archy/apps/indeedhub-minio/manifest.yml

app:
  id: indeedhub-minio
  name: IndeedHub MinIO
  version: "RELEASE.2024-11-07T00-52-20Z"
  description: MinIO S3-compatible object storage for IndeedHub media.
  category: community

  # Hyphen name matches runtime references + the live container (adoption);
  # alias `minio` is the short hostname the api/ffmpeg use (S3_ENDPOINT=
  # http://minio:9000) AND the frontend nginx proxies to (http://minio:9000).
  container_name: indeedhub-minio

  container:
    image: 146.59.87.168:3000/lfg2025/minio:RELEASE.2024-11-07T00-52-20Z
    pull_policy: if-not-present
    network: indeedhub-net
    network_aliases: [minio]
    # `server /data` — the minio entrypoint args from the legacy installer.
    custom_args: [server, /data]
    generated_secrets:
      - name: indeedhub-minio-password
        kind: hex32
    secret_env:
      - key: MINIO_ROOT_PASSWORD
        secret_file: indeedhub-minio-password

  dependencies:
    - storage: 50Gi

  resources:
    memory_limit: 1Gi
    disk_limit: 50Gi

  security:
    capabilities: []
    readonly_root: false
    network_policy: isolated

  ports: []

  # Named volume matches the live indeedhub-minio-data volume on .228.
  volumes:
    - type: volume
      source: indeedhub-minio-data
      target: /data
      options: [rw]

  # MINIO_ROOT_USER "indeeadmin" is the fixed admin identity baked by the legacy
  # installer (api/ffmpeg use it as AWS_ACCESS_KEY); the password is the
  # generated secret above. Not secret, so it stays a plain env value.
  environment:
    - MINIO_ROOT_USER=indeeadmin

  health_check:
    type: http
    endpoint: http://localhost:9000
    path: /minio/health/live
    interval: 30s
    timeout: 5s
    retries: 5
feat(indeedhub): manifest-driven 7-member stack, orchestrator-first (#20 phase 3) Author the IndeedHub stack as 7 manifests (postgres/redis/minio/relay/api/ ffmpeg + frontend) and route install_indeedhub_stack through the orchestrator first (immich pattern), falling back to the legacy installer only when the manifests aren't deployed. Data-preserving by construction — the manifests reproduce the live install exactly so an existing node ADOPTS rather than recreates: - container_name = the live hyphenated names the runtime already references (health_monitor tiers/deps, crash_recovery). - named volumes indeedhub-{postgres,redis,minio,relay}-data (not bind mounts). - dedicated indeedhub-net + network_aliases [postgres\|redis\|minio\|relay\|api] so the api/ffmpeg env hostnames and the frontend nginx upstreams resolve unchanged. - generated_secrets (indeedhub-db-password/-minio-password owned by their backends, indeedhub-jwt by the api) reuse the live /var/lib/archipelago/ secrets values (ensure_one no-ops on existing files; postgres pw is fixed at PGDATA init). minio user "indeeadmin" + AES_MASTER_SECRET literal kept. The frontend carries the post_install hook (#20) that replaces the hardcoded patch_indeedhub_nostr_provider: strip X-Frame-Options, refresh nostr-provider.js from /opt/archipelago/web-ui, inject the <script> if absent, reload nginx — defensive/idempotent since indeedhub:1.0.0 already bakes these. Frontend manifest also corrected off its dead Next.js shape (health check now nginx :7777, tmpfs /run + /var/cache/nginx). Builds + unit-tested; live adoption/lifecycle verification on .228 next. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-21 15:46:26 -04:00			`app:`
			`id: indeedhub-minio`
			`name: IndeedHub MinIO`
			`version: "RELEASE.2024-11-07T00-52-20Z"`
			`description: MinIO S3-compatible object storage for IndeedHub media.`
			`category: community`

			`# Hyphen name matches runtime references + the live container (adoption);`
			# alias `minio` is the short hostname the api/ffmpeg use (S3_ENDPOINT=
			`# http://minio:9000) AND the frontend nginx proxies to (http://minio:9000).`
			`container_name: indeedhub-minio`

			`container:`
			`image: 146.59.87.168:3000/lfg2025/minio:RELEASE.2024-11-07T00-52-20Z`
			`pull_policy: if-not-present`
			`network: indeedhub-net`
			`network_aliases: [minio]`
			# `server /data` — the minio entrypoint args from the legacy installer.
			`custom_args: [server, /data]`
			`generated_secrets:`
			`- name: indeedhub-minio-password`
			`kind: hex32`
			`secret_env:`
			`- key: MINIO_ROOT_PASSWORD`
			`secret_file: indeedhub-minio-password`

			`dependencies:`
			`- storage: 50Gi`

			`resources:`
			`memory_limit: 1Gi`
			`disk_limit: 50Gi`

			`security:`
			`capabilities: []`
			`readonly_root: false`
			`network_policy: isolated`

			`ports: []`

			`# Named volume matches the live indeedhub-minio-data volume on .228.`
			`volumes:`
			`- type: volume`
			`source: indeedhub-minio-data`
			`target: /data`
			`options: [rw]`

			`# MINIO_ROOT_USER "indeeadmin" is the fixed admin identity baked by the legacy`
			`# installer (api/ffmpeg use it as AWS_ACCESS_KEY); the password is the`
			`# generated secret above. Not secret, so it stays a plain env value.`
			`environment:`
			`- MINIO_ROOT_USER=indeeadmin`

			`health_check:`
			`type: http`
			`endpoint: http://localhost:9000`
			`path: /minio/health/live`
			`interval: 30s`
			`timeout: 5s`
			`retries: 5`