diff --git a/playbooks/teamspeak.yml b/playbooks/teamspeak.yml
index a044ee2..96ad08e 100644
--- a/playbooks/teamspeak.yml
+++ b/playbooks/teamspeak.yml
@@ -1,24 +1,12 @@
----
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+- name: Install teamspeak3 server.
-- name: Install & configure Teamspeak
hosts: teamspeak
+
roles:
- - docker
- - docker_cleanup
- - traefik
- - teamspeak
+ - role: podman
+ become: true
+ tags:
+ - always
+ - podman
+ - role: teamspeak
+ become: true
diff --git a/roles/teamspeak/README.md b/roles/teamspeak/README.md
deleted file mode 100644
index f9c95f5..0000000
--- a/roles/teamspeak/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-Teamspeak
-=========
-
-This will setup a Teamspeak 3 server using their official docker container.
-
-Requirements
-------------
-
-You will need to have docker, docker-compose and, if using a redirection, traefik installed or declared as dependencies with their respective roles.
-
-**This role assumes that, if using the redirect setup, you have setup traefik with an endpoint called `websecure`.**
-
-Role Variables
---------------
-
-**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
-
-**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
-
-### Global variables, that are used:
-**Only needed with an enabled redirect and traefik:**
-
-- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
-- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
-
-Dependencies
-------------
-
-- docker
-- docker-compose
-- traefik (optional, needed when using the redirect)
-
-License
--------
-
-GPL-3.0-only
diff --git a/roles/teamspeak/defaults/main.yml b/roles/teamspeak/defaults/main.yml
index 913b03b..e7077b8 100644
--- a/roles/teamspeak/defaults/main.yml
+++ b/roles/teamspeak/defaults/main.yml
@@ -1,50 +1,17 @@
----
-# Default variables for the teamspeak role
+teamspeak_install_dir: "/srv/teamspeak"
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-# The install locations
-teamspeak_install_location: /srv/teamspeak
-teamspeak_data_location: "{{ teamspeak_install_location }}/data"
-
-# The docker image and version to use
-teamspeak_baseimage: docker.io/library/teamspeak
+teamspeak_containerimage: docker.io/library/teamspeak
# renovate: depName=docker.io/library/teamspeak
-teamspeak_version: 3.13.7
-teamspeak_image_version: "{{ teamspeak_version }}"
+teamspeak_image_tag: "3.13.7"
-# The SELinux level that should be applied to the container/data folder (default is omit and it will be unset)
teamspeak_selinux_level: "{{ omit }}"
-# The teamspeak ports that are exposed on the host (you still need to open the ports!)
+teamspeak_memory_low: 100m
+teamspeak_memory_high: 0
+teamspeak_swap_max: -1
+
teamspeak_voice_port: 9987
-teamspeak_file_port: 10011
-teamspeak_other_port: 30033
+teamspeak_filetransfer_port: 30033
-# Should a ts3server:// style redirect be enabled on the domain?
-teamspeak_traefik_redirect_enabled: false
-
-# The certresolver for traefik to use on this domain (only needed when the redirect is enabled)
-teamspeak_traefik_certresolver: letsencrypt_http
-
-# The domain under which the redirect should be applied (only needed when the redirect is enabled)
-teamspeak_traefik_domain: ts.example.com
-
-# IPv6 ULA config for the bridge network used by docker-ipv6-nat
-teamspeak_ipv6:
- enabled: false
- subnet: "fd9e:21a7:a92c:2323::/64"
+teamspeak_environment_vars:
+ TS3SERVER_LICENSE: accept
diff --git a/roles/teamspeak/handlers/main.yml b/roles/teamspeak/handlers/main.yml
new file mode 100644
index 0000000..10c1f17
--- /dev/null
+++ b/roles/teamspeak/handlers/main.yml
@@ -0,0 +1,14 @@
+- name: Apply new SELinux file context to filesystem.
+ ansible.builtin.command: "restorecon -irF {{ teamspeak_install_dir }}"
+ become: true
+ listen: "teamspeak selinux context changed"
+
+- name: Restart teamspeak service.
+ ansible.builtin.systemd:
+ state: restarted
+ name: teamspeak.service
+ daemon_reload: true
+ become: true
+ listen:
+ - "teamspeak service changed"
+ - "teamspeak selinux context changed"
diff --git a/roles/teamspeak/meta/main.yml b/roles/teamspeak/meta/main.yml
index e9647b9..3f90f1a 100644
--- a/roles/teamspeak/meta/main.yml
+++ b/roles/teamspeak/meta/main.yml
@@ -1,43 +1,21 @@
galaxy_info:
- author: saibotk
- description: "Deploys a teamspeak 3 server via docker."
+ author: histalek
+ description: Deploy teamspeak service with podman and systemd.
+
+ issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
+
license: GPL-3.0-only
- min_ansible_version: "2.9"
- standalone: true
+
+ min_ansible_version: "2.10"
platforms:
- - name: EL
- versions:
- - all
- - name: GenericUNIX
- versions:
- - all
- name: Fedora
versions:
- - all
- - name: opensuse
- versions:
- - all
- - name: GenericBSD
- versions:
- - all
- - name: FreeBSD
- versions:
- - all
- - name: Ubuntu
- versions:
- - all
- - name: SLES
- versions:
- - all
- - name: GenericLinux
- versions:
- - all
- - name: Debian
- versions:
- - all
+ - "39"
+ - "40"
+
+ standalone: true
galaxy_tags: []
-dependencies:
- - role: docker
+dependencies: []
diff --git a/roles/teamspeak/tasks/main.yml b/roles/teamspeak/tasks/main.yml
index 2e307d5..5bee0d9 100644
--- a/roles/teamspeak/tasks/main.yml
+++ b/roles/teamspeak/tasks/main.yml
@@ -1,77 +1,73 @@
----
-# Tasks file for the teamspeak role
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-- name: Update default SELinux contexts
+- name: Update default SELinux contexts.
community.general.sefcontext:
- target: "{{ item }}(/.*)?"
+ target: "{{ teamspeak_install_dir }}/data(/.*)?"
setype: "container_file_t"
selevel: "{{ teamspeak_selinux_level }}"
state: present
- with_items:
- - "{{ teamspeak_data_location }}"
become: true
+ notify: "teamspeak selinux context changed"
-- name: Create install directory
+- name: Create teamspeak install directory.
ansible.builtin.file:
- path: "{{ item }}"
+ path: "{{ teamspeak_install_dir }}"
+ owner: "root"
+ group: "root"
state: directory
mode: "0700"
- owner: "root"
- group: "root"
- with_items:
- - "{{ teamspeak_install_location }}"
- tags:
- - teamspeak
become: true
-- name: Create data directory
- ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
- path: "{{ item }}"
- state: directory
- setype: "container_file_t"
- selevel: "{{ teamspeak_selinux_level }}"
- with_items:
- - "{{ teamspeak_data_location }}"
- tags:
- - teamspeak
+- name: Ensure teamspeak data directory exists.
+ block:
+ - name: Check teamspeak data directory path.
+ ansible.builtin.stat:
+ path: "{{ teamspeak_install_dir }}/data"
+ become: true
+ register: teamspeak_stat_data_dir
+ - name: Create teamspeak data directory.
+ ansible.builtin.file:
+ path: "{{ teamspeak_install_dir }}/data"
+ owner: "{{ teamspeak_stat_data_dir.stat.uid | default('root') }}"
+ group: "{{ teamspeak_stat_data_dir.stat.gid | default('root') }}"
+ state: directory
+ mode: "0700"
+ become: true
+
+- name: Open teamspeak ports.
+ ansible.posix.firewalld:
+ state: enabled
+ permanent: true
+ immediate: true
+ zone: public
+ port: "{{ item }}"
+ loop:
+ - "{{ teamspeak_voice_port }}/udp"
+ - "{{ teamspeak_filetransfer_port }}/tcp"
become: true
-- name: Deploy docker-compose.yml
- ansible.builtin.template:
- src: docker-compose.yml
- dest: "{{ teamspeak_install_location }}/docker-compose.yml"
- mode: "0600"
- owner: "root"
- group: "root"
- validate: docker compose -f %s config -q
- tags:
- - docker
- - teamspeak
- become: true
-
-- name: Compose teamspeak
- community.docker.docker_compose_v2:
+- name: Ensure container image is present on the host.
+ containers.podman.podman_image:
+ name: "{{ teamspeak_containerimage }}"
state: present
- project_src: "{{ teamspeak_install_location }}"
- pull: always
- remove_orphans: true
- tags:
- - docker
- - teamspeak
+ tag: "{{ teamspeak_image_tag }}"
+ become: true
+
+- name: Create teamspeak container file.
+ ansible.builtin.template:
+ src: teamspeak.container.j2
+ dest: "/etc/containers/systemd/teamspeak.container"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ become: true
+ notify: "teamspeak service changed"
+
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- name: Ensure teamspeak service is started.
+ ansible.builtin.systemd:
+ state: started
+ enabled: true
+ name: teamspeak.service
+ daemon_reload: true
become: true
diff --git a/roles/teamspeak/templates/docker-compose.yml b/roles/teamspeak/templates/docker-compose.yml
deleted file mode 100644
index e2a742b..0000000
--- a/roles/teamspeak/templates/docker-compose.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{ ansible_managed | comment }}
-
-# Infrastructure
-# Ansible instructions to deploy the infrastructure
-# Copyright (C) 2020 Saibotk
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-version: '2.1'
-services:
- teamspeak:
- image: {{ teamspeak_baseimage }}:{{ teamspeak_image_version }}
- mem_limit: 100mb
- memswap_limit: 128mb
- security_opt:
- - no-new-privileges
-{% if teamspeak_selinux_level != omit %}
- - label=level:{{ teamspeak_selinux_level }}
-{% endif %}
- restart: always
- ports:
- - "0.0.0.0:{{ teamspeak_voice_port }}:9987/udp"
- - "0.0.0.0:{{ teamspeak_file_port }}:10011"
- - "0.0.0.0:{{ teamspeak_other_port }}:30033"
- volumes:
- - "{{ teamspeak_data_location }}:/var/ts3server/"
- environment:
- TS3SERVER_LICENSE: accept
- labels:
-{% if teamspeak_traefik_redirect_enabled %}
- - "traefik.enable=true"
- - "traefik.http.routers.teamspeak.rule=Host(`{{ teamspeak_traefik_domain }}`)"
- - "traefik.http.routers.teamspeak.entrypoints=websecure"
- - "traefik.http.routers.teamspeak.middlewares=ts3server-redirect"
- - "traefik.http.routers.teamspeak.tls.certresolver={{ teamspeak_traefik_certresolver }}"
- - "traefik.http.middlewares.ts3server-redirect.redirectscheme.scheme=ts3server"
-{% endif %}
- networks:
- teamspeak_network:
-
-networks:
- teamspeak_network:
- driver: bridge
-{% if teamspeak_ipv6 is defined and teamspeak_ipv6.enabled %}
- ipam:
- driver: default
- config:
- - subnet: {{ teamspeak_ipv6.subnet }}
- enable_ipv6: true
-{% endif %}
diff --git a/roles/teamspeak/templates/teamspeak.container.j2 b/roles/teamspeak/templates/teamspeak.container.j2
new file mode 100644
index 0000000..934c55e
--- /dev/null
+++ b/roles/teamspeak/templates/teamspeak.container.j2
@@ -0,0 +1,38 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description = Teamspeak server
+
+[Service]
+Restart = always
+RestartSec = 5s
+
+[Container]
+Image = {{ teamspeak_containerimage }}:{{ teamspeak_image_tag }}
+ContainerName = teamspeak
+
+AutoUpdate = registry
+LogDriver = journald
+
+NoNewPrivileges = true
+ReadOnly = true
+DropCapability = all
+AddCapability = CAP_CHOWN CAP_SETGID CAP_SETUID
+UserNS = auto:size=65535
+{% if teamspeak_selinux_level != omit %}
+SecurityLabelLevel = {{ teamspeak_selinux_level }}
+{% endif %}
+
+Environment = TS3SERVER_LICENSE=accept
+
+PublishPort = {{ teamspeak_voice_port }}:9987/udp
+PublishPort = {{ teamspeak_filetransfer_port }}:30033/udp
+
+Volume = {{ teamspeak_install_dir }}/data:/var/ts3server:U
+
+PodmanArgs = --memory={{ teamspeak_memory_high }}
+PodmanArgs = --memory-swap={{ teamspeak_swap_max }}
+PodmanArgs = --memory-reservation={{ teamspeak_memory_low }}
+
+[Install]
+WantedBy = default.target