Diffstat (limited to 'roles/host/tasks')
| -rw-r--r-- | roles/host/tasks/cpanel-dnsonly.yml | 28 | ||||
| -rw-r--r-- | roles/host/tasks/linger.yml | 8 | ||||
| -rw-r--r-- | roles/host/tasks/main.yml | 19 | ||||
| -rw-r--r-- | roles/host/tasks/packages.yml | 6 | ||||
| -rw-r--r-- | roles/host/tasks/shell-helper.yml | 31 | ||||
| -rw-r--r-- | roles/host/tasks/systemd-user-network-check.yml | 20 | ||||
| -rw-r--r-- | roles/host/tasks/unprivileged-ports.yml | 17 | ||||
| -rw-r--r-- | roles/host/tasks/user.yml | 9 |
8 files changed, 138 insertions, 0 deletions
diff --git a/roles/host/tasks/cpanel-dnsonly.yml b/roles/host/tasks/cpanel-dnsonly.yml
new file mode 100644
index 0000000..dbb9062
--- /dev/null
+++ b/roles/host/tasks/cpanel-dnsonly.yml
@@ -0,0 +1,28 @@
+- name: Confirm if cpsrvd is not listening on http ports
+ ansible.builtin.shell: "whmapi1 get_tweaksetting key='disable_cphttpd' |grep 'value: 1' || /bin/true"
+ register: cpsrv_listen
+
+- name: Turn off cpsrvd listening on http ports (if necessary)
+ ansible.builtin.shell: "whmapi1 set_tweaksetting key='disable_cphttpd' value='1' ; /scripts/restartsrv_cpsrvd"
+ when: cpsrv_listen.stdout | length == 0
+
+- name: Turn off firewalld
+ ansible.builtin.service:
+ name: "firewalld"
+ state: stopped
+ enabled: false
+
+- name: Create new tmp directory for podman
+ ansible.builtin.file:
+ path: "/var/containers/tmp"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ state: directory
+
+- name: Configure podman to use new tmp directory
+ ansible.builtin.blockinfile:
+ path: "/etc/containers/containers.conf"
+ create: true
+ block: |
+ [engine]
+ env = ["TMPDIR=/var/containers/tmp"]
diff --git a/roles/host/tasks/linger.yml b/roles/host/tasks/linger.yml
new file mode 100644
index 0000000..dffc6a7
--- /dev/null
+++ b/roles/host/tasks/linger.yml
@@ -0,0 +1,8 @@
+- name: Confirm systemd-linger is set for containers user
+ ansible.builtin.stat:
+ path: "/var/lib/systemd/linger/{{ host_containers_user }}"
+ register: linger
+
+- name: Set systemd-linger for containers user (if necessary)
+ ansible.builtin.shell: "loginctl enable-linger {{ host_containers_user }}"
+ when: not linger.stat.exists
diff --git a/roles/host/tasks/main.yml b/roles/host/tasks/main.yml
new file mode 100644
index 0000000..5b9dd6b
--- /dev/null
+++ b/roles/host/tasks/main.yml
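Review bot: The "Turn off firewalld" task stops and disables the host firewall without any comment on why, or on what filters traffic instead, on a host that is being prepared to expose container services; add a comment above the task naming the replacement control (a placeholder such as `# host filtering is provided by <replacement firewall>; firewalld conflicts with it` until the real reason is recorded) or gate the task on a variable so it does not run where a host firewall is expected. The first task only reads state but will report changed on every run because it is a shell task; add `changed_when: false` to it. The `|| /bin/true` guard also turns a failing `whmapi1` into empty stdout, so a broken whmapi1 presumably triggers the set/restart task rather than surfacing an error; checking `cpsrv_listen.stdout` for the explicit `value: 0` case would distinguish the two.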
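Review bot: The linger task uses `ansible.builtin.shell` for a command with no shell features, so the interpolated user name passes through a shell for no reason; `ansible.builtin.command: "loginctl enable-linger {{ host_containers_user }}"` is the safer and clearer choice. The stat guard on the preceding task already makes the run idempotent, so nothing else is needed there.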
@@ -0,0 +1,19 @@
+- ansible.builtin.import_tasks: packages.yml
+
+- ansible.builtin.import_tasks: user.yml
+
+- ansible.builtin.import_tasks: linger.yml
+
+- ansible.builtin.import_tasks: shell-helper.yml
+
+- ansible.builtin.import_tasks: systemd-user-network-check.yml
+
+- ansible.builtin.import_tasks: unprivileged-ports.yml
+ tags:
+ - never
+ - unprivileged-ports
+
+- ansible.builtin.import_tasks: cpanel-dnsonly.yml
+ tags:
+ - never
+ - cpanel-dnsonly
diff --git a/roles/host/tasks/packages.yml b/roles/host/tasks/packages.yml
new file mode 100644
index 0000000..df78985
--- /dev/null
+++ b/roles/host/tasks/packages.yml
@@ -0,0 +1,6 @@
+- name: Install systemd-container and podman
+ ansible.builtin.package:
+ name:
+ - "systemd-container"
+ - "podman"
+ state: present
diff --git a/roles/host/tasks/shell-helper.yml b/roles/host/tasks/shell-helper.yml
new file mode 100644
index 0000000..e36784a
--- /dev/null
+++ b/roles/host/tasks/shell-helper.yml
@@ -0,0 +1,31 @@
+- name: Add bashrc for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.bashrc"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+
+- name: Check if fish shell is installed
+ ansible.builtin.stat:
+ path: "/usr/bin/fish"
+ register: fish
+
+- name: Block for fish
+ block:
+ - name: Create fish config directory
+ ansible.builtin.file:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d"
+ state: directory
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+
+ - name: Add fish config for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d/containers.fish"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+ when: fish.stat.exists
+ when: fish.stat.exists
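Review bot: The `when: fish.stat.exists` on the inner "Add fish config" task duplicates the `when:` already placed on the enclosing "Block for fish" (the last two lines of the hunk); drop the inner one so the condition is stated once and the first task in the block is not left unguarded by comparison. The bashrc and fish tasks also hard-code `/home/{{ host_containers_user }}`; if the account's home is elsewhere, `create: true` will silently write the helper into a directory the user never reads, so taking the home path from the user-creation result or from facts would be more robust. The `host_shell_login_helper` content is written verbatim into login scripts, so it is worth a comment noting that the variable must stay under the role's control and not come from untrusted inventory.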
diff --git a/roles/host/tasks/systemd-user-network-check.yml b/roles/host/tasks/systemd-user-network-check.yml
new file mode 100644
index 0000000..4c87f82
--- /dev/null
+++ b/roles/host/tasks/systemd-user-network-check.yml
@@ -0,0 +1,20 @@
+#This is a workaround so we can check for the network to come up before starting the quadlets
+#https://github.com/containers/podman/issues/22197
+#https://github.com/systemd/systemd/issues/3312
+
+- name: Copy check-network-online.service into systemd user service directory
+ ansible.builtin.copy:
+ src: "check-network-online.service"
+ dest: "/etc/systemd/user/check-network-online.service"
+ register: systemd
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: systemd.changed
+
+- name: Enable check-network-online.service for all users
+ ansible.builtin.systemd_service:
+ name: "check-network-online.service"
+ enabled: true
+ scope: "global"
diff --git a/roles/host/tasks/unprivileged-ports.yml b/roles/host/tasks/unprivileged-ports.yml
new file mode 100644
index 0000000..003646a
--- /dev/null
+++ b/roles/host/tasks/unprivileged-ports.yml
@@ -0,0 +1,17 @@
+- name: Unprivileged port block
+ block:
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+
+ rescue:
+ - name: Set sysctl parameter net.ipv4.ip_unprivileged_port_start=80
+ ansible.builtin.lineinfile:
+ path: "/etc/sysctl.conf"
+ regexp: "^net.ipv4.ip_unprivileged_port_start=80"
+ line: "net.ipv4.ip_unprivileged_port_start=80"
+
+ - name: Reload sysctl
+ ansible.builtin.shell: "sysctl -p /etc/sysctl.conf"
+
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
diff --git a/roles/host/tasks/user.yml b/roles/host/tasks/user.yml
new file mode 100644
index 0000000..40e9f4c
--- /dev/null
+++ b/roles/host/tasks/user.yml
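Review bot: The "Reload systemd daemon" task runs `daemon_reload: true` with no `scope`, which reloads the system manager, while the unit was copied into `/etc/systemd/user/`, a directory read by per-user managers; presumably an already-running user instance (such as the lingering containers user) will not see the new unit until it reloads, so either add a `scope: user` reload executed as that user or document that the unit is only picked up at the next user-manager start. The registered variable `systemd` reads confusingly next to `ansible.builtin.systemd_service` and `when: systemd.changed`; `register: network_unit` would be clearer. The three header comments use `#This`/`#https` with no space after the hash; `# ` is the conventional form.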
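Review bot: The `regexp` on the lineinfile task only matches a line that already holds the desired value, so an existing `net.ipv4.ip_unprivileged_port_start=<other value>` line in /etc/sysctl.conf is left in place and a second, conflicting line is appended; anchor on the key instead, `regexp: '^net\.ipv4\.ip_unprivileged_port_start='` (the unescaped dots in the current pattern also match any character). The `|grep 80` checks in both the block and the rescue accept values such as 800 or 1080 as well; `grep ' = 80$'` makes the confirmation exact. Lowering this sysctl to 80 lets every unprivileged local account on the host bind ports 80–1023, not only the containers user, so a comment at the top of the file stating that trade-off would help anyone auditing the host later. If the `ansible.posix` collection is available, its `sysctl` module would replace the lineinfile/reload pair and handle both the file and the live value.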
@@ -0,0 +1,9 @@
+- name: Create containers user
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+
+- name: Add containers user to systemd-journal group
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+ groups: "systemd-journal"
+ append: true |
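Review bot: Membership in `systemd-journal` gives the containers user read access to the entire system journal, not just the logs of its own services; a comment above the second task stating that this is intended, presumably so the login helper can show container unit status, would stop a later reviewer from treating it as an accidental privilege grant, e.g. `# journal access is required for the login status helper; this exposes all host logs to this account`. The two `ansible.builtin.user` tasks could also be merged by putting `groups` and `append` on the creation task, though keeping them separate is harmless.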
