# MinIO Storage - Gitea Actions

This directory contains automated CI/CD workflows for MinIO deployment and maintenance.

## Workflows

### 1. `deploy.yml` - Production Deployment

**Trigger:** Push to `main` or `master` branch

**What it does:**
- Uploads `docker-compose.prod.yml` to server
- Creates/updates MinIO production container
- Sets up buckets automatically
- Performs health checks

**Deployment location:** `/var/www/apps/minio-storage`

**Access:**
- S3 API: https://minio.crewsportswear.com
- Console: https://console.crewsportswear.com

---

### 2. `deploy-dev.yml` - Development Deployment

**Trigger:** Push to `dev` branch

**What it does:**
- Deploys MinIO to development environment
- Uses default credentials (minioadmin/minioadmin123)
- Exposed on ports 9000/9001
- Sets up development buckets

**Deployment location:** `/var/www/apps/minio-storage-dev`

**Access:**
- S3 API: http://dev.crewsportswear.com:9000
- Console: http://dev.crewsportswear.com:9001

---

### 3. `backup.yml` - Automated Backups

**Trigger:**
- Daily at 2 AM (cron: `0 2 * * *`)
- Manual via workflow_dispatch

**What it does:**
- Backs up all MinIO buckets
- Compresses backups (.tar.gz)
- Stores in `/var/backups/minio/`
- Keeps last 7 days of backups
- Verifies backup completion

**Manual trigger:**
```bash
# Via Gitea UI: Actions → Backup MinIO Buckets → Run Workflow
```

---

## Required Secrets

Configure these in your Gitea repository settings: **Settings → Secrets → Actions**

| Secret | Description | Example |
|--------|-------------|---------|
| `DEPLOY_SSH_KEY` | Private SSH key for deployment | `-----BEGIN OPENSSH PRIVATE KEY-----...` |
| `DEPLOY_HOST` | Production server hostname/IP | `123.45.67.89` or `server.example.com` |
| `DEPLOY_USER` | SSH username on server | `deploy` or `ubuntu` |

### Generate SSH Key

```bash
# On your local machine
ssh-keygen -t ed25519 -C "gitea-minio-deploy" -f ~/.ssh/gitea_minio_deploy

# Copy public key to server
ssh-copy-id -i ~/.ssh/gitea_minio_deploy.pub user@server

# Copy private key content to Gitea secret
cat ~/.ssh/gitea_minio_deploy
```

---

## Deployment Process

### Production Deployment

1. **Make changes** to `docker-compose.prod.yml` or setup scripts
2. **Commit and push** to `main` branch:
   ```bash
   git add .
   git commit -m "Update MinIO configuration"
   git push origin main
   ```
3. **Watch workflow** in Gitea: Repository → Actions
4. **Verify deployment:**
   ```bash
   curl https://minio.crewsportswear.com/minio/health/live
   # Should return: OK
   ```

### Development Deployment

1. **Create/switch to dev branch:**
   ```bash
   git checkout -b dev
   ```
2. **Push changes:**
   ```bash
   git push origin dev
   ```
3. **Access dev environment:**
   - Console: http://dev.crewsportswear.com:9001

### Manual Workflow Trigger

You can manually trigger any workflow:

1. Go to: **Repository → Actions**
2. Select workflow (e.g., "Deploy MinIO Production")
3. Click **"Run Workflow"**
4. Select branch
5. Click **"Run Workflow"** button

---

## First-Time Setup

### 1. Configure Server

Ensure your server has:
- Docker and Docker Compose installed
- Networks created: `traefik-public`, `crew-app-net`
- Traefik running (for production HTTPS)

```bash
# On server
docker network create traefik-public
docker network create crew-app-net
```

### 2. Configure Gitea Secrets

Add the three required secrets (see table above).

### 3. Initial Deployment

```bash
# Clone repo
git clone your-gitea-url/minio-storage.git
cd minio-storage

# Push to trigger deployment
git push origin main
```

### 4. Post-Deployment Setup

After the first deployment, SSH into the server and configure:

```bash
ssh user@server

# Set production credentials
cd /var/www/apps/minio-storage
nano .env

# Update these values in .env:
#   MINIO_ROOT_USER=your_secure_username
#   MINIO_ROOT_PASSWORD=your_secure_password_32chars

# For secured console, add BasicAuth
htpasswd -nb admin YourPassword
# Copy output to .env: TRAEFIK_CONSOLE_AUTH='admin:$$apr1$$...'

# Restart
docker compose down && docker compose up -d
```

---

## Monitoring

### Check Deployment Status

```bash
# On server
cd /var/www/apps/minio-storage

# Check container status
docker ps | grep minio

# Check logs
docker logs crew-minio-prod

# View recent deployments
ls -lt /var/www/apps/minio-storage
```

### View Backups

```bash
# On server
ls -lh /var/backups/minio/

# Extract a backup
cd /tmp
tar -xzf /var/backups/minio/minio_backup_YYYYMMDD_HHMMSS.tar.gz

# Restore if needed (see README.md for restore procedure)
```

---

## Troubleshooting

### Deployment Failed

```bash
# Check Gitea Actions logs
# Repository → Actions → Failed workflow → View logs

# Common issues:
# 1. SSH key not added to server authorized_keys
# 2. Server disk space full
# 3. Docker not running on server
```

### Container Not Starting

```bash
ssh user@server
cd /var/www/apps/minio-storage

# Check .env file exists
cat .env

# Check Docker logs
docker logs crew-minio-prod

# Check networks
docker network ls | grep crew-app-net

# Recreate manually
docker compose down
docker compose up -d
```

### Backup Failed

```bash
# Check backup directory permissions
ls -ld /var/backups/minio/

# Check disk space
df -h

# Manual backup
cd /var/www/apps/minio-storage
docker exec crew-minio-prod mc mirror backup/crewsportswear /tmp/manual_backup
```

---

## Workflow Customization

### Change Backup Schedule

Edit `.gitea/workflows/backup.yml`:

```yaml
on:
  schedule:
    - cron: '0 2 * * *'  # Daily 2 AM

# Change to one of:
#   - cron: '0 */6 * * *'  # Every 6 hours
#   - cron: '0 0 * * 0'    # Weekly on Sunday
```

### Add Post-Deployment Hooks

Edit `.gitea/workflows/deploy.yml`, add step:

```yaml
- name: Notify team
  shell: sh
  run: |
    curl -X POST https://your-webhook-url \
      -d "MinIO deployed successfully"
```

### Custom Health Checks

Add to `deploy.yml`:

```yaml
- name: Test bucket access
  shell: sh
  run: |
    # Test upload; --fail makes the step fail on an HTTP error status
    echo "test" > test.txt
    curl --fail -X PUT https://minio.crewsportswear.com/crewsportswear/test.txt \
      --upload-file test.txt
```

---

## Security Best Practices

1. **Rotate SSH keys** regularly
2. **Use strong MinIO credentials** (32+ characters)
3. **Enable BasicAuth** for console (production)
4. **Monitor backup logs** for failures
5. **Test restore procedure** quarterly
6. **Limit Gitea Actions secrets** access to admins only

---

## Related Documentation

- [Main README](../README.md) - MinIO setup and usage
- [Security Guide](../SECURITY.md) - Security best practices
- [Gitea Actions Docs](https://docs.gitea.com/usage/actions/overview)

---

## Quick Reference

```bash
# View workflows
ls .gitea/workflows/

# Trigger production deploy
git push origin main

# Trigger dev deploy
git push origin dev

# Manual backup (via Gitea UI)
# Repository → Actions → Backup MinIO Buckets → Run Workflow

# Check deployment
ssh user@server
docker ps | grep minio
docker logs crew-minio-prod
```
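
The credential rules from Post-Deployment Setup and Security Best Practices can be checked mechanically before restarting the production container. The script below is an added example, not part of this repository; `check_minio_env` and `env_value` are hypothetical helper names, and the rejected values are the dev defaults and placeholders shown in this document.

```shell
#!/bin/sh
# Added example: pre-deploy check of the MinIO .env file.
# check_minio_env and env_value are hypothetical helper names.

# Print the value of KEY ($1) from env file ($2): last assignment wins,
# one pair of surrounding quotes is stripped.
env_value() {
  sed -n "s/^$1=//p" "$2" | tail -n 1 | sed -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Print one line per finding; exit status 0 only when there are none.
# The ( ) body runs in a subshell so its variables stay local.
check_minio_env() (
  file=$1
  findings=0
  flag() { echo "$file: $1"; findings=$((findings + 1)); }

  user=$(env_value MINIO_ROOT_USER "$file")
  pass=$(env_value MINIO_ROOT_PASSWORD "$file")
  auth=$(env_value TRAEFIK_CONSOLE_AUTH "$file")

  # Reject the dev defaults and the placeholders from the setup instructions.
  case $user in
    '' | minioadmin | your_secure_username)
      flag "MINIO_ROOT_USER is unset, default or placeholder" ;;
  esac
  case $pass in
    '' | minioadmin | minioadmin123 | your_secure_password_32chars)
      flag "MINIO_ROOT_PASSWORD is unset, default or placeholder" ;;
    *)
      [ "${#pass}" -ge 32 ] || flag "MINIO_ROOT_PASSWORD is shorter than 32 characters" ;;
  esac
  [ -n "$auth" ] || flag "TRAEFIK_CONSOLE_AUTH is empty (console BasicAuth not set)"

  # The file holds root credentials: group and other must have no access.
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
    flag "file is accessible to group or other (expected mode 600)"

  [ "$findings" -eq 0 ]
)
```

On the server, run `check_minio_env /var/www/apps/minio-storage/.env && docker compose up -d` so the restart only happens when the file passes.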
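
For the "Monitor backup logs" and "Test restore procedure" items, a listing with `ls -lh` does not show whether an archive is readable or recent. The script below is an added example, not part of this repository: `verify_backups` is a hypothetical helper that checks every `minio_backup_*.tar.gz` in a directory for gzip integrity, non-empty contents and freshness, with an assumed 26-hour limit for the daily 2 AM schedule.

```shell
#!/bin/sh
# Added example: integrity and freshness check for the backup archives.
# verify_backups is a hypothetical helper; the 26 h default is an assumption.

# verify_backups DIR [MAX_AGE_MIN]
# Exit status: 0 all good, 1 a finding was printed, 2 no archives at all.
verify_backups() (
  dir=$1
  max_age_min=${2:-1560}   # 26 h = daily 2 AM schedule plus slack
  status=0

  set -- "$dir"/minio_backup_*.tar.gz
  [ -e "$1" ] || { echo "MISSING: no minio_backup_*.tar.gz in $dir"; exit 2; }

  for f in "$@"; do
    if ! gzip -t "$f" 2>/dev/null; then
      echo "CORRUPT: $f"          # truncated or not gzip at all
      status=1
    elif [ -z "$(tar -tzf "$f" 2>/dev/null | head -n 1)" ]; then
      echo "EMPTY: $f"            # gzip is valid but tar lists no members
      status=1
    fi
  done

  # -mmin is supported by GNU, BSD and BusyBox find (not strictly POSIX).
  if [ -z "$(find "$dir" -name 'minio_backup_*.tar.gz' -mmin "-$max_age_min" | head -n 1)" ]; then
    echo "STALE: newest archive is older than $max_age_min minutes"
    status=1
  fi

  # Informational: archives the 7-day retention should already have removed.
  find "$dir" -name 'minio_backup_*.tar.gz' -mtime +7 | sed 's/^/EXPIRED: /'

  exit "$status"
)
```

Run it as `verify_backups /var/backups/minio` from cron or a workflow step; a non-zero exit status is the signal to alert on.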