first commit

This commit is contained in:
ronny 2024-11-19 10:44:58 +01:00
commit f702c9c45a
13 changed files with 309 additions and 0 deletions


@ -0,0 +1,60 @@
---
- name: Pull needed image for {{ item.name }} (rootless)
containers.podman.podman_image:
name: "{{ item.image }}"
force: true # there is no other way to say "newer" :-/
become: true
become_user: "{{ item.rootless_user }}"
when: not item.rootless_user == ""
register: image_pull
- name: Pull needed image for {{ item.name }}
containers.podman.podman_image:
name: "{{ item.image }}"
become: true
register: image_pull
when: image_pull is not defined
- name: Print image pull var
ansible.builtin.debug:
var: image_pull
tags:
- never
- debug
- name: Re-create container for {{ item.name }} (rootless)
containers.podman.podman_container:
name: "{{ item.name | mandatory(msg='Name of container is required.') }}"
image: "{{ item.image | mandatory(msg='Image is required.')}}"
publish: "{{ item.publish | default(omit) }}"
expose: "{{ item.expose | default(omit) }}"
env: "{{ item.env | default(omit) }}"
dns: "{{ item.dns | default(omit) }}"
volume: "{{ item.volume | default(omit) }}"
restart_policy: "{{ item.restart_policy | default('unless-stopped') }}"
recreate: "{{ item.recreate | default(omit) }}"
network: "{{ item.network | default(omit) }}"
state: "{{ item.state | default('started') }}"
when:
- image_pull is changed or not containers_force_restart == ""
- not item.rootless_user == ""
become: true
become_user: "{{ item.rootless_user }}"
- name: Re-create container
containers.podman.podman_container:
name: "{{ item.name | mandatory(msg='Name of container is required.') }}"
image: "{{ item.image | mandatory(msg='Image is required.')}}"
publish: "{{ item.publish | default(omit) }}"
expose: "{{ item.expose | default(omit) }}"
env: "{{ item.env | default(omit) }}"
dns: "{{ item.dns | default(omit) }}"
volume: "{{ item.volume | default(omit) }}"
restart_policy: "{{ item.restart_policy | default('unless-stopped') }}"
recreate: "{{ item.recreate | default(omit) }}"
network: "{{ item.network | default(omit) }}"
state: "{{ item.state | default('started') }}"
when:
- image_pull is changed or not containers_force_restart == ""
- item.rootless_user == "" or not item.rootless_user is defined
become: true
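Review bot: The rootful "Pull needed image" task can never run, because `register: image_pull` on the skipped rootless pull still defines `image_pull` (as a skipped result), so `when: image_pull is not defined` is always false; the rootful "Re-create container" task then sees a never-changed `image_pull` and only fires when `containers_force_restart` is non-empty, i.e. image updates are never applied to rootful containers. Change the guard to `when: image_pull is skipped`. Separately, `force: true` re-pulls whatever the mutable tag currently resolves to and a changed pull recreates the container, so an upstream retag redeploys here unattended — pin `item.image` by digest (`repo@sha256:…`) where possible, or document that only registries covered by the host's signature policy are acceptable. `item.env` is passed straight through and the module's return value (which can include the container environment) shows up in verbose output, so consider `no_log: "{{ item.no_log | default(false) }}"` for items that carry secrets. The `not item.rootless_user == ""` checks on the rootless tasks error on an item that lacks the key, unlike the `is defined` handling on the last task — use `item.rootless_user | default('') != ''` consistently.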


@ -0,0 +1,13 @@
---
- name: Create folder structure for {{ item.name }}
ansible.builtin.file:
path: "{{ volume | split(':') | first }}"
state: directory
mode: 0755
owner: "{{ item.rootless_user }}"
group: "{{ item.rootless_user }}"
loop: "{{ item.volume }}"
loop_control:
loop_var: volume
when: not item.volume == ""
become: true
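Review bot: "Create folder structure" chowns whatever precedes the first `:` of each volume spec to `item.rootless_user`, as root, with no check that the path is absolute or below an intended base directory, so a mistyped entry such as `/etc:/data` would change ownership of `/etc` itself. Guard the loop with `volume is match('^/')` in `when`, and ideally assert that the host path starts with a role variable such as `containers_volume_root`. Named volumes (`data:/data`) have no host path at all and would yield a relative directory named `data` in the remote working directory, so specs whose first element is not absolute should be skipped rather than created. For rootful items `rootless_user` is empty and `owner: ""` / `group: ""` make the file module fail on the user lookup (as far as I read the module), so either add `item.rootless_user | default('') != ''` to `when` or use `owner: "{{ item.rootless_user | default(omit, true) }}"`. Also write the mode as a string, `mode: "0755"`, to avoid the YAML octal ambiguity.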

39
tasks/lingering.yml Normal file

@ -0,0 +1,39 @@
---
- name: Check if user is lingering for {{ item.name }}
ansible.builtin.stat:
path: "/var/lib/systemd/linger/{{ item.rootless_user }}"
register: lingering
when: not item.rootless_user == ""
- name: Enable lingering is needed for {{ item.name }}
ansible.builtin.command:
cmd: "loginctl enable-linger {{ item.rootless_user }}"
creates: /var/lib/systemd/linger/{{ item.rootless_user }}
register: lingeringchange
failed_when: lingeringchange.rc != 0
changed_when: lingeringchange.rc == 0
when:
- not lingering.stat.exists
- not item.rootless_user == ""
- name: Configure XDG_RUNTIME_DIR for {{ item.rootless_user }} for {{ item.name }}
ansible.builtin.lineinfile:
path: "/home/{{ item.rootless_user }}/.bash_profile"
line: export XDG_RUNTIME_DIR=/run/user/$UID
owner: "{{ item.rootless_user }}"
group: "{{ item.rootless_user }}"
create: yes
when: not item.rootless_user == ""
become_user: "{{ item.rootless_user }}"
become: true
- name: Configure DBUS_SESSION_BUS_ADDRESS for {{ item.rootless_user }} user for {{ item.name }}
ansible.builtin.lineinfile:
path: "/home/{{ item.rootless_user }}/.bash_profile"
line: export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$UID/bus
owner: "{{ item.rootless_user }}"
group: "{{ item.rootless_user }}"
create: yes
when: not item.rootless_user == ""
become_user: "{{ item.rootless_user }}"
become: true
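Review bot: In "Enable lingering is needed" the `when` list is evaluated in order, so for a rootful item (`rootless_user == ""`) the first condition `not lingering.stat.exists` is evaluated against a skipped stat result that has no `stat` key and the play errors instead of skipping; put `- not item.rootless_user == ""` first, or check `lingering.stat is defined`. The two `.bash_profile` exports are very likely dead configuration: user.yml gives the rootless account `/bin/false`, and `become_user` does not source a login profile, so tasks that run podman as that user get neither `XDG_RUNTIME_DIR` nor a logind session from these lines — set `environment: { XDG_RUNTIME_DIR: "/run/user/<uid>" }` on the podman tasks (the uid is returned by `ansible.builtin.user`) instead. `loginctl enable-linger` needs root or a polkit grant, but that task has no `become: true`, so it only works when the whole play already runs as root. The home directory is hard-coded as `/home/{{ item.rootless_user }}`; the `home` value returned by the user task avoids breaking on non-default layouts.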

21
tasks/main.yml Normal file

@ -0,0 +1,21 @@
---
# tasks file for container
- name: Create users
include_tasks: user.yml
loop: "{{ containers }}"
- name: Prepare folders
include_tasks: folder_structure.yml
loop: "{{ containers }}"
- name: Network
include_tasks: network.yml
loop: "{{ containers }}"
- name: Lingering
include_tasks: lingering.yml
loop: "{{ containers }}"
- name: Deploy containers
include_tasks: create_container.yml
loop: "{{ containers }}"
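Review bot: Every included file dereferences `item.rootless_user`, `item.volume`, `item.network` and friends directly, so a `containers` entry missing any of those keys (or an undefined `containers`) fails the role with an undefined-variable error deep inside an include rather than being skipped; validating the list once here, before the first include, gives a clear failure and lets the included tasks assume the keys exist. The includes also use the short `include_tasks` while every other module in the commit is FQCN — `ansible.builtin.include_tasks` for consistency.
```yaml
- name: Validate container definitions
  ansible.builtin.assert:
    that:
      - item.name is defined
      - item.image is defined
      - item.rootless_user is defined
    fail_msg: "each containers entry needs name, image and rootless_user (use \"\" for rootful)"
    quiet: true
  loop: "{{ containers | default([]) }}"
# … unchanged: include_tasks chain (user, folder_structure, network, lingering, create_container) …
```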

28
tasks/network.yml Normal file

@ -0,0 +1,28 @@
---
# TODO: This is from which port it start, so it's port -> till the end
# so if 53 is defined, then it allows all ports from 53 to end for users to use
# maybe redirect of ports would be better?
- name: Allow podman privileged ports for non root users for {{ item.name }}
ansible.posix.sysctl:
name: net.ipv4.ip_unprivileged_port_start
value: "{{ item.privileged_ports_start | int }}"
sysctl_file: /etc/sysctl.conf
sysctl_set: true
state: present
reload: true
when: item.privileged_ports_start is defined and not item.privileged_ports_start == ""
- name: Create a network (rootless)
containers.podman.podman_network:
name: "{{ item.network }}"
become: true
become_user: "{{ item.rootless_user }}"
when:
- not item.rootless_user == ""
- name: Create a network
containers.podman.podman_network:
name: "{{ item.network }}"
become: true
when:
- item.rootless_user == "" or not item.rootless_user is defined
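Review bot: The sysctl task lowers `net.ipv4.ip_unprivileged_port_start` for every unprivileged account on the host, not just the container user, so any local user can then bind 53, 80 or 443 and squat the port while a container is being re-created; and because each item writes the same key, the last entry in `containers` silently wins, which the TODO only partly acknowledges. The `| int` filter makes this worse: a non-numeric value becomes `0`, which makes every port unprivileged. Either assert `(item.privileged_ports_start | int) >= 1 and (item.privileged_ports_start | int) <= 1024` before applying, or drop the sysctl in favour of publishing on a high port and redirecting with nftables/firewalld as the TODO suggests. The two network tasks should also be guarded with `item.network is defined`, since `name: "{{ item.network }}"` otherwise errors for items without a network, and a drop-in under `/etc/sysctl.d/` is preferable to editing `/etc/sysctl.conf` from a role.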

11
tasks/user.yml Normal file

@ -0,0 +1,11 @@
---
- name: Create user {{ item.rootless_user }} for {{ item.name }}
ansible.builtin.user:
name: "{{ item.rootless_user }}"
uid: "{{ item.rootless_userid | default(omit) }}"
shell: "/bin/false"
password: "!"
become: true
when: not item.rootless_user == ""
tags:
- user
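Review bot: The task creates the rootless account but nothing in the role ensures it has subordinate UID/GID ranges in `/etc/subuid` / `/etc/subgid`, which rootless podman needs for its user namespace; recent shadow-utils allocate them on `useradd`, but on hosts that don't, the later pull/run tasks fail — add an `ansible.builtin.command` with `usermod --add-subuids … --add-subgids …` guarded by a grep of `/etc/subuid`, or at least document the requirement. `shell: /bin/false` and `password: "!"` are the right hardening for a service account; `system: true` would additionally keep it out of the interactive UID range unless `rootless_userid` is deliberately choosing one. The `when: not item.rootless_user == ""` form errors on an item without the key (compare the `is defined` handling in create_container.yml) — use `item.rootless_user | default('') != ''`. Note the `user` tag is only reachable with `--tags user` if the `include_tasks` in main.yml carries the tag as well (or becomes `import_tasks`).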