Enable SELinux deployment in dev config
This commit is contained in:
@@ -16,6 +16,38 @@
|
||||
policy: "{{ selinux.policy | default('default') }}"
|
||||
when: selinux is defined and selinux is not false
|
||||
|
||||
- name: Check for GRUB
|
||||
ansible.builtin.stat:
|
||||
path: /etc/default/grub
|
||||
register: grub_config
|
||||
when: selinux is defined and selinux is not false
|
||||
|
||||
- name: Check if SELinux is already activated in GRUB
|
||||
ansible.builtin.command: grep -q 'security=selinux' /etc/default/grub
|
||||
register: selinux_grub
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
when:
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
- grub_config.stat.exists
|
||||
|
||||
- name: Activate SELinux
|
||||
ansible.builtin.command: selinux-activate
|
||||
changed_when: true
|
||||
when:
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
- grub_config.stat.exists
|
||||
- selinux_grub.rc != 0
|
||||
register: selinux_activated
|
||||
|
||||
- name: Reboot after SELinux activation
|
||||
ansible.builtin.reboot:
|
||||
when:
|
||||
- selinux_activated is changed
|
||||
- base_allow_reboot
|
||||
|
||||
- name: Install GPG
|
||||
ansible.builtin.apt:
|
||||
name: gpg
|
||||
|
||||
@@ -112,6 +112,88 @@
|
||||
loop_var: podman_user
|
||||
when: podman_login is defined
|
||||
|
||||
- name: Stat rootless Podman directory
|
||||
ansible.builtin.stat:
|
||||
path: "/home/{{ compose_user.key }}/.local/share/containers"
|
||||
loop: "{{ podman_compose | dict2items }}"
|
||||
loop_control:
|
||||
loop_var: compose_user
|
||||
label: "{{ compose_user.key }}"
|
||||
register: podman_user_containers_stat
|
||||
when:
|
||||
- podman_compose is defined
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
|
||||
- name: Create rootless Podman directory
|
||||
ansible.builtin.file:
|
||||
path: "/home/{{ item.compose_user.key }}/.local/share/containers"
|
||||
state: directory
|
||||
owner: "{{ item.compose_user.key }}"
|
||||
group: "{{ item.compose_user.key }}"
|
||||
mode: "700"
|
||||
loop: "{{ podman_user_containers_stat.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.compose_user.key }}"
|
||||
when:
|
||||
- podman_compose is defined
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
- not item.stat.exists
|
||||
|
||||
- name: Label rootless Podman directory
|
||||
ansible.builtin.command: >-
|
||||
restorecon -Rv /home/{{ item.compose_user.key }}/.local/share/containers
|
||||
loop: "{{ podman_user_containers_stat.results }}"
|
||||
loop_control:
|
||||
label: "/home/{{ item.compose_user.key }}/.local/share/containers"
|
||||
changed_when: true
|
||||
when:
|
||||
- podman_compose is defined
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
- not item.stat.exists
|
||||
|
||||
- name: Stat Podman label directories
|
||||
ansible.builtin.stat:
|
||||
path: "{{ item.path }}"
|
||||
loop: "{{ podman_label }}"
|
||||
register: podman_label_stat
|
||||
loop_control:
|
||||
label: "{{ item.path }}"
|
||||
when:
|
||||
- podman_label is defined
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
|
||||
- name: Create Podman label directories
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.item.path }}"
|
||||
owner: "{{ item.item.owner | default(omit) }}"
|
||||
group: "{{ item.item.group | default(omit) }}"
|
||||
mode: "{{ item.item.mode | default('700') }}"
|
||||
state: directory
|
||||
loop: "{{ podman_label_stat.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.item.path }}"
|
||||
when:
|
||||
- podman_label is defined
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
- not item.stat.exists
|
||||
|
||||
- name: Set labels on Podman label directories
|
||||
ansible.builtin.command: "chcon {{ item.item.label }} {{ item.item.path }}"
|
||||
loop: "{{ podman_label_stat.results }}"
|
||||
changed_when: true
|
||||
loop_control:
|
||||
label: "{{ item.item.path }} => {{ item.item.label }}"
|
||||
when:
|
||||
- podman_label is defined
|
||||
- selinux is defined
|
||||
- selinux is not false
|
||||
- not item.stat.exists
|
||||
|
||||
- name: Deploy Podman compose projects for each user
|
||||
ansible.builtin.include_tasks: deploy.yml
|
||||
vars:
|
||||
|
||||
@@ -10,18 +10,17 @@
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Check for cached dhparams.pem file
|
||||
- name: Check if environment is vagrant
|
||||
ansible.builtin.stat:
|
||||
path: "{{ proxy_cached_dhparams_pem }}"
|
||||
register: dhparams_file
|
||||
path: /home/vagrant
|
||||
register: vagrant_home
|
||||
|
||||
- name: Copy cached dhparams.pem to /etc/ssl/
|
||||
ansible.builtin.copy:
|
||||
src: "{{ proxy_cached_dhparams_pem }}"
|
||||
- name: Download Mozilla's standard DH params (dev only)
|
||||
ansible.builtin.get_url:
|
||||
url: https://ssl-config.mozilla.org/ffdhe4096.txt
|
||||
dest: /etc/ssl/dhparams.pem
|
||||
mode: "600"
|
||||
remote_src: true
|
||||
when: dhparams_file.stat.exists
|
||||
when: vagrant_home.stat.exists
|
||||
|
||||
- name: Generate DH Parameters
|
||||
community.crypto.openssl_dhparam:
|
||||
|
||||
Reference in New Issue
Block a user