dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity

Merge branch 'minio'

step-ssh
Dustin 2023-05-10 08:05:03 -05:00
parent 9722fed1b8 a3ea838cac
commit 5ebe10fb0b
13 changed files with 197 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
certs/minio/burp1.pyrocufflink.blue.cer Symbolic link
View File

@ -0,0 +1 @@
../lego/_.pyrocufflink.net.crt

1
certs/minio/burp1.pyrocufflink.blue.key Symbolic link
View File

@ -0,0 +1 @@
../lego/_.pyrocufflink.net.key

2
host_vars/burp1.pyrocufflink.blue.yml
View File

@ -6,3 +6,5 @@ collectd_plugins:
# its domain permissive until the problems are identified and resolved
# upstream.
collectd_selinux_permissive: true
minio_storage_path: /srv/minio

3
hosts
View File

@ -89,6 +89,9 @@ k8s-node
[metricspi]
mtrcs0.pyrocufflink.blue
[minio:children]
burp-server
[motioneye]
[named-server:children]

3
minio.yml Normal file
View File

@ -0,0 +1,3 @@
- hosts: minio
roles:
- minio

6
roles/minio/defaults/main.yml Normal file
View File

@ -0,0 +1,6 @@
minio_version: latest
minio_container_image: quay.io/minio/minio
minio_storage_path: /var/lib/minio
minio_console_address: '[::]:9090'
minio_root_user: root
minio_root_password: changeme

8
roles/minio/handlers/main.yml Normal file
View File

@ -0,0 +1,8 @@
- name: reload systemd
systemd:
daemon_reload: true
- name: restart minio
systemd:
name: minio
state: restarted

107
roles/minio/tasks/deploy.yml Normal file
View File

@ -0,0 +1,107 @@
- name: load minio secrets
include_vars: '{{ item }}'
with_first_found:
- files:
- vault/minio/{{ inventory_hostname }}
skip: true
tags:
- always
- name: ensure minio group exists
group:
name: minio
gid: 224
system: true
state: present
tags:
- user
- group
- name: ensure minio user exists
user:
name: minio
uid: 224
group: minio
system: true
state: present
tags:
- user
- group
- name: ensure minio storage path exists
file:
path: '{{ minio_storage_path }}'
owner: minio
group: minio
mode: u=rwx,go=
state: directory
tags:
- datadir
- name: ensure minio certs directory exists
file:
path: /etc/minio/certs
owner: root
group: minio
mode: u=rwx,g=rx,o=
setype: container_file_t
state: directory
tags:
- cert
- name: ensure minio server certificate is present
copy:
src: '{{ item }}'
dest: /etc/minio/certs/public.crt
owner: root
group: minio
mode: u=rw,g=r,o=
setype: container_file_t
with_fileglob: certs/minio/{{ inventory_hostname }}.cer
tags:
- cert
- name: ensure minio server private key is present
copy:
src: '{{ item }}'
dest: /etc/minio/certs/private.key
owner: root
group: minio
mode: u=rw,g=r,o=
setype: container_file_t
diff: false
with_fileglob: certs/minio/{{ inventory_hostname }}.key
tags:
- cert
- name: ensure minio environment is configured
template:
src: minio.env.j2
dest: /etc/sysconfig/minio
owner: root
group: root
mode: u=rw,go=
notify:
- restart minio
tags:
- config
- name: ensure minio.container systemd unit exists
template:
src: minio.container.j2
dest: /etc/containers/systemd/minio.container
owner: root
group: root
mode: u=rw,go=r
notify:
- reload systemd
- restart minio
tags:
- systemd
- name: flush_handlers
meta: flush_handlers
- name: ensure minio.service is running
systemd:
name: minio.service
state: started
tags:
- service

11
roles/minio/tasks/install.yml Normal file
View File

@ -0,0 +1,11 @@
- name: ensure podman is installed
package:
name:
- container-selinux
- podman
state: present
- name: ensure minio container image is present
podman_image:
name: '{{ minio_container_image }}:{{ minio_version }}'
state: present

7
roles/minio/tasks/main.yml Normal file
View File

@ -0,0 +1,7 @@
- block:
- import_tasks: install.yml
tags:
- install
- import_tasks: deploy.yml
tags:
- minio

34
roles/minio/templates/minio.container.j2 Normal file
View File

@ -0,0 +1,34 @@
[Unit]
Description=MinIO Object Storage
Wants=network.target
After=network.target
[Container]
Image={{ minio_container_image }}:{{ minio_version }}
Exec=server /data --certs-dir /certs
User=224
Group=224
EnvironmentFile=/etc/sysconfig/minio
Volume={{ minio_storage_path }}:/data:rw,Z
Volume=/etc/minio/certs:/certs:ro,z
Network=host
NoNewPrivileges=yes
[Service]
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/var/lib/containers/storage
ReadWritePaths={{ minio_storage_path }}
RestrictRealtime=yes
RestrictSUIDSGID=yes
UMask=0077
[Install]
WantedBy=multi-user.target

4
roles/minio/templates/minio.env.j2 Normal file
View File

@ -0,0 +1,4 @@
MINIO_ROOT_USER={{ minio_root_user }}
MINIO_ROOT_PASSWORD={{ minio_root_password }}
MINIO_CONSOLE_ADDRESS={{ minio_console_address }}

10
vault/minio/burp1.pyrocufflink.blue Normal file
View File

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
62313461666639393836343966373038663838396461353539313837616239376565643533393635
3663336262643538303934633366636266303032393231650a643036363735653634366363393334
61353835323163656533613662356235373235303735313862656462623333393863646566666163
3030623963376631660a656465313765623866376633636136303630343161393833623864623337
63376363333364343766633363306665363433623332303131626338643633653861363765306234
35306462306364396263383263363933353330633361623532346563376434313534323539326262
61616361303563316430616166336433393734383433633237383163326661353833373938616638
39386532313938353932366565663633613966313566613762653938663331636435353339613038
6236