moved nginx, graylog to podman

ansible/roles/podman/tasks/configuration-nginx-http.yml

@@ -0,0 +1,95 @@
+---
+- name: create required nginx volumes
+  become: true
+  ansible.builtin.file:
+    path: "{{ nginx_path }}/etc"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0755
+  notify: restorecon podman
+  tags: http
+
+- name: setup nginx base configuration
+  become: true
+  ansible.builtin.template:
+    src: templates/nginx/nginx.conf.j2
+    dest: "{{ nginx_path }}/etc/nginx.conf"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: http
+
+- name: create required nginx files
+  become: true
+  ansible.builtin.copy:
+    src: "files/nginx/{{ item }}"
+    dest: "{{ nginx_path }}/etc/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  loop:
+    - mime.types
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: http
+
+- name: setup nginx directories
+  become: true
+  ansible.builtin.file:
+    path: "{{ nginx_path }}/etc/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    state: directory
+    mode: 0755
+  notify: restorecon podman
+  loop:
+    - sites-enabled
+    - sites-available
+  tags: http
+
+- name: template nginx http sites-available
+  become: true
+  ansible.builtin.template:
+    src: "templates/nginx/sites/{{ item }}.j2"
+    dest: "{{ nginx_path }}/etc/sites-available/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  loop:
+    - "{{ ci_server_name }}.http.conf"
+    #- "{{ pi_server_name }}.conf"
+    - "{{ home_server_name }}.conf"
+    - "{{ assistant_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
+    - "{{ parts_server_name }}.conf"
+    - "{{ logs_server_name }}.conf"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: http
+
+- name: enable desired nginx http sites
+  become: true
+  ansible.builtin.file:
+    src: "../sites-available/{{ item }}"
+    dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    state: link
+  loop:
+    - "{{ ci_server_name }}.http.conf"
+    #- "{{ pi_server_name }}.conf"
+    - "{{ parts_server_name }}.conf"
+    - "{{ home_server_name }}.conf"
+    - "{{ assistant_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
+    - "{{ logs_server_name }}.conf"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: http

ansible/roles/podman/tasks/configuration-nginx-https.yml

@@ -0,0 +1,58 @@
+---
+- name: create nginx ssl directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ nginx_path }}/etc/ssl"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+    state: directory
+  tags: https
+
+- name: stat dhparam
+  become: true
+  ansible.builtin.stat:
+    path: "{{ nginx_path }}/etc/ssl/dhparam.pem"
+  register: dhparam
+  tags: https
+
+- name: generate openssl dhparam for nginx
+  become: true
+  ansible.builtin.command: |
+    openssl dhparam -out {{ nginx_path }}/ssl/dhparam.pem 2048
+  when: not dhparam.stat.exists
+  args:
+    creates: "{{ nginx_path }}/ssl/dhparam.pem"
+  tags: https
+
+- name: template nginx https sites-available
+  become: true
+  ansible.builtin.template:
+    src: "templates/nginx/sites/{{ item }}.j2"
+    dest: "{{ nginx_path }}/etc/sites-available/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  loop:
+    - "{{ ci_server_name }}.https.conf"
+    - "{{ parts_server_name }}.https.conf"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: https
+
+- name: enable desired nginx https sites
+  become: true
+  ansible.builtin.file:
+    src: "../sites-available/{{ item }}"
+    dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    state: link
+  loop:
+    - "{{ ci_server_name }}.https.conf"
+    - "{{ parts_server_name }}.https.conf"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: https

ansible/roles/podman/tasks/configuration-nginx-modsec.yml

@@ -0,0 +1,107 @@
+---
+- name: create nginx/conf directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  loop:
+    - "{{ nginx_conf_path }}"
+    - "{{ modsec_rules_path }}"
+  notify: restorecon podman
+  tags: modsec
+
+- name: create modsec_includes.conf
+  become: true
+  ansible.builtin.copy:
+    src: files/nginx/modsec_includes.conf
+    dest: "{{ nginx_path }}/etc/modsec_includes.conf"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: modsec
+
+- name: clone coreruleset and modsecurity
+  become: true
+  ansible.builtin.git:
+    repo: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    update: "{{ update_modsec | default(false) }}"
+    force: true
+    version: "{{ item.ver }}"
+  loop: "{{ modsec_git_urls }}"
+  tags: modsec
+
+- name: setup modsec and coreruleset configs
+  become: true
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    force: "{{ update_modsec | default(false) }}"
+    mode: 0644
+    remote_src: true
+  loop: "{{ modsec_conf_links }}"
+  notify: restorecon podman
+  tags: modsec
+
+- name: setup coreruleset rules
+  become: true
+  ansible.builtin.copy:
+    src: "{{ crs_rules_path }}/{{ item.name }}.conf"
+    dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    force: "{{ update_modsec | default(false) }}"
+    mode: 0644
+    remote_src: true
+  when: item.enabled
+  loop: "{{ crs_rule_links }}"
+  notify: restorecon podman
+  tags:
+    - modsec
+    - modsec_rules
+
+- name: setup coreruleset data
+  become: true
+  ansible.builtin.copy:
+    src: "{{ crs_rules_path }}/{{ item }}.data"
+    dest: "{{ modsec_rules_path }}/{{ item }}.data"
+    force: "{{ update_modsec | default(false) }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+    remote_src: true
+  loop: "{{ crs_data_links }}"
+  notify: restorecon podman
+  tags:
+    - modsec
+    - modsec_rules
+
+- name: whitelist local ip addresses
+  become: true
+  ansible.builtin.lineinfile:
+    path: "{{ modsec_crs_before_rule_conf }}"
+    regexp: "{{ modsec_whitelist_local_re }}"
+    line: "{{ modsec_whitelist_local }}"
+  notify: restart nginx
+  tags:
+    - modsec
+    - modsec_rules
+    - modsec_whitelist
+
+- name: activate mod-security
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/nginx/modsecurity.conf
+    regexp: "{{ item.regex }}"
+    line: "{{ item.line }}"
+  loop: "{{ modsec_conf_replaces }} "
+  notify: restart_nginx
+  tags: modsec

ansible/roles/podman/tasks/configuration-nginx.yml

@@ -0,0 +1,22 @@
+---
+- name: create letsencrypt shared root srv directory
+  become: true
+  ansible.builtin.file:
+    path: /srv/http/letsencrypt
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+    state: directory
+  tags:
+    - ssl
+    - https
+
+- import_tasks: configuration-nginx-http.yml
+- import_tasks: configuration-nginx-https.yml
+- import_tasks: configuration-nginx-modsec.yml
+
+- meta: flush_handlers
+  tags:
+    - http
+    - modsec
+    - modsec_rules

ansible/roles/podman/tasks/container-drone.yml

@@ -8,7 +8,7 @@
     group: "{{ podman_user }}"
     mode: 0755
   notify: restorecon podman
-  with_items:
+  loop:
     - "{{ drone_path }}/data"
   tags: drone
 
@@ -20,12 +20,14 @@
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: drone
-    image: docker.io/drone/drone:latest
+    image: docker.io/drone/drone:2.11.1
     recreate: false
     restart: true
     restart_policy: on-failure
     log_driver: journald
     env:
+      DRONE_LOGS_DEBUG: "true"
+      DRONE_RPC_DEBUG: "true"
       DRONE_GITHUB_CLIENT_ID: "{{ drone_gh_client_id }}"
       DRONE_GITHUB_CLIENT_SECRET: "{{ drone_gh_client_sec }}"
       DRONE_GIT_ALWAYS_AUTH: "true"
@@ -39,12 +41,18 @@
       - "8080:80"
   tags: drone
 
+- name: create systemd startup job for drone
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: drone
+  tags: drone
+
 - name: create drone-ci worker container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: drone-runner
-    image: docker.io/80x86/drone-runner-podman:latest
+    image: docker.io/drone/drone-runner-docker:1.8.1
     recreate: false
     restart: true
     restart_policy: on-failure
@@ -55,7 +63,13 @@
       DRONE_RPC_PROTO: "{{ drone_server_proto }}"
       DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}"
     volumes:
-      - /run/user/1002/podman/podman.sock:/run/podman/podman.sock
+      - "/run/user/1002/podman/podman.sock:/var/run/docker.sock"
     ports:
       - "3000:3000"
   tags: drone
+
+- name: create systemd startup job for drone-runner
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: drone-runner
+  tags: drone

ansible/roles/podman/tasks/container-graylog.yml

@@ -0,0 +1,128 @@
+---
+- name: create required graylog volumes
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_subuid.stdout }}"
+    group: "{{ podman_user }}"
+    mode: 0755
+  notify: restorecon podman
+  loop:
+    - "{{ graylog_path }}/mongo"
+    - "{{ graylog_path }}/elastic"
+    - "{{ graylog_path }}/conf"
+    - "{{ graylog_path }}/bin"
+  tags: graylog
+
+- name: copy configuration files
+  become: true
+  ansible.builtin.copy:
+    src: "files/graylog/{{ item.src }}"
+    dest: "{{ graylog_path }}/{{ item.dest }}"
+    owner: "{{ podman_subuid.stdout }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  loop:
+    - src: "graylogctl"
+      dest: "bin/graylogctl"
+    - src: "graylog.conf"
+      dest: "conf/graylog.conf"
+  notify: restorecon podman
+  tags: graylog
+
+- name: unshare chown the elastic volume
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.command: |
+    podman unshare chown -R 1000:1000 {{ graylog_path }}/elastic
+  tags: graylog
+
+- meta: flush_handlers
+  tags: graylog
+
+- name: create graylog mongodb container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: graylog-mongo
+    image: docker.io/mongo:4.2
+    recreate: false
+    restart: false
+    restart_policy: on-failure
+    network:
+      - shared
+    volumes:
+      - "{{ graylog_path }}/mongo:/data/db"
+  tags: graylog
+
+- name: create systemd startup job for graylog-mongo
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: graylog-mongo
+  tags: graylog
+
+- name: create graylog elasticsearch container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: graylog-elastic
+    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    recreate: true
+    restart: false
+    restart_policy: on-failure
+    network:
+      - shared
+    volumes:
+      - "{{ graylog_path }}/elastic:/usr/share/elasticsearch/data"
+    env:
+      http.host: "0.0.0.0"
+      transport.host: "localhost"
+      network.host: "0.0.0.0"
+      cluster.name: "graylog"
+      ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx2048m"
+  tags: graylog
+
+- name: create systemd startup job for graylog-elastic
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: graylog-elastic
+  tags: graylog
+
+- name: create graylog container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: graylog
+    image: docker.io/graylog/graylog:4.2
+    recreate: false
+    restart: true
+    restart_policy: on-failure
+    sysctl:
+      net.ipv6.conf.all.disable_ipv6: 1
+      net.ipv6.conf.default.disable_ipv6: 1
+    network:
+      - shared
+      - host
+    volumes:
+      - "{{ graylog_path }}/conf:/usr/share/graylog/data/config"
+      - "{{ graylog_path }}/bin:/usr/share/graylog/bin"
+    env:
+      GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}"
+      GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}"
+      GRAYLOG_HTTP_EXTERNAL_URI: http://{{ ansible_default_ipv4.address }}:9000/
+      GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
+      GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog
+      GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-elastic:9200
+    ports:
+      - "{{ graylog_port }}:9000"
+      - "{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp"
+      - "{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp"
+      - "{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp"
+  tags: graylog
+
+- name: create systemd startup job for graylog
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: graylog
+  tags: graylog

ansible/roles/podman/tasks/container-hass.yml

@@ -8,7 +8,7 @@
     group: "{{ podman_user }}"
     mode: 0755
   notify: restorecon podman
-  with_items:
+  loop:
     - "{{ hass_path }}/media"
     - "{{ hass_path }}/config"
   tags: hass
@@ -22,7 +22,7 @@
     group: "{{ podman_user }}"
     mode: 0644
   notify: restorecon podman
-  with_items:
+  loop:
     - configuration.yaml
     - automations.yaml
   tags: hass

ansible/roles/podman/tasks/container-nginx.yml

@@ -0,0 +1,25 @@
+---
+- name: create nginx container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: nginx
+    image: docker.io/owasp/modsecurity:nginx
+    entrypoint: ""
+    command: ["nginx", "-g", "daemon off;"]
+    recreate: false
+    restart: true
+    restart_policy: on-failure:3
+    log_driver: journald
+    network:
+      - host
+    cap_add:
+      - CAP_NET_BIND_SERVICE
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - "{{ nginx_path }}/etc:/etc/nginx:ro"
+      - "/srv/http/letsencrypt:/srv/http/letsencrypt:z"
+      - "/etc/letsencrypt:/etc/letsencrypt:ro"
+  tags: nginx

ansible/roles/podman/tasks/container-partkeepr.yml

@@ -8,20 +8,13 @@
     group: "{{ podman_user }}"
     mode: 0755
   notify: restorecon podman
-  with_items:
+  loop:
     - "{{ partkeepr_path }}/mysql"
   tags: partkeepr
 
 - meta: flush_handlers
   tags: partkeepr
 
-- name: create partkeepr network
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_network:
-    name: partkeepr
-  tags: partkeepr
-
 - name: create partkeepr-db container
   become: true
   become_user: "{{ podman_user }}"
@@ -33,7 +26,7 @@
     restart_policy: on-failure
     log_driver: journald
     network:
-      - partkeepr
+      - shared
     env:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: partkeepr
@@ -54,13 +47,13 @@
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: partkeepr
-    image: docker.io/mhubig/partkeepr:latest
+    image: docker.io/bdebyl/partkeepr:0.1.10
     recreate: false
     restart: false
     restart_policy: on-failure
     log_driver: journald
     network:
-      - partkeepr
+      - shared
     ports:
       - "8081:80"
   tags: partkeepr
@@ -70,26 +63,3 @@
   vars:
     container_name: partkeepr
   tags: partkeepr
-
-- name: create partkeepr-cron container
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_container:
-    name: partkeepr-cron
-    image: docker.io/mhubig/partkeepr:latest
-    entrypoint: ""
-    command: >
-      bash -c "crontab /etc/cron.d/partkeepr && cron -f"
-    recreate: false
-    restart: true
-    restart_policy: on-failure
-    log_driver: journald
-    network:
-      - partkeepr
-  tags: partkeepr
-
-- name: create systemd startup job for partkeepr-cron
-  include_tasks: systemd-generate.yml
-  vars:
-    container_name: partkeepr-cron
-  tags: partkeepr

ansible/roles/podman/tasks/firewall.yml

@@ -0,0 +1,17 @@
+---
+- name: set required podman firewall rules
+  become: true
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+  loop:
+    - 80/tcp
+    - 443/tcp
+    - "{{ syslog_udp_default }}/udp"
+    - "{{ syslog_udp_error }}/udp"
+    - "{{ syslog_udp_unifi }}/udp"
+  notify: restart firewalld
+  tags:
+    - firewall
+    - http

ansible/roles/podman/tasks/main.yml

@@ -1,6 +1,10 @@
 ---
 - import_tasks: podman.yml
+- import_tasks: configuration-nginx.yml
+- import_tasks: firewall.yml
 - import_tasks: container-awsddns.yml
 - import_tasks: container-drone.yml
 - import_tasks: container-hass.yml
 - import_tasks: container-partkeepr.yml
+- import_tasks: container-nginx.yml
+- import_tasks: container-graylog.yml

ansible/roles/podman/tasks/podman.yml

@@ -8,6 +8,28 @@
     home: "{{ podman_home }}"
   tags: podman
 
+- name: set ulimits for podman user
+  become: true
+  community.general.pam_limits:
+    domain: podman
+    limit_type: "{{ item.type }}"
+    limit_item: "{{ item.name }}"
+    value: "{{ item.value }}"
+  loop:
+    - name: memlock
+      type: soft
+      value: "unlimited"
+    - name: memlock
+      type: hard
+      value: "unlimited"
+    - name: nofile
+      type: soft
+      value: 39693561
+    - name: memlock
+      type: hard
+      value: 39693561
+  tags: podman
+
 - name: check if podman user lingering enabled
   become: true
   ansible.builtin.stat:
@@ -31,7 +53,7 @@
     setype: "{{ item.setype }}"
     state: present
   notify: restorecon podman
-  with_items:
+  loop:
     - { target: "{{ podman_home }}", setype: "user_home_dir_t" }
     - { target: "{{ podman_path }}", setype: "container_file_t" }
   tags:
@@ -42,17 +64,41 @@
   become: true
   become_user: "{{ podman_user }}"
   ansible.builtin.file:
-    path: "{{ podman_home }}/{{ item }}"
+    path: "{{ item }}"
     state: directory
     owner: "{{ podman_user }}"
     group: "{{ podman_user }}"
     mode: 0755
   notify: restorecon podman
-  with_items:
-    - ".config/systemd/user"
+  loop:
+    - "{{ podman_home }}/.config/systemd/user"
     - "{{ podman_containers }}"
     - "{{ podman_volumes }}"
   tags: podman
 
 - meta: flush_handlers
   tags: podman
+
+- name: create podman shared network
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_network:
+    name: shared
+  tags: podman
+
+- name: allow unprivileged ports to lower number
+  become: true
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_unprivileged_port_start
+    value: "80"
+    sysctl_set: true
+    state: present
+    reload: true
+  tags: podman
+
+- name: fetch subuid of {{ podman_user }}
+  become: true
+  ansible.builtin.shell: |
+    cat /etc/subuid | awk -F':' '/{{ podman_user }}/{ print $2 }' | head -n 1
+  register: podman_subuid
+  tags: always