From 31bc4f2c269ce5c66cec4dfbd9a2ce7697d1dba0 Mon Sep 17 00:00:00 2001
From: spmfox
Date: Thu, 29 Aug 2024 15:33:54 -0400
Subject: updating unprivileged-ports logic, updating containers variables, adding variable for the unprivileged-ports
---
 roles/containers/defaults/main.yml | 4 ++--
 roles/containers/tasks/quadlet_create.yml | 4 ++--
 roles/containers/tasks/quadlet_remove.yml | 2 +-
 roles/containers/tasks/quadlet_start.yml | 6 +++---
 roles/containers/tasks/quadlet_stop.yml | 2 +-
 roles/host/defaults/main.yml | 1 +
 roles/host/tasks/unprivileged-ports.yml | 26 ++++++++++----------------
 7 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/roles/containers/defaults/main.yml b/roles/containers/defaults/main.yml
index ade45f3..2a55101 100644
--- a/roles/containers/defaults/main.yml
+++ b/roles/containers/defaults/main.yml
@@ -1,6 +1,6 @@
-quadlet_path: "../../docs/sample-environment/wordpress/quadlet"
+containers_quadlet_path: "../../docs/sample-environment/wordpress/quadlet"
-quadlets:
+containers_quadlets:
   - name: "wordpress-pod"
     file: "wordpress.pod"
diff --git a/roles/containers/tasks/quadlet_create.yml b/roles/containers/tasks/quadlet_create.yml
index ffbae8a..4098e5d 100644
--- a/roles/containers/tasks/quadlet_create.yml
+++ b/roles/containers/tasks/quadlet_create.yml
@@ -5,11 +5,11 @@
 - name: Copy quadlet files into quadlet directory
   ansible.builtin.copy:
-    src: "{{ quadlet_path}}/{{ item.file }}"
+    src: "{{ containers_quadlet_path}}/{{ item.file }}"
     dest: "{{ lookup('env', 'HOME') }}/.config/containers/systemd/{{ item.file }}"
   loop_control:
     label: "{{ item.name }} -> {{ item.file }}"
-  loop: "{{ quadlets }}"
+  loop: "{{ containers_quadlets }}"
   register: quadlet_files
 - name: Reload systemd daemon
diff --git a/roles/containers/tasks/quadlet_remove.yml b/roles/containers/tasks/quadlet_remove.yml
index e6bc05b..4b12b68 100644
--- a/roles/containers/tasks/quadlet_remove.yml
+++ b/roles/containers/tasks/quadlet_remove.yml
@@ -4,7 +4,7 @@
     state: "absent"
   loop_control:
     label: "{{ item.name }} -> {{ item.file }}"
-  loop: "{{ quadlets }}"
+  loop: "{{ containers_quadlets }}"
   register: quadlet_files
 - name: Reload systemd daemon
diff --git a/roles/containers/tasks/quadlet_start.yml b/roles/containers/tasks/quadlet_start.yml
index 5dcd39a..ade3da6 100644
--- a/roles/containers/tasks/quadlet_start.yml
+++ b/roles/containers/tasks/quadlet_start.yml
@@ -5,13 +5,13 @@
     scope: "user"
   loop_control:
     label: "{{ item.name}}.service"
-  loop: "{{ quadlets }}"
+  loop: "{{ containers_quadlets }}"
 - name: Check for quadlet not in active or activating state
   ansible.builtin.shell: "systemctl --user is-active {{ item.name }}.service"
   loop_control:
     label: "{{ item.name}}.service: {{ quadlet_status.stdout }}"
-  loop: "{{ quadlets }}"
+  loop: "{{ containers_quadlets }}"
   register: quadlet_status
   failed_when: quadlet_status.stdout not in ['active', 'activating']
@@ -20,7 +20,7 @@
   ansible.builtin.shell: "systemctl --user is-active {{ item.name }}.service"
   loop_control:
     label: "{{ item.name}}.service: {{ quadlet_status.stdout }}"
-  loop: "{{ quadlets }}"
+  loop: "{{ containers_quadlets }}"
   register: quadlet_status
   until: quadlet_status.stdout == 'active'
   delay: 2
diff --git a/roles/containers/tasks/quadlet_stop.yml b/roles/containers/tasks/quadlet_stop.yml
index b8a83f3..07210ed 100644
--- a/roles/containers/tasks/quadlet_stop.yml
+++ b/roles/containers/tasks/quadlet_stop.yml
@@ -5,4 +5,4 @@
     scope: "user"
   loop_control:
     label: "{{ item.name}}.service"
-  loop: "{{ quadlets }}"
+  loop: "{{ containers_quadlets }}"
diff --git a/roles/host/defaults/main.yml b/roles/host/defaults/main.yml
index c393dc8..14d2253 100644
--- a/roles/host/defaults/main.yml
+++ b/roles/host/defaults/main.yml
@@ -7,3 +7,4 @@ host_shell_login_helper: |
   echo ""
 host_containers_user: "containers"
+host_unprivileged_ports_start: 80
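Review bot: The new default `host_unprivileged_ports_start: 80` in roles/host/defaults/main.yml is a security-relevant knob and carries no comment, so a reader of the defaults file cannot tell that it feeds net.ipv4.ip_unprivileged_port_start or that every port at or above it becomes bindable by any unprivileged account on the host, not only the containers user. Suggest a comment above it such as `# Lowest port unprivileged processes may bind (net.ipv4.ip_unprivileged_port_start); every port >= this value is open to all local accounts`. Since the variable is now overridable, the task that consumes it would also benefit from an `ansible.builtin.assert` that the value is an integer in the range 0-1024, so a typo or an accidental string does not reach the sysctl write.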
diff --git a/roles/host/tasks/unprivileged-ports.yml b/roles/host/tasks/unprivileged-ports.yml
index 003646a..b6afd29 100644
--- a/roles/host/tasks/unprivileged-ports.yml
+++ b/roles/host/tasks/unprivileged-ports.yml
@@ -1,17 +1,11 @@
-- name: Unprivileged port block
-  block:
-    - name: Confirm port 80 and above is allowed for unprivileged use
-      ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+- name: Set unprivileged ports sysctl parameter in /etc/sysctl.d/50-UnprivilegedPorts.conf
+  ansible.builtin.lineinfile:
+    path: "/etc/sysctl.d/50-UnprivilegedPorts.conf"
+    regexp: "^net.ipv4.ip_unprivileged_port_start="
+    line: "net.ipv4.ip_unprivileged_port_start={{ host_unprivileged_ports_start }}"
+    create: true
+  register: sysctl
-  rescue:
-    - name: Set sysctl parameter net.ipv4.ip_unprivileged_port_start=80
-      ansible.builtin.lineinfile:
-        path: "/etc/sysctl.conf"
-        regexp: "^net.ipv4.ip_unprivileged_port_start=80"
-        line: "net.ipv4.ip_unprivileged_port_start=80"
-    - name: Reload sysctl
-      ansible.builtin.shell: "sysctl -p /etc/sysctl.conf"
-    - name: Confirm port 80 and above is allowed for unprivileged use
-      ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
+- name: Reload sysctl
+  ansible.builtin.shell: "sysctl -p /etc/sysctl.d/50-UnprivilegedPorts.conf"
+  when: sysctl.changed
-- 
cgit
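Review bot: The rewritten tasks enforce only the file content: `when: sysctl.changed` skips the reload whenever the line is already present in /etc/sysctl.d/50-UnprivilegedPorts.conf, so a host whose running net.ipv4.ip_unprivileged_port_start differs from the file (a value changed at runtime, or a file written by a run whose reload failed) is reported ok and never corrected, whereas the removed block at least checked the live value with `sysctl ... |grep 80`. A second gap, inferred rather than visible here: hosts configured by the previous version still carry the line in /etc/sysctl.conf, which `sysctl --system` reads after the sysctl.d directories, so once host_unprivileged_ports_start is set to anything other than 80 the stale value would win at the next boot unless it is removed. Both are addressed by replacing the two tasks with one ansible.posix.sysctl task (if that collection is available to this role), which compares the live value, writes the drop-in file and reloads it in a single idempotent step, plus a lineinfile that drops the legacy entry; this also removes the ansible.builtin.shell reload that ansible-lint flags as command-instead-of-shell since it uses no shell features. If the lineinfile form is kept instead, the regexp should escape its dots, `regexp: '^net\.ipv4\.ip_unprivileged_port_start='`.

```yaml
- name: Set net.ipv4.ip_unprivileged_port_start in /etc/sysctl.d/50-UnprivilegedPorts.conf
  ansible.posix.sysctl:
    name: net.ipv4.ip_unprivileged_port_start
    value: "{{ host_unprivileged_ports_start }}"
    sysctl_file: /etc/sysctl.d/50-UnprivilegedPorts.conf
    sysctl_set: true
    reload: true
    state: present

- name: Remove the value written to /etc/sysctl.conf by earlier versions of this role
  ansible.builtin.lineinfile:
    path: /etc/sysctl.conf
    regexp: '^net\.ipv4\.ip_unprivileged_port_start='
    state: absent
```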