move to secrets, add pasta configuration

ansible/roles/services/files/bookstack/bookstack-db.container

@@ -0,0 +1,16 @@
+[Unit]
+Description=Bookstack database
+
+[Container]
+ContainerName=bookstack-db
+Image=lscr.io/linuxserver/mariadb:11.4.5
+Volume=/var/vol/bookstack/db:/config:Z
+Environment=PUID=1000
+Environment=PGID=1000
+Environment=TZ=Europe/Berlin
+Secret=mysql_root_pw,type=env,target=MYSQL_ROOT_PASSWORD
+Secret=mysql_database,type=env,target=MYSQL_DATABASE
+Secret=mysql_user,type=env,target=MYSQL_USER
+Secret=mysql_pw,type=env,target=MYSQL_PASSWORD
+AutoUpdate=registry
+Pod=bookstack.pod

ansible/roles/services/files/bookstack/bookstack-srv.container

@@ -12,11 +12,11 @@ Environment=APP_URL=https://bookstack.rohrschacht.de
 # APP_KEY must be a unique key. Generate your own by running
 # docker run -it --rm --entrypoint /bin/bash lscr.io/linuxserver/bookstack:latest appkey
 # You should keep the "base64:" part for the option value.
-Environment=APP_KEY={{ service_secrets.bookstack.app_key }}
+Secret=app_key,type=env,target=APP_KEY
 Environment=DB_HOST=127.0.0.1
 Environment=DB_PORT=3306
-Environment=DB_DATABASE={{ service_secrets.bookstack.mysql_database }}
-Environment=DB_USERNAME={{ service_secrets.bookstack.mysql_user }}
-Environment=DB_PASSWORD={{ service_secrets.bookstack.mysql_pw }}
+Secret=mysql_database,type=env,target=DB_DATABASE
+Secret=mysql_user,type=env,target=DB_USERNAME
+Secret=mysql_pw,type=env,target=DB_PASSWORD
 AutoUpdate=registry
 Pod=bookstack.pod

ansible/roles/services/files/gitea/gitea-db.container

@@ -7,7 +7,7 @@ Image=docker.io/postgres:14
 Volume=/var/vol/gitea/db:/var/lib/postgresql/data:Z
 Environment=LANG=en_US.utf8
 Environment=PGDATA=/var/lib/postgresql/data/pgdata
-Environment=POSTGRES_USER={{ service_secrets.gitea.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.gitea.pg_pw }}
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=gitea.pod

ansible/roles/services/files/gitea/gitea-srv.container

@@ -9,8 +9,8 @@ Environment=USER_UID=1000
 Environment=USER_GID=1000
 Environment=GITEA__database__DB_TYPE=postgres
 Environment=GITEA__database__DB_HOST=127.0.0.1:5432
-Environment=GITEA__database__DB_NAME={{ service_secrets.gitea.pg_db }}
-Environment=GITEA__database__DB_USER={{ service_secrets.gitea.pg_user }}
-Environment=GITEA__database__DB_PASSWD={{ service_secrets.gitea.pg_pw }}
+Secret=pg_db,type=env,target=GITEA__database__DB_NAME
+Secret=pg_user,type=env,target=GITEA__database__DB_USER
+Secret=pg_pw,type=env,target=GITEA__database__DB_PASSWD
 AutoUpdate=registry
 Pod=gitea.pod

ansible/roles/services/files/nextcloud/nextcloud-db.container

@@ -7,7 +7,7 @@ Image=docker.io/postgres:12
 Volume=/var/vol/nextcloud/db:/var/lib/postgresql/data:Z
 Environment=LANG=en_US.utf8
 Environment=PGDATA=/var/lib/postgresql/data/pgdata
-Environment=POSTGRES_USER={{ service_secrets.nextcloud.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.nextcloud.pg_pw }}
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=nextcloud.pod

ansible/roles/services/files/nextcloud/nextcloud-srv.container

@@ -9,8 +9,8 @@ Environment=USER_UID=1000
 Environment=USER_GID=1000
 Environment=PHP_MEMORY_LIMIT=4G
 Environment=POSTGRES_HOST=127.0.0.1:5432
-Environment=POSTGRES_DB={{ service_secrets.nextcloud.pg_db }}
-Environment=POSTGRES_USER={{ service_secrets.nextcloud.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.nextcloud.pg_pw }}
+Secret=pg_db,type=env,target=POSTGRES_DB
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=nextcloud.pod

ansible/roles/services/files/paperless/paperless-db.container

@@ -6,8 +6,8 @@ ContainerName=paperless-db
 Image=docker.io/postgres:17
 Volume=/var/vol/paperless/db:/var/lib/postgresql/data:Z
 Environment=LANG=en_US.utf8
-Environment=POSTGRES_DB={{ service_secrets.paperless.pg_db }}
-Environment=POSTGRES_USER={{ service_secrets.paperless.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.paperless.pg_pw }}
+Secret=pg_db,type=env,target=POSTGRES_DB
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=paperless.pod

ansible/roles/services/files/paperless/paperless-srv.container

@@ -9,16 +9,16 @@ Volume=/var/vol/paperless/media:/usr/src/paperless/media:Z
 Volume=/var/vol/paperless/export:/usr/src/paperless/export:Z
 Volume=/var/vol/paperless/consume:/usr/src/paperless/consume:Z
 Environment=PAPERLESS_URL=https://paperless.rohrschacht.de
-Environment=PAPERLESS_SECRET_KEY={{ service_secrets.paperless.secret_key }}
+Secret=secret_key,type=env,target=PAPERLESS_SECRET_KEY
 Environment=PAPERLESS_TIME_ZONE=Europe/Berlin
 Environment=PAPERLESS_OCR_LANGUAGE=deu
 Environment=PAPERLESS_OCR_LANGUAGES=eng
-Environment=PAPERLESS_ADMIN_USER={{ service_secrets.paperless.admin_user }}
-Environment=PAPERLESS_ADMIN_PASSWORD={{ service_secrets.paperless.admin_pw }}
+Secret=admin_user,type=env,target=PAPERLESS_ADMIN_USER
+Secret=admin_pw,type=env,target=PAPERLESS_ADMIN_PASSWORD
 Environment=PAPERLESS_REDIS=redis://127.0.0.1:6379
 Environment=PAPERLESS_DBHOST=127.0.0.1
-Environment=PAPERLESS_DBNAME={{ service_secrets.paperless.pg_db }}
-Environment=PAPERLESS_DBUSER={{ service_secrets.paperless.pg_user }}
-Environment=PAPERLESS_DBPASS={{ service_secrets.paperless.pg_pw }}
+Secret=pg_db,type=env,target=PAPERLESS_DBNAME
+Secret=pg_user,type=env,target=PAPERLESS_DBUSER
+Secret=pg_pw,type=env,target=PAPERLESS_DBPASS
 AutoUpdate=registry
 Pod=paperless.pod

ansible/roles/services/files/sgnarva/sgnarva-db.container

@@ -0,0 +1,13 @@
+[Unit]
+Description=SGNarva Wordpress database
+
+[Container]
+ContainerName=sgnarva-db
+Image=docker.io/mysql:8
+Volume=/var/vol/sgnarva/sgnarvadb:/var/lib/mysql:Z
+Secret=mysql_root_pw,type=env,target=MYSQL_ROOT_PASSWORD
+Secret=mysql_db,type=env,target=MYSQL_DATABASE
+Secret=mysql_user,type=env,target=MYSQL_USER
+Secret=mysql_pw,type=env,target=MYSQL_PASSWORD
+AutoUpdate=registry
+Pod=sgnarva.pod

ansible/roles/services/tasks/copy_quadlet_files.yml

@@ -8,14 +8,14 @@
     mode: '0755'
 
 - name: Copy Quadlet files to the user's systemd directory
-  with_fileglob: "../templates/{{ service_name }}/*.j2"
+  with_fileglob: "{{ service_name }}/*"
   loop_control:
-    loop_var: template_path
-  ansible.builtin.template:
-    src: "{{ template_path }}"
-    dest: "/home/{{ service_name }}/.config/containers/systemd/{{ template_path | basename | regex_replace('.j2', '') }}"
+    label: "{{ file_path | basename }}"
+    loop_var: file_path
+  ansible.builtin.copy:
+    src: "{{ file_path }}"
+    dest: "/home/{{ service_name }}/.config/containers/systemd/{{ file_path | basename }}"
     owner: "{{ service_name }}"
     group: "{{ service_name }}"
     mode: '0644'
-    remote_src: no
   register: quadlet_files_copied

ansible/roles/services/tasks/create_containers_conf.yml

@@ -0,0 +1,22 @@
+---
+- name: Remove pasta configuration if setting is off
+  ansible.builtin.file:
+    path: "/home/{{ service_name }}/.config/containers/containers.conf"
+    state: absent
+  when: enable_pasta_config is not defined or not enable_pasta_config
+
+- name: Ensure configuration path
+  ansible.builtin.file:
+    path: "/home/{{ service_name }}/.config/containers"
+    state: directory
+    owner: "{{ service_name }}"
+    group: "{{ service_name }}"
+    mode: '0755'
+  when: enable_pasta_config is defined and enable_pasta_config
+- name: Create pasta configuration
+  ansible.builtin.copy:
+    dest: "/home/{{ service_name }}/.config/containers/containers.conf"
+    content: |
+      [network]
+      pasta_options = ["-a", "10.0.2.0", "-n", "24", "-g", "10.0.2.2", "--dns-forward", "10.0.2.3"]
+  when: enable_pasta_config is defined and enable_pasta_config

ansible/roles/services/tasks/create_service_directories.yml

@@ -4,6 +4,7 @@
     path: "{{ btrfs_base_path }}/{{ service_name }}/{{ service_dir }}"
   loop: "{{ service_directories }}"
   loop_control:
+    label: "{{ service_name }}/{{ service_dir }}"
     loop_var: service_dir
   register: directory_stats
 

ansible/roles/services/tasks/enable_service.yml

@@ -1,6 +1,21 @@
+- name: Check if podman socket is active
+  ansible.builtin.command:
+    cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active podman.socket' | grep -qv inactive"
+  become: yes
+  register: podman_socket_status
+  ignore_errors: yes
+  changed_when: false
+
+- name: Enable and start the podman socket if not active
+  ansible.builtin.command:
+    cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user enable --now podman.socket'"
+  become: yes
+  when: podman_socket_status.rc != 0
+
 - name: Check if service is already running
   ansible.builtin.command:
     cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active {{ systemd_service_name }}' | grep -qv inactive"
+  become: yes
   register: service_status
   ignore_errors: yes
   changed_when: false
@@ -16,3 +31,17 @@
     cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user daemon-reload && systemctl --user restart {{ systemd_service_name }}'"
   become: yes
   when: service_status.rc == 0 and (quadlet_files_copied.changed or force_systemd_restart)
+
+- name: Check if podman auto updater timer is active
+  ansible.builtin.command:
+    cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active podman-auto-update.timer' | grep -qv inactive"
+  become: yes
+  register: podman_auto_update_timer_status
+  ignore_errors: yes
+  changed_when: false
+
+- name: Enable and start the podman auto updater timer if not active
+  ansible.builtin.command:
+    cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user enable --now podman-auto-update.timer'"
+  become: yes
+  when: podman_auto_update_timer_status.rc != 0

ansible/roles/services/tasks/main.yml

@@ -4,6 +4,8 @@
 
 - name: Create users
   loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   include_tasks: create_user.yml
   vars:
     service_name: "{{ item.key }}"
@@ -16,32 +18,58 @@
 
 - name: Create Btrfs subvolume
   loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   include_tasks: create_btrfs_subvolume.yml
   vars:
     service_name: "{{ item.key }}"
 
 - name: Create service directories
   loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   include_tasks: create_service_directories.yml
   when: " item.value.service_directories is defined and item.value.service_directories | length > 0"
   vars:
     service_name: "{{ item.key }}"
     service_directories: "{{ item.value.service_directories }}"
 
+- name: Pasta configuration
+  loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  include_tasks: create_containers_conf.yml
+  vars:
+    service_name: "{{ item.key }}"
+
 - name: Enable linger for the user
   loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   include_tasks: enable_linger.yml
   vars:
     service_name: "{{ item.key }}"
 
+- name: Install Secrets
+  loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  include_tasks: secrets.yml
+  vars:
+    service_name: "{{ item.key }}"
+
 - name: Copy Quadlet files
   loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   include_tasks: copy_quadlet_files.yml
   vars:
     service_name: "{{ item.key }}"
 
 - name: Enable and start main service
   loop: "{{ services | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   include_tasks: enable_service.yml
   vars:
     service_name: "{{ item.key }}"

ansible/roles/services/tasks/secrets.yml

@@ -0,0 +1,11 @@
+- name: Install Secrets
+  become: true
+  become_user: "{{ service_name }}"
+  containers.podman.podman_secret:
+    name: "{{ secret.key }}"
+    state: present
+    data: "{{ secret.value }}"
+  loop: "{{ service_secrets.get(service_name) | default({}, true) | dict2items }}"
+  loop_control:
+    label: "{{ secret.key }}"
+    loop_var: secret

ansible/roles/services/templates/bookstack/bookstack-db.container.j2

@@ -1,16 +0,0 @@
-[Unit]
-Description=Bookstack database
-
-[Container]
-ContainerName=bookstack-db
-Image=lscr.io/linuxserver/mariadb:11.4.5
-Volume=/var/vol/bookstack/db:/config:Z
-Environment=PUID=1000
-Environment=PGID=1000
-Environment=TZ=Europe/Berlin
-Environment=MYSQL_ROOT_PASSWORD={{ service_secrets.bookstack.mysql_root_pw }}
-Environment=MYSQL_DATABASE={{ service_secrets.bookstack.mysql_database }}
-Environment=MYSQL_USER={{ service_secrets.bookstack.mysql_user }}
-Environment=MYSQL_PASSWORD={{ service_secrets.bookstack.mysql_pw }}
-AutoUpdate=registry
-Pod=bookstack.pod

ansible/roles/services/templates/sgnarva/sgnarva-db.container.j2

@@ -1,13 +0,0 @@
-[Unit]
-Description=SGNarva Wordpress database
-
-[Container]
-ContainerName=sgnarva-db
-Image=docker.io/mysql:8
-Volume=/var/vol/sgnarva/sgnarvadb:/var/lib/mysql:Z
-Environment=MYSQL_ROOT_PASSWORD={{ service_secrets.sgnarva.mysql_root_pw }}
-Environment=MYSQL_DATABASE={{ service_secrets.sgnarva.mysql_db }}
-Environment=MYSQL_USER={{ service_secrets.sgnarva.mysql_user }}
-Environment=MYSQL_PASSWORD={{ service_secrets.sgnarva.mysql_pw }}
-AutoUpdate=registry
-Pod=sgnarva.pod