The `:Z` mount option makes the container runtime relabel the mounted path recursively (the equivalent of a recursive `chcon`), assigning the files a private SELinux MCS label so that the container can access them. On a very large volume such as the MinIO storage directory this relabel can take an extremely long time, and it is repeated on every container start even though the context only needs to be set once (it does not change afterwards). To avoid that cost, the directory is created with the correct SELinux type (`container_file_t`) up front and the volume is mounted without `:Z`. Two caveats: without the per-container MCS categories that `:Z` assigns, the label is the shared one, so any other container on the host can access the path as well (the same trade-off as `:z`) — the owner-only mode on the directory limits the exposure, but keep it in mind; and the type is written directly to the filesystem rather than recorded in the SELinux policy, so a relabel (`restorecon`) would reset it unless a matching `semanage fcontext` rule is added too.
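# Per-host secrets for MinIO, looked up as vault/minio/<inventory_hostname>.
# `skip: true` turns a missing file into a no-op instead of a failure.
# `no_log: true` keeps the loaded values out of verbose (-v) task output:
# include_vars otherwise reports everything it loaded under ansible_facts.
- name: load minio secrets
  include_vars: '{{ item }}'
  no_log: true
  with_first_found:
    - files:
        - vault/minio/{{ inventory_hostname }}
      skip: true
  tags:
    - always
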
# Dedicated system group for the service. The fixed gid keeps file
# ownership stable across hosts and inside the container, which only
# sees numeric ids.
- name: ensure minio group exists
  group:
    state: present
    system: true
    name: minio
    gid: 224
  tags:
    - user
    - group
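# Dedicated service account, uid matching the gid above (224). It exists
# only to own files on the host, so it gets no login shell and no home
# directory (the user module creates one by default, even for system
# accounts). NOTE: on a host where the user already exists with a login
# shell, this task changes it.
- name: ensure minio user exists
  user:
    name: minio
    uid: 224
    group: minio
    system: true
    shell: /sbin/nologin
    create_home: false
    state: present
  tags:
    - user
    - group
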
# Create the data directory with the SELinux type the container needs
# already in place, so the volume mount does not have to relabel it
# (`:Z`) on every start. Only the directory itself is labelled here;
# files the container creates underneath normally inherit the type.
# Owner-only permissions: nothing but the minio user should read the data.
# NOTE(review): the type is set on the filesystem, not recorded in policy,
# so a restorecon would revert it — confirm an fcontext rule is not needed.
- name: ensure minio storage path exists
  file:
    state: directory
    path: '{{ minio_storage_path }}'
    setype: container_file_t
    owner: minio
    group: minio
    mode: u=rwx,go=
  tags:
    - datadir

# Directory for the TLS pair. Root-owned and only group-readable by
# minio (no write access for the service), labelled so the container
# can read it.
- name: ensure minio certs directory exists
  file:
    state: directory
    path: /etc/minio/certs
    setype: container_file_t
    owner: root
    group: minio
    mode: u=rwx,g=rx,o=
  tags:
    - cert
# Install certs/minio/<inventory_hostname>.cer from the controller as
# public.crt (the filename MinIO looks for). With no matching file the
# loop is empty and nothing happens; a changed certificate triggers a
# reload of the running service.
- name: ensure minio server certificate is present
  copy:
    src: '{{ item }}'
    dest: /etc/minio/certs/public.crt
    setype: container_file_t
    owner: root
    group: minio
    mode: u=rw,g=r,o=
  with_fileglob: certs/minio/{{ inventory_hostname }}.cer
  notify:
    - reload minio
  tags:
    - cert
# Install certs/minio/<inventory_hostname>.key as private.key. Root-owned,
# group-readable by minio (presumably the uid the container runs as —
# confirm against minio.container.j2). `diff: false` keeps the key
# material out of --diff output. Empty loop when the glob matches nothing.
- name: ensure minio server private key is present
  copy:
    src: '{{ item }}'
    dest: /etc/minio/certs/private.key
    setype: container_file_t
    owner: root
    group: minio
    mode: u=rw,g=r,o=
  diff: false
  with_fileglob: certs/minio/{{ inventory_hostname }}.key
  notify:
    - reload minio
  tags:
    - cert

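# Render the environment file (presumably the EnvironmentFile= of the
# quadlet unit — confirm against minio.container.j2). It is root-only
# (u=rw,go=) because it is expected to carry the MinIO credentials loaded
# from the vault above; `diff: false` keeps those out of --diff output,
# consistent with the private-key task. Any change restarts the service.
- name: ensure minio environment is configured
  template:
    src: minio.env.j2
    dest: /etc/sysconfig/minio
    owner: root
    group: root
    mode: u=rw,go=
  diff: false
  notify:
    - restart minio
  tags:
    - config
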
# Quadlet definition: podman's systemd generator turns
# /etc/containers/systemd/minio.container into minio.service at
# daemon-reload, hence both handlers.
# NOTE(review): handlers run in the order they are defined in the handlers
# file, not in notify order — `reload systemd` must be listed before
# `restart minio` there for the restart to pick up a changed unit.
- name: ensure minio.container systemd unit exists
  template:
    src: minio.container.j2
    dest: /etc/containers/systemd/minio.container
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
    - restart minio
  tags:
    - systemd

# Run pending handlers now, so the unit is generated (and the service
# reloaded/restarted if needed) before the state check that follows.
- name: flush_handlers
  tags:
    - always
  meta: flush_handlers

# Only `started` is asserted. A quadlet-generated unit cannot be enabled
# with systemctl; boot-time activation comes from the [Install] section
# of the .container file instead.
- name: ensure minio.service is running
  systemd:
    state: started
    name: minio.service
  tags:
    - service

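# Open (or close) the MinIO API port and, presumably, the console port
# (confirm 9090 against minio.container.j2). Both default to open; set
# minio_allow_outside: false on hosts that should only be reached locally
# — exposing the console by default is worth reconsidering.
# `|bool` matches the `when` line below, so a string value from -e or the
# inventory ("false") is not silently treated as truthy.
- name: ensure firewall is configured for minio
  firewalld:
    port: '{{ item }}/tcp'
    permanent: true
    immediate: true
    state: '{{ "enabled" if minio_allow_outside|d(true)|bool else "disabled" }}'
  loop:
    - 9000
    - 9090
  when: host_uses_firewalld|d(true)|bool
  tags:
    - firewalld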