ansible-collection-wip/roles/podman_link/tasks/main.yml

---
- name: create service configuration directories
  ansible.builtin.file:
    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0755"
  become: true
  with_items:
    - zammad-storage
    - zammad-var
    - zammad-backup
    - zammad-data
    - signal-cli-rest-api-data
    - bridge-postgresql-data
    - bridge-whatsapp-data
    - redis-data
    - postgresql-data

- name: create configuration directories where containers need to execute scripts
  ansible.builtin.file:
    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0777"
  become: true
  with_items:
    - zammad-config-nginx
    - opensearch-data

- name: install zammad railsserver database configuration file
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0444"
  become: true
  with_items:
    - zammad-database.yml

- name: install env configuration files
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    mode: "0600"
  become: true
  with_items:
    - common-zammad.env
    - common-bridge.env

- name: Set sysctl settings for elasticsearch
  sysctl:
    name: vm.max_map_count
    value: '262144'
    state: present
  become: true

- name: Set vm.overcommit_memory for Memcached
  sysctl:
    name: vm.overcommit_memory
    value: '1'
    state: present
  become: true

- name: install opensearch config
  ansible.builtin.copy:
    src: templates/opensearch-config.yml
    dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml"
    mode: "0444"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
  become: true

- name: install podman quadlet for rootless podman user
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    mode: "0400"
  with_items:
    - link.container
    - zammad-opensearch.container
    - opensearch-dashboards.container
    - bridge-worker.container
    - bridge-postgresql.container
    - bridge-whatsapp.container
    - signal-cli-rest-api.container
    - zammad-init.container
    - zammad-nginx.container
    - zammad-railsserver.container
    - zammad-scheduler.container
    - zammad-postgresql.container
    - zammad-websocket.container
    - zammad-redis.container
    - zammad-memcached.container
  become: true


- name: install network quadlets for rootless podman user
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    mode: "0400"
  with_items:
    - frontend.network
    - link.network
  become: true

- name: verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: podman_link_quadlet_result
  ignore_errors: true
  changed_when: false
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"

- name: assert that the quadlet verification succeeded
  ansible.builtin.assert:
    that:
      - podman_link_quadlet_result.rc == 0
    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."

#- name: set up nginx
#  ansible.builtin.include_role:
#    name: irl.wip.podman_nginx
#  vars:
#    podman_nginx_frontend_network: frontend
#    podman_nginx_podman_rootless_user: "{{ podman_link_podman_rootless_user }}"
#    podman_nginx_primary_hostname: "{{ podman_link_web_hostname }}"
#    podman_nginx_systemd_service_slice: "link.slice"
#    podman_nginx_systemd_service_requires: ["zammad-nginx"]
#
#
#- name: create nginx configuration file
#  ansible.builtin.template:
#    src: nginx.conf
#    dest: "/home/{{ podman_link_podman_rootless_user }}/nginx/nginx.conf"
#    owner: "{{ podman_link_podman_rootless_user }}"
#    group: "{{ podman_link_podman_rootless_user }}"
#    mode: "0644"
#  become: true

- name: install services slice for rootless podman user
  ansible.builtin.template:
    src: "link.slice"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/systemd/user/link.slice"
    owner: "{{ podman_link_podman_rootless_user }}"
    group:  "{{ podman_link_podman_rootless_user }}"
    mode: "0655"
  become: true

- name: make sure services are started on boot
  ansible.builtin.systemd_service:
    name: "link.slice"
    enabled: true
    state: started
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"
  notify:
    - "restart link.slice"


- name: set es verify false
  ansible.builtin.shell: >
    podman exec zammad-railsserver rails r "Setting.set('es_ssl_verify', false)"
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"
  notify:
    - "restart link.slice"
  register: es_ssl_result
  retries: 20
  delay: 5
  until: es_ssl_result.rc == 0

- name: Run OpenSearch setup script
  ansible.builtin.shell: |
    podman exec zammad-opensearch /bin/sh -c '
      if [ ! -f /tmp/.securityadmin_done ]; then
        chmod +x /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh && \
        /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
          -cd /usr/share/opensearch/config/opensearch-security/ \
          -icl \
          -key /usr/share/opensearch/config/kirk-key.pem \
          -cert /usr/share/opensearch/config/kirk.pem \
          -cacert /usr/share/opensearch/config/root-ca.pem \
          -nhnv && \
        touch /tmp/.securityadmin_done
      fi
    '
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"
  register: securityadmin_scipt_result
  retries: 20
  delay: 5
  until: securityadmin_scipt_result.rc == 0
  notify:
    - "restart link.slice"

- name: set up nginx
  ansible.builtin.include_role:
    name: irl.wip.podman_nginx
  vars:
    podman_nginx_frontend_network: frontend
    podman_nginx_podman_rootless_user: "{{ podman_link_podman_rootless_user }}"
    podman_nginx_primary_hostname: "{{ podman_link_web_hostname }}"
    podman_nginx_systemd_service_slice: link.slice
    podman_nginx_systemd_service_requires: ["zammad-nginx"]
#    podman_nginx_additional_volumes:
#      - src: "/home/{{ podman_cleaninsights_podman_rootless_user }}/matomo"
#        dest: "/var/www/html"
#        options: "ro"

- name: create nginx configuration file
  ansible.builtin.template:
    src: nginx.conf
    dest: "/home/{{ podman_link_podman_rootless_user }}/nginx/nginx.conf"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0644"
  become: true
  notify:
    - "restart link.slice"
Feat: add link role 2025-08-25 10:12:25 +01:00			`---`
			`- name: create service configuration directories`
			`ansible.builtin.file:`
			`path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"`
			`state: directory`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`group: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0755"`
			`become: true`
			`with_items:`
			`- zammad-storage`
			`- zammad-var`
			`- zammad-backup`
			`- zammad-data`
			`- signal-cli-rest-api-data`
			`- bridge-postgresql-data`
			`- bridge-whatsapp-data`
			`- redis-data`
			`- postgresql-data`

			`- name: create configuration directories where containers need to execute scripts`
			`ansible.builtin.file:`
			`path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"`
			`state: directory`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`group: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0777"`
			`become: true`
			`with_items:`
			`- zammad-config-nginx`
			`- opensearch-data`

			`- name: install zammad railsserver database configuration file`
			`ansible.builtin.template:`
			`src: "{{ item }}"`
			`dest: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`group: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0444"`
			`become: true`
			`with_items:`
			`- zammad-database.yml`

			`- name: install env configuration files`
			`ansible.builtin.template:`
			`src: "{{ item }}"`
			`dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0600"`
			`become: true`
			`with_items:`
			`- common-zammad.env`
			`- common-bridge.env`

			`- name: Set sysctl settings for elasticsearch`
			`sysctl:`
			`name: vm.max_map_count`
			`value: '262144'`
			`state: present`
			`become: true`

			`- name: Set vm.overcommit_memory for Memcached`
			`sysctl:`
			`name: vm.overcommit_memory`
			`value: '1'`
			`state: present`
			`become: true`

			`- name: install opensearch config`
			`ansible.builtin.copy:`
			`src: templates/opensearch-config.yml`
			`dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml"`
			`mode: "0444"`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`group: "{{ podman_link_podman_rootless_user }}"`
			`become: true`

			`- name: install podman quadlet for rootless podman user`
			`ansible.builtin.template:`
			`src: "{{ item }}"`
			`dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0400"`
			`with_items:`
			`- link.container`
			`- zammad-opensearch.container`
			`- opensearch-dashboards.container`
			`- bridge-worker.container`
			`- bridge-postgresql.container`
			`- bridge-whatsapp.container`
			`- signal-cli-rest-api.container`
			`- zammad-init.container`
			`- zammad-nginx.container`
			`- zammad-railsserver.container`
			`- zammad-scheduler.container`
			`- zammad-postgresql.container`
			`- zammad-websocket.container`
			`- zammad-redis.container`
			`- zammad-memcached.container`
			`become: true`


			`- name: install network quadlets for rootless podman user`
			`ansible.builtin.template:`
			`src: "{{ item }}"`
			`dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0400"`
			`with_items:`
			`- frontend.network`
			`- link.network`
			`become: true`

			`- name: verify quadlets are correctly defined`
			`ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user`
			`register: podman_link_quadlet_result`
			`ignore_errors: true`
			`changed_when: false`
			`become: true`
			`become_user: "{{ podman_link_podman_rootless_user }}"`

			`- name: assert that the quadlet verification succeeded`
			`ansible.builtin.assert:`
			`that:`
			`- podman_link_quadlet_result.rc == 0`
			`fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."`

			`#- name: set up nginx`
			`# ansible.builtin.include_role:`
			`# name: irl.wip.podman_nginx`
			`# vars:`
			`# podman_nginx_frontend_network: frontend`
			`# podman_nginx_podman_rootless_user: "{{ podman_link_podman_rootless_user }}"`
			`# podman_nginx_primary_hostname: "{{ podman_link_web_hostname }}"`
			`# podman_nginx_systemd_service_slice: "link.slice"`
			`# podman_nginx_systemd_service_requires: ["zammad-nginx"]`
			`#`
			`#`
			`#- name: create nginx configuration file`
			`# ansible.builtin.template:`
			`# src: nginx.conf`
			`# dest: "/home/{{ podman_link_podman_rootless_user }}/nginx/nginx.conf"`
			`# owner: "{{ podman_link_podman_rootless_user }}"`
			`# group: "{{ podman_link_podman_rootless_user }}"`
			`# mode: "0644"`
			`# become: true`

			`- name: install services slice for rootless podman user`
			`ansible.builtin.template:`
			`src: "link.slice"`
			`dest: "/home/{{ podman_link_podman_rootless_user }}/.config/systemd/user/link.slice"`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`group: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0655"`
			`become: true`

			`- name: make sure services are started on boot`
			`ansible.builtin.systemd_service:`
			`name: "link.slice"`
			`enabled: true`
			`state: started`
			`daemon_reload: true`
			`scope: user`
			`become: true`
			`become_user: "{{ podman_link_podman_rootless_user }}"`
			`notify:`
			`- "restart link.slice"`


			`- name: set es verify false`
			`ansible.builtin.shell: >`
			`podman exec zammad-railsserver rails r "Setting.set('es_ssl_verify', false)"`
			`become: true`
			`become_user: "{{ podman_link_podman_rootless_user }}"`
			`notify:`
			`- "restart link.slice"`
			`register: es_ssl_result`
			`retries: 20`
			`delay: 5`
			`until: es_ssl_result.rc == 0`

			`- name: Run OpenSearch setup script`
			`ansible.builtin.shell: \|`
			`podman exec zammad-opensearch /bin/sh -c '`
			`if [ ! -f /tmp/.securityadmin_done ]; then`
			`chmod +x /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh && \`
			`/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \`
			`-cd /usr/share/opensearch/config/opensearch-security/ \`
			`-icl \`
			`-key /usr/share/opensearch/config/kirk-key.pem \`
			`-cert /usr/share/opensearch/config/kirk.pem \`
			`-cacert /usr/share/opensearch/config/root-ca.pem \`
			`-nhnv && \`
			`touch /tmp/.securityadmin_done`
			`fi`
			`'`
			`become: true`
			`become_user: "{{ podman_link_podman_rootless_user }}"`
			`register: securityadmin_scipt_result`
			`retries: 20`
			`delay: 5`
			`until: securityadmin_scipt_result.rc == 0`
			`notify:`
			`- "restart link.slice"`

			`- name: set up nginx`
			`ansible.builtin.include_role:`
			`name: irl.wip.podman_nginx`
			`vars:`
			`podman_nginx_frontend_network: frontend`
			`podman_nginx_podman_rootless_user: "{{ podman_link_podman_rootless_user }}"`
			`podman_nginx_primary_hostname: "{{ podman_link_web_hostname }}"`
			`podman_nginx_systemd_service_slice: link.slice`
			`podman_nginx_systemd_service_requires: ["zammad-nginx"]`
			`# podman_nginx_additional_volumes:`
			`# - src: "/home/{{ podman_cleaninsights_podman_rootless_user }}/matomo"`
			`# dest: "/var/www/html"`
			`# options: "ro"`

			`- name: create nginx configuration file`
			`ansible.builtin.template:`
			`src: nginx.conf`
			`dest: "/home/{{ podman_link_podman_rootless_user }}/nginx/nginx.conf"`
			`owner: "{{ podman_link_podman_rootless_user }}"`
			`group: "{{ podman_link_podman_rootless_user }}"`
			`mode: "0644"`
			`become: true`
			`notify:`
			`- "restart link.slice"`