Initial import; migrate some roles from irl.wip

2025-10-31 22:36:32 +00:00 · 2025-10-31 22:36:32 +00:00 · 2ba6c6691b
commit 2ba6c6691b
44 changed files with 1573 additions and 0 deletions
--- a/roles/podman_nginx/defaults/main.yml
+++ b/roles/podman_nginx/defaults/main.yml
@ -0,0 +1,10 @@
+---
+podman_nginx_additional_hostnames: []
+podman_nginx_certbot_testing: false
+# podman_nginx_frontend_network:
+podman_nginx_podman_rootless_user: nginx
+# podman_nginx_primary_hostname:
+# podman_nginx_systemd_service_slice:
+# podman_nginx_systemd_service_target:
+podman_nginx_systemd_service_requires: []
+podman_nginx_additional_volumes: []
--- a/roles/podman_nginx/handlers/main.yml
+++ b/roles/podman_nginx/handlers/main.yml
@ -0,0 +1,18 @@
+---
+- name: Restart certbot-renew
+  ansible.builtin.systemd_service:
+    name: certbot-renew
+    state: started
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
+
+- name: Restart nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: restarted
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
--- a/roles/podman_nginx/tasks/main.yml
+++ b/roles/podman_nginx/tasks/main.yml
@ -0,0 +1,111 @@
+---
+- name: Podman Nginx | PATCH | Create service configuration directories
+  ansible.builtin.file:
+    path: "/home/{{ podman_nginx_podman_rootless_user }}/{{ item }}"
+    state: directory
+    owner: "{{ podman_nginx_podman_rootless_user }}"
+    group: "{{ podman_nginx_podman_rootless_user }}"
+    mode: "0755"
+  become: true
+  with_items:
+    - .config/systemd/user
+    - certbot/conf
+    - certbot/www
+    - nginx
+
+- name: Podman Nginx | PATCH | Install podman quadlet for rootless podman user
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ podman_nginx_podman_rootless_user }}"
+    mode: "0400"
+  with_items:
+    - certbot-renew.container
+    - nginx.container
+  notify:
+    - "Restart {{ item | split('.') | first }}"
+  become: true
+
+- name: Podman Nginx | PATCH | Install certbot renewal timer for rootless podman user
+  ansible.builtin.template:
+    src: "certbot-renew.timer"
+    dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/systemd/user/certbot-renew.timer"
+    owner: "{{ podman_nginx_podman_rootless_user }}"
+    mode: "0400"
+  become: true
+
+- name: Podman Nginx | AUDIT | Verify quadlets are correctly defined
+  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
+  register: podman_nginx_quadlet_result
+  ignore_errors: true
+  changed_when: false
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
+
+- name: Podman Nginx | AUDIT | Check if certificate exists
+  ansible.builtin.stat:
+    path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
+  register: podman_nginx_cert_stat
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
+
+- name: Podman Nginx | PATCH | Create temporary nginx configuration (no https)
+  ansible.builtin.template:
+    src: nginx.conf
+    dest: "/home/{{ podman_nginx_podman_rootless_user }}/nginx/nginx.conf"
+    owner: "{{ podman_nginx_podman_rootless_user }}"
+    group: "{{ podman_nginx_podman_rootless_user }}"
+    mode: "0644"
+  become: true
+  when: not podman_nginx_cert_stat.stat.exists
+
+- name: Podman Nginx | PATCH | Start nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: started
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
+
+- name: Podman Nginx | PATCH | Run certbot container to create certificate
+  ansible.builtin.command:
+    cmd: >
+      podman run --name certbot-generate
+      --rm
+      --volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/www:/var/www/certbot:rw,z
+      --volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/conf:/etc/letsencrypt:rw,z
+      docker.io/certbot/certbot:latest
+      certonly
+      --register-unsafely-without-email
+      --agree-tos
+      --webroot
+      --webroot-path /var/www/certbot/
+      -d "{{ podman_nginx_primary_hostname }}"
+      {% for hostname in podman_nginx_additional_hostnames %} -d "{{ hostname }}"{% endfor %}
+      {% if podman_nginx_certbot_testing %} --test-cert{% endif %}
+  when: not podman_nginx_cert_stat.stat.exists
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
+
+- name: Podman Nginx | AUDIT | Check if certificate exists
+  ansible.builtin.stat:
+    path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
+  register: podman_nginx_cert_stat
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
+
+- name: Podman Nginx | AUDIT | Assert that certificate exists now
+  ansible.builtin.assert:
+    that:
+      - podman_nginx_cert_stat.stat.exists
+    fail_msg: "Failed to get a Lets Encrypt certificate."
+
+- name: Podman Nginx | PATCH | Start certbot renewal timer
+  ansible.builtin.systemd_service:
+    name: "certbot-renew.timer"
+    state: started
+    enabled: true
+    scope: user
+  become: true
+  become_user: "{{ podman_nginx_podman_rootless_user }}"
--- a/roles/podman_nginx/templates/certbot-renew.container
+++ b/roles/podman_nginx/templates/certbot-renew.container
@ -0,0 +1,13 @@
+[Unit]
+Description=Run certbot renew
+
+[Container]
+AutoUpdate=registry
+ContainerName=certbot-renew
+Exec=renew
+Image=docker.io/certbot/certbot:latest
+Volume=/home/{{ podman_nginx_podman_rootless_user }}/certbot/www:/var/www/certbot:z
+Volume=/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf:/etc/letsencrypt:z
+
+[Service]
+Restart=no
--- a/roles/podman_nginx/templates/certbot-renew.timer
+++ b/roles/podman_nginx/templates/certbot-renew.timer
@ -0,0 +1,9 @@
+[Unit]
+Description=Timer for certbot renewals
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/roles/podman_nginx/templates/nginx.conf
+++ b/roles/podman_nginx/templates/nginx.conf
@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ podman_nginx_primary_hostname }};
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://{{ podman_nginx_primary_hostname }}$request_uri;
+    }
+}
--- a/roles/podman_nginx/templates/nginx.container
+++ b/roles/podman_nginx/templates/nginx.container
@ -0,0 +1,34 @@
+[Unit]
+{% for req in podman_nginx_systemd_service_requires %}
+Requires={{ req }}.service
+After={{ req }}.service
+{% endfor %}
+{% if podman_nginx_systemd_service_target is defined %}
+PartOf={{ podman_nginx_systemd_service_target }}
+{% endif %}
+
+[Container]
+ContainerName=nginx
+Image=docker.io/nginx:1
+{% if podman_nginx_frontend_network is defined %}Network={{ podman_nginx_frontend_network }}.network{% endif +%}
+PublishPort=80:80
+PublishPort=443:443
+Volume=/home/{{ podman_nginx_podman_rootless_user }}/certbot/www:/var/www/certbot/:ro,z
+Volume=/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/:/etc/letsencrypt/:ro,z
+Volume=/home/{{ podman_nginx_podman_rootless_user }}/nginx:/etc/nginx/conf.d/:ro,z
+
+{% for item in podman_nginx_additional_volumes %}
+Volume={{ item.src }}:{{ item.dest }}:{{ item.options }}
+{% endfor %}
+
+[Service]
+RuntimeMaxSec=604800
+Restart=always
+{% if podman_nginx_systemd_service_slice is defined %}
+Slice={{ podman_nginx_systemd_service_slice }}
+{% endif %}
+{% if podman_nginx_systemd_service_target is defined %}
+
+[Install]
+WantedBy=default.target
+{% endif %}