diff --git a/roles/minio/tasks/deploy.yml b/roles/minio/tasks/deploy.yml
index 6a88152..7391786 100644
--- a/roles/minio/tasks/deploy.yml
+++ b/roles/minio/tasks/deploy.yml
@@ -102,6 +102,8 @@
 
 - name: flush_handlers
   meta: flush_handlers
+  tags:
+  - always
 
 - name: ensure minio.service is running
   systemd:
diff --git a/roles/minio/templates/minio.container.j2 b/roles/minio/templates/minio.container.j2
index eb1847f..5d22c29 100644
--- a/roles/minio/templates/minio.container.j2
+++ b/roles/minio/templates/minio.container.j2
@@ -2,6 +2,7 @@
 Description=MinIO Object Storage
 Wants=network-online.target
 After=network-online.target
+RequiresMountsFor={{ minio_storage_path }}
 
 [Container]
 Image={{ minio_container_image }}:{{ minio_version }}
@@ -27,6 +28,9 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=strict
+ReadWritePaths=/etc/minio/certs
+ReadWritePaths=/etc/containers/networks
+ReadWritePaths=/run
 ReadWritePaths=/var/lib/containers/storage
 ReadWritePaths={{ minio_storage_path }}
 RestrictRealtime=yes