From 94d690c1b4713ff9134b5a4c3c17186d1c717340 Mon Sep 17 00:00:00 2001 
From: CHAIR <95461636+RaneyDazed@users.noreply.github.com> Date: Mon, 8 Apr 2024 08:53:50 -0500 Subject: [PATCH] Add Cockpit role with default variables and tasks (#332) * Add Cockpit role with default variables and tasks * Add cockpit role to sandbox.yml. Yes, I remembered this time. * Refactor Traefik rules for dynamic domains. Remove comments. * Refined cockpit url config for HTTPS support Consolidated the creation of cockpit_web_url to uniformly enforce HTTPS, removing redundant http variant. * Fix Cockpit tasks and remove unnecessary code * Refactor Cockpit role with systemd and package subtasks Reorganized Cockpit Ansible role to improve maintainability. Introduced subtasks specific to systemd and package operations. These changes break down the main task file into smaller, more focused files, enhancing clarity and modularity. Adjusted the template for Cockpit's config to simplify URL setting and added service override capabilities. This restructuring allows better customization and control over the Cockpit installation process, with added options for VM support (WIP) and package holds reflecting more precise lifecycle management. * Enable Cockpit VM management Introduced conditional task inclusion for setting up a Cockpit VM environment. This change adds a new Ansible subtask to install and configure related packages and services only if the feature is enabled, improving modularity and adherence to the principle of optional feature provisioning. * remove trailing whitespace * Updated Cockpit deployment and package settings Tweaked file permissions for increased security and added a configuration to manage Cockpit's virtual machine package installations. VM package management now includes release unholding, backports installation, and re-holding to ensure stable and up-to-date functionality. * Refactor Cockpit role defaults Reorganized settings block. 
* Update owner and group in cockpit.yml.j2 task * Remove allow_downgrade option from package and vm tasks * Update cockpit.yml.j2 with correct format * Modify traefik template. Simplified Traefik routing by replacing the composite host rule with a single variable. * Optimize libvirt default network activation Added a check to determine if the libvirt default network is already active before attempting to start it, avoiding unnecessary attempts to start a network that is running. This enhancement streamlines the VM provisioning process and ensures the task is idempotent. * Enable Traefik in Cockpit configuration * Add check for 'cockpit_traefik' existence * Add conditional removal of cockpit_traefik template * Fix condition for cockpit_traefik_enabled variable * Update cockpit tasks to not run traefik tasks if not enabled * Remove Traefik configuration from main.yml * Update main.yml * Revert removal of traefik variables from `defaults/main.yml` * Update Traefik host rule in cockpit.yml.j2 --- roles/cockpit/defaults/main.yml | 68 ++++++++++++++++++ roles/cockpit/tasks/main.yml | 88 ++++++++++++++++++++++++ roles/cockpit/tasks/subtasks/package.yml | 41 +++++++++++ roles/cockpit/tasks/subtasks/systemd.yml | 44 ++++++++++++ roles/cockpit/tasks/subtasks/vm.yml | 56 +++++++++++++++ roles/cockpit/templates/cockpit.conf.j2 | 5 ++ roles/cockpit/templates/cockpit.yml.j2 | 25 +++++++ roles/cockpit/templates/listen.conf.j2 | 4 ++ roles/cockpit/templates/override.conf.j2 | 13 ++++ sandbox.yml | 1 + 10 files changed, 345 insertions(+) create mode 100644 roles/cockpit/defaults/main.yml create mode 100644 roles/cockpit/tasks/main.yml create mode 100644 roles/cockpit/tasks/subtasks/package.yml create mode 100644 roles/cockpit/tasks/subtasks/systemd.yml create mode 100644 roles/cockpit/tasks/subtasks/vm.yml create mode 100644 roles/cockpit/templates/cockpit.conf.j2 create mode 100644 roles/cockpit/templates/cockpit.yml.j2 create mode 100644 roles/cockpit/templates/listen.conf.j2 
create mode 100644 roles/cockpit/templates/override.conf.j2
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml
new file mode 100644
index 0000000000..790b0b0cf5
--- /dev/null
+++ b/roles/cockpit/defaults/main.yml
@@ -0,0 +1,68 @@
+#########################################################################
+# Title: Sandbox: cockpit | Default Variables #
+# Author(s): CHAIR/Raneydazed #
+# URL: https://github.com/saltyorg/Sandbox #
+# -- #
+#########################################################################
+# GNU General Public License v3.0 #
+#########################################################################
+---
+################################
+# Basics
+################################
+
+cockpit_name: cockpit
+
+################################
+# Settings
+################################
+
+cockpit_traefik_enabled: true
+cockpit_vm_enabled: false
+cockpit_service_after: docker.service
+put_cockpit_dpkg_into_hold: true
+put_cockpit_machines_dpkg_into_hold: true
+
+################################
+# Paths
+################################
+
+cockpit_paths_socket_location: "/etc/systemd/system/cockpit.socket.d/listen.conf"
+cockpit_paths_socket_override_location: "/etc/systemd/system/cockpit.socket.d/override.conf"
+cockpit_paths_config_location: "/etc/cockpit/cockpit.conf"
+cockpit_paths_traefik_location: "/opt/traefik/cockpit.yml"
+cockpit_paths_service_location: "/lib/systemd/system/cockpit.service"
+cockpit_paths_override_location: "/etc/systemd/system/cockpit.service.d/override.conf"
+cockpit_paths_folders_list:
+ - "/etc/systemd/system/cockpit.socket.d"
+ - "/etc/systemd/system/cockpit.service.d"
+ - "/etc/cockpit"
+
+################################
+# Web
+################################
+
+cockpit_web_subdomain: "{{ cockpit_name }}"
+cockpit_web_domain: "{{ user.domain }}"
+cockpit_web_port: "1337"
+cockpit_web_url: "{{ 'https://' + (cockpit_web_subdomain + '.'
+ cockpit_web_domain
+ if (cockpit_web_subdomain | length > 0)
+ else cockpit_web_domain) }}"
+
+################################
+# DNS
+################################
+
+cockpit_dns_record: "{{ cockpit_web_subdomain }}"
+cockpit_dns_zone: "{{ cockpit_web_domain }}"
+cockpit_dns_proxy: "{{ dns.proxied }}"
+
+################################
+# Traefik
+################################
+
+cockpit_traefik_sso_middleware: "{{ traefik_default_sso_middleware }}"
+cockpit_traefik_middleware_default: "{{ traefik_default_middleware }}"
+cockpit_traefik_middleware_custom: ""
+cockpit_traefik_certresolver: "{{ traefik_default_certresolver }}"
+cockpit_traefik_api_enabled: false
diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml
new file mode 100644
index 0000000000..bc98c56dce
--- /dev/null
+++ b/roles/cockpit/tasks/main.yml
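Review bot: `put_cockpit_dpkg_into_hold` and `put_cockpit_machines_dpkg_into_hold` in the Settings block are the only defaults without the role's `cockpit_` prefix, so they break the naming convention every other variable in this file follows and are hard to find in an inventory override; a `cockpit_`-prefixed name (any spelling) would match the rest of the file, with the old names kept as aliases until the subtasks that read them are updated. A short comment above them, `# holds pin the backports build installed by subtasks/package.yml and subtasks/vm.yml`, would also spare readers a trip through the task files to learn what the hold is for. `cockpit_traefik_sso_middleware`, `cockpit_traefik_middleware_custom` and `cockpit_traefik_api_enabled` are not read by any file in this patch; presumably the shared Traefik resources consume them, and a one-line comment saying so would make that explicit.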
@@ -0,0 +1,88 @@
+#########################################################################
+# Title: Sandbox: Cockpit Role #
+# Author(s): CHAIR/Raneydazed #
+# URL: https://github.com/saltyorg/Sandbox #
+# -- #
+#########################################################################
+# GNU General Public License v3.0 #
+#########################################################################
+---
+- name: Add DNS record
+ ansible.builtin.include_tasks: "{{ resources_tasks_path }}/dns/tasker.yml"
+ vars:
+ dns_record: "{{ lookup('vars', role_name + '_dns_record') }}"
+ dns_zone: "{{ lookup('vars', role_name + '_dns_zone') }}"
+ dns_proxy: "{{ lookup('vars', role_name + '_dns_proxy') }}"
+ when: cockpit_traefik_enabled
+
+- name: Check if 'cockpit_socket' exists
+ ansible.builtin.stat:
+ path: "{{ cockpit_paths_socket_location }}"
+ register: cockpit_socket
+
+- name: Stop existing 'cockpit_socket'
+ ansible.builtin.systemd:
+ state: stopped
+ name: cockpit.socket
+ when: cockpit_socket.stat.exists
+
+- name: Check if 'cockpit_service' exists
+ ansible.builtin.stat:
+ path: "{{ cockpit_paths_service_location }}"
+ register: cockpit_service
+
+- name: Stop existing 'cockpit_service'
+ ansible.builtin.systemd:
+ state: stopped
+ name: cockpit.service
+ when: cockpit_service.stat.exists
+
+- name: Check if 'cockpit_traefik' exists
+ ansible.builtin.stat:
+ path: "{{ cockpit_paths_traefik_location }}"
+ register: cockpit_traefik
+
+- name: Remove cockpit_traefik template
+ ansible.builtin.file:
+ path: "{{ cockpit_paths_traefik_location }}"
+ state: absent
+ when: not cockpit_traefik_enabled
+
+- name: Create directories
+ ansible.builtin.include_tasks: "{{ resources_tasks_path }}/directories/create_directories.yml"
+
+- name: Import 'cockpit_traefik' Traefik Template
+ ansible.builtin.template:
+ src: cockpit.yml.j2
+ dest: "{{ cockpit_paths_traefik_location }}"
+ mode: "664"
+ owner: "{{ user.name }}"
+ group: "{{ user.name }}"
+ force: true
+ when:
cockpit_traefik_enabled
+
+- name: "Import Systemd Tasks"
+ ansible.builtin.include_tasks: "subtasks/systemd.yml"
+
+- name: "Import Package Tasks"
+ ansible.builtin.include_tasks: "subtasks/package.yml"
+
+- name: "Import VM Tasks"
+ ansible.builtin.include_tasks: "subtasks/vm.yml"
+ when: cockpit_vm_enabled
+
+- name: Load 'cockpit_socket'
+ ansible.builtin.systemd:
+ name: cockpit.socket
+ state: started
+ enabled: yes
+ daemon_reload: true
+ when: not continuous_integration
+
+- name: Load 'cockpit_service'
+ ansible.builtin.systemd:
+ name: cockpit.service
+ state: started
+ enabled: yes
+ daemon_reload: true
+ when: not continuous_integration
diff --git a/roles/cockpit/tasks/subtasks/package.yml b/roles/cockpit/tasks/subtasks/package.yml
new file mode 100644
index 0000000000..8a85b3245b
--- /dev/null
+++ b/roles/cockpit/tasks/subtasks/package.yml
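Review bot: The "Check if 'cockpit_traefik' exists" stat registers `cockpit_traefik` but nothing reads it: the removal task that follows is guarded only by `not cockpit_traefik_enabled`, and `state: absent` is idempotent on its own, so the stat task is dead and can be dropped. The "Stop existing 'cockpit_socket'" task is gated on the drop-in file `cockpit_paths_socket_location` rather than on the unit, so after a run that wrote the drop-in but never reached the package install (or after the package was removed by hand) the stop presumably fails because `cockpit.socket` is unknown to systemd; stat the packaged socket unit, the counterpart of `cockpit_paths_service_location`, the way the service task already does. The Traefik template task also uses `mode: "664"` while every template in subtasks/systemd.yml uses `"0664"`; both parse as octal strings, but one spelling across the role is easier to grep and review.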
@@ -0,0 +1,41 @@
+#########################################################################
+# Title: Sandbox: Cockpit | Package Tasks #
+# Author(s): CHAIR/Raneydazed #
+# URL: https://github.com/saltyorg/Sandbox #
+# -- #
+#########################################################################
+# GNU General Public License v3.0 #
+#########################################################################
+---
+- name: Gather package facts
+ ansible.builtin.package_facts:
+
+- name: Package | Release 'cockpit' from hold
+ ansible.builtin.dpkg_selections:
+ name: "cockpit"
+ selection: install
+ when: ("cockpit" in ansible_facts.packages)
+
+- name: Package | Install 'cockpit' from backports
+ ansible.builtin.apt:
+ name: "cockpit"
+ default_release: "{{ ansible_distribution_release }}-backports"
+ state: latest
+ update_cache: true
+
+- name: Package | Put 'cockpit' into hold
+ ansible.builtin.dpkg_selections:
+ name: "cockpit"
+ selection: hold
+ when: put_cockpit_dpkg_into_hold
+
+- name: Package | Get 'cockpit' version
+ ansible.builtin.command: "cockpit-bridge --version"
+ register: cockpit_version
+ ignore_errors: true
+ changed_when: false
+
+- name: Package | Display 'cockpit' version
+ ansible.builtin.debug:
+ msg: "Cockpit version {{ cockpit_version.stdout.split()[1] }} installed."
+ when: cockpit_version is defined and cockpit_version.stdout is defined
diff --git a/roles/cockpit/tasks/subtasks/systemd.yml b/roles/cockpit/tasks/subtasks/systemd.yml
new file mode 100644
index 0000000000..cb8ed9a673
--- /dev/null
+++ b/roles/cockpit/tasks/subtasks/systemd.yml
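Review bot: The "Display 'cockpit' version" task can still fail the play: `ignore_errors: true` on the `cockpit-bridge --version` task lets a missing or broken binary through, but `cockpit_version.stdout` is then presumably defined and empty, and `cockpit_version.stdout.split()[1]` raises an index error that neither `is defined` check prevents. Guard on the command result instead: `when: cockpit_version.rc == 0 and (cockpit_version.stdout.split() | length) > 1`. The `[1]` index also silently depends on the first token pair of the output being a label followed by the version; a comment such as `# cockpit-bridge --version prints "Version: <n>" first — TODO confirm on the supported releases` would record that assumption next to the task that relies on it.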
@@ -0,0 +1,44 @@
+#########################################################################
+# Title: Sandbox: Cockpit | Systemd Tasks #
+# Author(s): CHAIR/Raneydazed #
+# URL: https://github.com/saltyorg/Sandbox #
+# -- #
+#########################################################################
+# GNU General Public License v3.0 #
+#########################################################################
+---
+- name: System | Import 'cockpit_config'
+ ansible.builtin.template:
+ src: cockpit.conf.j2
+ dest: "{{ cockpit_paths_config_location }}"
+ mode: "0664"
+ owner: root
+ group: root
+ force: true
+
+- name: System | Import 'cockpit_socket'
+ ansible.builtin.template:
+ src: listen.conf.j2
+ dest: "{{ cockpit_paths_socket_location }}"
+ mode: "0664"
+ owner: root
+ group: root
+ force: true
+
+- name: System | Import 'socket_override'
+ ansible.builtin.template:
+ src: override.conf.j2
+ dest: "{{ cockpit_paths_socket_override_location }}"
+ mode: "0664"
+ owner: root
+ group: root
+ force: true
+
+- name: System | Import 'service_override'
+ ansible.builtin.template:
+ src: override.conf.j2
+ dest: "{{ cockpit_paths_override_location }}"
+ mode: "0664"
+ owner: root
+ group: root
+ force: true
diff --git a/roles/cockpit/tasks/subtasks/vm.yml b/roles/cockpit/tasks/subtasks/vm.yml
new file mode 100644
index 0000000000..59b08885f5
--- /dev/null
+++ b/roles/cockpit/tasks/subtasks/vm.yml
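Review bot: The 'socket_override' and 'service_override' tasks render the same `override.conf.j2` into two different drop-in directories, and nothing in this file says the duplication is intentional; a reader of the socket task has to open the template to discover that `cockpit.socket` also receives `After=`/`Requires=` on `cockpit_service_after`. A comment above 'socket_override', `# same drop-in as the service: the socket is ordered after docker.service as well`, would make the pairing explicit and give the next maintainer a reason not to "deduplicate" one of them. All four templates are written root:root with `mode: "0664"`, where the group-write bit grants nothing and `"0644"` is the conventional mode for a root-owned file under /etc and the systemd drop-in directories.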
@@ -0,0 +1,56 @@
+#########################################################################
+# Title: Sandbox: Cockpit | VM Tasks #
+# Author(s): CHAIR/Raneydazed #
+# URL: https://github.com/saltyorg/Sandbox #
+# -- #
+#########################################################################
+# GNU General Public License v3.0 #
+#########################################################################
+---
+- name: VM | Gather package facts
+ ansible.builtin.package_facts:
+
+- name: VM | Release 'cockpit-machines' from hold
+ ansible.builtin.dpkg_selections:
+ name: "cockpit-machines"
+ selection: install
+ when: ("cockpit-machines" in ansible_facts.packages)
+
+- name: VM | Install 'cockpit-machines' from backports
+ ansible.builtin.apt:
+ name: "cockpit-machines"
+ default_release: "{{ ansible_distribution_release }}-backports"
+ state: latest
+ update_cache: true
+
+- name: VM | Put 'cockpit-machines' into hold
+ ansible.builtin.dpkg_selections:
+ name: "cockpit-machines"
+ selection: hold
+ when: put_cockpit_machines_dpkg_into_hold
+
+- name: VM | Install necessary packages for Cockpit Machines
+ ansible.builtin.package:
+ name:
+ - qemu
+ - qemu-kvm
+ - libvirt-clients
+ - libvirt-daemon-system
+ - virtinst
+ - bridge-utils
+ - cracklib-runtime
+ - qemu-utils
+ - dnsmasq
+ state: latest
+ update_cache: true
+
+- name: VM | Check if default network in libvirt is active
+ ansible.builtin.command:
+ cmd: virsh net-info default
+ register: default_network_info
+ changed_when: false
+
+- name: VM | Start default network in libvirt
+ ansible.builtin.command:
+ cmd: virsh net-start default
+ when: not (default_network_info.stdout | regex_search('(Active:\\s*yes)', ignorecase=True))
diff --git a/roles/cockpit/templates/cockpit.conf.j2 b/roles/cockpit/templates/cockpit.conf.j2
new file mode 100644
index 0000000000..c409fc872e
--- /dev/null
+++ b/roles/cockpit/templates/cockpit.conf.j2
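Review bot: "VM | Check if default network in libvirt is active" sets `changed_when: false` but no `failed_when`, so when libvirtd is not yet running or the `default` network is undefined, `virsh net-info default` returns non-zero and the task aborts the play before the start task runs. Add `failed_when: false` to the check and extend the start task's guard to `when: default_network_info.rc == 0 and not (default_network_info.stdout | regex_search('(Active:\\s*yes)', ignorecase=True))`, so the role continues and skips the start when there is nothing to start. `virsh net-start` also only activates the network for the current boot; if the network is expected to come back after a reboot, a `virsh net-autostart default` step (or a comment saying autostart is deliberately left to the Cockpit UI) belongs next to it.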
@@ -0,0 +1,5 @@
+[WebService]
+Origins = {{ cockpit_web_url }}
+ProtocolHeader = X-Forwarded-Proto
+ForwardedForHeader = X-Forwarded-For
+AllowUnencrypted = true
diff --git a/roles/cockpit/templates/cockpit.yml.j2 b/roles/cockpit/templates/cockpit.yml.j2
new file mode 100644
index 0000000000..0b08ab9956
--- /dev/null
+++ b/roles/cockpit/templates/cockpit.yml.j2
@@ -0,0 +1,25 @@
+http:
+ routers:
+ {{ cockpit_name }}-http:
+ entryPoints:
+ - "web"
+ rule: "{{ traefik_host_template }}"
+ middlewares:
+ {{ traefik_default_middleware_http.split(',') | to_nice_yaml | trim | indent(8) }}
+ service: "{{ cockpit_name }}"
+ {{ cockpit_name }}:
+ entryPoints:
+ - "websecure"
+ rule: "{{ traefik_host_template }}"
+ middlewares:
+ {{ traefik_middleware.split(',') | to_nice_yaml | trim | indent(8) }}
+ service: "{{ cockpit_name }}"
+ tls:
+ options: securetls@file
+ certResolver: {{ cockpit_traefik_certresolver }}
+
+ services:
+ {{ cockpit_name }}:
+ loadBalancer:
+ servers:
+ - url: "http://172.19.0.1:{{ cockpit_web_port }}"
diff --git a/roles/cockpit/templates/listen.conf.j2 b/roles/cockpit/templates/listen.conf.j2
new file mode 100644
index 0000000000..3e25a03738
--- /dev/null
+++ b/roles/cockpit/templates/listen.conf.j2
@@ -0,0 +1,4 @@
+[Socket]
+ListenStream=
+ListenStream=172.19.0.1:{{ cockpit_web_port }}
+FreeBind=yes
diff --git a/roles/cockpit/templates/override.conf.j2 b/roles/cockpit/templates/override.conf.j2
new file mode 100644
index 0000000000..35d9dfdd19
--- /dev/null
+++ b/roles/cockpit/templates/override.conf.j2
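Review bot: `AllowUnencrypted = true` together with `ProtocolHeader = X-Forwarded-Proto` and `ForwardedForHeader = X-Forwarded-For` makes Cockpit accept plain HTTP and take the request scheme and client address from whatever sends those headers, so the safety of this configuration rests entirely on only Traefik being able to reach the listener; the template does not say so, and the only thing in the role that limits reachability is the bind address in listen.conf.j2 (`172.19.0.1`, presumably the Docker bridge gateway, which other containers on that bridge can reach as well). State the assumption in the template with a Jinja comment, e.g. `{# TLS terminates at Traefik. Plain HTTP and trusted forwarded headers are only acceptable while the bridge-gateway listener is reachable solely from the Traefik container. #}`, so that a later change to the bridge or to the bind address is reviewed against it. If containers other than Traefik share that bridge, a host firewall rule limiting the port to Traefik's address would turn the assumption into an enforced control.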
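Review bot: The upstream address `172.19.0.1` is hard-coded in the loadBalancer `url` here and again in listen.conf.j2's `ListenStream`, with no default variable tying the two together; if the Docker bridge subnet on a host is not 172.19.0.0/16 both files still render, `FreeBind=yes` presumably lets the socket bind an address the host does not own, and Traefik forwards to nothing, with no task in the role detecting it. A single default such as `cockpit_web_bind_address: "172.19.0.1"` (name is a suggestion) referenced from both templates would give operators one place to override and one comment explaining that the address is the bridge gateway. The `-http` router and the `websecure` router both use `{{ traefik_host_template }}`, which matches the commit message's "single variable" change; a one-line comment above `routers:` naming where that variable is computed would save the next reader a search.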
@@ -0,0 +1,13 @@
+# /etc/systemd/system/cockpit.service.d/override.conf
+#########################################################################
+# Title: Sandbox: Cockpit Override #
+# Author(s): CHAIR/Raneydazed #
+# URL: https://github.com/saltyorg/Sandbox #
+# -- #
+#########################################################################
+# GNU General Public License v3.0 #
+#########################################################################
+
+[Unit]
+After={{ cockpit_service_after }}
+Requires={{ cockpit_service_after }}
diff --git a/sandbox.yml b/sandbox.yml
index 7439118c9b..3afd5adada 100644
--- a/sandbox.yml
+++ b/sandbox.yml
@@ -33,6 +33,7 @@
 - { role: calibre_web, tags: ['calibre-web'] }
 - { role: changedetection, tags: ['changedetection'] }
 - { role: cherry, tags: ['cherry'] }
+ - { role: cockpit, tags: ['cockpit'] }
 - { role: coder, tags: ['coder'] }
 - { role: codex, tags: ['codex'] }
 - { role: code_server, tags: ['code-server'] }
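Review bot: `Requires={{ cockpit_service_after }}` makes cockpit.service and cockpit.socket hard dependencies of docker.service, so systemd stops both whenever docker.service is stopped or restarted (a Docker upgrade, or a restart issued by another role), and `FreeBind=yes` in listen.conf.j2 already removes the only reason the socket would need Docker up before it can bind; unless taking Cockpit down with Docker is intended, `Wants={{ cockpit_service_after }}` with the existing `After=` gives the ordering without the teardown. The first line, `# /etc/systemd/system/cockpit.service.d/override.conf`, is also only half true because subtasks/systemd.yml renders this template into `cockpit.socket.d/override.conf` as well; `# rendered into both cockpit.service.d/ and cockpit.socket.d/ as override.conf` would match what the role does.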