[First commit with podman setup]

2026-01-20 20:29:05 +01:00
parent 151eba6ffd
commit 7f760cf4a6
15 changed files with 262 additions and 294 deletions
--- a/podman.yml
+++ b/podman.yml
@@ -0,0 +1,138 @@
+- hosts: localtest
+  become: true
+  vars:
+    #! SECRETS
+    # vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
+    # bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
+    # bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
+    # bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
+    # user_mail: "{{ lookup('env', 'mail') }}"
+    # user: "{{ lookup('env', 'username') }}"
+    # # Token full access gitea
+    # bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"
+    #! PODS
+    # podman_registries_conf:
+    #   aliases:
+    #     myregistry: quay.io
+    # podman_registry_username: test
+    # podman_registry_password: test
+    podman_create_host_directories: true
+    # podman_firewall:
+    #   - port: 8080-8081/tcp
+    #     state: enabled
+    #   - port: 12340/tcp
+    #     state: enabled
+    # podman_selinux_ports:
+    #   - ports: 8080-8081
+    #     setype: http_port_t
+    podman_kube_specs:
+      - state: started
+        run_as_user: bot
+        run_as_group: bot
+        kube_file_content:
+          apiVersion: v1
+          kind: Pod
+          metadata:
+            name: db
+          spec:
+            containers:
+              - name: db
+                image: docker.io/mysql:9
+                ports:
+                  - containerPort: 1234
+                    hostPort: 12340
+                volumeMounts:
+                  - mountPath: /var/lib/db:Z
+                    name: db
+            volumes:
+              - name: db
+                hostPath:
+                  path: /var/lib/db
+    # podman_secrets:
+    #   - name: mysql-root-password-container
+    #     state: present
+    #     skip_existing: true
+    #     data: "{{ root_password_from_vault }}"
+    #   - name: mysql-root-password-kube
+    #     state: present
+    #     skip_existing: true
+    #     data: |
+    #       apiVersion: v1
+    #       data:
+    #         password: "{{ root_password_from_vault | b64encode }}"
+    #       kind: Secret
+    #       metadata:
+    #         name: mysql-root-password-kube
+    #   - name: envoy-certificates
+    #     state: present
+    #     skip_existing: true
+    #     data: |
+    #       apiVersion: v1
+    #       data:
+    #         certificate.key: {{ key_from_vault | b64encode }}
+    #         certificate.pem: {{ cert_from_vault | b64encode }}
+    #       kind: Secret
+    #       metadata:
+    #         name: envoy-certificates
+      # - state: started
+      #   run_as_user: webapp
+      #   run_as_group: webapp
+      #   kube_file_src: /path/to/webapp.yml
+
+#! SECRETS
+  pre_tasks:
+    - name: Install Bitwarden CLI
+      ansible.builtin.command:
+        cmd: "{{ item }}"
+      delegate_to: localhost
+      loop: 
+        - apk add --no-cache nodejs npm
+        - npm install -g @bitwarden/cli 
+
+    - ansible.builtin.command:
+        cmd: bw logout
+      delegate_to: localhost
+      ignore_errors: true
+
+    - name: bitwarden token session 
+      ansible.builtin.shell: "{{ item }}"
+      environment:
+        BW_CLIENTID: "{{ bw_client_id }}"
+        BW_CLIENTSECRET: "{{ bw_client_secret }}"
+        BW_PASSWORD: "{{ bw_client_password }}"
+      loop:
+        - bw config server {{ vaultwarden_url }}
+        - bw login --apikey
+        - bw unlock --passwordenv BW_PASSWORD --raw
+      delegate_to: localhost
+      register: bw_session_result
+
+    - name: Get secret from Bitwarden
+      command:
+        argv:
+          - bw
+          - get
+          - password
+          - "{{ bw_requested_password_id }}"
+          - --session
+          - "{{ bw_session_result.results[-1].stdout | trim }}"
+      delegate_to: localhost
+      register: gitea_token_result
+      no_log: true
+      changed_when: false
+
+    # - name: Return all secrets from a path
+    #   ansible.builtin.debug: 
+    #     msg: "{{ gitea_token_result.stdout }}"
+    #   delegate_to: localhost
+
+    - ansible.builtin.set_fact:
+        gitea_token : "{{ gitea_token_result.stdout | trim }}"
+      no_log: true
+      delegate_to: localhost
+
+#! ROLES
+  roles:
+    #! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers
+    #! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node. 
+    - name: linux-system-roles.podman