From 676f7e2f3eaa6144a22a5f1959bcfae2460435c7 Mon Sep 17 00:00:00 2001
From: Francesco Antognazza
Date: Wed, 1 Feb 2023 18:34:56 +0100
Subject: [PATCH] Initial configuration

---
 .gitignore | 3 +
 ansible.cfg | 2 +
 chef.yml | 22 ++++++++
 group_vars/all.yml | 0
 host_vars/chef.heaplab.deib.polimi.it.yml | 6 ++
 hosts.yml | 4 ++
 roles/auto-updates/tasks/main.yml | 0
 roles/base-os/tasks/main.yml | 11 ++++
 roles/cockpit/tasks/main.yml | 34 ++++++++++++
 roles/cockpit/templates/cockpit.conf.j2 | 4 ++
 roles/enable-cgroup-v2/tasks/main.yml | 9 +++
 roles/podman/tasks/main.yml | 67 +++++++++++++++++++++++
 12 files changed, 162 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 ansible.cfg
 create mode 100644 chef.yml
 create mode 100644 group_vars/all.yml
 create mode 100644 host_vars/chef.heaplab.deib.polimi.it.yml
 create mode 100644 hosts.yml
 create mode 100644 roles/auto-updates/tasks/main.yml
 create mode 100644 roles/base-os/tasks/main.yml
 create mode 100644 roles/cockpit/tasks/main.yml
 create mode 100644 roles/cockpit/templates/cockpit.conf.j2
 create mode 100644 roles/enable-cgroup-v2/tasks/main.yml
 create mode 100644 roles/podman/tasks/main.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8659e6f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*.tfstate
+.envrc
+.vault_pass
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..54f6985
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory=./hosts.yml
\ No newline at end of file
diff --git a/chef.yml b/chef.yml
new file mode 100644
index 0000000..cf2d791
--- /dev/null
+++ b/chef.yml
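Review bot: ansible.cfg only sets `inventory=./hosts.yml`, while the same commit gitignores `.vault_pass` and commits a vault-encrypted host_vars file, so every run presumably needs `--vault-password-file` on the command line; if `.vault_pass` is the intended password file, add `vault_password_file = ./.vault_pass` under `[defaults]` so the convention is enforced by the config rather than by memory. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is new.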
@@ -0,0 +1,22 @@
+- hosts: chef.heaplab.deib.polimi.it
+ pre_tasks:
+ - name: Update system
+ become: true
+ package:
+ name: "*"
+ state: latest # noqa package-latest
+ - name: Set hostname
+ become: true
+ ansible.builtin.hostname:
+ name: chef
+ use: systemd
+ #- name: Reboot
+ # become: true
+ # reboot:
+
+ roles:
+ - auto-updates
+ - base-os
+ - enable-cgroup-v2
+ - podman
+ - cockpit
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..e69de29
diff --git a/host_vars/chef.heaplab.deib.polimi.it.yml b/host_vars/chef.heaplab.deib.polimi.it.yml
new file mode 100644
index 0000000..d18a645
--- /dev/null
+++ b/host_vars/chef.heaplab.deib.polimi.it.yml
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+32343034633264623731343331633532386339663738613633326331306539616466643037343137
+3763393033366666333434363339326437663763366233660a336665313232363961366631306361
+35393863343061616561636662366230636563646465303836346137373734316331353763363435
+3634613832626665350a336463376431383232336538613136353465356637653433636434343163
+3733
diff --git a/hosts.yml b/hosts.yml
new file mode 100644
index 0000000..001b5b1
--- /dev/null
+++ b/hosts.yml
@@ -0,0 +1,4 @@
+server:
+ hosts:
+ chef.heaplab.deib.polimi.it:
+ ansible_host: 131.175.120.208
diff --git a/roles/auto-updates/tasks/main.yml b/roles/auto-updates/tasks/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/base-os/tasks/main.yml b/roles/base-os/tasks/main.yml
new file mode 100644
index 0000000..c615d81
--- /dev/null
+++ b/roles/base-os/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: Install base packages
+ become: true
+ package:
+ name:
+ - htop
+ - tmux
+ - git
+ - nano
+ - python3
+ state: present
+
diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml
new file mode 100644
index 0000000..f888158
--- /dev/null
+++ b/roles/cockpit/tasks/main.yml
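Review bot: The `Update system` pre_task runs `package: name: "*" state: latest` on every play, so each run performs a full package upgrade before any role executes; that makes the play slow and never idempotent, which is precisely what the `# noqa package-latest` suppression is hiding rather than fixing. Gate it behind an opt-in, e.g. `when: full_upgrade | default(false)`, or move it into the `auto-updates` role, whose `tasks/main.yml` this commit creates empty. The play also mixes short and fully-qualified module names (`package` next to `ansible.builtin.hostname`); `ansible.builtin.package` keeps the file consistent with the roles that already use FQCNs. The commented-out `Reboot` block here is at odds with the cockpit and podman roles, which both end with an unconditional reboot, so the reboot policy should be stated once, in a comment above `pre_tasks:`.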
@@ -0,0 +1,34 @@
+- name: Install base packages
+ become: true
+ package:
+ name:
+ - cockpit
+ - cockpit-bridge
+ - cockpit-machines
+ - cockpit-navigator
+ - cockpit-packagekit
+ - cockpit-podman
+ - cockpit-storaged
+ - cockpit-system
+ - cockpit-ws
+ state: present
+
+- name: Enable cockpit
+ become: true
+ ansible.builtin.systemd:
+ name: cockpit.socket
+ enabled: yes
+ state: started
+
+- name: Copy cockpit configuration
+ become: true
+ ansible.builtin.template:
+ src: cockpit.conf.j2
+ dest: /etc/cockpit/cockpit.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Reboot
+ become: true
+ reboot:
\ No newline at end of file
diff --git a/roles/cockpit/templates/cockpit.conf.j2 b/roles/cockpit/templates/cockpit.conf.j2
new file mode 100644
index 0000000..0f78089
--- /dev/null
+++ b/roles/cockpit/templates/cockpit.conf.j2
@@ -0,0 +1,4 @@
+[WebService]
+Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://10.0.0.160 ws://10.0.0.160 https://10.0.0.160 wss://10.0.0.160
+ProtocolHeader = X-Forwarded-Proto
+AllowUnencrypted=true
\ No newline at end of file
diff --git a/roles/enable-cgroup-v2/tasks/main.yml b/roles/enable-cgroup-v2/tasks/main.yml
new file mode 100644
index 0000000..015b16b
--- /dev/null
+++ b/roles/enable-cgroup-v2/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Check if cgroup v2 is available
+ ansible.builtin.command: grep cgroup2 /proc/filesystems
+ register: cgroup2_present
+
+- name: Enable cgroup v2
+ ansible.builtin.command: 'grubby --update-kernel=ALL --add-args="systemd.unified_cgroup_hierarchy=1"'
+ become: true
+ when:
+ - cgroup2_present.rc != 0
\ No newline at end of file
diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml
new file mode 100644
index 0000000..1c049b9
--- /dev/null
+++ b/roles/podman/tasks/main.yml
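Review bot: The closing `Reboot` task in roles/cockpit/tasks/main.yml has no condition, so every run of the play restarts the host whether or not anything changed; the podman role ends the same way. Register the tasks that actually require a restart and gate on them, e.g. `register: cockpit_conf` on the template task and `when: cockpit_conf is changed` on the reboot, or turn the reboot into a handler that those tasks notify. `mode: 0644` should be quoted as `mode: "0644"` — Ansible's docs ask for octal modes as strings, and an unquoted leading zero is an octal integer under YAML 1.1 — and `enabled: yes` should be `enabled: true`; the same two fixes apply to `mode: 0644` and the `yes` values in the podman role. The template task also writes `/etc/cockpit/cockpit.conf` after `cockpit.socket` is already started, so a one-line why-comment explaining that the reboot (or a `restarted` state) is what picks up the new config would help the next reader.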
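Review bot: `AllowUnencrypted=true` combined with `ProtocolHeader = X-Forwarded-Proto` in cockpit.conf.j2 makes cockpit-ws accept plain-HTTP sessions and trust the client-supplied protocol header, which is only safe when the sole route to the Cockpit listener is a TLS-terminating reverse proxy that sets that header; nothing in this commit restricts the listener (no firewall task, no `cockpit.socket` `ListenStream` override), so a client that reaches the socket directly gets an unencrypted login and can present its own `X-Forwarded-Proto`. Either bind the socket to loopback or the proxy's address, or add a firewall task in the cockpit role, and record the assumption at the top of the template, e.g. `# Assumes a TLS-terminating reverse proxy in front of cockpit-ws; do not expose the socket directly`. The four `10.0.0.160` origins are hard-coded while the host origins use `inventory_hostname`; if that address is the proxy, a role variable such as `cockpit_proxy_origin` would make the coupling explicit. Minor: `AllowUnencrypted=true` lacks the spaces around `=` used on the other lines, and the file has no trailing newline.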
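Review bot: `Check if cgroup v2 is available` fails the whole play when `grep cgroup2 /proc/filesystems` finds nothing, because grep exits 1 and `ansible.builtin.command` treats a non-zero rc as a failure, so the `Enable cgroup v2` task guarded by `cgroup2_present.rc != 0` can never run. Add `failed_when: false` and `changed_when: false` to the check task (it only reads /proc, so it neither fails meaningfully nor changes anything) and let the registered rc drive the decision. The condition also looks inverted against the stated goal: `cgroup2` appearing in `/proc/filesystems` presumably means the kernel supports v2, not that the unified hierarchy is active, yet that is the case in which the `grubby` task is skipped — confirm against the target distribution, and consider testing for `/sys/fs/cgroup/cgroup.controllers` with `stat` instead. A `notify` or registered result from the `grubby` task would also let the reboot in the later roles be conditional on this change.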
@@ -0,0 +1,67 @@
+- name: Install base packages
+ become: true
+ package:
+ name:
+ - podman
+ - podman-docker
+ state: present
+
+- name: Add the 'containers' user
+ become: true
+ user:
+ name: containers
+ shell: /bin/bash
+
+- name: Check if user is lingering
+ stat:
+ path: "/var/lib/systemd/linger/containers"
+ register: user_lingering
+
+- name: Enable lingering is needed
+ become: true
+ command: "loginctl enable-linger containers"
+ when:
+ - not user_lingering.stat.exists
+
+- name: Allow unprivileged users to open ports
+ become: true
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_unprivileged_port_start
+ value: "80"
+ sysctl_set: yes
+
+- name: Enable podman socket
+ become: true
+ become_user: containers
+ ansible.builtin.systemd:
+ scope: user
+ name: podman.socket
+ enabled: yes
+ state: started
+
+- name: Enable podman auto-update timer
+ become: true
+ become_user: containers
+ ansible.builtin.systemd:
+ scope: user
+ name: podman-auto-update.timer
+ enabled: yes
+
+- name: Copy default containers config file
+ become: true
+ ansible.builtin.copy:
+ remote_src: yes
+ src: /usr/share/containers/containers.conf
+ dest: /etc/containers/containers.conf
+ mode: 0644
+
+- name: Change podman default subnet
+ become: true
+ lineinfile:
+ path: /etc/containers/containers.conf
+ regex: "^#default_subnet*$"
+ line: 'default_subnet = "172.16.0.0/24"'
+
+- name: Reboot
+ become: true
+ reboot:
\ No newline at end of file
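Review bot: The `regex: "^#default_subnet*$"` in `Change podman default subnet` cannot match the commented default in the copied containers.conf: the `*` quantifies only the preceding `t` and `$` requires end of line right after it, so a line of the form `#default_subnet = "..."` is never matched, lineinfile appends `default_subnet = "172.16.0.0/24"` at the end of the file, and in a sectioned TOML file that lands in whichever table happens to be last rather than under `[network]`. Use `regexp: '^#?default_subnet\s*='` so the existing line is replaced in place. The preceding `Copy default containers config file` task has no `force: false`, so on the next run copy notices the edited file differs from `/usr/share/containers/containers.conf`, overwrites it, and lineinfile edits it again — two spurious changes every run; `force: false` (copy only when the destination is absent) removes the churn. Lowering `net.ipv4.ip_unprivileged_port_start` to `80` is system-wide, letting every unprivileged account on the host, not only `containers`, bind ports 80–1023; a comment such as `# intentionally host-wide: rootless podman needs to bind 80/443` would document that this is accepted.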