MinIO is supposed to automatically reload itself when the certificate changes, but this does not appear to happen in all cases. To ensure the updated certificate gets used, we need to send SIGHUP to the MinIO server process.
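# Load per-host MinIO secrets from the first matching vars file.
# `skip: true` turns a missing file into a no-op instead of an error, so a
# host without a vault file simply gets no secrets from this task.
# NOTE(review): later tasks presumably need these variables; confirm that a
# host without a vault file fails somewhere visible rather than deploying
# with fallback values.
- name: load minio secrets
  include_vars: '{{ item }}'
  with_first_found:
    - files:
        - 'vault/minio/{{ inventory_hostname }}'
      skip: true
  # Keep the loaded values out of task output; at higher verbosity the
  # include_vars result can list the variables it set.
  no_log: true
  tags:
    - always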
# Create the dedicated system group for MinIO with a fixed GID (224), so
# group ownership is the same number on every host this runs against.
- name: ensure minio group exists
  group:
    name: 'minio'
    gid: 224
    system: true
    state: 'present'
  tags:
    - user
    - group
# Create the dedicated system user for MinIO with a fixed UID (224) and the
# minio group as its primary group.
# NOTE(review): no shell or home is set, so the user module's defaults
# apply. If this account only owns files for the service, consider pinning
# a non-login shell explicitly.
- name: ensure minio user exists
  user:
    name: 'minio'
    uid: 224
    group: 'minio'
    system: true
    state: 'present'
  tags:
    - user
    - group
# Create the data directory, owned by minio:minio and closed to everyone
# else (u=rwx,go=).
# NOTE(review): unlike the certs directory, no SELinux type is set here;
# presumably the container unit relabels the volume. Confirm against
# minio.container.j2.
- name: ensure minio storage path exists
  file:
    path: '{{ minio_storage_path }}'
    owner: 'minio'
    group: 'minio'
    mode: 'u=rwx,go='
    state: 'directory'
  tags:
    - datadir
# Create the TLS material directory. root owns it and only root can write;
# the minio group may list and read; other users have no access.
- name: ensure minio certs directory exists
  file:
    path: '/etc/minio/certs'
    owner: 'root'
    group: 'minio'
    mode: 'u=rwx,g=rx,o='
    # SELinux type that lets a container process access the directory.
    setype: 'container_file_t'
    state: 'directory'
  tags:
    - cert
# Install the host's server certificate as public.crt.
# with_fileglob yields no items when the source file does not exist, so a
# host without a certificate in the repository skips this task silently.
- name: ensure minio server certificate is present
  copy:
    src: '{{ item }}'
    dest: '/etc/minio/certs/public.crt'
    owner: 'root'
    group: 'minio'
    mode: 'u=rw,g=r,o='
    setype: 'container_file_t'
  with_fileglob: 'certs/minio/{{ inventory_hostname }}.cer'
  # The handler is defined outside this file; presumably it signals the
  # running server so that it picks up the new certificate.
  notify:
    - reload minio
  tags:
    - cert
# Install the host's TLS private key as private.key. Only root can write
# it, the minio group can read it, and other users have no access.
# with_fileglob yields no items when the source file does not exist, so a
# host without a key in the repository skips this task silently.
- name: ensure minio server private key is present
  copy:
    src: '{{ item }}'
    dest: '/etc/minio/certs/private.key'
    owner: 'root'
    group: 'minio'
    mode: 'u=rw,g=r,o='
    setype: 'container_file_t'
  # Never print key material when the play runs with --diff.
  diff: false
  with_fileglob: 'certs/minio/{{ inventory_hostname }}.key'
  # The handler is defined outside this file; presumably it signals the
  # running server so that it picks up the new key.
  notify:
    - reload minio
  tags:
    - cert
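# Render the environment file for the MinIO service. Root-only permissions
# (u=rw,go=) keep its contents away from other local users.
# NOTE(review): minio.env.j2 is not visible here; presumably it carries the
# credentials loaded from the vault file.
- name: ensure minio environment is configured
  template:
    src: minio.env.j2
    dest: /etc/sysconfig/minio
    owner: root
    group: root
    mode: 'u=rw,go='
  # Match the private-key task: do not print the rendered file's contents
  # when the play runs with --diff.
  diff: false
  # A changed environment only takes effect on a full restart.
  notify:
    - restart minio
  tags:
    - config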
# Render the container unit definition under /etc/containers/systemd.
# The file is world-readable (u=rw,go=r), so the template should not embed
# secrets directly; the root-only environment file is the place for those.
- name: ensure minio.container systemd unit exists
  template:
    src: 'minio.container.j2'
    dest: '/etc/containers/systemd/minio.container'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,go=r'
  # Both handlers are defined outside this file; presumably systemd is
  # reloaded first so the restart uses the regenerated unit.
  notify:
    - reload systemd
    - restart minio
  tags:
    - systemd
# Run the handlers queued by the tasks above now, rather than at the end of
# the play, so reloads and restarts happen before the service check below.
- name: flush_handlers
  meta: 'flush_handlers'
# Start the service if it is stopped. `state: started` never restarts a
# running unit, so configuration and certificate changes rely on the
# handlers notified by the earlier tasks.
- name: ensure minio.service is running
  systemd:
    name: 'minio.service'
    state: 'started'
  tags:
    - service
# Open the MinIO TCP ports in firewalld, both in the saved configuration
# (permanent) and in the running one (immediate).
# No zone is given, so the rule lands in the host's default zone and is
# reachable from every source that zone admits.
# NOTE(review): 9000 and 9090 are presumably the S3 API and the web console;
# confirm against minio.container.j2, and consider whether the console port
# needs the same exposure as the API.
- name: ensure firewall is configured for minio
  firewalld:
    port: '{{ item }}/tcp'
    permanent: true
    immediate: true
    state: 'enabled'
  loop:
    - 9000
    - 9090
  # Skipped only when host_uses_firewalld is explicitly false; an undefined
  # variable defaults to true.
  when: host_uses_firewalld | d(true) | bool
  tags:
    - firewalld