-
Notifications
You must be signed in to change notification settings - Fork 35
/
Copy pathinstall-s3-service
executable file
·61 lines (51 loc) · 1.99 KB
/
install-s3-service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#!/bin/sh
# deploy this script with:
# ansible -i inventory -m include_role -a name=s3-systemd
set -eufx
SECRETS=/var/lib/cockpit-secrets
RUNC=$(which podman)
systemctl stop cockpit-s3.service || true
if [ -z "${DISABLE_TLS:-}" ]; then
CERT_VOLS="-v $SECRETS/s3-server/s3-server.key:/root/.minio/certs/private.key:ro -v $SECRETS/s3-server/s3-server.pem:/root/.minio/certs/public.crt:ro"
PORT=443
PROTOCOL=https
else
CERT_VOLS=""
PORT=80
PROTOCOL=http
fi
cat <<EOF > /etc/systemd/system/cockpit-s3.service
[Unit]
Description=Cockpit S3 image server
[Service]
Restart=always
RestartSec=60
ExecStartPre=-$RUNC rm -f cockpit-s3
ExecStartPre=/bin/sh -c 'dd if=/dev/urandom bs=12 count=1 status=none | base64 > /run/cockpit-s3.rootpassword.txt'
ExecStart=/bin/sh -xc "$RUNC run --name=cockpit-s3 --publish=$PORT:9000 -e MINIO_ROOT_USER=minioadmin -e MINIO_ROOT_PASSWORD=\$(cat /run/cockpit-s3.rootpassword.txt) $CERT_VOLS -v images-minio-data:/data:rw quay.io/minio/minio server /data"
ExecStartPost=/usr/local/lib/setup-s3.sh
ExecStartPost=/bin/rm -f /run/cockpit-s3.rootpassword.txt
ExecStop=$RUNC rm -f cockpit-s3
[Install]
WantedBy=multi-user.target
EOF
cat <<EOF > /usr/local/lib/setup-s3.sh
#!/bin/sh
set -eu
read s3user s3key < "$SECRETS/s3-keys/self-hosted"
$RUNC run --interactive --rm --network=host \
-v "$SECRETS"/webhook/ca.pem:/etc/pki/ca-trust/source/anchors/ca.pem:ro \
--entrypoint /bin/sh quay.io/minio/mc <<EOC
set -e
cat /etc/pki/ca-trust/source/anchors/ca.pem >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
until mc alias set minio ${PROTOCOL}://localhost minioadmin \$(cat /run/cockpit-s3.rootpassword.txt); do sleep 1; done
# this fails with non-zero as the directory already exists; that's fine
mc mb minio/images || true
mc policy set download minio/images
mc admin user add minio/ '\$s3user' '\$s3key'
mc admin policy attach minio/ readwrite --user '\$s3user'
EOC
EOF
chmod a+x /usr/local/lib/setup-s3.sh
systemctl daemon-reload
systemctl enable --now cockpit-s3.service