authorspmfox <spmfox@foxwd.com>2025-04-15 15:00:52 -0400
committerspmfox <spmfox@foxwd.com>2025-04-15 15:00:52 -0400
commit33af7561882425e6e1a2d3ed56e46f2c5a10033f (patch)
treecdac4a3e31162c5f75d7517d14c246289a34edf4 /roles/host
parent422bc9712219fdd4d4719fc98218c76c2a7e86bc (diff)
support for remote jobs, support for more host config, quadlet logic tweaking
Diffstat (limited to 'roles/host')
-rw-r--r--roles/host/defaults/main.yml6
-rw-r--r--roles/host/tasks/firewall.yml17
-rw-r--r--roles/host/tasks/hostname.yml4
-rw-r--r--roles/host/tasks/main.yml19
-rw-r--r--roles/host/tasks/mounts.yml9
-rw-r--r--roles/host/tasks/packages.yml9
-rw-r--r--roles/host/tasks/patching.yml46
-rw-r--r--roles/host/tasks/timezone.yml3
-rw-r--r--roles/host/tasks/user.yml1
9 files changed, 108 insertions, 6 deletions
diff --git a/roles/host/defaults/main.yml b/roles/host/defaults/main.yml
index b56535f..1e7f955 100644
--- a/roles/host/defaults/main.yml
+++ b/roles/host/defaults/main.yml
@@ -6,5 +6,7 @@ host_shell_login_helper: |
podman container list --all --sort status --format={{ '"{{.State}} {{.Status}} {{.Names}}"' }}
echo ""
-host_containers_user: "containers"
-host_unprivileged_port_start: 80
+host_containers_user: "{{ containers_user if containers_user is defined else 'containers' }}"
+host_patching: false
+host_patching_apply: false
+host_patching_reboot: "never"
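Review bot: `host_patching_apply: false` is introduced here but nothing in this commit's `roles/host/tasks/patching.yml` reads it, and with `host_patching: true` that file enables `dnf-automatic-install.timer` on RHEL 9 and writes `apply_updates = yes` on Fedora, so updates are applied regardless of this default and the variable reads as a safety switch it is not. Either wire it in (e.g. `apply_updates = {{ 'yes' if host_patching_apply else 'no' }}` in the Fedora block, and presumably the non-`-install` timer on RHEL when it is false — verify against dnf-automatic's unit names) or drop the variable. `host_containers_user` can be written in the idiomatic form `"{{ containers_user | default('containers') }}"`. Dropping the `host_unprivileged_port_start: 80` default means `unprivileged-port.yml` now only runs when inventory sets the variable, which matches the new `when` in main.yml but is a behaviour change worth a sentence in the commit message.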
diff --git a/roles/host/tasks/firewall.yml b/roles/host/tasks/firewall.yml
new file mode 100644
index 0000000..35138ff
--- /dev/null
+++ b/roles/host/tasks/firewall.yml
@@ -0,0 +1,17 @@
+- name: Modify firewall services
+ ansible.posix.firewalld:
+ service: "{{ item.service }}"
+ state: "{{ item.state }}"
+ permanent: true
+ immediate: true
+ loop: "{{ host_firewall.services }}"
+ when: host_firewall.services is defined
+
+- name: Modify firewall ports
+ ansible.posix.firewalld:
+ port: "{{ item.port }}"
+ state: "{{ item.state }}"
+ permanent: true
+ immediate: true
+ loop: "{{ host_firewall.ports }}"
+ when: host_firewall.ports is defined
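Review bot: Both tasks omit `zone`, so every service and port from `host_firewall` is opened in firewalld's default zone, and an item cannot target the zone its interface actually belongs to; adding `zone: "{{ item.zone | default(omit) }}"` to both tasks keeps existing entries unchanged while allowing an explicit zone. `immediate: true` needs firewalld running, and nothing in this file installs or starts it, so a host without the service will fail here rather than skip — either a preceding `ansible.builtin.service` task for `firewalld` or a comment stating that precondition would help. A `loop_control: label: "{{ item.service }} -> {{ item.state }}"` would also make the run log show which rule changed instead of the whole item dict.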
diff --git a/roles/host/tasks/hostname.yml b/roles/host/tasks/hostname.yml
new file mode 100644
index 0000000..92184a2
--- /dev/null
+++ b/roles/host/tasks/hostname.yml
@@ -0,0 +1,4 @@
+- name: Set hostname
+ ansible.builtin.hostname:
+ name: "{{ host_hostname }}"
+ use: "systemd"
diff --git a/roles/host/tasks/main.yml b/roles/host/tasks/main.yml
index 3b92a94..0a205da 100644
--- a/roles/host/tasks/main.yml
+++ b/roles/host/tasks/main.yml
@@ -1,3 +1,12 @@
+- ansible.builtin.import_tasks: hostname.yml
+ when: host_hostname is defined
+
+- ansible.builtin.import_tasks: timezone.yml
+ when: host_timezone is defined
+
+- ansible.builtin.import_tasks: mounts.yml
+ when: host_mounts is defined
+
- ansible.builtin.import_tasks: packages.yml
- ansible.builtin.import_tasks: user.yml
@@ -8,10 +17,14 @@
- ansible.builtin.import_tasks: systemd-user-network-check.yml
+- ansible.builtin.import_tasks: firewall.yml
+ when: host_firewall is defined
+
- ansible.builtin.import_tasks: unprivileged-port.yml
- tags:
- - never
- - unprivileged-port
+ when: host_unprivileged_port_start is defined
+
+- ansible.builtin.import_tasks: patching.yml
+ when: host_patching | bool
- ansible.builtin.import_tasks: cpanel-dnsonly.yml
tags:
diff --git a/roles/host/tasks/mounts.yml b/roles/host/tasks/mounts.yml
new file mode 100644
index 0000000..05ddcc0
--- /dev/null
+++ b/roles/host/tasks/mounts.yml
@@ -0,0 +1,9 @@
+- name: Manage mounts
+ ansible.posix.mount:
+ path: "{{ item.path }}"
+ src: "{{ item.src }}"
+ fstype: "{{ item.fstype }}"
+ opts: "{{ item.opts }}"
+ state: "{{ item.state }}"
+ loop: "{{ host_mounts }}"
+ when: host_mounts is defined
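Review bot: Every attribute of a `host_mounts` entry is mandatory here, so an item that leaves out `opts` (a plain `defaults` mount) or `fstype` fails with an undefined-variable error instead of falling back to the module defaults; `opts: "{{ item.opts | default(omit) }}"` and `fstype: "{{ item.fstype | default(omit) }}"` keep current entries working and make the optional fields optional. `ansible.posix.mount` with `state: mounted` also writes `/etc/fstab`, so a comment reminding operators that `opts` is the place for `nodev,nosuid,noexec` on non-system sources would be a cheap hardening hint. The task-level `when: host_mounts is defined` duplicates the condition `main.yml` already attaches to this import; harmless, but one of the two could go.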
diff --git a/roles/host/tasks/packages.yml b/roles/host/tasks/packages.yml
index df78985..c7c21cd 100644
--- a/roles/host/tasks/packages.yml
+++ b/roles/host/tasks/packages.yml
@@ -1,6 +1,13 @@
-- name: Install systemd-container and podman
+- name: Install systemd-container, podman
ansible.builtin.package:
name:
- "systemd-container"
- "podman"
state: present
+
+- name: Manage additional packages
+ ansible.builtin.package:
+ name: "{{ item.name }}"
+ state: "{{ item.state }}"
+ loop: "{{ host_packages }}"
+ when: host_packages is defined
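Review bot: Looping `ansible.builtin.package` once per `host_packages` item runs a separate package-manager transaction for every entry, which is slow and gives up the combined dependency resolution the module provides when `name` is a list. Grouping items by `state` keeps the same `name`/`state` item schema (including states like `latest`) while reducing the work to one transaction per distinct state. Items still need a `state` key, as in the current task; if that should be optional, map a default onto the list before grouping.
```yaml
- name: Manage additional packages
  ansible.builtin.package:
    name: "{{ item.list | map(attribute='name') | list }}"
    state: "{{ item.grouper }}"
  loop: "{{ host_packages | groupby('state') }}"
  loop_control:
    label: "{{ item.grouper }}"
  when: host_packages is defined
```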
diff --git a/roles/host/tasks/patching.yml b/roles/host/tasks/patching.yml
new file mode 100644
index 0000000..35ec727
--- /dev/null
+++ b/roles/host/tasks/patching.yml
@@ -0,0 +1,46 @@
+- name: Block for RHEL 9
+ block:
+ - name: Install dnf-automatic
+ ansible.builtin.package:
+ name: "dnf-automatic"
+ state: "present"
+
+ - name: Configure /etc/dnf/automatic.conf for reboot
+ ansible.builtin.lineinfile:
+ path: "/etc/dnf/automatic.conf"
+ search_string: "reboot = "
+ line: "reboot = {{ host_patching_reboot }}"
+
+ - name: Enable and start dnf-automatic-install.timer
+ ansible.builtin.systemd:
+ name: "dnf-automatic-install.timer"
+ enabled: true
+ state: "started"
+ when:
+ - ansible_distribution_file_variety == "RedHat"
+ - ansible_distribution_major_version == "9"
+
+- name: Block for Fedora 41 and higher
+ block:
+ - name: Install dnf5-plugin-automatic
+ ansible.builtin.package:
+ name: "dnf5-plugin-automatic"
+ state: "present"
+
+ - name: Configure /etc/dnf/automatic.conf for reboot
+ ansible.builtin.blockinfile:
+ path: "/etc/dnf/automatic.conf"
+ create: true
+ block: |
+ [commands]
+ apply_updates = yes
+ reboot = {{ host_patching_reboot }}
+
+ - name: Enable and start dnf5-automatic.timer
+ ansible.builtin.systemd:
+ name: "dnf5-automatic.timer"
+ enabled: true
+ state: "started"
+ when:
+ - ansible_distribution == "Fedora"
+ - ansible_distribution_major_version |int >= 41
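Review bot: The RHEL 9 `lineinfile` task matches `reboot = ` and otherwise appends the line at end of file, so on an `automatic.conf` that has no `reboot` line at all (a dnf-automatic build that predates the option — verify for the targeted RHEL 9 minor) the key lands under whatever section is last rather than `[commands]`, where dnf-automatic ignores it; `insertafter: '^\[commands\]'` fixes the placement. Nothing validates `host_patching_reboot`, which is written unquoted into a file that drives unattended reboots, so an `ansible.builtin.assert` limiting it to `never`, `when-changed` and `when-needed` ahead of both blocks would catch a typo before it silently disables or enables rebooting. The Fedora `blockinfile` appends a second `[commands]` header if the file already contains one; if an absent or empty file is the expected dnf5 starting state, say so in a comment, otherwise per-key edits would be safer. The two `when` conditions also test the major version differently (`== "9"` versus `|int >= 41`); using `|int` in both reads more consistently.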
diff --git a/roles/host/tasks/timezone.yml b/roles/host/tasks/timezone.yml
new file mode 100644
index 0000000..06f27b9
--- /dev/null
+++ b/roles/host/tasks/timezone.yml
@@ -0,0 +1,3 @@
+- name: Set timezone
+ community.general.timezone:
+ name: "{{ host_timezone }}"
diff --git a/roles/host/tasks/user.yml b/roles/host/tasks/user.yml
index 40e9f4c..33d5d88 100644
--- a/roles/host/tasks/user.yml
+++ b/roles/host/tasks/user.yml
@@ -1,6 +1,7 @@
- name: Create containers user
ansible.builtin.user:
name: "{{ host_containers_user }}"
+ shell: "{{ host_containers_user_shell | default(omit) }}"
- name: Add containers user to systemd-journal group
ansible.builtin.user: