Initial configuration

.gitignore

@@ -0,0 +1,3 @@
+*.tfstate
+.envrc
+.vault_pass

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+inventory=./hosts.yml

chef.yml

@@ -0,0 +1,22 @@
+- hosts: chef.heaplab.deib.polimi.it
+  pre_tasks:
+    - name: Update system
+      become: true
+      package:
+        name: "*"
+        state: latest # noqa package-latest
+    - name: Set hostname
+      become: true
+      ansible.builtin.hostname:
+        name: chef
+        use: systemd
+    #- name: Reboot
+    #  become: true
+    #  reboot:
+  
+  roles:
+    - auto-updates
+    - base-os
+    - enable-cgroup-v2
+    - podman
+    - cockpit

host_vars/chef.heaplab.deib.polimi.it.yml

@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+32343034633264623731343331633532386339663738613633326331306539616466643037343137
+3763393033366666333434363339326437663763366233660a336665313232363961366631306361
+35393863343061616561636662366230636563646465303836346137373734316331353763363435
+3634613832626665350a336463376431383232336538613136353465356637653433636434343163
+3733

hosts.yml

@@ -0,0 +1,4 @@
+server:
+  hosts:
+    chef.heaplab.deib.polimi.it:
+      ansible_host: 131.175.120.208

roles/base-os/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: Install base packages
+  become: true
+  package:
+    name:
+      - htop
+      - tmux
+      - git
+      - nano
+      - python3
+    state: present
+

roles/cockpit/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Install base packages
+  become: true
+  package:
+    name:
+      - cockpit
+      - cockpit-bridge
+      - cockpit-machines
+      - cockpit-navigator
+      - cockpit-packagekit
+      - cockpit-podman
+      - cockpit-storaged
+      - cockpit-system
+      - cockpit-ws
+    state: present
+
+- name: Enable cockpit
+  become: true
+  ansible.builtin.systemd:
+    name: cockpit.socket
+    enabled: yes
+    state: started
+
+- name: Copy cockpit configuration 
+  become: true
+  ansible.builtin.template:
+    src: cockpit.conf.j2
+    dest: /etc/cockpit/cockpit.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Reboot
+  become: true
+  reboot:

roles/cockpit/templates/cockpit.conf.j2

@@ -0,0 +1,4 @@
+[WebService]
+Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://10.0.0.160 ws://10.0.0.160 https://10.0.0.160 wss://10.0.0.160
+ProtocolHeader = X-Forwarded-Proto
+AllowUnencrypted=true

roles/enable-cgroup-v2/tasks/main.yml

@@ -0,0 +1,9 @@
+- name: Check if cgroup v2 is available
+  ansible.builtin.command: grep cgroup2 /proc/filesystems
+  register: cgroup2_present
+
+- name: Enable cgroup v2
+  ansible.builtin.command: 'grubby --update-kernel=ALL --add-args="systemd.unified_cgroup_hierarchy=1"'
+  become: true
+  when:
+    - cgroup2_present.rc != 0

roles/podman/tasks/main.yml

@@ -0,0 +1,67 @@
+- name: Install base packages
+  become: true
+  package:
+    name:
+      - podman
+      - podman-docker
+    state: present
+
+- name: Add the 'containers' user
+  become: true
+  user:
+    name: containers
+    shell: /bin/bash
+
+- name: Check if user is lingering
+  stat:
+    path: "/var/lib/systemd/linger/containers"
+  register: user_lingering
+
+- name: Enable lingering is needed
+  become: true
+  command: "loginctl enable-linger containers"
+  when:
+    - not user_lingering.stat.exists
+
+- name: Allow unprivileged users to open ports
+  become: true
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_unprivileged_port_start
+    value: "80"
+    sysctl_set: yes
+
+- name: Enable podman socket
+  become: true
+  become_user: containers
+  ansible.builtin.systemd:
+    scope: user
+    name: podman.socket
+    enabled: yes
+    state: started
+
+- name: Enable podman auto-update timer
+  become: true
+  become_user: containers
+  ansible.builtin.systemd:
+    scope: user
+    name: podman-auto-update.timer
+    enabled: yes
+
+- name: Copy default containers config file
+  become: true
+  ansible.builtin.copy:
+    remote_src: yes
+    src: /usr/share/containers/containers.conf
+    dest: /etc/containers/containers.conf
+    mode: 0644
+
+- name: Change podman default subnet
+  become: true
+  lineinfile:
+    path: /etc/containers/containers.conf
+    regex: "^#default_subnet*$"
+    line: 'default_subnet = "172.16.0.0/24"'
+
+- name: Reboot
+  become: true
+  reboot: