From 429bbc528fa6e61e1e86af854a0fb5d659b18946 Mon Sep 17 00:00:00 2001
From: Denis Nutiu
Date: Wed, 5 Feb 2025 19:39:03 +0200
Subject: [PATCH] work on peertube ansible playbook

---
 peertube-server/.idea/.gitignore | 8 +++
 .../inspectionProfiles/profiles_settings.xml | 6 ++
 peertube-server/.idea/modules.xml | 8 +++
 peertube-server/.idea/peertube-server.iml | 8 +++
 peertube-server/.idea/vcs.xml | 6 ++
 peertube-server/Makefile | 9 +++
 peertube-server/inventory.ini | 5 ++
 peertube-server/playbook.yaml | 66 +++++++++++++++++++
 peertube-server/templates/cil/peertube.cil | 23 +++++++
 peertube-server/templates/cil/postgres.cil | 11 ++++
 .../templates/firewall/peertube.xml | 7 ++
 peertube-server/variables.yaml | 9 +++
 12 files changed, 166 insertions(+)
 create mode 100644 peertube-server/.idea/.gitignore
 create mode 100644 peertube-server/.idea/inspectionProfiles/profiles_settings.xml
 create mode 100644 peertube-server/.idea/modules.xml
 create mode 100644 peertube-server/.idea/peertube-server.iml
 create mode 100644 peertube-server/.idea/vcs.xml
 create mode 100644 peertube-server/Makefile
 create mode 100644 peertube-server/inventory.ini
 create mode 100644 peertube-server/playbook.yaml
 create mode 100644 peertube-server/templates/cil/peertube.cil
 create mode 100644 peertube-server/templates/cil/postgres.cil
 create mode 100644 peertube-server/templates/firewall/peertube.xml
 create mode 100644 peertube-server/variables.yaml

diff --git a/peertube-server/.idea/.gitignore b/peertube-server/.idea/.gitignore
new file mode 100644
index 0000000..13566b8
--- /dev/null
+++ b/peertube-server/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/peertube-server/.idea/inspectionProfiles/profiles_settings.xml b/peertube-server/.idea/inspectionProfiles/profiles_settings.xml
new file mode 100644
index 0000000..105ce2d
--- /dev/null
+++ b/peertube-server/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,6 @@
+ + + +
\ No newline at end of file
diff --git a/peertube-server/.idea/modules.xml b/peertube-server/.idea/modules.xml
new file mode 100644
index 0000000..fd0ff19
--- /dev/null
+++ b/peertube-server/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/peertube-server/.idea/peertube-server.iml b/peertube-server/.idea/peertube-server.iml
new file mode 100644
index 0000000..d0876a7
--- /dev/null
+++ b/peertube-server/.idea/peertube-server.iml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/peertube-server/.idea/vcs.xml b/peertube-server/.idea/vcs.xml
new file mode 100644
index 0000000..6c0b863
--- /dev/null
+++ b/peertube-server/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/peertube-server/Makefile b/peertube-server/Makefile
new file mode 100644
index 0000000..4aec0e9
--- /dev/null
+++ b/peertube-server/Makefile
@@ -0,0 +1,9 @@
+install:
+ sudo dnf install ansible
+ ansible-galaxy collection install community.general
+ ansible-galaxy collection install containers.podman
+ ansible-galaxy collection install ansible.posix
+list-hosts:
+ ansible-inventory -i inventory.ini --list
+run:
+ ansible-playbook -i inventory.ini playbook.yaml --ask-become-pass
\ No newline at end of file
diff --git a/peertube-server/inventory.ini b/peertube-server/inventory.ini
new file mode 100644
index 0000000..3998aed
--- /dev/null
+++ b/peertube-server/inventory.ini
@@ -0,0 +1,5 @@
+[nuculabs]
+legion.nuculabs.com ansible_user=dnutiu
+
+[local]
+localhost ansible_connection=local
\ No newline at end of file
diff --git a/peertube-server/playbook.yaml b/peertube-server/playbook.yaml
new file mode 100644
index 0000000..6379320
--- /dev/null
+++ b/peertube-server/playbook.yaml
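Review bot: The three `ansible-galaxy collection install` lines in the `install` target of the Makefile fetch whatever version of `community.general`, `containers.podman` and `ansible.posix` Galaxy serves at that moment, so two runs of `make install` can yield different module behaviour and there is no recorded version to audit the deployment against. Move the collections into a `requirements.yml` with pinned `version:` entries and replace the three lines with `ansible-galaxy collection install -r requirements.yml`.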
@@ -0,0 +1,66 @@
+- name: Create directory and templated file
+ hosts: nuculabs
+ become: yes
+ become_method: sudo
+ vars_files:
+ - variables.yaml
+
+ tasks:
+ # Create necessary directories.
+ - name: Create PeerTube data directory
+ ansible.builtin.file:
+ path: "/{{ peertube.data_directory }}"
+ state: directory
+ mode: '0755'
+ ignore_errors: true
+ - name: Create PeerTube config directory
+ ansible.builtin.file:
+ path: "/{{ peertube.config_directory }}"
+ state: directory
+ mode: '0754'
+ ignore_errors: true
+ - name: Create PostgresSQL directory
+ ansible.builtin.file:
+ path: "/{{ postgres.postgres_directory }}"
+ state: directory
+ mode: '0754'
+ ignore_errors: true
+ # Ensure dependencies are installed
+ - name: Ensure Podman is installed
+ ansible.builtin.package:
+ name: podman
+ state: present
+ - name: Ensure Udica is installed
+ ansible.builtin.package:
+ name: udica
+ state: present
+ - name: Ensure container-selinux is installed
+ ansible.builtin.package:
+ name: container-selinux
+ state: present
+ # Pull docker images
+ - name: Pull PeerTube image
+ containers.podman.podman_image:
+ name: "{{ peertube.image_name }}"
+ state: present
+ - name: Pull Postgres image
+ containers.podman.podman_image:
+ name: "{{ postgres.image_name }}"
+ state: present
+ - name: Pull Redis image
+ containers.podman.podman_image:
+ name: "{{ redis.image_name }}"
+ state: present
+ # Load SELinux policies
+ - name: Add firewall ports
+ block:
+ - name: Create a firewalld service file (if it doesn't exist)
+ ansible.posix.firewalld:
+ src: ./templates/firewall/peertube.xml
+ dest: /etc/firewalld/services/peertube.xml
+ state: enabled
+ notify: reload firewalld
+ handlers:
+ - name: reload firewalld
+ ansible.posix.firewalld:
+ state: reloaded
\ No newline at end of file
diff --git a/peertube-server/templates/cil/peertube.cil b/peertube-server/templates/cil/peertube.cil
new file mode 100644
index 0000000..3032b80
--- /dev/null
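Review bot: The task inside the `Add firewall ports` block passes `src`/`dest` to `ansible.posix.firewalld`, which are `ansible.builtin.copy` parameters that module does not accept, and the `reload firewalld` handler's `state: reloaded` is not a firewalld state either (it takes `enabled`/`disabled`/`present`/`absent`), so the play should stop with an unsupported-parameter error at that task. The intended sequence is to copy the service XML, reload firewalld so it reads the new definition, then enable the `peertube` service in the zone, as sketched below. Separately, the three directory tasks build `path: "/{{ peertube.data_directory }}"` from variables that already start with `/` (giving `//peertube/data`), and `ignore_errors: true` on them hides exactly the failure the later volume mounts would depend on; use `path: "{{ peertube.data_directory }}"` and drop `ignore_errors`. The `# Load SELinux policies` comment heads the firewall block, while the CIL templates added in this commit are not applied by any task — presumably still to come, but the comment should say so.
```yaml
    - name: Install the PeerTube firewalld service definition
      ansible.builtin.copy:
        src: ./templates/firewall/peertube.xml
        dest: /etc/firewalld/services/peertube.xml
        mode: '0644'
      notify: reload firewalld
    - name: Flush handlers so firewalld sees the new service
      ansible.builtin.meta: flush_handlers
    - name: Allow the PeerTube service through the firewall
      ansible.posix.firewalld:
        service: peertube
        permanent: true
        immediate: true
        state: enabled
  handlers:
    - name: reload firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: reloaded
```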
+++ b/peertube-server/templates/cil/peertube.cil
@@ -0,0 +1,23 @@
+(block peertube
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot )))
+
+ (allow process flash_port_t ( tcp_socket ( name_bind )))
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+ (allow process unreserved_port_t (tcp_socket (name_connect) ) )
+ (allow process cifs_t (dir (setattr)))
+ (allow process redis_port_t (tcp_socket (name_connect)))
+ (allow process smtp_port_t (tcp_socket (name_connect)))
+ (allow process postgresql_port_t (tcp_socket (name_connect)))
+
+
+ (allow process container_file_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process container_file_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+ (allow process container_file_t ( fifo_file ( getattr read write append ioctl lock open )))
+ (allow process container_file_t ( sock_file ( append getattr open read write )))
+ (allow process user_home_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+ (allow process user_home_t ( fifo_file ( getattr read write append ioctl lock open )))
+ (allow process user_home_t ( sock_file ( append getattr open read write )))
+)
diff --git a/peertube-server/templates/cil/postgres.cil b/peertube-server/templates/cil/postgres.cil
new file mode 100644
index 0000000..c4b5ce8
--- /dev/null
+++ b/peertube-server/templates/cil/postgres.cil
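Review bot: The four `user_home_t` allow rules at the end of `peertube.cil` give the container create, unlink and write access to home-directory content, which does not match the `/peertube/...` paths that variables.yaml provisions for its volumes; this looks like udica output from a run where the volumes lived under a home directory, so either confirm the mounts and regenerate the policy or drop those rules, and the same four rules appear in `postgres.cil`. The capability line (`chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot`) reads like generated boilerplate rather than a list derived from what the PeerTube entrypoint needs; since the block already inherits `container`, it is worth checking which of these the process actually uses once running as its fixed uid and trimming the rest. `(allow process unreserved_port_t (tcp_socket (name_connect)))` permits outbound connections to any unreserved TCP port, while redis, smtp and postgresql already have their own specific rules above it; if the remaining need is federation over HTTP(S), a rule on `http_port_t` instead would be narrower. `(allow process cifs_t (dir (setattr)))` has no obvious purpose for a local `/peertube` bind mount, so a comment explaining why it is kept would help the next reader.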
@@ -0,0 +1,11 @@
+(block postgres
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot )))
+
+ (allow process postgresql_port_t ( tcp_socket ( name_bind )))
+ (allow process user_home_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+ (allow process user_home_t ( fifo_file ( getattr read write append ioctl lock open )))
+ (allow process user_home_t ( sock_file ( append getattr open read write )))
+)
\ No newline at end of file
diff --git a/peertube-server/templates/firewall/peertube.xml b/peertube-server/templates/firewall/peertube.xml
new file mode 100644
index 0000000..391f154
--- /dev/null
+++ b/peertube-server/templates/firewall/peertube.xml
@@ -0,0 +1,7 @@
+
+
+ PeerTube Service
+ PeerTube is a federated video sharing platform.
+
+
+
diff --git a/peertube-server/variables.yaml b/peertube-server/variables.yaml
new file mode 100644
index 0000000..3f0b56f
--- /dev/null
+++ b/peertube-server/variables.yaml
@@ -0,0 +1,9 @@
+peertube:
+ data_directory: "/peertube/data"
+ config_directory: "/peertube/config"
+ image_name: "docker.io/chocobozzz/peertube:v7.0.1-bookworm"
+postgres:
+ postgres_directory: "/peertube/postgres"
+ image_name: "docker.io/postgres:13-alpine"
+redis:
+ image_name: "docker.io/redis:6-alpine"
\ No newline at end of file
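Review bot: The three `image_name` values in variables.yaml are mutable tags (`postgres:13-alpine` and `redis:6-alpine` are major-version floats, and even `peertube:v7.0.1-bookworm` can be re-pushed), with no digest, so the `podman_image ... state: present` tasks in playbook.yaml install whatever the registry serves on the first pull and nothing in the repository records what was actually deployed. For a reproducible, auditable host, append `@sha256:<DIGEST-PLACEHOLDER>` (taken from the registry at review time) to each `image_name`, or at minimum pin the full patch version for postgres and redis and add a comment stating when the tags were last checked.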