minio: Install and configure MinIO

[MinIO][0] is an S3-compatible object storage server.  It is designed to
provide storage for cloud-native applications for on-premises
deployments.

MinIO has not been packaged for Fedora (yet?).  As such, the best way to
deploy it is usining its official container image.  Here, we are using
`podman-systemd-generator` (Quadlet) to generate a systemd service
unit to manage the container process.

minio.yml

@@ -0,0 +1,3 @@
+- hosts: minio
+  roles:
+  - minio

roles/minio/defaults/main.yml

@@ -0,0 +1,6 @@
+minio_version: latest
+minio_container_image: quay.io/minio/minio
+minio_storage_path: /var/lib/minio
+minio_console_address: '[::]:9090'
+minio_root_user: root
+minio_root_password: changeme

roles/minio/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart minio
+  systemd:
+    name: minio
+    state: restarted

roles/minio/tasks/deploy.yml

@@ -0,0 +1,107 @@
+- name: load minio secrets
+  include_vars: '{{ item }}'
+  with_first_found:
+  - files:
+    - vault/minio/{{ inventory_hostname }}
+    skip: true
+  tags:
+  - always
+
+- name: ensure minio group exists
+  group:
+    name: minio
+    gid: 224
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+- name: ensure minio user exists
+  user:
+    name: minio
+    uid: 224
+    group: minio
+    system: true
+    state: present
+  tags:
+  - user
+  - group
+
+- name: ensure minio storage path exists
+  file:
+    path: '{{ minio_storage_path }}'
+    owner: minio
+    group: minio
+    mode: u=rwx,go=
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure minio certs directory exists
+  file:
+    path: /etc/minio/certs
+    owner: root
+    group: minio
+    mode: u=rwx,g=rx,o=
+    setype: container_file_t
+    state: directory
+  tags:
+  - cert
+- name: ensure minio server certificate is present
+  copy:
+    src: '{{ item }}'
+    dest: /etc/minio/certs/public.crt
+    owner: root
+    group: minio
+    mode: u=rw,g=r,o=
+    setype: container_file_t
+  with_fileglob: certs/minio/{{ inventory_hostname }}.cer
+  tags:
+  - cert
+- name: ensure minio server private key is present
+  copy:
+    src: '{{ item }}'
+    dest: /etc/minio/certs/private.key
+    owner: root
+    group: minio
+    mode: u=rw,g=r,o=
+    setype: container_file_t
+  diff: false
+  with_fileglob: certs/minio/{{ inventory_hostname }}.key
+  tags:
+  - cert
+
+- name: ensure minio environment is configured
+  template:
+    src: minio.env.j2
+    dest: /etc/sysconfig/minio
+    owner: root
+    group: root
+    mode: u=rw,go=
+  notify:
+  - restart minio
+  tags:
+  - config
+
+- name: ensure minio.container systemd unit exists
+  template:
+    src: minio.container.j2
+    dest: /etc/containers/systemd/minio.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart minio
+  tags:
+  - systemd
+
+- name: flush_handlers
+  meta: flush_handlers
+
+- name: ensure minio.service is running
+  systemd:
+    name: minio.service
+    state: started
+  tags:
+  - service

roles/minio/tasks/install.yml

@@ -0,0 +1,11 @@
+- name: ensure podman is installed
+  package:
+    name:
+    - container-selinux
+    - podman
+    state: present
+
+- name: ensure minio container image is present
+  podman_image:
+    name: '{{ minio_container_image }}:{{ minio_version }}'
+    state: present

roles/minio/tasks/main.yml

@@ -0,0 +1,7 @@
+- block:
+  - import_tasks: install.yml
+    tags:
+    - install
+  - import_tasks: deploy.yml
+  tags:
+  - minio    

roles/minio/templates/minio.container.j2

@@ -0,0 +1,34 @@
+[Unit]
+Description=MinIO Object Storage
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ minio_container_image }}:{{ minio_version }}
+Exec=server /data --certs-dir /certs
+User=224
+Group=224
+EnvironmentFile=/etc/sysconfig/minio
+Volume={{ minio_storage_path }}:/data:rw,Z
+Volume=/etc/minio/certs:/certs:ro,z
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+MemoryDenyWriteExecute=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/lib/containers/storage
+ReadWritePaths={{ minio_storage_path }}
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

roles/minio/templates/minio.env.j2

@@ -0,0 +1,4 @@
+MINIO_ROOT_USER={{ minio_root_user }}
+MINIO_ROOT_PASSWORD={{ minio_root_password }}
+
+MINIO_CONSOLE_ADDRESS={{ minio_console_address }}