minio-wait.sh
services:
  # Vault Agent sidecar. The healthcheck below only turns healthy once
  # MINIO_ROOT_USER and MINIO_ROOT_PASSWORD exist as non-empty files under
  # /vault/secrets; how they get rendered is defined in ./vault/agent.hcl,
  # which is not part of this file.
  vault-agent-s3:
    # NOTE(review): ":latest" is a mutable tag, so a redeploy can pull a
    # different image without any change here. Prefer a reviewed version or
    # digest, e.g. hashicorp/vault:<PINNED_VERSION>.
    image: hashicorp/vault:latest
    command: >
      sh -lc 'vault agent -config=/etc/vault/agent.hcl'
    cap_add:
      - IPC_LOCK
    environment:
      # NOTE(review): plain HTTP. The AppRole login and the secrets returned
      # by Vault cross the "cicd" network unencrypted unless that network is
      # itself encrypted -- confirm, or switch to an https:// listener.
      VAULT_ADDR: "http://vault:8200"
    secrets:
      # NOTE(review): both AppRole credentials are mounted inside
      # /vault/secrets, the same directory that the vault-secrets volume
      # shares with the MinIO containers. A separate directory for the
      # credentials would keep the login material and the rendered secrets
      # apart -- confirm the paths against agent.hcl before moving them.
      - source: s3_vault_role_id
        target: /vault/secrets/role_id
      - source: s3_vault_secret_id
        target: /vault/secrets/secret_id
    volumes:
      # Agent configuration is read-only; the secrets volume is writable
      # only in this service.
      - "./vault:/etc/vault:ro"
      - "vault-secrets:/vault/secrets:rw"
    networks:
      - cicd
    healthcheck:
      test:
        - CMD-SHELL
        - "test -s /vault/secrets/MINIO_ROOT_USER -a -s /vault/secrets/MINIO_ROOT_PASSWORD"
      interval: 10s
      timeout: 3s
      retries: 10
    deploy:
      placement:
        constraints:
          - "node.role == manager"

  # MinIO node 1 of 4. This is the only node with Traefik routing enabled,
  # so both the S3 API and the admin console are reached through it.
  minio1:
    # NOTE(review): mutable tag; pin to a reviewed release or digest, e.g.
    # quay.io/minio/minio:<PINNED_RELEASE_TAG>.
    image: quay.io/minio/minio:latest
    hostname: minio1
    entrypoint:
      - /usr/local/bin/minio-wait
    command:
      - server
      - --console-address
      - ":9001"
      - "http://minio1:9000/data"
      - "http://minio2:9000/data"
      - "http://minio3:9000/data"
      - "http://minio4:9000/data"
    configs:
      - source: minio_wait_sh
        target: /usr/local/bin/minio-wait
        # Octal: executable, writable by the owner only.
        mode: 0755
    environment:
      # Root credentials are read from files in the shared secrets volume
      # rather than being written into this file.
      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
      MINIO_SERVER_URL: "https://s3.sendico.io"
      MINIO_BROWSER_REDIRECT_URL: "https://minio.sendico.io"
    volumes:
      - "minio1_data:/data"
      # Read-only: MinIO consumes the rendered secrets, it never writes them.
      - "vault-secrets:/vault/secrets:ro"
    networks:
      - cicd
    deploy:
      placement:
        constraints:
          - "node.role == manager"
      # NOTE(review): indentation was lost in the source listing; the labels
      # are placed under "deploy" because they follow the placement block
      # there -- confirm against the repository copy.
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=cicd"
        # services (state the ports explicitly)
        - "traefik.http.services.s3-minio-api.loadbalancer.server.port=9000"
        - "traefik.http.services.s3-minio-console.loadbalancer.server.port=9001"
        # router for the API
        - "traefik.http.routers.s3-minio-api.rule=Host(`s3.sendico.io`)"
        - "traefik.http.routers.s3-minio-api.entrypoints=websecure"
        - "traefik.http.routers.s3-minio-api.tls=true"
        - "traefik.http.routers.s3-minio-api.tls.certresolver=letsencrypt"
        - "traefik.http.routers.s3-minio-api.service=s3-minio-api"
        # router for the Console
        # NOTE(review): the admin console is published on the same
        # "websecure" entrypoint as the API and no access-restricting
        # middleware is attached here. If that entrypoint faces the
        # internet, the root login page does too; consider an allowlist or
        # an internal-only entrypoint for this router.
        - "traefik.http.routers.s3-minio-console.rule=Host(`minio.sendico.io`)"
        - "traefik.http.routers.s3-minio-console.entrypoints=websecure"
        - "traefik.http.routers.s3-minio-console.tls=true"
        - "traefik.http.routers.s3-minio-console.tls.certresolver=letsencrypt"
        - "traefik.http.routers.s3-minio-console.service=s3-minio-console"

  # MinIO node 2 of 4. Same server arguments and credentials source as
  # minio1; Traefik routing is switched off for it.
  minio2:
    # NOTE(review): mutable tag; all four nodes should run the same pinned
    # release, e.g. quay.io/minio/minio:<PINNED_RELEASE_TAG>.
    image: quay.io/minio/minio:latest
    hostname: minio2
    entrypoint:
      - /usr/local/bin/minio-wait
    command:
      - server
      - --console-address
      - ":9001"
      - "http://minio1:9000/data"
      - "http://minio2:9000/data"
      - "http://minio3:9000/data"
      - "http://minio4:9000/data"
    configs:
      - source: minio_wait_sh
        target: /usr/local/bin/minio-wait
        # Octal: executable, writable by the owner only.
        mode: 0755
    environment:
      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
      MINIO_SERVER_URL: "https://s3.sendico.io"
      MINIO_BROWSER_REDIRECT_URL: "https://minio.sendico.io"
    volumes:
      - "minio2_data:/data"
      - "vault-secrets:/vault/secrets:ro"
    networks:
      - cicd
    deploy:
      placement:
        constraints:
          - "node.role == manager"
      labels:
        - "traefik.enable=false"

  # MinIO node 3 of 4. Same server arguments and credentials source as
  # minio1; Traefik routing is switched off for it.
  minio3:
    # NOTE(review): mutable tag; all four nodes should run the same pinned
    # release, e.g. quay.io/minio/minio:<PINNED_RELEASE_TAG>.
    image: quay.io/minio/minio:latest
    hostname: minio3
    entrypoint:
      - /usr/local/bin/minio-wait
    command:
      - server
      - --console-address
      - ":9001"
      - "http://minio1:9000/data"
      - "http://minio2:9000/data"
      - "http://minio3:9000/data"
      - "http://minio4:9000/data"
    configs:
      - source: minio_wait_sh
        target: /usr/local/bin/minio-wait
        # Octal: executable, writable by the owner only.
        mode: 0755
    environment:
      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
      MINIO_SERVER_URL: "https://s3.sendico.io"
      MINIO_BROWSER_REDIRECT_URL: "https://minio.sendico.io"
    volumes:
      - "minio3_data:/data"
      - "vault-secrets:/vault/secrets:ro"
    networks:
      - cicd
    deploy:
      placement:
        constraints:
          - "node.role == manager"
      labels:
        - "traefik.enable=false"

  # MinIO node 4 of 4. Same server arguments and credentials source as
  # minio1; Traefik routing is switched off for it.
  minio4:
    # NOTE(review): mutable tag; all four nodes should run the same pinned
    # release, e.g. quay.io/minio/minio:<PINNED_RELEASE_TAG>.
    image: quay.io/minio/minio:latest
    hostname: minio4
    entrypoint:
      - /usr/local/bin/minio-wait
    command:
      - server
      - --console-address
      - ":9001"
      - "http://minio1:9000/data"
      - "http://minio2:9000/data"
      - "http://minio3:9000/data"
      - "http://minio4:9000/data"
    configs:
      - source: minio_wait_sh
        target: /usr/local/bin/minio-wait
        # Octal: executable, writable by the owner only.
        mode: 0755
    environment:
      MINIO_ROOT_USER_FILE: /vault/secrets/MINIO_ROOT_USER
      MINIO_ROOT_PASSWORD_FILE: /vault/secrets/MINIO_ROOT_PASSWORD
      MINIO_SERVER_URL: "https://s3.sendico.io"
      MINIO_BROWSER_REDIRECT_URL: "https://minio.sendico.io"
    volumes:
      - "minio4_data:/data"
      - "vault-secrets:/vault/secrets:ro"
    networks:
      - cicd
    deploy:
      placement:
        constraints:
          - "node.role == manager"
      labels:
        - "traefik.enable=false"
# Pre-existing network shared with other stacks; this file does not create it.
# Everything attached to "cicd" can reach the MinIO API (9000), the MinIO
# console (9001) and the Vault agent's peers directly, bypassing Traefik, so
# membership of this network is part of the trust boundary.
networks:
  cicd:
    external: true
volumes:
  # tmpfs-backed volume for the secrets the Vault agent hands to MinIO, so
  # they live in memory and are not written to the node's disk by this
  # volume. Size is capped at 16 MiB.
  # NOTE(review): ownership is fixed to uid/gid 1000 with mode 0750 --
  # confirm this matches the users the agent and MinIO containers run as.
  # NOTE(review): a "local" volume exists per node; with more than one
  # manager node the agent and a MinIO task may not share it -- confirm.
  vault-secrets:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: "size=16m,uid=1000,gid=1000,mode=0750"
  # One data volume per MinIO node, default driver and options.
  minio1_data: {}
  minio2_data: {}
  minio3_data: {}
  minio4_data: {}
# AppRole credentials for the Vault agent. Both are external: they must
# already exist in the cluster and their values never appear in this file.
# Only vault-agent-s3 references them; the MinIO services do not.
secrets:
  s3_vault_role_id:
    external: true
  s3_vault_secret_id:
    external: true