feat(role): add standalone saiblog role

2025-01-20 00:17:53 +01:00 · 2025-01-20 00:17:53 +01:00 · 86e585eb10
commit 86e585eb10
parent a160541b04
7 changed files with 169 additions and 0 deletions
--- a/playbooks/saiblog.yml
+++ b/playbooks/saiblog.yml
@ -0,0 +1,17 @@
 - name: Install Saiblog.
  hosts: saiblog
  roles:
    - role: podman
      become: true
      tags:
        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: saiblog
      become: true
--- a/roles/saiblog/defaults/main.yml
+++ b/roles/saiblog/defaults/main.yml
@ -0,0 +1,13 @@
 saiblog_install_dir: "/opt/saiblog"
 saiblog_domain: saibotk.de
 saiblog_containerimage: git.sipsofcode.dev/saibotk-de/saiblog
 # renovate: depName=git.sipsofcode.dev/saibotk-de/saiblog
 saiblog_image_tag: "latest"
 saiblog_selinux_level: "{{ omit }}"
 saiblog_memory_low: 32m
 saiblog_memory_high: 0
 saiblog_swap_max: -1
--- a/roles/saiblog/handlers/main.yml
+++ b/roles/saiblog/handlers/main.yml
@ -0,0 +1,9 @@
 - name: Restart saiblog service.
  ansible.builtin.systemd:
    state: restarted
    name: saiblog.service
    daemon_reload: true
  become: true
  listen:
    - "saiblog service changed"
    - "saiblog selinux context changed"
--- a/roles/saiblog/meta/main.yml
+++ b/roles/saiblog/meta/main.yml
@ -0,0 +1,20 @@
 galaxy_info:
  author: saibotk
  description: Deploy saiblog with podman and systemd.
  issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
  license: GPL-3.0-only
  min_ansible_version: "2.10"
  platforms:
    - name: Fedora
      versions:
        - "41"
  standalone: true
  galaxy_tags: []
 dependencies: []
--- a/roles/saiblog/tasks/main.yml
+++ b/roles/saiblog/tasks/main.yml
@ -0,0 +1,51 @@
 - name: Create saiblog directories.
  ansible.builtin.file:
    path: "{{ saiblog_install_dir }}"
    owner: "root"
    group: "root"
    mode: "0700"
    state: directory
  become: true
 - name: Add caddy config file.
  block:
    - name: Check caddy config dir.
      ansible.builtin.stat:
        path: "{{ caddy_install_dir }}/config"
      become: true
      register: caddy_stat_config_dir
    - name: Template caddy config for saiblog.
      ansible.builtin.template:
        src: saiblog.caddy.j2
        dest: "{{ caddy_install_dir }}/config/saiblog.caddy"
        mode: "0600"
        setype: "container_file_t"
        selevel: "{{ caddy_selinux_level }}"
        owner: "{{ caddy_stat_config_dir.stat.uid }}"
        group: "{{ caddy_stat_config_dir.stat.gid }}"
      notify: "caddy config changed"
      become: true
 - name: Create saiblog container file.
  ansible.builtin.template:
    src: saiblog.container.j2
    dest: /etc/containers/systemd/saiblog.container
    owner: "root"
    group: "root"
    mode: "0644"
  become: true
  notify: "saiblog service changed"
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers
 - name: Ensure saiblog services are started and enabled.
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: "{{ item }}"
    daemon_reload: true
  loop:
    - saiblog.service
  become: true
--- a/roles/saiblog/templates/saiblog.caddy.j2
+++ b/roles/saiblog/templates/saiblog.caddy.j2
@ -0,0 +1,24 @@
 {{ ansible_managed | comment }}
 {{ saiblog_domain }} {
    encode gzip
    header {
        # enable HSTS
        Strict-Transport-Security "max-age=31536000; preload;"
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade
        # Server name removing
        -Server
    }
    reverse_proxy saiblog:8080
 }
--- a/roles/saiblog/templates/saiblog.container.j2
+++ b/roles/saiblog/templates/saiblog.container.j2
@ -0,0 +1,35 @@
 {{ ansible_managed | comment }}
 [Unit]
 Description = Saiblog
 [Service]
 Restart = always
 RestartSec = 5s
 [Container]
 Image = {{ saiblog_containerimage }}:{{ saiblog_image_tag }}
 ContainerName = saiblog
 # AutoUpdate = registry
 LogDriver = journald
 ReadOnly = true
 NoNewPrivileges = true
 DropCapability = all
 UserNS = auto:size=65535
 {% if saiblog_selinux_level != omit %}
 SecurityLabelLevel = {{ saiblog_selinux_level }}
 {% endif %}
 Network = caddy.network
 Tmpfs = /var/cache/nginx:rw,noexec,nosuid,nodev,size=74m
 Tmpfs = /tmp:rw,noexec,nosuid,nodev,size=8m
 PodmanArgs = --memory={{ saiblog_memory_high }}
 PodmanArgs = --memory-swap={{ saiblog_swap_max }}
 PodmanArgs = --memory-reservation={{ saiblog_memory_low }}
 [Install]
 WantedBy = default.target