feat: add minio+cockroachdb

services/cockroachdb.nix

@@ -0,0 +1,21 @@
+{ config, meta, lib, ... }: let
+  inherit (lib.attrsets) mapAttrsToList filterAttrs;
+  inherit (lib.strings) concatStringsSep;
+in {
+  services = {
+    cockroachdb = {
+      enable = true;
+      insecure = true;
+      join = concatStringsSep "," (mapAttrsToList (_: nixos:
+        "${nixos.networks.tailscale.ipv4}:${builtins.toString nixos.services.cockroachdb.listen.port}"
+      ) (filterAttrs (_: nixos: nixos.services.cockroachdb.enable) meta.network.nodes.nixos));
+      http = {
+        address = config.networks.tailscale.ipv4;
+        port = 8973;
+      };
+      listen = {
+        address = config.networks.tailscale.ipv4;
+      };
+    };
+  };
+}

services/minio.nix

@@ -0,0 +1,41 @@
+{ config, lib, ... }: let
+  import (lib.modules) mkIf mkDefault;
+  cfg = config.services.minio;
+in {
+  options.services.minio.isNAS = mkEnableFunction "NAS lack of defaults";
+
+  config = {
+    secrets = {
+      variables = mapAttrs' (name: value: nameValuePair "minio-${name}-key" value) (genAttrs ["access" "secret"] (name: {
+          path = "gensokyo/minio";
+          field = "${name}-key";
+      }));
+      };
+      files = {
+        minio-root-credentials = {
+          text = ''
+            MINIO_ROOT_USER=${tf.variables.minio-access-key.ref}
+            MINIO_ROOT_PASSWORD=${tf.variables.minio-secret-key.ref}
+          '';
+          owner = "minio";
+          group = "minio";
+        };
+      };
+    };
+
+    systemd.tmpfiles.rules = mkIf !cfg.isNAS ''
+      v /minio 700 minio minio
+    '';
+
+    services = {
+      minio = {
+        region = config.services.cockroachdb.locality;
+        enable = true;
+        dataDir = lib.optional !cfg.isNAS "/minio";
+        listenAddress = "${config.networks.tailscale.ipv4}:9000";
+        consoleAddress = "${config.networks.tailcale.ipv4}:9001";
+        rootCredentialsFile = config.secrets.files.minio-root-credentials.path;
+      };
+    };
+  };
+}