Diffstat (limited to 'roles/host')
-rw-r--r--roles/host/defaults/main.yml9
-rw-r--r--roles/host/files/check-network-online.service14
-rw-r--r--roles/host/tasks/cpanel-dnsonly.yml28
-rw-r--r--roles/host/tasks/linger.yml8
-rw-r--r--roles/host/tasks/main.yml19
-rw-r--r--roles/host/tasks/packages.yml6
-rw-r--r--roles/host/tasks/shell-helper.yml31
-rw-r--r--roles/host/tasks/systemd-user-network-check.yml20
-rw-r--r--roles/host/tasks/unprivileged-ports.yml17
-rw-r--r--roles/host/tasks/user.yml9
10 files changed, 161 insertions, 0 deletions
diff --git a/roles/host/defaults/main.yml b/roles/host/defaults/main.yml
new file mode 100644
index 0000000..c393dc8
--- /dev/null
+++ b/roles/host/defaults/main.yml
@@ -0,0 +1,9 @@
+host_shell_login_helper: |
+ echo "----pods----"
+ podman pod list --sort status --format={{ '"{{.Status}} {{.Name}}"' }}
+ echo ""
+ echo "----containers----"
+ podman container list --all --sort status --format={{ '"{{.State}} {{.Status}} {{.Names}}"' }}
+ echo ""
+
+host_containers_user: "containers"
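Review bot: The `{{ '"{{.Status}} {{.Name}}"' }}` construct on the two podman lines is a Jinja escape that lets the Go-template braces reach podman literally, but nothing says so, and the next reader will be tempted to "simplify" it into a broken template. Add a comment above the variable, e.g. `# The {{ '"…"' }} wrappers are Jinja escapes: the inner braces are podman Go-template fields, not Ansible variables.` Since shell-helper.yml feeds this same block to both `.bashrc` and a fish conf.d file, a second comment noting that the body must stay valid in both shells would save a future edit from breaking one of them.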
diff --git a/roles/host/files/check-network-online.service b/roles/host/files/check-network-online.service
new file mode 100644
index 0000000..afadbfe
--- /dev/null
+++ b/roles/host/files/check-network-online.service
@@ -0,0 +1,14 @@
+#This is needed because user units cannot check or interact with system units such as network-online.target
+#https://github.com/containers/podman/issues/22197
+#https://github.com/systemd/systemd/issues/3312
+
+[Unit]
+Description=Check for system level network-online.target (for users)
+
+[Service]
+Type=oneshot
+ExecStart=bash -c 'until systemctl is-active network-online.target; do sleep 1; done'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=default.target
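Review bot: The ExecStart loop has no upper bound, and a `Type=oneshot` service has its start timeout disabled by default, so a host where network-online.target never becomes active leaves this unit — and anything in the user session ordered after it — waiting forever; set an explicit bound such as `TimeoutStartSec=5min` so the failure surfaces as a failed unit instead of a hang. `systemctl is-active` also prints the state on every iteration; `systemctl is-active -q` keeps the user journal quiet. Whether a bare `bash` in ExecStart= resolves depends on the systemd version (older releases require an absolute path), so `/bin/bash` is the portable form.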
diff --git a/roles/host/tasks/cpanel-dnsonly.yml b/roles/host/tasks/cpanel-dnsonly.yml
new file mode 100644
index 0000000..dbb9062
--- /dev/null
+++ b/roles/host/tasks/cpanel-dnsonly.yml
@@ -0,0 +1,28 @@
+- name: Confirm if cpsrvd is not listening on http ports
+ ansible.builtin.shell: "whmapi1 get_tweaksetting key='disable_cphttpd' |grep 'value: 1' || /bin/true"
+ register: cpsrv_listen
+
+- name: Turn off cpsrvd listening on http ports (if necessary)
+ ansible.builtin.shell: "whmapi1 set_tweaksetting key='disable_cphttpd' value='1' ; /scripts/restartsrv_cpsrvd"
+ when: cpsrv_listen.stdout | length == 0
+
+- name: Turn off firewalld
+ ansible.builtin.service:
+ name: "firewalld"
+ state: stopped
+ enabled: false
+
+- name: Create new tmp directory for podman
+ ansible.builtin.file:
+ path: "/var/containers/tmp"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ state: directory
+
+- name: Configure podman to use new tmp directory
+ ansible.builtin.blockinfile:
+ path: "/etc/containers/containers.conf"
+ create: true
+ block: |
+ [engine]
+ env = ["TMPDIR=/var/containers/tmp"]
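Review bot: The `Confirm if cpsrvd is not listening on http ports` task is a read-only probe but is a plain shell task, so every run reports it as changed and `--check` mode skips it, which may leave `cpsrv_listen.stdout` undefined for the following `when`; add `changed_when: false` and `check_mode: false` to it. The `Turn off firewalld` task removes the host firewall permanently with no comment on what replaces it; please record the reason (e.g. `# firewalld is disabled because … <reason>`) so the wider exposure is a documented decision rather than an accident. `/var/containers/tmp` gets no `mode`, so it is created with whatever the umask yields; as a per-user temp directory it should get `mode: "0700"`. Finally, `blockinfile` appends a new `[engine]` table to containers.conf; if the file already contains one, a duplicate TOML table is likely to be rejected by podman, so consider checking for an existing section before appending.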
diff --git a/roles/host/tasks/linger.yml b/roles/host/tasks/linger.yml
new file mode 100644
index 0000000..dffc6a7
--- /dev/null
+++ b/roles/host/tasks/linger.yml
@@ -0,0 +1,8 @@
+- name: Confirm systemd-linger is set for containers user
+ ansible.builtin.stat:
+ path: "/var/lib/systemd/linger/{{ host_containers_user }}"
+ register: linger
+
+- name: Set systemd-linger for containers user (if necessary)
+ ansible.builtin.shell: "loginctl enable-linger {{ host_containers_user }}"
+ when: not linger.stat.exists
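Review bot: `loginctl enable-linger {{ host_containers_user }}` uses no shell features, so `ansible.builtin.command` is the better fit (ansible-lint's command-instead-of-shell rule flags this form), and the interpolated username then never passes through a shell. The `stat` guard already makes the task idempotent, so only the module needs changing: `ansible.builtin.command: "loginctl enable-linger {{ host_containers_user }}"`.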
diff --git a/roles/host/tasks/main.yml b/roles/host/tasks/main.yml
new file mode 100644
index 0000000..5b9dd6b
--- /dev/null
+++ b/roles/host/tasks/main.yml
@@ -0,0 +1,19 @@
+- ansible.builtin.import_tasks: packages.yml
+
+- ansible.builtin.import_tasks: user.yml
+
+- ansible.builtin.import_tasks: linger.yml
+
+- ansible.builtin.import_tasks: shell-helper.yml
+
+- ansible.builtin.import_tasks: systemd-user-network-check.yml
+
+- ansible.builtin.import_tasks: unprivileged-ports.yml
+ tags:
+ - never
+ - unprivileged-ports
+
+- ansible.builtin.import_tasks: cpanel-dnsonly.yml
+ tags:
+ - never
+ - cpanel-dnsonly
diff --git a/roles/host/tasks/packages.yml b/roles/host/tasks/packages.yml
new file mode 100644
index 0000000..df78985
--- /dev/null
+++ b/roles/host/tasks/packages.yml
@@ -0,0 +1,6 @@
+- name: Install systemd-container and podman
+ ansible.builtin.package:
+ name:
+ - "systemd-container"
+ - "podman"
+ state: present
diff --git a/roles/host/tasks/shell-helper.yml b/roles/host/tasks/shell-helper.yml
new file mode 100644
index 0000000..e36784a
--- /dev/null
+++ b/roles/host/tasks/shell-helper.yml
@@ -0,0 +1,31 @@
+- name: Add bashrc for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.bashrc"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+
+- name: Check if fish shell is installed
+ ansible.builtin.stat:
+ path: "/usr/bin/fish"
+ register: fish
+
+- name: Block for fish
+ block:
+ - name: Create fish config directory
+ ansible.builtin.file:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d"
+ state: directory
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+
+ - name: Add fish config for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d/containers.fish"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+ when: fish.stat.exists
+ when: fish.stat.exists
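Review bot: `when: fish.stat.exists` appears twice at the end of the fish block — once on the inner blockinfile task and once on the block itself — and the inner one is redundant because the block-level condition already gates every task inside it; drop the inner line (the collapsed indentation in this view hides which is which, so verify in the file). Separately, the block placed in `.bashrc` runs two podman commands on every shell start, and bash also sources `.bashrc` for non-interactive remote shells (`ssh host cmd`, `scp`), where unexpected output can break the transfer unless the distro's default `.bashrc` already returns early for non-interactive shells. Because `host_shell_login_helper` is shared with fish, the guard has to live on the bash side rather than in the variable, e.g. a bash-only `[[ $- == *i* ]] || return` written before the block markers.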
diff --git a/roles/host/tasks/systemd-user-network-check.yml b/roles/host/tasks/systemd-user-network-check.yml
new file mode 100644
index 0000000..4c87f82
--- /dev/null
+++ b/roles/host/tasks/systemd-user-network-check.yml
@@ -0,0 +1,20 @@
+#This is a workaround so we can check for the network to come up before starting the quadlets
+#https://github.com/containers/podman/issues/22197
+#https://github.com/systemd/systemd/issues/3312
+
+- name: Copy check-network-online.service into systemd user service directory
+ ansible.builtin.copy:
+ src: "check-network-online.service"
+ dest: "/etc/systemd/user/check-network-online.service"
+ register: systemd
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: systemd.changed
+
+- name: Enable check-network-online.service for all users
+ ansible.builtin.systemd_service:
+ name: "check-network-online.service"
+ enabled: true
+ scope: "global"
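Review bot: `daemon_reload: true` here reloads the system manager, but the unit was installed under `/etc/systemd/user/` and is consumed by per-user managers, which as far as I can tell do not see it until each running user instance runs `systemctl --user daemon-reload` or the session restarts; either add that step for the lingering containers user or add a comment stating that the unit takes effect at next login. `register: systemd` names the result after the tool rather than the task; `register: network_check_unit` reads better in the `when`. The `copy` task sets no `mode`; `mode: "0644"` makes the unit file's permissions explicit rather than umask-dependent.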
diff --git a/roles/host/tasks/unprivileged-ports.yml b/roles/host/tasks/unprivileged-ports.yml
new file mode 100644
index 0000000..003646a
--- /dev/null
+++ b/roles/host/tasks/unprivileged-ports.yml
@@ -0,0 +1,17 @@
+- name: Unprivileged port block
+ block:
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+
+ rescue:
+ - name: Set sysctl parameter net.ipv4.ip_unprivileged_port_start=80
+ ansible.builtin.lineinfile:
+ path: "/etc/sysctl.conf"
+ regexp: "^net.ipv4.ip_unprivileged_port_start=80"
+ line: "net.ipv4.ip_unprivileged_port_start=80"
+
+ - name: Reload sysctl
+ ansible.builtin.shell: "sysctl -p /etc/sysctl.conf"
+
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
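Review bot: `sysctl net.ipv4.ip_unprivileged_port_start |grep 80` matches any value containing the digits 80 (1080, 800) and misses values below 80 that are already permissive, so the check is neither precise nor idempotent; compare the number instead, e.g. `ansible.builtin.shell: 'test "$(sysctl -n net.ipv4.ip_unprivileged_port_start)" -le 80'` with `changed_when: false`, in both the block and the rescue. The `lineinfile` regexp `^net.ipv4.ip_unprivileged_port_start=80` only matches the target value, so a pre-existing line with a different value is left in place and a second line is appended; `regexp: '^net\.ipv4\.ip_unprivileged_port_start='` replaces whatever is there. Worth stating at the top of the file that this sysctl is system-wide — every local unprivileged account, not only `{{ host_containers_user }}`, can then bind ports 80–1023 — which is presumably why the import sits behind the `never` tag; a one-line comment makes that tradeoff explicit.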
diff --git a/roles/host/tasks/user.yml b/roles/host/tasks/user.yml
new file mode 100644
index 0000000..40e9f4c
--- /dev/null
+++ b/roles/host/tasks/user.yml
@@ -0,0 +1,9 @@
+- name: Create containers user
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+
+- name: Add containers user to systemd-journal group
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+ groups: "systemd-journal"
+ append: true
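Review bot: The two `ansible.builtin.user` tasks act on the same account and can be one task: add `groups: "systemd-journal"` and `append: true` to the `Create containers user` task and drop the second. shell-helper.yml relies on the home directory being `/home/{{ host_containers_user }}`, so it is worth stating that expectation in a comment, or setting `home` and `create_home` explicitly so the dependency does not rest on the module defaults.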