From 88345d6b265a007483ee94932fdc724d7d3fd264 Mon Sep 17 00:00:00 2001
From: spmfox
Date: Sun, 27 Apr 2025 21:28:22 -0400
Subject: removing bastion cockpit, tweaking and commenting containerfile
---
deploy.yml | 31 -------------------------------
templates/bootcblade.containerfile.j2 | 32 +++++++++++++++++---------------
2 files changed, 17 insertions(+), 46 deletions(-)
diff --git a/deploy.yml b/deploy.yml
index a62e0a4..b24bf72 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -92,37 +92,6 @@
- { name: "bootcblade-rebuild.service", state: "stopped", enabled: false }
- { name: "bootcblade-rebuild.timer", state: "started", enabled: true }
- - name: Stop and disable (mask) bootc-fetch-apply-updates
- ansible.builtin.systemd_service:
- name: "{{ item }}"
- state: "stopped"
- enabled: false
- masked: true
- daemon-reload: true
- loop:
- - "bootc-fetch-apply-updates.timer"
- - "bootc-fetch-apply-updates.service"
-
- - name: Generate quadlet file for cockpit-bastion
- ansible.builtin.shell: "podman run --rm -it ghcr.io/containers/podlet -i podman run --rm -d --name cockpit-bastion -p 9090:9090 -v /etc/cockpit/ws-certs.d/:/etc/cockpit/ws-certs.d/:rw,Z quay.io/cockpit/ws"
- register: cockpit_bastion_quadlet
-
- - name: Install quadlet file for cockpit-bastion
- ansible.builtin.copy:
- content: "{{ cockpit_bastion_quadlet.stdout }}"
- dest: "/etc/containers/systemd/cockpit-bastion.container"
-
- - name: Create SSL certificate directory for cockpit-ws
- ansible.builtin.file:
- path: "/etc/cockpit/ws-certs.d"
- state: directory
-
- - name: Start cockpit-bastion service
- ansible.builtin.systemd_service:
- name: "cockpit-bastion.service"
- state: "started"
- daemon-reload: true
vars:
ansible_user: "root"
tags: configure
-
diff --git a/templates/bootcblade.containerfile.j2 b/templates/bootcblade.containerfile.j2
index 3a8a8f6..6815c66 100644
--- a/templates/bootcblade.containerfile.j2
+++ b/templates/bootcblade.containerfile.j2
@@ -4,24 +4,26 @@
ARG SKIP_ZFS={{ skip_zfs if skip_zfs is defined else 'False' }}
ARG SKIP_KVM={{ skip_kvm if skip_kvm is defined else 'False' }}
ARG SKIP_SHARES={{ skip_shares if skip_shares is defined else 'False' }}
-# Create root homedir
-RUN mkdir /var/roothome
-
-# Basic Tools
-RUN dnf -y install git vim podman fish ansible wget dstat byobu smartmontools hdparm wireguard-tools NetworkManager-wifi rsync glances tree && \
+# Basic Configuration
+RUN mkdir /var/roothome && \
+# System tools
+ dnf -y install firewalld git vim podman fish ansible wget dstat byobu smartmontools hdparm wireguard-tools NetworkManager-wifi rsync glances tree && \
+# btm
dnf -y install `curl -s https://api.github.com/repos/ClementTsang/bottom/releases/latest | grep "browser_download" |grep -v musl |grep ".rpm" |awk -F '"' '{print $4}'` && \
- dnf -y install cockpit-bridge cockpit-podman cockpit-storaged cockpit-system cockpit-selinux cockpit-ostree cockpit-networkmanager && \
- dnf clean all
-
-# Allow sudo without password
-RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/wheel-passwordless-sudo
-
-# Firewall
-RUN dnf -y install firewalld && \
+# Cockpit
+ dnf -y install cockpit-ws cockpit-bridge cockpit-podman cockpit-storaged cockpit-system cockpit-selinux cockpit-ostree cockpit-networkmanager cockpit-files && \
+ dnf clean all && \
+# Enable services
systemctl enable firewalld && \
+ systemctl enable cockpit.socket && \
+# Disable and mask baked-in bootc services
+ systemctl disable bootc-fetch-apply-updates.timer && \
+ systemctl mask bootc-fetch-apply-updates.service && \
+# Allow passwordless sudo
+ echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/wheel-passwordless-sudo && \
+# Configure firewall for cockpit and ssh access
firewall-offline-cmd --add-service cockpit && \
- firewall-offline-cmd --add-service ssh && \
- dnf clean all
+ firewall-offline-cmd --add-service ssh
# ZFS
RUN if [ "$SKIP_ZFS" = "False" ]; then \
-- cgit
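Review bot: The added `systemctl enable cockpit.socket` and `firewall-offline-cmd --add-service cockpit` lines make every image built from this template accept Cockpit web logins unconditionally, and the same RUN installs an unconditional `%wheel ALL=(ALL) NOPASSWD: ALL` rule, so any wheel-member credential accepted over that listener is root with no second prompt. The existing `SKIP_ZFS` pattern shows how to make this opt-out: gate the Cockpit install/enable/firewall lines behind a build ARG of the same shape so hosts that do not need the web console never expose it. The deleted deploy.yml tasks also provisioned `/etc/cockpit/ws-certs.d`, which nothing in the new RUN replaces; presumably cockpit-ws falls back to a generated self-signed certificate, but that should be confirmed and recorded in a comment next to the `cockpit-ws` install. The sudoers drop-in is written with the build umask and never syntax-checked, so follow the `echo` with `chmod 0440 /etc/sudoers.d/wheel-passwordless-sudo && visudo -cf /etc/sudoers.d/wheel-passwordless-sudo && \`.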