WIP: feat(docker): add support for redhat targets

galaxy.yml

@@ -1,27 +1,21 @@
 namespace: finallycoffee
 name: base
-version: 0.3.0
+version: 0.2.1
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
-description: >-2
+description: Roles for base services which are common dependencies other services like databases
-  Roles for base services which are core functionality like managing packages
-  and ssh or common dependencies other services like databases
 dependencies:
   "community.docker": "^4.2.0"
-  "community.general": "^10.0.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/base
 issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
 tags:
-  - bootstrap
-  - ssh
-  - mosh
   - docker
   - lego
   - minio
   - nginx
   - restic
-  - user_management
+  - docker

playbooks/docker_registry.yml

@@ -1,16 +0,0 @@
----
-- name: Manage docker registry credentials
-  hosts: "{{ docker_hosts | default('docker', true) }}"
-  become: "{{ docker_become | default(false) }}"
-  gather_facts: "{{ docker_registry_gather_facts | default(true) }}"
-  tasks:
-    - name: Manage docker registry credentials
-      community.docker.docker_login:
-        registry_url: "{{ docker_registry.registry }}"
-        username: "{{ docker_registry.username | default(omit) }}"
-        password: "{{ docker_registry.password | default(omit) }}"
-        state: "{{ docker_registry.state | default('present') }}"
-      loop: "{{ docker_registries | default([], true) }}"
-      loop_control:
-        loop_var: "docker_registry"
-        label: "{{ docker_registry.username}}@{{ docker_registry.registry }}"

playbooks/mosh.yml

@@ -1,6 +0,0 @@
----
-- name: Manage and configure mosh
-  hosts: "{{ mosh_hosts | default('mosh', true) }}"
-  become: "{{ mosh_become | default(true) }}"
-  roles:
-    - role: finallycoffee.base.mosh

playbooks/openssh.yml

@@ -1,7 +0,0 @@
----
-- name: Ensure openssh is installed and configured
-  hosts: "{{ openssh_target | default('openssh') }}"
-  become: "{{ openssh_become | default(true) }}"
-  gather_facts: "{{ openssh_gather_facts | default(true) }}"
-  roles:
-    - role: finallycoffee.base.openssh

roles/docker/defaults/main/rhel.yml

@@ -0,0 +1,34 @@
+---
+docker_rhel_repo_name: "docker-ce-stable"
+docker_rhel_repo_description: "Docker CE Stable - $basearch"
+docker_rhel_repo_url: "https://download.docker.com/linux/rhel/$releasever/$basearch/stable"
+docker_rhel_repo_validate_certs: true
+docker_rhel_repo_gpg_check: true
+docker_rhel_repo_gpg_key: "https://download.docker.com/linux/rhel/gpg"
+
+docker_rhel_cli_package: "docker-ce-cli"
+docker_rhel_plugin_buildx_package: "docker-buildx-plugin"
+docker_rhel_plugin_compose_package: "docker-compose-plugin"
+docker_rhel_base_packages:
+  - "docker-ce"
+  - "docker-ce-cli"
+  - "containerd.io"
+docker_rhel_packages: >-2
+  {{
+    docker_fedora_base_packages
+    + (docker_plugin_buildx_enable | default(false)
+      | ternary([ docker_rhel_plugin_buildx_package ], []))
+    + (docker_plugin_compose_enable | default(false)
+      | ternary([ docker_rhel_plugin_compose_package ], []))
+  }}
+docker_rhel_legacy_packages:
+  - "docker"
+  - "docker-client"
+  - "docker-client-latest"
+  - "docker-common"
+  - "docker-latest"
+  - "docker-latest-logrotate"
+  - "docker-logrotate"
+  - "docker-engine"
+  - "podman"
+  - "runc"

roles/docker/tasks/install-redhat.yml

@@ -0,0 +1,21 @@
+---
+- name: Ensure legacy docker packages are removed
+  ansible.builtin.dnf:
+    name: "{{ docker_rhel_legacy_packages }}"
+    state: absent
+  when: docker_remove_legacy_packages
+
+- name: Add dnf repository for docker
+  ansible.builtin.yum_repository:
+    name: "{{ docker_rhel_repo_name }}"
+    description: "{{ docker_rhel_repo_description }}"
+    baseurl: "{{ docker_rhel_repo_url }}"
+    validate_certs: "{{ docker_rhel_repo_validate_certs }}"
+    gpgkey: "{{ docker_rhel_repo_gpg_key }}"
+    gpgcheck: "{{ docker_rhel_repo_gpg_check }}"
+    state: "{{ docker_state }}"
+
+- name: Install dnf packages for docker
+  ansible.builtin.dnf:
+    name: "{{ docker_rhel_packages }}"
+    state: "{{ docker_state }}"

roles/docker/vars/main.yml

@@ -2,3 +2,5 @@
 docker_supported_oses:
   - 'debian'
   - 'fedora'
+docker_supported_os_families:
+  - 'rhel'

roles/lego/files/lego_run.sh

@@ -8,10 +8,8 @@ if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
     echo "nc not found (in PATH), exiting"
     exit 1
   fi
-  set +e
+  nc -z 127.0.0.1 $LEGO_HTTP_PORT;
-  nc_exit_code=$(nc -z 127.0.0.1 $LEGO_HTTP_PORT);
+  if [[ $? -eq 0 ]]; then
-  set -e
-  if [[ $nc_exit_code -eq 0 ]]; then
       LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
   fi
 fi

roles/lego/tasks/main.yml

@@ -107,7 +107,6 @@
       {{ entry.key }}={{ entry.value }}
       {% endfor %}
     dest: "{{ lego_base_path }}/{{ lego_instance }}.conf"
-  register: lego_env_file_info
 
 - name: Ensure timer unit is templated
   ansible.builtin.template:
@@ -121,7 +120,6 @@
     src: "lego_run.sh"
     dest: "{{ lego_base_path }}/run.sh"
     mode: "0755"
-  register: lego_handler_script_info
 
 - name: Ensure per-instance base path is created
   ansible.builtin.file:
@@ -161,18 +159,7 @@
     name: "{{ lego_systemd_timer_name }}"
     state: "started"
 
-- name: Check if certificates are present
-  ansible.builtin.find:
-    path: "{{ lego_instance_path }}/certificates"
-    recurse: false
-    file_type: "file"
-  register: lego_certificate_info
-
 - name: Ensure systemd service is started once to obtain the certificate
   ansible.builtin.systemd_service:
     name: "{{ lego_systemd_service_name }}"
     state: "started"
-  when: >-2
-    lego_handler_script_info.changed
-    or lego_env_file_info.changed
-    or lego_certificate_info.files | default([]) | length == 0

roles/minio/defaults/main/container.yml

@@ -1,7 +1,7 @@
 ---
 minio_container_name: minio
 minio_container_image_name: "docker.io/minio/minio"
-minio_container_image_tag: "RELEASE.2025-04-22T22-12-26Z"
+minio_container_image_tag: "RELEASE.2025-04-08T15-41-24Z"
 minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
 minio_container_networks: []
 minio_container_ports: []

roles/mosh/README.md

@@ -1,4 +0,0 @@
-# `finallycoffee.base.mosh`
-
-Installs [`mosh`](https://mosh.org/#), a remote 'mobile shell' which supports
-roaming and re-uses SSH for the authentication layer.

roles/mosh/defaults/main/main.yml

@@ -1,2 +0,0 @@
----
-mosh_state: present

roles/mosh/defaults/main/packages.yml

@@ -1,15 +0,0 @@
----
-mosh_debian_packages:
-  - "mosh"
-  - "openssh-server"
-mosh_fedora_packages:
-  - "mosh"
-  - "openssh-server"
-mosh_archlinux_packages:
-  - "mosh"
-  - "openssh"
-
-mosh_packages:
-  debian: "{{ mosh_debian_packages }}"
-  fedora: "{{ mosh_fedora_packages }}"
-  archlinux: "{{ mosh_archlinux_packages }}"

roles/mosh/tasks/install.yml

@@ -1,30 +0,0 @@
----
-- name: Ensure mosh is {{ mosh_state }} (dnf)
-  ansible.builtin.dnf:
-    name: "{{ mosh_packages[_key] }}"
-    state: "{{ mosh_state }}"
-  when:
-    - ansible_facts['pkg_mgr'] in ['dnf', 'dnf5']
-    - _key in mosh_packages.keys()
-  vars:
-    _key: "{{ ansible_distribution | lower }}"
-
-- name: Ensure mosh is {{ mosh_state }} (apt)
-  ansible.builtin.apt:
-    package: "{{ mosh_packages[_key] }}"
-    state: "{{ mosh_state }}"
-  when:
-    - ansible_facts['pkg_mgr'] in ['apt']
-    - _key in mosh_packages.keys()
-  vars:
-    _key: "{{ ansible_distribution | lower }}"
-
-- name: Ensure mosh is {{ mosh_state }} (pacman)
-  community.general.pacman:
-    name: "{{ mosh_packages[_key] }}"
-    state: "{{ mosh_state }}"
-  when:
-    - ansible_facts['pkg_mgr'] in ['pacman']
-    - _key in mosh_packages.keys()
-  vars:
-    _key: "{{ ansible_distribution | lower }}"

roles/mosh/tasks/main.yml

@@ -1,11 +0,0 @@
----
-- name: Ensure 'mosh_state' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Invalid state '{{ mosh_state }}' for 'mosh_state'!
-      Allowed states are {{ mosh_states | join(', ') }}.
-  when: mosh_state not in mosh_states
-
-- name: Ensure mosh is {{ mosh_state }}
-  ansible.builtin.include_tasks:
-    file: "install.yml"

roles/mosh/vars/main.yml

@@ -1,4 +0,0 @@
----
-mosh_states:
-  - "present"
-  - "absent"

roles/nginx/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-nginx_version: "1.28.0"
+nginx_version: "1.27.5"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"

roles/openssh/README.md

@@ -1,13 +0,0 @@
-# `finallycoffee.base.openssh`
-
-Ansible role to manage and configure openssh and it's components (like `sshd`).
-
-Currently supports `fedora` and `debian` linux distributions.
-
-## `sshd`
-
-To configure `sshd`, see the [`defaults/main/sshd.yml`](defaults/main/sshd.yml),
-where snake\_cased config keys for `/etc/ssh/sshd_config` are available in
-the `openssh_sshd_config_` namespace.
-
-To add your own config on top, simply use key-value syntax in `openssh_sshd_config`.

roles/openssh/defaults/main/main.yml

@@ -1,3 +0,0 @@
----
-openssh_state: 'present'
-openssh_sshd_config_file: "/etc/ssh/sshd_config"

roles/openssh/defaults/main/packages.yml

@@ -1,8 +0,0 @@
----
-openssh_packages:
-  fedora: "{{ openssh_fedora_packages }}"
-  debian: "{{ openssh_debian_packages }}"
-openssh_fedora_packages:
-  - "openssh-server"
-openssh_debian_packages:
-  - "openssh-server"

roles/openssh/defaults/main/sshd.yml

@@ -1,33 +0,0 @@
----
-openssh_sshd_enable: true
-openssh_sshd_config_pubkey_authentication: true
-openssh_sshd_config_password_authentication: false
-openssh_sshd_config_challenge_response_authentication: false
-openssh_sshd_config_permit_root_login: false
-
-# Limits
-openssh_sshd_config_max_sessions: ~
-openssh_sshd_config_max_startups: ~
-
-# Hardening
-openssh_sshd_config_protocol: 2
-openssh_sshd_config_x11_forwarding: false
-openssh_sshd_config_allow_agent_forwarding: false
-openssh_sshd_config_allow_tcp_forwarding: false
-
-openssh_sshd_default_config:
-  PubkeyAuthentication: "{{ openssh_sshd_config_pubkey_authentication }}"
-  PasswordAuthentication: "{{ openssh_sshd_config_password_authentication }}"
-  ChallengeResponseAuthentication: >-2
-    {{ openssh_sshd_config_challenge_response_authentication }}
-  PermitRootLogin: "{{ openssh_sshd_config_permit_root_login }}"
-  MaxSessions: "{{ openssh_sshd_config_max_sessions }}"
-  MaxStartups: "{{ openssh_sshd_config_max_startups }}"
-  Protocol: "{{ openssh_sshd_config_protocol }}"
-  X11Forwarding: "{{ openssh_sshd_config_x11_forwarding }}"
-  AllowAgentForwarding: "{{ openssh_sshd_config_allow_agent_forwarding }}"
-  AllowTcpForwarding: "{{ openssh_sshd_config_allow_tcp_forwarding }}"
-
-openssh_sshd_merged_config: >-2
-  {{ openssh_sshd_default_config | default({}, true)
-     | combine(openssh_sshd_config | default({}, true)) }}

roles/openssh/defaults/main/systemd.yml

@@ -1,2 +0,0 @@
----
-openssh_sshd_systemd_service_name: "sshd.service"

roles/openssh/handlers/main.yml

@@ -1,7 +0,0 @@
----
-- name: Ensure sshd is reloaded
-  ansible.builtin.systemd_service:
-    name: "{{ openssh_sshd_systemd_service_name }}"
-    state: "reloaded"
-  when: ansible_facts['service_mgr'] == 'systemd'
-  listen: openssh_sshd_reload

roles/openssh/tasks/configure-sshd.yml

@@ -1,28 +0,0 @@
----
-- name: Configure sshd
-  ansible.builtin.lineinfile:
-    path: "{{ openssh_sshd_config_file }}"
-    regexp: "{{ openssh_sshd_config_regexp }}"
-    line: "{{ openssh_sshd_config_line }}"
-    firstmatch: true
-    state: present
-    validate: "sshd -Tf %s"
-  loop: "{{ openssh_sshd_merged_config | dict2items }}"
-  loop_control:
-    loop_var: "tuple"
-    label: "{{ tuple.key }}"
-  notify:
-    - openssh_sshd_reload
-  vars:
-    openssh_sshd_config_regexp: "^\\s*#?\\s*{{ tuple.key }}"
-    openssh_sshd_config_line: >-2
-      {{ openssh_sshd_config_line_commented }}{{ tuple.key }} {{ openssh_sshd_config_value }}
-    openssh_sshd_config_value_is_none: "{{ tuple.value is none }}"
-    openssh_sshd_config_line_commented: >-2
-      {{ openssh_sshd_config_value_is_none | ternary('#', '') }}
-    openssh_sshd_config_value: >-2
-      {{ (tuple.value is boolean) | ternary(
-           tuple.value | ternary('yes', 'no'),
-           tuple.value
-         )
-      }}

roles/openssh/tasks/install.yml

@@ -1,16 +0,0 @@
----
-- name: Ensure openssh server package is {{ openssh_state }} (dnf)
-  ansible.builtin.dnf:
-    name: "{{ openssh_packages[ansible_distribution | lower] }}"
-    state: "{{ openssh_state }}"
-  when:
-    - ansible_facts['pkg_mgr'] in ['dnf', 'dnf5']
-    - ansible_distribution | lower in openssh_packages.keys()
-
-- name: Ensure openssh server package is {{ openssh_state }} (apt)
-  ansible.builtin.apt:
-    package: "{{ openssh_packages[ansible_distribution | lower] }}"
-    state: "{{ openssh_state }}"
-  when:
-    - ansible_facts['pkg_mgr'] in ['apt']
-    - ansible_distribution | lower in openssh_packages.keys()

roles/openssh/tasks/main.yml

@@ -1,15 +0,0 @@
----
-- name: Ensure 'openssh_state' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Invalid value '{{ openssh_state }}' for 'openssh_state'.
-      Valid values are {{ openssh_states | join(', ') }}!
-  when: openssh_state not in openssh_states
-
-- name: Ensure openssh is {{ openssh_state }}
-  ansible.builtin.include_tasks:
-    file: "install.yml"
-
-- name: Ensure sshd is configured
-  ansible.builtin.include_tasks:
-    file: "configure-sshd.yml"

roles/openssh/vars/main.yml

@@ -1,4 +0,0 @@
----
-openssh_states:
-  - "present"
-  - "absent"