configpolicy/roles/minio/templates/minio.container.j2

[Unit]
Description=MinIO Object Storage
Wants=network.target
After=network.target

[Container]
Image={{ minio_container_image }}:{{ minio_version }}
Exec=server /data --certs-dir /certs
User=224
Group=224
EnvironmentFile=/etc/sysconfig/minio
Volume={{ minio_storage_path }}:/data:rw,Z
Volume=/etc/minio/certs:/certs:ro,z
Network=host
NoNewPrivileges=yes

[Service]
ExecReload=/bin/kill -HUP $MAINPID
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/var/lib/containers/storage
ReadWritePaths={{ minio_storage_path }}
RestrictRealtime=yes
RestrictSUIDSGID=yes
UMask=0077

[Install]
WantedBy=multi-user.target