From 65fcca88f5b5fa75fcb78efed365695921fb3551 Mon Sep 17 00:00:00 2001
From: irl
Date: Wed, 3 Dec 2025 15:39:23 +0000
Subject: [PATCH 1/4] feat(podman_link): split up container networks for isolation

Fixes: #4
---
roles/podman_link/tasks/main.yml | 2 ++
.../config/containers/systemd/bridge-whatsapp.container | 2 +-
.../home/config/containers/systemd/bridge-worker.container | 2 ++
.../home/config/containers/systemd/channels.network | 2 ++
.../templates/home/config/containers/systemd/link.container | 2 ++
.../containers/systemd/opensearch-dashboards.container | 6 +++---
.../config/containers/systemd/signal-cli-rest-api.container | 2 +-
.../home/config/containers/systemd/zammad-init.container | 2 +-
.../config/containers/systemd/zammad-memcached.container | 2 +-
.../home/config/containers/systemd/zammad-nginx.container | 2 +-
.../config/containers/systemd/zammad-opensearch.container | 2 +-
.../config/containers/systemd/zammad-postgresql.container | 2 +-
.../config/containers/systemd/zammad-railsserver.container | 2 +-
.../home/config/containers/systemd/zammad-redis.container | 2 +-
.../config/containers/systemd/zammad-scheduler.container | 2 +-
.../config/containers/systemd/zammad-websocket.container | 2 +-
.../templates/home/config/containers/systemd/zammad.network | 2 ++
17 files changed, 24 insertions(+), 14 deletions(-)
create mode 100644 roles/podman_link/templates/home/config/containers/systemd/channels.network
create mode 100644 roles/podman_link/templates/home/config/containers/systemd/zammad.network

diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index b67d02f..4f7c2b6 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -177,8 +177,10 @@
 owner: "{{ podman_link_podman_rootless_user }}"
 mode: "0400"
 with_items:
+ - channels.network
 - frontend.network
 - link.network
+ - zammad.network
 become: true
 notify:
 - Restart Link
diff --git a/roles/podman_link/templates/home/config/containers/systemd/bridge-whatsapp.container b/roles/podman_link/templates/home/config/containers/systemd/bridge-whatsapp.container
index da98075..9a2e04c 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/bridge-whatsapp.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/bridge-whatsapp.container
@@ -7,7 +7,7 @@ Environment=BRIDGE_FRONTEND_URL=http://link:3000
 ExposeHostPort=5000
 Image=registry.gitlab.com/digiresilience/link/link-stack/bridge-whatsapp:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/bridge-whatsapp-data:/home/node/baileys:rw,Z
-Network=link.network
+Network=channels.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/bridge-worker.container b/roles/podman_link/templates/home/config/containers/systemd/bridge-worker.container
index f916fc0..7ed34bc 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/bridge-worker.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/bridge-worker.container
@@ -9,6 +9,8 @@ ContainerName=bridge-worker
 EnvironmentFile=common-bridge.env
 Image=registry.gitlab.com/digiresilience/link/link-stack/bridge-worker:{{ podman_link_stack_version }}
 Network=link.network
+Network=channels.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/channels.network b/roles/podman_link/templates/home/config/containers/systemd/channels.network
new file mode 100644
index 0000000..7b886b1
--- /dev/null
+++ b/roles/podman_link/templates/home/config/containers/systemd/channels.network
@@ -0,0 +1,2 @@
+[Network]
+NetworkName=channels
diff --git a/roles/podman_link/templates/home/config/containers/systemd/link.container b/roles/podman_link/templates/home/config/containers/systemd/link.container
index b0d5609..4cfd232 100644
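Review bot: The new `channels.network` unit (and `zammad.network` in the later hunk of this patch) says nothing about which containers belong on it or why, so the isolation this commit introduces cannot be checked from the unit files themselves; a header comment such as `# Channel bridges (signal-cli-rest-api, bridge-whatsapp); reachable from link and bridge-worker only` would make the intended boundary explicit, and `#` comments are already used in these units. From the hunks, `bridge-worker` and `link` are attached to `link.network`, `channels.network` and `zammad.network` at once, so they are the crossing points between the segments and any review of the isolation should start there. Stating that in the `.network` units keeps the map current when a service moves.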
--- a/roles/podman_link/templates/home/config/containers/systemd/link.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/link.container
@@ -16,6 +16,8 @@ EnvironmentFile=common-bridge.env
 ExposeHostPort=3000
 Image=registry.gitlab.com/digiresilience/link/link-stack/link:{{ podman_link_stack_version }}
 Network=link.network
+Network=channels.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
index e23b0d4..0d0ac6d 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
@@ -5,12 +5,12 @@ PartOf=link.target
 
 [Container]
 ContainerName=opensearch-dashboards
-#Environment=OPENSEARCH_USERNAME=admin
-#Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password }}
+Environment=OPENSEARCH_USERNAME=admin
+Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password }}
 Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch-dashboards:{{ podman_link_stack_version }}
 PublishPort=127.0.0.1:5601:5601
 #Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards-config.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/signal-cli-rest-api.container b/roles/podman_link/templates/home/config/containers/systemd/signal-cli-rest-api.container
index 37406ab..8332001 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/signal-cli-rest-api.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/signal-cli-rest-api.container
@@ -10,7 +10,7 @@ Environment=SIGNAL_CLI_GID=1002
 ExposeHostPort=8081
 Image=registry.gitlab.com/digiresilience/link/link-stack/signal-cli-rest-api:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/signal-cli-rest-api-data:/home/.local/share/signal-cli:rw,Z
-Network=link.network
+Network=channels.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-init.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-init.container
index 27c7258..cfcc070 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-init.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-init.container
@@ -10,7 +10,7 @@ Image=registry.gitlab.com/digiresilience/link/link-stack/zammad:{{ podman_link_s
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-config-nginx:/etc/nginx/sites-enabled:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-var:/opt/zammad/var:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-storage:/opt/zammad/storage:ro,z
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=on-failure
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-memcached.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-memcached.container
index 24f130f..91ef061 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-memcached.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-memcached.container
@@ -5,7 +5,7 @@ PartOf=zammad-storage.target
 ContainerName=zammad-memcached
 Exec=memcached -m 256M
 Image=registry.gitlab.com/digiresilience/link/link-stack/memcached:{{ podman_link_stack_version }}
-Network=link.network
+Network=zammad.network
 ExposeHostPort=11211
 
 [Service]
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
index 3f67689..f7c57f0 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container
@@ -11,7 +11,7 @@ ExposeHostPort=8080
 Image=registry.gitlab.com/digiresilience/link/link-stack/zammad:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-config-nginx:/etc/nginx/sites-enabled:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-var:/opt/zammad/var:ro,z
-Network=link.network
+Network=zammad.network
 Network=frontend.network
 
 [Service]
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
index 432bd34..3f45ea1 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
@@ -20,7 +20,7 @@ PublishPort=127.0.0.1:9200:9200
 PublishPort=127.0.0.1:9600:9600
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-data:/usr/share/opensearch/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml:/usr/share/opensearch/config/opensearch-security/config.yml:rw,Z
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
index f91ee46..db2513e 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-postgresql.container
@@ -12,7 +12,7 @@ Image=registry.gitlab.com/digiresilience/link/link-stack/postgresql:{{ podman_li
 Volume=/home/{{ podman_link_podman_rootless_user }}/postgresql-data:/var/lib/postgresql/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-data:/opt/zammad:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-backup:/var/tmp/zammad:ro,z
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-railsserver.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-railsserver.container
index e0849e1..de138c6 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-railsserver.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-railsserver.container
@@ -12,7 +12,7 @@ Image=registry.gitlab.com/digiresilience/link/link-stack/zammad:{{ podman_link_s
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-var:/opt/zammad/var:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-storage:/opt/zammad/storage:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-database.yml:/opt/zammad/config/database.yml:ro,z
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-redis.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-redis.container
index e1bede8..00b00c6 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-redis.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-redis.container
@@ -6,7 +6,7 @@ ContainerName=zammad-redis
 Environment=REDIS_PASSWORD={{ podman_link_zammad_redis_password }}
 Image=registry.gitlab.com/digiresilience/link/link-stack/redis:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/redis-data:/data:rw,Z
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-scheduler.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-scheduler.container
index 70c8a30..0a43f69 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-scheduler.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-scheduler.container
@@ -9,7 +9,7 @@ Exec=zammad-scheduler
 Image=registry.gitlab.com/digiresilience/link/link-stack/zammad:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-var:/opt/zammad/var:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-storage:/opt/zammad/storage:rw,z
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-websocket.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-websocket.container
index 8c4654d..1f1703c 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-websocket.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-websocket.container
@@ -9,7 +9,7 @@ Exec=zammad-websocket
 Image=registry.gitlab.com/digiresilience/link/link-stack/zammad:{{ podman_link_stack_version }}
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-var:/opt/zammad/var:rw,z
 Volume=/home/{{ podman_link_podman_rootless_user }}/zammad-storage:/opt/zammad/storage:rw,z
-Network=link.network
+Network=zammad.network
 
 [Service]
 Restart=always
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad.network b/roles/podman_link/templates/home/config/containers/systemd/zammad.network
new file mode 100644
index 0000000..3d68c3a
--- /dev/null
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad.network
@@ -0,0 +1,2 @@
+[Network]
+NetworkName=zammad

From b6ddf7bcac4567755106812cbb3b4ca2e5e62bec Mon Sep 17 00:00:00 2001
From: irl
Date: Wed, 3 Dec 2025 15:48:24 +0000
Subject: [PATCH 2/4] feat(podman_link): exclude more attachment types when indexing opensearch

Ref: #8
---
roles/podman_link/tasks/main.yml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)

diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index 4f7c2b6..4c43a60 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -317,6 +317,29 @@
 become_user: "{{ podman_link_podman_rootless_user }}"
 changed_when: false
 
+- name: Podman CDR Link | AUDIT | Check if specified attachment types are excluded from Opensearch indexing
+ containers.podman.podman_container_exec:
+ name: zammad-railsserver
+ argv:
+ - rails
+ - r
+ - "print Setting.get('es_attachment_ignore')"
+ become: true
+ become_user: "{{ podman_link_podman_rootless_user }}"
+ register: _podman_link_zammad_es_ssl_verify
+ changed_when: false
+
+- name: Podman CDR Link | PATCH | Configure Zammad to exclude specified attachment types from Opensearch indexing
+ containers.podman.podman_container_exec:
+ name: zammad-railsserver
+ argv:
+ - rails
+ - r
+ - "Setting.set('es_attachment_ignore', %w[.png .jpg .jpeg .mpeg .mpg .mov .bin .exe .box .mbox .avi .mp4 .mp3 unknown-filename unknown .webp .m4v .mkv ])"
+ become: true
+ become_user: "{{ podman_link_podman_rootless_user }}"
+ when: (_podman_link_zammad_es_ssl_verify.stdout | trim)[-199:] != "[\".png\", \".jpg\", \".jpeg\", \".mpeg\", \".mpg\", \".mov\", \".bin\", \".exe\", \".box\", \".mbox\", \".avi\", \".mp4\", \".mp3\", \"unknown-filename\", \"unknown\", \".webp\", \".m4v\", \".mkv\"]"
+
 - name: Podman CDR Link | AUDIT | Check if Zammad wants to verify SSL connections to Opensearch
 containers.podman.podman_container_exec:
 name: zammad-railsserver

From d6bc8a48a8fd210eea5ca349c6ee55fd12627ed2 Mon Sep 17 00:00:00 2001
From: irl
Date: Thu, 4 Dec 2025 17:26:09 +0000
Subject: [PATCH 3/4] feat(podman_link): enable opensearch-dashboards

Fixes: #5
---
roles/podman_link/tasks/main.yml | 12 +++++++
.../containers/systemd/common-zammad.env | 1 +
.../config/containers/systemd/link.container | 4 +-
.../systemd/opensearch-dashboards.container | 6 ++--
.../templates/home/opensearch-dashboards.yml | 36 +++++++++++++++++++
5 files changed, 54 insertions(+), 5 deletions(-)
create mode 100644 roles/podman_link/templates/home/opensearch-dashboards.yml
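Review bot: The new AUDIT task registers its result as `_podman_link_zammad_es_ssl_verify`, which by its name is the variable the SSL-verification AUDIT task directly below this hunk appears to use, so one result overwrites the other and the two checks are indistinguishable in output and when debugging; rename it, e.g. `register: _podman_link_zammad_es_attachment_ignore`, and update the `when:` on the PATCH task to match. The `[-199:]` slice in that `when:` is also suspect: the expected literal is roughly 163 characters by my count, so if the slice is there to drop a prefix from the rails output the comparison can never succeed and the PATCH task will run on every play, and if there is no prefix the slice does nothing; a suffix test such as `not (_podman_link_zammad_es_attachment_ignore.stdout | trim).endswith("[\".png\", …]")` expresses the intent without a magic length. The exclusion list is spelled out twice, once as `%w[...]` and once as the Ruby-inspect form in `when:`, so any future edit must be made in both; rendering both from one role variable would keep them aligned.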
diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index 4c43a60..f336d99 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -68,6 +68,18 @@
 notify:
 - Restart Link
 
+# Opensearch Dashboards runs with UID/GID 1000 inside the container
+- name: Podman CDR Link | PATCH | Install Opensearch Dashboards configuration
+ ansible.builtin.template:
+ src: home/opensearch-dashboards.yml
+ dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml"
+ mode: "0400"
+ owner: "{{ _podman_link_user_subuid_start + 999 }}"
+ group: "{{ _podman_link_user_subgid_start + 999 }}"
+ become: true
+ notify:
+ - Restart Link
+
 # Zammad runs with UID/GID 1000 inside the container
 - name: Podman CDR Link | PATCH | Install Zammad database configuration file
 ansible.builtin.template:
diff --git a/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env b/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
index 92b144d..6f3b378 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
+++ b/roles/podman_link/templates/home/config/containers/systemd/common-zammad.env
@@ -10,3 +10,4 @@ ELASTICSEARCH_USER=admin
 ELASTICSEARCH_PASS={{ podman_link_opensearch_password }}
 ELASTICSEARCH_SCHEMA=https
 ELASTICSEARCH_REINDEX=false
+TZ=Etc/UTC
diff --git a/roles/podman_link/templates/home/config/containers/systemd/link.container b/roles/podman_link/templates/home/config/containers/systemd/link.container
index 4cfd232..4494117 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/link.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/link.container
@@ -7,8 +7,8 @@ PartOf=zammad-nginx.service
 ContainerName=link
 Environment=ZAMMAD_VIRTUAL_HOST={{ podman_link_web_hostname }}
 Environment=SETUP_MODE={{ podman_link_setup_mode }}
-Environment=LEAFCUTTER_ENABLED={{ podman_link_leafcutter_enabled }}
-Environment=LEAFCUTTER_DEFAULT_DASHBOARD_URL={{ podman_link_dashboard_url }}
+Environment=LEAFCUTTER_ENABLED=false
+Environment=LEAFCUTTER_DEFAULT_DASHBOARD_URL=""
 Environment=ZAMMAD_API_TOKEN={{ podman_link_zammad_api_token }}
 Environment=LINK_URL=https://localhost:3000/link
 Environment=ZAMMAD_URL=http://zammad-nginx:8080
diff --git a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
index 0d0ac6d..6311b0c 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container
@@ -5,11 +5,11 @@ PartOf=link.target
 
 [Container]
 ContainerName=opensearch-dashboards
-Environment=OPENSEARCH_USERNAME=admin
-Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password }}
+#Environment=OPENSEARCH_USERNAME=admin
+#Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password }}
 Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch-dashboards:{{ podman_link_stack_version }}
 PublishPort=127.0.0.1:5601:5601
-#Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards-config.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml:ro,Z
 Network=zammad.network
 
 [Service]
diff --git a/roles/podman_link/templates/home/opensearch-dashboards.yml b/roles/podman_link/templates/home/opensearch-dashboards.yml
new file mode 100644
index 0000000..3634911
--- /dev/null
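Review bot: The link.container hunk replaces the `podman_link_leafcutter_enabled` and `podman_link_dashboard_url` role variables with the literals `false` and `""`, which is unrelated to the commit's stated purpose of enabling opensearch-dashboards and silently removes a configuration knob. If the feature is meant to stay off until the dashboards are reachable through the proxy, say so above the two lines, e.g. `# Leafcutter kept disabled; re-enable through the role variables once <condition>`, and retire or deprecate the two variables, which presumably still exist in the role defaults and are now dead. Otherwise this belongs in its own commit with its own message. The `[Container]` section continues outside the hunk.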
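Review bot: The re-commented `#Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password }}` line still carries a Jinja expression, and if this unit is rendered with `ansible.builtin.template` like the other files in this directory the password is expanded into the comment of the installed unit, so the secret ends up on disk in a second file for no benefit; delete both commented `Environment=` lines rather than keeping them, since the credentials now live in the mounted `opensearch-dashboards.yml`. Keeping `PublishPort=127.0.0.1:5601:5601` limits host exposure to loopback, which is the right default for a service that trusts proxy-supplied identity headers. The `[Container]` section starts and ends outside the hunk.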
+++ b/roles/podman_link/templates/home/opensearch-dashboards.yml
@@ -0,0 +1,36 @@
+---
+opensearch.hosts: [https://zammad-opensearch:9200]
+opensearch.ssl.verificationMode: none
+opensearch.requestHeadersAllowlist:
+ - "securitytenant"
+ - "Authorization"
+ - "x-forwarded-for"
+ - "x-forwarded-user"
+ - "x-forwarded-roles"
+opensearch_security.auth.type: "proxy"
+opensearch_security.proxycache.user_header: "x-forwarded-user"
+opensearch_security.proxycache.roles_header: "x-forwarded-roles"
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.enable_global: true
+opensearch_security.multitenancy.tenants.enable_private: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.cookie.secure: false
+server.basePath: "/link/dashboards"
+server.rewriteBasePath: false
+
+opensearch.username: "admin"
+opensearch.password: "{{ podman_link_opensearch_password }}"
+
+server.host: "0.0.0.0"
+
+# New config that adds to or overrides existing one:
+#
+# server.port: 5601
+# server.name: "nextgen-dashboards"
+# opensearch.hosts: ["https://aberdeen-opensearch:9200"]
+# opensearch.ssl.verificationMode: certificate
+# opensearch.ssl.certificateAuthorities:
+ ["/usr/share/opensearch-dashboards/config/certs/ca.pem"]
+
+# opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
+# opensearch_security.readonly_mode.roles: ["kibana_read_only"]
\ No newline at end of file

From e79576cd7300e89714ae2f13918f9fe51e493b86 Mon Sep 17 00:00:00 2001
From: irl
Date: Thu, 4 Dec 2025 17:26:53 +0000
Subject: [PATCH 4/4] feat(podman_link): configure xfs quotas for channel container data directories

---
roles/podman_link/tasks/main.yml | 58 ++++++++++++++++++++++++++------
1 file changed, 48 insertions(+), 10 deletions(-)

diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index f336d99..d097863 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
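Review bot: The line `["/usr/share/opensearch-dashboards/config/certs/ca.pem"]` near the end of the new file appears to have lost its leading `#`: it sits under the commented-out `# opensearch.ssl.certificateAuthorities:` but is not itself a comment, and an indented flow sequence after the closed `server.host: "0.0.0.0"` entry is not valid inside a block mapping, so the loader will most likely reject the whole file; restore it as `#   ["/usr/share/opensearch-dashboards/config/certs/ca.pem"]` or drop the sample block altogether, which also removes the stale `aberdeen-opensearch` example. Separately, `opensearch_security.auth.type: "proxy"` means any client that can reach port 5601 is trusted to assert identity through `x-forwarded-user` and `x-forwarded-roles`; with `server.host: "0.0.0.0"` and the container on `zammad.network` that includes every peer container on that network, not only the reverse proxy, so the file should state which proxy is the intended source of those headers and the OpenSearch-side proxy settings should restrict trusted proxy addresses to match. `opensearch.ssl.verificationMode: none` and `opensearch_security.cookie.secure: false` each deserve a one-line comment giving the reason (internal hostname without a matching certificate; TLS terminated upstream), `opensearch.hosts` should quote its URL, and the file should end with a newline.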
@@ -108,16 +108,6 @@
 - zammad-data
 - zammad-config-nginx
 
-# Bridge/Link runs with UID/GID 1000 inside the container (because it's based on the node container)
-- name: Podman CDR Link | PATCH | Create data directory for bridge-whatsapp
- ansible.builtin.file:
- path: "/home/{{ podman_link_podman_rootless_user }}/bridge-whatsapp-data"
- owner: "{{ _podman_link_user_subuid_start + 999 }}"
- group: "{{ _podman_link_user_subgid_start + 999 }}"
- mode: "0700"
- state: "directory"
- become: true
-
 # Postgres/Redis runs with UID/GID 999 inside the container
 # Postgres seems to want to set group permissions on the data directory, which is probably fine
 - name: Podman CDR Link | PATCH | Create data directory for PostgreSQL and Redis
@@ -133,6 +123,16 @@
 - redis-data
 - postgresql-data
 
+# Bridge/Link runs with UID/GID 1000 inside the container (because it's based on the node container)
+- name: Podman CDR Link | PATCH | Create data directory for bridge-whatsapp
+ ansible.builtin.file:
+ path: "/home/{{ podman_link_podman_rootless_user }}/bridge-whatsapp-data"
+ owner: "{{ _podman_link_user_subuid_start + 999 }}"
+ group: "{{ _podman_link_user_subgid_start + 999 }}"
+ mode: "0700"
+ state: "directory"
+ become: true
+
 # We set the UID/GID to 1002 inside the signal-cli-rest-api container with environment variables
 - name: Podman CDR Link | PATCH | Create data directory for signal-cli-rest-api
 ansible.builtin.file:
@@ -143,6 +143,44 @@
 state: "directory"
 become: true
 
+- name: Podman CDR Link | PATCH | Ensure a project is created for Signal and WhatsApp containers
+ ansible.builtin.lineinfile:
+ path: /etc/projid
+ line: "{{ item.name }}:{{ item.project_id }}"
+ owner: root
+ group: root
+ mode: "0644"
+ create: true
+ become: true
+ with_items:
+ - {"project_id": 11, "name": "signal"}
+ - {"project_id": 12, "name": "whatsapp"}
+
+- name: Podman CDR Link | PATCH | Ensure a project is mapped for Signal and WhatsApp container data directories
+ ansible.builtin.lineinfile:
+ path: /etc/projects
+ line: "{{ item.project_id }}:{{ item.path }}"
+ owner: root
+ group: root
+ mode: "0644"
+ create: true
+ become: true
+ with_items:
+ - {"project_id": 11, "path": "/home/{{ podman_link_podman_rootless_user }}/signal-cli-rest-api-data"}
+ - {"project_id": 12, "path": "/home/{{ podman_link_podman_rootless_user }}/bridge-whatsapp-data"}
+
+- name: Podman CDR Link | PATCH | Set project quotas of 3G each for Signal and WhatsApp container data directories
+ community.general.xfs_quota:
+ type: project
+ mountpoint: /home
+ name: "{{ item }}"
+ bsoft: 3g
+ bhard: 3g
+ state: present
+ with_items:
+ - signal
+ - whatsapp
+
 - name: Podman CDR Link | PATCH | Install shared environment files
 ansible.builtin.template:
 src: "home/config/containers/systemd/{{ item }}"
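Review bot: The `community.general.xfs_quota` task is the only one of the three new tasks without `become: true`, yet setting project quotas on `/home` is a privileged operation, so as written it runs as the connecting user and will presumably fail unless that user is already root; add `become: true` next to `state: present`. The two `lineinfile` tasks use `line:` without `regexp:`, so if a project id or the rootless user's home path ever changes the old entry stays in `/etc/projid` and `/etc/projects` beside the new one; `regexp: "^{{ item.name }}:"` and `regexp: "^{{ item.project_id }}:"` respectively keep one line per project. Nothing here checks that `/home` is an XFS filesystem mounted with project quotas enabled, which the quota task silently depends on; a comment on the task naming that precondition, or an `ansible.builtin.assert` over `ansible_mounts`, would make the failure mode obvious to whoever runs the role on a host that lacks it.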