Compare commits


21 Commits

19a76f7af1 Enable gitea emails 2025-07-17 19:34:31 +02:00
1fdd3818b7 [MATTERMOST] allow unencrypted authentication 2025-03-25 15:29:13 +01:00
ee108bd190 Downgrade MM to release 9 as subpath (URL prefix) are not entirely supported in release 10 2024-09-26 11:23:33 +02:00
976079c4ab Add mattermost service 2024-09-25 20:13:38 +02:00
3628e853d1 Fix incorrect definition of multiple URL prefix paths in a traefik rule 2024-09-25 15:20:35 +02:00
2fd17c1319 Specify dependency of containers 2024-04-12 14:12:01 +02:00
2e1ca1d1b6 Increase start and stop timeout limits 2024-04-12 14:11:55 +02:00
Francesco Antognazza
377113c098 Fix connection to act cache internal server 2023-08-23 12:18:04 +02:00
Francesco Antognazza
a0aaf0e5a5 Do not fail playbook on first run 2023-08-01 10:59:37 +02:00
Francesco Antognazza
92fc0ffb1c Add github CI runner for gitea 2023-08-01 10:57:16 +02:00
Francesco Antognazza
a8b33418d2 Fix illegal octal number representation 2023-08-01 10:42:11 +02:00
Francesco Antognazza
6ae079a032 Fix podman auto-update timer not enabled for 'containers' user 2023-08-01 10:42:10 +02:00
2ee7378075 Add container dependency in systemd service 2023-04-17 14:44:23 +02:00
111326755b Add suggested fix for offline message in cockpit 2023-04-17 14:43:31 +02:00
c47fe10369 Increase systemd start timeout to 1h due to slow disk I/O 2023-04-17 14:40:34 +02:00
Francesco Antognazza
3e63bed204 Add pre-commit hooks 2023-04-06 11:09:24 +02:00
1cfcc001e5 Minor customization to cockpit's login page 2023-04-06 11:07:39 +02:00
231c9e62cc Update vault 2023-04-06 10:57:48 +02:00
e77ebd9042 Update URL root paths to drone CI server and runner dashboards 2023-04-06 10:57:34 +02:00
8ca0cf3727 Fix reverse proxy to cockpit dashboard 2023-04-06 10:56:26 +02:00
302d75066f Use port 24 for SSH connection to the host 2023-04-06 10:55:39 +02:00
24 changed files with 870 additions and 113 deletions

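--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v4.4.0
+hooks:
+- id: trailing-whitespace
+- id: check-added-large-files
+- id: check-executables-have-shebangs
+- id: check-json
+- id: check-merge-conflict
+- id: check-yaml
+args:
+- --allow-multiple-documents
+- --unsafe
+- id: end-of-file-fixer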
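Review bot: `rev: v4.4.0` pins a mutable tag; pre-commit accepts a full commit SHA in `rev`, which is the stronger supply-chain pin (`pre-commit autoupdate --freeze` records the SHA and keeps the tag name in a trailing comment). The `--unsafe` flag reduces check-yaml to a syntax-only parse, so construction-time problems such as duplicate keys are no longer reported; none of the YAML files in this compare shows a custom tag such as `!vault` that would need it. Either drop the flag or add a comment naming the files that require it, e.g. `# --unsafe: syntax-only parse, needed for inline !vault tags in <file>`.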


@@ -8,4 +8,3 @@
Variables prefixed by `vault_` are available by unlocking the vault with the master password
# Basic config


@@ -1,2 +1,2 @@
[defaults]
inventory=./hosts.yml
inventory=./hosts.yml


@@ -0,0 +1,99 @@
---
- hosts: all
name: Gitea web server
tasks:
- name: Get containers UID
ansible.builtin.command: "id -u containers"
register: uid_containers
changed_when: uid_containers.rc != 0
- name: Stop running containers
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
state: stopped
loop:
- act_runner
failed_when: false
- name: Create podman volumes
containers.podman.podman_volume:
state: present
name: "{{ item }}"
become_user: containers
become: true
loop:
- act_runner
- name: Pull container images
become_user: containers
become: true
containers.podman.podman_image:
name: docker.io/{{ item }}
loop:
- gitea/act_runner:latest
- name: Change permission to act_runner folder
become_user: root
become: true
ansible.builtin.file:
path: /etc/act_runner
owner: containers
group: containers
mode: "0700"
state: directory
- name: Copy config directory
become_user: root
become: true
ansible.builtin.template:
src: "templates/{{ item }}.j2"
dest: "/etc/act_runner/{{ item }}"
owner: containers
group: containers
mode: "0600"
loop:
- configuration.yml
- name: Create act_runner instance
become_user: containers
become: true
containers.podman.podman_container:
name: act_runner
image: gitea/act_runner:latest
state: present
security_opt:
# - label=type:container_runtime_t
- label=disable
device:
- /dev/fuse
publish:
- "8088:8088"
volume:
- act_runner:/data:Z
- /etc/act_runner:/config:Z
- /run/user/{{ uid_containers.stdout }}/podman/podman.sock:/var/run/docker.sock:z
env:
GITEA_INSTANCE_URL: "{{ vault_act_runner_host }}"
GITEA_RUNNER_REGISTRATION_TOKEN: "{{ vault_act_runner_token }}"
GITEA_RUNNER_NAME: "{{ inventory_hostname_short }}"
CONFIG_FILE: "/config/configuration.yml"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Start containers at boot
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
enabled: true
state: started
daemon_reload: true
loop:
- act_runner
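Review bot: The act_runner container receives the `containers` user's podman socket as `/var/run/docker.sock` (third `volume` entry) together with `label=disable` and `/dev/fuse`, so any workflow that can reach that socket controls every container of that user; the task should say which repositories are trusted to dispatch jobs here, e.g. `# podman.sock grants full control over the containers user's podman; register this runner only for trusted repositories`. `publish: "8088:8088"` binds the cache server on every host interface, while the configuration template advertises it on one interface address; binding the same address, `- "{{ ansible_facts[vault_act_net_interface_name]['ipv4']['address'] }}:8088:8088"`, keeps the unauthenticated cache API off the other interfaces (whether ufw currently blocks 8088 is not visible in this compare). `changed_when: uid_containers.rc != 0` on the `id -u` task is an unusual marker for a read-only command; `changed_when: false` states the intent.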


@@ -0,0 +1,85 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: {{ vault_act_runner_capacity }}
# Extra environment variables to run jobs.
#envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
#env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [linux,self-hosted]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: "{{ ansible_facts[vault_act_net_interface_name]['ipv4']['address'] }}"
# The port of the cache server.
# 0 means to use a random available port.
port: 8088
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: [build_cache]
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: "-"
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:
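Review bot: `labels: [linux,self-hosted]` carries no scheme, and if I read act_runner's label syntax correctly (`name[:scheme[:arg]]`, as the comment above the key illustrates) a label without one defaults to `host`, which runs jobs directly inside the runner container instead of in a job container; with the podman socket and the registration result mounted into that container, every workflow would then have direct access to both, and the `docker_host: "-"` protection below would not come into play. If job containers are intended, spell the scheme out, e.g. `labels: ["linux:docker://node:16-bullseye", "self-hosted:docker://node:16-bullseye"]` (with whichever image is wanted), and space the flow list like the other lists in this file. A one-line comment above `labels` stating the intended scheme would settle the question for the next reader.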


@@ -13,6 +13,7 @@
state: stopped
loop:
- collabora
failed_when: false
# - name: Create podman volumes
# containers.podman.podman_volume:
@@ -49,8 +50,6 @@
name: collabora
image: docker.io/collabora/code:latest
state: present
cap_add:
- MKNOD
network:
- traefik-collabora
- nextcloud-collabora
@@ -60,7 +59,7 @@
io.containers.autoupdate: "registry"
traefik.enable: "true"
traefik.http.routers.collabora.entrypoints: "https"
traefik.http.routers.collabora.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/collabora`,`/browser`)"
traefik.http.routers.collabora.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/collabora`) || Path(`/browser`))"
traefik.http.routers.collabora.tls: "true"
traefik.http.routers.collabora.tls.certresolver: "wildcard"
traefik.http.routers.collabora.service: "collabora"
@@ -69,15 +68,32 @@
env:
domain: "chef\\.heaplab\\.deib\\.polimi\\.it"
aliasgroup1: "chef\\.heaplab\\.deib\\.polimi\\.it"
server_name: "chef.heaplab.deib.polimi.it"
username: "{{ vault_collabora_user }}"
password: "{{ vault_collabora_password }}"
extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:net.service_root=/collabora"
extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:net.service_root=/collabora --o:net.server_name=chef.heaplab.deib.polimi.it/collabora"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-nextcloud.service, container-traefik.service]
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-collabora.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
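Review bot: `mode: "0664"` on the new timeout task leaves `container-collabora.service` readable by every local user, and since the unit is generated with `new: true` its `ExecStart` carries the full `podman run` command, including `username`/`password` from the vault as `--env` arguments (assuming `podman generate systemd --new` embeds the environment as documented); `mode: "0600"` is the safer value. The same `mode: "0664"` line appears in the drone-runner, drone-server, gitea, heimdall, mattermost, nextcloud, portainer, traefik and vikunja playbooks of this compare; whether `/home/containers` itself blocks other users is not visible here. Separately, the rewritten rule turns the former `/browser` prefix into an exact Path(`/browser`); if anything under `/browser/…` must still reach Collabora, PathPrefix(`/browser/`) is needed, otherwise the `/browser` alternative can be dropped.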


@@ -13,6 +13,7 @@
state: stopped
loop:
- drone-runner
failed_when: false
- name: Get containers UID
ansible.builtin.command: "id -u containers"
@@ -60,12 +61,12 @@
io.containers.autoupdate: "registry"
traefik.enable: "true"
traefik.http.routers.drone-runner.entrypoints: "https"
traefik.http.routers.drone-runner.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/runner/`) || Path(`/runner`))"
traefik.http.routers.drone-runner.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/ci-runner/`) || Path(`/ci-runner`))"
traefik.http.routers.drone-runner.tls: "true"
traefik.http.routers.drone-runner.tls.certresolver: "wildcard"
traefik.http.routers.drone-runner.service: "drone-runner"
traefik.http.routers.drone-runner.middlewares: "force-trailing-slash@file,drone-runner-prefixstrip@docker"
traefik.http.middlewares.drone-runner-prefixstrip.stripprefix.prefixes: "/runner"
traefik.http.middlewares.drone-runner-prefixstrip.stripprefix.prefixes: "/ci-runner"
traefik.http.services.drone-runner.loadbalancer.server.port: "3000"
traefik.docker.network: "traefik-drone-runner"
env:
@@ -86,6 +87,21 @@
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-drone-runner.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
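Review bot: The `Change start and stop timeout limits` task is copied verbatim into every playbook of this compare (collabora, drone-server, gitea, heimdall, mattermost, portainer, traefik, vikunja, and as two tasks in nextcloud), differing only in the unit name; a shared task file such as `tasks/systemd_timeouts.yml` taking a `service_name` variable and pulled in with `ansible.builtin.include_tasks` would leave one place to change `value: 3600` or the file mode. The task body itself is fine as written.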


@@ -13,6 +13,7 @@
state: stopped
loop:
- drone-server
failed_when: false
- name: Create podman volumes
containers.podman.podman_volume:
@@ -58,12 +59,12 @@
io.containers.autoupdate: "registry"
traefik.enable: "true"
traefik.http.routers.drone-server.entrypoints: "https"
traefik.http.routers.drone-server.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/drone/`) || Path(`/drone`))"
traefik.http.routers.drone-server.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/ci/`) || Path(`/ci`))"
traefik.http.routers.drone-server.tls: "true"
traefik.http.routers.drone-server.tls.certresolver: "wildcard"
traefik.http.routers.drone-server.service: "drone-server"
traefik.http.routers.drone-server.middlewares: "force-trailing-slash@file,drone-server-prefixstrip@docker"
traefik.http.middlewares.drone-server-prefixstrip.stripprefix.prefixes: "/drone"
traefik.http.routers.drone-server.middlewares: "drone-server-prefixstrip@docker"
traefik.http.middlewares.drone-server-prefixstrip.stripprefix.prefixes: "/ci"
traefik.http.services.drone-server.loadbalancer.server.port: "80"
traefik.docker.network: "traefik-drone"
env:
@@ -73,7 +74,7 @@
DRONE_GITEA_SERVER: "https://{{ inventory_hostname }}/git"
DRONE_GIT_ALWAYS_AUTH: "false"
DRONE_RPC_SECRET: "{{ vault_drone_rpc_secret }}"
DRONE_SERVER_HOST: "{{ inventory_hostname }}/drone"
DRONE_SERVER_HOST: "{{ inventory_hostname }}/ci"
DRONE_SERVER_PROTO: "https"
DRONE_AGENTS_ENABLED: "true"
DRONE_LOGS_TEXT: "true"
@@ -84,9 +85,25 @@
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-traefik.service]
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-drone-server.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
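Review bot: The new `middlewares` value for the drone-server router drops `force-trailing-slash@file`, while the drone-runner router in the same compare keeps it for the same `/prefix/` plus `Path` rule shape; if drone itself redirects `/ci` to `/ci/`, a comment on the label would save the next reader a search, e.g. `# no force-trailing-slash: drone redirects /ci to /ci/ itself`. If it does not, the `/ci` request matched by Path(`/ci`) is forwarded with the prefix stripped and the behaviour differs from the runner route.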


@@ -14,6 +14,7 @@
loop:
- gitea
- db_gitea
failed_when: false
- name: Permit traffic from any IP to ssh port
become: true
@@ -62,7 +63,7 @@
dest: /etc/gitea/mariadb/
owner: containers
group: containers
mode: 0600
mode: "0600"
- name: Create mariadb instance
become_user: containers
@@ -154,14 +155,46 @@
GITEA__service__SIGNIN_VIEW: false
GITEA__service__REGISTER_EMAIL_CONFIRM: true
GITEA__service__ENABLE_CAPTCHA: true
GITEA__service__ENABLE_NOTIFY_MAIL: true
GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: false
GITEA__ui__THEMES: "auto,gitea,arc-green,gitea-modern"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-db_gitea.service, container-traefik.service]
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-gitea.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-db_gitea.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
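Review bot: The two new `Change start and stop timeout limits` tasks share a name, so play output and `--start-at-task` cannot tell the gitea and db_gitea edits apart; one task over the product of services and options covers both: `path: "/home/containers/.config/systemd/user/container-{{ item.0 }}.service"`, `option: "{{ item.1 }}"`, `loop: "{{ ['gitea', 'db_gitea'] | product(['TimeoutStartSec', 'TimeoutStopSec']) | list }}"`. The mattermost and vikunja playbooks in this compare use the same duplicated pair.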


@@ -13,6 +13,7 @@
state: stopped
loop:
- heimdall
failed_when: false
- name: Create podman volumes
containers.podman.podman_volume:
@@ -77,9 +78,25 @@
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-traefik.service]
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-heimdall.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true


@@ -0,0 +1,183 @@
# code: language=ansible
---
- hosts: all
name: Mattermost server
tasks:
- name: Stop running containers
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
state: stopped
loop:
- mattermost
- db_mattermost
failed_when: false
- name: Create podman volumes
containers.podman.podman_volume:
state: present
name: "{{ item }}"
become_user: containers
become: true
loop:
- mattermost-config
- mattermost-data
- mattermost-logs
- mattermost-plugins
- mattermost-clientplugins
- mattermost-bleveindexes
- mattermost-db
- name: Create podman networks
containers.podman.podman_network:
name: "{{ item }}"
recreate: false
state: "present"
become_user: containers
become: true
loop:
- traefik-mattermost
- postgres-mattermost
- name: Pull container images
become_user: containers
become: true
containers.podman.podman_image:
name: docker.io/{{ item }}
loop:
- mattermost/mattermost-team-edition:release-9
- postgres:13-alpine
- name: Create postgres instance
become_user: containers
become: true
containers.podman.podman_container:
name: db_mattermost
image: docker.io/postgres:13-alpine
state: present
volume:
- mattermost-db:/var/lib/postgresql/data/pgdata:Z
network:
- postgres-mattermost
env:
POSTGRES_DB: "{{ vault_mattermost_db_database }}"
POSTGRES_USER: "{{ vault_mattermost_db_user }}"
POSTGRES_PASSWORD: "{{ vault_mattermost_db_password }}"
PGDATA: /var/lib/postgresql/data/pgdata
TZ: "{{ vault_timezone }}"
security_opt:
- no-new-privileges=true
pids_limit: "100"
read_only: true
tmpfs:
"/tmp": "rw"
"/var/run/postgresql": "rw"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Add a mattermost container
become_user: containers
become: true
containers.podman.podman_container:
name: mattermost
image: docker.io/mattermost/mattermost-team-edition:release-9
state: present
network:
- traefik-mattermost
- postgres-mattermost
volume:
- mattermost-config:/mattermost/config:Z
- mattermost-data:/mattermost/data:Z
- mattermost-logs:/mattermost/logs:Z
- mattermost-plugins:/mattermost/plugins:Z
- mattermost-clientplugins:/mattermost/client/plugins:Z
- mattermost-bleveindexes:/mattermost/bleve-indexes:Z
security_opt:
- no-new-privileges=true
pids_limit: "100"
tmpfs:
"/tmp": "rw"
label:
io.containers.autoupdate: "registry"
traefik.enable: "true"
traefik.http.routers.mattermost.entrypoints: "https"
traefik.http.routers.mattermost.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/mattermost/`) || Path(`/mattermost`))"
traefik.http.routers.mattermost.tls: "true"
traefik.http.routers.mattermost.tls.certresolver: "wildcard"
traefik.http.routers.mattermost.service: "mattermost"
traefik.http.routers.mattermost.middlewares: "http-compress@file"
traefik.http.services.mattermost.loadbalancer.server.port: "8065"
traefik.http.services.mattermost.loadbalancer.passhostheader: "true"
traefik.udp.routers.mm-call-rtr.service: "mm-call-svc"
traefik.udp.routers.mm-call-rtr.entrypoints: "mmcalls"
traefik.udp.services.mm-call-svc.loadBalancer.server.port: "8443"
traefik.docker.network: "traefik-mattermost"
env:
TZ: "{{ vault_timezone }}"
# https://docs.mattermost.com/configure/environment-configuration-settings.html
MM_SQLSETTINGS_DRIVERNAME: "postgres"
MM_SQLSETTINGS_DATASOURCE: "postgres://{{ vault_mattermost_db_user }}:{{ vault_mattermost_db_password }}@db_mattermost:5432/{{ vault_mattermost_db_database }}?sslmode=disable&connect_timeout=10"
MM_BLEVESETTINGS_INDEXDIR: "/mattermost/bleve-indexes"
MM_SERVICESETTINGS_SITEURL: "https://{{ vault_domain }}/mattermost"
MM_EMAILSETTINGS_SMTPSERVER: "{{ vault_smtp_host }}"
MM_EMAILSETTINGS_SMTPPORT: "{{ vault_smtp_port }}"
MM_EMAILSETTINGS_ENABLESMTPAUTH: "false"
MM_EMAILSETTINGS_SMTPUSERNAME: "{{ vault_smtp_user }}"
MM_EMAILSETTINGS_SMTPPASSWORD: "{{ vault_smtp_password }}"
MM_EMAILSETTINGS_CONNECTIONSECURITY: "{{ vault_smtp_protocol }}"
MM_SERVICESETTINGS_ENABLESECURITYFIXALERT: "true"
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-db_mattermost.service, container-traefik.service]
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-mattermost.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-db_mattermost.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
enabled: true
state: started
daemon_reload: true
loop:
- mattermost
- db_mattermost
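Review bot: `MM_EMAILSETTINGS_ENABLESMTPAUTH: "false"` is set while `MM_EMAILSETTINGS_SMTPUSERNAME` and `MM_EMAILSETTINGS_SMTPPASSWORD` are filled from the vault; as I read Mattermost's EmailSettings, the credentials are not used when SMTP auth is disabled, so either the flag or the two credential lines are dead configuration. If the relay really accepts unauthenticated mail, a comment next to the flag saying so would stop the next reader from switching it on; otherwise `"true"` is the value. `MM_SQLSETTINGS_DATASOURCE` carries `sslmode=disable`; the connection stays on the `postgres-mattermost` podman network, which is worth stating in a comment so the setting is not copied to a deployment with a remote database. The `db_mattermost` container gets `read_only`, `no-new-privileges` and `pids_limit`, which is good; the mattermost container lacks `read_only`, presumably because it writes outside the listed volumes — a comment would confirm that.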


@@ -1,6 +1,7 @@
[Unit]
Description=Nextcloud cron.php job
Wants=nextcloudcron.timer
Requires=container-nextcloud.service
[Service]
ExecStart=/bin/podman exec -u www-data nextcloud php -f /var/www/html/cron.php
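Review bot: `Requires=container-nextcloud.service` declares a dependency but no ordering; systemd starts both units together unless `After=` is also present, so the `podman exec` in `ExecStart` can run before the nextcloud container is up when the timer fires during boot. Add `After=container-nextcloud.service` next to the new `Requires=` line.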


@@ -15,6 +15,7 @@
- nextcloud
- redis_nextcloud
- db_nextcloud
failed_when: false
- name: Pull container images
become_user: containers
@@ -47,7 +48,7 @@
path: /etc/nextcloud
owner: containers
group: containers
mode: 0700
mode: "0700"
state: directory
- name: Copy nextcloud config directory
@@ -57,7 +58,7 @@
dest: /etc/nextcloud/config/
owner: containers
group: containers
mode: 0600
mode: "0600"
- name: Copy systemd service and timer
become: true
@@ -67,7 +68,7 @@
dest: "/home/containers/.config/systemd/user/"
owner: containers
group: containers
mode: 0644
mode: "0644"
- name: Copy mariadb config directory
become: true
@@ -76,7 +77,7 @@
dest: /etc/nextcloud/mariadb/
owner: containers
group: containers
mode: 0600
mode: "0600"
- name: Create podman networks
containers.podman.podman_network:
@@ -182,8 +183,8 @@
SMTP_SECURE: "{{ vault_smtp_protocol }}"
SMTP_PORT: "{{ vault_smtp_port }}"
SMTP_AUTHTYPE: "None"
SMTP_NAME: ""
SMTP_PASSWORD: ""
SMTP_NAME: "{{ vault_smtp_auth_name }}"
SMTP_PASSWORD: "{{ vault_smtp_password }}"
MAIL_FROM_ADDRESS: "{{ vault_smtp_from }}"
MAIL_DOMAIN: "{{ vault_smtp_domain }}"
TRUSTED_PROXIES: "traefik"
@@ -193,9 +194,42 @@
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-db_nextcloud.service, container-redis_nextcloud.service, container-traefik.service]
names: true
new: true
- name: Change start timeout limit
become_user: containers
become: true
community.general.ini_file:
path: "/home/containers/.config/systemd/user/container-{{ item }}.service"
section: Service
option: TimeoutStartSec
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- nextcloud
- redis_nextcloud
- db_nextcloud
- name: Change stop timeout limit
become_user: containers
become: true
community.general.ini_file:
path: "/home/containers/.config/systemd/user/container-{{ item }}.service"
section: Service
option: TimeoutStopSec
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- nextcloud
- redis_nextcloud
- db_nextcloud
- name: Start containers at boot
become_user: containers
become: true
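Review bot: `SMTP_NAME` and `SMTP_PASSWORD` are now populated from the vault, but the context line `SMTP_AUTHTYPE: "None"` two lines above still describes an unauthenticated relay; as I read the nextcloud image's mail configuration, supplying a name and password enables SMTP auth and the auth type then needs a real mechanism such as `"LOGIN"`, otherwise the credentials are ignored or rejected. Either change it to `SMTP_AUTHTYPE: "LOGIN"` (or whatever the relay expects), or, if the relay is unauthenticated, leave the two values empty. The enclosing task starts outside this hunk.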


@@ -18,6 +18,7 @@
state: stopped
loop:
- portainer
failed_when: false
- name: Pull portainer image
become_user: containers
@@ -69,9 +70,25 @@
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
requires: [container-traefik.service]
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-portainer.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true


@@ -18,6 +18,7 @@
state: stopped
loop:
- traefik
failed_when: false
- name: Permit traffic from any IP to http port
become: true
@@ -37,6 +38,15 @@
to_port: 443
rule: allow
- name: Permit traffic from any IP to mattermost port
become: true
community.general.ufw:
direction: in
from_ip: any
proto: udp
to_port: 8443
rule: allow
- name: Pull traefik image
become_user: containers
become: true
@@ -49,7 +59,7 @@
path: /etc/traefik
owner: containers
group: containers
mode: 0700
mode: "0700"
state: directory
- name: Copy config directory
@@ -59,7 +69,7 @@
dest: /etc/traefik/
owner: containers
group: containers
mode: 0600
mode: "0600"
- name: Copy config files from templates
become: true
@@ -68,7 +78,7 @@
dest: "/etc/traefik/{{ item }}"
owner: containers
group: containers
mode: 0600
mode: "0600"
loop:
- traefik.yml
- conf/cockpit.yml
@@ -87,6 +97,7 @@
- traefik-gitea
- traefik-collabora
- traefik-heimdall
- traefik-mattermost
- name: Create traefik instance
become_user: containers
@@ -98,6 +109,7 @@
publish:
- "80:80"
- "443:443"
- "8443:8443"
security_opt:
- label=type:container_runtime_t
volume:
@@ -110,6 +122,7 @@
- traefik-gitea
- traefik-collabora
- traefik-heimdall
- traefik-mattermost
cap_add:
- NET_ADMIN
label:
@@ -117,7 +130,7 @@
traefik.enable: "true"
traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}"
traefik.http.routers.traefik.entrypoints: "https"
traefik.http.routers.traefik.rule: "Host(`{{ vault_domain }}`) && PathPrefix(`/api`,`/dashboard`)"
traefik.http.routers.traefik.rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/api/`) || Path(`/api`) || PathPrefix(`/dashboard/`) || Path(`/dashboard`))"
traefik.http.routers.traefik.middlewares: "traefik-auth@docker"
traefik.http.routers.traefik.tls: "true"
traefik.http.routers.traefik.tls.certresolver: "wildcard"
@@ -129,6 +142,21 @@
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-traefik.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
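Review bot: `- "8443:8443"` publishes TCP only — podman's `--publish` defaults to TCP when no protocol suffix is given — while the new `mmcalls` entrypoint in traefik.yml listens on `:8443/udp` and the new ufw rule opens `proto: udp` on 8443, so the UDP datagrams never reach the container. Change the entry to `- "8443:8443/udp"` (keep a TCP mapping only if TCP 8443 is also meant to be served). Opening a UDP port to `from_ip: any` is a deliberate exposure for Mattermost calls; a comment on the ufw task naming the consumer, `# Mattermost calls RTC traffic, forwarded by traefik's mmcalls UDP entrypoint`, keeps that traceable.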


@@ -1,20 +1,15 @@
http:
routers:
cockpit:
rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/cockpit/`) || Path(`/cockpit`))"
rule: "Host(`{{ vault_domain }}`) && (PathPrefix(`/admin/`) || Path(`/admin`))"
entryPoints: https
middlewares:
- force-trailing-slash
- drop-xforwarded-proto
service: cockpit
tls:
certresolver: wildcard
middlewares:
cockpit-stripprefix:
stripPrefix:
prefixes:
- "/cockpit"
drop-xforwarded-proto:
headers:
customrequestheaders:
@@ -25,8 +20,8 @@ http:
loadBalancer:
serversTransport: nocertverify
servers:
- url: "https://{{ vault_domain }}:9090"
- url: "https://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090/admin/"
serversTransports:
nocertverify:
insecureSkipVerify: true
insecureSkipVerify: true
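Review bot: The new backend URL reaches cockpit through `hostvars[inventory_hostname]['ansible_default_ipv4']['address']`, which in a play against the host itself is the same fact as `ansible_default_ipv4.address`, and the `nocertverify` transport then silently accepts the IP-versus-hostname mismatch in cockpit's certificate; the shorter `url: "https://{{ ansible_default_ipv4.address }}:9090/admin/"` reads better, and a comment stating that verification is skipped because cockpit presents a self-signed certificate on a host-local hop would make the choice explicit. The `/admin/` path implies cockpit is configured with a matching `UrlRoot`; that file is not in this compare, so a comment pointing at it would help.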


@@ -21,6 +21,8 @@ entryPoints:
permanent: true
https:
address: ":443"
mmcalls:
address: ":8443/udp"
providers:
docker:


@@ -0,0 +1,154 @@
---
- name: Online project management tool
hosts: all
tasks:
- name: Stop running containers
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
state: stopped
loop:
- vikunja
- db_vikunja
failed_when: false
- name: Pull container images
become_user: containers
become: true
containers.podman.podman_image:
name: docker.io/{{ item }}
loop:
- vikunja/vikunja:latest
- mariadb:latest
- name: Create podman volumes
containers.podman.podman_volume:
state: present
name: "{{ item }}"
become_user: containers
become: true
loop:
- vikunja-data
- vikunja-db
- name: Create podman networks
containers.podman.podman_network:
name: "{{ item }}"
recreate: false
state: present
become_user: containers
become: true
loop:
- traefik-vikunja
- mariadb-vikunja
- name: Create mariadb instance
become_user: containers
become: true
containers.podman.podman_container:
name: db_vikunja
image: docker.io/mariadb:latest
state: present
volume:
- vikunja-db:/var/lib/mysql:Z
network:
- mariadb-vikunja
command:
- --character-set-server=utf8mb4
- --collation-server=utf8mb4_unicode_ci
- --max-connections=1000
env:
MARIADB_ROOT_PASSWORD: "{{ vault_vikunja_mariadb_root_password }}"
MARIADB_DATABASE: "{{ vault_vikunja_mariadb_database }}"
MARIADB_USER: "{{ vault_vikunja_mariadb_user }}"
MARIADB_PASSWORD: "{{ vault_vikunja_mariadb_password }}"
MARIADB_AUTO_UPGRADE: "true"
healthcheck: "mysqladmin ping --silent"
healthcheck_interval: 2s
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Create vikunja instance
become_user: containers
become: true
containers.podman.podman_container:
name: vikunja
image: docker.io/vikunja/vikunja:latest
state: present
volume:
- vikunja-data:/app/vikunja/files:Z
network:
- traefik-vikunja
- mariadb-vikunja
env:
VIKUNJA_DATABASE_HOST: db_vikunja
VIKUNJA_DATABASE_PASSWORD: "{{ vault_vikunja_mariadb_password }}"
VIKUNJA_DATABASE_TYPE: mysql
VIKUNJA_DATABASE_USER: "{{ vault_vikunja_mariadb_user }}"
VIKUNJA_DATABASE_DATABASE: "{{ vault_vikunja_mariadb_database }}"
VIKUNJA_SERVICE_JWTSECRET: "{{ vault_vikunja_jwt_secret }}"
VIKUNJA_SERVICE_PUBLICURL: https://{{ vault_domain }}/vikunja/
VIKUNJA_FRONTEND_BASE: /vikunja/
label:
io.containers.autoupdate: registry
traefik.enable: "true"
traefik.http.routers.vikunja.entrypoints: https
traefik.http.routers.vikunja.rule: Host(`{{ vault_domain }}`) && (PathPrefix(`/vikunja/`) || Path(`/vikunja`))
traefik.http.routers.vikunja.tls: "true"
traefik.http.routers.vikunja.tls.certresolver: wildcard
traefik.http.routers.vikunja.service: vikunja
traefik.http.services.vikunja.loadbalancer.server.port: "3456"
traefik.docker.network: traefik-vikunja
generate_systemd:
path: /home/containers/.config/systemd/user/
restart_policy: on-failure
names: true
new: true
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-vikunja.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Change start and stop timeout limits
become_user: containers
become: true
community.general.ini_file:
path: /home/containers/.config/systemd/user/container-db_vikunja.service
section: Service
option: "{{ item }}"
value: 3600
mode: "0664"
state: "present"
no_extra_spaces: true
loop:
- TimeoutStartSec
- TimeoutStopSec
- name: Start containers at boot
become_user: containers
become: true
ansible.builtin.systemd:
scope: user
name: container-{{ item }}.service
enabled: true
state: started
daemon_reload: true
loop:
- db_vikunja
- vikunja
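Review bot: Neither vikunja container carries the hardening the mattermost playbook in this compare applies to its containers, and the label values (`io.containers.autoupdate: registry`, the router `rule`, `entrypoints`, `certresolver`) are left unquoted where every other playbook quotes them; adding `security_opt:` / `- no-new-privileges=true` / `pids_limit: "100"` to both `db_vikunja` and `vikunja` and quoting the labels keeps the playbooks uniform. `image: docker.io/mariadb:latest` combined with `MARIADB_AUTO_UPGRADE: "true"` lets a future major upgrade happen on the next pull, whereas the postgres instance here pins a major version (`postgres:13-alpine`); a major-version tag would match. `healthcheck: "mysqladmin ping --silent"` runs without credentials; whether the image answers an unauthenticated ping with exit 0 is worth confirming on the host.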


@@ -1,80 +1,106 @@
$ANSIBLE_VAULT;1.1;AES256
38343663613164616165313862356365343939336537653566313831623633613732336635313164
3633356634376334643136323431306261366134376637360a323339346463373637373965336337
63663130636364633334626237613430313833386165646231353639346466393535623838353337
6463303161343630640a343433383465343432323032653861366233363761343931353764343236
65613763653334353461363966663832366632363565656537646366346637623837366663346464
33656634373163306537393631633239626432643963646534323739633266373130363535613136
61353933666130363765643965623030623737386264636632386635626266323563613133663165
63316438623732613361333136353230313763396463363233633266393862333238363331363231
33343963626533623931306637353236323065616631363633623433366634346331316637393565
39643564333065353866616566643436383630666439623730376561663831376566363132316230
61663938366566653165383636343138366437636361663764643939636233343532373131346361
66363433656338316434646166666331323538393139623632613837333933353932333464613134
36396232333461353930623935613364343333356133396530653330323963653665386461383664
38666433623135316161326661336561376262363361376135613035306532626238633262616234
64336330386565663034333662373331343931323937646436323666633439333864363061386164
65623338396637303162373331346430613233396362613465356631316566346239326132396464
32626639656238666565636537663365316630653535656137303234653032363865396633656435
33373662623565303062346637363134393161313237656139356361653163393536386563636261
38386463646634336263623032653433336334326666376166653739656165343965613466663238
31376534383065366635386563656334623232383730626663393765663834613862656139656464
62373062633539396632323536373039313031366637653464313735656534336239343838316464
65366538663464353064353864346432383866313935626633633434636436653863393735626639
32626332316439326661623233333032356362373537663366633538313761616435366639346230
30633234616331336631336431633037633066616237623736663661313464303934373565663136
31353265386237363031323262393232353766303763626565666438643339336235393936366230
32623636386334326235663061623236393066326666326337343635616366313436626662316237
34636661396139373863663130386631333437643665333631616234333730623032376237646432
34396631613766346630333831643035393538356234343134313466386335633539623335373265
30626330303939653362353364376331643638336137616133326532336638633639326261313164
37353638306138343939326632393634623432383531346466643931343839666137383637643930
35646531656235396137626535323162396163323330646535663639656136346165356434363065
36636165373031376639623866373264613035353439643837623536326439336638646530316531
62343130326461636231626531636436663162396361633264633031373865623830326461313935
31353831303838346436373935613765646638373861346435393566333438383239393465643535
32316539623362383661643363336236346331346335623938653530613866333231643130353530
61633936623061646533613938353763343137623037363639393836306531333739383537343933
35353034373563633437326530616138336438333930326536616630356231316430613035643932
66663134613234356237363632393762356463383133353034323132376266636465313966316536
32353731343862306562396435653231376666363931636234323330383763613565303361646339
31333033653764333932373965613563356131373432393933643666653735633939316237353061
38653363626233353161363134333834363663303530343938313261666632356234326531313238
62356161343230646633633531333738376335396539626431373732313833613539343531623066
32303237363161396439623131656163626132303765326461306632323435343063653563656334
65613830653335386662663031653839363934656437343730303065396363636537346237306138
30316131613865393861383639663161303734336133346262383365323666623237386262663337
35663637393032633764623635343466363366316536643539306339363130316238633630336362
35393230393436393436383537646163613334363130336163636230633639623738623766666537
35356432326666663539313337306230313937616332653134346136363236383036653462363031
38643432356534396466656261373762633132363833663561613636316435666463343135393363
65623063626564313131383534313661356637396166383930643936303337666437643861323931
38333238373866336433356561626561306330313034626233616533663866613930383735393336
61666339636466376633643731303065333337656162396634343032623939656231633838613136
66386233663231616638616163363430636233346465636461313864343436323664316638636132
66376466343662343938356537333730646265393032613738393832646364323737363437343538
31666436666664353161626462316161326262363166373835653462643935356465386132656233
64613839353235663564633765653936306261303639343265653765633131666366363930643634
35333039326130656234626135663031343839336633373564333930313134383630646566386261
65306237353235333865643666353064383663663234386233666164313461633738396465366139
36646335663461303736646362343534623334366134303138323535656635316433356230663137
39633939613563353761376339633031623531633262326164326630343239633434666665386566
36633039653161316135353463373331373937393864643338643633656530313431646530303737
65386337323235663263306163616136363030363634373536366331646439336264366664613664
36323235363838653062313863663864336262646236653466313534663461636637303434333362
62653364316535393237383864646237633064656337393932383038623331633738343235323333
32646333316432623733646437383836376666626139623261386635333433373536613435396136
34393033663332303634616261333236383565653934303437396134623130383836643035386638
37616561353130656439373863656466636361646234363337343766613938323836373866656666
66663035333032616262313734323536616331633337346333343634643064643862663030653434
64633939623731633232363734306137616434373466396561313961663931373162333138373533
33393562363632383665633938316139623238376536316332376663313661316361633337383431
34316337643664363462636364666637623036323861636231373539643134633937366166376233
32663730316230626337396165333034313637373435623933313966386330633634646134323865
65383636376632373363306430653039353039393738646133393635383038366662393634346265
37623931343664383665666130656432613038343830383531613435333336313362343333663831
35313734326666396566633132663735373162323937323064336133636264313338373462386339
39636635353130646237323834393963396238653633623161653539636263316534636461363437
64656463613565636231336635613937383537393561353463343530376238623532366335366430
35363739666335343436643433376432633762623661376161373539633662323633643939316134
663339383635626333363365323634623535
63626565393066343966323064646661383330623937613233616534313331363530613062643964
3831383231313564376432303465376532623531643539610a663134386361353330626637626162
64373334373639663762343362646636303837376138393338643533363438616535623064323061
6436343866336234350a313733383930366635646437383464353363643964346437323535333866
39636163666637326531336136653461636135363230663762613637666230353135616435393962
32383132313963623131313831326333656232656538336433633735633939636661383266396663
30653763333761623734383862326438626631643965376137663662643362663165306265633363
63636238336438643733633665613232306437396130663432366364613737653431653361653965
32373931633536656335396134313065666437666634343466653136343362343165366233383964
66663263316162626466646234623363616135663039393761373734663566623235343263323261
37646434373863303033386464343766323462643338396466363863356430616431343463326432
66376630663337386461663934393566393138353363376235343764363431323636653361343839
33353864653031633831383639633565616332373033333436636362393565306233326632373639
38316265303135366436643262653733663333383863386536343035366362643762646437306135
65663065366335656436633137316266643361643336613235613562633537313366343163376164
63663661383032343962666363393834626339333437313032303134643036646636333464353931
66356664623938333230616365316666653832393730616332376434336339363430366239656636
31323236666165623736376133393063323537326164386536633631313466653162663739376639
35376364653066396635396539316234313037356339363833396430353134356136666537363337
63343435363235386538636361343138363263663035653666656637333036666331343139373463
61666266636134366233633766623430633164636337653839663365343062616464323861363836
64613638626338353335633164613931363537356232373066323035393435373932633932663838
62303232643835303636323638653435343836383432313161306363303565356239663430376331
62323038616332663032366133656632663363623837333537366432643439353934346165623039
63306436653235646535333134643438656133323131333266656337396337353833313230653438
66313834656430323962653263643231396330313561613935336132646238366637633230323134
35346564383166636563366637643738353838636530303235616265306133336431393064646434
32363065633136326364336637656235316330323137633364383739633032366437373233376334
38663762643832373264383064333662376634633738383239343932353162343466393637343439
31353936366137623538393737316661666161633464343466306139323030653935343564396132
66653934326230326563643837333562333438303334623138623362323737313461373930666162
34656162313730663365373835366231383638623834653238326261616332333665393732383864
31646163346431373434323961633966623564363432306562663031626562353036613632666130
31656466333934663265656336313161643135346235663838383563333535623163396636613738
34376534386635393062306363343137336666656330343863623439316131353066353337383734
35306137353434333435313033636565653537306264636332646464306633666635616435663034
38653635383861343237616339306662663634653937663730376232306161306435333432343235
38626232613939623166623465353837663064396264643966383634343736353161346232373135
66303338376338663431373131653462343766376235653762343564383965333131353431356565
66313163343537343931306131373738383965356433323139333262363331663438316364343539
32373362613433633638306235383638313334633130326637613734393965633164646539396465
30356135666464353531643061346635386663366438656638646237366431366237616632363330
38646661396561643039336631333037313638653334666361383132323264323037633132353464
61306261353765386136313331623264633532363833343336313465333332663837303934313332
63633330313434353666616533663939383431303334616434303037643763383935633061643737
37376139656565633466633638303838623238363030363734323739643339633130633030346431
39373863376137376430313532623662633738666539663566316366356536613963323437636236
36396461646439326164623230303362636664303131326561383536653436316239643161313932
36393638666630383761303965666461326433393635306230333136343064633161373034656635
35386362316465366134386566656366616236326133366665366437616630346565353261613464
31633338623163626138663034346137356131333335333536386365373237333737653163333533
39373430633534636632356432313161636433393931303361366565353665633662313832646565
35633237663161313832613065326638356130306439643437613735643264373331653331373232
33383966363833376439333431303664323465383664383566656531663366383735383364663461
66623161623738343365356365303730656337373636333361376534356363366134333338366464
34366139636162613031313265306635663435396533633031316139356163613532363737313031
37393438653465323963343139383766373062666632343939316166646265393730343331386630
64616231386330386339656434346236376432376432383639363431666233336437623263663763
31363964313766386535646561656261633938656238303762633465373565633962626663336266
66313965613730643631376264343461633038616430326637633330313861363233363162623232
66363861383530373933326436373165383930316138633665663336663266626362386365653264
33376230376336393962313036393134316233316539393037323065643265633964306530656462
30383562653333323263613661393861643332656330633635333135616463336566353630666562
31646139326630343738653539373337356139653338306663353932623535626232636634393334
66323230393633646165633835653834373261353031356365643933303737313534383533663762
32643739646639656430663562393166626539353533656563393862353562336432373234656136
35343266356330306432346435363035336432636135663464393033353733393732356364613132
65353464616231653137373734323761396430363664643464353430646134656665633933623666
62363535303265353533333335653061616230613163373361363336373337623131383563323938
66643830363863616134343564343132346639323030396166383965336265396138636431666462
62306333363136653462386633643637663262623638373833663030316539623566323461393536
36656465353436336363623536376164373264643863666631353865643462663636636130376266
32623435643631303836653262643031353630396261343666663237663436366664356639366532
34353839373863646366366236623265346631343561666263346136326534353634613638336339
36356131633464343565626539653738396334653564303563306131316539343438636265663736
30306134333431366530666131616265336637396237626436326462363062313861633565346264
34613432343938636232316466396565323038613931616361643561613862333638636163623532
65393137636636303830376535396238336433626266313136616135323937303033396230303265
34666461356339373061626434613366303664636337373362326237633834366263393938663963
35363565643330313839653935393336663338316635636333353963333334616661393065373935
36366265653835343363636237356433366164636664346633393239316539383565663561316136
39623162363961623239346132623933303864373664343333393466343564393762646365346562
65646563343865323261366335663765373364336266376431373536656366343539656466363939
33303732383034346465633838623864623130653334666436623837636234356361663562306666
31316166656638613137636435383733363365346230626130633564386433623931396264383265
62396435376634383863663136343731386536326461643932303263656636656139316661613134
33663666636664306539313537616261363933653037616364643637396234646431356262653566
34336534306632373034623534363765376538323333386137626638363430633538353030343137
66353235353731646333623562363065333533323734373765383562633337323962306430353635
37333664643636643037393638316537386164613136393732653061616134316534383365303839
33383731616365613031646534343733363037366235383131643564366239626563633132306163
31306335323664303634333432666230626462393261393761646434616233666436326432373466
32306164373936363937316530313564313262343164366539396135353639666138616364636239
34306432653335653837383134623665663062663339633263366131633836326137333932313730
38336638626262636535306235383437316333646362383265623931616235363034666231656239
39396337633932356335386365313066363863376166303335396364376638303430336436323038
63666361636630393562316465346334393963356130353564633437663731656234643264386137
37386237646261656364643031326166313539663938363532643131633332306331623538353036
35356136356234616330613636356137393665303065653763386563303938373162656438373333
65393262613338363661646532306435343334343035363034636131366264373436633436333366
33303531326433643866653961643839336464613036623961353661313534396334313533633963
30386337653237386466383531623936306666326633393239353533396663393032626331323365
33353433663663303331353633353634333164393065336231633930656335666538663464353837
35353262623637303731303932356432313337643139383264336230383331323966393261376539
3133


@@ -1,3 +1,4 @@
server:
hosts:
chef.heaplab.deib.polimi.it:
ansible_port: 24


@@ -0,0 +1,2 @@
[keyfile]
unmanaged-devices=none
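Review bot: `unmanaged-devices=none` makes NetworkManager claim every interface on the host, not only the uplink; on a machine running rootless podman with several networks (`traefik-vikunja`, `mariadb-vikunja` elsewhere in this change) that presumably includes the bridges and veth pairs podman creates, which NM may then try to configure. If the goal is only to make Cockpit's connectivity check pass, a narrower form such as `unmanaged-devices=*,except:interface-name:<UPLINK_IFNAME>` (placeholder for the real uplink) keeps NM off the container interfaces. Either way, verify the container networks still come up after this is applied (`nmcli device status` shows what NM took over).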


@@ -28,7 +28,21 @@
dest: /etc/cockpit/cockpit.conf
owner: root
group: root
mode: 0644
mode: "0644"
# https://cockpit-project.org/faq.html#error-message-about-being-offline
- name: Allow NetworkManager to manage network interfaces
become_user: root
become: true
ansible.builtin.copy:
src: files/10-globally-managed-devices.conf
dest: /etc/NetworkManager/conf.d/
owner: root
group: root
mode: "0644"
- name: Set-up a dummy network interface faking internet connection
ansible.builtin.command: "nmcli con add type dummy con-name fake ifname fake0 ip4 1.2.3.4/24 gw4 1.2.3.1"
- name: Permit traffic from any IP to cockpit socket
become: true
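Review bot: The `nmcli con add …` task at the end of the hunk is not idempotent and, unlike its neighbours, carries no `become: true`: every re-run adds another profile named `fake` (nmcli does not refuse duplicate connection names), and the command needs root unless the play itself already runs privileged, which this hunk does not show. The collection the repo already uses provides `community.general.nmcli`, which creates the profile only when it is missing and reports `changed` correctly; a rewrite is below. Note also that `gw4 1.2.3.1` installs a default route through the dummy device — that is what the linked Cockpit FAQ prescribes, but confirm on the host that the dummy route's metric stays above the real uplink's so traffic is not black-holed (`route_metric4` on the module can pin it if needed).

```yaml
- name: Set-up a dummy network interface faking internet connection
  become: true
  community.general.nmcli:
    conn_name: fake
    ifname: fake0
    type: dummy
    ip4: 1.2.3.4/24
    gw4: 1.2.3.1
    state: present
# … unchanged: "Permit traffic from any IP to cockpit socket" task …
```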


@@ -1,3 +1,6 @@
[WebService]
Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 ws://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 https://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 wss://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090
Origins = https://{{ inventory_hostname }} wss://{{ inventory_hostname }}
ProtocolHeader = X-Forwarded-Proto
UrlRoot=/admin
LoginTitle=Heaplab Chef
LoginTo=false
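Review bot: The new keys `UrlRoot=/admin`, `LoginTitle=Heaplab Chef` and `LoginTo=false` drop the spaces around `=` that `Origins = ` and `ProtocolHeader = ` use two lines above; Cockpit accepts both, but one form should be used throughout the file, e.g. `UrlRoot = /admin`. The narrowed `Origins` now lists only `{{ inventory_hostname }}`; if the dashboard is reached through the traefik host used elsewhere in this repo (`{{ vault_domain }}`) and that differs from the inventory hostname, browsers will be rejected with an origin mismatch, so confirm the two coincide or add the external host to the list.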


@@ -65,6 +65,7 @@
state: started
- name: Enable podman auto-update timer
become_user: containers
become: true
ansible.builtin.systemd:
name: podman-auto-update.timer
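Review bot: The added `become_user: containers` only reaches that user's own systemd instance if the task also sets `scope: user` and the `containers` user manager is running (lingering enabled); the task body continues outside the hunk, so confirm `scope: user` is present as in the container tasks elsewhere in this repo. Without it the module addresses the system manager as an unprivileged user, where the call would fail or act on a different `podman-auto-update.timer` than the one the commit title targets.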
@@ -76,7 +77,7 @@
remote_src: true
src: /usr/share/containers/containers.conf
dest: /etc/containers/containers.conf
mode: 0644
mode: "0644"
- name: Set podman default subnet into small /24 networks
become: true