|
6 | 6 | vars:
|
7 | 7 | clone_directory: "{{ clone_dir | default('~/LME') }}"
|
8 | 8 | install_user: "root"
|
| 9 | + tags: ['base', 'all'] |
9 | 10 |
|
10 | 11 | tasks:
|
11 | 12 | - name: Expand clone_directory path
|
|
94 | 95 | #directories
|
95 | 96 | user_config_dir: "/root/.config/containers"
|
96 | 97 | user_secrets_conf: "/root/.config/containers/containers.conf" # Update with actual path
|
| 98 | + user_storage_conf: "/root/.config/containers/storage.conf" # Update with actual path |
| 99 | + global_storage_conf: "/etc/containers/storage.conf" # Update with actual path |
97 | 100 | config_dir: "/etc/lme"
|
98 | 101 | user_vault_dir: "/etc/lme/vault" # Update with actual path
|
99 | 102 | password_file: "/etc/lme/pass.sh"
|
| 103 | + tags: ['base', 'all'] |
100 | 104 |
|
101 | 105 | tasks:
|
102 | 106 | - name: Create Vault password
|
|
196 | 200 | store = "cat > {{ user_vault_dir }}/$SECRET_ID && chmod 700 {{ user_vault_dir }}/$SECRET_ID && ansible-vault encrypt {{ user_vault_dir }}/$SECRET_ID"
|
197 | 201 | delete = "rm {{ user_vault_dir }}/$SECRET_ID"
|
198 | 202 | mode: '0600'
|
| 203 | + - name: setup root overlay-fs usage |
| 204 | + copy: |
| 205 | + dest: "{{ user_storage_conf }}" |
| 206 | + content: | |
| 207 | + [storage] |
| 208 | + driver = "overlay" |
| 209 | +
|
| 210 | + [storage.options.overlay] |
| 211 | + mount_program = "/usr/bin/fuse-overlayfs" |
| 212 | +
|
| 213 | + mode: '0600' |
| 214 | + |
| 215 | + - name: Create /etc/containers |
| 216 | + file: |
| 217 | + path: /etc/containers/ |
| 218 | + state: directory |
| 219 | + owner: "root" |
| 220 | + group: "root" |
| 221 | + mode: '0744' |
| 222 | + |
| 223 | + - name: setup global overlay-fs usage |
| 224 | + copy: |
| 225 | + dest: "{{ global_storage_conf }}" |
| 226 | + content: | |
| 227 | + [storage] |
| 228 | + driver = "overlay" |
| 229 | + runroot = "/run/containers/storage" |
| 230 | + graphroot = "/var/lib/containers/storage" |
| 231 | +
|
| 232 | + [storage.options.overlay] |
| 233 | + mount_program = "/usr/bin/fuse-overlayfs" |
| 234 | +
|
| 235 | + mode: '0600' |
199 | 236 |
|
200 | 237 | - name: Setup Nix
|
201 | 238 | hosts: localhost
|
202 | 239 | connection: local
|
203 |
| - become: no # Default to no privilege escalation |
| 240 | + become: no |
204 | 241 | vars:
|
205 | 242 | clone_directory: "{{ clone_dir | default('~/LME') }}"
|
206 | 243 | install_user: "{{ ansible_user_id }}"
|
| 244 | + tags: ['base', 'all'] |
207 | 245 | tasks:
|
208 |
| - |
209 | 246 | - name: Update apt cache
|
210 | 247 | apt:
|
211 | 248 | update_cache: yes
|
|
219 | 256 | - nix-bin
|
220 | 257 | - nix-setup-systemd
|
221 | 258 | - python3-pexpect
|
| 259 | + - fuse-overlayfs |
222 | 260 | state: present
|
223 | 261 | become: yes
|
224 | 262 |
|
|
237 | 275 | append: yes
|
238 | 276 | become: yes
|
239 | 277 |
|
240 |
| - - name: Restart Nix daemon |
241 |
| - command: systemctl restart nix-daemon |
242 |
| - become: yes |
243 |
| - |
244 | 278 | - name: Update PATH for Ansible execution
|
245 | 279 | set_fact:
|
246 | 280 | ansible_env: "{{ ansible_env | combine({'PATH': ansible_env.PATH ~ ':/nix/var/nix/profiles/default/bin'}) }}"
|
|
258 | 292 | create: yes
|
259 | 293 | become: yes
|
260 | 294 |
|
| 295 | + - name: Update PATH in user's bashrc |
| 296 | + lineinfile: |
| 297 | + path: "~/.bashrc" |
| 298 | + line: 'export PATH=$PATH:/nix/var/nix/profiles/default/bin' |
| 299 | + create: yes |
| 300 | + |
| 301 | + - name: Update PATH in root's bashrc |
| 302 | + lineinfile: |
| 303 | + path: "/root/.bashrc" |
| 304 | + line: 'export PATH=$PATH:/nix/var/nix/profiles/default/bin' |
| 305 | + create: yes |
| 306 | + become: yes |
| 307 | + |
| 308 | +- name: Setup Podman |
| 309 | + hosts: localhost |
| 310 | + connection: local |
| 311 | + become: no |
| 312 | + vars: |
| 313 | + clone_directory: "{{ clone_dir | default('~/LME') }}" |
| 314 | + install_user: "{{ ansible_user_id }}" |
| 315 | + tags: ['system', 'all'] |
| 316 | + |
| 317 | + handlers: |
| 318 | + - name: restart nix-daemon |
| 319 | + systemd: |
| 320 | + name: nix-daemon |
| 321 | + state: restarted |
| 322 | + daemon_reload: yes |
| 323 | + become: yes |
| 324 | + |
| 325 | + tasks: |
| 326 | + - name: Ensure Nix daemon is running |
| 327 | + systemd: |
| 328 | + name: nix-daemon |
| 329 | + state: started |
| 330 | + enabled: yes |
| 331 | + become: yes |
| 332 | + notify: restart nix-daemon |
| 333 | + |
| 334 | + - name: Wait for Nix daemon to be ready |
| 335 | + wait_for: |
| 336 | + timeout: 10 |
| 337 | + when: ansible_play_hosts_all.index(inventory_hostname) == 0 |
| 338 | + |
261 | 339 | - name: Install Podman using Nix
|
262 | 340 | command: nix-env -iA nixpkgs.podman
|
263 | 341 | become: yes
|
264 | 342 | environment:
|
265 | 343 | PATH: "{{ ansible_env.PATH }}"
|
| 344 | + register: podman_install |
| 345 | + retries: 3 |
| 346 | + delay: 5 |
| 347 | + until: podman_install is not failed |
266 | 348 |
|
267 | 349 | - name: Set sysctl limits
|
268 | 350 | command: "{{ clone_directory }}/scripts/set_sysctl_limits.sh"
|
|
280 | 362 | become: no # Default to no privilege escalation
|
281 | 363 | vars:
|
282 | 364 | clone_directory: "{{ clone_dir | default('~/LME') }}"
|
| 365 | + tags: ['system', 'all'] |
283 | 366 | tasks:
|
284 | 367 | #maybe check for each in the shell script below?
|
285 | 368 | - name: Register a variable, ignore errors and continue
|
|
318 | 401 | vars:
|
319 | 402 | clone_directory: "{{ clone_dir | default('~/LME') }}"
|
320 | 403 | install_user: "{{ ansible_user_id }}"
|
| 404 | + tags: ['system', 'all'] |
321 | 405 | tasks:
|
322 | 406 | - name: Enable linger for user
|
323 | 407 | command: "loginctl enable-linger {{ install_user }}"
|
|
367 | 451 | - name: Setup Containers for root
|
368 | 452 | hosts: localhost
|
369 | 453 | connection: local
|
370 |
| - become: no # Default to no privilege escalation |
| 454 | + become: no |
371 | 455 | vars:
|
372 | 456 | clone_directory: "{{ clone_dir | default('~/LME') }}"
|
| 457 | + tags: ['system', 'all'] |
373 | 458 | tasks:
|
374 |
| - |
375 | 459 | - name: Add Container Image policy file
|
376 | 460 | copy:
|
377 | 461 | content: |
|
|
386 | 470 | become: yes
|
387 | 471 |
|
388 | 472 | - name: Pull containers
|
389 |
| - command: "podman pull {{ item }}" |
| 473 | + shell: | |
| 474 | + export PATH=$PATH:/nix/var/nix/profiles/default/bin |
| 475 | + podman pull {{ item }} |
| 476 | + args: |
| 477 | + executable: /bin/bash |
390 | 478 | loop: "{{ lookup('file', clone_directory + '/config/containers.txt').splitlines() }}"
|
391 |
| - environment: |
392 |
| - PATH: "{{ ansible_env.PATH }}" |
393 | 479 | become: yes
|
394 | 480 |
|
395 | 481 | - name: Tag containers
|
396 |
| - command: "podman image tag {{ item }} {{ item.split('/')[-1].split(':')[0] }}:LME_LATEST" |
| 482 | + shell: | |
| 483 | + export PATH=$PATH:/nix/var/nix/profiles/default/bin |
| 484 | + podman image tag {{ item }} {{ item.split('/')[-1].split(':')[0] }}:LME_LATEST |
| 485 | + args: |
| 486 | + executable: /bin/bash |
397 | 487 | loop: "{{ lookup('file', clone_directory + '/config/containers.txt').splitlines() }}"
|
398 |
| - environment: |
399 |
| - PATH: "{{ ansible_env.PATH }}" |
400 | 488 | become: yes
|
401 | 489 |
|
402 | 490 | - name: Start lme.service
|
403 | 491 | hosts: localhost
|
404 | 492 | connection: local
|
405 | 493 | become: yes # Default to no privilege escalation
|
| 494 | + tags: ['system', 'all'] |
406 | 495 | tasks:
|
407 | 496 | - name: Reload systemd daemon
|
408 | 497 | systemd:
|
|