Add Cockpit role with default variables and tasks (saltyorg#332)

* Add Cockpit role with default variables and tasks

* Add cockpit role to sandbox.yml. Yes, I remembered this time.

* Refactor Traefik rules for dynamic domains. Remove comments.

* Refined cockpit url config for HTTPS support

Consolidated the creation of cockpit_web_url to uniformly enforce HTTPS, removing redundant http variant.

* Fix Cockpit tasks and remove unnecessary code

* Refactor Cockpit role with systemd and package subtasks

Reorganized Cockpit Ansible role to improve maintainability. Introduced subtasks specific to systemd and package operations. These changes break down the main task file into smaller, more focused files, enhancing clarity and modularity. Adjusted the template for Cockpit's config to simplify URL setting and added service override capabilities. This restructuring allows better customization and control over the Cockpit installation process, with added options for VM support (WIP) and package holds reflecting more precise lifecycle management.

* Enable Cockpit VM management

Introduced conditional task inclusion for setting up a Cockpit VM environment. This change adds a new Ansible subtask to install and configure related packages and services only if the feature is enabled, improving modularity and adherence to the principle of optional feature provisioning.

* remove trailing whitespace

* Updated Cockpit deployment and package settings

Tweaked file permissions for increased security and added a configuration to manage Cockpit's virtual machine package installations. VM package management now includes release unholding, backports installation, and re-holding to ensure stable and up-to-date functionality.

* Refactor Cockpit role defaults

Reorganized settings block.

* Update owner and group in cockpit.yml.j2 task

* Remove allow_downgrade option from package and vm tasks

* Update cockpit.yml.j2 with correct format

* Modify traefik template.

Simplified Traefik routing by replacing the composite host rule with a single variable.

* Optimize libvirt default network activation

Added a check to determine if the libvirt default network is already active before attempting to start it, avoiding unnecessary attempts to start a network that is running. This enhancement streamlines the VM provisioning process and ensures the task is idempotent.

* Enable Traefik in Cockpit configuration

* Add check for 'cockpit_traefik' existence

* Add conditional removal of cockpit_traefik template

* Fix condition for cockpit_traefik_enabled variable

* Update cockpit tasks to not run  traefik tasks if not enabled

* Remove Traefik configuration from main.yml

* Update main.yml

* Revert removal of traefik variables from `defaults/main.yml`

* Update Traefik host rule in cockpit.yml.j2

roles/cockpit/defaults/main.yml

@@ -0,0 +1,68 @@
+#########################################################################
+# Title:            Sandbox: cockpit | Default Variables                #
+# Author(s):        CHAIR/Raneydazed                                    #
+# URL:              https://github.com/saltyorg/Sandbox                 #
+# --                                                                    #
+#########################################################################
+#                   GNU General Public License v3.0                     #
+#########################################################################
+---
+################################
+# Basics
+################################
+
+cockpit_name: cockpit
+
+################################
+# Settings
+################################
+
+cockpit_traefik_enabled: true
+cockpit_vm_enabled: false
+cockpit_service_after: docker.service
+put_cockpit_dpkg_into_hold: true
+put_cockpit_machines_dpkg_into_hold: true
+
+################################
+# Paths
+################################
+
+cockpit_paths_socket_location: "/etc/systemd/system/cockpit.socket.d/listen.conf"
+cockpit_paths_socket_override_location: "/etc/systemd/system/cockpit.socket.d/override.conf"
+cockpit_paths_config_location: "/etc/cockpit/cockpit.conf"
+cockpit_paths_traefik_location: "/opt/traefik/cockpit.yml"
+cockpit_paths_service_location: "/lib/systemd/system/cockpit.service"
+cockpit_paths_override_location: "/etc/systemd/system/cockpit.service.d/override.conf"
+cockpit_paths_folders_list:
+  - "/etc/systemd/system/cockpit.socket.d"
+  - "/etc/systemd/system/cockpit.service.d"
+  - "/etc/cockpit"
+
+################################
+# Web
+################################
+
+cockpit_web_subdomain: "{{ cockpit_name }}"
+cockpit_web_domain: "{{ user.domain }}"
+cockpit_web_port: "1337"
+cockpit_web_url: "{{ 'https://' + (cockpit_web_subdomain + '.' + cockpit_web_domain
+                  if (cockpit_web_subdomain | length > 0)
+                  else cockpit_web_domain) }}"
+
+################################
+# DNS
+################################
+
+cockpit_dns_record: "{{ cockpit_web_subdomain }}"
+cockpit_dns_zone: "{{ cockpit_web_domain }}"
+cockpit_dns_proxy: "{{ dns.proxied }}"
+
+################################
+# Traefik
+################################
+
+cockpit_traefik_sso_middleware: "{{ traefik_default_sso_middleware }}"
+cockpit_traefik_middleware_default: "{{ traefik_default_middleware }}"
+cockpit_traefik_middleware_custom: ""
+cockpit_traefik_certresolver: "{{ traefik_default_certresolver }}"
+cockpit_traefik_api_enabled: false

roles/cockpit/tasks/main.yml

@@ -0,0 +1,88 @@
+#########################################################################
+# Title:         Sandbox: Cockpit Role                                  #
+# Author(s):     CHAIR/Raneydazed                                       #
+# URL:           https://github.com/saltyorg/Sandbox                    #
+# --                                                                    #
+#########################################################################
+#                   GNU General Public License v3.0                     #
+#########################################################################
+---
+- name: Add DNS record
+  ansible.builtin.include_tasks: "{{ resources_tasks_path }}/dns/tasker.yml"
+  vars:
+    dns_record: "{{ lookup('vars', role_name + '_dns_record') }}"
+    dns_zone: "{{ lookup('vars', role_name + '_dns_zone') }}"
+    dns_proxy: "{{ lookup('vars', role_name + '_dns_proxy') }}"
+  when: cockpit_traefik_enabled
+
+- name: Check if 'cockpit_socket' exists
+  ansible.builtin.stat:
+    path: "{{ cockpit_paths_socket_location }}"
+  register: cockpit_socket
+
+- name: Stop existing 'cockpit_socket'
+  ansible.builtin.systemd:
+    state: stopped
+    name: cockpit.socket
+  when: cockpit_socket.stat.exists
+
+- name: Check if 'cockpit_service' exists
+  ansible.builtin.stat:
+    path: "{{ cockpit_paths_service_location }}"
+  register: cockpit_service
+
+- name: Stop existing 'cockpit_service'
+  ansible.builtin.systemd:
+    state: stopped
+    name: cockpit.service
+  when: cockpit_service.stat.exists
+
+- name: Check if 'cockpit_traefik' exists
+  ansible.builtin.stat:
+    path: "{{ cockpit_paths_traefik_location }}"
+  register: cockpit_traefik
+
+- name: Remove cockpit_traefik template
+  ansible.builtin.file:
+    path: "{{ cockpit_paths_traefik_location }}"
+    state: absent
+  when: not cockpit_traefik_enabled
+
+- name: Create directories
+  ansible.builtin.include_tasks: "{{ resources_tasks_path }}/directories/create_directories.yml"
+
+- name: Import 'cockpit_traefik' Traefik Template
+  ansible.builtin.template:
+    src: cockpit.yml.j2
+    dest: "{{ cockpit_paths_traefik_location }}"
+    mode: "664"
+    owner: "{{ user.name }}"
+    group: "{{ user.name }}"
+    force: true
+  when: cockpit_traefik_enabled
+
+- name: "Import Systemd Tasks"
+  ansible.builtin.include_tasks: "subtasks/systemd.yml"
+
+- name: "Import Package Tasks"
+  ansible.builtin.include_tasks: "subtasks/package.yml"
+
+- name: "Import VM Tasks"
+  ansible.builtin.include_tasks: "subtasks/vm.yml"
+  when: cockpit_vm_enabled
+
+- name: Load 'cockpit_socket'
+  ansible.builtin.systemd:
+    name: cockpit.socket
+    state: started
+    enabled: yes
+    daemon_reload: true
+  when: not continuous_integration
+
+- name: Load 'cockpit_service'
+  ansible.builtin.systemd:
+    name: cockpit.service
+    state: started
+    enabled: yes
+    daemon_reload: true
+  when: not continuous_integration

roles/cockpit/tasks/subtasks/package.yml

@@ -0,0 +1,41 @@
+#########################################################################
+# Title:         Sandbox: Cockpit | Package Tasks                       #
+# Author(s):     CHAIR/Raneydazed                                       #
+# URL:           https://github.com/saltyorg/Sandbox                    #
+# --                                                                    #
+#########################################################################
+#                   GNU General Public License v3.0                     #
+#########################################################################
+---
+- name: Gather package facts
+  ansible.builtin.package_facts:
+
+- name: Package | Release 'cockpit' from hold
+  ansible.builtin.dpkg_selections:
+    name: "cockpit"
+    selection: install
+  when: ("cockpit" in ansible_facts.packages)
+
+- name: Package | Install 'cockpit' from backports
+  ansible.builtin.apt:
+    name: "cockpit"
+    default_release: "{{ ansible_distribution_release }}-backports"
+    state: latest
+    update_cache: true
+
+- name: Package | Put 'cockpit' into hold
+  ansible.builtin.dpkg_selections:
+    name: "cockpit"
+    selection: hold
+  when: put_cockpit_dpkg_into_hold
+
+- name: Package | Get 'cockpit' version
+  ansible.builtin.command: "cockpit-bridge --version"
+  register: cockpit_version
+  ignore_errors: true
+  changed_when: false
+
+- name: Package | Display 'cockpit' version
+  ansible.builtin.debug:
+    msg: "Cockpit version {{ cockpit_version.stdout.split()[1] }} installed."
+  when: cockpit_version is defined and cockpit_version.stdout is defined

roles/cockpit/tasks/subtasks/systemd.yml

@@ -0,0 +1,44 @@
+#########################################################################
+# Title:         Sandbox: Cockpit | Systemd Tasks                       #
+# Author(s):     CHAIR/Raneydazed                                       #
+# URL:           https://github.com/saltyorg/Sandbox                    #
+# --                                                                    #
+#########################################################################
+#                   GNU General Public License v3.0                     #
+#########################################################################
+---
+- name: System | Import 'cockpit_config'
+  ansible.builtin.template:
+    src: cockpit.conf.j2
+    dest: "{{ cockpit_paths_config_location }}"
+    mode: "0664"
+    owner: root
+    group: root
+    force: true
+
+- name: System | Import 'cockpit_socket'
+  ansible.builtin.template:
+    src: listen.conf.j2
+    dest: "{{ cockpit_paths_socket_location }}"
+    mode: "0664"
+    owner: root
+    group: root
+    force: true
+
+- name: System | Import 'socket_override'
+  ansible.builtin.template:
+    src: override.conf.j2
+    dest: "{{ cockpit_paths_socket_override_location }}"
+    mode: "0664"
+    owner: root
+    group: root
+    force: true
+
+- name: System | Import 'service_override'
+  ansible.builtin.template:
+    src: override.conf.j2
+    dest: "{{ cockpit_paths_override_location }}"
+    mode: "0664"
+    owner: root
+    group: root
+    force: true

roles/cockpit/tasks/subtasks/vm.yml

@@ -0,0 +1,56 @@
+#########################################################################
+# Title:         Sandbox: Cockpit | VM Tasks                            #
+# Author(s):     CHAIR/Raneydazed                                       #
+# URL:           https://github.com/saltyorg/Sandbox                    #
+# --                                                                    #
+#########################################################################
+#                   GNU General Public License v3.0                     #
+#########################################################################
+---
+- name: VM | Gather package facts
+  ansible.builtin.package_facts:
+
+- name: VM | Release 'cockpit-machines' from hold
+  ansible.builtin.dpkg_selections:
+    name: "cockpit-machines"
+    selection: install
+  when: ("cockpit-machines" in ansible_facts.packages)
+
+- name: VM | Install 'cockpit-machines' from backports
+  ansible.builtin.apt:
+    name: "cockpit-machines"
+    default_release: "{{ ansible_distribution_release }}-backports"
+    state: latest
+    update_cache: true
+
+- name: VM | Put 'cockpit-machines' into hold
+  ansible.builtin.dpkg_selections:
+    name: "cockpit-machines"
+    selection: hold
+  when: put_cockpit_machines_dpkg_into_hold
+
+- name: VM | Install necessary packages for Cockpit Machines
+  ansible.builtin.package:
+    name:
+      - qemu
+      - qemu-kvm
+      - libvirt-clients
+      - libvirt-daemon-system
+      - virtinst
+      - bridge-utils
+      - cracklib-runtime
+      - qemu-utils
+      - dnsmasq
+    state: latest
+    update_cache: true
+
+- name: VM | Check if default network in libvirt is active
+  ansible.builtin.command:
+    cmd: virsh net-info default
+  register: default_network_info
+  changed_when: false
+
+- name: VM | Start default network in libvirt
+  ansible.builtin.command:
+    cmd: virsh net-start default
+  when: not (default_network_info.stdout | regex_search('(Active:\\s*yes)', ignorecase=True))

roles/cockpit/templates/cockpit.conf.j2

@@ -0,0 +1,5 @@
+[WebService]
+Origins = {{ cockpit_web_url }}
+ProtocolHeader = X-Forwarded-Proto
+ForwardedForHeader = X-Forwarded-For
+AllowUnencrypted = true

roles/cockpit/templates/cockpit.yml.j2

@@ -0,0 +1,25 @@
+http:
+  routers:
+    {{ cockpit_name }}-http:
+      entryPoints:
+        - "web"
+      rule: "{{ traefik_host_template }}"
+      middlewares:
+        {{ traefik_default_middleware_http.split(',') | to_nice_yaml | trim | indent(8) }}
+      service: "{{ cockpit_name }}"
+    {{ cockpit_name }}:
+      entryPoints:
+        - "websecure"
+      rule: "{{ traefik_host_template }}"
+      middlewares:
+        {{ traefik_middleware.split(',') | to_nice_yaml | trim | indent(8) }}
+      service: "{{ cockpit_name }}"
+      tls:
+        options: securetls@file
+        certResolver: {{ cockpit_traefik_certresolver }}
+
+  services:
+    {{ cockpit_name }}:
+      loadBalancer:
+        servers:
+          - url: "http://172.19.0.1:{{ cockpit_web_port }}"

roles/cockpit/templates/listen.conf.j2

@@ -0,0 +1,4 @@
+[Socket]
+ListenStream=
+ListenStream=172.19.0.1:{{ cockpit_web_port }}
+FreeBind=yes

roles/cockpit/templates/override.conf.j2

@@ -0,0 +1,13 @@
+# /etc/systemd/system/cockpit.service.d/override.conf
+#########################################################################
+# Title:         Sandbox: Cockpit Override                              #
+# Author(s):     CHAIR/Raneydazed                                       #
+# URL:           https://github.com/saltyorg/Sandbox                    #
+# --                                                                    #
+#########################################################################
+#                   GNU General Public License v3.0                     #
+#########################################################################
+
+[Unit]
+After={{ cockpit_service_after }}
+Requires={{ cockpit_service_after }}

sandbox.yml

@@ -33,6 +33,7 @@
     - { role: calibre_web, tags: ['calibre-web'] }
     - { role: changedetection, tags: ['changedetection'] }
     - { role: cherry, tags: ['cherry'] }
+    - { role: cockpit, tags: ['cockpit'] }
     - { role: coder, tags: ['coder'] }
     - { role: codex, tags: ['codex'] }
     - { role: code_server, tags: ['code-server'] }