refacto: Rewriting for Debian Sid

2025-01-03 18:04:57 +01:00
13 changed files with 257 additions and 241 deletions
--- a/README.md
+++ b/README.md
@@ -1,14 +1,54 @@
 # role_podman
-Deploy podman, manage pods and containers.
+Install podman and manage pods and containers.
 ## Pre-requisite
 The podman user (`podman_user`) must be created before executing this role.
 ## Variables
 ### podman_packages
 List of packages to install in order to use podman.
 <span style="text-decoration: underline">Default value:</span> `["catatonit", "dbus-user-session", "passt", "podman", "podman-docker", "uidmap", "systemd-container"]`
 ### podman_fix_pasta
 On bookworm, we need to fix pasta to use podman ([see here](https://github.com/containers/buildah/issues/5440#issuecomment-2028911573)).
 <span style="text-decoration: underline">Default value:</span> `false`
 ### podman_user
 Users with container configuration.
 <span style="text-decoration: underline">Default value:</span> `podman`
 ### podman_configure_rsyslog
 Status of messages from the *podman* binary and from binaries in containers if they're equalto the container name.
 <span style="text-decoration: underline">Default value:</span> `true`
 ### podman_ssh_host
 Host to be tested for instance availability.
 <span style="text-decoration: underline">Default value:</span> `{{ inventory_hostname }}`
 ### podman_ssh_port
 Port to be tested for instance availability.
 <span style="text-decoration: underline">Default value:</span> `22`
 ### podman_auto_update
 Status of the automatic container update service.
-<span style="text-decoration: underline">Default value:</span> `true
+<span style="text-decoration: underline">Default value:</span> `true`
 ### podman_pods
@@ -22,45 +62,28 @@ List of dictionnaries to define containers ([see ansible documentation](https://
 <span style="text-decoration: underline">Default value:</span> none
-## Usage
+## Extras
-To deploy *wg-easy* container:
+It's possible to use this role with the alvistack repository by setting the variables to the following values:
-```yml
+```yaml
 # BEGIN role_podman
-podman_containers:
+podman_packages:
-  - image: "ghcr.io/wg-easy/wg-easy:latest"
+  - catatonit
-    name: wg-easy
+  - dbus-user-session
-    publish:
+  - containernetworking-dnsname
-      - "51820:51820/udp"
+  - containernetworking-plugins
-      - "51821:51821/tcp"
+  - containernetworking-podman-machine
-    volumes:
+  - passt
-      - "/srv/wg-easy:/etc/wireguard"
+  - podman
-    env:
+  - podman-aardvark-dns
-      LANG: fr
+  - podman-docker
-      PORT: 51821
+  - podman-gvproxy
-      UI_CHART_TYPE: 2
+  - podman-netavark
-      PASSWORD_HASH: <secret>
+  - python3-podman-compose
-      WG_HOST: noun.ykn.fr
+  - uidmap
-      WG_PORT: 51820
+  - systemd-container
-      WG_PERSISTENT_KEEPALIVE: 25
+
-      WG_DEFAULT_DNS: ""
+podman_fix_pasta: true
      WG_ALLOWED_IPS: 192.168.84.0/24
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctl:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.src_valid_mark: 1
    quadlet_options:
      - AutoUpdate=registry
      - |-
        [Service]
        Restart=on-failure
        TimeoutStartSec=900
      - |-
        [Install]
        WantedBy=default.target
 # END role_podman
 ```
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,24 +1,24 @@
 ---
 # defaults file for podman
 # Packages to install to run podman
 podman_packages:
  - catatonit
  - dbus-user-session
  - passt
  - podman
-  - policycoreutils-python-utils # to manage SELinux
+  - podman-docker
  - uidmap
  - systemd-container
 podman_fix_pasta: false
 # Dedicated user
 podman_user: podman
 podman_user_homedir: /home/{{ podman_user }}
-# Enable container auto-update
+podman_configure_rsyslog: true
 podman_ssh_host: "{{ inventory_hostname }}"
 podman_ssh_port: 22
 podman_auto_update: true
-# List of quadlets to deploy
+podman_pods: []
-podman_quadlets_rootless: []
+podman_containers: []
 # Example:
 # podman_quadlets:
 #   - uptime-kuma.network
 #   - uptime-kuma.container
 #   - signal-cli-rest-api.container
 podman_quadlets_rootful: []
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,42 +1,45 @@
 ---
-# handlers file for podman
+# handlers file for exim4
- name: Start or restart rootless quadlets
+- name: Set default permissions on volumes folders
-  ansible.builtin.systemd_service:
+  ansible.builtin.file:
-    name: "{{ unit }}"
+    path: "{{ item.path }}"
-    state: "{{ 'restarted' if item.changed else 'started' }}"
+    owner: "{{ podman_user }}"
-    daemon_reload: true
+    group: "{{ podman_user }}"
    enabled: true
    scope: user
  become: true
-  become_user: "{{ podman_user }}"
+  loop: "{{ folders.results | selectattr('changed', 'equalto', true) }}"
  loop: "{{ deployed_quadlets_rootless.results }}"
  loop_control:
-    label: "{{ unit }}"
+    label: "{{ item.path }}"
  vars:
    unit: >-
      {{
        item.item | ansible.builtin.basename |
        ansible.builtin.regex_replace('\.container$', '.service') |
        ansible.builtin.regex_replace('\.network$', '-network.service') |
        ansible.builtin.regex_replace('\.volume$', '-volume.service')
      }}
- name: Start or restart rootful quadlets
+# source: https://github.com/containers/buildah/issues/5440#issuecomment-2028911573
-  ansible.builtin.systemd_service:
+- name: Fix passt VS pasta
-    name: "{{ unit }}"
+  ansible.builtin.file:
-    state: "{{ 'restarted' if item.changed else 'started' }}"
+    state: hard
-    daemon_reload: true
+    src: /usr/bin/passt
-    enabled: true
+    dest: /usr/bin/pasta
    owner: root
    group: root
    mode: u=rw,g=r,o=r
    force: true
  when: podman_fix_pasta
  become: true
 - name: Restart instance
  ansible.builtin.reboot:
  become: true
 - name: Wait SSH is ready
  ansible.builtin.wait_for:
    host: "{{ podman_ssh_host }}"
    port: "{{ podman_ssh_port }}"
    search_regex: OpenSSH
    delay: 30
    timeout: 900
    sleep: 10
  delegate_to: 127.0.0.1
 - name: Restart rsyslog.service
  ansible.builtin.systemd:
    state: restarted
    name: rsyslog.service
  become: true
  loop: "{{ deployed_quadlets_rootful.results }}"
  loop_control:
    label: "{{ unit }}"
  vars:
    unit: >-
      {{
        item.item | ansible.builtin.basename |
        ansible.builtin.regex_replace('\.container$', '.service') |
        ansible.builtin.regex_replace('\.network$', '-network.service') |
        ansible.builtin.regex_replace('\.volume$', '-volume.service')
      }}
--- a/meta/.galaxy_install_info
+++ b/meta/.galaxy_install_info
@@ -0,0 +1,2 @@
 install_date: lun. 21 oct. 2024 11:22:51
 version: master
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,15 +1,15 @@
 galaxy_info:
  namespace: ykn
  author: pulsar89.5
-  description: Deploy podman quadlets
+  description: Rôle de déploiement de podman
  license: GPL-3.0-or-later
  min_ansible_version: '2.1'
  platforms:
-    - name: Fedora
+    - name: Debian
      versions:
-        - "43"
+        - sid
 dependencies: []
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -1,54 +0,0 @@
 ---
 # tasks file for podman
 - name: Create dedicated group
  ansible.builtin.group:
    name: "{{ podman_user }}"
  become: true
 - name: Create dedicated user
  ansible.builtin.user:
    name: "{{ podman_user }}"
    comment: Dedicated Podman user
    home: "{{ podman_user_homedir }}"
    password_lock: true
    shell: /bin/bash
    group: podman
  become: true
 - name: Enable lingering for podman user
  ansible.builtin.command:
    cmd: "{{ item }}"
    creates: /var/lib/systemd/linger/{{ podman_user }}
  become: true
  loop:
    - sudo systemctl --machine={{ podman_user }}@.host --user daemon-reload
    - loginctl enable-linger {{ podman_user }}
 - name: Enable containers auto-update service
  ansible.builtin.systemd_service:
    name: podman-auto-update.timer
    state: started
    daemon_reload: true
    scope: user
  when: podman_auto_update
  become: true
  become_user: "{{ podman_user }}"
 - name: Create podman user directory tree
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: "{{ podman_user }}"
    group: "{{ podman_user }}"
    mode: "{{ item.mode }}"
    state: directory
  become: true
  loop:
    - path: "{{ podman_user_homedir }}/.config"
      mode: u=rwX,g=,o=
    - path: "{{ podman_user_homedir }}/.config/containers"
      mode: u=rwX,g=rX,o=rX
    - path: "{{ podman_user_homedir }}/.config/containers/systemd"
      mode: u=rwX,g=rX,o=rX
  loop_control:
    label: "{{ item.path }}"
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -0,0 +1,79 @@
 ---
 # tasks file for podman
 - name: Enable lingering for podman user
  ansible.builtin.command:
    cmd: "loginctl enable-linger {{ podman_user }}"
    creates: /var/lib/systemd/linger/podman
  become: true
 - name: Create subvolumes paths
  ansible.builtin.file:
    path: "{{ item.1 | split(':') | first }}"
    state: directory
    mode: u=rwX,g=rX,o=rX
  become: true
  loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}"
  loop_control:
    label: "{{ item.0.name }}"
  register: folders
  notify: Set default permissions on volumes folders
 - name: Exécuter les handlers
  ansible.builtin.meta: flush_handlers
 - name: Deploy pods
  containers.podman.podman_pod: "{{ pod }}"
  become: true
  become_user: "{{ podman_user }}"
  loop: "{{ podman_pods }}"
  loop_control:
    label: "{{ item.name }}"
  register: deployed_pods
  vars:
    pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}"
 - name: Start or restart pods
  ansible.builtin.systemd_service:
    name: "{{ item.item.name }}-pod.service"
    state: "{{ 'restarted' if item.changed else 'started' }}"
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ podman_user }}"
  loop: "{{ deployed_pods.results }}"
  loop_control:
    label: "{{ item.item.name }}"
 - name: Deploy containers
  containers.podman.podman_container: "{{ container }}"
  become: true
  become_user: "{{ podman_user }}"
  loop: "{{ podman_containers }}"
  loop_control:
    label: "{{ item.name }}"
  register: deployed_containers
  vars:
    container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}"
 - name: Start or restart containers
  ansible.builtin.systemd_service:
    name: "{{ item.item.name }}.service"
    state: "{{ 'restarted' if item.changed else 'started' }}"
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ podman_user }}"
  loop: "{{ deployed_containers.results }}"
  loop_control:
    label: "{{ item.item.name }}"
 - name: Enable containers auto-update service
  ansible.builtin.systemd_service:
    name: podman-auto-update.timer
    daemon_reload: true
    enabled: true
    scope: user
  when: podman_auto_update
  become: true
  become_user: "{{ podman_user }}"
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@@ -0,0 +1,33 @@
 ---
 # tasks file for podman
 - name: Installer les paquets
  ansible.builtin.apt:
    name: "{{ podman_packages }}"
    install_recommends: true
    state: present
  become: true
  notify:
 #    - Fix passt VS pasta
 #    - Restart instance
 #    - Wait SSH is ready
 - name: Exécuter les handlers
  ansible.builtin.meta: flush_handlers
 - name: Déployer la configuration de rsyslog
  ansible.builtin.template:
    src: templates/rsyslog.conf.j2
    dest: /etc/rsyslog.d/10-podman.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  when: podman_configure_rsyslog
  become: true
  notify: Restart rsyslog.service
 - name: Désactiver le service de mise à jour automatique pour root
  ansible.builtin.systemd_service:
    name: podman-auto-update.timer
    enabled: false
  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,25 +1,10 @@
 ---
 # tasks file for podman
- name: Install packages
+- name: Import installation tasks
-  ansible.builtin.dnf:
+  ansible.builtin.import_tasks:
-    name: "{{ podman_packages }}"
+    file: installation.yml
  become: true
 - name: Import configuration tasks
  ansible.builtin.import_tasks:
-    file: config.yml
+    file: configuration.yml
  when: podman_quadlets_rootless | length > 0
 - name: Import management tasks for rootless quadlets
  ansible.builtin.import_tasks:
    file: manage_rootless.yml
  when: podman_quadlets_rootless | length > 0
 - name: Import management tasks for rootful quadlets
  ansible.builtin.import_tasks:
    file: manage_rootful.yml
  when: podman_quadlets_rootful | length > 0
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers
--- a/tasks/manage_rootful.yml
+++ b/tasks/manage_rootful.yml
@@ -1,17 +0,0 @@
 ---
 # tasks file for podman
 - name: Deploy rootful quadlets
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/containers/systemd/{{ item | ansible.builtin.basename }}"
    owner: root
    group: root
    mode: u=rw,g=r,o=
  become: true
  loop: "{{ podman_quadlets_rootful }}"
  register: deployed_quadlets_rootful
  notify: Start or restart rootful quadlets
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers
--- a/tasks/manage_rootless.yml
+++ b/tasks/manage_rootless.yml
@@ -1,59 +0,0 @@
 ---
 # tasks file for podman
 - name: List current rootless quadlets
  ansible.builtin.find:
    paths: "{{ podman_user_homedir }}/.config/containers/systemd"
  become: true
  register: current_quadlets
 - name: Extract list of undefined quadlets
  ansible.builtin.set_fact:
    podman_quadlets_undefined: >-
      {{
        current_quadlets.files |
        map(attribute='path') |
        map('ansible.builtin.basename') |
        ansible.builtin.difference(podman_qualets_filenames)
      }}
  vars:
    podman_qualets_filenames: "{{ podman_quadlets_rootless | map('ansible.builtin.basename') }}"
 - name: Stop unwanted rootless quadlets
  ansible.builtin.systemd_service:
    name: "{{ unit }}"
    state: stopped
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ podman_user }}"
  loop: "{{ podman_quadlets_undefined }}"
  loop_control:
    label: "{{ unit }}"
  vars:
    unit: >-
      {{
        item | ansible.builtin.basename |
        ansible.builtin.regex_replace('\.container$', '.service') |
        ansible.builtin.regex_replace('\.network$', '-network.service') |
        ansible.builtin.regex_replace('\.volume$', '-volume.service')
      }}
 - name: Remove undefined rootless quadlets
  ansible.builtin.file:
    path: "{{ podman_user_homedir }}/.config/containers/systemd/{{ item }}"
    state: absent
  become: true
  loop: "{{ podman_quadlets_undefined }}"
 - name: Deploy rootless quadlets
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "{{ podman_user_homedir }}/.config/containers/systemd/{{ item | ansible.builtin.basename }}"
    owner: "{{ podman_user }}"
    group: "{{ podman_user }}"
    mode: u=rw,g=r,o=
  become: true
  loop: "{{ podman_quadlets_rootless }}"
  register: deployed_quadlets_rootless
  notify: Start or restart rootless quadlets
--- a/templates/rsyslog.conf.j2
+++ b/templates/rsyslog.conf.j2
@@ -0,0 +1,9 @@
 # {{ ansible_managed }}
 # Don't log podman
 :programname, contains, "podman" stop
 # Don't log progams inside podman container
 {% for container in podman_containers %}
 :programname, contains, "{{ container.name }}" stop
 {% endfor %}
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1,12 @@
 ---
 podman_pods_defaults: []
 podman_containers_defaults:
  state: quadlet
  recreate: true
  quadlet_options:
    - "AutoUpdate=registry"
    - |
      [Install]
      WantedBy=default.target
		`@@ -0,0 +1,2 @@`
							`install_date: lun. 21 oct. 2024 11:22:51`
							`version: master`