Merge branch 'minio'

certs/minio/burp1.pyrocufflink.blue.cer

@@ -0,0 +1 @@
+../lego/_.pyrocufflink.net.crt

certs/minio/burp1.pyrocufflink.blue.key

@@ -0,0 +1 @@
+../lego/_.pyrocufflink.net.key

host_vars/burp1.pyrocufflink.blue.yml

@@ -6,3 +6,5 @@ collectd_plugins:
 # its domain permissive until the problems are identified and resolved
 # upstream.
 collectd_selinux_permissive: true
+
+minio_storage_path: /srv/minio

hosts

@@ -89,6 +89,9 @@ k8s-node
 [metricspi]
 mtrcs0.pyrocufflink.blue
 
+[minio:children]
+burp-server
+
 [motioneye]
 
 [named-server:children]

minio.yml

@@ -0,0 +1,3 @@
+- hosts: minio
+  roles:
+  - minio

roles/minio/defaults/main.yml

@@ -0,0 +1,6 @@
+minio_version: latest
+minio_container_image: quay.io/minio/minio
+minio_storage_path: /var/lib/minio
+minio_console_address: '[::]:9090'
+minio_root_user: root
+minio_root_password: changeme

roles/minio/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart minio
+  systemd:
+    name: minio
+    state: restarted

roles/minio/tasks/deploy.yml

@@ -0,0 +1,107 @@
+- name: load minio secrets
+  include_vars: '{{ item }}'
+  with_first_found:
+  - files:
+    - vault/minio/{{ inventory_hostname }}
+    skip: true
+  tags:
+  - always
+
+- name: ensure minio group exists
+  group:
+    name: minio
+    gid: 224
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure minio user exists
+  user:
+    name: minio
+    uid: 224
+    group: minio
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+
+- name: ensure minio storage path exists
+  file:
+    path: '{{ minio_storage_path }}'
+    owner: minio
+    group: minio
+    mode: u=rwx,go=
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure minio certs directory exists
+  file:
+    path: /etc/minio/certs
+    owner: root
+    group: minio
+    mode: u=rwx,g=rx,o=
+    setype: container_file_t
+    state: directory
+  tags:
+  - cert
+- name: ensure minio server certificate is present
+  copy:
+    src: '{{ item }}'
+    dest: /etc/minio/certs/public.crt
+    owner: root
+    group: minio
+    mode: u=rw,g=r,o=
+    setype: container_file_t
+  with_fileglob: certs/minio/{{ inventory_hostname }}.cer
+  tags:
+  - cert
+- name: ensure minio server private key is present
+  copy:
+    src: '{{ item }}'
+    dest: /etc/minio/certs/private.key
+    owner: root
+    group: minio
+    mode: u=rw,g=r,o=
+    setype: container_file_t
+  diff: false
+  with_fileglob: certs/minio/{{ inventory_hostname }}.key
+  tags:
+  - cert
+
+- name: ensure minio environment is configured
+  template:
+    src: minio.env.j2
+    dest: /etc/sysconfig/minio
+    owner: root
+    group: root
+    mode: u=rw,go=
+  notify:
+  - restart minio
+  tags:
+  - config
+
+- name: ensure minio.container systemd unit exists
+  template:
+    src: minio.container.j2
+    dest: /etc/containers/systemd/minio.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart minio
+  tags:
+  - systemd
+
+- name: flush_handlers
+  meta: flush_handlers
+
+- name: ensure minio.service is running
+  systemd:
+    name: minio.service
+    state: started
+  tags:
+  - service

roles/minio/tasks/install.yml

@@ -0,0 +1,11 @@
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+
+- name: ensure minio container image is present
+  podman_image:
+    name: '{{ minio_container_image }}:{{ minio_version }}'
+    state: present

roles/minio/tasks/main.yml

@@ -0,0 +1,7 @@
+- block:
+  - import_tasks: install.yml
+    tags:
+    - install
+  - import_tasks: deploy.yml
+  tags:
+  - minio    

roles/minio/templates/minio.container.j2

@@ -0,0 +1,34 @@
+[Unit]
+Description=MinIO Object Storage
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ minio_container_image }}:{{ minio_version }}
+Exec=server /data --certs-dir /certs
+User=224
+Group=224
+EnvironmentFile=/etc/sysconfig/minio
+Volume={{ minio_storage_path }}:/data:rw,Z
+Volume=/etc/minio/certs:/certs:ro,z
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+MemoryDenyWriteExecute=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/lib/containers/storage
+ReadWritePaths={{ minio_storage_path }}
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

roles/minio/templates/minio.env.j2

@@ -0,0 +1,4 @@
+MINIO_ROOT_USER={{ minio_root_user }}
+MINIO_ROOT_PASSWORD={{ minio_root_password }}
+
+MINIO_CONSOLE_ADDRESS={{ minio_console_address }}

vault/minio/burp1.pyrocufflink.blue

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+62313461666639393836343966373038663838396461353539313837616239376565643533393635
+3663336262643538303934633366636266303032393231650a643036363735653634366363393334
+61353835323163656533613662356235373235303735313862656462623333393863646566666163
+3030623963376631660a656465313765623866376633636136303630343161393833623864623337
+63376363333364343766633363306665363433623332303131626338643633653861363765306234
+35306462306364396263383263363933353330633361623532346563376434313534323539326262
+61616361303563316430616166336433393734383433633237383163326661353833373938616638
+39386532313938353932366565663633613966313566613762653938663331636435353339613038
+6236