| author | spmfox <spmfox@foxwd.com> | 2024-08-27 17:34:55 -0400 |
|---|---|---|
| committer | spmfox <spmfox@foxwd.com> | 2024-08-27 17:34:55 -0400 |
| commit | 5ca4fbf2cfe781efedc7c078acaa826c6ad39b10 (patch) | |
| tree | 598ff2c8b51948091ffa1eb1fbb6ef6f7b26b776 /host.yml | |
| parent | 4aa6b11581718f66e711bf26fbb41e96fa3a4661 (diff) | |
converting to roles, converting from runlabels to quadlet ~ breaking change
Diffstat (limited to 'host.yml')
| -rw-r--r-- | host.yml | 118 |
1 files changed, 2 insertions, 116 deletions
@@ -1,120 +1,6 @@ - hosts: localhost become: true - vars: - shell_service_status_helper: | - echo "----systemd----" - systemctl --user list-units 'pod-*' -q - echo "" - systemctl --user list-units 'container-*' -q - echo "" - echo "----podman----" - podman pod list --sort status --format={{ '"{{.Status}} {{.Name}}"' }} - echo "" - podman container list --all --sort status --format={{ '"{{.State}} {{.Status}} {{.Names}}"' }} - echo "" tasks: - - name: Create containers user - ansible.builtin.user: - name: "containers" - - - name: Add bashrc for container service status on login - ansible.builtin.blockinfile: - path: "/home/containers/.bashrc" - owner: "containers" - group: "containers" - create: true - block: "{{ shell_service_status_helper }}" - - - name: Check if fish shell is installed - ansible.builtin.stat: - path: "/usr/bin/fish" - register: fish - - - name: Add fish config for container service status on login - ansible.builtin.blockinfile: - path: "/home/containers/.config/fish/conf.d/containers.fish" - owner: "containers" - group: "containers" - create: true - block: "{{ shell_service_status_helper }}" - when: fish.stat.exists - - - name: Fix permissions on /home/containers - ansible.builtin.file: - path: "/home/containers" - state: directory - owner: "containers" - group: "containers" - recurse: true - - - name: Install systemd-container and podman - ansible.builtin.package: - name: - - "systemd-container" - - "podman" - state: present - - - name: Confirm systemd-linger is set for containers user - ansible.builtin.stat: - path: "/var/lib/systemd/linger/containers" - register: linger - - - name: Set systemd-linger for containers user (if necessary) - ansible.builtin.shell: "loginctl enable-linger containers" - when: not linger.stat.exists - - - name: Unprivileged port block - block: - - name: Confirm port 80 and above is allowed for unprivileged use - ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80" - - rescue: - - name: Set 
sysctl parameter net.ipv4.ip_unprivileged_port_start=80 - ansible.builtin.lineinfile: - path: "/etc/sysctl.conf" - regexp: "^net.ipv4.ip_unprivileged_port_start=80" - line: "net.ipv4.ip_unprivileged_port_start=80" - - - name: Reload sysctl - ansible.builtin.shell: "sysctl -p /etc/sysctl.conf" - - - name: Confirm port 80 and above is allowed for unprivileged use - ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80" - tags: - - never - - unprivileged-ports - - - name: cPanel DNS-only block - block: - - name: Confirm if cpsrvd is not listening on http ports - ansible.builtin.shell: "whmapi1 get_tweaksetting key='disable_cphttpd' |grep 'value: 1' || /bin/true" - register: cpsrv_listen - - - name: Turn off cpsrvd listening on http ports (if necessary) - ansible.builtin.shell: "whmapi1 set_tweaksetting key='disable_cphttpd' value='1' ; /scripts/restartsrv_cpsrvd" - when: cpsrv_listen.stdout | length == 0 - - - name: Turn off firewalld - ansible.builtin.service: - name: "firewalld" - state: stopped - enabled: false - - - name: Create new tmp directory for podman - ansible.builtin.file: - path: "/var/containers/tmp" - owner: containers - group: containers - state: directory - - - name: Configure podman to use new tmp directory - ansible.builtin.blockinfile: - path: "/etc/containers/containers.conf" - create: true - block: | - [engine] - env = ["TMPDIR=/var/containers/tmp"] - tags: - - never - - cpanel-dnsonly + - ansible.builtin.import_role: + name: "host" |
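Review bot: The new side replaces the whole task list with a single `ansible.builtin.import_role` of `host`, but the role itself is not in this diff, so it is not visible whether the removed `unprivileged-ports` and `cpanel-dnsonly` blocks kept their `tags: [never, ...]` opt-in gating after the move. That matters because those blocks stop and disable firewalld and lower `net.ipv4.ip_unprivileged_port_start` to 80, and with a static `import_role` any role task that lost the `never` tag will now run on every play against `localhost` with `become: true`. Please confirm the role still carries the `never` tag on those tasks, and state the contract in this play so a reader of host.yml knows what `--tags` triggers, e.g. a comment above the import: `# Opt-in tags exposed by the host role (run with --tags): unprivileged-ports, cpanel-dnsonly`. Keep the gating on the role's tasks rather than adding `tags:` to the import line, since tags on a static import are applied to every task in the role.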
