ansible/roles/ipsilon/tasks/main.yml


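---
# Tasks for the ipsilon role: a dedicated unprivileged account, TLS/OIDC key
# material readable only by that account, a rootless container service built
# from upstream source, and an nginx location that proxies to it.

- name: Create group
  ansible.builtin.group:
    name: ipsilon

- name: Create user
  ansible.builtin.user:
    name: ipsilon
    comment: Podman Ipsilon
    group: ipsilon
    # Service account only; no interactive login.
    shell: /sbin/nologin

# Lingering lets the user's systemd instance (and its rootless containers)
# run without an active login session.
- name: Enable user lingering
  ansible.builtin.command:
    argv:
      - loginctl
      - enable-linger
      - ipsilon
    creates: /var/lib/systemd/linger/ipsilon

# The host key is copied under a fixed name so the container config does not
# need to know the hostname. Root-owned, group-readable by ipsilon only.
# Restart on change so a rotated key is picked up (mirrors the OIDC key task
# below; previously a rotated host key left the running container on the old
# key until something else restarted it).
- name: Copy host key
  ansible.builtin.copy:
    dest: "{{ tls_private }}/ipsilon.key"
    src: "{{ tls_private }}/{{ inventory_hostname }}.key"
    mode: "0640"
    owner: root
    group: ipsilon
    remote_src: true
  notify: Restart ipsilon-container

- name: Copy OIDC key
  ansible.builtin.copy:
    dest: "{{ tls_private }}/openidc.key"
    src: "{{ ansible_private }}/files/ipsilon/openidc.key"
    mode: "0640"
    owner: root
    group: ipsilon
  notify: Restart ipsilon-container

# Label the config tree so the container may read it; the directory task
# below applies the label via setype: _default.
- name: Fix SELinux contexts from config directory
  community.general.sefcontext:
    path: /etc/ipsilon(/.*)?
    setype: container_file_t
  when: ansible_selinux_python_present

# Host-side UID/GID that a fixed in-container id maps to through the
# ipsilon user's subordinate id range. The +899 offset presumably matches the
# uid the image runs as — confirm against the container image.
- name: Get subuid number
  ansible.builtin.command:
    argv:
      - awk
      - "-F:"
      - '{ if ($1 == "ipsilon") print $2 + 899 }'
      - /etc/subuid
  changed_when: false
  register: subuid

- name: Get subgid number
  ansible.builtin.command:
    argv:
      - awk
      - "-F:"
      - '{ if ($1 == "ipsilon") print $2 + 899 }'
      - /etc/subgid
  changed_when: false
  register: subgid

- name: Create config directory
  ansible.builtin.file:
    path: /etc/ipsilon
    state: directory
    mode: "0750"
    owner: root
    group: ipsilon
    setype: _default

# Owned by the mapped container uid/gid from the awk lookups above so the
# process inside the container can read it; mode keeps it private to it.
- name: Create OIDC static config
  ansible.builtin.template:
    dest: /etc/ipsilon/openidc-static.conf
    src: openidc-static.conf.j2
    mode: "0600"
    owner: "{{ subuid.stdout }}"
    group: "{{ subgid.stdout }}"
    setype: _default
  notify: Restart ipsilon-container

# NOTE(review): version tracks the moving master branch, so any upstream push
# changes the checkout and triggers a rebuild of the image on the next run.
# Pinning to a reviewed tag or commit would make builds reproducible and keep
# upstream changes from landing unreviewed.
- name: Get container source
  ansible.builtin.git:
    dest: /usr/local/src/docker-ipsilon
    repo: https://github.com/foo-sh/docker-ipsilon.git
    update: true
    version: master
  notify: Rebuild ipsilon-container

- name: Create service file
  ansible.builtin.template:
    dest: /etc/systemd/system/ipsilon-container.service
    src: ipsilon-container.service.j2
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart ipsilon-container

# Sysconfig is 0600: it is the template most likely to carry secrets.
- name: Create service config
  ansible.builtin.template:
    dest: /etc/sysconfig/ipsilon-container
    src: ipsilon-container.sysconfig.j2
    mode: "0600"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart ipsilon-container

- name: Enable service
  ansible.builtin.service:
    name: ipsilon-container
    state: started
    enabled: true

# Reverse proxy on the loopback port the container publishes. Only
# X-Forwarded-For/Host are set here; if the application derives redirect or
# issuer URLs from the request scheme, X-Forwarded-Proto would be needed as
# well — verify against the upstream config.
- name: Copy nginx config
  ansible.builtin.copy:
    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/ipsilon-container.conf"
    content: |
      location /ipsilon {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host idp.foo.sh;
        proxy_pass http://127.0.0.1:8011/;
      }
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart nginx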