Enable gitea emails

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+      - id: check-added-large-files
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-yaml
+        args:
+          - --allow-multiple-documents
+          - --unsafe
+      - id: end-of-file-fixer

README.md

@@ -8,4 +8,3 @@
 Variables prefixed by `vault_` are available by unlocking the vault with the master password
 
 # Basic config
-

ansible.cfg

@@ -1,2 +1,2 @@
 [defaults]
-inventory=./hosts.yml
+inventory=./hosts.yml

containers/act_runner/tasks.yml

@@ -0,0 +1,99 @@
+---
+- hosts: all
+  name: Gitea web server
+  tasks:
+    - name: Get containers UID
+      ansible.builtin.command: "id -u containers"
+      register: uid_containers
+      changed_when: uid_containers.rc != 0
+
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - act_runner
+      failed_when: false
+
+    - name: Create podman volumes
+      containers.podman.podman_volume:
+        state: present
+        name: "{{ item }}"
+      become_user: containers
+      become: true
+      loop:
+        - act_runner
+
+    - name: Pull container images
+      become_user: containers
+      become: true
+      containers.podman.podman_image:
+        name: docker.io/{{ item }}
+      loop:
+        - gitea/act_runner:latest
+
+    - name: Change permission to act_runner folder
+      become_user: root
+      become: true
+      ansible.builtin.file:
+        path: /etc/act_runner
+        owner: containers
+        group: containers
+        mode: "0700"
+        state: directory
+
+    - name: Copy config directory
+      become_user: root
+      become: true
+      ansible.builtin.template:
+        src: "templates/{{ item }}.j2"
+        dest: "/etc/act_runner/{{ item }}"
+        owner: containers
+        group: containers
+        mode: "0600"
+      loop:
+        - configuration.yml
+
+    - name: Create act_runner instance
+      become_user: containers
+      become: true
+      containers.podman.podman_container:
+        name: act_runner
+        image: gitea/act_runner:latest
+        state: present
+        security_opt:
+          # - label=type:container_runtime_t
+          - label=disable
+        device:
+          - /dev/fuse
+        publish:
+          - "8088:8088"
+        volume:
+          - act_runner:/data:Z
+          - /etc/act_runner:/config:Z
+          - /run/user/{{ uid_containers.stdout }}/podman/podman.sock:/var/run/docker.sock:z
+        env:
+          GITEA_INSTANCE_URL: "{{ vault_act_runner_host }}"
+          GITEA_RUNNER_REGISTRATION_TOKEN: "{{ vault_act_runner_token }}"
+          GITEA_RUNNER_NAME: "{{ inventory_hostname_short }}"
+          CONFIG_FILE: "/config/configuration.yml"
+        generate_systemd:
+          path: /home/containers/.config/systemd/user/
+          restart_policy: on-failure
+          names: true
+          new: true
+
+    - name: Start containers at boot
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        enabled: true
+        state: started
+        daemon_reload: true
+      loop:
+        - act_runner

containers/act_runner/templates/configuration.yml.j2

@@ -0,0 +1,85 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: {{ vault_act_runner_capacity }}
+  # Extra environment variables to run jobs.
+  #envs:
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  #env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: [linux,self-hosted]
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "{{ ansible_facts[vault_act_net_interface_name]['ipv4']['address'] }}"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 8088
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: [build_cache]
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: "-"
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

containers/collabora/tasks.yml

@@ -0,0 +1,107 @@
+# code: language=ansible
+
+---
+- hosts: all
+  name: Collabora CODE container
+  tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - collabora
+      failed_when: false
+
+    # - name: Create podman volumes
+    #   containers.podman.podman_volume:
+    #     state: present
+    #     name: "{{ item }}"
+    #   become_user: containers
+    #   become: true
+    #   loop:
+    #     - collabora-config
+
+    - name: Create podman networks
+      containers.podman.podman_network:
+        name: "{{ item }}"
+        recreate: false
+        state: "present"
+      become_user: containers
+      become: true
+      loop:
+        - traefik-collabora
+        - nextcloud-collabora
+
+    - name: Pull container images
+      become_user: containers
+      become: true
+      containers.podman.podman_image:
+        name: docker.io/{{ item }}
+      loop:
+        - collabora/code:latest
+
+    - name: Add a collabora container
+      become_user: containers
+      become: true
+      containers.podman.podman_container:
+        name: collabora
+        image: docker.io/collabora/code:latest
+        state: present
+        network:
+          - traefik-collabora
+          - nextcloud-collabora
+        # volume:
+        #   - collabora-config:/etc/coolwsd:Z
+        label:
+          io.containers.autoupdate: "registry"
+          traefik.enable: "true"
+          traefik.http.routers.collabora.entrypoints: "https"
+          traefik.http.routers.collabora.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/collabora`) || Path(`/browser`))"
+          traefik.http.routers.collabora.tls: "true"
+          traefik.http.routers.collabora.tls.certresolver: "wildcard"
+          traefik.http.routers.collabora.service: "collabora"
+          traefik.http.services.collabora.loadbalancer.server.port: "9980"
+          traefik.docker.network: "traefik-collabora"
+        env:
+          domain: "chef\\.heaplab\\.deib\\.polimi\\.it"
+          aliasgroup1: "chef\\.heaplab\\.deib\\.polimi\\.it"
+          server_name: "chef.heaplab.deib.polimi.it"
+          username: "{{ vault_collabora_user }}"
+          password: "{{ vault_collabora_password }}"
+          extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:net.service_root=/collabora --o:net.server_name=chef.heaplab.deib.polimi.it/collabora"
+        generate_systemd:
+          path: /home/containers/.config/systemd/user/
+          restart_policy: on-failure
+          requires: [container-nextcloud.service, container-traefik.service]
+          names: true
+          new: true
+
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-collabora.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
+    - name: Start containers at boot
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        enabled: true
+        state: started
+        daemon_reload: true
+      loop:
+        - collabora

containers/drone-runner/tasks.yml

@@ -4,6 +4,17 @@
 - hosts: all
   name: Drone CI runner agent
   tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - drone-runner
+      failed_when: false
+
     - name: Get containers UID
       ansible.builtin.command: "id -u containers"
       register: uid_containers
@@ -50,12 +61,12 @@
           io.containers.autoupdate: "registry"
           traefik.enable: "true"
           traefik.http.routers.drone-runner.entrypoints: "https"
-          traefik.http.routers.drone-runner.rule: "PathPrefix(`/runner`)"
+          traefik.http.routers.drone-runner.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/ci-runner/`) || Path(`/ci-runner`))"
           traefik.http.routers.drone-runner.tls: "true"
           traefik.http.routers.drone-runner.tls.certresolver: "wildcard"
           traefik.http.routers.drone-runner.service: "drone-runner"
-          traefik.http.routers.drone-runner.middlewares: "drone-runner-prefixstrip@docker"
+          traefik.http.routers.drone-runner.middlewares: "force-trailing-slash@file,drone-runner-prefixstrip@docker"
-          traefik.http.middlewares.drone-runner-prefixstrip.stripprefix.prefixes: "/runner"
+          traefik.http.middlewares.drone-runner-prefixstrip.stripprefix.prefixes: "/ci-runner"
           traefik.http.services.drone-runner.loadbalancer.server.port: "3000"
           traefik.docker.network: "traefik-drone-runner"
         env:
@@ -76,6 +87,21 @@
           names: true
           new: true
 
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-drone-runner.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
     - name: Start containers at boot
       become_user: containers
       become: true

containers/drone-server/tasks.yml

@@ -4,6 +4,17 @@
 - hosts: all
   name: Drone CI server coordinator
   tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - drone-server
+      failed_when: false
+
     - name: Create podman volumes
       containers.podman.podman_volume:
         state: present
@@ -48,12 +59,12 @@
           io.containers.autoupdate: "registry"
           traefik.enable: "true"
           traefik.http.routers.drone-server.entrypoints: "https"
-          traefik.http.routers.drone-server.rule: "PathPrefix(`/drone`)"
+          traefik.http.routers.drone-server.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/ci/`) || Path(`/ci`))"
           traefik.http.routers.drone-server.tls: "true"
           traefik.http.routers.drone-server.tls.certresolver: "wildcard"
           traefik.http.routers.drone-server.service: "drone-server"
           traefik.http.routers.drone-server.middlewares: "drone-server-prefixstrip@docker"
-          traefik.http.middlewares.drone-server-prefixstrip.stripprefix.prefixes: "/drone"
+          traefik.http.middlewares.drone-server-prefixstrip.stripprefix.prefixes: "/ci"
           traefik.http.services.drone-server.loadbalancer.server.port: "80"
           traefik.docker.network: "traefik-drone"
         env:
@@ -63,7 +74,7 @@
           DRONE_GITEA_SERVER: "https://{{ inventory_hostname }}/git"
           DRONE_GIT_ALWAYS_AUTH: "false"
           DRONE_RPC_SECRET: "{{ vault_drone_rpc_secret }}"
-          DRONE_SERVER_HOST: "{{ inventory_hostname }}/drone"
+          DRONE_SERVER_HOST: "{{ inventory_hostname }}/ci"
           DRONE_SERVER_PROTO: "https"
           DRONE_AGENTS_ENABLED: "true"
           DRONE_LOGS_TEXT: "true"
@@ -74,9 +85,25 @@
         generate_systemd:
           path: /home/containers/.config/systemd/user/
           restart_policy: on-failure
+          requires: [container-traefik.service]
           names: true
           new: true
 
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-drone-server.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
     - name: Start containers at boot
       become_user: containers
       become: true

containers/gitea/tasks.yml

@@ -4,6 +4,18 @@
 - hosts: all
   name: Gitea web server
   tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - gitea
+        - db_gitea
+      failed_when: false
+
     - name: Permit traffic from any IP to ssh port
       become: true
       community.general.ufw:
@@ -51,7 +63,7 @@
         dest: /etc/gitea/mariadb/
         owner: containers
         group: containers
-        mode: 0600
+        mode: "0600"
 
     - name: Create mariadb instance
       become_user: containers
@@ -87,8 +99,8 @@
         name: gitea
         image: docker.io/gitea/gitea:latest
         state: present
-        ports:
+        publish:
-          - 22:22
+          - "22:22"
         network:
           - traefik-gitea
           - mariadb-gitea
@@ -100,11 +112,11 @@
           io.containers.autoupdate: "registry"
           traefik.enable: "true"
           traefik.http.routers.gitea.entrypoints: "https"
-          traefik.http.routers.gitea.rule: "PathPrefix(`/git`)"
+          traefik.http.routers.gitea.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/git/`) || Path(`/git`))"
           traefik.http.routers.gitea.tls: "true"
           traefik.http.routers.gitea.tls.certresolver: "wildcard"
           traefik.http.routers.gitea.service: "gitea"
-          traefik.http.routers.gitea.middlewares: "gitea-prefixstrip@docker"
+          traefik.http.routers.gitea.middlewares: "force-trailing-slash@file,gitea-prefixstrip@docker"
           traefik.http.middlewares.gitea-prefixstrip.stripprefix.prefixes: "/git"
           traefik.http.services.gitea.loadbalancer.server.port: "3000"
           traefik.docker.network: "traefik-gitea"
@@ -143,14 +155,46 @@
           GITEA__service__SIGNIN_VIEW: false
           GITEA__service__REGISTER_EMAIL_CONFIRM: true
           GITEA__service__ENABLE_CAPTCHA: true
+          GITEA__service__ENABLE_NOTIFY_MAIL: true
           GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: false
           GITEA__ui__THEMES: "auto,gitea,arc-green,gitea-modern"
         generate_systemd:
           path: /home/containers/.config/systemd/user/
           restart_policy: on-failure
+          requires: [container-db_gitea.service, container-traefik.service]
           names: true
           new: true
 
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-gitea.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-db_gitea.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
     - name: Start containers at boot
       become_user: containers
       become: true

containers/heimdall/tasks.yml

@@ -0,0 +1,110 @@
+# code: language=ansible
+
+---
+- hosts: all
+  name: Heimdall landing page
+  tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - heimdall
+      failed_when: false
+
+    - name: Create podman volumes
+      containers.podman.podman_volume:
+        state: present
+        name: "{{ item }}"
+      become_user: containers
+      become: true
+      loop:
+        - heimdall-config
+
+    - name: Create podman networks
+      containers.podman.podman_network:
+        name: "{{ item }}"
+        recreate: false
+        state: "present"
+      become_user: containers
+      become: true
+      loop:
+        - traefik-heimdall
+
+    - name: Pull an image
+      become_user: containers
+      become: true
+      containers.podman.podman_image:
+        name: lscr.io/linuxserver/heimdall:latest
+
+    - name: Add a heimdall container
+      become_user: containers
+      become: true
+      containers.podman.podman_container:
+        name: heimdall
+        image: lscr.io/linuxserver/heimdall:latest
+        state: present
+        network:
+          - traefik-heimdall
+        volume:
+          - heimdall-config:/config:Z
+        label:
+          io.containers.autoupdate: "registry"
+          traefik.enable: "true"
+
+          traefik.http.routers.heimdall.entrypoints: "https"
+          traefik.http.routers.heimdall.rule: "Host(`{{ vault_domain }}`)"
+          traefik.http.routers.heimdall.tls: "true"
+          traefik.http.routers.heimdall.tls.certresolver: "wildcard"
+          traefik.http.routers.heimdall.service: "heimdall"
+          traefik.http.services.heimdall.loadbalancer.server.port: "80"
+
+          traefik.http.routers.heimdall-settings.entrypoints: "https"
+          traefik.http.routers.heimdall-settings.rule: "Host(`{{ vault_domain }}`) && Path(`/settings`)"
+          traefik.http.routers.heimdall-settings.tls: "true"
+          traefik.http.routers.heimdall-settings.tls.certresolver: "wildcard"
+          traefik.http.routers.heimdall-settings.service: "heimdall"
+          traefik.http.routers.heimdall-settings.middlewares: "heimdall-auth@docker"
+          traefik.http.services.heimdall-settings.loadbalancer.server.port: "80"
+
+          traefik.http.middlewares.heimdall-auth.basicauth.users: "{{ vault_heimdall_basic_auth }}"
+
+          traefik.docker.network: "traefik-heimdall"
+        env:
+          TZ: "Europe/Rome"
+        generate_systemd:
+          path: /home/containers/.config/systemd/user/
+          restart_policy: on-failure
+          requires: [container-traefik.service]
+          names: true
+          new: true
+
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-heimdall.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
+    - name: Start containers at boot
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        enabled: true
+        state: started
+        daemon_reload: true
+      loop:
+        - heimdall

containers/mattermost/tasks.yml

@@ -0,0 +1,183 @@
+# code: language=ansible
+
+---
+- hosts: all
+  name: Mattermost server
+  tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - mattermost
+        - db_mattermost
+      failed_when: false
+
+    - name: Create podman volumes
+      containers.podman.podman_volume:
+        state: present
+        name: "{{ item }}"
+      become_user: containers
+      become: true
+      loop:
+        - mattermost-config
+        - mattermost-data
+        - mattermost-logs
+        - mattermost-plugins
+        - mattermost-clientplugins
+        - mattermost-bleveindexes
+        - mattermost-db
+
+    - name: Create podman networks
+      containers.podman.podman_network:
+        name: "{{ item }}"
+        recreate: false
+        state: "present"
+      become_user: containers
+      become: true
+      loop:
+        - traefik-mattermost
+        - postgres-mattermost
+
+    - name: Pull container images
+      become_user: containers
+      become: true
+      containers.podman.podman_image:
+        name: docker.io/{{ item }}
+      loop:
+        - mattermost/mattermost-team-edition:release-9
+        - postgres:13-alpine
+
+    - name: Create postgres instance
+      become_user: containers
+      become: true
+      containers.podman.podman_container:
+        name: db_mattermost
+        image: docker.io/postgres:13-alpine
+        state: present
+        volume:
+          - mattermost-db:/var/lib/postgresql/data/pgdata:Z
+        network:
+          - postgres-mattermost
+        env:
+          POSTGRES_DB: "{{ vault_mattermost_db_database }}"
+          POSTGRES_USER: "{{ vault_mattermost_db_user }}"
+          POSTGRES_PASSWORD: "{{ vault_mattermost_db_password }}"
+          PGDATA: /var/lib/postgresql/data/pgdata
+          TZ: "{{ vault_timezone }}"
+        security_opt:
+          - no-new-privileges=true
+        pids_limit: "100"
+        read_only: true
+        tmpfs:
+          "/tmp": "rw"
+          "/var/run/postgresql": "rw"
+        generate_systemd:
+          path: /home/containers/.config/systemd/user/
+          restart_policy: on-failure
+          names: true
+          new: true
+
+    - name: Add a mattermost container
+      become_user: containers
+      become: true
+      containers.podman.podman_container:
+        name: mattermost
+        image: docker.io/mattermost/mattermost-team-edition:release-9
+        state: present
+        network:
+          - traefik-mattermost
+          - postgres-mattermost
+        volume:
+          - mattermost-config:/mattermost/config:Z
+          - mattermost-data:/mattermost/data:Z
+          - mattermost-logs:/mattermost/logs:Z
+          - mattermost-plugins:/mattermost/plugins:Z
+          - mattermost-clientplugins:/mattermost/client/plugins:Z
+          - mattermost-bleveindexes:/mattermost/bleve-indexes:Z
+        security_opt:
+          - no-new-privileges=true
+        pids_limit: "100"
+        tmpfs:
+          "/tmp": "rw"
+        label:
+          io.containers.autoupdate: "registry"
+          traefik.enable: "true"
+          traefik.http.routers.mattermost.entrypoints: "https"
+          traefik.http.routers.mattermost.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/mattermost/`) || Path(`/mattermost`))"
+          traefik.http.routers.mattermost.tls: "true"
+          traefik.http.routers.mattermost.tls.certresolver: "wildcard"
+          traefik.http.routers.mattermost.service: "mattermost"
+          traefik.http.routers.mattermost.middlewares: "http-compress@file"
+          traefik.http.services.mattermost.loadbalancer.server.port: "8065"
+          traefik.http.services.mattermost.loadbalancer.passhostheader: "true"
+          traefik.udp.routers.mm-call-rtr.service: "mm-call-svc"
+          traefik.udp.routers.mm-call-rtr.entrypoints: "mmcalls"
+          traefik.udp.services.mm-call-svc.loadBalancer.server.port: "8443"
+          traefik.docker.network: "traefik-mattermost"
+        env:
+          TZ: "{{ vault_timezone }}"
+          # https://docs.mattermost.com/configure/environment-configuration-settings.html
+          MM_SQLSETTINGS_DRIVERNAME: "postgres"
+          MM_SQLSETTINGS_DATASOURCE: "postgres://{{ vault_mattermost_db_user }}:{{ vault_mattermost_db_password }}@db_mattermost:5432/{{ vault_mattermost_db_database }}?sslmode=disable&connect_timeout=10"
+          MM_BLEVESETTINGS_INDEXDIR: "/mattermost/bleve-indexes"
+          MM_SERVICESETTINGS_SITEURL: "https://{{ vault_domain }}/mattermost"
+          MM_EMAILSETTINGS_SMTPSERVER: "{{ vault_smtp_host }}"
+          MM_EMAILSETTINGS_SMTPPORT: "{{ vault_smtp_port }}"
+          MM_EMAILSETTINGS_ENABLESMTPAUTH: "false"
+          MM_EMAILSETTINGS_SMTPUSERNAME: "{{ vault_smtp_user }}"
+          MM_EMAILSETTINGS_SMTPPASSWORD: "{{ vault_smtp_password }}"
+          MM_EMAILSETTINGS_CONNECTIONSECURITY: "{{ vault_smtp_protocol }}"
+          MM_SERVICESETTINGS_ENABLESECURITYFIXALERT: "true"
+        generate_systemd:
+          path: /home/containers/.config/systemd/user/
+          restart_policy: on-failure
+          requires: [container-db_mattermost.service, container-traefik.service]
+          names: true
+          new: true
+
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-mattermost.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-db_mattermost.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
+    - name: Start containers at boot
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        enabled: true
+        state: started
+        daemon_reload: true
+      loop:
+        - mattermost
+        - db_mattermost

containers/nextcloud/files/systemd/nextcloudcron.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=Nextcloud cron.php job
 Wants=nextcloudcron.timer
+Requires=container-nextcloud.service
 
 [Service]
 ExecStart=/bin/podman exec -u www-data nextcloud php -f /var/www/html/cron.php

containers/nextcloud/tasks.yml

@@ -4,6 +4,19 @@
 - hosts: all
   name: Nextcloud file sharing web service
   tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - nextcloud
+        - redis_nextcloud
+        - db_nextcloud
+      failed_when: false
+
     - name: Pull container images
       become_user: containers
       become: true
@@ -35,7 +48,7 @@
         path: /etc/nextcloud
         owner: containers
         group: containers
-        mode: 0700
+        mode: "0700"
         state: directory
 
     - name: Copy nextcloud config directory
@@ -45,7 +58,7 @@
         dest: /etc/nextcloud/config/
         owner: containers
         group: containers
-        mode: 0600
+        mode: "0600"
 
     - name: Copy systemd service and timer
       become: true
@@ -55,7 +68,7 @@
         dest: "/home/containers/.config/systemd/user/"
         owner: containers
         group: containers
-        mode: 0644
+        mode: "0644"
 
     - name: Copy mariadb config directory
       become: true
@@ -64,7 +77,7 @@
         dest: /etc/nextcloud/mariadb/
         owner: containers
         group: containers
-        mode: 0600
+        mode: "0600"
 
     - name: Create podman networks
       containers.podman.podman_network:
@@ -77,6 +90,7 @@
         - traefik-nextcloud
         - mariadb-nextcloud
         - redis-nextcloud
+        - nextcloud-collabora
 
     - name: Create redis instance
       become_user: containers
@@ -139,18 +153,19 @@
           - traefik-nextcloud
           - mariadb-nextcloud
           - redis-nextcloud
+          - nextcloud-collabora
         label:
           io.containers.autoupdate: "registry"
           traefik.enable: "true"
           traefik.http.routers.nextcloud.entrypoints: "https"
-          traefik.http.routers.nextcloud.rule: "PathPrefix(`/cloud`)"
+          traefik.http.routers.nextcloud.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/cloud/`) || Path(`/cloud`))"
           traefik.http.routers.nextcloud.tls: "true"
           traefik.http.routers.nextcloud.tls.certresolver: "wildcard"
           traefik.http.routers.nextcloud.service: "nextcloud"
-          traefik.http.routers.nextcloud.middlewares: "nextcloud-prefixstrip,nextcloud-redirectregex,nextcloud-headers,http-compress@file"
+          traefik.http.routers.nextcloud.middlewares: "force-trailing-slash@file,nextcloud-prefixstrip,nextcloud-redirectregex,nextcloud-headers,http-compress@file"
           traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent: "true"
-          traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex: "https://(.*)/cloud/.well-known/(card|cal)dav"
+          traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex: "https://(.*)/.well-known/(card|cal)dav"
-          traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement: "https://${1}/cloud/remote.php/dav/"
+          traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement: "https://${1}/remote.php/dav/"
           traefik.http.middlewares.nextcloud-headers.headers.stsSeconds: "31536000"
           traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains: "true"
           traefik.http.middlewares.nextcloud-prefixstrip.stripprefix.prefixes: "/cloud"
@@ -168,18 +183,53 @@
           SMTP_SECURE: "{{ vault_smtp_protocol }}"
           SMTP_PORT: "{{ vault_smtp_port }}"
           SMTP_AUTHTYPE: "None"
-          SMTP_NAME: ""
+          SMTP_NAME: "{{ vault_smtp_auth_name }}"
-          SMTP_PASSWORD: ""
+          SMTP_PASSWORD: "{{ vault_smtp_password }}"
-          MAIL_FROM_ADDRESS: "nextcloud"
+          MAIL_FROM_ADDRESS: "{{ vault_smtp_from }}"
           MAIL_DOMAIN: "{{ vault_smtp_domain }}"
           TRUSTED_PROXIES: "traefik"
           OVERWRITEWEBROOT: "/cloud"
+          OVERWRITECLIURL: "https://{{ vault_domain }}/cloud"
+          OVERWRITEPROTOCOL: "https"
         generate_systemd:
           path: /home/containers/.config/systemd/user/
           restart_policy: on-failure
+          requires: [container-db_nextcloud.service, container-redis_nextcloud.service, container-traefik.service]
           names: true
           new: true
 
+    - name: Change start timeout limit
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: "/home/containers/.config/systemd/user/container-{{ item }}.service"
+        section: Service
+        option: TimeoutStartSec
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - nextcloud
+        - redis_nextcloud
+        - db_nextcloud
+
+    - name: Change stop timeout limit
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: "/home/containers/.config/systemd/user/container-{{ item }}.service"
+        section: Service
+        option: TimeoutStopSec
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - nextcloud
+        - redis_nextcloud
+        - db_nextcloud
+
     - name: Start containers at boot
       become_user: containers
       become: true

containers/portainer/tasks.yml

@@ -9,6 +9,17 @@
       register: uid_containers
       changed_when: uid_containers.rc != 0
 
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - portainer
+      failed_when: false
+
     - name: Pull portainer image
       become_user: containers
       become: true
@@ -48,20 +59,36 @@
           io.containers.autoupdate: "registry"
           traefik.enable: "true"
           traefik.http.routers.portainer.entrypoints: "https"
-          traefik.http.routers.portainer.rule: "PathPrefix(`/portainer`)"
+          traefik.http.routers.portainer.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/portainer/`) || Path(`/portainer`))"
           traefik.http.routers.portainer.tls: "true"
           traefik.http.routers.portainer.tls.certresolver: "wildcard"
           traefik.http.routers.portainer.service: "portainer"
-          traefik.http.routers.portainer.middlewares: "portainer-prefixstrip@docker"
+          traefik.http.routers.portainer.middlewares: "force-trailing-slash@file,portainer-prefixstrip@docker"
           traefik.http.middlewares.portainer-prefixstrip.stripprefix.prefixes: "/portainer"
           traefik.http.services.portainer.loadbalancer.server.port: "9000"
           traefik.docker.network: "traefik-portainer"
         generate_systemd:
           path: /home/containers/.config/systemd/user/
           restart_policy: on-failure
+          requires: [container-traefik.service]
           names: true
           new: true
 
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-portainer.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
     - name: Start containers at boot
       become_user: containers
       become: true

containers/traefik/files/conf/force_trailing_slash.yml

@@ -0,0 +1,15 @@
+http:
+  middlewares:
+    force-trailing-slash:
+      chain:
+        middlewares:
+          - add-trailing-slash
+          - strip-after-slash
+    add-trailing-slash:
+      redirectregex:
+        regex: "^(https?://[^/]+/[a-z0-9_]+)$"
+        replacement: "${1}/"
+        permanent: true
+    strip-after-slash:
+      stripprefixregex:
+        regex: "/[a-z0-9_]+"

containers/traefik/tasks.yml

@@ -9,6 +9,17 @@
       register: uid_containers
       changed_when: uid_containers.rc != 0
 
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - traefik
+      failed_when: false
+
     - name: Permit traffic from any IP to http port
       become: true
       community.general.ufw:
@@ -27,6 +38,15 @@
         to_port: 443
         rule: allow
 
+    - name: Permit traffic from any IP to mattermost port
+      become: true
+      community.general.ufw:
+        direction: in
+        from_ip: any
+        proto: udp
+        to_port: 8443
+        rule: allow
+
     - name: Pull traefik image
       become_user: containers
       become: true
@@ -39,7 +59,7 @@
         path: /etc/traefik
         owner: containers
         group: containers
-        mode: 0700
+        mode: "0700"
         state: directory
 
     - name: Copy config directory
@@ -49,7 +69,7 @@
         dest: /etc/traefik/
         owner: containers
         group: containers
-        mode: 0600
+        mode: "0600"
 
     - name: Copy config files from templates
       become: true
@@ -58,7 +78,7 @@
         dest: "/etc/traefik/{{ item }}"
         owner: containers
         group: containers
-        mode: 0600
+        mode: "0600"
       loop:
         - traefik.yml
         - conf/cockpit.yml
@@ -75,6 +95,9 @@
         - traefik-portainer
         - traefik-nextcloud
         - traefik-gitea
+        - traefik-collabora
+        - traefik-heimdall
+        - traefik-mattermost
 
     - name: Create traefik instance
       become_user: containers
@@ -83,9 +106,10 @@
         name: traefik
         image: docker.io/traefik:latest
         state: present
-        ports:
+        publish:
-          - 80:80
+          - "80:80"
-          - 443:443
+          - "443:443"
+          - "8443:8443"
         security_opt:
           - label=type:container_runtime_t
         volume:
@@ -96,15 +120,17 @@
           - traefik-portainer
           - traefik-nextcloud
           - traefik-gitea
+          - traefik-collabora
+          - traefik-heimdall
+          - traefik-mattermost
         cap_add:
           - NET_ADMIN
         label:
           io.containers.autoupdate: "registry"
           traefik.enable: "true"
           traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}"
-          traefik.http.middlewares.traefik-prefixstrip.stripprefix.prefixes: "/traefik"
           traefik.http.routers.traefik.entrypoints: "https"
-          traefik.http.routers.traefik.rule: "PathPrefix(`/traefik`) || HeadersRegexp(`Referer`, `.*/traefik/.*`)"
+          traefik.http.routers.traefik.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/api/`) || Path(`/api`) || PathPrefix(`/dashboard/`) || Path(`/dashboard`))"
           traefik.http.routers.traefik.middlewares: "traefik-auth@docker"
           traefik.http.routers.traefik.tls: "true"
           traefik.http.routers.traefik.tls.certresolver: "wildcard"
@@ -116,6 +142,21 @@
           names: true
           new: true
 
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-traefik.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
     - name: Start containers at boot
       become_user: containers
       become: true

containers/traefik/templates/conf/cockpit.yml.j2

@@ -1,22 +1,27 @@
 http:
   routers:
     cockpit:
-      rule: "PathPrefix(`/cockpit`)"
+      rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/admin/`) || Path(`/admin`))"
       entryPoints: https
       middlewares:
-        - cockpit-stripprefix
+        - drop-xforwarded-proto
       service: cockpit
       tls:
         certresolver: wildcard
 
   middlewares:
-    cockpit-stripprefix:
+    drop-xforwarded-proto:
-      stripPrefix:
+      headers:
-        prefixes:
+        customrequestheaders:
-          - "/cockpit"
+          X-Forwarded-Proto: ""
 
   services:
     cockpit:
       loadBalancer:
+        serversTransport: nocertverify
         servers:
-          - url: "http://127.0.0.1:9090"
+          - url: "https://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090/admin/"
+
+  serversTransports:
+    nocertverify:
+      insecureSkipVerify: true

containers/traefik/templates/traefik.yml.j2

@@ -21,6 +21,8 @@ entryPoints:
           permanent: true
   https:
     address: ":443"
+  mmcalls:
+    address: ":8443/udp"
 
 providers:
   docker:

containers/vikunja/tasks.yml

@@ -0,0 +1,154 @@
+---
+- name: Online project management tool
+  hosts: all
+  tasks:
+    - name: Stop running containers
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        state: stopped
+      loop:
+        - vikunja
+        - db_vikunja
+      failed_when: false
+
+    - name: Pull container images
+      become_user: containers
+      become: true
+      containers.podman.podman_image:
+        name: docker.io/{{ item }}
+      loop:
+        - vikunja/vikunja:latest
+        - mariadb:latest
+
+    - name: Create podman volumes
+      containers.podman.podman_volume:
+        state: present
+        name: "{{ item }}"
+      become_user: containers
+      become: true
+      loop:
+        - vikunja-data
+        - vikunja-db
+
+    - name: Create podman networks
+      containers.podman.podman_network:
+        name: "{{ item }}"
+        recreate: false
+        state: present
+      become_user: containers
+      become: true
+      loop:
+        - traefik-vikunja
+        - mariadb-vikunja
+
+    - name: Create mariadb instance
+      become_user: containers
+      become: true
+      containers.podman.podman_container:
+        name: db_vikunja
+        image: docker.io/mariadb:latest
+        state: present
+        volume:
+          - vikunja-db:/var/lib/mysql:Z
+        network:
+          - mariadb-vikunja
+        command:
+          - --character-set-server=utf8mb4
+          - --collation-server=utf8mb4_unicode_ci
+          - --max-connections=1000
+        env:
+          MARIADB_ROOT_PASSWORD: "{{ vault_vikunja_mariadb_root_password }}"
+          MARIADB_DATABASE: "{{ vault_vikunja_mariadb_database }}"
+          MARIADB_USER: "{{ vault_vikunja_mariadb_user }}"
+          MARIADB_PASSWORD: "{{ vault_vikunja_mariadb_password }}"
+          MARIADB_AUTO_UPGRADE: "true"
+        healthcheck: "mysqladmin ping --silent"
+        healthcheck_interval: 2s
+        generate_systemd:
+          path: /home/containers/.config/systemd/user/
+          restart_policy: on-failure
+          names: true
+          new: true
+
+    - name: Create vikunja instance
+      become_user: containers
+      become: true
+      containers.podman.podman_container:
+        name: vikunja
+        image: docker.io/vikunja/vikunja:latest
+        state: present
+        volume:
+          - vikunja-data:/app/vikunja/files:Z
+        network:
+          - traefik-vikunja
+          - mariadb-vikunja
+        env:
+          VIKUNJA_DATABASE_HOST: db_vikunja
+          VIKUNJA_DATABASE_PASSWORD: "{{ vault_vikunja_mariadb_password }}"
+          VIKUNJA_DATABASE_TYPE: mysql
+          VIKUNJA_DATABASE_USER: "{{ vault_vikunja_mariadb_user }}"
+          VIKUNJA_DATABASE_DATABASE: "{{ vault_vikunja_mariadb_database }}"
+          VIKUNJA_SERVICE_JWTSECRET: "{{ vault_vikunja_jwt_secret }}"
+          VIKUNJA_SERVICE_PUBLICURL: https://{{ vault_domain }}/vikunja/
+          VIKUNJA_FRONTEND_BASE: /vikunja/
+        label:
+          io.containers.autoupdate: registry
+          traefik.enable: "true"
+          traefik.http.routers.vikunja.entrypoints: https
+          traefik.http.routers.vikunja.rule: Host(`{{ vault_domain }}`)  && (PathPrefix(`/vikunja/`) || Path(`/vikunja`))
+          traefik.http.routers.vikunja.tls: "true"
+          traefik.http.routers.vikunja.tls.certresolver: wildcard
+          traefik.http.routers.vikunja.service: vikunja
+          traefik.http.services.vikunja.loadbalancer.server.port: "3456"
+          traefik.docker.network: traefik-vikunja
+        generate_systemd:
+          path: /home/containers/.config/systemd/user/
+          restart_policy: on-failure
+          names: true
+          new: true
+
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-vikunja.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
+    - name: Change start and stop timeout limits
+      become_user: containers
+      become: true
+      community.general.ini_file:
+        path: /home/containers/.config/systemd/user/container-db_vikunja.service
+        section: Service
+        option: "{{ item }}"
+        value: 3600
+        mode: "0664"
+        state: "present"
+        no_extra_spaces: true
+      loop:
+        - TimeoutStartSec
+        - TimeoutStopSec
+
+    - name: Start containers at boot
+      become_user: containers
+      become: true
+      ansible.builtin.systemd:
+        scope: user
+        name: container-{{ item }}.service
+        enabled: true
+        state: started
+        daemon_reload: true
+      loop:
+        - db_vikunja
+        - vikunja

host_vars/chef.heaplab.deib.polimi.it.yml

@@ -1,69 +1,106 @@
 $ANSIBLE_VAULT;1.1;AES256
-39333532643966303936316430656133306365636266323238356465353438666664643735653036
+63626565393066343966323064646661383330623937613233616534313331363530613062643964
-3261393138663336613866633439333536386465653636620a383932323939323762643666646635
+3831383231313564376432303465376532623531643539610a663134386361353330626637626162
-38353038393234636430383864636461373530626238366630396165353430616233393936336233
+64373334373639663762343362646636303837376138393338643533363438616535623064323061
-3964396231643335320a376361623633646233343937663863613663323335316231643330396536
+6436343866336234350a313733383930366635646437383464353363643964346437323535333866
-34323464663065343531313639653238386666353036643337366635303737393933356464333432
+39636163666637326531336136653461636135363230663762613637666230353135616435393962
-34353031623163663234626637376632313434326634343361343633646335633530343264306562
+32383132313963623131313831326333656232656538336433633735633939636661383266396663
-34343834343564633032636537313964343864623434643131343464373431653262306535346563
+30653763333761623734383862326438626631643965376137663662643362663165306265633363
-33666631323264633136363164613763386662653666356131613931613237303439623638616461
+63636238336438643733633665613232306437396130663432366364613737653431653361653965
-35643530623665376631303932633031613737623034653262666439303839666665326136373630
+32373931633536656335396134313065666437666634343466653136343362343165366233383964
-33653137323437643138643234633330386565396635353831613461326363333862336636626338
+66663263316162626466646234623363616135663039393761373734663566623235343263323261
-39373064613936623563333734643837313066353761323435353761643566383533323962373133
+37646434373863303033386464343766323462643338396466363863356430616431343463326432
-39643461633035613239613265366131396461656361646434333535646366343230303666313732
+66376630663337386461663934393566393138353363376235343764363431323636653361343839
-63323565613339653537653332363436383633306363333330306132313338303466333466306565
+33353864653031633831383639633565616332373033333436636362393565306233326632373639
-39386464323230323561646464373232353863323961363664323436313862303563313234383632
+38316265303135366436643262653733663333383863386536343035366362643762646437306135
-64373036316235396330346434313635626262376435666134636663653337613561393337616635
+65663065366335656436633137316266643361643336613235613562633537313366343163376164
-32323238623831623933373066633032333831356131343639333665386335613435373433333661
+63663661383032343962666363393834626339333437313032303134643036646636333464353931
-61313234666261353464643066653331666561633835666135646236353533656137623465323162
+66356664623938333230616365316666653832393730616332376434336339363430366239656636
-66626531643961353366643866666463356530376661623164333964353562306465336237353937
+31323236666165623736376133393063323537326164386536633631313466653162663739376639
-64303635633562623964383966373865363135613438643165326637376239343566613739336462
+35376364653066396635396539316234313037356339363833396430353134356136666537363337
-33363537356262383866383838306631383865363830623162333964363333316438303233633037
+63343435363235386538636361343138363263663035653666656637333036666331343139373463
-61303537626364323638356632313563656463383632613736626133326131316362313263356637
+61666266636134366233633766623430633164636337653839663365343062616464323861363836
-61373237333038666361343036643633623334396435333634613532396465363738616664656561
+64613638626338353335633164613931363537356232373066323035393435373932633932663838
-34383730666463353932323432396330646566373662346364303231613063656237636164303263
+62303232643835303636323638653435343836383432313161306363303565356239663430376331
-33633565303366636132316239373731633563393231363365373639356265323465326563326538
+62323038616332663032366133656632663363623837333537366432643439353934346165623039
-62653834376232653636646664336565623137613434366662313738393261373165323764373736
+63306436653235646535333134643438656133323131333266656337396337353833313230653438
-37616435653033633634373364616630373163626162646336373532643030633863326562333333
+66313834656430323962653263643231396330313561613935336132646238366637633230323134
-30316433626565303366313036353836386564363936643238366137646666303932623764323461
+35346564383166636563366637643738353838636530303235616265306133336431393064646434
-34636566396137343261363630313239326464326437306666656233636139643439383739616637
+32363065633136326364336637656235316330323137633364383739633032366437373233376334
-30306534386663323761313530393737643536306131316363366335636437313335336164636334
+38663762643832373264383064333662376634633738383239343932353162343466393637343439
-30363336306336363837386663626461363465396235323861643664323664643139663537386363
+31353936366137623538393737316661666161633464343466306139323030653935343564396132
-66636134313661346465323066613934396566333033616462653831396134366234393735336132
+66653934326230326563643837333562333438303334623138623362323737313461373930666162
-31353037613136613232346631393433626339316539656236313661376662376630623233363831
+34656162313730663365373835366231383638623834653238326261616332333665393732383864
-35366131643334656532333634383364666461353133646563386138626266303339663662636335
+31646163346431373434323961633966623564363432306562663031626562353036613632666130
-66303835333631356665386133616666613337643538376164363334343934326264383533656431
+31656466333934663265656336313161643135346235663838383563333535623163396636613738
-66616362303230303932663931306661643066626638663537633566303862326365653435376230
+34376534386635393062306363343137336666656330343863623439316131353066353337383734
-61613230376462383530323063343366613561633130313736313236396433306439356532383262
+35306137353434333435313033636565653537306264636332646464306633666635616435663034
-38306565306637623733653235643362303737383533663739366632616437306162626661353362
+38653635383861343237616339306662663634653937663730376232306161306435333432343235
-31613932333039613063643666316635316363663236663836643539613364656131316138386332
+38626232613939623166623465353837663064396264643966383634343736353161346232373135
-61636135383430653535323734366437633830336462373162343634323935313235656439316361
+66303338376338663431373131653462343766376235653762343564383965333131353431356565
-63663230373330626331393863633461343434633736316166613033636134393837393564326364
+66313163343537343931306131373738383965356433323139333262363331663438316364343539
-63393231376435643836393233303536303434626530373363343664636634363366393463316137
+32373362613433633638306235383638313334633130326637613734393965633164646539396465
-63386163613839336132366363333965313737303838386465336331316232303561643233376666
+30356135666464353531643061346635386663366438656638646237366431366237616632363330
-37363130646230366264653965316436316238306231643663353936623932356462373538356536
+38646661396561643039336631333037313638653334666361383132323264323037633132353464
-35323739336432353664386236306364353236656330643965363461313732313838663464653834
+61306261353765386136313331623264633532363833343336313465333332663837303934313332
-35336166663033666139666234613131343030613066623363343837316464356137623436653263
+63633330313434353666616533663939383431303334616434303037643763383935633061643737
-63356564663362343062653964326138376663633562333764643830623931383566663831666661
+37376139656565633466633638303838623238363030363734323739643339633130633030346431
-64353632653130343839616233626638616537326138363438303661386138336163303266303233
+39373863376137376430313532623662633738666539663566316366356536613963323437636236
-62353138396461373739643864376261326662356466313932326534633135363639323065346166
+36396461646439326164623230303362636664303131326561383536653436316239643161313932
-64393931636432383437323931333633626538326334623361623837363538313766333433333333
+36393638666630383761303965666461326433393635306230333136343064633161373034656635
-64653062366366393533636333633337663034623737663766663762383863333561326637313431
+35386362316465366134386566656366616236326133366665366437616630346565353261613464
-34306132663061626166316562653063613964306232356264333264613031636434616430353530
+31633338623163626138663034346137356131333335333536386365373237333737653163333533
-64343762643832613937623834653763396430373438363531636339613038303064326665383038
+39373430633534636632356432313161636433393931303361366565353665633662313832646565
-32393364653330653965623938363132633865666665306262303234376334373238326130333939
+35633237663161313832613065326638356130306439643437613735643264373331653331373232
-31353462626365303031313965346538346237643331326362353032653731343764303864383133
+33383966363833376439333431303664323465383664383566656531663366383735383364663461
-64366461303665313562373463353961633732313631303439663432373533393064366130306266
+66623161623738343365356365303730656337373636333361376534356363366134333338366464
-61356332643161306135643838303863366364633239376165316338323162373631656266663062
+34366139636162613031313265306635663435396533633031316139356163613532363737313031
-34306539353262333964643062306564656435663861323861613738616436643266313730343739
+37393438653465323963343139383766373062666632343939316166646265393730343331386630
-36646662653032366230336463313333656436356661653838656233663638316661643866373865
+64616231386330386339656434346236376432376432383639363431666233336437623263663763
-66356332316338343565333035303932356334643163353139623138346235313639383363396338
+31363964313766386535646561656261633938656238303762633465373565633962626663336266
-30653866323962653132656133626539323862666433613063633730333766303763326163396530
+66313965613730643631376264343461633038616430326637633330313861363233363162623232
-64376461613930376364666439326163353061356630373463643839316263626661323139316131
+66363861383530373933326436373165383930316138633665663336663266626362386365653264
-36356130613032333531633831653061653165386533393933663935666439303935303634313732
+33376230376336393962313036393134316233316539393037323065643265633964306530656462
-35623731313030333264646465353066393534333934663535343130316637353765366264653564
+30383562653333323263613661393861643332656330633635333135616463336566353630666562
-33323834313834653034373163623132616633626337356461346361353732653339393163313139
+31646139326630343738653539373337356139653338306663353932623535626232636634393334
-65393535666234323832313865346635383433333839356364623065323933653332326134633331
+66323230393633646165633835653834373261353031356365643933303737313534383533663762
-35633664666330306234656638633933646539643866313162613539373131323962383363653566
+32643739646639656430663562393166626539353533656563393862353562336432373234656136
-38373662626136323463393630346134663936303963373065626331656130353066346666363564
+35343266356330306432346435363035336432636135663464393033353733393732356364613132
-62373431643133353536
+65353464616231653137373734323761396430363664643464353430646134656665633933623666
+62363535303265353533333335653061616230613163373361363336373337623131383563323938
+66643830363863616134343564343132346639323030396166383965336265396138636431666462
+62306333363136653462386633643637663262623638373833663030316539623566323461393536
+36656465353436336363623536376164373264643863666631353865643462663636636130376266
+32623435643631303836653262643031353630396261343666663237663436366664356639366532
+34353839373863646366366236623265346631343561666263346136326534353634613638336339
+36356131633464343565626539653738396334653564303563306131316539343438636265663736
+30306134333431366530666131616265336637396237626436326462363062313861633565346264
+34613432343938636232316466396565323038613931616361643561613862333638636163623532
+65393137636636303830376535396238336433626266313136616135323937303033396230303265
+34666461356339373061626434613366303664636337373362326237633834366263393938663963
+35363565643330313839653935393336663338316635636333353963333334616661393065373935
+36366265653835343363636237356433366164636664346633393239316539383565663561316136
+39623162363961623239346132623933303864373664343333393466343564393762646365346562
+65646563343865323261366335663765373364336266376431373536656366343539656466363939
+33303732383034346465633838623864623130653334666436623837636234356361663562306666
+31316166656638613137636435383733363365346230626130633564386433623931396264383265
+62396435376634383863663136343731386536326461643932303263656636656139316661613134
+33663666636664306539313537616261363933653037616364643637396234646431356262653566
+34336534306632373034623534363765376538323333386137626638363430633538353030343137
+66353235353731646333623562363065333533323734373765383562633337323962306430353635
+37333664643636643037393638316537386164613136393732653061616134316534383365303839
+33383731616365613031646534343733363037366235383131643564366239626563633132306163
+31306335323664303634333432666230626462393261393761646434616233666436326432373466
+32306164373936363937316530313564313262343164366539396135353639666138616364636239
+34306432653335653837383134623665663062663339633263366131633836326137333932313730
+38336638626262636535306235383437316333646362383265623931616235363034666231656239
+39396337633932356335386365313066363863376166303335396364376638303430336436323038
+63666361636630393562316465346334393963356130353564633437663731656234643264386137
+37386237646261656364643031326166313539663938363532643131633332306331623538353036
+35356136356234616330613636356137393665303065653763386563303938373162656438373333
+65393262613338363661646532306435343334343035363034636131366264373436633436333366
+33303531326433643866653961643839336464613036623961353661313534396334313533633963
+30386337653237386466383531623936306666326633393239353533396663393032626331323365
+33353433663663303331353633353634333164393065336231633930656335666538663464353837
+35353262623637303731303932356432313337643139383264336230383331323966393261376539
+3133

hosts.yml

@@ -1,3 +1,4 @@
 server:
   hosts:
     chef.heaplab.deib.polimi.it:
+      ansible_port: 24

roles/cockpit/files/10-globally-managed-devices.conf

@@ -0,0 +1,2 @@
+[keyfile]
+unmanaged-devices=none

roles/cockpit/tasks/main.yml

@@ -28,7 +28,30 @@
     dest: /etc/cockpit/cockpit.conf
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
+
+# https://cockpit-project.org/faq.html#error-message-about-being-offline
+- name: Allow NetworkManager to manage network interfaces
+  become_user: root
+  become: true
+  ansible.builtin.copy:
+    src: files/10-globally-managed-devices.conf
+    dest: /etc/NetworkManager/conf.d/
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Set-up a dummy network interface faking internet connection
+  ansible.builtin.command: "nmcli con add type dummy con-name fake ifname fake0 ip4 1.2.3.4/24 gw4 1.2.3.1"
+
+- name: Permit traffic from any IP to cockpit socket
+  become: true
+  community.general.ufw:
+    direction: in
+    from_ip: any
+    proto: tcp
+    to_port: 9090
+    rule: allow
 
 # - name: Reboot
 #   become: true

roles/cockpit/templates/cockpit.conf.j2

@@ -1,4 +1,6 @@
 [WebService]
-Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://{{ ansible_host }} ws://{{ ansible_host }} https://{{ ansible_host }} wss://{{ ansible_host }}
+Origins = https://{{ inventory_hostname }} wss://{{ inventory_hostname }}
 ProtocolHeader = X-Forwarded-Proto
-AllowUnencrypted=true
+UrlRoot=/admin
+LoginTitle=Heaplab Chef
+LoginTo=false

roles/podman/tasks/main.yml

@@ -65,6 +65,7 @@
     state: started
 
 - name: Enable podman auto-update timer
+  become_user: containers
   become: true
   ansible.builtin.systemd:
     name: podman-auto-update.timer
@@ -76,7 +77,7 @@
     remote_src: true
     src: /usr/share/containers/containers.conf
     dest: /etc/containers/containers.conf
-    mode: 0644
+    mode: "0644"
 
 - name: Set podman default subnet into small /24 networks
   become: true