MinIO S3-compatible object storage for recordings, assets, and backups.
## Overview
MinIO provides S3-compatible object storage. The SpaceMusic installation is pinned to version RELEASE.2025-04-22T22-12-26Z -- this is the last MinIO community edition release that includes the admin console, SSO login, bucket management, and IAM in the web UI.
Do not upgrade MinIO
All MinIO community releases after RELEASE.2025-04-22 removed the admin console, SSO, and bucket management from the web UI, replacing them with a minimal "object browser." The pinned version must be preserved unless migrating to AIStor (enterprise).
## Access
| Endpoint | URL |
|---|---|
| Console (web UI) | storage.spacemusic.tv |
| S3 API | storage-api.spacemusic.tv |
| Health check | storage-api.spacemusic.tv/minio/health/live |
The console uses Authentik OIDC for login. The S3 API uses standard AWS-style credentials (access key + secret key).
## Buckets

| Bucket | Purpose | Lifecycle |
|---|---|---|
| recordings | LiveKit egress recordings | 30-day expiry |
| textures | vvvv rendered textures | Never expires |
| assets | Project files, 3D models, images | Never expires |
| exports | Client deliverables | 90-day expiry |
| backups | Config backups, DB dumps | 90-day expiry |
Lifecycle policies are applied via `mcli ilm add --expiry-days N`.
## Authentication

MinIO uses Authentik OIDC with the following configuration:

- Authentik provider slug: `minio`
- Signing key: RS256 (required -- the default HS256 self-signed cert does not work)
- Claim: `groups` -- MinIO maps Authentik group names directly to IAM policy names

OIDC config must be set via both environment variables and `mcli admin config set` for full effect.
## IAM Policies

MinIO uses Authentik group names as policy names -- they must match exactly:

| Authentik Group | MinIO Policy | Permissions |
|---|---|---|
| spacemusic-admins | spacemusic-admins | Full admin + S3 access |
| authentik Admins | authentik Admins | Full admin + S3 access |
| spacemusic-studio | spacemusic-studio | S3 read/write on all buckets |
| spacemusic-viewers | spacemusic-viewers | S3 read-only |
## Service Accounts

Programmatic access uses service accounts (credentials stored in 1Password):

| Account | Policy | Purpose |
|---|---|---|
| livekit-egress | egress-write | Write recordings to recordings bucket |
| studio-rclone | readwrite | rclone mount for studio file sync |
| backup-agent | backup-write | Automated config backups to backups bucket |
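The `egress-write` and `backup-write` policies above each exist so that one service account can only upload into one bucket. The script below is an added example, not part of this page or of MinIO; it generates those two policy documents as write-only statements (the exact statement contents are an assumption, since the page names the purpose but not the JSON) and includes a check that flags any Allow statement with a wildcard action or resource, which is the mistake that turns a scoped service account into a second admin key.

```python
import json

# Policy name -> bucket it may write to, from the Service Accounts table.
# Statement contents are an assumption: the page does not reproduce the JSON.
WRITE_ONLY_POLICIES = {
    "egress-write": "recordings",
    "backup-write": "backups",
}

def write_only_policy(bucket: str) -> dict:
    """Least-privilege policy: upload objects into one bucket, nothing else.
    s3:PutObject also covers the multipart-upload calls a large recording needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def overbroad_statements(policy: dict) -> list:
    """Return Allow statements that grant a wildcard action or resource."""
    wild_actions = {"*", "s3:*", "admin:*"}
    wild_resources = {"*", "arn:aws:s3:::*"}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # Both fields may be a single string or a list in IAM-style JSON.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if wild_actions & set(actions) or wild_resources & set(resources):
            findings.append(stmt)
    return findings

def render_policies() -> dict:
    """Policy name -> JSON text, each verified to contain no wildcard grant."""
    rendered = {}
    for name, bucket in WRITE_ONLY_POLICIES.items():
        policy = write_only_policy(bucket)
        assert not overbroad_statements(policy), f"{name} grants a wildcard"
        rendered[name] = json.dumps(policy, indent=2)
    return rendered

if __name__ == "__main__":
    for name, doc in render_policies().items():
        print(f"# {name}.json")
        print(doc)
```

The printed JSON is what you would hand to `mcli admin policy create spacemusic <name> <name>.json` before attaching the policy to the service account.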
## CLI Access

MinIO CLI is installed on the server as `mcli` (not `mc`, which conflicts with GNU Midnight Commander):

```shell
# List all buckets
mcli ls spacemusic/
# List objects in a bucket
mcli ls spacemusic/recordings/
# Copy a file to storage
mcli cp ./file.mp4 spacemusic/recordings/
# Create a new bucket
mcli mb spacemusic/new-bucket
# Check lifecycle rules
mcli ilm ls spacemusic/recordings
```

The `spacemusic` alias is pre-configured on the server pointing to `http://localhost:9000`.
## Monitoring
Prometheus scrapes MinIO metrics at spacemusic-minio:9000/minio/v2/metrics/cluster using a bearer token. These metrics power the "Storage" Grafana dashboard.
Kuvasz monitors both the S3 API health endpoint and the console URL for uptime tracking.