From 745fd321ea2cca6fa88bf09a133401dc823df115 Mon Sep 17 00:00:00 2001
From: "pulsar89.5"
Date: Thu, 27 Feb 2025 15:18:25 +0100
Subject: [PATCH] feat: Switch to CoreOS
---
 README.md | 114 ++++++++++++++++----------------------
 defaults/main.yml | 20 +------
 handlers/main.yml | 34 +++---------
 meta/.galaxy_install_info | 2 +
 meta/main.yml | 4 +-
 tasks/configuration.yml | 82 ---------------------------
 tasks/installation.yml | 47 ----------------
 tasks/main.yml | 76 +++++++++++++++++++++++--
 templates/rsyslog.conf.j2 | 9 ---
 vars/main.yml | 12 ++++
 10 files changed, 143 insertions(+), 257 deletions(-)
 create mode 100644 meta/.galaxy_install_info
 delete mode 100644 tasks/configuration.yml
 delete mode 100644 tasks/installation.yml
 delete mode 100644 templates/rsyslog.conf.j2
 create mode 100644 vars/main.yml
diff --git a/README.md b/README.md
index 1be3086..206486b 100644
--- a/README.md
+++ b/README.md
@@ -1,82 +1,66 @@ # role_podman -Rôle de déploiement de podman. - -## Pré-requis - -Ce rôle créer un utilisateur dédié via [cet autre rôle](https://gitea.ykn.fr/ansible/role_users) dont il est dépendant. -L'utilisation de ce rôle et de sa dépendance dans un playbook nécessite d'utilise ansible-galaxy en lui indiquant un fichier dont le contenu est le suivant : - -```bash -$ cd playbook_podman -$ tee requirements.yml <Valeur par défaut: `true` (activé, `false` pour désactiver) +Default value: `true + +### podman_pods + +List of dictionnaries to define pods ([see ansible documentation](https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_pod_module.html)). + +Default value: none ### podman_containers -Définition des conteneurs à déployer. +List of dictionnaries to define containers ([see ansible documentation](https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_container_module.html#ansible-collections-containers-podman-podman-container-module)). -Valeur par défaut: *aucune* +Default value: none -## Utilisation +## Usage -Définir la variable `podman_containers` dans un fichier sous `host_vars` ou `group_vars` : - -```bash -$ tee host_vars/lxd_podman_host.yml < + WG_HOST: noun.ykn.fr + WG_PORT: 51820 + WG_PERSISTENT_KEEPALIVE: 25 + WG_DEFAULT_DNS: "" + WG_ALLOWED_IPS: 192.168.84.0/24 + cap_add: + - NET_ADMIN + - NET_RAW + - SYS_MODULE + sysctl: + net.ipv4.ip_forward: 1 + net.ipv4.conf.all.src_valid_mark: 1 + quadlet_options: + - AutoUpdate=registry + - |- + [Service] + Restart=on-failure + TimeoutStartSec=900 + - |- + [Install] + WantedBy=default.target +# END role_podman ``` diff --git a/defaults/main.yml b/defaults/main.yml index d8dfc5a..71eb4f1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,25 +1,7 @@ --- # defaults file for podman -podman_configure_rsyslog: true -podman_fix_pasta: true - -podman_ssh_host: "{{ inventory_hostname }}" -podman_ssh_port: 22 - podman_auto_update: true +podman_pods: [] podman_containers: [] -# Exemple: -# - image: docker.io/wallabag/wallabag:latest -# name: wallbag -# userns: keep-id -# commands: -# - echo toto -# volumes: -# - wallbag-data:/var/www/wallabag/data -# - wallbag-image:/var/www/wallabag/web/assets/images -# ports: -# - 80:80/tcp -# environment_vars: -# - SYMFONY__ENV__DOMAIN_NAME=https://wallbag.ykn.fr diff --git a/handlers/main.yml b/handlers/main.yml index 05778e4..e3f346e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,32 +1,12 @@ --- # handlers file for exim4 -# source: https://github.com/containers/buildah/issues/5440#issuecomment-2028911573 -- name: Corriger le problème passt VS pasta +- name: Set default permissions on volumes folders ansible.builtin.file: - state: hard - force: true - src: /usr/bin/passt - dest: /usr/bin/pasta - when: podman_fix_pasta - become: true - -- name: Redémarrer l'instance - ansible.builtin.reboot: - become: true - -- name: Attendre que le port SSH soit ouvert - ansible.builtin.wait_for: - host: "{{ podman_ssh_host }}" - port: "{{ podman_ssh_port }}" - search_regex: OpenSSH - delay: 30 - timeout: 900 - sleep: 10 - delegate_to: 127.0.0.1 - -- name: Redémarrer rsyslog.service - ansible.builtin.systemd: - state: restarted - name: rsyslog.service + path: "{{ item.path }}" + owner: "{{ podman_user }}" + group: "{{ podman_user }}" become: true + loop: "{{ folders.results | selectattr('changed', 'equalto', true) }}" + loop_control: + label: "{{ item.path }}" diff --git a/meta/.galaxy_install_info b/meta/.galaxy_install_info new file mode 100644 index 0000000..e18572d --- /dev/null +++ b/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: lun. 21 oct. 2024 11:22:51 +version: master diff --git a/meta/main.yml b/meta/main.yml index 9c61001..08dd360 100644 
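Review bot: `podman_user`, which the new `Set default permissions on volumes folders` handler uses for `owner` and `group`, is defined nowhere in this patch — `defaults/main.yml` and the new `vars/main.yml` only declare `podman_auto_update`, `podman_pods`, `podman_containers` and the two `*_defaults` keys — so unless the inventory supplies it the handler fails with an undefined-variable error the first time a volume directory is created. Give it a documented default in `defaults/main.yml` (or assert it is defined before `Create subvolumes paths` notifies the handler), and decide whether root-owned volumes are acceptable when it is unset, since the deploy tasks in `tasks/main.yml` run with `become: true` and no `become_user`. The handler also re-owns only directories whose creation reported `changed`, leaving pre-existing ones untouched; if that is deliberate, a comment above the `loop:` line would stop it being read as a bug: `# Only directories created by this run are re-owned; existing ones keep their owner`. The stale `# handlers file for exim4` header on the context line could be fixed in the same pass.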
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -8,8 +8,8 @@ galaxy_info:
 min_ansible_version: '2.1'
 platforms:
- - name: Debian
+ - name: CoreOS
 versions:
- - bookworm
+ - 41
 dependencies: []
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
deleted file mode 100644
index 901b946..0000000
--- a/tasks/configuration.yml
+++ /dev/null
@@ -1,82 +0,0 @@ ---- -# tasks file for podman - -- name: Activer le lingering - ansible.builtin.command: - cmd: "loginctl enable-linger {{ container_user }}" - creates: /var/lib/systemd/linger/{{ container_user }} - become: true - loop: "{{ podman_containers }}" - loop_control: - label: "{{ item.name }}" - vars: - container_user: "podman-{{ item.user | default(item.name) }}" - -- name: Créer les dossiers des volumes - ansible.builtin.file: - path: "{{ item.1 | split(':') | first }}" - state: directory - owner: "{{ container_user }}" - group: "{{ container_user }}" - mode: u=rwX,g=rX,o=rX - become: true - loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}" - loop_control: - label: "{{ item.0.name }}" - vars: - container_user: "podman-{{ item.0.user | default(item.0.name) }}" - -- name: Déployer les conteneurs - containers.podman.podman_container: - hostname: "{{ item.hostname | default(inventory_hostname) }}" - name: "{{ item.name }}" - image: "{{ item.image }}" - state: quadlet - device: "{{ item.device | default(omit) }}" - ports: "{{ item.ports | default(omit) }}" - volumes: "{{ item.volumes | default(omit) }}" - userns: "{{ item.userns | default(omit) }}" - mount: "{{ item.mount | default(omit) }}" - publish: "{{ item.publish | default(omit) }}" - env: "{{ item.env | default(omit) }}" - quadlet_options: "{{ item.quadlet_options | default(omit) }}" - sysctl: "{{ item.sysctl | default(omit) }}" - cap_add: "{{ item.cap_add | default(omit) }}" - recreate: true - become: true - become_user: "{{ container_user }}" - register: deploy_container - loop: "{{ podman_containers }}" - loop_control: - label: "{{ item.name }}" - vars: - container_user: "podman-{{ item.user | default(item.name) }}" - -- name: Démarrer ou redémarrer le conteneur - ansible.builtin.systemd_service: - name: "{{ item.item.name }}.service" - state: "{{ 'restarted' if item.changed else 'started' }}" - daemon_reload: true - scope: user - become: true - 
become_user: "{{ container_user }}" - loop: "{{ deploy_container.results }}" - loop_control: - label: "{{ item.item.name }}" - vars: - container_user: "podman-{{ item.item.user | default(item.item.name) }}" - -- name: Activer le service de mise à jour automatique - ansible.builtin.systemd_service: - name: podman-auto-update.timer - daemon_reload: true - enabled: true - scope: user - when: podman_auto_update - become: true - become_user: "{{ container_user }}" - loop: "{{ deploy_container.results }}" - loop_control: - label: "{{ item.item.name }}" - vars: - container_user: "podman-{{ item.item.user | default(item.item.name) }}" diff --git a/tasks/installation.yml b/tasks/installation.yml deleted file mode 100644 index 0313371..0000000 --- a/tasks/installation.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -# tasks file for podman - -- name: Installer les paquets - ansible.builtin.apt: - name: - - dbus-user-session - - containernetworking-dnsname - - containernetworking-plugins - - containernetworking-podman-machine - - dbus-user-session - - passt - - podman - - podman-aardvark-dns - - podman-docker - - podman-gvproxy - - podman-netavark - - python3-podman-compose - - uidmap - - systemd-container - install_recommends: true - state: present - become: true - notify: - - Corriger le problème passt VS pasta - - Redémarrer l'instance - - Attendre que le port SSH soit ouvert - -- name: Exécuter les handlers - ansible.builtin.meta: flush_handlers - -- name: Déployer la configuration de rsyslog - ansible.builtin.template: - src: templates/rsyslog.conf.j2 - dest: /etc/rsyslog.d/10-podman.conf - owner: root - group: root - mode: u=rw,g=r,o=r - when: podman_configure_rsyslog - become: true - notify: Redémarrer rsyslog.service - -- name: Désactiver le service de mise à jour automatique pour root - ansible.builtin.systemd_service: - name: podman-auto-update.timer - enabled: false - become: true diff --git a/tasks/main.yml b/tasks/main.yml index 33151b9..c52242d 100644 
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,10 +1,74 @@ --- # tasks file for podman -- name: Importer les tâches d'installation - ansible.builtin.import_tasks: - file: installation.yml +- name: Ensure podman.service is started + ansible.builtin.systemd_service: + name: podman.service + state: started + enabled: true + masked: false + daemon_reload: true + become: true -- name: Importer les tâches de configuration - ansible.builtin.import_tasks: - file: configuration.yml +- name: Create subvolumes paths + ansible.builtin.file: + path: "{{ item.1 | split(':') | first }}" + state: directory + mode: u=rwX,g=rX,o=rX + become: true + loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}" + loop_control: + label: "{{ item.0.name }}" + register: folders + notify: Set default permissions on volumes folders + +- name: Exécuter les handlers + ansible.builtin.meta: flush_handlers + +- name: Deploy pods + containers.podman.podman_pod: "{{ pod }}" + become: true + loop: "{{ podman_pods }}" + loop_control: + label: "{{ item.name }}" + register: deployed_pods + vars: + pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}" + +- name: Start or restart pods + ansible.builtin.systemd_service: + name: "{{ item.item.name }}-pod.service" + state: "{{ 'restarted' if item.changed else 'started' }}" + daemon_reload: true + become: true + loop: "{{ deployed_pods.results }}" + loop_control: + label: "{{ item.item.name }}" + +- name: Deploy containers + containers.podman.podman_container: "{{ container }}" + become: true + loop: "{{ podman_containers }}" + loop_control: + label: "{{ item.name }}" + register: deployed_containers + vars: + container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}" + +- name: Start or restart containers + ansible.builtin.systemd_service: + name: "{{ item.item.name }}.service" + state: "{{ 'restarted' if item.changed else 'started' }}" + daemon_reload: true + become: true + loop: "{{ deployed_containers.results }}" + 
loop_control: + label: "{{ item.item.name }}" + +- name: Enable containers auto-update service + ansible.builtin.systemd_service: + name: podman-auto-update.timer + daemon_reload: true + enabled: true + when: podman_auto_update + become: true diff --git a/templates/rsyslog.conf.j2 b/templates/rsyslog.conf.j2 deleted file mode 100644 index bfbada3..0000000 --- a/templates/rsyslog.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# {{ ansible_managed }} - -# Don't log podman -:programname, contains, "podman" stop - -# Don't log progams inside podman container -{% for container in podman_containers %} -:programname, contains, "{{ container.name }}" stop -{% endfor %} diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..80ca54f --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,12 @@ +--- + +podman_pods_defaults: [] + +podman_containers_defaults: + state: quadlet + recreate: true + quadlet_options: + - "AutoUpdate=registry" + - | + [Install] + WantedBy=default.target
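Review bot: `Deploy pods`, `Deploy containers` and the two `Start or restart` tasks run with `become: true` and no `become_user`, so the quadlets are installed and their units started as root in the system scope, yet the volume directories they mount are handed to `podman_user` by the `Set default permissions on volumes folders` handler — either the workloads were meant to stay rootless (then `become_user: "{{ podman_user }}"` and `scope: user` belong on those four tasks, together with the lingering the removed `configuration.yml` set up), or the chown serves no purpose for a container that runs as root anyway. `Enable containers auto-update service` has the same shift: it now enables `podman-auto-update.timer` for root, which the removed `installation.yml` disabled explicitly. If running everything as root is the intended CoreOS layout, say so at the top of the file, e.g. `# Quadlets are deployed system-wide as root; podman_user only owns the volume directories`. `Exécuter les handlers` is also the one task name left in French after the others were renamed.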
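Review bot: `podman_pods_defaults: []` is a list, but `tasks/main.yml` passes it to `ansible.builtin.combine(item)`, which accepts only mappings, so the first non-empty `podman_pods` entry makes `Deploy pods` fail with a combine error (the empty default hides this today). It should be a mapping, and presumably mirror the container defaults so that `Start or restart pods` actually finds a `<name>-pod.service` unit to manage: `podman_pods_defaults:` / `  state: quadlet` / `  recreate: true` — assuming the installed collection's `podman_pod` supports `state: quadlet`, which the `-pod.service` naming in `tasks/main.yml` implies. A second point worth a comment on `podman_containers_defaults`: `combine` is shallow, so a per-container `quadlet_options` list replaces this one entirely rather than extending it, which is why the README example repeats `AutoUpdate=registry` and the `[Install]` section; `# Shallow merge: a container's own quadlet_options replaces this list, it does not append to it`.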