Fix/minio own volume

environments/template/secrets/skeleton.yml

@@ -175,3 +175,6 @@ invite_private_key_pkcs8: |
   exUPAkqg7ZYNOJa+amGnPWMA1LT0LsIchvqNM9D0xX7PY6zWIH/NDS/yMfIwzcmn
   NVHeh6irTrXgMsuDg1f/rqid
   -----END PRIVATE KEY-----
+
+minio_passwords:
+  openconext: secret

roles/minio/README.md

@@ -0,0 +1,2 @@
+# TODO
+- option to remove users

roles/minio/defaults/main.yml

@@ -1,7 +1,14 @@
 ---
 minio_dir: /opt/openconext/minio
-minio_data_dir: "{{ minio_dir }}/data"
 minio_version: RELEASE.2025-05-24T17-08-30Z
-minio_data_dir_oncontainer: "/mnt/data"
 minio_root_user: "minioadmin"
+minio_data_dir_oncontainer: "/data"
 # minio_root_password get from vault
+minio_url_local: "http://127.0.0.1:9000"
+minio_alias: "openconext"
+minio_client_path: $HOME/minio-binaries
+minio_mc: "{{ minio_client_path }}/mc"
+minio_users:
+    - { name: 'openconext', password: "{{ minio_passwords.openconext }}" } # set passwords in vault
+minio_client_checksum: "sha256:01f866e9c5f9b87c2b09116fa5d7c06695b106242d829a8bb32990c00312e891"
+minio_client_version: "RELEASE.2025-08-13T08-35-41Z"

roles/minio/handlers/main.yml

@@ -8,4 +8,4 @@
     # https://docs.ansible.com/ansible/latest/collections/community/docker/docker_container_module.html#notes
     comparisons:
       '*': ignore
-  when: miniocontainer is success and miniocontainer is not change
+  when: minio_container is success and minio_container is not change

roles/minio/tasks/configure_container.yml

@@ -0,0 +1,75 @@
+---
+- name: Create minio files directory
+  ansible.builtin.file:
+    state: directory
+    path: "{{ minio_dir }}"
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Place the serverapplication configfiles
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "{{ minio_dir }}/{{ item }}"
+    owner: root
+    group: root
+    mode: "0644"
+  with_items:
+    - config.env
+  notify: Restart minio
+
+- name: Create a docker volume
+  community.docker.docker_volume:
+    name: minio_data
+
+- name: Create and start the server container
+  community.docker.docker_container:
+    name: minio
+    image: quay.io/minio/minio:{{ minio_version }}
+    pull: true
+    restart_policy: "always"
+    state: started
+    env:
+      MINIO_CONFIG_ENV_FILE: "/etc/config.env"
+    ports:
+      # Publish container port 9000 for mc client commands
+      - "9000:9000"
+    networks:
+      - name: "loadbalancer"
+    mounts:
+      - source: "{{ minio_dir }}/config.env"
+        target: /etc/config.env
+        type: bind
+      - source: minio_data
+        target: "{{ minio_data_dir_oncontainer }}"
+        type: volume
+
+    command: server --console-address ":9090" {{ minio_data_dir_oncontainer }}
+    labels:
+      traefik.http.routers.minio.rule: "Host(`minio.{{ base_domain }}`)"
+      traefik.http.routers.minio.tls: "true"
+      traefik.http.routers.minio.service: "minio"
+      traefik.http.services.minio.loadbalancer.server.port: "9090"
+      traefik.http.routers.minioapi.rule: "Host(`minioapi.{{ base_domain }}`)"
+      traefik.http.routers.minioapi.tls: "true"
+      traefik.http.routers.minioapi.service: "minioapi"
+      traefik.http.services.minioapi.loadbalancer.server.port: "9000"
+      traefik.enable: "true"
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "curl",
+          "--fail",
+          "http://localhost:9000/minio/health/live"
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+  register: minio_container
+
+- name: Show container debug info
+  ansible.builtin.debug:
+    msg: "{{ minio_container }}"
+    verbosity: 2

roles/minio/tasks/configure_minio_client.yml

@@ -0,0 +1,60 @@
+---
+- name: Configure minio client
+  block:
+
+  - name: Create directory for minio client
+    ansible.builtin.file:
+      path: "{{ minio_client_path }}"
+      state: directory
+      mode: '0700'
+
+  # without these checks (is mc there and is it the desired version) the download minio client task will fail if
+  # the version we have defined is non existent in the minio repository, so lets check those before we
+  # continue to our Download Minio Client
+
+  - name: Check for presence Minio Client
+    ansible.builtin.stat:
+      path: "{{ minio_mc }}"
+    register: minio_client_presence
+
+  - name: Check version Minio Client
+    ansible.builtin.shell:
+      cmd: "{{ minio_mc }} --version | head -1 | awk -F ' ' '{ print $3 }'"
+    args:
+      executable: /bin/bash
+    changed_when: false
+    register: minio_client_current_version
+
+  - name: Debug check version Minio Client
+    ansible.builtin.debug:
+      msg: "{{ minio_client_current_version }}"
+      verbosity: 2
+
+  - name: Download Minio Client
+    ansible.builtin.get_url:
+      url: "https://dl.min.io/client/mc/release/linux-amd64/mc.{{ minio_client_version }}"
+      dest: "{{ minio_mc }}"
+      mode: '0700'
+      checksum: "{{ minio_client_checksum }}"
+      backup: true # always nice to have a backup
+    when: not minio_client_presence.stat.exists or minio_client_current_version.stdout != minio_client_version
+
+  - name: Check if minio alias is set
+    ansible.builtin.command: "{{ minio_mc }} alias list {{ minio_alias }}"
+    changed_when: false
+    register: minio_alias_present
+    check_mode: false # always run its safe
+    failed_when: minio_alias_present.rc > 1 # rc 1 means alias not present thjats what we wanted to know
+
+  - name: Debug alias list
+    ansible.builtin.debug:
+      msg: "{{ minio_alias_present.rc }}" # stdout can contain password
+      verbosity: 2
+
+  - name: Configure minio connection alias
+    ansible.builtin.command: "{{ minio_mc }} alias set {{ minio_alias }} {{ minio_url_local }} {{ minio_root_user }} {{ minio_root_password }}"
+    register: alias_command
+    failed_when: '"Added `" + minio_alias + "` successfully" not in alias_command.stdout'
+    when: minio_alias_present.rc == 1
+
+  become: false # No mc client actions as root

roles/minio/tasks/configure_minio_server.yml

@@ -0,0 +1,2 @@
+---
+

roles/minio/tasks/create_users.yml

@@ -0,0 +1,25 @@
+- name: Check and create users
+  block:
+  - name: Check whether user is already configured
+    ansible.builtin.command: "{{ minio_mc }} admin user info {{ minio_alias }} {{ user.name }}"
+    register: minio_user_present
+    changed_when: false
+    ignore_errors: true
+    failed_when: minio_user_present.rc > 1 # rc 1 means alias not present thjats what we wanted to know
+
+  - name: create and configure users
+    when:
+      - minio_user_present.rc==1
+      - '"Unable to get user info" in minio_user_present.stderr'
+    block:
+      - name: Create users
+        ansible.builtin.command: "{{ minio_mc }} admin user add {{ minio_alias }} {{ user.name }} {{ user.password }}"
+        register: minio_add_user
+        changed_when: '"Added user `" + user.name + "` successfully" in minio_add_user.stdout'
+        no_log: true
+
+      - name: Attach read write policy
+        ansible.builtin.command: "{{ minio_mc }} admin policy attach {{ minio_alias }} readwrite --user={{ user.name }}"
+        register: minio_attach_user
+        changed_when: '"Added user `" + user.name + "` successfully" in minio_add_user.stdout'
+  become: false # No mc client actions as root

roles/minio/tasks/main.yml

@@ -1,70 +1,14 @@
----
-- name: Create minio files directory
-  ansible.builtin.file:
-    state: directory
-    path: "{{ minio_dir }}"
-    owner: root
-    group: root
-    mode: "0755"
+- name: Configure and start container
+  ansible.builtin.include_tasks: "configure_container.yml"
 
-- name: Create minio data directory
-  ansible.builtin.file:
-    state: directory
-    path: "{{ minio_data_dir }}"
-    owner: root
-    group: root
-    mode: "0755"
+- name: Configure minio client
+  ansible.builtin.include_tasks: "configure_minio_client.yml"
 
-- name: Place the serverapplication configfiles
-  ansible.builtin.template:
-    src: "{{ item }}.j2"
-    dest: /opt/openconext/minio/{{ item }}
-    owner: root
-    group: root
-    mode: "0644"
-  with_items:
-    - config.env
-  notify: Restart minio
+- name: Configure minio server
+  ansible.builtin.include_tasks: "configure_minio_server.yml"
 
-- name: Create and start the server container
-  community.docker.docker_container:
-    name: minio
-    image: quay.io/minio/minio:{{ minio_version }}
-    pull: true
-    restart_policy: "always"
-    state: started
-    env:
-      MINIO_CONFIG_ENV_FILE: "/etc/config.env"
-    networks:
-      - name: "loadbalancer"
-    mounts:
-      - source: "{{ minio_data_dir }}"
-        target: "{{ minio_data_dir_oncontainer }}"
-        type: bind
-      - source: "{{ minio_dir }}/config.env"
-        target: /etc/config.env
-        type: bind
-    command: server --console-address ":9090" {{ minio_data_dir_oncontainer }}
-    labels:
-      traefik.http.routers.minio.rule: "Host(`minio.{{ base_domain }}`)"
-      traefik.http.routers.minio.tls: "true"
-      traefik.http.routers.minio.service: "minio"
-      traefik.http.services.minio.loadbalancer.server.port: "9090"
-      traefik.http.routers.minioapi.rule: "Host(`minioapi.{{ base_domain }}`)"
-      traefik.http.routers.minioapi.tls: "true"
-      traefik.http.routers.minioapi.service: "minioapi"
-      traefik.http.services.minioapi.loadbalancer.server.port: "9000"
-      traefik.enable: "true"
-    healthcheck:
-      test:
-        [
-          "CMD",
-          "curl",
-          "--fail",
-          "http://localhost:9000/minio/health/live"
-        ]
-      interval: 10s
-      timeout: 10s
-      retries: 3
-      start_period: 10s
-  register: miniocontainer
+- name: Add minio users
+  ansible.builtin.include_tasks: "create_users.yml"
+  loop: "{{ minio_users }}"
+  loop_control:
+    loop_var: "user"

roles/minio/templates/config.env.j2

@@ -1,3 +1,2 @@
 MINIO_ROOT_USER={{ minio_root_user }}
-MINIO_ROOT_PASSWORD={{ minio_root_password }}
-MINIO_VOLUMES="{{ minio_data_dir_oncontainer }}"
+MINIO_ROOT_PASSWORD={{ minio_root_password }}