# MinIO Object Storage — Podman Quadlet container unit, rendered from a
# Jinja2 template ({{ ... }} / {% ... %} are filled in at deploy time).
# Quadlet expands the [Container] section into a generated systemd service;
# [Unit], [Service] and [Install] are passed through to that service.

[Unit]
Description=MinIO Object Storage
Wants=network.target
After=network.target
# Do not start until the filesystem backing the object store is mounted.
RequiresMountsFor={{ minio_storage_path }}

[Container]
Image={{ minio_container_image }}:{{ minio_version }}
# Never pull on start: the image must already exist locally, so the version
# that runs is the one that was provisioned, not whatever a registry serves.
Pull=never
# MinIO command line: optional listen address, data root, TLS material dir.
Exec=server {% if minio_address|d %}--address {{ minio_address }} {% endif %}/data --certs-dir /certs
# UID/GID used *inside* the container (podman --user), not the host-side
# [Service] User=.
User=224
Group=224
# Handed to the container via --env-file. If this file carries the MinIO
# root credentials, keep it root-owned with mode 0600 — TODO confirm contents.
EnvironmentFile=/etc/sysconfig/minio
# Object store mounted writable; TLS certs mounted read-only with an SELinux
# relabel (:z). The data path carries no label option — presumably already
# labelled for container access; verify on SELinux hosts.
Volume={{ minio_storage_path }}:/data:rw
Volume=/etc/minio/certs:/certs:ro,z
# Host network namespace: no port publishing, MinIO listens directly on the
# host (the --address above decides where).
Network=host
# Blocks privilege gain via setuid/file capabilities inside the container.
NoNewPrivileges=yes

[Service]
# Quadlet records the container id in %t/%N.cid; reload sends SIGHUP to the
# container's main process.
ExecReload=/usr/bin/podman kill -s HUP --cidfile %t/%N.cid
TimeoutStartSec=5min
Restart=always
# Host-side sandbox for the podman processes that run this unit (the
# container itself is confined separately by podman).
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
# Whole filesystem read-only except the ReadWritePaths listed below.
ProtectSystem=strict
# Cert dir is writable host-side presumably so the :z relabel can succeed;
# the rest are podman network config, runtime state, image store and the
# data volume.
ReadWritePaths=/etc/minio/certs
ReadWritePaths=/etc/containers/networks
ReadWritePaths=/run
ReadWritePaths=/var/lib/containers/storage
ReadWritePaths={{ minio_storage_path }}
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Files created by the service are readable by their owner only.
UMask=0077

[Install]
WantedBy=multi-user.target