service: minio (#232)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: mg/ansible#232
Co-authored-by: mg <michael.grote@posteo.de>
Co-committed-by: mg <michael.grote@posteo.de>
Michael Grote 2021-10-23 17:47:57 +02:00
parent 3cdb9ec604
commit e2707856d8
13 changed files with 217 additions and 2 deletions


@ -140,6 +140,7 @@
- physical
- tor
- gitea
- minio
- laptop
- vmtest
- username: munin

47
group_vars/minio.yml Normal file

@ -0,0 +1,47 @@
---
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
- rule: allow
to_port: "{{ minio_port }}"
protocol: tcp
comment: 'minio'
from_ip: 192.168.2.0/24
- rule: allow
to_port: "{{ minio_console_port }}"
protocol: tcp
comment: 'minio-mgmt'
from_ip: 192.168.2.0/24
### mgrote.minio
minio_download_url: https://dl.min.io/server/minio/release/linux-amd64/minio
minio_bin_path: /usr/local/bin
minio_volumes_base_dir: /bm/s3/
minio_config_dir: /etc/minio
minio_fqdn: "" # leer, damit wird an alle ips gebunden
minio_port: 9001 # Port für Request
minio_console_port: 34081 # Port für Mgmt
minio_root_user: mg_minio_root
minio_root_password: "{{ lookup('keepass', 'minio_root_password', 'password') }}"
minio_user: minio-user
minio_group: minio-user
minio_server_url: "" # leer, wie "nicht gesetzt"
minio_browser_redirect_url: "" # leer, wie "nicht gesetzt"
# Aufruf:
# intern: minio1.grote.lan:9000
# extern: s3.mgrote.net
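Review bot: The munin rule's `from_ip: 192.168.2.144/24` pairs a host address with a /24 mask, which the underlying iptables rule effectively treats as the whole 192.168.2.0/24 network rather than the single munin host; if only that host should reach port 4949 it should read `from_ip: 192.168.2.144/32` (or plain `192.168.2.144`), otherwise `192.168.2.0/24` says what it means. The closing comment `# intern: minio1.grote.lan:9000` disagrees with `minio_port: 9001` set a few lines above (the role default in this commit is 9000), so one of the two should be corrected before someone trusts the comment. `minio_fqdn: ""` makes the S3 and console ports listen on every interface, which is acceptable here only because the ufw rules in the same file restrict the source network — worth stating in the comment next to it.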


@ -182,6 +182,14 @@
dnodesize: auto
atime: on
snapdir: hidden
- dataset: hdd_data_raidz/s3
state: present
compression: zstd
sync: disabled
xattr: sa
dnodesize: auto
atime: on
snapdir: hidden
zfs_extra_arc_max_size: "8589934592" # 8GB in Bytes
zfs_extra_zfs_pools:
- name: "rpool"
@ -257,6 +265,10 @@
recursive: 'no'
snapshots: true
template: '14tage'
- path: hdd_data_raidz/s3
recursive: 'no'
snapshots: true
template: '3tage'
sanoid_templates:
- name: '31tage'
@ -369,3 +381,7 @@
mp_nr: 15
mp_path_host: /hdd_data_raidz/programme
mp_path_guest: /shares_programme
- vmid: 116
mp_nr: 1
mp_path_host: /hdd_data_raidz/s3
mp_path_guest: /bm/s3
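Review bot: `sync: disabled` on the new `hdd_data_raidz/s3` dataset in the first hunk lets ZFS acknowledge synchronous writes before they reach stable storage; MinIO relies on fsync for object durability, so a crash or power loss can lose objects the client was already told were committed. The neighbouring datasets in the hunk carry the same setting, so this may be a deliberate pool-wide trade-off, but for an S3 backend `sync: standard` is the safer choice. The sanoid retention for the same dataset (`template: '3tage'`) differs from the `'14tage'` siblings in the second hunk; a one-line comment on why would save the next reader a guess.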


@ -4,6 +4,10 @@ all:
hosts:
dokuwiki2.grote.lan:
dokuwiki-test.grote.lan:
minio:
hosts:
minio1.grote.lan:
minio-test.grote.lan:
tor:
hosts:
tor1-test.grote.lan:
@ -70,6 +74,7 @@ all:
docker3.grote.lan:
docker4.grote.lan:
tor1.mgrote.net:
minio1.grote.lan:
test:
hosts:
dokuwiki-test.grote.lan:
@ -83,3 +88,4 @@ all:
ntp-server-test.grote.lan:
fileserver2-test.grote.lan:
tor1-test.grote.lan:
minio-test.grote.lan:

Binary file not shown.


@ -0,0 +1,4 @@
---
- hosts: minio
roles:
- { role: mgrote.minio, tags: "minio", become: true }


@ -0,0 +1,12 @@
## mgrote.minio
### Beschreibung
Installiert einen Single-Minio-Server.
### getestet auf
- [X] Ubuntu (>=20.04)
- [ ] Debian
- [ ] ProxMox 6.1
### Variablen + Defaults
see [defaults](./defaults/main.yml)


@ -0,0 +1,20 @@
---
minio_download_url: https://dl.min.io/server/minio/release/linux-amd64/minio # downloadlink
minio_bin_path: /usr/local/bin # where to put the binary
minio_volumes_base_dir: /usr/local/share/minio/ # where to store the buckets
minio_config_dir: /etc/minio # where to store the config
minio_fqdn: minio-test.grote.lan
minio_port: 9000 # s3 port
minio_console_port: 34081 # mgmt-gui port
minio_root_user: minio # default web user
minio_root_password: miniostorage # defaut pass
minio_user: minio-user # linux user
minio_group: minio-user # linux group
minio_server_url: "" # see https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html
minio_browser_redirect_url: "" # see https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html
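Review bot: `minio_root_password: miniostorage` ships a known root credential as a role default, so any host that forgets to override it (the group_vars in this commit do, via the keepass lookup) starts a MinIO with a guessable admin login; dropping the default so templating fails on an undefined variable, or adding an `ansible.builtin.assert` in the tasks that rejects this value, fails closed instead. `minio_fqdn: minio-test.grote.lan` is likewise an environment-specific value in a generic role default; `""` (bind all interfaces, as the group_vars already use) would fit a reusable role better. Minor: `# defaut pass` is a typo for `# default pass`.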


@ -0,0 +1,6 @@
---
- name: (re)start service
become: yes
ansible.builtin.systemd:
name: minio
state: restarted


@ -0,0 +1,61 @@
---
- name: ensure group exists
ansible.builtin.group:
name: "{{ minio_group }}"
state: present
- name: ensure user exists
ansible.builtin.user:
name: "{{ minio_user }}"
group: "{{ minio_group }}"
shell: /sbin/nologin
state: present
- name: ensure needed directories are present
file:
path: "{{ item }}"
state: directory
owner: "{{ minio_user }}"
group: "{{ minio_user }}"
with_items:
- "{{ minio_volumes_base_dir }}"
- "{{ minio_config_dir }}"
- name: download binary
get_url:
url: "{{ minio_download_url }}"
dest: "{{ minio_bin_path }}/minio"
mode: 0744
owner: "{{ minio_user }}"
group: "{{ minio_user }}"
- name: template default config
become: yes
ansible.builtin.template:
src: "default.j2"
dest: "/etc/default/minio"
owner: "{{ minio_user }}"
group: "{{ minio_user }}"
notify: (re)start service
no_log: true
- name: template systemd-unit
become: yes
ansible.builtin.template:
src: "minio.service.j2"
dest: "/etc/systemd/system/minio.service"
mode: a+x
owner: "{{ minio_user }}"
group: "{{ minio_user }}"
notify: (re)start service
- name: systemd daemon reload
become: yes
ansible.builtin.systemd:
daemon_reload: true
- name: enable systemd service
become: yes
ansible.builtin.systemd:
name: minio
enabled: true
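Review bot: The `template default config` task writes `MINIO_ROOT_PASSWORD` into `/etc/default/minio` without a `mode:`, so the file gets the remote umask default (typically 0644) and every local account can read the root credential; add `mode: "0640"` next to the `owner:`/`group:` lines of that task. Four tasks set `group: "{{ minio_user }}"` where `minio_group` is clearly intended — the two defaults are equal today, so nothing breaks, but overriding `minio_group` would silently leave the files in the user's group. `mode: a+x` on the systemd unit makes a unit file executable for no reason and should be `mode: "0644"`, and `mode: 0744` on the binary should be quoted as `"0744"` (or `"0755"`) so YAML does not turn it into an integer. The `download binary` task fetches whatever the unpinned URL currently serves with no `checksum:`, so the installed build is whatever was latest at first run and is never verified; a release-pinned URL plus `checksum: sha256:<PLACEHOLDER>` makes the install reproducible. Style: `file:` and `get_url:` are the only unqualified module names in a file that otherwise uses `ansible.builtin.` prefixes.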


@ -0,0 +1,7 @@
MINIO_ROOT_USER="{{ minio_root_user }}"
MINIO_VOLUMES="{{ minio_volumes_base_dir }}"
MINIO_OPTS="-C {{ minio_config_dir }} --address {{ minio_fqdn }}:{{ minio_port }} --console-address :{{ minio_console_port }}"
MINIO_ROOT_PASSWORD="{{ minio_root_password }}"
MINIO_SERVER_URL="{{ minio_server_url }}"
MINIO_BROWSER_REDIRECT_URL="{{ minio_browser_redirect_url}}"
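Review bot: The values are dropped into double-quoted assignments without escaping, and systemd's EnvironmentFile parser treats `"` and `\` inside double quotes as delimiter and escape, so a `minio_root_password` containing either character yields a truncated or altered credential with no error from the template; either document that restriction next to the variable in the role defaults or escape the value here (a `replace` filter for `\` and `"`). `{{ minio_browser_redirect_url}}` on the last line is missing the space before `}}`; harmless to Jinja but inconsistent with the other lines.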


@ -0,0 +1,36 @@
[Unit]
Description=MinIO
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio
[Service]
WorkingDirectory=/usr/local/
User={{ minio_user }}
Group={{ minio_group }}
ProtectProc=invisible
EnvironmentFile=/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
ExecStart={{ minio_bin_path }}/minio server $MINIO_OPTS $MINIO_VOLUMES
# Let systemd restart this service always
Restart=always
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of threads this process can create
TasksMax=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no
[Install]
WantedBy=multi-user.target
# Built for ${project.name}-${project.version} (${project.name})
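Review bot: `AssertFileIsExecutable=/usr/local/bin/minio` hard-codes the path while `ExecStart` uses `{{ minio_bin_path }}/minio`, so overriding `minio_bin_path` makes the assertion check a file that may not exist and the unit fails to start; it should be `AssertFileIsExecutable={{ minio_bin_path }}/minio` (`WorkingDirectory=/usr/local/` is the same kind of fixed path). The closing `# Built for ${project.name}-${project.version} (${project.name})` line is an unexpanded build placeholder carried over from the upstream example unit and can be dropped. The unit already sets `ProtectProc=invisible`; given the environment file carries the root credential, `NoNewPrivileges=true` is a cheap addition, while stricter `ProtectSystem=` settings would need `ReadWritePaths=` for the volume and config directories, so confirm MinIO's write paths before adding those.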


@ -54,7 +54,7 @@ Port {{ ssh_listen_port }}
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PasswordAuthentication {{ ssh_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
@ -120,5 +120,4 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication {{ ssh_password_authentication }}
PermitRootLogin {{ ssh_permit_root_login }}
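Review bot: `PermitRootLogin {{ ssh_permit_root_login }}` still sits below what looks like the commented `Match` example (the `# ForceCommand cvs server` line) after this change, so if that block is ever uncommented the directive silently becomes part of the Match scope instead of a global setting — the same reason the `PasswordAuthentication` line was moved up in the first hunk applies to it, and it should move alongside. The role default for `ssh_password_authentication` is not part of this commit; the literal it replaces was `no`, so confirm the default keeps that value or the change loosens every host that does not set the variable. Both hunks are excerpts of the sshd_config template whose remaining lines are outside this view.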