Move unit content to files/templates

Socket activation - preserve src ip
gitea: SSH port fix
2026-05-06 13:36:30 +03:00 · 2026-05-06 13:32:39 +03:00 · 2026-03-04 14:44:06 +02:00 · 2026-02-04 14:07:26 +02:00
6 changed files with 97 additions and 33 deletions
--- a/roles/infra/files/http.socket
+++ b/roles/infra/files/http.socket
@@ -0,0 +1,7 @@
 [Socket]
 ListenStream=80
 FileDescriptorName=http
 Service=traefik.service
 [Install]
 WantedBy=sockets.target
--- a/roles/infra/files/https.socket
+++ b/roles/infra/files/https.socket
@@ -0,0 +1,7 @@
 [Socket]
 ListenStream=443
 FileDescriptorName=https
 Service=traefik.service
 [Install]
 WantedBy=sockets.target
--- a/roles/infra/tasks/git.yml
+++ b/roles/infra/tasks/git.yml
@@ -22,7 +22,7 @@
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
-      - "222:22"
+      - "222:222"
    generate_systemd:
      new: true
      restart_policy: "always"
--- a/roles/infra/tasks/traefik.yml
+++ b/roles/infra/tasks/traefik.yml
@@ -2,6 +2,18 @@
 ---
 # tasks file for traefik
 - name: Create systemd user directory
  ansible.builtin.file:
    path: ~/.config/systemd/user
    state: directory
    mode: "0755"
 - name: Create podman quadlet directory
  ansible.builtin.file:
    path: ~/.config/containers/systemd
    state: directory
    mode: "0755"
 - name: Create acme file
  ansible.builtin.file:
    path: "~/{{ infra_acme.storage }}"
@@ -15,40 +27,54 @@
    enabled: true
    scope: user
- name: Create main traefik container
+- name: Stop legacy generated traefik service
  containers.podman.podman_container:
    name: traefik
    image: docker.io/library/traefik:latest
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    network:
      - podman
    security_opt:
      - "label=type:container_runtime_t"
    volumes:
      - "/run/user/1000/podman/podman.sock:/var/run/docker.sock:z"
      - "/home/apps/acme.json:/acme.json:z"
    command: >-
      --api.dashboard=true
      --api.insecure=true
      --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }}
      --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }}
      --certificatesresolvers.lets-encrypt.acme.tlschallenge=true
      --entrypoints.http.address=:80
      --entrypoints.http.http.redirections.entryPoint.to=https
      --entrypoints.http.http.redirections.entryPoint.scheme=https
      --entrypoints.https.address=:443
      --providers.docker=true
    generate_systemd:
      new: true
      restart_policy: "always"
      path: "~/.config/systemd/user/"
 - name: Activate traefik container service
  ansible.builtin.systemd_service:
    name: container-traefik.service
    state: stopped
    enabled: false
    scope: user
  failed_when: false
 - name: Remove legacy generated traefik service
  ansible.builtin.file:
    path: ~/.config/systemd/user/container-traefik.service
    state: absent
 - name: Install traefik http socket
  ansible.builtin.copy:
    src: http.socket
    dest: ~/.config/systemd/user/http.socket
    mode: "0644"
 - name: Install traefik https socket
  ansible.builtin.copy:
    src: https.socket
    dest: ~/.config/systemd/user/https.socket
    mode: "0644"
 - name: Install traefik quadlet
  ansible.builtin.template:
    src: traefik.container.j2
    dest: ~/.config/containers/systemd/traefik.container
    mode: "0644"
 - name: Reload systemd user units
  ansible.builtin.systemd_service:
    daemon_reload: true
    scope: user
 - name: Activate traefik sockets
  ansible.builtin.systemd_service:
    name: "{{ item }}"
    state: started
    enabled: true
    scope: user
  loop:
    - http.socket
    - https.socket
 - name: Activate traefik service
  ansible.builtin.systemd_service:
    name: traefik.service
    state: started
    scope: user
--- a/roles/infra/templates/traefik.container.j2
+++ b/roles/infra/templates/traefik.container.j2
@@ -0,0 +1,18 @@
 [Unit]
 After=podman.socket http.socket https.socket
 Requires=podman.socket http.socket https.socket
 [Service]
 Sockets=http.socket https.socket
 Restart=always
 [Container]
 ContainerName=traefik
 Image=docker.io/library/traefik:latest
 Exec=--api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https --providers.docker=true
 Network=podman
 Notify=true
 PublishPort=8080:8080
 SecurityLabelDisable=true
 Volume=%t/podman/podman.sock:/var/run/docker.sock
 Volume=%h/{{ infra_acme.storage }}:/{{ infra_acme.storage }}:Z
--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
@@ -6,6 +6,12 @@
  ansible.builtin.dnf:
    name: "{{ dnf_packages }}"
 - name: Enable autoupdate timer
  ansible.builtin.systemd:
    name: dnf-automatic.timer
    enabled: true
    state: started
 - name: Enable firewalld
  ansible.builtin.systemd:
    name: firewalld
Author	SHA1	Message	Date
Simonas Kareiva	228d9ea8a8	Move unit content to files/templates	2026-05-06 13:36:30 +03:00
Simonas Kareiva	d5b1d991ae	Socket activation - preserve src ip	2026-05-06 13:32:39 +03:00
Simonas Kareiva	e4acfcec47	gitea: SSH port fix	2026-03-04 14:44:06 +02:00
Simonas Kareiva	c644788275	Add dnf automatic updates	2026-02-04 14:07:26 +02:00