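- name: Create system user for {{ service_name }}
  # System account with a real home directory, because the per-user podman
  # and systemd configuration below lives under {{ service_home }}.
  user:
    name: "{{ service_user_name }}"
    create_home: true
    home: "{{ service_home }}"
    system: true
  # user_create gates the one-time setup steps (subordinate IDs, lingering)
  # that must only run when the account was actually created.
  register: user_create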
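- name: Set default shell for {{ service_user_name }}
  # Only the rproxy service account keeps a (restricted) interactive shell;
  # every other service account gets nologin and cannot open a session.
  user:
    name: "{{ service_user_name }}"
    shell: "{{ '/usr/bin/rbash' if service_name=='rproxy' else '/usr/sbin/nologin' }}"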
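- name: Ensure the home directory belongs to the user {{ service_user_name }}
  # Recursively hand the whole home tree to the service account so files
  # dropped there by root (templates, unit files) stay readable by the user.
  file:
    path: "{{ service_home }}"
    state: directory
    owner: "{{ service_user_name }}"
    group: "{{ service_user_name }}"
    recurse: true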
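- name: Configure subuids and subgids for user {{ service_user_name }}
  # Allocate a fresh 65536-wide subordinate ID range starting above the END
  # of every range already recorded (start + count), not just above the last
  # line's start: /etc/subuid is not guaranteed to be sorted or to use
  # uniform range sizes, and overlapping ranges would let two rootless users'
  # containers share host UIDs/GIDs. An empty file yields 65536, as before.
  shell: |
    NEW_SUBUID=$(awk -F ':' 'BEGIN { max = 65536 } { end = $2 + $3; if (end > max) max = end } END { print max }' /etc/subuid)
    NEW_SUBGID=$(awk -F ':' 'BEGIN { max = 65536 } { end = $2 + $3; if (end > max) max = end } END { print max }' /etc/subgid)
    usermod --add-subuids "${NEW_SUBUID}-$((NEW_SUBUID + 65535))" \
            --add-subgids "${NEW_SUBGID}-$((NEW_SUBGID + 65535))" \
            "{{ service_user_name }}"
  # usermod appends a range every time it runs, so only do this once.
  when: user_create is changed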
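- name: Ensure XDG_RUNTIME_DIR is set for user {{ service_user_name }}
  # lineinfile is idempotent (the line is added at most once), so no
  # user_create guard is needed, and it avoids the portability trap of
  # echo '\n...' under /bin/sh (bash's builtin echo writes the backslash
  # literally, leaving a broken "\nexport ..." line in .bashrc).
  # $(id -u) is deliberately kept literal so it expands at login time.
  lineinfile:
    path: "{{ service_home }}/.bashrc"
    line: 'export XDG_RUNTIME_DIR=/run/user/$(id -u)'
    create: true
    owner: "{{ service_user_name }}"
    group: "{{ service_user_name }}"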
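- name: Enable lingering for user {{ service_user_name }}
  # Lingering keeps the per-user systemd instance (and the podman timers
  # enabled below) running without an open login session. The argv form
  # passes the templated user name as one argument instead of letting the
  # command module word-split it.
  command:
    argv:
      - loginctl
      - enable-linger
      - "{{ service_user_name }}"
  when: user_create is changed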
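- name: Create container directory for user {{ service_user_name }}
  # Per-host, per-user container storage root. Mode is quoted so the YAML
  # parser cannot reinterpret the octal literal.
  file:
    path: "/var/lib/{{ ansible_hostname }}/containers/{{ service_user_name }}"
    state: directory
    owner: "{{ service_user_name }}"
    group: "{{ service_user_name }}"
    mode: "0755"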
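- name: Create volume data directory for user {{ service_user_name }}
  # Per-host, per-user volume data root, owned by the service account.
  file:
    path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
    state: directory
    owner: "{{ service_user_name }}"
    group: "{{ service_user_name }}"
    mode: "0755"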
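# Everything in this block runs as the service account itself (become_user
# at the end of the block), so files land with the user's ownership and the
# systemd calls target the user's own instance (scope: user).
- block:
    - name: Create configuration directory for user {{ service_user_name }}
      file:
        path: "{{ service_home }}/.config"
        state: directory
        mode: "0755"

    - name: Create container configuration directory for user {{ service_user_name }}
      file:
        path: "{{ service_home }}/.config/containers"
        state: directory
        mode: "0755"

    - name: Configure storage.conf for user {{ service_user_name }}
      template:
        src: "./filesystem/common/var/lib/_hostname/home/_service_user_name/.config/containers/storage.conf.j2"
        dest: "{{ service_home }}/.config/containers/storage.conf"
        mode: "0644"
      # Feeds the podman reset below: storage layout changes need a reset.
      register: user_containers_storage

    - name: Configure containers.conf for user {{ service_user_name }}
      template:
        src: "./filesystem/common/var/lib/_hostname/home/_service_user_name/.config/containers/containers.conf.j2"
        dest: "{{ service_home }}/.config/containers/containers.conf"
        mode: "0644"
      register: user_containers_containers

    - name: Reset podman
      # Destructive: wipes this user's containers, images and volumes. It is
      # only triggered when one of the two config files above actually
      # changed; `yes |` answers the interactive confirmation prompt.
      shell: "cd $HOME; yes | podman system reset"
      # Folded scalar: the two conditions are OR-ed. A YAML list here would
      # AND them instead.
      when: >-
        user_containers_storage is changed or
        user_containers_containers is changed

    - name: Create systemd directory for user {{ service_user_name }}
      file:
        path: "{{ service_home }}/.config/systemd"
        state: directory
        mode: "0755"

    - name: Create systemd service directory for user {{ service_user_name }}
      file:
        path: "{{ service_home }}/.config/systemd/user"
        state: directory
        mode: "0755"

    - name: Copy systemd auto-update service for user {{ service_user_name }}
      # The distro's system-wide unit is reused as a user unit (remote_src:
      # the source is read on the managed host, not the controller).
      copy:
        src: "/usr/lib/systemd/system/podman-auto-update.service"
        dest: "{{ service_home }}/.config/systemd/user/podman-auto-update.service"
        remote_src: true
      register: user_systemd_podman_auto_update_service_file

    - name: Copy systemd auto-update timer for user {{ service_user_name }}
      copy:
        src: "/usr/lib/systemd/system/podman-auto-update.timer"
        dest: "{{ service_home }}/.config/systemd/user/podman-auto-update.timer"
        remote_src: true
      register: user_systemd_podman_auto_update_timer_file

    - name: Copy systemd image prune service for user {{ service_user_name }}
      copy:
        src: "./filesystem/common/var/lib/_hostname/home/_service_user_name/.config/systemd/user/podman-image-prune.service"
        dest: "{{ service_home }}/.config/systemd/user/podman-image-prune.service"
      register: user_systemd_podman_image_prune_service_file

    - name: Copy systemd image prune timer for user {{ service_user_name }}
      copy:
        src: "./filesystem/common/var/lib/_hostname/home/_service_user_name/.config/systemd/user/podman-image-prune.timer"
        dest: "{{ service_home }}/.config/systemd/user/podman-image-prune.timer"
      register: user_systemd_podman_image_prune_timer_file

    - name: SystemD daemon reload
      # Reload the user's systemd instance only when one of the four unit
      # files above was (re)written.
      systemd:
        daemon_reload: true
        scope: user
      when: >-
        user_systemd_podman_auto_update_service_file is changed or
        user_systemd_podman_auto_update_timer_file is changed or
        user_systemd_podman_image_prune_service_file is changed or
        user_systemd_podman_image_prune_timer_file is changed

    - name: Enable podman auto-update
      systemd:
        name: podman-auto-update.timer
        enabled: true
        state: started
        scope: user

    - name: Enable podman image prune
      systemd:
        name: podman-image-prune.timer
        enabled: true
        state: started
        scope: user

  become_user: "{{ service_user_name }}"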