Diffstat (limited to 'roles')
| -rw-r--r-- | roles/containers/defaults/main.yml | 11 | ||||
| -rw-r--r-- | roles/containers/tasks/main.yml | 17 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_create.yml | 22 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_remove.yml | 14 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_start.yml | 27 | ||||
| -rw-r--r-- | roles/containers/tasks/quadlet_stop.yml | 8 | ||||
| -rw-r--r-- | roles/host/defaults/main.yml | 9 | ||||
| -rw-r--r-- | roles/host/files/check-network-online.service | 14 | ||||
| -rw-r--r-- | roles/host/tasks/cpanel-dnsonly.yml | 28 | ||||
| -rw-r--r-- | roles/host/tasks/linger.yml | 8 | ||||
| -rw-r--r-- | roles/host/tasks/main.yml | 19 | ||||
| -rw-r--r-- | roles/host/tasks/packages.yml | 6 | ||||
| -rw-r--r-- | roles/host/tasks/shell-helper.yml | 31 | ||||
| -rw-r--r-- | roles/host/tasks/systemd-user-network-check.yml | 20 | ||||
| -rw-r--r-- | roles/host/tasks/unprivileged-ports.yml | 17 | ||||
| -rw-r--r-- | roles/host/tasks/user.yml | 9 |
16 files changed, 260 insertions, 0 deletions
diff --git a/roles/containers/defaults/main.yml b/roles/containers/defaults/main.yml
new file mode 100644
index 0000000..ade45f3
--- /dev/null
+++ b/roles/containers/defaults/main.yml
@@ -0,0 +1,11 @@
+quadlet_path: "../../docs/sample-environment/wordpress/quadlet"
+
+quadlets:
+ - name: "wordpress-pod"
+ file: "wordpress.pod"
+
+ - name: "wordpress-app"
+ file: "wordpress-app.container"
+
+ - name: "wordpress-db"
+ file: "wordpress-db.container"
diff --git a/roles/containers/tasks/main.yml b/roles/containers/tasks/main.yml
new file mode 100644
index 0000000..02ee577
--- /dev/null
+++ b/roles/containers/tasks/main.yml
@@ -0,0 +1,17 @@
+- ansible.builtin.import_tasks: quadlet_create.yml
+ tags:
+ - create
+
+- ansible.builtin.import_tasks: quadlet_start.yml
+ tags:
+ - start
+
+- ansible.builtin.import_tasks: quadlet_stop.yml
+ tags:
+ - never
+ - stop
+
+- ansible.builtin.import_tasks: quadlet_remove.yml
+ tags:
+ - never
+ - remove
diff --git a/roles/containers/tasks/quadlet_create.yml b/roles/containers/tasks/quadlet_create.yml
new file mode 100644
index 0000000..ffbae8a
--- /dev/null
+++ b/roles/containers/tasks/quadlet_create.yml
@@ -0,0 +1,22 @@
+- name: Create quadlet directory
+ ansible.builtin.file:
+ path: "{{ lookup('env', 'HOME') }}/.config/containers/systemd"
+ state: "directory"
+
+- name: Copy quadlet files into quadlet directory
+ ansible.builtin.copy:
+ src: "{{ quadlet_path}}/{{ item.file }}"
+ dest: "{{ lookup('env', 'HOME') }}/.config/containers/systemd/{{ item.file }}"
+ loop_control:
+ label: "{{ item.name }} -> {{ item.file }}"
+ loop: "{{ quadlets }}"
+ register: quadlet_files
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: true
+ scope: "user"
+ when: quadlet_files.changed
+
+- name: Check quadlet status
+ ansible.builtin.shell: "/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun"
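Review bot: `lookup('env', 'HOME')` in the `path` and `dest` values of the first two tasks of quadlet_create.yml is evaluated on the control node, not on the managed host, so unless this role only ever runs with `connection: local` the quadlet files are written under the controller user's home path instead of the containers user's; the remote value is `ansible_user_dir` (or `ansible_env.HOME` with facts gathered), e.g. `path: "{{ ansible_user_dir }}/.config/containers/systemd"`. The same lookup is used in quadlet_remove.yml. `Check quadlet status` runs the generator dry run without registering or inspecting its output and with no `changed_when`, so it only fails on a non-zero exit and always reports changed; `ansible.builtin.command` with `register:` and `changed_when: false` turns it into an actual check. The copy task sets no `mode`, so the installed units take the mode of the controller-side file; if any quadlet carries credentials in `Environment=` lines, pin `mode: "0600"` (and `{{ quadlet_path}}` is missing the space before `}}` used elsewhere).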
diff --git a/roles/containers/tasks/quadlet_remove.yml b/roles/containers/tasks/quadlet_remove.yml
new file mode 100644
index 0000000..e6bc05b
--- /dev/null
+++ b/roles/containers/tasks/quadlet_remove.yml
@@ -0,0 +1,14 @@
+- name: Remove quadlet files from quadlet directory
+ ansible.builtin.file:
+ path: "{{ lookup('env', 'HOME') }}/.config/containers/systemd/{{ item.file }}"
+ state: "absent"
+ loop_control:
+ label: "{{ item.name }} -> {{ item.file }}"
+ loop: "{{ quadlets }}"
+ register: quadlet_files
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: true
+ scope: "user"
+ when: quadlet_files.changed
diff --git a/roles/containers/tasks/quadlet_start.yml b/roles/containers/tasks/quadlet_start.yml
new file mode 100644
index 0000000..5dcd39a
--- /dev/null
+++ b/roles/containers/tasks/quadlet_start.yml
@@ -0,0 +1,27 @@
+- name: Start quadlet
+ ansible.builtin.systemd_service:
+ name: "{{ item.name }}"
+ state: "started"
+ scope: "user"
+ loop_control:
+ label: "{{ item.name}}.service"
+ loop: "{{ quadlets }}"
+
+- name: Check for quadlet not in active or activating state
+ ansible.builtin.shell: "systemctl --user is-active {{ item.name }}.service"
+ loop_control:
+ label: "{{ item.name}}.service: {{ quadlet_status.stdout }}"
+ loop: "{{ quadlets }}"
+ register: quadlet_status
+ failed_when: quadlet_status.stdout not in ['active', 'activating']
+
+
+- name: Wait for quadlet state to go active
+ ansible.builtin.shell: "systemctl --user is-active {{ item.name }}.service"
+ loop_control:
+ label: "{{ item.name}}.service: {{ quadlet_status.stdout }}"
+ loop: "{{ quadlets }}"
+ register: quadlet_status
+ until: quadlet_status.stdout == 'active'
+ delay: 2
+ retries: 25
diff --git a/roles/containers/tasks/quadlet_stop.yml b/roles/containers/tasks/quadlet_stop.yml
new file mode 100644
index 0000000..b8a83f3
--- /dev/null
+++ b/roles/containers/tasks/quadlet_stop.yml
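Review bot: The two `systemctl --user is-active` probes in `Check for quadlet not in active or activating state` and `Wait for quadlet state to go active` are read-only checks run through `ansible.builtin.shell` with no `changed_when`, so every run reports them as changed and the play summary no longer shows whether anything on the host actually changed; `ansible.builtin.command:` plus `changed_when: false` on both fixes that. The `retries: 25` / `delay: 2` budget (about 50 s per unit) is the only startup timeout in this role and deserves a comment, since anything slower (e.g. a first-time image pull) fails the play rather than the unit. `{{ item.name}}.service` in all three labels lacks the space before `}}` that the rest of the file uses.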
@@ -0,0 +1,8 @@
+- name: Stop quadlet
+ ansible.builtin.systemd_service:
+ name: "{{ item.name }}"
+ state: "stopped"
+ scope: "user"
+ loop_control:
+ label: "{{ item.name}}.service"
+ loop: "{{ quadlets }}"
diff --git a/roles/host/defaults/main.yml b/roles/host/defaults/main.yml
new file mode 100644
index 0000000..c393dc8
--- /dev/null
+++ b/roles/host/defaults/main.yml
@@ -0,0 +1,9 @@
+host_shell_login_helper: |
+ echo "----pods----"
+ podman pod list --sort status --format={{ '"{{.Status}} {{.Name}}"' }}
+ echo ""
+ echo "----containers----"
+ podman container list --all --sort status --format={{ '"{{.State}} {{.Status}} {{.Names}}"' }}
+ echo ""
+
+host_containers_user: "containers"
diff --git a/roles/host/files/check-network-online.service b/roles/host/files/check-network-online.service
new file mode 100644
index 0000000..afadbfe
--- /dev/null
+++ b/roles/host/files/check-network-online.service
@@ -0,0 +1,14 @@
+#This is needed because user units cannot check or interact with system units such as network-online.target
+#https://github.com/containers/podman/issues/22197
+#https://github.com/systemd/systemd/issues/3312
+
+[Unit]
+Description=Check for system level network-online.target (for users)
+
+[Service]
+Type=oneshot
+ExecStart=bash -c 'until systemctl is-active network-online.target; do sleep 1; done'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=default.target
diff --git a/roles/host/tasks/cpanel-dnsonly.yml b/roles/host/tasks/cpanel-dnsonly.yml
new file mode 100644
index 0000000..dbb9062
--- /dev/null
+++ b/roles/host/tasks/cpanel-dnsonly.yml
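Review bot: `ExecStart` in check-network-online.service loops with no upper bound, and because the unit is `Type=oneshot` and wanted by `default.target`, a host whose `network-online.target` never becomes active can keep the user manager's `default.target` (and anything ordered `After=` this unit) waiting indefinitely, with nothing in the journal except one `systemctl` line per second; add `TimeoutStartSec=` under `[Service]` (e.g. `TimeoutStartSec=300`) so the hang becomes a reported failure, and use `systemctl is-active --quiet` to keep the per-second output out of the journal. Nothing in this commit orders the quadlets after this unit, so the header comment should state how consumers are expected to reference it (`After=check-network-online.service` in each quadlet), otherwise the workaround does nothing for them. The `#` comment lines have no space after the hash; `# ` reads better and matches common unit-file style.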
@@ -0,0 +1,28 @@
+- name: Confirm if cpsrvd is not listening on http ports
+ ansible.builtin.shell: "whmapi1 get_tweaksetting key='disable_cphttpd' |grep 'value: 1' || /bin/true"
+ register: cpsrv_listen
+
+- name: Turn off cpsrvd listening on http ports (if necessary)
+ ansible.builtin.shell: "whmapi1 set_tweaksetting key='disable_cphttpd' value='1' ; /scripts/restartsrv_cpsrvd"
+ when: cpsrv_listen.stdout | length == 0
+
+- name: Turn off firewalld
+ ansible.builtin.service:
+ name: "firewalld"
+ state: stopped
+ enabled: false
+
+- name: Create new tmp directory for podman
+ ansible.builtin.file:
+ path: "/var/containers/tmp"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ state: directory
+
+- name: Configure podman to use new tmp directory
+ ansible.builtin.blockinfile:
+ path: "/etc/containers/containers.conf"
+ create: true
+ block: |
+ [engine]
+ env = ["TMPDIR=/var/containers/tmp"]
diff --git a/roles/host/tasks/linger.yml b/roles/host/tasks/linger.yml
new file mode 100644
index 0000000..dffc6a7
--- /dev/null
+++ b/roles/host/tasks/linger.yml
@@ -0,0 +1,8 @@
+- name: Confirm systemd-linger is set for containers user
+ ansible.builtin.stat:
+ path: "/var/lib/systemd/linger/{{ host_containers_user }}"
+ register: linger
+
+- name: Set systemd-linger for containers user (if necessary)
+ ansible.builtin.shell: "loginctl enable-linger {{ host_containers_user }}"
+ when: not linger.stat.exists
diff --git a/roles/host/tasks/main.yml b/roles/host/tasks/main.yml
new file mode 100644
index 0000000..5b9dd6b
--- /dev/null
+++ b/roles/host/tasks/main.yml
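Review bot: The `|| /bin/true` on `Confirm if cpsrvd is not listening on http ports` makes a failing `whmapi1` call (missing binary, API error, permission problem) indistinguishable from "setting not enabled": stdout is empty in both cases, so the next task runs `set_tweaksetting` and restarts cpsrvd on a host whose state was never actually read. Let the query fail on its own, `ansible.builtin.command: "whmapi1 get_tweaksetting key='disable_cphttpd'"` with `changed_when: false`, and decide in the condition, `when: "'value: 1' not in cpsrv_listen.stdout"`. `Turn off firewalld` stops and disables the host firewall with no replacement and no comment; since this opt-in tag is the only place in the role that happens, a comment above the task stating why (presumably a port conflict with the container stack) and what is expected to filter traffic afterwards lets whoever enables `cpanel-dnsonly` see the consequence before running it.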
@@ -0,0 +1,19 @@
+- ansible.builtin.import_tasks: packages.yml
+
+- ansible.builtin.import_tasks: user.yml
+
+- ansible.builtin.import_tasks: linger.yml
+
+- ansible.builtin.import_tasks: shell-helper.yml
+
+- ansible.builtin.import_tasks: systemd-user-network-check.yml
+
+- ansible.builtin.import_tasks: unprivileged-ports.yml
+ tags:
+ - never
+ - unprivileged-ports
+
+- ansible.builtin.import_tasks: cpanel-dnsonly.yml
+ tags:
+ - never
+ - cpanel-dnsonly
diff --git a/roles/host/tasks/packages.yml b/roles/host/tasks/packages.yml
new file mode 100644
index 0000000..df78985
--- /dev/null
+++ b/roles/host/tasks/packages.yml
@@ -0,0 +1,6 @@
+- name: Install systemd-container and podman
+ ansible.builtin.package:
+ name:
+ - "systemd-container"
+ - "podman"
+ state: present
diff --git a/roles/host/tasks/shell-helper.yml b/roles/host/tasks/shell-helper.yml
new file mode 100644
index 0000000..e36784a
--- /dev/null
+++ b/roles/host/tasks/shell-helper.yml
@@ -0,0 +1,31 @@
+- name: Add bashrc for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.bashrc"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+
+- name: Check if fish shell is installed
+ ansible.builtin.stat:
+ path: "/usr/bin/fish"
+ register: fish
+
+- name: Block for fish
+ block:
+ - name: Create fish config directory
+ ansible.builtin.file:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d"
+ state: directory
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+
+ - name: Add fish config for container service status on login
+ ansible.builtin.blockinfile:
+ path: "/home/{{ host_containers_user }}/.config/fish/conf.d/containers.fish"
+ owner: "{{ host_containers_user }}"
+ group: "{{ host_containers_user }}"
+ create: true
+ block: "{{ host_shell_login_helper }}"
+ when: fish.stat.exists
+ when: fish.stat.exists
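Review bot: The `when: fish.stat.exists` on `Add fish config for container service status on login` in shell-helper.yml duplicates the same condition already on `Block for fish`, and the block's first task has no guard of its own, so the two tasks read as if they were meant to differ; drop the inner one. `ansible.builtin.file` with `state: directory` creates the intermediate `.config` and `.config/fish` directories as well, and whether those receive the `owner`/`group` given for `conf.d` should be confirmed on a host where `~/.config` does not exist yet — a root-owned `~/.config` in the containers user's home breaks later user-level tooling, including the quadlet directory the containers role creates under the same path. Both `blockinfile` tasks use `create: true` without `mode`, so a `.bashrc` or `containers.fish` created from scratch gets whatever the root umask yields; `mode: "0644"` pins it.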
diff --git a/roles/host/tasks/systemd-user-network-check.yml b/roles/host/tasks/systemd-user-network-check.yml
new file mode 100644
index 0000000..4c87f82
--- /dev/null
+++ b/roles/host/tasks/systemd-user-network-check.yml
@@ -0,0 +1,20 @@
+#This is a workaround so we can check for the network to come up before starting the quadlets
+#https://github.com/containers/podman/issues/22197
+#https://github.com/systemd/systemd/issues/3312
+
+- name: Copy check-network-online.service into systemd user service directory
+ ansible.builtin.copy:
+ src: "check-network-online.service"
+ dest: "/etc/systemd/user/check-network-online.service"
+ register: systemd
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: systemd.changed
+
+- name: Enable check-network-online.service for all users
+ ansible.builtin.systemd_service:
+ name: "check-network-online.service"
+ enabled: true
+ scope: "global"
diff --git a/roles/host/tasks/unprivileged-ports.yml b/roles/host/tasks/unprivileged-ports.yml
new file mode 100644
index 0000000..003646a
--- /dev/null
+++ b/roles/host/tasks/unprivileged-ports.yml
@@ -0,0 +1,17 @@
+- name: Unprivileged port block
+ block:
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+
+ rescue:
+ - name: Set sysctl parameter net.ipv4.ip_unprivileged_port_start=80
+ ansible.builtin.lineinfile:
+ path: "/etc/sysctl.conf"
+ regexp: "^net.ipv4.ip_unprivileged_port_start=80"
+ line: "net.ipv4.ip_unprivileged_port_start=80"
+
+ - name: Reload sysctl
+ ansible.builtin.shell: "sysctl -p /etc/sysctl.conf"
+
+ - name: Confirm port 80 and above is allowed for unprivileged use
+ ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
diff --git a/roles/host/tasks/user.yml b/roles/host/tasks/user.yml
new file mode 100644
index 0000000..40e9f4c
--- /dev/null
+++ b/roles/host/tasks/user.yml
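Review bot: `Reload systemd daemon` in systemd-user-network-check.yml reloads the system manager, but the unit was installed under `/etc/systemd/user/`, which is read by each user's own manager; a system-scope `daemon_reload` does not make it visible to an already-running user instance (such as the lingering containers user), and `enabled: true` with `scope: "global"` only places the `default.target.wants` symlink. Either run `systemctl --user daemon-reload` as the containers user after the copy, or document that a re-login is required before any unit ordered after `check-network-online.service` can rely on it. `register: systemd` names the result after the module it reports on and is easy to misread in `when: systemd.changed`; `register: network_check_unit` is clearer. The copy has no `mode`; a unit file should carry `mode: "0644"` explicitly so it does not inherit the controller-side file's permissions.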
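Review bot: `grep 80` in unprivileged-ports.yml matches any value containing the digits 80 (`1080`, `8000`, `1800`), so both the check in `block` and the re-check in `rescue` can pass while the sysctl is still above 80, and because the point of this opt-in tag is to let the unprivileged containers user bind ports from 80 upward, a false pass silently leaves the deployment unable to bind; read the value and compare it, e.g. `ansible.builtin.command: "sysctl -n net.ipv4.ip_unprivileged_port_start"` with `register: port_start`, `changed_when: false` and `failed_when: port_start.stdout | int != 80`. The `lineinfile` `regexp` leaves the dots unescaped and includes `=80`, so an existing line with a different value (`net.ipv4.ip_unprivileged_port_start=1024`) is not replaced and `/etc/sysctl.conf` ends up with two conflicting entries; match on the key only, `regexp: '^net\.ipv4\.ip_unprivileged_port_start='`. Lowering this sysctl lets every local account, not only the containers user, bind 80–1023, which is worth a comment above the block for whoever enables the tag.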
@@ -0,0 +1,9 @@
+- name: Create containers user
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+
+- name: Add containers user to systemd-journal group
+ ansible.builtin.user:
+ name: "{{ host_containers_user }}"
+ groups: "systemd-journal"
+ append: true
|
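Review bot: `Create containers user` leaves `home` (and `shell`) to the distro defaults, while shell-helper.yml writes to `/home/{{ host_containers_user }}/...` unconditionally; pin `home: "/home/{{ host_containers_user }}"` here so the two cannot diverge, or have the other tasks use the home directory the `user` module reports. The two tasks can be one, since `groups: "systemd-journal"` with `append: true` is accepted at creation time. Membership in `systemd-journal` grants read access to the entire system journal, not just the user's own units, so a one-line comment saying that this is intended (presumably for debugging the quadlets with `journalctl`) would help a later reviewer.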
