From ebc55ad9d890924416bc421215f092a551fb0ff1 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Wed, 2 Nov 2022 19:36:59 +0100
Subject: [PATCH] Move rproxy mounts to use _data
---
 .../user/container-rproxy-certbot.service.j2 | 13 ++++++++++++-
 .../user/container-rproxy-nginx.service.j2 | 19 ++++++++++++++++++-
 .../service-user/01-user.d/data/rproxy.yml | 8 ++++++++
 .../service-deploy/service.d/rproxy.yml | 6 ------
 4 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2 b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2
index 85ff2ce..f76d4ea 100644
--- a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2
+++ b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2
@@ -8,6 +8,17 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-rproxy-certbot.pid %t/container-rproxy-certbot.ctr-id
 ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
-ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-certbot.pid --cidfile %t/container-rproxy-certbot.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace -v /etc/resolv.conf:/etc/resolv.conf:ro -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt:/etc/letsencrypt -v var-lib-letsencrypt:/var/lib/letsencrypt -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-certbot docker.io/certbot/certbot --non-interactive renew
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/container-rproxy-certbot.pid \
+ --cidfile %t/container-rproxy-certbot.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/pod-rproxy.pod-id \
+ --replace \
+ -v /etc/resolv.conf:/etc/resolv.conf:ro \
+ -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/_data:/etc/letsencrypt \
+ -v var-lib-letsencrypt:/var/lib/letsencrypt \
+ -v var-www-html:/var/www/html \
+ --name=pod-rproxy-certbot \
+ docker.io/certbot/certbot --non-interactive renew
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-certbot.ctr-id
 Type=oneshot
diff --git a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2 b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2
index c54aaf1..c851fb6 100644
--- a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2
+++ b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2
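Review bot: The rewritten `ExecStart` still references `docker.io/certbot/certbot` with no tag or digest, and the `ExecStartPre` pull just above fetches whatever `latest` currently is before every renewal, so an unattended job with write access to the ACME account key and the certificate private keys under `/etc/letsencrypt` runs whatever upstream published most recently. Pin both references to the same immutable identifier, e.g. `docker.io/certbot/certbot@sha256:<digest>`, and bump it deliberately. Separately, `renew` is invoked without a `--deploy-hook`, and nothing visible here restarts `pod-rproxy-nginx`, which mounts the same `_data` directory read-only; unless a reload is wired elsewhere, nginx presumably keeps serving the old certificate after a renewal — worth confirming. The unit's `[Service]` section starts outside the hunk.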
@@ -12,7 +12,24 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-rproxy-nginx.pid %t/container-rproxy-nginx.ctr-id
-ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-nginx.pid --cidfile %t/container-rproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /etc/resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt:/etc/letsencrypt:ro -v var-lib-letsencrypt:/var/lib/letsencrypt:ro -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-nginx docker.io/library/nginx
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/container-rproxy-nginx.pid \
+ --cidfile %t/container-rproxy-nginx.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/pod-rproxy.pod-id \
+ --replace \
+ --label "io.containers.autoupdate=image" \
+ -dt \
+ {{ service_rproxy_hosts }} \
+ -v /etc/resolv.conf:/etc/resolv.conf:ro \
+ -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
+ -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
+ -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
+ -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/_data:/etc/letsencrypt:ro \
+ -v var-lib-letsencrypt:/var/lib/letsencrypt:ro \
+ -v var-www-html:/var/www/html \
+ --name=pod-rproxy-nginx \
+ docker.io/library/nginx
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-rproxy-nginx.ctr-id -t 10
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-nginx.ctr-id
 PIDFile=%t/container-rproxy-nginx.pid
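Review bot: `-v var-www-html:/var/www/html` is the only mount in the rewritten `ExecStart` without `:ro`; every config, key and certificate mount on this line is read-only, and from what the two units show nginx only has to serve the challenge files that the certbot container writes into that same volume. Make it `-v var-www-html:/var/www/html:ro` so a compromised nginx worker cannot plant or alter challenge responses. Note also that `--label "io.containers.autoupdate=image"` combined with an untagged `docker.io/library/nginx` means the proxy silently follows whatever `latest` becomes; pinning a series tag such as `docker.io/library/nginx:1.24` keeps auto-update inside a known major/minor line. The unit continues on both sides of the hunk.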
diff --git a/playbooks/tasks/services/b-user/service-user/01-user.d/data/rproxy.yml b/playbooks/tasks/services/b-user/service-user/01-user.d/data/rproxy.yml
index 9f93ca6..e440369 100644
--- a/playbooks/tasks/services/b-user/service-user/01-user.d/data/rproxy.yml
+++ b/playbooks/tasks/services/b-user/service-user/01-user.d/data/rproxy.yml
@@ -13,3 +13,11 @@
 owner: "{{ service_user_name }}"
 group: "{{ service_user_name }}"
 mode: 0755
+
+- name: Create etc-letsencrypt/_data directory for user {{ service_user_name }}
+ file:
+ path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}/etc-letsencrypt/_data"
+ state: directory
+ owner: "{{ service_user_name }}"
+ group: "{{ service_user_name }}"
+ mode: 0755
diff --git a/playbooks/tasks/services/c-deploy/service-deploy/service.d/rproxy.yml b/playbooks/tasks/services/c-deploy/service-deploy/service.d/rproxy.yml
index 4b3fe5b..33e76d1 100644
--- a/playbooks/tasks/services/c-deploy/service-deploy/service.d/rproxy.yml
+++ b/playbooks/tasks/services/c-deploy/service-deploy/service.d/rproxy.yml
@@ -8,12 +8,6 @@
 mode: 0644
 register: rproxy_synchronise
 
- - name: Create html directory for letsencrypt
- file:
- path: "{{ service_home }}/.config/{{ service_user_name }}/html"
- state: directory
- mode: 0755
-
 - name: Generate Diffie Hellman ephemeral parameters
 command: openssl dhparam --out /{{ service_home }}/.config/{{ service_user_name}}/dhparam.pem 4096
 args:
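Review bot: The new `_data` directory is created with `mode: 0755`, yet it is the host side of `/etc/letsencrypt` in the certbot and nginx units, i.e. where the ACME account key and the certificate private keys will be stored. Certbot is expected to tighten its own subdirectories, but this task leaves the root world-traversable for every other local account; since the owner is already `{{ service_user_name }}`, who appears to run the rootless pod, `mode: 0700` costs nothing and should be used instead. This task also only creates an empty `_data`; if certificates currently live directly under `etc-letsencrypt/` (the old bind-mount target), nothing moves them and nginx will fail to find its certificate on the next start — worth a one-off migration step or a comment stating that the data already sits in `_data`. The task list continues on both sides of the hunk.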