diff --git a/chef.yml b/chef.yml index cf2d791..d7f2647 100644 --- a/chef.yml +++ b/chef.yml @@ -1,8 +1,9 @@ - hosts: chef.heaplab.deib.polimi.it + name: Base configuration of OS pre_tasks: - name: Update system become: true - package: + ansible.builtin.package: name: "*" state: latest # noqa package-latest - name: Set hostname @@ -10,10 +11,10 @@ ansible.builtin.hostname: name: chef use: systemd - #- name: Reboot - # become: true - # reboot: - + # - name: Reboot + # become: true + # ansible.builtin.reboot: + roles: - auto-updates - base-os diff --git a/containers/traefik/tasks.yml b/containers/traefik/tasks.yml index 6c8694d..8173638 100644 --- a/containers/traefik/tasks.yml +++ b/containers/traefik/tasks.yml @@ -9,7 +9,7 @@ - name: Permit traffic from any IP to http port become: true - ansible.builtin.ufw: + community.general.ufw: direction: in from_ip: any proto: tcp @@ -18,7 +18,7 @@ - name: Permit traffic from any IP to https port become: true - ansible.builtin.ufw: + community.general.ufw: direction: in from_ip: any proto: tcp diff --git a/roles/base-os/tasks/main.yml b/roles/base-os/tasks/main.yml index 089b8b5..27f8bd6 100644 --- a/roles/base-os/tasks/main.yml +++ b/roles/base-os/tasks/main.yml @@ -1,6 +1,6 @@ - name: Install base packages become: true - package: + ansible.builtin.package: name: - htop - tmux @@ -9,4 +9,3 @@ - python3 - acl state: present - diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml index 2ab2b00..b7cf091 100644 --- a/roles/cockpit/tasks/main.yml +++ b/roles/cockpit/tasks/main.yml @@ -1,6 +1,6 @@ - name: Install base packages become: true - package: + ansible.builtin.package: name: - cockpit - cockpit-bridge @@ -16,10 +16,10 @@ become: true ansible.builtin.systemd: name: cockpit.socket - enabled: yes + enabled: true state: started -- name: Copy cockpit configuration +- name: Copy cockpit configuration become: true ansible.builtin.template: src: cockpit.conf.j2 
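Review bot: `community.general.ufw:` in the http task (and in the https task in the next hunk of this file) moves the module out of ansible-core into the community.general collection, so the play only resolves if that collection is installed on the controller. If the repository does not already pin it in a collection requirements file (not visible in this diff), add `collections:` / `- name: community.general` there so a fresh `ansible-galaxy collection install -r requirements.yml` provisions it; the same applies to `ansible.posix`, which this commit also relies on for `ansible.posix.sysctl`. Otherwise the previous `ansible.builtin.ufw` failure is merely replaced by a "couldn't resolve module" failure on a clean controller.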
@@ -28,6 +28,6 @@ group: root mode: 0644 -#- name: Reboot -# become: true -# reboot: \ No newline at end of file +# - name: Reboot +# become: true +# ansible.builtin.reboot: diff --git a/roles/enable-cgroup-v2/tasks/main.yml b/roles/enable-cgroup-v2/tasks/main.yml index 015b16b..47adbdd 100644 --- a/roles/enable-cgroup-v2/tasks/main.yml +++ b/roles/enable-cgroup-v2/tasks/main.yml @@ -1,9 +1,10 @@ - name: Check if cgroup v2 is available ansible.builtin.command: grep cgroup2 /proc/filesystems register: cgroup2_present + changed_when: cgroup2_present.rc != 0 - name: Enable cgroup v2 ansible.builtin.command: 'grubby --update-kernel=ALL --add-args="systemd.unified_cgroup_hierarchy=1"' become: true when: - - cgroup2_present.rc != 0 \ No newline at end of file + - cgroup2_present.rc != 0 diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml index df73b43..11fc9ad 100644 --- a/roles/podman/tasks/main.yml +++ b/roles/podman/tasks/main.yml @@ -1,6 +1,6 @@ - name: Install base packages become: true - package: + ansible.builtin.package: name: - podman - podman-docker @@ -8,18 +8,30 @@ - name: Add the 'containers' user become: true - user: + ansible.builtin.user: name: containers + password: "!" + system: false shell: /bin/bash + comment: User running unprivileged containers + state: present + +- name: Add admin pub keys to authorized_keys + become: true + ansible.posix.authorized_keys: + user: containers + key: "{{ item }}" + state: present + loop: "{{ vault_containers_authorized_keys }}" - name: Check if user is lingering - stat: + ansible.builtin.stat: path: "/var/lib/systemd/linger/containers" register: user_lingering - name: Enable lingering is needed become: true - command: "loginctl enable-linger containers" + ansible.builtin.command: "loginctl enable-linger containers" when: - not user_lingering.stat.exists 
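Review bot: The added `changed_when: cgroup2_present.rc != 0` on the grep task leaves the real problem in place: `ansible.builtin.command` fails the task whenever the command exits non-zero, so on a host without cgroup2 the check task itself fails and the `when: - cgroup2_present.rc != 0` guard on the grubby task is never reached (the hunk covers the whole file and nothing sets `ignore_errors` or `failed_when`). A read-only check should also never report a change, and as written it reports "changed" precisely when cgroup2 is absent. Replace the added line with `changed_when: false` and `failed_when: cgroup2_present.rc > 1`, since grep uses exit status 1 for "no match" and 2 or more for actual errors, so the enable task runs only on the intended hosts.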
@@ -28,7 +40,7 @@ ansible.posix.sysctl: name: net.ipv4.ip_unprivileged_port_start value: "80" - sysctl_set: yes + sysctl_set: true - name: Enable podman socket become: true @@ -36,30 +48,30 @@ ansible.builtin.systemd: scope: user name: podman.socket - enabled: yes + enabled: true state: started - name: Enable podman auto-update timer become: true ansible.builtin.systemd: name: podman-auto-update.timer - enabled: yes + enabled: true - name: Copy default containers config file become: true ansible.builtin.copy: - remote_src: yes + remote_src: true src: /usr/share/containers/containers.conf dest: /etc/containers/containers.conf mode: 0644 - name: Change podman default subnet become: true - lineinfile: + ansible.builtin.lineinfile: path: /etc/containers/containers.conf regex: "^(.*)default_subnet = (.*)$" line: 'default_subnet = "172.16.0.0/24"' -#- name: Reboot -# become: true -# reboot: \ No newline at end of file +# - name: Reboot +# become: true +# ansible.builtin.reboot:
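Review bot: `sysctl_set: true` is correct, but the task it belongs to lowers `net.ipv4.ip_unprivileged_port_start` to 80 host-wide, so every local account, not only `containers`, can then bind ports 80 and above, including 443 and every other port in the 80-1023 range that would normally require CAP_NET_BIND_SERVICE; nothing in the task records that trade-off. Add a comment above the task, e.g. `# Host-wide setting: lets rootless podman publish 80/443, but every unprivileged user may then bind any port >= 80`. The task's `name:` line starts before this hunk.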
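Review bot: `mode: 0644` in the copy task whose `remote_src: true` line this hunk normalizes is still an unquoted leading-zero octal; a YAML 1.1 loader reads it as the integer 420, which Ansible happens to apply as 0644, but the form is fragile (the same value without the leading zero would be applied as decimal) and ansible-lint's risky-octal rule flags it, so the same pass that replaced `yes` with `true` should quote it: `mode: "0644"`. The template task in the cockpit role has the same unquoted `mode: 0644` as context in its `@@ -28,6 +28,6 @@` hunk.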