veza/infra/ansible/roles/minio_distributed/tasks/main.yml

# minio_distributed role — installs MinIO server (versioned), drops
# the systemd unit pointing at all 4 nodes via MINIO_VOLUMES, starts
# the cluster. Idempotent.
#
# After every node converges, a one-shot init task on the FIRST node
# in `minio_nodes` creates the prod bucket + applies versioning +
# lifecycle. Running it on a single node is sufficient — MinIO
# replicates bucket metadata across the erasure set.
---
- name: Vault placeholders are overridden in non-lab envs
  ansible.builtin.assert:
    that:
      - minio_root_user != "CHANGE_ME_VAULT"
      - minio_root_password != "CHANGE_ME_VAULT_PASSWORD"
    fail_msg: |
      minio_root_user / minio_root_password still hold placeholder
      values. Provide them via group_vars/minio_ha.vault.yml (encrypted)
      before applying this role to staging or prod.      
  when: (deploy_env | default("lab")) != "lab"
  tags: [minio, assert]

- name: Ensure minio user
  ansible.builtin.user:
    name: minio
    system: true
    home: "{{ minio_data_path }}"
    shell: /usr/sbin/nologin
    create_home: true
  tags: [minio, install]

- name: Ensure data + config directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: minio
    group: minio
    mode: "0750"
  loop:
    - "{{ minio_data_path }}"
    - "{{ minio_etc }}"
  tags: [minio, install]

- name: Check installed MinIO version
  ansible.builtin.stat:
    path: "/usr/local/bin/minio-{{ minio_version }}"
  register: minio_installed
  tags: [minio, install]

- name: Download MinIO server binary (versioned)
  ansible.builtin.get_url:
    url: "https://dl.min.io/server/minio/release/linux-{{ minio_arch }}/archive/minio.{{ minio_version }}"
    dest: "/usr/local/bin/minio-{{ minio_version }}"
    mode: "0755"
    owner: root
    group: root
  when: not minio_installed.stat.exists
  tags: [minio, install]

- name: Symlink /usr/local/bin/minio → versioned binary
  ansible.builtin.file:
    src: "/usr/local/bin/minio-{{ minio_version }}"
    dest: /usr/local/bin/minio
    state: link
    force: true
  notify: Restart minio
  tags: [minio, install]

- name: Check installed mc client version
  ansible.builtin.stat:
    path: "/usr/local/bin/mc-{{ minio_mc_version }}"
  register: mc_installed
  tags: [minio, install]

- name: Download mc client (versioned, used by bucket init task)
  ansible.builtin.get_url:
    url: "https://dl.min.io/client/mc/release/linux-{{ minio_arch }}/archive/mc.{{ minio_mc_version }}"
    dest: "/usr/local/bin/mc-{{ minio_mc_version }}"
    mode: "0755"
    owner: root
    group: root
  when: not mc_installed.stat.exists
  tags: [minio, install]

- name: Symlink /usr/local/bin/mc → versioned binary
  ansible.builtin.file:
    src: "/usr/local/bin/mc-{{ minio_mc_version }}"
    dest: /usr/local/bin/mc
    state: link
    force: true
  tags: [minio, install]

- name: Render /etc/default/minio
  ansible.builtin.template:
    src: minio.env.j2
    dest: /etc/default/minio
    owner: root
    group: minio
    mode: "0640"
  notify: Restart minio
  tags: [minio, config]

- name: Render systemd unit
  ansible.builtin.template:
    src: minio.service.j2
    dest: /etc/systemd/system/minio.service
    owner: root
    group: root
    mode: "0644"
  notify: Restart minio
  tags: [minio, service]

- name: Enable + start minio
  ansible.builtin.systemd:
    name: minio
    state: started
    enabled: true
    daemon_reload: true
  tags: [minio, service]

# -----------------------------------------------------------------------
# Bucket + lifecycle init — runs once, on the first node only. The
# erasure-coded cluster syncs metadata across nodes so we don't need
# to repeat this everywhere.
# -----------------------------------------------------------------------
- name: Wait for MinIO API to accept connections (every node)
  ansible.builtin.wait_for:
    host: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
    port: "{{ minio_port }}"
    timeout: 60
  tags: [minio, init]

- name: Render lifecycle policy
  ansible.builtin.template:
    src: lifecycle.json.j2
    dest: "{{ minio_etc }}/lifecycle.json"
    owner: root
    group: minio
    mode: "0640"
  when: inventory_hostname == groups['minio_nodes'][0]
  tags: [minio, init]

- name: Configure mc alias for the local cluster
  ansible.builtin.command:
    cmd: >-
      /usr/local/bin/mc alias set veza-local
      http://localhost:{{ minio_port }}
      {{ minio_root_user }} {{ minio_root_password }}      
  changed_when: false
  no_log: true
  when: inventory_hostname == groups['minio_nodes'][0]
  tags: [minio, init]

- name: Create the prod bucket if it doesn't exist
  ansible.builtin.command:
    cmd: /usr/local/bin/mc mb --ignore-existing veza-local/{{ minio_bucket_tracks }}
  register: mc_mb
  changed_when: "'Bucket created successfully' in mc_mb.stdout"
  when: inventory_hostname == groups['minio_nodes'][0]
  tags: [minio, init]

- name: Enable versioning on the prod bucket
  ansible.builtin.command:
    cmd: /usr/local/bin/mc version enable veza-local/{{ minio_bucket_tracks }}
  changed_when: false
  when: inventory_hostname == groups['minio_nodes'][0]
  tags: [minio, init]

- name: Apply lifecycle policy
  ansible.builtin.command:
    cmd: >-
      /usr/local/bin/mc ilm import
      veza-local/{{ minio_bucket_tracks }}
      < {{ minio_etc }}/lifecycle.json      
  args:
    executable: /bin/bash
  changed_when: false
  when: inventory_hostname == groups['minio_nodes'][0]
  tags: [minio, init]