service: minio (#232)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: mg/ansible#232
Co-authored-by: mg <michael.grote@posteo.de>
Co-committed-by: mg <michael.grote@posteo.de>

group_vars/all.yml

@@ -140,6 +140,7 @@
         - physical
         - tor
         - gitea
+        - minio
         - laptop
         - vmtest
     - username: munin

group_vars/minio.yml

@@ -0,0 +1,47 @@
+---
+  ### oefenweb.ufw
+  ufw_rules:
+    - rule: allow
+      to_port: 22
+      protocol: tcp
+      comment: 'ssh'
+      from_ip: 192.168.2.0/24
+    - rule: allow
+      to_port: 4949
+      protocol: tcp
+      comment: 'munin'
+      from_ip: 192.168.2.144/24
+    - rule: allow
+      to_port: "{{ minio_port }}"
+      protocol: tcp
+      comment: 'minio'
+      from_ip: 192.168.2.0/24
+    - rule: allow
+      to_port: "{{ minio_console_port }}"
+      protocol: tcp
+      comment: 'minio-mgmt'
+      from_ip: 192.168.2.0/24
+
+  ### mgrote.minio
+  minio_download_url: https://dl.min.io/server/minio/release/linux-amd64/minio
+
+  minio_bin_path: /usr/local/bin
+  minio_volumes_base_dir: /bm/s3/
+  minio_config_dir: /etc/minio
+
+  minio_fqdn: "" # leer, damit wird an alle ips gebunden
+  minio_port: 9001 # Port für Request
+  minio_console_port: 34081 # Port für Mgmt
+
+  minio_root_user: mg_minio_root
+  minio_root_password: "{{ lookup('keepass', 'minio_root_password', 'password') }}"
+
+  minio_user: minio-user
+  minio_group: minio-user
+
+  minio_server_url: "" # leer, wie "nicht gesetzt"
+  minio_browser_redirect_url: "" # leer, wie "nicht gesetzt"
+
+  # Aufruf:
+  # intern: minio1.grote.lan:9000
+  # extern: s3.mgrote.net

host_vars/pve2.grote.lan.yml

@@ -182,6 +182,14 @@
       dnodesize: auto
       atime: on
       snapdir: hidden
+    - dataset: hdd_data_raidz/s3
+      state: present
+      compression: zstd
+      sync: disabled
+      xattr: sa
+      dnodesize: auto
+      atime: on
+      snapdir: hidden
   zfs_extra_arc_max_size: "8589934592" # 8GB in Bytes
   zfs_extra_zfs_pools:
     - name: "rpool"
@@ -257,6 +265,10 @@
       recursive: 'no'
       snapshots: true
       template: '14tage'
+    - path: hdd_data_raidz/s3
+      recursive: 'no'
+      snapshots: true
+      template: '3tage'
 
   sanoid_templates:
     - name: '31tage'
@@ -369,3 +381,7 @@
       mp_nr: 15
       mp_path_host: /hdd_data_raidz/programme
       mp_path_guest: /shares_programme
+    - vmid: 116
+      mp_nr: 1
+      mp_path_host: /hdd_data_raidz/s3
+      mp_path_guest: /bm/s3

inventory

@@ -4,6 +4,10 @@ all:
       hosts:
         dokuwiki2.grote.lan:
         dokuwiki-test.grote.lan:
+    minio:
+      hosts:
+        minio1.grote.lan:
+        minio-test.grote.lan:
     tor:
       hosts:
         tor1-test.grote.lan:
@@ -70,6 +74,7 @@ all:
         docker3.grote.lan:
         docker4.grote.lan:
         tor1.mgrote.net:
+        minio1.grote.lan:
     test:
       hosts:
         dokuwiki-test.grote.lan:
@@ -83,3 +88,4 @@ all:
         ntp-server-test.grote.lan:
         fileserver2-test.grote.lan:
         tor1-test.grote.lan:
+        minio-test.grote.lan:

playbooks/3_service/minio.yml

@@ -0,0 +1,4 @@
+---
+- hosts: minio
+  roles:
+    - { role: mgrote.minio, tags: "minio", become: true }

roles/mgrote.minio/README.md

@@ -0,0 +1,12 @@
+## mgrote.minio
+
+### Beschreibung
+Installiert einen Single-Minio-Server.
+
+### getestet auf
+- [X] Ubuntu (>=20.04)
+- [ ] Debian
+- [ ] ProxMox 6.1
+
+### Variablen + Defaults
+see [defaults](./defaults/main.yml)

roles/mgrote.minio/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+  minio_download_url: https://dl.min.io/server/minio/release/linux-amd64/minio # downloadlink
+
+  minio_bin_path: /usr/local/bin # where to put the binary
+  minio_volumes_base_dir: /usr/local/share/minio/ # where to store the buckets
+  minio_config_dir: /etc/minio # where to store the config
+
+  minio_fqdn: minio-test.grote.lan
+  minio_port: 9000 # s3 port
+  minio_console_port: 34081 # mgmt-gui port
+
+  minio_root_user: minio # default web user
+  minio_root_password: miniostorage # defaut pass
+
+  minio_user: minio-user # linux user
+  minio_group: minio-user # linux group
+
+  minio_server_url: "" # see https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html
+
+  minio_browser_redirect_url: "" # see https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html

roles/mgrote.minio/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+  - name: (re)start service
+    become: yes
+    ansible.builtin.systemd:
+      name: minio
+      state: restarted

roles/mgrote.minio/tasks/main.yml

@@ -0,0 +1,61 @@
+---
+  - name: ensure group exists
+    ansible.builtin.group:
+      name: "{{ minio_group }}"
+      state: present
+
+  - name: ensure user exists
+    ansible.builtin.user:
+      name: "{{ minio_user }}"
+      group: "{{ minio_group }}"
+      shell: /sbin/nologin
+      state: present
+
+  - name: ensure needed directories are present
+    file:
+      path: "{{ item }}"
+      state: directory
+      owner: "{{ minio_user }}"
+      group: "{{ minio_user }}"
+    with_items:
+      - "{{ minio_volumes_base_dir }}"
+      - "{{ minio_config_dir }}"
+
+  - name: download binary
+    get_url:
+      url: "{{ minio_download_url }}"
+      dest: "{{ minio_bin_path }}/minio"
+      mode: 0744
+      owner: "{{ minio_user }}"
+      group: "{{ minio_user }}"
+
+  - name: template default config
+    become: yes
+    ansible.builtin.template:
+      src: "default.j2"
+      dest: "/etc/default/minio"
+      owner: "{{ minio_user }}"
+      group: "{{ minio_user }}"
+    notify: (re)start service
+    no_log: true
+
+  - name: template systemd-unit
+    become: yes
+    ansible.builtin.template:
+      src: "minio.service.j2"
+      dest: "/etc/systemd/system/minio.service"
+      mode: a+x
+      owner: "{{ minio_user }}"
+      group: "{{ minio_user }}"
+    notify: (re)start service
+
+  - name: systemd daemon reload
+    become: yes
+    ansible.builtin.systemd:
+      daemon_reload: true
+
+  - name: enable systemd service
+    become: yes
+    ansible.builtin.systemd:
+      name: minio
+      enabled: true

roles/mgrote.minio/templates/default.j2

@@ -0,0 +1,7 @@
+MINIO_ROOT_USER="{{ minio_root_user }}"
+MINIO_VOLUMES="{{ minio_volumes_base_dir }}"
+MINIO_OPTS="-C {{ minio_config_dir }} --address {{ minio_fqdn }}:{{ minio_port }} --console-address :{{ minio_console_port }}"
+MINIO_ROOT_PASSWORD="{{ minio_root_password }}"
+
+MINIO_SERVER_URL="{{ minio_server_url }}"
+MINIO_BROWSER_REDIRECT_URL="{{ minio_browser_redirect_url}}"

roles/mgrote.minio/templates/minio.service.j2

@@ -0,0 +1,36 @@
+[Unit]
+Description=MinIO
+Documentation=https://docs.min.io
+Wants=network-online.target
+After=network-online.target
+AssertFileIsExecutable=/usr/local/bin/minio
+
+[Service]
+WorkingDirectory=/usr/local/
+
+User={{ minio_user }}
+Group={{ minio_group }}
+ProtectProc=invisible
+
+EnvironmentFile=/etc/default/minio
+ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
+
+ExecStart={{ minio_bin_path }}/minio server $MINIO_OPTS $MINIO_VOLUMES
+
+# Let systemd restart this service always
+Restart=always
+
+# Specifies the maximum file descriptor number that can be opened by this process
+LimitNOFILE=65536
+
+# Specifies the maximum number of threads this process can create
+TasksMax=infinity
+
+# Disable timeout logic and wait until process is stopped
+TimeoutStopSec=infinity
+SendSIGKILL=no
+
+[Install]
+WantedBy=multi-user.target
+
+# Built for ${project.name}-${project.version} (${project.name})

roles/mgrote.ssh/templates/ubuntu.j2

@@ -54,7 +54,7 @@ Port {{ ssh_listen_port }}
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
+PasswordAuthentication {{ ssh_password_authentication }}
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
@@ -120,5 +120,4 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
-PasswordAuthentication {{ ssh_password_authentication }}
 PermitRootLogin {{ ssh_permit_root_login }}