uumas/ansible-podman
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: uumas:b030d671b53b748d45c47772eacef53a2be6b14a
Branches Tags
uumas:main uumas:pinp
...
compare: uumas:accd5ece14e647f3db1acc5f0c8b949bd1c1a151
Branches Tags
uumas:pinp uumas:main

7 Commits
b030d671b5 ... accd5ece14

Author SHA1 Message Date
uumas
accd5ece14 small improvements 2026-02-13 02:00:55 +02:00
uumas
58ff2f6217 service: Add support for native sockets for http 2026-02-13 02:00:44 +02:00
uumas
4079b69338 Add gitignore for release archives 2026-02-12 20:05:09 +02:00
uumas
c7e26555b7 v0.1.1 2026-02-12 20:04:38 +02:00
uumas
07925caa95 Rename runtime.yaml to runtime.yml 2026-02-12 20:02:12 +02:00
uumas
de707b4e71 service: Add support for mariadb 2026-02-12 20:01:52 +02:00
uumas
0ee8e9b254 Add support for container devices 2026-01-24 17:12:57 +02:00
23 changed files with 131 additions and 15 deletions
Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
uumas-podman-*.tar.gz

2
galaxy.yml
View File

@@ -3,7 +3,7 @@ namespace: uumas
name: podman name: podman
description: Roles for installing services in podman containers description: Roles for installing services in podman containers
readme: README.md readme: README.md
version: 0.1.0 version: 0.1.1
repository: "https://git.uumas.fi/uumas/ansible-podman" repository: "https://git.uumas.fi/uumas/ansible-podman"
license_file: LICENSE license_file: LICENSE
authors: authors:

0
meta/runtime.yaml → meta/runtime.yml
View File

1
roles/container/defaults/main.yaml
View File

@@ -3,6 +3,7 @@ container_command: []
container_entrypoint: "" container_entrypoint: ""
container_user: "" container_user: ""
container_mounts: [] container_mounts: []
container_devices: []
container_publish_ports: [] container_publish_ports: []
container_networks: [] container_networks: []
container_ip: "" container_ip: ""

15
roles/container/meta/argument_specs.yaml
View File

@@ -92,6 +92,21 @@ argument_specs:
required: false required: false
default: [] default: []
container_devices:
description: List of devices to be added inside the container.
type: list
required: false
default: []
elements: dict
options:
source:
description: Device path on host
type: str
required: true
destination:
description: Device path inside the container. Defaults to same as host.
type: str
required: false
container_publish_ports: container_publish_ports:
description: "A list of published ports in docker format (<host listen address>:<host port>:<container port>)" description: "A list of published ports in docker format (<host listen address>:<host port>:<container port>)"
type: list type: list

1
roles/container/tasks/main.yaml
View File

@@ -48,6 +48,7 @@
entrypoint: "{{ container_entrypoint or omit }}" entrypoint: "{{ container_entrypoint or omit }}"
user: "{{ container_user or omit }}" user: "{{ container_user or omit }}"
mount: "{{ _container_mounts | map('items') | map('map', 'join', '=') | map('join', ',') }}" mount: "{{ _container_mounts | map('items') | map('map', 'join', '=') | map('join', ',') }}"
device: "{{ _container_devices }}"
network: "{{ _container_networks_with_ip }}" network: "{{ _container_networks_with_ip }}"
publish: "{{ container_publish_ports }}" publish: "{{ container_publish_ports }}"
secrets: "{{ _container_secrets }}" secrets: "{{ _container_secrets }}"

19
roles/container/vars/main.yaml
View File

@@ -49,6 +49,25 @@ _container_mounts: >-
| zip(_container_volume_mount_sources) | map('combine') | zip(_container_volume_mount_sources) | map('combine')
}} }}
_container_devices_withdefaults: >-
{{
container_devices
| map(attribute='source')
| map('community.general.dict_kv', 'destination')
| zip(container_devices)
| map('combine')
}}
_container_devices: >-
{{
_container_devices_withdefaults
| map(attribute='source')
| zip(
_container_devices_withdefaults
| map(attribute='destination')
)
| map('join', ':')
}}
_container_secrets: >- _container_secrets: >-
{{ {{
container_secrets container_secrets

5
roles/example/tasks/main.yml
View File

@@ -1,5 +1,5 @@
--- ---
- name: Hello world container - name: Hello world service
ansible.builtin.import_role: ansible.builtin.import_role:
name: service name: service
vars: vars:
@@ -27,6 +27,9 @@
- network-online.target - network-online.target
service_container_env: service_container_env:
TZ: "Etc/UTC" TZ: "Etc/UTC"
DB_HOST: hello-world-db
DB_USER: hello-world
DB_PASSWORD__FILE: /run/secrets/postgres
service_additional_containers: service_additional_containers:
- name: worker - name: worker
# image: "docker.io/library/hello-world:latest" # image: "docker.io/library/hello-world:latest"

2
roles/network/tasks/main.yaml
View File

@@ -9,7 +9,7 @@
ip_range: "{{ network_range if network_range | length > 0 else omit }}" ip_range: "{{ network_range if network_range | length > 0 else omit }}"
quadlet_options: >- quadlet_options: >-
{{ {{
['Options=parent=' ~ ansible_default_ipv4.interface] ['Options=parent=' ~ ansible_facts.default_ipv4.interface]
if network_driver == 'macvlan' else [] if network_driver == 'macvlan' else []
}} }}
notify: Restart network service {{ network_name }} notify: Restart network service {{ network_name }}

1
roles/podman/tasks/main.yaml
View File

@@ -10,6 +10,7 @@
name: podman-auto-update.timer name: podman-auto-update.timer
state: started state: started
enabled: true enabled: true
ignore_errors: "{{ ansible_check_mode }}"
- name: Login to registries - name: Login to registries
containers.podman.podman_login: containers.podman.podman_login:

1
roles/service/defaults/main.yaml
View File

@@ -13,6 +13,7 @@ service_container_additional_networks: []
service_container_user: "" service_container_user: ""
service_container_publish_ports: [] service_container_publish_ports: []
service_container_mounts: [] service_container_mounts: []
service_container_devices: []
service_container_secrets: [] service_container_secrets: []
service_container_env: {} service_container_env: {}

7
roles/service/handlers/main.yaml
View File

@@ -1,4 +1,11 @@
--- ---
- name: Restart socket for {{ service_name }}
ansible.builtin.systemd_service:
name: "{{ service_name }}.socket"
state: restarted
daemon_reload: true
ignore_errors: '{{ ansible_check_mode }}'
- name: Restart socat socket for {{ service_name }} - name: Restart socat socket for {{ service_name }}
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
name: "{{ service_name }}-socat.socket" name: "{{ service_name }}-socat.socket"

22
roles/service/meta/argument_specs.yaml
View File

@@ -28,8 +28,10 @@ argument_specs:
elements: str elements: str
service_container_http_port: service_container_http_port:
description: description:
- Port inside the container where http requests will be proxied to. - Port inside the container where http requests are proxied to.
- Required if service_domains is not empty. - >-
If set to 0, /run/{{ service_name }}.sock on the host is bind mounted to /run/{{ service_name }}.sock inside the container
and http requests are proxied to it.
type: int type: int
required: false required: false
default: 0 default: 0
@@ -169,6 +171,21 @@ argument_specs:
elements: str elements: str
required: false required: false
default: [] default: []
service_container_devices:
description: List of devices to be added inside the service main container.
type: list
required: false
default: []
elements: dict
options:
source:
description: Device path on host
type: str
required: true
destination:
description: Device path inside the container. Defaults to same as host.
type: str
required: false
service_container_secrets: service_container_secrets:
description: description:
- > - >
@@ -236,6 +253,7 @@ argument_specs:
type: str type: str
choices: choices:
- postgres - postgres
- mariadb
- none - none
required: false required: false
default: none default: none

13
roles/service/tasks/database.yaml
View File

@@ -1,22 +1,23 @@
--- ---
- name: Incude variables for database {{ service_database_type }}
ansible.builtin.include_vars:
file: database/{{ service_database_type }}.yaml
- name: Database container for {{ service_name }} - name: Database container for {{ service_name }}
ansible.builtin.import_role: ansible.builtin.import_role:
name: container name: container
vars: vars:
container_name: "{{ service_name }}-{{ service_database_type }}" # This doesn't use _service_database_name to allow container role handlers to work container_name: "{{ service_name }}-{{ service_database_type }}" # This doesn't use _service_database_name to allow container role handlers to work
container_image: "{{ service_postgres_image }}:{{ service_postgres_tag }}" container_image: "{{ _service_database_image }}"
container_mounts: container_mounts:
- type: volume - type: volume
source: "{{ _service_database_name }}" source: "{{ _service_database_name }}"
destination: /var/lib/postgresql/data destination: "{{ _service_database_mount_destination }}"
container_networks: "{{ _service_database_networks }}" container_networks: "{{ _service_database_networks }}"
container_ip: >- container_ip: >-
{{ service_container_ip | ansible.utils.ipmath(1) if _service_static_ip else '' }} {{ service_container_ip | ansible.utils.ipmath(1) if _service_static_ip else '' }}
container_secrets: container_secrets:
- name: "{{ _service_database_name }}" - name: "{{ _service_database_name }}"
target: "{{ service_database_type }}" target: "{{ service_database_type }}"
container_env: container_env: "{{ _service_database_env }}"
POSTGRES_USER: "{{ service_name | replace('-', '_') }}"
POSTGRES_PASSWORD_FILE: "/run/secrets/{{ service_database_type }}"
POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
container_auto_update: "{{ service_auto_update }}" container_auto_update: "{{ service_auto_update }}"

5
roles/service/tasks/main.yaml
View File

@@ -22,6 +22,10 @@
ansible.builtin.include_tasks: additional.yaml ansible.builtin.include_tasks: additional.yaml
when: _service_additional_containers | length > 0 when: _service_additional_containers | length > 0
- name: Native socket for {{ service_name }}
ansible.builtin.include_tasks: native_socket.yaml
when: _service_native_socket
- name: Main container for {{ service_name }} - name: Main container for {{ service_name }}
ansible.builtin.import_role: ansible.builtin.import_role:
name: container name: container
@@ -32,6 +36,7 @@
container_entrypoint: "{{ service_container_entrypoint }}" container_entrypoint: "{{ service_container_entrypoint }}"
container_user: "{{ service_container_user }}" container_user: "{{ service_container_user }}"
container_mounts: "{{ _service_container_mounts }}" container_mounts: "{{ _service_container_mounts }}"
container_devices: "{{ service_container_devices }}"
container_publish_ports: "{{ service_container_publish_ports }}" container_publish_ports: "{{ service_container_publish_ports }}"
container_networks: "{{ _service_container_networks }}" container_networks: "{{ _service_container_networks }}"
container_ip: "{{ service_container_ip }}" container_ip: "{{ service_container_ip }}"

7
roles/service/tasks/native_socket.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Socket for {{ service_name }}
ansible.builtin.template:
src: service.socket.j2
dest: /etc/systemd/system/{{ service_name }}.socket
mode: "0644"
notify: Restart socket for {{ service_name }}

2
roles/service/tasks/proxy.yaml
View File

@@ -11,7 +11,7 @@
vhost_id: "{{ service_name }}" vhost_id: "{{ service_name }}"
vhost_domains: "{{ service_domains }}" vhost_domains: "{{ service_domains }}"
vhost_proxy_target_netproto: unix vhost_proxy_target_netproto: unix
vhost_proxy_target_socket: "/run/{{ service_name }}-socat.sock" vhost_proxy_target_socket: "{{ _service_socket_path }}"
vhost_proxy_headers: "{{ _service_proxy_headers }}" vhost_proxy_headers: "{{ _service_proxy_headers }}"
vhost_proxy_auth_socket: "{{ _service_oauth2_socket }}" vhost_proxy_auth_socket: "{{ _service_oauth2_socket }}"
vhost_proxy_auth_uri: /oauth2/auth vhost_proxy_auth_uri: /oauth2/auth

6
roles/service/templates/service.socket.j2 Normal file
View File

@@ -0,0 +1,6 @@
# {{ ansible_managed }}
[Unit]
Description={{ service_name }} socket
[Socket]
ListenStream=/run/{{ service_name }}.sock

8
roles/service/vars/database/mariadb.yaml Normal file
View File

@@ -0,0 +1,8 @@
---
_service_database_image: docker.io/library/mariadb:lts
_service_database_mount_destination: /var/lib/mysql
_service_database_env:
MARIADB_RANDOM_ROOT_PASSWORD: "1"
MARIADB_USER: "{{ service_name | replace('-', '_') }}"
MARIADB_DATABASE: "{{ service_name | replace('-', '_') }}"
MARIADB_PASSWORD_FILE: "/run/secrets/{{ service_database_type }}"

7
roles/service/vars/database/postgres.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
_service_database_image: "{{ service_postgres_image }}:{{ service_postgres_tag }}"
_service_database_mount_destination: /var/lib/postgresql/data
_service_database_env:
POSTGRES_USER: "{{ service_name | replace('-', '_') }}"
POSTGRES_PASSWORD_FILE: "/run/secrets/{{ service_database_type }}"
POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"

5
roles/service/vars/main/general.yaml
View File

@@ -5,8 +5,9 @@ _service_static_ip: "{{ service_container_ip | length > 0 }}"
_service_container_requires: >- _service_container_requires: >-
{{ {{
service_requires service_requires
+ ([_service_database_name + '.service'] if _service_setup_database else []) + ([_service_database_name ~ '.service'] if _service_setup_database else [])
+ ([service_name + '-redis.service'] if service_redis else []) + ([service_name ~ '-redis.service'] if service_redis else [])
+ ([service_name ~ '.socket'] if _service_native_socket else [])
}} }}
_service_container_wants: >- _service_container_wants: >-
{{ {{

11
roles/service/vars/main/mounts.yaml
View File

@@ -1,4 +1,9 @@
--- ---
_service_container_socket_mount:
type: bind
source: /run/{{ service_name }}
destination: /run/{{ service_name }}
_service_volume_mounts: "{{ service_container_mounts | selectattr('type', '==', 'volume') }}" _service_volume_mounts: "{{ service_container_mounts | selectattr('type', '==', 'volume') }}"
_service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') }}" _service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') }}"
_service_copy_mounts: "{{ service_container_mounts | selectattr('type', '==', 'copy') }}" _service_copy_mounts: "{{ service_container_mounts | selectattr('type', '==', 'copy') }}"
@@ -15,7 +20,11 @@ _service_container_volume_mounts: >-
) | ) |
map('combine') map('combine')
}} }}
_service_container_bind_mounts: "{{ service_container_mounts | selectattr('type', '==', 'bind') }}" _service_container_bind_mounts: >-
{{
service_container_mounts | selectattr('type', '==', 'bind') +
([ _service_container_socket_mount ] if _service_native_socket else [])
}}
_service_container_template_mounts: >- _service_container_template_mounts: >-
{{ {{
([{'readonly': true}] * _service_template_mounts | length) | ([{'readonly': true}] * _service_template_mounts | length) |

5
roles/service/vars/main/proxy.yaml
View File

@@ -1,4 +1,9 @@
--- ---
_service_native_socket: "{{ service_domains | length > 0 and service_container_http_port == 0 }}"
_service_socket_path: >-
/run/{{ service_name ~ ('-socat' if not _service_native_socket else '' ) }}.sock
_service_replacement_host_header: _service_replacement_host_header:
Host: "{{ service_name }}:{{ service_container_http_port }}" Host: "{{ service_name }}:{{ service_container_http_port }}"
_service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}" _service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}"