| author | spmfox <spmfox@foxwd.com> | 2024-08-29 15:33:54 -0400 |
|---|---|---|
| committer | spmfox <spmfox@foxwd.com> | 2024-08-29 15:33:54 -0400 |
| commit | 31bc4f2c269ce5c66cec4dfbd9a2ce7697d1dba0 (patch) | |
| tree | c9da4e957715e1d5e4a8f11b055f2c3ae2652159 /roles | |
| parent | 2453f089caff5963f0848321a4443990f6077298 (diff) | |
Update the unprivileged-ports logic, rename the containers role variables, and add a variable for the unprivileged-ports start
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/containers/defaults/main.yml | 4 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_create.yml | 4 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_remove.yml | 2 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_start.yml | 6 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_stop.yml | 2 | ||||
| -rw-r--r-- | roles/host/defaults/main.yml | 1 | ||||
| -rw-r--r-- | roles/host/tasks/unprivileged-ports.yml | 26 |
7 files changed, 20 insertions, 25 deletions
diff --git a/roles/containers/defaults/main.yml b/roles/containers/defaults/main.yml
index ade45f3..2a55101 100644
--- a/roles/containers/defaults/main.yml
+++ b/roles/containers/defaults/main.yml
@@ -1,6 +1,6 @@
-quadlet_path: "../../docs/sample-environment/wordpress/quadlet"
+containers_quadlet_path: "../../docs/sample-environment/wordpress/quadlet"
-quadlets:
+containers_quadlets:
 - name: "wordpress-pod"
 file: "wordpress.pod"
diff --git a/roles/containers/tasks/quadlet_create.yml b/roles/containers/tasks/quadlet_create.yml
index ffbae8a..4098e5d 100644
--- a/roles/containers/tasks/quadlet_create.yml
+++ b/roles/containers/tasks/quadlet_create.yml
@@ -5,11 +5,11 @@
 - name: Copy quadlet files into quadlet directory
 ansible.builtin.copy:
- src: "{{ quadlet_path}}/{{ item.file }}"
+ src: "{{ containers_quadlet_path}}/{{ item.file }}"
 dest: "{{ lookup('env', 'HOME') }}/.config/containers/systemd/{{ item.file }}"
 loop_control:
 label: "{{ item.name }} -> {{ item.file }}"
- loop: "{{ quadlets }}"
+ loop: "{{ containers_quadlets }}"
 register: quadlet_files
 - name: Reload systemd daemon
diff --git a/roles/containers/tasks/quadlet_remove.yml b/roles/containers/tasks/quadlet_remove.yml
index e6bc05b..4b12b68 100644
--- a/roles/containers/tasks/quadlet_remove.yml
+++ b/roles/containers/tasks/quadlet_remove.yml
@@ -4,7 +4,7 @@
 state: "absent"
 loop_control:
 label: "{{ item.name }} -> {{ item.file }}"
- loop: "{{ quadlets }}"
+ loop: "{{ containers_quadlets }}"
 register: quadlet_files
 - name: Reload systemd daemon
diff --git a/roles/containers/tasks/quadlet_start.yml b/roles/containers/tasks/quadlet_start.yml
index 5dcd39a..ade3da6 100644
--- a/roles/containers/tasks/quadlet_start.yml
+++ b/roles/containers/tasks/quadlet_start.yml
@@ -5,13 +5,13 @@
 scope: "user"
 loop_control:
 label: "{{ item.name}}.service"
- loop: "{{ quadlets }}"
+ loop: "{{ containers_quadlets }}"
 - name: Check for quadlet not in active or activating state
 ansible.builtin.shell: "systemctl --user is-active {{ item.name }}.service"
 loop_control:
 label: "{{ item.name}}.service: {{ quadlet_status.stdout }}"
- loop: "{{ quadlets }}"
+ loop: "{{ containers_quadlets }}"
 register: quadlet_status
 failed_when: quadlet_status.stdout not in ['active', 'activating']
@@ -20,7 +20,7 @@
 ansible.builtin.shell: "systemctl --user is-active {{ item.name }}.service"
 loop_control:
 label: "{{ item.name}}.service: {{ quadlet_status.stdout }}"
- loop: "{{ quadlets }}"
+ loop: "{{ containers_quadlets }}"
 register: quadlet_status
 until: quadlet_status.stdout == 'active'
 delay: 2
diff --git a/roles/containers/tasks/quadlet_stop.yml b/roles/containers/tasks/quadlet_stop.yml
index b8a83f3..07210ed 100644
--- a/roles/containers/tasks/quadlet_stop.yml
+++ b/roles/containers/tasks/quadlet_stop.yml
@@ -5,4 +5,4 @@
 scope: "user"
 loop_control:
 label: "{{ item.name}}.service"
- loop: "{{ quadlets }}"
+ loop: "{{ containers_quadlets }}"
diff --git a/roles/host/defaults/main.yml b/roles/host/defaults/main.yml
index c393dc8..14d2253 100644
--- a/roles/host/defaults/main.yml
+++ b/roles/host/defaults/main.yml
@@ -7,3 +7,4 @@ host_shell_login_helper: |
 echo ""
 host_containers_user: "containers"
+host_unprivileged_ports_start: 80
diff --git a/roles/host/tasks/unprivileged-ports.yml b/roles/host/tasks/unprivileged-ports.yml
index 003646a..b6afd29 100644
--- a/roles/host/tasks/unprivileged-ports.yml
+++ b/roles/host/tasks/unprivileged-ports.yml
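Review bot: `host_unprivileged_ports_start: 80` is undocumented, and its effect is broader than the name suggests: with `net.ipv4.ip_unprivileged_port_start` at 80 every port from 80 through 1023 — 443, but also 111, 389, 514, 631 and the rest — becomes bindable by any local user, not only `host_containers_user`, so a compromised or rogue unprivileged process can squat a service port. I'd put that in a comment above the default, e.g. `# Lowest port unprivileged users may bind (net.ipv4.ip_unprivileged_port_start). 80 opens EVERY port >= 80 to all local users, not just 80/443; prefer a reverse proxy or CAP_NET_BIND_SERVICE on the specific binary where that is too broad.` Stating the capability-based alternative there is worthwhile because this role already targets a dedicated containers user, which is the case where granting the capability to one process is usually the tighter option.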
@@ -1,17 +1,11 @@
-- name: Unprivileged port block
- block:
- - name: Confirm port 80 and above is allowed for unprivileged use
- ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+- name: Set unprivileged ports sysctl parameter in /etc/sysctl.d/50-UnprivilegedPorts.conf
+ ansible.builtin.lineinfile:
+ path: "/etc/sysctl.d/50-UnprivilegedPorts.conf"
+ regexp: "^net.ipv4.ip_unprivileged_port_start="
+ line: "net.ipv4.ip_unprivileged_port_start={{ host_unprivileged_ports_start }}"
+ create: true
+ register: sysctl
- rescue:
- - name: Set sysctl parameter net.ipv4.ip_unprivileged_port_start=80
- ansible.builtin.lineinfile:
- path: "/etc/sysctl.conf"
- regexp: "^net.ipv4.ip_unprivileged_port_start=80"
- line: "net.ipv4.ip_unprivileged_port_start=80"
-
- - name: Reload sysctl
- ansible.builtin.shell: "sysctl -p /etc/sysctl.conf"
-
- - name: Confirm port 80 and above is allowed for unprivileged use
- ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+- name: Reload sysctl
+ ansible.builtin.shell: "sysctl -p /etc/sysctl.d/50-UnprivilegedPorts.conf"
+ when: sysctl.changed |
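Review bot: The new `Reload sysctl` task runs only when the lineinfile changed, so the play no longer confirms the running kernel value the way the removed `|grep 80` check did, and a host configured by the previous version of this role still carries `net.ipv4.ip_unprivileged_port_start=80` in /etc/sysctl.conf, which systemd-sysctl appears to process after /etc/sysctl.d/50-* on most distributions — a changed `host_unprivileged_ports_start` would be written to the new file and silently reverted at boot. I'd add a task that removes the old line from /etc/sysctl.conf, reload with `sysctl --system` so the full ordered set is applied, and finish with a read-back of the live value that fails the play on mismatch; if the `ansible.posix` collection is available, `ansible.posix.sysctl` with `sysctl_file` and `reload: true` manages file and runtime state in one task. Separately, `ansible.builtin.command` is sufficient for `sysctl -p` since no shell features are used, and `when: sysctl is changed` is the idiomatic test.
```yaml
# … unchanged: lineinfile task writing /etc/sysctl.d/50-UnprivilegedPorts.conf, register: sysctl …

- name: Remove the setting written to /etc/sysctl.conf by earlier versions of this role
  ansible.builtin.lineinfile:
    path: "/etc/sysctl.conf"
    regexp: '^net\.ipv4\.ip_unprivileged_port_start='
    state: "absent"
  register: sysctl_conf_cleanup

- name: Reload sysctl
  ansible.builtin.command: "sysctl --system"
  when: sysctl is changed or sysctl_conf_cleanup is changed

- name: Confirm the running kernel value matches host_unprivileged_ports_start
  ansible.builtin.command: "sysctl -n net.ipv4.ip_unprivileged_port_start"
  register: sysctl_live
  changed_when: false
  failed_when: sysctl_live.stdout | trim != host_unprivileged_ports_start | string
```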
