authorspmfox <spmfox@foxwd.com>2024-08-27 17:34:55 -0400
committerspmfox <spmfox@foxwd.com>2024-08-27 17:34:55 -0400
commit5ca4fbf2cfe781efedc7c078acaa826c6ad39b10 (patch)
tree598ff2c8b51948091ffa1eb1fbb6ef6f7b26b776 /roles/host/tasks
parent4aa6b11581718f66e711bf26fbb41e96fa3a4661 (diff)
converting to roles, converting from runlabels to quadlet ~ breaking change
Diffstat (limited to 'roles/host/tasks')
-rw-r--r--roles/host/tasks/cpanel-dnsonly.yml28
-rw-r--r--roles/host/tasks/linger.yml8
-rw-r--r--roles/host/tasks/main.yml19
-rw-r--r--roles/host/tasks/packages.yml6
-rw-r--r--roles/host/tasks/shell-helper.yml31
-rw-r--r--roles/host/tasks/systemd-user-network-check.yml20
-rw-r--r--roles/host/tasks/unprivileged-ports.yml17
-rw-r--r--roles/host/tasks/user.yml9
8 files changed, 138 insertions, 0 deletions
diff --git a/roles/host/tasks/cpanel-dnsonly.yml b/roles/host/tasks/cpanel-dnsonly.yml
new file mode 100644
index 0000000..dbb9062
--- /dev/null
+++ b/roles/host/tasks/cpanel-dnsonly.yml
@@ -0,0 +1,28 @@
+- name: Confirm if cpsrvd is not listening on http ports
+ ansible.builtin.shell: "whmapi1 get_tweaksetting key='disable_cphttpd' |grep 'value: 1' || /bin/true"
+ register: cpsrv_listen
+
+- name: Turn off cpsrvd listening on http ports (if necessary)
+ ansible.builtin.shell: "whmapi1 set_tweaksetting key='disable_cphttpd' value='1' ; /scripts/restartsrv_cpsrvd"
+ when: cpsrv_listen.stdout | length == 0
+
+- name: Turn off firewalld
+ ansible.builtin.service:
+ name: "firewalld"
+ state: stopped
+ enabled: false
+
+- name: Create new tmp directory for podman
+ ansible.builtin.file:
+ path: "/var/containers/tmp"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ state: directory
+
+- name: Configure podman to use new tmp directory
+ ansible.builtin.blockinfile:
+ path: "/etc/containers/containers.conf"
+ create: true
+ block: |
+ [engine]
+ env = ["TMPDIR=/var/containers/tmp"]
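Review bot: The "Turn off firewalld" task stops and disables the host firewall unconditionally, which leaves every listening service on the host reachable rather than only the ports the containers need; if a cPanel-managed firewall is expected to take over, state that in a comment above the task, otherwise limit the change to opening the required ports. The first shell task only reads a tweak setting but has no `changed_when`, so it reports changed on every run; add `changed_when: false` to it. The set task joins the two commands with `;`, so cpsrvd is restarted even when `set_tweaksetting` failed; `&&` stops at the first failure.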
diff --git a/roles/host/tasks/linger.yml b/roles/host/tasks/linger.yml
new file mode 100644
index 0000000..dffc6a7
--- /dev/null
+++ b/roles/host/tasks/linger.yml
@@ -0,0 +1,8 @@
+- name: Confirm systemd-linger is set for containers user
+ ansible.builtin.stat:
+ path: "/var/lib/systemd/linger/{{ host_containers_user }}"
+ register: linger
+
+- name: Set systemd-linger for containers user (if necessary)
+ ansible.builtin.shell: "loginctl enable-linger {{ host_containers_user }}"
+ when: not linger.stat.exists
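Review bot: The enable-linger task interpolates `{{ host_containers_user }}` into an `ansible.builtin.shell` command line, so a value containing shell metacharacters is interpreted by the shell before loginctl sees it. Nothing here needs a shell (no pipes or redirection), so `ansible.builtin.command: "loginctl enable-linger {{ host_containers_user }}"` produces the same result with the argument passed verbatim. The `when: not linger.stat.exists` guard already keeps the task from running when nothing changes, so no `changed_when` is needed.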
diff --git a/roles/host/tasks/main.yml b/roles/host/tasks/main.yml
new file mode 100644
index 0000000..5b9dd6b
--- /dev/null
+++ b/roles/host/tasks/main.yml
@@ -0,0 +1,19 @@
+- ansible.builtin.import_tasks: packages.yml
+
+- ansible.builtin.import_tasks: user.yml
+
+- ansible.builtin.import_tasks: linger.yml
+
+- ansible.builtin.import_tasks: shell-helper.yml
+
+- ansible.builtin.import_tasks: systemd-user-network-check.yml
+
+- ansible.builtin.import_tasks: unprivileged-ports.yml
+ tags:
+ - never
+ - unprivileged-ports
+
+- ansible.builtin.import_tasks: cpanel-dnsonly.yml
+ tags:
+ - never
+ - cpanel-dnsonly
diff --git a/roles/host/tasks/packages.yml b/roles/host/tasks/packages.yml
new file mode 100644
index 0000000..df78985
--- /dev/null
+++ b/roles/host/tasks/packages.yml
@@ -0,0 +1,6 @@
+- name: Install systemd-container and podman
+ ansible.builtin.package:
+ name:
+ - "systemd-container"
+ - "podman"
+ state: present
diff --git a/roles/host/tasks/shell-helper.yml b/roles/host/tasks/shell-helper.yml
new file mode 100644
index 0000000..e36784a
--- /dev/null
+++ b/roles/host/tasks/shell-helper.yml
@@ -0,0 +1,31 @@
+- name: Add bashrc for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.bashrc"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+
+- name: Check if fish shell is installed
+ ansible.builtin.stat:
+ path: "/usr/bin/fish"
+ register: fish
+
+- name: Block for fish
+ block:
+ - name: Create fish config directory
+ ansible.builtin.file:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d"
+ state: directory
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+
+ - name: Add fish config for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d/containers.fish"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+ when: fish.stat.exists
+ when: fish.stat.exists
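Review bot: `when: fish.stat.exists` appears twice at the end of this file, once on the inner blockinfile task and once on the enclosing block; the block-level condition already gates both tasks, so the inner one is redundant and should be dropped so a reader does not assume the two conditions differ. The two blockinfile tasks create files under the user's home with `create: true` but no `mode`, so the resulting permissions follow the remote umask; `mode: "0644"` on each makes the login-helper files deterministic. The same `mode` omission applies to the directory created by the file task.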
diff --git a/roles/host/tasks/systemd-user-network-check.yml b/roles/host/tasks/systemd-user-network-check.yml
new file mode 100644
index 0000000..4c87f82
--- /dev/null
+++ b/roles/host/tasks/systemd-user-network-check.yml
@@ -0,0 +1,20 @@
+#This is a workaround so we can check for the network to come up before starting the quadlets
+#https://github.com/containers/podman/issues/22197
+#https://github.com/systemd/systemd/issues/3312
+
+- name: Copy check-network-online.service into systemd user service directory
+ ansible.builtin.copy:
+ src: "check-network-online.service"
+ dest: "/etc/systemd/user/check-network-online.service"
+ register: systemd
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: systemd.changed
+
+- name: Enable check-network-online.service for all users
+ ansible.builtin.systemd_service:
+ name: "check-network-online.service"
+ enabled: true
+ scope: "global"
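Review bot: The copy into `/etc/systemd/user/` sets no `owner`, `group` or `mode`, so the unit file's permissions follow the remote umask; add `mode: "0644"` with `owner: root` and `group: root`, since a unit file in /etc should never be group- or world-writable. The register-then-`when: systemd.changed` pair is the hand-rolled form of a handler; `notify: Reload systemd` on the copy task with the reload as a handler is the idiomatic equivalent and also avoids the generic `systemd` register name. The two header comments also want a space after `#`.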
diff --git a/roles/host/tasks/unprivileged-ports.yml b/roles/host/tasks/unprivileged-ports.yml
new file mode 100644
index 0000000..003646a
--- /dev/null
+++ b/roles/host/tasks/unprivileged-ports.yml
@@ -0,0 +1,17 @@
+- name: Unprivileged port block
+ block:
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+
+ rescue:
+ - name: Set sysctl parameter net.ipv4.ip_unprivileged_port_start=80
+ ansible.builtin.lineinfile:
+ path: "/etc/sysctl.conf"
+ regexp: "^net.ipv4.ip_unprivileged_port_start=80"
+ line: "net.ipv4.ip_unprivileged_port_start=80"
+
+ - name: Reload sysctl
+ ansible.builtin.shell: "sysctl -p /etc/sysctl.conf"
+
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
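Review bot: The `regexp` in the lineinfile rescue task only matches a line that already ends in `=80`, so an existing `net.ipv4.ip_unprivileged_port_start=1024` line in /etc/sysctl.conf is left in place and the new line is appended after it, leaving two conflicting settings in the file; use `regexp: '^net\.ipv4\.ip_unprivileged_port_start='` so any prior value is replaced (the unescaped dots in the current pattern also match any character). The `grep 80` check is loose in the same way, since it also matches values such as 1080 or 8080; `grep -w 80` or comparing the exact value tightens it. Lowering the threshold to 80 lets every unprivileged account on the host bind ports 80-1023, not only the containers user, and that trade-off deserves a comment above the block.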
diff --git a/roles/host/tasks/user.yml b/roles/host/tasks/user.yml
new file mode 100644
index 0000000..40e9f4c
--- /dev/null
+++ b/roles/host/tasks/user.yml
@@ -0,0 +1,9 @@
+- name: Create containers user
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+
+- name: Add containers user to systemd-journal group
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+ groups: "systemd-journal"
+ append: true
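Review bot: The two `ansible.builtin.user` tasks act on the same account and can be a single task that creates the user with `groups: "systemd-journal"` and `append: true` in one step. Membership in systemd-journal grants read access to the whole system journal, including other services' logs; a comment stating why the containers user needs it (presumably for the login status helper, though this file does not say) documents the grant for the next maintainer.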