feat(role): add standalone saiblog role

2025-01-20 00:17:53 +01:00 · 2025-01-20 00:17:53 +01:00 · 86e585eb10
commit 86e585eb10
parent a160541b04
7 changed files with 169 additions and 0 deletions
--- a/playbooks/saiblog.yml
+++ b/playbooks/saiblog.yml
@ -0,0 +1,17 @@
+- name: Install Saiblog.
+
+  hosts: saiblog
+
+  roles:
+    - role: podman
+      become: true
+      tags:
+        - always
+        - podman
+    - role: caddy
+      become: true
+      tags:
+        - always
+        - caddy
+    - role: saiblog
+      become: true
--- a/roles/saiblog/defaults/main.yml
+++ b/roles/saiblog/defaults/main.yml
@ -0,0 +1,13 @@
+saiblog_install_dir: "/opt/saiblog"
+
+saiblog_domain: saibotk.de
+
+saiblog_containerimage: git.sipsofcode.dev/saibotk-de/saiblog
+# renovate: depName=git.sipsofcode.dev/saibotk-de/saiblog
+saiblog_image_tag: "latest"
+
+saiblog_selinux_level: "{{ omit }}"
+
+saiblog_memory_low: 32m
+saiblog_memory_high: 0
+saiblog_swap_max: -1
--- a/roles/saiblog/handlers/main.yml
+++ b/roles/saiblog/handlers/main.yml
@ -0,0 +1,9 @@
+- name: Restart saiblog service.
+  ansible.builtin.systemd:
+    state: restarted
+    name: saiblog.service
+    daemon_reload: true
+  become: true
+  listen:
+    - "saiblog service changed"
+    - "saiblog selinux context changed"
--- a/roles/saiblog/meta/main.yml
+++ b/roles/saiblog/meta/main.yml
@ -0,0 +1,20 @@
+galaxy_info:
+  author: saibotk
+  description: Deploy saiblog with podman and systemd.
+
+  issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
+
+  license: GPL-3.0-only
+
+  min_ansible_version: "2.10"
+
+  platforms:
+    - name: Fedora
+      versions:
+        - "41"
+
+  standalone: true
+
+  galaxy_tags: []
+
+dependencies: []
--- a/roles/saiblog/tasks/main.yml
+++ b/roles/saiblog/tasks/main.yml
@ -0,0 +1,51 @@
+- name: Create saiblog directories.
+  ansible.builtin.file:
+    path: "{{ saiblog_install_dir }}"
+    owner: "root"
+    group: "root"
+    mode: "0700"
+    state: directory
+  become: true
+
+- name: Add caddy config file.
+  block:
+    - name: Check caddy config dir.
+      ansible.builtin.stat:
+        path: "{{ caddy_install_dir }}/config"
+      become: true
+      register: caddy_stat_config_dir
+
+    - name: Template caddy config for saiblog.
+      ansible.builtin.template:
+        src: saiblog.caddy.j2
+        dest: "{{ caddy_install_dir }}/config/saiblog.caddy"
+        mode: "0600"
+        setype: "container_file_t"
+        selevel: "{{ caddy_selinux_level }}"
+        owner: "{{ caddy_stat_config_dir.stat.uid }}"
+        group: "{{ caddy_stat_config_dir.stat.gid }}"
+      notify: "caddy config changed"
+      become: true
+
+- name: Create saiblog container file.
+  ansible.builtin.template:
+    src: saiblog.container.j2
+    dest: /etc/containers/systemd/saiblog.container
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "saiblog service changed"
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure saiblog services are started and enabled.
+  ansible.builtin.systemd:
+    state: started
+    enabled: true
+    name: "{{ item }}"
+    daemon_reload: true
+  loop:
+    - saiblog.service
+  become: true
--- a/roles/saiblog/templates/saiblog.caddy.j2
+++ b/roles/saiblog/templates/saiblog.caddy.j2
@ -0,0 +1,24 @@
+{{ ansible_managed | comment }}
+
+{{ saiblog_domain }} {
+    encode gzip
+
+    header {
+        # enable HSTS
+        Strict-Transport-Security "max-age=31536000; preload;"
+
+        # disable clients from sniffing the media type
+        X-Content-Type-Options nosniff
+
+        # clickjacking protection
+        X-Frame-Options DENY
+
+        # keep referrer data off of HTTP connections
+        Referrer-Policy no-referrer-when-downgrade
+
+        # Server name removing
+        -Server
+    }
+
+    reverse_proxy saiblog:8080
+}
--- a/roles/saiblog/templates/saiblog.container.j2
+++ b/roles/saiblog/templates/saiblog.container.j2
@ -0,0 +1,35 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description = Saiblog
+
+[Service]
+Restart = always
+RestartSec = 5s
+
+[Container]
+Image = {{ saiblog_containerimage }}:{{ saiblog_image_tag }}
+ContainerName = saiblog
+
+# AutoUpdate = registry
+LogDriver = journald
+
+ReadOnly = true
+NoNewPrivileges = true
+DropCapability = all
+UserNS = auto:size=65535
+{% if saiblog_selinux_level != omit %}
+SecurityLabelLevel = {{ saiblog_selinux_level }}
+{% endif %}
+
+Network = caddy.network
+
+Tmpfs = /var/cache/nginx:rw,noexec,nosuid,nodev,size=74m
+Tmpfs = /tmp:rw,noexec,nosuid,nodev,size=8m
+
+PodmanArgs = --memory={{ saiblog_memory_high }}
+PodmanArgs = --memory-swap={{ saiblog_swap_max }}
+PodmanArgs = --memory-reservation={{ saiblog_memory_low }}
+
+[Install]
+WantedBy = default.target