diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..fac1c60
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+
+## 1.0.0
+
+* Initial Release
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8f26f0d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,60 @@
+# Ansible Collection - enbewe.uffd
+Collecion to deploy [uffd (**U**ser**F**erwaltungs**F**ronten**d**)](https://git.cccv.de/uffd/uffd) as OAuth/OIDC authentication service.
+
+## Playbooks
+### enbewe.uffd.build
+Deploys the role `enbewe.uffd.build` to all hosts of the `uffd` group.
+
+### enbewe.uffd.deploy
+Deploys the role `enbewe.uffd.uffd` to all hosts of the `uffd` group.
+
+## Roles
+### enbewe.uffd.build
+Creates the current image of uffd. The image is tagged with the current timestamp as well as 'latest'.
+This role could probably replaced by some build- and publishing job.
+
+#### Optional Variables
+
+**uffd_build_tempdir** *(Default: '/tmp/podman-uffd-build')*
+Path to use for building the uffd OCI container in. This path will be created as needed and removed again afterwards.
+
+**uffd_build_debian_version** *(Default: 'bullseye')*
+The debian version name to use for the uffd container.
+
+**uffd_build_force_rebuild** *(Default: false)*
+Flag to force the reduilding of the uffd container even if it already exists.
+
+**uffd_build_tag_latest** *(Default: true)*
+Flag to disable tagging the built image as `latest`.
+
+### enbewe.uffd.uffd
+Deploys uffd through a podman container.
+Additionally deploys an nginx container as a HTTP server for static files as well as uWSGI proxy.
+
+#### Required variables
+
+**uffd_secret_key**
+The secret key to use for uffd data.
+
+**uffd_initial_admin_user**
+Name of the initial admin user.
+
+**uffd_initial_admin_pw**
+Password of the initial admin user.
+
+**uffd_initial_admin_mail**
+E-Mail address of the initial admin user.
+
+#### Optional Variables
+
+**uffd_podman_network** *(Default: 'uffd-net')*
+Name of the podman network to use for uffd container and the nginx server.
+
+**uffd_conf_dir** *(Default: '/etc/uffd')*
+The directory to use for config files.
+
+**uffd_static_files_volume** *(Default: 'uffd-static-files')*
+The name of the podman volume to use for the static files of the uffd.
+
+**uffd_data_volume** *(Default: 'uffd-data')*
+The name of the podman volume to use for the runtime data of uffd.
diff --git a/galaxy.yml b/galaxy.yml
new file mode 100644
index 0000000..ca8cc5f
--- /dev/null
+++ b/galaxy.yml
@@ -0,0 +1,67 @@
+---
+### REQUIRED
+# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
+# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
+# underscores or numbers and cannot contain consecutive underscores
+namespace: 'enbewe'
+
+# The name of the collection. Has the same character restrictions as 'namespace'
+name: 'uffd'
+
+# The version of the collection. Must be compatible with semantic versioning
+version: '1.0.0'
+
+# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
+readme: 'README.md'
+
+# A list of the collection's content authors. Can be just the name or in the format 'Full Name (url)
+# @nicks:irc/im.site#channel'
+authors:
+ - 'Nis Wechselberg '
+
+
+### OPTIONAL but strongly recommended
+# A short summary description of the collection
+description: 'Deployment tools for uffd oauth software'
+
+# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
+# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
+license:
+ - 'MIT'
+
+# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
+# requirements as 'namespace' and 'name'
+tags:
+ - 'linux'
+
+# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
+# collection label 'namespace.name'. The value is a version range
+# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). 
Multiple version
+# range specifiers can be set and are separated by ','
+dependencies:
+ containers.podman: '>=1.13.0'
+
+# The URL of the originating SCM repository
+repository: 'https://git.enbewe.de/Coding/ansible-collection-uffd'
+
+# The URL to any online docs
+# documentation: http://docs.example.com
+
+# The URL to the homepage of the collection/project
+# homepage: http://example.com
+
+# The URL to the collection issue tracker
+# issues: http://example.com/issue/tracker
+
+# A list of file glob-like patterns used to filter any files or directories that should not be included in the build
+# artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
+# uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
+# and '.git' are always filtered. Mutually exclusive with 'manifest'
+# build_ignore: []
+
+# A dict controlling use of manifest directives used in building the collection artifact. The key 'directives' is a
+# list of MANIFEST.in style
+# L(directives,https://packaging.python.org/en/latest/guides/using-manifest-in/#manifest-in-commands). The key
+# 'omit_default_directives' is a boolean that controls whether the default directives are used. Mutually exclusive
+# with 'build_ignore'
+# manifest: null
diff --git a/meta/runtime.yml b/meta/runtime.yml
new file mode 100644
index 0000000..d6c6f44
--- /dev/null
+++ b/meta/runtime.yml
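Review bot: `- 'Nis Wechselberg '` under `authors:` ends in a trailing space inside the quoted string, which looks like a contact or URL that was dropped when the line was written (the comment above describes the `'Full Name (url) @nicks:...'` format); either trim the string or complete it. `tags` holds only `'linux'`, so Galaxy search will not find the collection by what it does; adding tags such as `podman`, `oauth` or `sso` (same character rules as `name`) costs nothing.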
@@ -0,0 +1,52 @@
+---
+# Collections must specify a minimum required ansible version to upload
+# to galaxy
+requires_ansible: '>=2.17.0'
+
+# Content that Ansible needs to load from another location or that has
+# been deprecated/removed
+# plugin_routing:
+# action:
+# redirected_plugin_name:
+# redirect: ns.col.new_location
+# deprecated_plugin_name:
+# deprecation:
+# removal_version: "4.0.0"
+# warning_text: |
+# See the porting guide on how to update your playbook to
+# use ns.col.another_plugin instead.
+# removed_plugin_name:
+# tombstone:
+# removal_version: "2.0.0"
+# warning_text: |
+# See the porting guide on how to update your playbook to
+# use ns.col.another_plugin instead.
+# become:
+# cache:
+# callback:
+# cliconf:
+# connection:
+# doc_fragments:
+# filter:
+# httpapi:
+# inventory:
+# lookup:
+# module_utils:
+# modules:
+# netconf:
+# shell:
+# strategy:
+# terminal:
+# test:
+# vars:
+
+# Python import statements that Ansible needs to load from another location
+# import_redirection:
+# ansible_collections.ns.col.plugins.module_utils.old_location:
+# redirect: ansible_collections.ns.col.plugins.module_utils.new_location
+
+# Groups of actions/modules that take a common set of options
+# action_groups:
+# group_name:
+# - module1
+# - module2
diff --git a/playbooks/build.yml b/playbooks/build.yml
new file mode 100644
index 0000000..b63f341
--- /dev/null
+++ b/playbooks/build.yml
@@ -0,0 +1,5 @@
+---
+- name: 'Build local uffd image'
+ hosts: 'uffd'
+ roles:
+ - 'enbewe.uffd.build'
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
new file mode 100644
index 0000000..2ba52f2
--- /dev/null
+++ b/playbooks/deploy.yml
@@ -0,0 +1,5 @@
+---
+- name: 'Deploy uffd service to matching host group'
+ hosts: 'uffd'
+ roles:
+ - 'enbewe.uffd.uffd'
diff --git a/plugins/README.md b/plugins/README.md
new file mode 100644
index 0000000..269a4c2
--- /dev/null
+++ b/plugins/README.md
@@ -0,0 +1,31 @@
+# Collections Plugins Directory
+
+This directory can be used to ship various plugins inside an Ansible collection. Each plugin is placed in a folder that
+is named after the type of plugin it is in. It can also include the `module_utils` and `modules` directory that
+would contain module utils and modules respectively.
+
+Here is an example directory of the majority of plugins currently supported by Ansible:
+
+```
+└── plugins
+ ├── action
+ ├── become
+ ├── cache
+ ├── callback
+ ├── cliconf
+ ├── connection
+ ├── filter
+ ├── httpapi
+ ├── inventory
+ ├── lookup
+ ├── module_utils
+ ├── modules
+ ├── netconf
+ ├── shell
+ ├── strategy
+ ├── terminal
+ ├── test
+ └── vars
+```
+
+A full list of plugin types can be found at [Working With Plugins](https://docs.ansible.com/ansible-core/2.17/plugins/plugins.html).
diff --git a/roles/build/defaults/main.yml b/roles/build/defaults/main.yml
new file mode 100644
index 0000000..8bbcca9
--- /dev/null
+++ b/roles/build/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+uffd_build_tempdir: '/tmp/podman-uffd-build'
+# We build with Debian bullseye, even though bookworm is out.
+# uffd throws some errors with bookworm python, so some programs fail
+uffd_build_debian_version: 'bullseye'
+uffd_build_force_rebuild: false
+uffd_build_tag_latests: true
diff --git a/roles/build/files/cccv-archive-key.asc b/roles/build/files/cccv-archive-key.asc
new file mode 100644
index 0000000..1dc3423
--- /dev/null
+++ b/roles/build/files/cccv-archive-key.asc
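Review bot: `uffd_build_tag_latests: true` on the last line of roles/build/defaults/main.yml does not match the name the rest of the collection uses: roles/build/tasks/main.yml gates the 'Tag image as latest' task on `uffd_build_tag_latest`, and README.md documents `uffd_build_tag_latest` with a default of true. With the default misspelled, the variable is undefined unless the caller sets it explicitly, and the tagging task errors instead of defaulting to true. Rename the default: `uffd_build_tag_latest: true`. A one-line comment such as `# Set to false to skip tagging the freshly built image as uffd:latest` would also spell out the flag's polarity, which the README currently describes in a confusing way ("Flag to disable tagging").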
@@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGEXIFwBDADRhAYP8td+AVcnbMkswu3SaF1FzqVldwQSHA0tVXpAw7wUtE9s +QEnbLE3cD//SEMQGzwr8LsMpnuWImcS5nk9gIc5p9M076tgyAeS4NFzbvaIpOZJL +V0VK2Q+o6fyaAriY5lb88pU3cR6uTJInwR5MgEki7RLCIjOPW/Nzvw8LdBhgtbJv +jW04IPI1gAiqSfPCjXY8z81JOSLhsk1ED8zrJ/kTWm4yIBbVLMhFu7Snz9UbbF2n +40dA9VydoxlVdjzH+AM7+Ga8FTYu4UivGO+5WFp+iWcoXLqmECSvW+H+Evy8ES9M +7QIkgGTXWsL3YrjrxcwOAu/dXhQVV9woDXWWQRwILNG2poSLUjmVuXMPKnofJpMO +34+n3dvaiPTp31YxTWhOSXdbO3e6Abpd+PKoXqaRy/HrulBuBRf+5/edDKLNVUC/ +tPqs61AL9cw6Jxx1vFdmmZm6RWK2CgVWPc9e3GPGfbZYuUBgOphhkJ+3yXRcc1sN +VRyc3Ve87OG6GiUAEQEAAbQgcGFja2FnZXMuY2Njdi5kZSA8aW5mcmFAY2Njdi5k +ZT6JAdQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQRVPlzDYknN +/1ubu7WpKBpvpuSJcQUCZPjPbAUJDUdK5QAKCRCpKBpvpuSJcVuFC/45TV/8Dvt8 +VTS2yoFUjpy0las7qm0fPNkazSVpMhQkxcEz/LysEr5sbc0jZIQZ1zD+rm0RfahM +g7vytTs/xqplgmIXOEPub6CPr+G1ZHgU5pHAc2DqFUR4z3pp37RNtFuhi0TyK0Pp +qVJgAg6/Hf9dkEIwI5orUTTDWhAvxz7wo7/3tb4fqkrWk/Fp0qM8kMEjYyh9/PSb +V4HfhJauXxzBx8T/Wc7TveGyRGVMYH29bK0SssDDvzGJD3Mxd/dXV4JYTk8sw//k +zQwN3lZ7SfsZR5rddRr/BpghdR1k451FdCj9iWF3v3p1TwN93AL6TQ6AF2aFykkB +1JWxockDlGrlRkk+0WiEOYvDUaBo3ppz4QhrO8TFrluGyifv2BNSFMKHdhkvF2IE +DRQles45+CmhgPxVw7qc69pLsXRxN/0BE5P6wNl8DGnk2ZYDlYW/vcosHYbeeRCp +OUpsKF6OSHXjCfMObuG6wYulFhMqrDHtLiD0e6fxWjATqoj+F6TX7Te5AY0EYRcg +XAEMAKNhLd8nN2AYPdqn/9OfTzXOFEoHMGFKVH9E9LRFEp7SXI0Phr+2gPsBEP13 +In0dGbvABRvywtTRih+3Jg/5QxyEDcVB0bbWK44XZLmShm9TYmJSqrW8sgOh2Nqi +2LcGroWg2crrd6t+HDmXFZVtiBRy/5Y7s5mqTM/byEvMnReczeTSlwmJHNLTOmME +tganIwmQxfbit99gxjjoz/sGqVxf59/Ytq8P6J+3LMt9ApmPFgK6wB0BAtTJGaOJ +rgSIVdNQ082laXQlHXKMguVKk8ivErzwsCs7ukxSVhIvfwgbM7WZfdM7l6h1ZhDr +mBBGGj+9Ag0mPHF3ycrh9fW43r8KYONbzQq0xtsE+WeOKPaFhMQ/dwv6d4Sn0gTV +crV++l6ut1DLlGHCZtSsB0z1LBUu4jMvpHwVfCeqZ4f5Al27oUhjTh3eoe184+VG +/M3nkh9C1wyvLBFo69AS+9VQSwnsWu/CXnWrzPZeX0KmbezNeNvwCbYgXIrEEWhy +XJgYLQARAQABiQG8BBgBCAAmAhsMFiEEVT5cw2JJzf9bm7u1qSgab6bkiXEFAmT4 +z18FCQ1HSukACgkQqSgab6bkiXFVagv+LFrGoHKm4woVvlWHWfanok/YsPyGFsvL 
+Ogz6U0nhRB5f3wSq9kl0t1esdyNsFGfz+E0fCzyAyML6dBzKv9uHp2+TtcdKLTQ1 +kSo/JdbMsva+/e8Y9OHmmv7pAFatLln7XXwa2cPiFRg0VkOQgByR1yEiGAyMIYL8 +VLAqdE6fywGLXE5k91+XZCFqKu90+XrtiJo2xy4RQ8C5u2WQWI0k5V/oGgTxOh/J +uhXzmU1Goeie4ukjZYdzwZjzzm2vY9LWfZRaRtkJ0itxNezYCtWEOKHvto5PqtT4 +thSsNuC9qQruh3itVykI7lZ9yxkOyuzqjFGKQDNcUlvnZHqdoKuW121/cgMXbAvz +HWHdY4cbc74obm8V8Gx4dX/GNFL868twzMVoBoEgQVA1PURz5Xu73RvWcBpOpYj0 +GP3nLdP3s2J9rAhrzS6K+MIHeEUnPi1MavRd4bROpnbJ32yvkSGWR55mWCpdCepj +JRWMzY9EoBOHB1PubZuzUNIUQeui1vyX +=uRc5 +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/roles/build/files/entrypoint.sh b/roles/build/files/entrypoint.sh new file mode 100644 index 0000000..6266dfa --- /dev/null +++ b/roles/build/files/entrypoint.sh 
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+echo "Copying static files ..."
+cp -r /usr/share/uffd/uffd/static /var/www/uffd
+
+db_ready="false"
+count=0
+while [ $count -lt 4 ] && [ "$db_ready" != "true" ] ;do
+ if uffd-admin db current >> /dev/null 2>&1 ;then
+ db_ready="true"
+ else
+ echo "Waiting for db to become ready..."
+ ((duration=2**$count))
+ sleep $duration
+ ((count=$count+1))
+ fi
+done
+
+if [ "$db_ready" == "true" ] ;then
+ echo "Running datbase migrations ..."
+ uffd-admin db upgrade
+
+ if [ -n "$UFFD_INITIAL_ADMIN_PW" ] && [ "$(uffd-admin user list)" == "" ]; then
+ echo "Creating groups and roles for initial admin user ..."
+ if ! uffd-admin group show 'uffd_admin' >> /dev/null 2>&1 ;then
+ uffd-admin group create 'uffd_admin'
+ fi
+ if ! uffd-admin group show 'uffd_access' >> /dev/null 2>&1 ;then
+ uffd-admin group create 'uffd_access'
+ fi
+ if ! uffd-admin role show 'uffd_admin' >> /dev/null 2>&1 ;then
+ uffd-admin role create 'uffd_admin' --add-group 'uffd_admin' --add-group 'uffd_access'
+ fi
+ if [ -z "$UFFD_INITIAL_ADMIN_USER" ] ;then
+ UFFD_INITIAL_ADMIN_USER='uffd_admin'
+ fi
+ if [ -z "$UFFD_INITIAL_ADMIN_MAIL" ] ;then
+ UFFD_INITIAL_ADMIN_MAIL='uffd_admin@localhost'
+ fi
+ echo "Creating initial admin user ..."
+ uffd-admin user create "$UFFD_INITIAL_ADMIN_USER" --password "$UFFD_INITIAL_ADMIN_PW" --mail "$UFFD_INITIAL_ADMIN_MAIL" --add-role 'uffd_admin'
+ fi
+else
+ echo "WARNING: Database is not ready yet, skipping migration and initialization"
+fi
+
+echo "Starting server ..."
+runuser --preserve-environment -u uffd -- \
+ uwsgi --ini /etc/uwsgi/apps-enabled/uffd.ini --socket 0.0.0.0:3031 --master --stats 0.0.0.0:9191
diff --git a/roles/build/files/uffd_2.3.1+git20241021T122809-98fe5690_all.deb b/roles/build/files/uffd_2.3.1+git20241021T122809-98fe5690_all.deb
new file mode 100644
index 0000000..422f62e
Binary files /dev/null and b/roles/build/files/uffd_2.3.1+git20241021T122809-98fe5690_all.deb differ
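Review bot: The initial admin password is passed on the command line in `uffd-admin user create ... --password "$UFFD_INITIAL_ADMIN_PW"`, where it is visible in the process list inside the container and on the host for the duration of that call, and `runuser --preserve-environment` then hands `UFFD_INITIAL_ADMIN_PW` on to the long-running uwsgi process although it is only needed for the one-time bootstrap. At minimum drop the variables before the server starts: `unset UFFD_INITIAL_ADMIN_PW UFFD_INITIAL_ADMIN_USER UFFD_INITIAL_ADMIN_MAIL` directly above the `runuser` line (whether `uffd-admin` can read the password from stdin instead is not visible here). Prefixing the last command with `exec` would make uwsgi replace the shell, so container stop signals reach it instead of the bash wrapper. The message on the migration line reads "datbase".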
diff --git a/roles/build/tasks/main.yml b/roles/build/tasks/main.yml
new file mode 100644
index 0000000..ea95380
--- /dev/null
+++ b/roles/build/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+- name: 'Install required software'
+ become: true
+ ansible.builtin.apt:
+ name: 'podman'
+ state: 'present'
+
+# Build image to run uffd in
+- name: 'Create temporary build directory'
+ become: true
+ ansible.builtin.file:
+ path: '{{ uffd_build_tempdir }}'
+ state: 'directory'
+ mode: 'u=rwx,g=rx,o=rx'
+
+- name: 'Copy static files for image'
+ become: true
+ ansible.builtin.copy:
+ src: '{{ item.file }}'
+ dest: '{{ uffd_build_tempdir }}/{{ item.file }}'
+ owner: 'root'
+ group: 'root'
+ mode: '{{ item.mode }}'
+ loop:
+ - file: 'cccv-archive-key.asc'
+ mode: 'u=rw,g=r,o=r'
+ - file: 'entrypoint.sh'
+ mode: 'u=rwx,g=rx,o=rx'
+ - file: 'uffd_2.3.1+git20241021T122809-98fe5690_all.deb'
+ mode: 'u=rw,g=r,o=r'
+
+- name: 'Copy templates for image'
+ become: true
+ ansible.builtin.template:
+ src: '{{ item.file }}'
+ dest: '{{ uffd_build_tempdir }}/{{ item.file }}'
+ owner: 'root'
+ group: 'root'
+ mode: '{{ item.mode }}'
+ loop:
+ - file: 'cccv-archive.list'
+ mode: 'u=rw,g=r,o=r'
+ - file: 'Containerfile'
+ mode: 'u=rw,g=r,o=r'
+
+- name: 'Create recent uffd image'
+ become: true
+ containers.podman.podman_image:
+ build:
+ cache: false
+ force_rm: true
+ rm: true
+ pull: false
+ push: false
+ force: '{{ uffd_build_force_rebuild }}'
+ name: 'uffd'
+ path: '{{ uffd_build_tempdir }}'
+ tag: '{{ ansible_date_time.iso8601_basic_short }}'
+ register: 'created_image_data'
+
+- name: 'Tag image as latest'
+ when: '{{ uffd_build_tag_latest }}'
+ become: true
+ containers.podman.podman_tag:
+ image: '{{ created_image_data.image[0].NamesHistory[0] }}'
+ target_names:
+ - 'uffd:latest'
+ register: 'created_image_data'
+
+- name: 'Cleanup temporary build directory'
+ become: true
+ ansible.builtin.file:
+ state: 'absent'
+ path: '{{ uffd_build_tempdir }}'
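Review bot: `when: '{{ uffd_build_tag_latest }}'` in 'Tag image as latest' wraps the condition in Jinja delimiters; `when` is already evaluated as a Jinja expression, ansible-core warns that conditionals should not include templating delimiters, and newer releases are stricter about it. Write `when: uffd_build_tag_latest`. The same task also registers its result into `created_image_data`, overwriting the podman_image result it just read `image[0].NamesHistory[0]` from; give it its own name or drop the `register`. The 'Cleanup temporary build directory' task only runs when every earlier task succeeded, so a failed build leaves the signing key, the .deb and the rendered Containerfile under `{{ uffd_build_tempdir }}` on the host; wrapping the build steps in a `block` with the cleanup in `always` makes the removal unconditional.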
diff --git a/roles/build/templates/Containerfile b/roles/build/templates/Containerfile
new file mode 100644
index 0000000..f1c4d91
--- /dev/null
+++ b/roles/build/templates/Containerfile
@@ -0,0 +1,39 @@
+FROM docker.io/library/debian:{{ uffd_build_debian_version }}-slim
+# Disable interactivity for debconf
+ENV DEBIAN_FRONTEND=noninteractive
+# Configure uwsgi parameters for running uffd as an app in there
+ENV UWSGI_DEB_CONFNAMESPACE="app"
+ENV UWSGI_DEB_CONFNAME="uffd"
+# Prepare the package sources and install needed software
+RUN apt-get -qq update && \
+ apt-get -qq dist-upgrade && \
+ apt-get -qq install ca-certificates
+# Place the pacakge sources data in the image to download uffd
+COPY cccv-archive-key.asc /etc/apt/trusted.gpg.d/
+COPY cccv-archive.list /etc/apt/sources.list.d/
+COPY uffd_2.3.1+git20241021T122809-98fe5690_all.deb /tmp/
+
+# Install uffd from (new) package sources
+RUN apt-get -qq update && \
+ apt-get -qq install --no-install-recommends /tmp/uffd_2.3.1+git20241021T122809-98fe5690_all.deb && \
+# Create a "new" config from the inital config without the preset secret key
+ cat /etc/uffd/uffd.cfg | grep -v "SECRET_KEY=" > /etc/uffd/uffd.cfg.tmp && \
+ mv /etc/uffd/uffd.cfg.tmp /etc/uffd/uffd.cfg && \
+# Create the needed paths for the app
+ mkdir --parents /var/www/uffd && \
+ mkdir -p /run/uwsgi/app/uffd && \
+ chown root:uffd /var/www/uffd
+
+COPY entrypoint.sh /entrypoint.sh
+
+USER uffd
+USER root
+
+# Uffd application is exposed on port 3031
+EXPOSE 3031/tcp
+# Statistics are exposed on port 9191
+EXPOSE 9191/tcp
+
+CMD bash /entrypoint.sh
+
+LABEL project="https://git.cccv.de/uffd/uffd"
diff --git a/roles/build/templates/cccv-archive.list b/roles/build/templates/cccv-archive.list
new file mode 100644
index 0000000..8ad6e71
--- /dev/null
+++ b/roles/build/templates/cccv-archive.list
@@ -0,0 +1 @@
+deb [signed-by=/etc/apt/trusted.gpg.d/cccv-archive-key.asc] https://packages.cccv.de/uffd {{ uffd_build_debian_version }} main
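Review bot: `COPY cccv-archive-key.asc /etc/apt/trusted.gpg.d/` makes the CCCV key a trusted signer for every apt source in the image, including the Debian mirrors, although cccv-archive.list already scopes it with `signed-by=` and therefore only needs the key in a readable location such as `/etc/apt/keyrings/`; change the COPY destination and the `signed-by=` path in roles/build/templates/cccv-archive.list together. `USER uffd` is overridden by `USER root` on the very next line and has no effect; drop it, or replace it with a comment stating that the entrypoint must start as root (it runs `cp` and `uffd-admin` before dropping to `uffd` via runuser). The shell-form `CMD bash /entrypoint.sh` makes bash PID 1, so stop signals only reach uwsgi if the script execs it. The installed `/tmp/uffd_2.3.1+git20241021T122809-98fe5690_all.deb` and the apt lists stay in the layer; removing them at the end of the second RUN keeps the image smaller.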
diff --git a/roles/uffd/defaults/main.yml b/roles/uffd/defaults/main.yml
new file mode 100644
index 0000000..76f0ad0
--- /dev/null
+++ b/roles/uffd/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+uffd_podman_network: 'uffd-net'
+
+uffd_conf_dir: '/etc/uffd'
+uffd_static_files_volume: 'uffd-static-files'
+uffd_data_volume: 'uffd-data'
+
+uffd_image_name: 'localhost/uffd:latest'
diff --git a/roles/uffd/handlers/main.yml b/roles/uffd/handlers/main.yml
new file mode 100644
index 0000000..cc560e0
--- /dev/null
+++ b/roles/uffd/handlers/main.yml
@@ -0,0 +1,46 @@
+---
+- name: 'Reload uffd services'
+ become: true
+ ansible.builtin.service:
+ daemon_reload: true
+
+- name: 'Restart uffd network'
+ become: true
+ ansible.builtin.service:
+ name: '{{ uffd_podman_network }}-network'
+ state: 'restarted'
+ notify:
+ - 'Restart uffd container'
+
+- name: 'Restart uffd volumes'
+ become: true
+ ansible.builtin.service:
+ name: '{{ item }}-volume'
+ state: 'restarted'
+ loop:
+ - '{{ uffd_static_files_volume }}'
+ - '{{ uffd_data_volume }}'
+ notify:
+ - 'Restart uffd container'
+
+- name: 'Restart uffd container'
+ become: true
+ ansible.builtin.service:
+ name: 'uffd-app'
+ state: 'restarted'
+ notify:
+ - 'Restart uffd-nginx container'
+
+- name: 'Restart uffd-nginx image'
+ become: true
+ ansible.builtin.service:
+ name: 'uffd-nginx-image.service'
+ state: 'restarted'
+ notify:
+ - 'Restart uffd-nginx container'
+
+- name: 'Restart uffd-nginx container'
+ become: true
+ ansible.builtin.service:
+ name: 'uffd-nginx'
+ state: 'restarted'
diff --git a/roles/uffd/tasks/main.yml b/roles/uffd/tasks/main.yml
new file mode 100644
index 0000000..0d02ba9
--- /dev/null
+++ b/roles/uffd/tasks/main.yml
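Review bot: 'Reload uffd services' calls `ansible.builtin.service` with nothing but `daemon_reload: true`; `daemon_reload` is not among the `service` module's documented options and `name` is its required argument, so this appears to work only because the action plugin forwards the arguments to the systemd backend on systemd hosts. Since the quadlet-generated units are systemd-only anyway, call `ansible.builtin.systemd_service:` with `daemon_reload: true` explicitly. The unit naming is also inconsistent: 'Restart uffd-nginx image' uses `uffd-nginx-image.service` while every other handler omits the `.service` suffix; systemd accepts both, but one form should be used throughout. Also note that `uffd_image_name: 'localhost/uffd:latest'` in roles/uffd/defaults/main.yml assumes the image built by the build role is present on the same host; a comment saying so would help operators who build elsewhere.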
@@ -0,0 +1,116 @@
+---
+- name: 'Install required software'
+ become: true
+ ansible.builtin.apt:
+ name: 'podman'
+ state: 'present'
+
+- name: 'Prepare uffd network'
+ become: true
+ containers.podman.podman_network:
+ name: '{{ uffd_podman_network }}'
+ state: 'quadlet'
+ notify:
+ - 'Reload uffd services'
+ - 'Restart uffd network'
+
+- name: 'Prepare uffd volumes'
+ become: true
+ containers.podman.podman_volume:
+ name: '{{ item }}'
+ state: 'quadlet'
+ loop:
+ - '{{ uffd_static_files_volume }}'
+ - '{{ uffd_data_volume }}'
+ notify:
+ - 'Reload uffd services'
+ - 'Restart uffd volumes'
+
+- name: 'Create uffd config directory'
+ become: true
+ ansible.builtin.file:
+ path: '{{ uffd_conf_dir }}'
+ state: 'directory'
+ mode: 'u=rwx,g=rx,o=rx'
+
+- name: 'Generate uffd configuration'
+ become: true
+ ansible.builtin.template:
+ src: 'uffd.cfg.j2'
+ dest: '{{ uffd_conf_dir }}/uffd.cfg'
+ owner: 'root'
+ group: 'root'
+ mode: 'u=rw,g=r,o=r'
+ notify: 'Restart uffd container'
+
+- name: 'Create uffd container'
+ become: true
+ containers.podman.podman_container:
+ name: 'uffd-app'
+ image: '{{ uffd_image_name }}'
+ network: '{{ uffd_podman_network }}.network'
+ state: 'quadlet'
+ volume:
+ - '{{ uffd_static_files_volume }}.volume:/var/www/uffd'
+ - '{{ uffd_data_volume }}.volume:/var/lib/uffd'
+ - '{{ uffd_conf_dir }}/uffd.cfg:/etc/uffd/uffd.cfg:ro'
+ env:
+ UFFD_INITIAL_ADMIN_USER: '{{ uffd_initial_admin_user }}'
+ UFFD_INITIAL_ADMIN_PW: '{{ uffd_initial_admin_pw }}'
+ UFFD_INITIAL_ADMIN_MAIL: '{{ uffd_initial_admin_mail }}'
+ ports: []
+ quadlet_options: |
+ [Install]
+ WantedBy=default.target
+ [Unit]
+ Requires={{ uffd_podman_network }}-network.service
+ Requires={{ uffd_static_files_volume }}-volume.service
+ Requires={{ uffd_data_volume }}-volume.service
+ After={{ uffd_podman_network }}-network.service
+ After={{ uffd_static_files_volume }}-volume.service
+ After={{ uffd_data_volume }}-volume.service
+ notify:
+ - 'Reload uffd services'
+ - 'Restart uffd 
container'
+
+- name: 'Define uffd-nginx image'
+ become: true
+ containers.podman.podman_image:
+ name: 'docker.io/library/nginx:latest'
+ quadlet_filename: 'uffd-nginx'
+ state: 'quadlet'
+ notify:
+ - 'Reload uffd services'
+ - 'Restart uffd-nginx image'
+
+- name: 'Write uffd-nginx config'
+ become: true
+ ansible.builtin.template:
+ src: 'nginx.conf.j2'
+ dest: '{{ uffd_conf_dir }}/nginx.conf'
+ owner: 'root'
+ group: 'root'
+ mode: 'u=rw,g=r,o=r'
+ notify:
+ - 'Restart uffd-nginx container'
+
+- name: 'Create uffd-nginx container'
+ become: true
+ containers.podman.podman_container:
+ name: 'uffd-nginx'
+ image: 'uffd-nginx.image'
+ network: '{{ uffd_podman_network }}.network'
+ state: 'quadlet'
+ volume:
+ - '{{ uffd_static_files_volume }}.volume:/var/www/uffd'
+ - '{{ uffd_conf_dir }}/nginx.conf:/etc/nginx/conf.d/default.conf:ro'
+ ports: []
+ quadlet_options: |
+ [Install]
+ WantedBy=default.target
+ [Unit]
+ Requires=uffd-app.service
+ After=uffd-app.service
+ notify:
+ - 'Reload uffd services'
+ - 'Restart uffd-nginx container'
diff --git a/roles/uffd/templates/nginx.conf.j2 b/roles/uffd/templates/nginx.conf.j2
new file mode 100644
index 0000000..289ea02
--- /dev/null
+++ b/roles/uffd/templates/nginx.conf.j2
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name _;
+
+ location / {
+ uwsgi_pass uffd-app:3031;
+ include uwsgi_params;
+ }
+
+ location /static {
+ alias /var/www/uffd/static;
+ }
+}
\ No newline at end of file
diff --git a/roles/uffd/templates/uffd.cfg.j2 b/roles/uffd/templates/uffd.cfg.j2
new file mode 100644
index 0000000..74cf8c8
--- /dev/null
+++ b/roles/uffd/templates/uffd.cfg.j2
@@ -0,0 +1,3 @@
+FLASK_ENV="production"
+SQLALCHEMY_DATABASE_URI="sqlite:////var/lib/uffd/db.sqlite"
+SECRET_KEY="{{ uffd_secret_key }}"
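Review bot: 'Generate uffd configuration' writes `uffd.cfg`, which carries `SECRET_KEY` (see roles/uffd/templates/uffd.cfg.j2), with `mode: 'u=rw,g=r,o=r'`, so the Flask signing secret is readable by every local account on the host. Tighten it, e.g. `mode: 'u=rw,g=,o='`, and check that the uid the container reads it with (the entrypoint runs `uffd-admin` as root and uwsgi as `uffd`) still has access through the `:ro` bind mount. 'Create uffd container' also passes `uffd_initial_admin_pw` via `env`, which ends up in clear text in the generated quadlet unit and in Ansible's task output; add `no_log: true` to that task and consider a podman secret or an `EnvironmentFile` with restrictive permissions instead of `Environment=`, since the entrypoint only consumes the password while the user table is empty. Both containers declare `ports: []` and nginx listens on plain port 80, so publishing and TLS termination are presumably handled outside this role; a line in README.md saying so would save operators a surprise. The hunk continues from the previous chunk.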
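Review bot: `location /static { alias /var/www/uffd/static; }` pairs a location prefix and an alias that both lack a trailing slash, which is the well-known nginx alias misconfiguration: any request path that merely begins with `/static` is resolved relative to `/var/www/uffd`, so files outside the `static` directory can be served. Here the mounted volume only holds what the entrypoint copies into it, which limits the impact, but the fix is one line: `location /static/ { alias /var/www/uffd/static/; }`. `server_name _;` with a single `listen 80;` is fine for a default server, but a comment noting that this container is expected to sit behind the host's TLS-terminating proxy would document the intended exposure.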