Update vars, install minio

ansible/group_vars/all/main.yml

@@ -57,4 +57,7 @@ vault_ca_cert_payload: |
 
 # lnd
 lnd_version: 0.16.4-beta
+
+# minio
+minio_version: RELEASE.2023-07-07T07-13-57Z
 ...

ansible/host_vars/ivyking.minhas.io/main.yml

@@ -1,2 +1,3 @@
 ---
 docker_repo_storage: /tank0/docker-repo
+minio_volume: /tank0/minio

ansible/inventory.txt

@@ -33,3 +33,6 @@ sedan.minhas.io
 
 [bitcoind]
 ivyking.minhas.io
+
+[minio]
+ivyking.minhas.io

ansible/playbooks/minio.yml

@@ -0,0 +1,5 @@
+---
+- hosts: minio
+  roles:
+    - role: minio
+...

ansible/playbooks/site.yml

@@ -2,7 +2,7 @@
 - import_playbook: common.yml
 - import_playbook: vault-server.yml
 - import_playbook: k3s.yml
-- import_playbook: docker-repo.yml
+  #- import_playbook: docker-repo.yml
 - import_playbook: lnd.yml
 - import_playbook: wekan.yml
 ...

ansible/roles/bitcoind/tasks/main.yml

@@ -38,7 +38,7 @@
   copy:
     src: files/bitcoind.service
     dest: /etc/systemd/system/bitcoind.service
-    mode: 0755
+    mode: 0750
     owner: root
     group: root
   notify: reload systemd

ansible/roles/minio/files/minio.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=MinIO
+Documentation=https://min.io/docs/minio/linux/index.html
+Wants=network-online.target
+After=network-online.target
+AssertFileIsExecutable=/usr/local/bin/minio
+
+[Service]
+WorkingDirectory=/usr/local
+
+User=minio
+Group=minio
+ProtectProc=invisible
+
+EnvironmentFile=-/etc/default/minio
+ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES
+Restart=always
+LimitNOFILE=65536
+TasksMax=infinity
+TimeoutStopSec=infinity
+SendSIGKILL=no
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/minio/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: True
+
+- name: restart minio
+  systemd:
+    name: minio
+    state: restarted
+...

ansible/roles/minio/tasks/main.yml

@@ -0,0 +1,64 @@
+---
+- name: create minio group
+  group:
+    name: minio
+    state: present
+
+- name: create minio user
+  user:
+    name: minio
+    group: minio
+    system: True
+    shell: /usr/sbin/nologin
+
+- name: ensure minio cert dir
+  file:
+    path: /etc/minio/certs
+    state: directory
+    owner: minio
+    group: minio
+    mode: 0750
+
+- name: ensure minio owns minio path
+  file:
+    path: '{{ minio_volume }}'
+    state: directory
+    owner: minio
+    group: minio
+    mode: 0750
+
+- name: ensure minio systemd file
+  copy:
+    src: minio.service
+    dest: /etc/systemd/system/minio.service
+    owner: root
+    group: root
+  notify:
+    - reload systemd
+    - restart minio
+
+- name: template minio config
+  template:
+    src: minio.j2
+    dest: /etc/default/minio
+    owner: root
+    group: minio
+    mode: 0640
+  notify: restart minio
+
+- name: download minio
+  get_url:
+    url: 'https://dl.minio.io/server/minio/release/linux-amd64/archive/minio.{{ minio_version }}'
+    dest: /usr/local/bin/minio
+    owner: root
+    group: root
+    mode: 0755
+    checksum: "sha256:https://dl.minio.io/server/minio/release/linux-amd64/archive/minio.{{ minio_version}}.sha256sum"
+  notify: restart minio
+
+- name: enable and start minio
+  systemd:
+    name: minio
+    state: started
+    enabled: True
+    daemon_reload: True

ansible/roles/minio/templates/minio.j2

@@ -0,0 +1,5 @@
+MINIO_ROOT_USER={{ lookup('hashi_vault', 'secret=kv/data/minio:admin_username') }}
+MINIO_ROOT_PASSWORD={{ lookup('hashi_vault', 'secret=kv/data/minio:admin_password') }}
+MINIO_VOLUMES="{{ minio_volume }}"
+MINIO_SERVER_URL="http://ivyking.minhas.io:9000"
+MINIO_DOMAIN=ivyking.minhas.io