Enable SELinux deployment in dev config

dev/host_vars/podman.yml

@@ -4,7 +4,7 @@
 selinux:
   state: enforcing
 
-base_allow_reboot: false
+base_allow_reboot: true
 base_manage_network: false
 
 root_gpgkeys:
@@ -27,35 +27,34 @@ scripts:
 
 proxy:
   servers:
-    - domain: cloud.local.krislamo.org
+    - domain: music.local.krislamo.org
-      proxy_pass: http://127.0.0.1:8000
+      proxy_pass: http://127.0.0.1:4533
 
 ################
 #### podman ####
 ################
 
+podman_label:
+  - path: /home/vagrant/navidrome
+    label: system_u:object_r:container_file_t:s0
+    owner: vagrant
+    group: vagrant
+
 podman_compose:
   vagrant:
     root: /opt/oci
     trusted_keys:
       - id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
     compose:
-      - name: traefik
+      - name: navidrome
-        url: https://github.com/krislamo/traefik
+        url: https://github.com/krislamo/navidrome
-        version: d7197ddd5b7019c60faf5d164e555b6374972d40
+        version: 305f92cff143c0d497d21277145f605d9da830de
         enabled: true
         accept_newhostkey: true # Consider verifying manually instead
         env:
           VERSION: latest
-          SOCKET: /run/user/1000/podman/podman.sock
+          BASEURL: https://music.local.krislamo.org
-          DASHBOARD: true
+          MUSIC: /home/vagrant/navidrome
-      - name: nextcloud
+          LASTFM_ENABLED: "false"
-        url: https://github.com/krislamo/nextcloud
+          LASTFM_APIKEY: "n/a"
-        version: 245c91a22fa75e5dde1d423e88540529a4fa4f27
+          LASTFM_SECRET: "n/a"
-        enabled: true
-        env:
-          VERSION: latest
-          DOMAIN: cloud.local.krislamo.org
-          DATA: /opt/oci/nextcloud/data/
-          REDIS_VERSION: latest
-          REDIS_PASSWORD: changeme

roles/base/tasks/system.yml

@@ -16,6 +16,38 @@
     policy: "{{ selinux.policy | default('default') }}"
   when: selinux is defined and selinux is not false
 
+- name: Check for GRUB
+  ansible.builtin.stat:
+    path: /etc/default/grub
+  register: grub_config
+  when: selinux is defined and selinux is not false
+
+- name: Check if SELinux is already activated in GRUB
+  ansible.builtin.command: grep -q 'security=selinux' /etc/default/grub
+  register: selinux_grub
+  changed_when: false
+  failed_when: false
+  when:
+    - selinux is defined
+    - selinux is not false
+    - grub_config.stat.exists
+
+- name: Activate SELinux
+  ansible.builtin.command: selinux-activate
+  changed_when: true
+  when:
+    - selinux is defined
+    - selinux is not false
+    - grub_config.stat.exists
+    - selinux_grub.rc != 0
+  register: selinux_activated
+
+- name: Reboot after SELinux activation
+  ansible.builtin.reboot:
+  when:
+    - selinux_activated is changed
+    - base_allow_reboot
+
 - name: Install GPG
   ansible.builtin.apt:
     name: gpg

roles/podman/tasks/main.yml

@@ -112,6 +112,88 @@
     loop_var: podman_user
   when: podman_login is defined
 
+- name: Stat rootless Podman directory
+  ansible.builtin.stat:
+    path: "/home/{{ compose_user.key }}/.local/share/containers"
+  loop: "{{ podman_compose | dict2items }}"
+  loop_control:
+    loop_var: compose_user
+    label: "{{ compose_user.key }}"
+  register: podman_user_containers_stat
+  when:
+    - podman_compose is defined
+    - selinux is defined
+    - selinux is not false
+
+- name: Create rootless Podman directory
+  ansible.builtin.file:
+    path: "/home/{{ item.compose_user.key }}/.local/share/containers"
+    state: directory
+    owner: "{{ item.compose_user.key }}"
+    group: "{{ item.compose_user.key }}"
+    mode: "700"
+  loop: "{{ podman_user_containers_stat.results }}"
+  loop_control:
+    label: "{{ item.compose_user.key }}"
+  when:
+    - podman_compose is defined
+    - selinux is defined
+    - selinux is not false
+    - not item.stat.exists
+
+- name: Label rootless Podman directory
+  ansible.builtin.command: >-
+    restorecon -Rv /home/{{ item.compose_user.key }}/.local/share/containers
+  loop: "{{ podman_user_containers_stat.results }}"
+  loop_control:
+    label: "/home/{{ item.compose_user.key }}/.local/share/containers"
+  changed_when: true
+  when:
+    - podman_compose is defined
+    - selinux is defined
+    - selinux is not false
+    - not item.stat.exists
+
+- name: Stat Podman label directories
+  ansible.builtin.stat:
+    path: "{{ item.path }}"
+  loop: "{{ podman_label }}"
+  register: podman_label_stat
+  loop_control:
+    label: "{{ item.path }}"
+  when:
+    - podman_label is defined
+    - selinux is defined
+    - selinux is not false
+
+- name: Create Podman label directories
+  ansible.builtin.file:
+    path: "{{ item.item.path }}"
+    owner: "{{ item.item.owner | default(omit) }}"
+    group: "{{ item.item.group | default(omit) }}"
+    mode: "{{ item.item.mode | default('700') }}"
+    state: directory
+  loop: "{{ podman_label_stat.results }}"
+  loop_control:
+    label: "{{ item.item.path }}"
+  when:
+    - podman_label is defined
+    - selinux is defined
+    - selinux is not false
+    - not item.stat.exists
+
+- name: Set labels on Podman label directories
+  ansible.builtin.command: "chcon {{ item.item.label }} {{ item.item.path }}"
+  loop: "{{ podman_label_stat.results }}"
+  changed_when: true
+  loop_control:
+    label: "{{ item.item.path }} => {{ item.item.label }}"
+  when:
+    - podman_label is defined
+    - selinux is defined
+    - selinux is not false
+    - not item.stat.exists
+
 - name: Deploy Podman compose projects for each user
   ansible.builtin.include_tasks: deploy.yml
   vars:

roles/proxy/tasks/main.yml

@@ -10,18 +10,17 @@
     state: started
     enabled: true
 
-- name: Check for cached dhparams.pem file
+- name: Check if environment is vagrant
   ansible.builtin.stat:
-    path: "{{ proxy_cached_dhparams_pem }}"
+    path: /home/vagrant
-  register: dhparams_file
+  register: vagrant_home
 
-- name: Copy cached dhparams.pem to /etc/ssl/
+- name: Download Mozilla's standard DH params (dev only)
-  ansible.builtin.copy:
+  ansible.builtin.get_url:
-    src: "{{ proxy_cached_dhparams_pem }}"
+    url: https://ssl-config.mozilla.org/ffdhe4096.txt
     dest: /etc/ssl/dhparams.pem
     mode: "600"
-    remote_src: true
+  when: vagrant_home.stat.exists
-  when: dhparams_file.stat.exists
 
 - name: Generate DH Parameters
   community.crypto.openssl_dhparam: