Created
September 4, 2023 18:15
-
-
Save Alevsk/7ccff731d08281655b78d2505a2a1a39 to your computer and use it in GitHub Desktop.
This Website Is No Longer Running As The Root User: Replacing Docker With Podman
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - hosts: "{{ HOSTS }}" | |
| name: Install and configure podman and podman-compose | |
| become: yes | |
| tasks: | |
| - name: Installing podman and podman-compose | |
| ansible.builtin.apt: | |
| name: | |
| - podman | |
| - podman-compose | |
| state: latest | |
| update_cache: true | |
| - name: Enable systemctl podman-restart | |
| ansible.builtin.systemd: | |
| name: podman-restart | |
| enabled: yes | |
| state: started | |
| daemon_reload: true | |
| - name: Allow podman to pull images from docker.io registry | |
| ansible.builtin.blockinfile: | |
| path: "/etc/containers/registries.conf" | |
| backup: yes | |
| state: present | |
| create: yes | |
| block: | | |
| unqualified-search-registries = ["docker.io"] | |
| - name: Enable systemctl podman.socket for user | |
| become: no | |
| ansible.builtin.systemd: | |
| name: podman.socket | |
| enabled: yes | |
| scope: user | |
| state: started | |
| daemon_reload: true | |
| - name: Copy podman-restart.service to user systemd folder | |
| become: no | |
| ansible.builtin.copy: | |
| src: "/lib/systemd/system/podman-restart.service" | |
| dest: "/home/{{ ansible_user }}/.config/systemd/user/" | |
| - name: Enable systemctl podman-restart for user | |
| become: no | |
| ansible.builtin.systemd: | |
| name: podman-restart | |
| enabled: yes | |
| scope: user | |
| state: started | |
| daemon_reload: true | |
| - name: Check if user is lingering | |
| stat: | |
| path: "/var/lib/systemd/linger/{{ ansible_user }}" | |
| register: user_lingering | |
| - name: Enable lingering is needed | |
| command: "loginctl enable-linger {{ ansible_user }}" | |
| when: not user_lingering.stat.exists |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - hosts: "{{ HOSTS }}" | |
| name: Configure iptables for web server | |
| become: yes | |
| tasks: | |
| - name: Install iptables-persistent | |
| ansible.builtin.apt: | |
| name: | |
| - iptables-persistent | |
| state: latest | |
| update_cache: true | |
| - name: Start and enable persistent iptables service | |
| ansible.builtin.systemd: | |
| name: netfilter-persistent | |
| enabled: yes | |
| state: started | |
| - name: Port forward from port 80 to port 8080 | |
| ansible.builtin.iptables: | |
| table: nat | |
| chain: PREROUTING | |
| in_interface: eth0 | |
| protocol: tcp | |
| match: tcp | |
| destination_port: 80 | |
| jump: REDIRECT | |
| to_ports: 8080 | |
| comment: Redirect web traffic to port 8080 | |
| - name: Port forward from port 443 to port 8443 | |
| ansible.builtin.iptables: | |
| table: nat | |
| chain: PREROUTING | |
| in_interface: eth0 | |
| protocol: tcp | |
| match: tcp | |
| destination_port: 443 | |
| jump: REDIRECT | |
| to_ports: 8443 | |
| comment: Redirect web traffic to port 8443 | |
| - name: Port forward from port 81 to port 8081 | |
| ansible.builtin.iptables: | |
| table: nat | |
| chain: PREROUTING | |
| in_interface: eth0 | |
| protocol: tcp | |
| match: tcp | |
| destination_port: 81 | |
| jump: REDIRECT | |
| to_ports: 8081 | |
| comment: Redirect web traffic to port 8081 | |
| - name: Save current state of the firewall in system file | |
| community.general.iptables_state: | |
| state: saved | |
| path: /etc/iptables/rules.v4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment