toallab-automation/roles/ikke_t.podman_container_systemd/tasks/main.yml
---
# Record whether the unit file is already present before any template runs.
# The "running" and "absent" branches below read this fact to decide between
# a fresh start, a restart on change, and cleanup.
- name: check if service file exists already
  register: service_file_before_template
  stat:
    path: '{{ service_files_dir }}/{{ service_name }}'
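# Bring the container (single image) or pod (image list) up as a systemd unit.
# The whole block is gated on container_state == "running".
- name: do tasks when "{{ service_name }}" state is "running"
  when: container_state == "running"
  block:
    - name: ensure podman is installed
      package:
        name: podman
        state: present
      when: not skip_podman_install

    - name: check user exists
      user:
        name: "{{ container_run_as_user }}"

    # Rootless podman needs a subordinate uid/gid range for the run-as user.
    # The two check-mode lineinfile tasks only probe /etc/subuid and
    # /etc/subgid and register the outcome; they write nothing.
    # NOTE(review): "missing" is derived from `.changed` of a check-mode
    # backrefs rewrite — confirm this still reports changed for a missing
    # entry on the Ansible version in use.
    - name: check if user is in subuid file
      lineinfile:
        line: '\1'
        path: /etc/subuid
        regexp: "^({{ container_run_as_user }}:.*)"
        backrefs: true
      check_mode: true
      register: uid_has
      ignore_errors: true  # tolerated (e.g. no /etc/subuid yet); the file is created below
      when: container_run_as_user != 'root'

    - name: check if group is in subgid file
      lineinfile:
        line: '\1'
        path: /etc/subgid
        regexp: "^({{ container_run_as_group }}:.*)"
        backrefs: true
      check_mode: true
      register: gid_has
      ignore_errors: true  # tolerated (e.g. no /etc/subgid yet); the file is created below
      when: container_run_as_group != 'root'

    # NOTE(review): every user this role is run for receives the same
    # 305536:65536 range; if more than one rootless user is managed on one
    # host their ranges overlap. Confirm against the role's intended usage.
    - name: ensure user is in subuid file, if it was missing
      lineinfile:
        path: /etc/subuid
        regexp: "^{{ container_run_as_user }}:.*"
        line: "{{ container_run_as_user }}:305536:65536"
        create: true
        mode: '0644'
        owner: root
        group: root
      when: uid_has.changed and container_run_as_user != 'root'

    - name: ensure group is in subgid file, if it was missing
      lineinfile:
        path: /etc/subgid
        regexp: "^{{ container_run_as_group }}:.*"
        line: "{{ container_run_as_group }}:305536:65536"
        create: true
        mode: '0644'
        owner: root
        group: root
      when: gid_has.changed and container_run_as_group != 'root'

    # Single-image refresh: the image ID is read before and after the pull and
    # a difference triggers a restart. podman cannot be driven through sudo for
    # non-root users, so this pre/post comparison is root-only:
    # https://github.com/containers/libpod/issues/5570
    # argv is used instead of a command string so each element (notably the
    # image reference) reaches podman verbatim, without shlex word splitting.
    # The doubled braces render to the Go template '{{.Id}}' after Jinja.
    - name: running single container, get image Id if it exists and we are root
      command:
        argv:
          - podman
          - image
          - inspect
          - '-f'
          - "{{ '{{' }}.Id{{ '}}' }}"
          - "{{ container_image }}"
      register: pre_pull_id
      ignore_errors: true  # the image may not be present locally yet
      when: container_image is defined and container_run_as_user == 'root'

    # The `when` guard makes become_user effectively root here.
    - name: running single container, ensure we have up to date container image
      command:
        argv:
          - podman
          - pull
          - "{{ container_image }}"
      become: true
      become_user: "{{ container_run_as_user }}"
      when: container_image is defined and container_run_as_user == 'root'

    - name: running single container, get image Id if it exists
      command:
        argv:
          - podman
          - image
          - inspect
          - '-f'
          - "{{ '{{' }}.Id{{ '}}' }}"
          - "{{ container_image }}"
      become: true
      become_user: "{{ container_run_as_user }}"
      register: post_pull_id
      when: container_image is defined and container_run_as_user == 'root'

    # Conditions are ANDed in order; `is succeeded` is checked before the
    # stdout comparison so a failed inspect never feeds the comparison.
    - name: force restart after image change
      debug:
        msg: "image has changed"
      changed_when: true
      notify: restart service
      when:
        - container_run_as_user == 'root'
        - container_image is defined
        - pre_pull_id is succeeded
        - pre_pull_id.stdout != post_pull_id.stdout
      # XXX remove above comparison if future podman tells image changed.

    - name: seems we use several container images, ensure all are up to date
      command:
        argv:
          - podman
          - pull
          - "{{ item }}"
      become: true
      become_user: "{{ container_run_as_user }}"
      loop: "{{ container_image_list }}"
      when: container_image_list is defined

    - name: if running pod, ensure configuration file exists
      stat:
        path: "{{ container_pod_yaml }}"
      register: pod_file
      when: container_pod_yaml is defined

    - name: fail if pod configuration file is missing
      fail:
        msg: "Error: Asking to run pod, but pod definition yaml file is missing: {{ container_pod_yaml }}"
      when:
        - container_pod_yaml is defined
        - not pod_file.stat.exists

    # Both template tasks write the same dest and register `service_file`;
    # if container_image and container_image_list are both defined, the pod
    # task runs last and wins. The unit file is root-owned and world-readable.
    - name: "create systemd service file for container: {{ container_name }}"
      template:
        src: systemd-service-single.j2
        dest: "{{ service_files_dir }}/{{ service_name }}"
        owner: root
        group: root
        mode: '0644'  # quoted: an unquoted 0644 is read as the integer 420
      notify: reload systemctl
      register: service_file
      when: container_image is defined

    - name: "create systemd service file for pod: {{ container_name }}"
      template:
        src: systemd-service-pod.j2
        dest: "{{ service_files_dir }}/{{ service_name }}"
        owner: root
        group: root
        mode: '0644'  # quoted: an unquoted 0644 is read as the integer 420
      notify:
        - reload systemctl
        - start service
      register: service_file
      when: container_image_list is defined

    - name: ensure "{{ service_name }}" is enabled at boot, and systemd reloaded
      systemd:
        name: "{{ service_name }}"
        enabled: true
        daemon_reload: true

    # A unit that did not exist before this run is started directly; an
    # existing one is restarted through the handler only when its file changed.
    - name: ensure "{{ service_name }}" is running
      service:
        name: "{{ service_name }}"
        state: started
      when: not service_file_before_template.stat.exists

    - name: "ensure {{ service_name }} is restarted due config change"
      debug:
        msg: "config has changed:"
      changed_when: true
      notify: restart service
      when:
        - service_file_before_template.stat.exists
        - service_file.changed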
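# Open or close the container's published ports in firewalld, following the
# desired container state. Skipped unless container_firewall_ports is defined.
- name: configure firewall if container_firewall_ports is defined
  when: container_firewall_ports is defined
  block:
    # Tagged like the consumer below: with `--tags firewall` only tagged tasks
    # run, and the firewalld task needs fw_state to be set.
    - name: set firewall ports state from container state
      tags: firewall
      set_fact:
        fw_state: "{{ 'enabled' if container_state == 'running' else 'disabled' }}"

    - name: ensure firewalld is installed
      tags: firewall
      package:
        name: firewalld
        state: present

    - name: ensure firewall service is running
      tags: firewall
      service:
        name: firewalld
        state: started

    # permanent + immediate: the rule persists across reboots and applies now.
    - name: ensure container's exposed ports firewall state
      tags: firewall
      firewalld:
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: "{{ fw_state }}"
      loop: "{{ container_firewall_ports }}"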
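# Tear-down path: stop and disable the unit, then remove the managed files.
# Gated on container_state == "absent".
- name: do cleanup stuff when container_state is "absent"
  when: container_state == "absent"
  block:
    - name: ensure "{{ service_name }}" is disabled at boot
      service:
        name: "{{ service_name }}"
        enabled: false
      when:
        - service_file_before_template.stat.exists

    # Also sets enabled: false, so the task above is redundant with this one;
    # both are kept to leave the observed sequence of service calls unchanged.
    - name: ensure "{{ service_name }}" is stopped
      service:
        name: "{{ service_name }}"
        state: stopped
        enabled: false
      when:
        - service_file_before_template.stat.exists

    - name: clean up systemd service file
      file:
        path: "{{ service_files_dir }}/{{ service_name }}"
        state: absent
      notify: reload systemctl

    # NOTE(review): this removes the caller-supplied pod definition, which the
    # "running" branch only stats and never writes — confirm the role is meant
    # to own that file before running the absent state on shared hosts.
    - name: clean up pod configuration file
      file:
        path: "{{ container_pod_yaml }}"
        state: absent
      when: container_pod_yaml is defined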