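# Tasks that deploy MinIO as a Podman Quadlet container: load per-host
# secrets, create the service account and data/cert directories, install TLS
# material and configuration, start the unit, and manage the firewall ports.

# Per-host secrets are optional (skip: true): a host without a vault file is
# passed over without error.
# no_log keeps the decrypted variables out of verbose output and callback logs.
- name: load minio secrets
  include_vars: '{{ item }}'
  with_first_found:
    - files:
        - vault/minio/{{ inventory_hostname }}
      skip: true
  no_log: true
  tags:
    - always

# Fixed gid/uid so ownership of the storage path is stable across hosts.
- name: ensure minio group exists
  group:
    name: minio
    gid: 224
    system: true
    state: present
  tags:
    - user
    - group

- name: ensure minio user exists
  user:
    name: minio
    uid: 224
    group: minio
    system: true
    state: present
  tags:
    - user
    - group

# Data directory: accessible to the service account only; container_file_t
# lets the confined container process use it under SELinux.
- name: ensure minio storage path exists
  file:
    path: '{{ minio_storage_path }}'
    owner: minio
    group: minio
    mode: 'u=rwx,go='
    state: directory
    setype: container_file_t
  tags:
    - datadir

# Certs are owned by root and only readable by the minio group, so the
# service can read but not replace its own TLS material.
- name: ensure minio certs directory exists
  file:
    path: /etc/minio/certs
    owner: root
    group: minio
    mode: 'u=rwx,g=rx,o='
    setype: container_file_t
    state: directory
  tags:
    - cert

# with_fileglob yields no items when the per-host file is absent, so a missing
# certificate is silently skipped here rather than reported as a failure.
- name: ensure minio server certificate is present
  copy:
    src: '{{ item }}'
    dest: /etc/minio/certs/public.crt
    owner: root
    group: minio
    mode: 'u=rw,g=r,o='
    setype: container_file_t
  with_fileglob: certs/minio/{{ inventory_hostname }}.cer
  notify:
    - reload minio
  tags:
    - cert

# diff: false keeps the key material out of --diff output.
# As above, a missing key file is skipped without an error.
- name: ensure minio server private key is present
  copy:
    src: '{{ item }}'
    dest: /etc/minio/certs/private.key
    owner: root
    group: minio
    mode: 'u=rw,g=r,o='
    setype: container_file_t
  diff: false
  with_fileglob: certs/minio/{{ inventory_hostname }}.key
  notify:
    - reload minio
  tags:
    - cert

# Root-only environment file.
# NOTE(review): minio.env.j2 is not visible here; it presumably renders the
# credentials loaded from the vault file, so diff output is suppressed in the
# same way as for the private key -- confirm against the template.
- name: ensure minio environment is configured
  template:
    src: minio.env.j2
    dest: /etc/sysconfig/minio
    owner: root
    group: root
    mode: 'u=rw,go='
  diff: false
  notify:
    - restart minio
  tags:
    - config

# Quadlet unit definition; systemd must reload to regenerate minio.service
# from it before the restart handler runs.
- name: ensure minio.container systemd unit exists
  template:
    src: minio.container.j2
    dest: /etc/containers/systemd/minio.container
    owner: root
    group: root
    mode: 'u=rw,go=r'
  notify:
    - reload systemd
    - restart minio
  tags:
    - systemd

# Run pending handlers now so the unit below is started against the current
# configuration.
- name: flush_handlers
  meta: flush_handlers
  tags:
    - always

- name: ensure minio.service is running
  systemd:
    name: minio.service
    state: started
  tags:
    - service

# Opens (or closes) both listener ports in firewalld. The default is open:
# exposure has to be switched off explicitly with minio_allow_outside=false.
# The bool filter matters: without it a string value such as "false" (e.g.
# from -e or an INI inventory) is truthy and the ports would stay open.
# NOTE(review): 9000/9090 are presumably the API and console listeners --
# confirm against minio.container.j2.
- name: ensure firewall is configured for minio
  firewalld:
    port: '{{ item }}/tcp'
    permanent: true
    immediate: true
    state: '{{ "enabled" if minio_allow_outside | d(true) | bool else "disabled" }}'
  loop:
    - 9000
    - 9090
  when: host_uses_firewalld | d(true) | bool
  tags:
    - firewalld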