ipsilon: Initial version of role

roles/ipsilon/handlers/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Rebuild ipsilon-container
+  ansible.builtin.command:
+    argv:
+      - podman
+      - build
+      - -t
+      - ipsilon
+      - /usr/local/src/docker-ipsilon
+  become: true
+  become_user: ipsilon
+  notify: Restart ipsilon-container
+
+- name: Restart ipsilon-container
+  ansible.builtin.systemd:
+    name: ipsilon-container
+    daemon_reload: true
+    state: restarted

roles/ipsilon/meta/main.yml

@@ -0,0 +1,5 @@
+---
+dependencies:
+  - {role: git}
+  - {role: nginx}
+  - {role: podman}

roles/ipsilon/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+- name: Create group
+  ansible.builtin.group:
+    name: ipsilon
+
+- name: Create user
+  ansible.builtin.user:
+    name: ipsilon
+    comment: Podman Ipsilon
+    group: ipsilon
+    shell: /sbin/nologin
+
+- name: Enable user lingering
+  ansible.builtin.command:
+    argv:
+      - loginctl
+      - enable-linger
+      - ipsilon
+    creates: /var/lib/systemd/linger/ipsilon
+
+- name: Copy host key
+  ansible.builtin.copy:
+    dest: "{{ tls_private }}/ipsilon.key"
+    src: "{{ tls_private }}/{{ inventory_hostname }}.key"
+    mode: "0640"
+    owner: root
+    group: ipsilon
+    remote_src: true
+
+- name: Get container source
+  ansible.builtin.git:
+    dest: /usr/local/src/docker-ipsilon
+    repo: https://github.com/foo-sh/docker-ipsilon.git
+    update: true
+    version: master
+  notify: Rebuild ipsilon-container
+
+- name: Create service file
+  ansible.builtin.template:
+    dest: /etc/systemd/system/ipsilon-container.service
+    src: ipsilon-container.service.j2
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart ipsilon-container
+
+- name: Create service config
+  ansible.builtin.template:
+    dest: /etc/sysconfig/ipsilon-container
+    src: ipsilon-container.sysconfig.j2
+    mode: "0600"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart ipsilon-container
+
+- name: Enable service
+  ansible.builtin.service:
+    name: ipsilon-container
+    state: started
+    enabled: true
+
+- name: Copy nginx config
+  ansible.builtin.copy:
+    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/ipsilon-container.conf"
+    content: |
+      location /ipsilon {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host idp.foo.sh;
+        proxy_pass http://127.0.0.1:8011/;
+      }
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart nginx

roles/ipsilon/templates/ipsilon-container.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=Ipsilon Container
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=ipsilon
+EnvironmentFile=/etc/sysconfig/ipsilon-container
+ExecStart=/usr/bin/podman run \
+    --rm -p 127.0.0.1:8011:80 \
+    --name ipsilon \
+    --env LDAP_* --env IPSILON_*\
+    --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \
+    --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
+    --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
+    ipsilon:latest
+ExecStop=/usr/bin/podman stop --ignore ipsilon
+ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon
+
+[Install]
+WantedBy=multi-user.target

roles/ipsilon/templates/ipsilon-container.sysconfig.j2

@@ -0,0 +1,10 @@
+LDAP_BASEDN="{{ ldap_basedn }}"
+IPSILON_DB_USER="ipsilon"
+IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX"
+IPSILON_DB_HOST="sqldb02.home.foo.sh"
+IPSILON_DB_USERPREFS="ipsilon"
+IPSILON_DB_TRANSACTIONS="ipsilon"
+IPSILON_DB_SESSIONS="ipsilon"
+IPSILON_DB_CA="/etc/ssl/certs/ca.crt"
+IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key"
+IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt"