Skip to content

Instantly share code, notes, and snippets.

@Alevsk
Created September 4, 2023 18:15
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
This Website Is No Longer Running As The Root User: Replacing Docker With Podman
- hosts: "{{ HOSTS }}"
name: Install and configure podman and podman-compose
become: yes
tasks:
- name: Installing podman and podman-compose
ansible.builtin.apt:
name:
- podman
- podman-compose
state: latest
update_cache: true
- name: Enable systemctl podman-restart
ansible.builtin.systemd:
name: podman-restart
enabled: yes
state: started
daemon_reload: true
- name: Allow podman to pull images from docker.io registry
ansible.builtin.blockinfile:
path: "/etc/containers/registries.conf"
backup: yes
state: present
create: yes
block: |
unqualified-search-registries = ["docker.io"]
- name: Enable systemctl podman.socket for user
become: no
ansible.builtin.systemd:
name: podman.socket
enabled: yes
scope: user
state: started
daemon_reload: true
- name: Copy podman-restart.service to user systemd folder
become: no
ansible.builtin.copy:
src: "/lib/systemd/system/podman-restart.service"
dest: "/home/{{ ansible_user }}/.config/systemd/user/"
- name: Enable systemctl podman-restart for user
become: no
ansible.builtin.systemd:
name: podman-restart
enabled: yes
scope: user
state: started
daemon_reload: true
- name: Check if user is lingering
stat:
path: "/var/lib/systemd/linger/{{ ansible_user }}"
register: user_lingering
- name: Enable lingering is needed
command: "loginctl enable-linger {{ ansible_user }}"
when: not user_lingering.stat.exists
- hosts: "{{ HOSTS }}"
name: Configure iptables for web server
become: yes
tasks:
- name: Install iptables-persistent
ansible.builtin.apt:
name:
- iptables-persistent
state: latest
update_cache: true
- name: Start and enable persistent iptables service
ansible.builtin.systemd:
name: netfilter-persistent
enabled: yes
state: started
- name: Port forward from port 80 to port 8080
ansible.builtin.iptables:
table: nat
chain: PREROUTING
in_interface: eth0
protocol: tcp
match: tcp
destination_port: 80
jump: REDIRECT
to_ports: 8080
comment: Redirect web traffic to port 8080
- name: Port forward from port 443 to port 8443
ansible.builtin.iptables:
table: nat
chain: PREROUTING
in_interface: eth0
protocol: tcp
match: tcp
destination_port: 443
jump: REDIRECT
to_ports: 8443
comment: Redirect web traffic to port 8443
- name: Port forward from port 81 to port 8081
ansible.builtin.iptables:
table: nat
chain: PREROUTING
in_interface: eth0
protocol: tcp
match: tcp
destination_port: 81
jump: REDIRECT
to_ports: 8081
comment: Redirect web traffic to port 8081
- name: Save current state of the firewall in system file
community.general.iptables_state:
state: saved
path: /etc/iptables/rules.v4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment