From fb3608fa6ee495c0e8e5e0c28e30de79b19729fa Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 7 Dec 2024 11:44:30 +0000
Subject: [PATCH] ipsilon: Initial version of role
---
roles/ipsilon/handlers/main.yml | 18 +++++
roles/ipsilon/meta/main.yml | 5 ++
roles/ipsilon/tasks/main.yml | 74 +++++++++++++++++++
.../templates/ipsilon-container.service.j2 | 21 ++++++
.../templates/ipsilon-container.sysconfig.j2 | 10 +++
5 files changed, 128 insertions(+)
create mode 100644 roles/ipsilon/handlers/main.yml
create mode 100644 roles/ipsilon/meta/main.yml
create mode 100644 roles/ipsilon/tasks/main.yml
create mode 100644 roles/ipsilon/templates/ipsilon-container.service.j2
create mode 100644 roles/ipsilon/templates/ipsilon-container.sysconfig.j2
diff --git a/roles/ipsilon/handlers/main.yml b/roles/ipsilon/handlers/main.yml
new file mode 100644
index 0000000..072010a
--- /dev/null
+++ b/roles/ipsilon/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Rebuild ipsilon-container
+ ansible.builtin.command:
+ argv:
+ - podman
+ - build
+ - -t
+ - ipsilon
+ - /usr/local/src/docker-ipsilon
+ become: true
+ become_user: ipsilon
+ notify: Restart ipsilon-container
+
+- name: Restart ipsilon-container
+ ansible.builtin.systemd:
+ name: ipsilon-container
+ daemon_reload: true
+ state: restarted
diff --git a/roles/ipsilon/meta/main.yml b/roles/ipsilon/meta/main.yml
new file mode 100644
index 0000000..b8e2a3e
--- /dev/null
+++ b/roles/ipsilon/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+ - {role: git}
+ - {role: nginx}
+ - {role: podman}
diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
new file mode 100644
index 0000000..deadb3d
--- /dev/null
+++ b/roles/ipsilon/tasks/main.yml
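Review bot: The Rebuild handler's `podman build` argv has no `--pull`, so once a base image is cached in the ipsilon user's container storage every rebuild reuses it and base-image security fixes are never picked up; add `- --pull` to the argv before `- -t`. The handler is also only notified by a change in the git checkout, so nothing in this role ever rebuilds when the upstream base image changes, which needs a periodic rebuild outside the role. The Containerfile under /usr/local/src/docker-ipsilon is not visible here, so whether it pins its base image by digest cannot be confirmed from this hunk.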
@@ -0,0 +1,74 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: ipsilon
+
+- name: Create user
+ ansible.builtin.user:
+ name: ipsilon
+ comment: Podman Ipsilon
+ group: ipsilon
+ shell: /sbin/nologin
+
+- name: Enable user lingering
+ ansible.builtin.command:
+ argv:
+ - loginctl
+ - enable-linger
+ - ipsilon
+ creates: /var/lib/systemd/linger/ipsilon
+
+- name: Copy host key
+ ansible.builtin.copy:
+ dest: "{{ tls_private }}/ipsilon.key"
+ src: "{{ tls_private }}/{{ inventory_hostname }}.key"
+ mode: "0640"
+ owner: root
+ group: ipsilon
+ remote_src: true
+
+- name: Get container source
+ ansible.builtin.git:
+ dest: /usr/local/src/docker-ipsilon
+ repo: https://github.com/foo-sh/docker-ipsilon.git
+ update: true
+ version: master
+ notify: Rebuild ipsilon-container
+
+- name: Create service file
+ ansible.builtin.template:
+ dest: /etc/systemd/system/ipsilon-container.service
+ src: ipsilon-container.service.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart ipsilon-container
+
+- name: Create service config
+ ansible.builtin.template:
+ dest: /etc/sysconfig/ipsilon-container
+ src: ipsilon-container.sysconfig.j2
+ mode: "0600"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart ipsilon-container
+
+- name: Enable service
+ ansible.builtin.service:
+ name: ipsilon-container
+ state: started
+ enabled: true
+
+- name: Copy nginx config
+ ansible.builtin.copy:
+ dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/ipsilon-container.conf"
+ content: |
+ location /ipsilon {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host idp.foo.sh;
+ proxy_pass http://127.0.0.1:8011/;
+ }
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart nginx
diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2
new file mode 100644
index 0000000..0560343
--- /dev/null
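Review bot: The Get container source task tracks the unpinned upstream `master` of foo-sh/docker-ipsilon with `update: true`, and the notified Rebuild handler builds and runs whatever was fetched as the identity provider, so anyone who can push to that repository (or tamper with the fetch) gets code execution on the IdP at the next role run; pin `version:` to a tag or commit SHA, and consider `verify_commit: true` with the maintainer key provisioned on the host. Separately, Enable service starts ipsilon-container with `state: started` in the middle of the play while the image is only built by the Rebuild handler at the end, so on a fresh host `podman run ipsilon:latest` is attempted before any local image exists; add `- ansible.builtin.meta: flush_handlers` immediately before the Enable service task. The nginx location forwards X-Forwarded-For and X-Forwarded-Host but not `proxy_set_header X-Forwarded-Proto $scheme;`, which an IdP generating redirect and metadata URLs behind TLS termination typically needs; worth confirming against how the container's web server is configured, which is not visible here.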
+++ b/roles/ipsilon/templates/ipsilon-container.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=Ipsilon Container
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=ipsilon
+EnvironmentFile=/etc/sysconfig/ipsilon-container
+ExecStart=/usr/bin/podman run \
+ --rm -p 127.0.0.1:8011:80 \
+ --name ipsilon \
+ --env LDAP_* --env IPSILON_*\
+ --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \
+ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
+ --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
+ ipsilon:latest
+ExecStop=/usr/bin/podman stop --ignore ipsilon
+ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
new file mode 100644
index 0000000..6d0b562
--- /dev/null
+++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
@@ -0,0 +1,10 @@
+LDAP_BASEDN="{{ ldap_basedn }}"
+IPSILON_DB_USER="ipsilon"
+IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX"
+IPSILON_DB_HOST="sqldb02.home.foo.sh"
+IPSILON_DB_USERPREFS="ipsilon"
+IPSILON_DB_TRANSACTIONS="ipsilon"
+IPSILON_DB_SESSIONS="ipsilon"
+IPSILON_DB_CA="/etc/ssl/certs/ca.crt"
+IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key"
+IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt"
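Review bot: `ExecStart` references the bare short name `ipsilon:latest`; if the local build is missing or has been pruned, podman's short-name resolution can fall back to the configured unqualified-search registries and pull a third party's `ipsilon` image onto the IdP instead of failing, so the unit should use the fully qualified local name `localhost/ipsilon:latest` (and the build handler should tag it identically). The `--env LDAP_* --env IPSILON_*` globs copy every matching variable from the unit's environment, including IPSILON_DB_PASS, into the container environment, where it is visible through `podman inspect` and /proc to anything running as the ipsilon user; a `--secret` or a read-only mounted env file would narrow that exposure, though with `User=ipsilon` owning the container the gain is modest. The bind-mounted `{{ tls_private }}/ipsilon.key` is root:ipsilon 0640 on the host, and whether the service user inside this rootless container can read it after user-namespace mapping depends on the image, which is not visible in this patch.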
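Review bot: `IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX"` is a literal database credential committed in a template, so it now sits in repository history for everyone with read access and stays there after any later edit; replace it with a vault-managed variable, `IPSILON_DB_PASS="{{ ipsilon_db_pass }}"`, and rotate the password on the database host, since this value has to be treated as disclosed. The host `sqldb02.home.foo.sh` and the database names are hard-coded as well and would be cleaner as role defaults (`ipsilon_db_host`, `ipsilon_db_name`), though that is style rather than a defect. `{{ inventory_hostname}}` on the last line renders correctly in Jinja but is inconsistent with the `{{ inventory_hostname }}` spacing used on the line above it.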