moved ddns, partkeepr, hass to podman, selinux

ansible/roles/podman/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+partkeepr_path: "{{ podman_volumes }}/partkeepr"
+hass_path: "{{ podman_volumes }}/hass"

ansible/roles/podman/files/automations.yaml

@@ -0,0 +1,41 @@
+- id: '1649042254031'
+  alias: Office Lights Morning
+  description: ''
+  trigger:
+  - platform: time
+    at: '10:30:00'
+  condition: []
+  action:
+  - type: turn_on
+    device_id: 04a5b4bea0caafe63bca3fb31c49091b
+    entity_id: light.bastian_s_office_lights
+    domain: light
+    brightness_pct: 100
+  mode: single
+- id: '1649042299713'
+  alias: Office Lights Evening
+  description: ''
+  trigger:
+  - platform: time
+    at: '17:00:00'
+  condition: []
+  action:
+  - type: turn_on
+    device_id: 04a5b4bea0caafe63bca3fb31c49091b
+    entity_id: light.bastian_s_office_lights
+    domain: light
+    brightness_pct: 1
+  mode: single
+- id: '1649042328061'
+  alias: Office Lights Off
+  description: ''
+  trigger:
+  - platform: time
+    at: '20:00:00'
+  condition: []
+  action:
+  - type: turn_off
+    device_id: 04a5b4bea0caafe63bca3fb31c49091b
+    entity_id: light.bastian_s_office_lights
+    domain: light
+  mode: single

ansible/roles/podman/files/configuration.yaml

@@ -0,0 +1,19 @@
+# Configure a default setup of Home Assistant (frontend, api, etc)
+default_config:
+
+# Text to speech
+tts:
+  - platform: google_translate
+api:
+http:
+  use_x_forwarded_for: true
+  trusted_proxies:
+    - 127.0.0.1
+    - 172.0.0.0/8
+
+homeassistant:
+  time_zone: America/New_York
+  media_dirs:
+    media: /share
+
+automation: !include automations.yaml

ansible/roles/podman/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: restorecon podman
+  become: true
+  ansible.builtin.command: |
+    restorecon -Frv {{ podman_home }}
+  tags:
+    - podman
+    - selinux

ansible/roles/podman/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: common

ansible/roles/podman/tasks/container-awsddns.yml

@@ -0,0 +1,25 @@
+---
+- name: create awsddns server container
+  become: true
+  become_user: "{{ podman_user }}"
+  diff: false
+  containers.podman.podman_container:
+    name: awsddns
+    image: docker.io/bdebyl/awsddns
+    recreate: false
+    restart: true
+    restart_policy: on-failure
+    log_driver: journald
+    env:
+      AWS_ZONE_ID: "{{ aws_zone_id }}"
+      AWS_ZONE_HOSTNAME: "{{ aws_zone_hostname }}"
+      AWS_ACCESS_KEY_ID: "{{ aws_access_key_id }}"
+      AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
+      AWS_DEFAULT_REGION: "{{ aws_default_region }}"
+  tags: ddns
+
+- name: create systemd startup job for awsddns
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: awsddns
+  tags: ddns

ansible/roles/podman/tasks/container-hass.yml

@@ -0,0 +1,57 @@
+---
+- name: create home-assistant host directory volumes
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0755
+  notify: restorecon podman
+  with_items:
+    - "{{ hass_path }}/media"
+    - "{{ hass_path }}/config"
+  tags: hass
+
+- name: copy configuration and automations
+  become: true
+  ansible.builtin.copy:
+    src: "files/{{ item }}"
+    dest: "{{ hass_path }}/config/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  notify: restorecon podman
+  with_items:
+    - configuration.yaml
+    - automations.yaml
+  tags: hass
+
+- meta: flush_handlers
+  tags: hass
+
+- name: create home-assistant server container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: hass
+    image: ghcr.io/home-assistant/home-assistant:stable
+    recreate: false
+    restart: true
+    restart_policy: on-failure
+    log_driver: journald
+    cap_add:
+      - CAP_NET_RAW
+      - CAP_NET_BIND_SERVICE
+    volumes:
+      - "{{ hass_path }}/config:/config"
+      - "{{ hass_path }}/media:/share"
+    ports:
+      - "8123:8123"
+  tags: hass
+
+- name: create systemd startup job for hass
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: hass
+  tags: hass

ansible/roles/podman/tasks/container-partkeepr.yml

@@ -0,0 +1,95 @@
+---
+- name: create required partkeepr volumes
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0755
+  notify: restorecon podman
+  with_items:
+    - "{{ partkeepr_path }}/mysql"
+  tags: partkeepr
+
+- meta: flush_handlers
+  tags: partkeepr
+
+- name: create partkeepr network
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_network:
+    name: partkeepr
+  tags: partkeepr
+
+- name: create partkeepr-db container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: partkeepr-db
+    image: docker.io/mariadb:10.0
+    recreate: false
+    restart: false
+    restart_policy: on-failure
+    log_driver: journald
+    network:
+      - partkeepr
+    env:
+      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
+      MYSQL_DATABASE: partkeepr
+      MYSQL_USER: partkeepr
+      MYSQL_PASSWORD: "{{ partkeepr_mysql_password }}"
+    volumes:
+      - "{{ partkeepr_path }}/mysql:/var/lib/mysql"
+  tags: partkeepr
+
+- name: create systemd startup job for partkeepr-db
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: partkeepr-db
+  tags: partkeepr
+
+- name: create partkeepr container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: partkeepr
+    image: docker.io/mhubig/partkeepr:latest
+    recreate: false
+    restart: false
+    restart_policy: on-failure
+    log_driver: journald
+    network:
+      - partkeepr
+    ports:
+      - "8081:80"
+  tags: partkeepr
+
+- name: create systemd startup job for partkeepr
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: partkeepr
+  tags: partkeepr
+
+- name: create partkeepr-cron container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: partkeepr-cron
+    image: docker.io/mhubig/partkeepr:latest
+    entrypoint: ""
+    command: >
+      bash -c "crontab /etc/cron.d/partkeepr && cron -f"
+    recreate: false
+    restart: true
+    restart_policy: on-failure
+    log_driver: journald
+    network:
+      - partkeepr
+  tags: partkeepr
+
+- name: create systemd startup job for partkeepr-cron
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: partkeepr-cron
+  tags: partkeepr

ansible/roles/podman/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- import_tasks: podman.yml
+- import_tasks: container-awsddns.yml
+- import_tasks: container-partkeepr.yml
+- import_tasks: container-hass.yml

ansible/roles/podman/tasks/podman.yml

@@ -0,0 +1,58 @@
+---
+- name: create podman user
+  become: true
+  ansible.builtin.user:
+    name: "{{ podman_user }}"
+    comment: Rootless podman user
+    shell: /sbin/nologin
+    home: "{{ podman_home }}"
+  tags: podman
+
+- name: check if podman user lingering enabled
+  become: true
+  ansible.builtin.stat:
+    path: "/var/lib/systemd/linger/{{ podman_user }}"
+  register: user_lingering
+  tags: podman
+
+- name: enable podman user lingering
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.command: |
+    loginctl enable-linger {{ podman_user }}
+  when:
+    - not user_lingering.stat.exists
+  tags: podman
+
+- name: selinux context for podman directories
+  become: true
+  community.general.sefcontext:
+    target: "{{ item.target }}(/.*)?"
+    setype: "{{ item.setype }}"
+    state: present
+  notify: restorecon podman
+  with_items:
+    - { target: "{{ podman_home }}", setype: "user_home_dir_t" }
+    - { target: "{{ podman_path }}", setype: "container_file_t" }
+  tags:
+    - podman
+    - selinux
+
+- name: create podman system directories
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.file:
+    path: "{{ podman_home }}/{{ item }}"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0755
+  notify: restorecon podman
+  with_items:
+    - ".config/systemd/user"
+    - "{{ podman_containers }}"
+    - "{{ podman_volumes }}"
+  tags: podman
+
+- meta: flush_handlers
+  tags: podman

ansible/roles/podman/tasks/systemd-generate.yml

@@ -0,0 +1,17 @@
+---
+- name: create systemd startup job for {{ container_name }}
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.shell: |
+    podman generate systemd {{ container_name }} > {{ podman_home}}/.config/systemd/user/{{ container_name }}.service
+  tags: systemd
+
+- name: enable systemd startup job for {{ container_name }}
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.systemd:
+    name: "{{ container_name }}.service"
+    daemon_reload: true
+    enabled: true
+    scope: user
+  tags: systemd