From 2014745501cbaefb1d17fbbde8bfb6275b67de9a Mon Sep 17 00:00:00 2001 From: Thomas Kleinendorst Date: Sun, 28 Apr 2024 15:50:14 +0200 Subject: [PATCH] Add changedetection as a hosted service --- playbook.yml | 1 + roles/actual/handlers/main.yml | 5 -- roles/actual/tasks/main.yml | 4 +- roles/changedetection/handlers/main.yml | 7 +++ roles/changedetection/tasks/main.yml | 55 ++++++++++++++++++++ roles/changedetection/vars/main/defaults.yml | 2 + roles/changedetection/vars/main/vault.yml | 9 ++++ roles/cloudflare-ddns/tasks/main.yml | 2 +- roles/pi-hole/tasks/main.yml | 2 +- roles/user/tasks/main.yml | 2 +- roles/user/vars/main/defaults.yml | 2 +- 11 files changed, 80 insertions(+), 11 deletions(-) create mode 100644 roles/changedetection/handlers/main.yml create mode 100644 roles/changedetection/tasks/main.yml create mode 100644 roles/changedetection/vars/main/defaults.yml create mode 100644 roles/changedetection/vars/main/vault.yml diff --git a/playbook.yml b/playbook.yml index b5efb7d..5742ac6 100644 --- a/playbook.yml +++ b/playbook.yml @@ -17,6 +17,7 @@ - role: cloudflare-ddns - role: nginx - role: actual + - role: changedetection - role: pi-hole vars: # devsec.hardening.ssh_hardening vars: diff --git a/roles/actual/handlers/main.yml b/roles/actual/handlers/main.yml index 292f833..d1c9fa4 100644 --- a/roles/actual/handlers/main.yml +++ b/roles/actual/handlers/main.yml @@ -1,9 +1,4 @@ --- -- name: Restart ufw - become: true - ansible.builtin.systemd: - name: ufw.service - state: restarted - name: Reload systemd (daemon-reload) become: true become_user: "{{ actual_username }}" diff --git a/roles/actual/tasks/main.yml b/roles/actual/tasks/main.yml index 6f9dee9..96734ea 100644 --- a/roles/actual/tasks/main.yml +++ b/roles/actual/tasks/main.yml 
@@ -1,11 +1,11 @@ --- -- name: Create a new user +- name: Include user role ansible.builtin.include_role: name: user vars: user_username: "{{ actual_username }}" user_password: "{{ actual_password }}" - user_use_podman_restart: true + user_start_podman_restart: true - name: Create a directory for holding actual's (volume) data become: true become_user: "{{ actual_username }}" diff --git a/roles/changedetection/handlers/main.yml b/roles/changedetection/handlers/main.yml new file mode 100644 index 0000000..d1c9fa4 --- /dev/null +++ b/roles/changedetection/handlers/main.yml @@ -0,0 +1,7 @@ +--- +- name: Reload systemd (daemon-reload) + become: true + become_user: "{{ actual_username }}" + ansible.builtin.systemd_service: + daemon_reload: true + scope: user diff --git a/roles/changedetection/tasks/main.yml b/roles/changedetection/tasks/main.yml new file mode 100644 index 0000000..c568b7a --- /dev/null +++ b/roles/changedetection/tasks/main.yml 
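Review bot: The new handler in roles/changedetection/handlers/main.yml runs with `become_user: "{{ actual_username }}"`, which looks copied from the actual role, since the new file has the same blob id (d1c9fa4) as roles/actual/handlers/main.yml. With `scope: user`, the daemon-reload would then run in the actual account's systemd instance, not the one that owns the unit generated under the changedetection user's home, so the new unit may not be picked up. It also ties this role to a variable owned by another role and crosses service accounts, which weakens the per-service user separation the playbook sets up. The line should read `become_user: "{{ changedetection_username }}"`.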
@@ -0,0 +1,55 @@
+---
+- name: Include user role
+ ansible.builtin.include_role:
+ name: user
+ vars:
+ user_username: "{{ changedetection_username }}"
+ user_password: "{{ changedetection_password }}"
+ user_start_podman_restart: true
+- name: Create a directory for holding changedetection's (volume) data
+ become: true
+ become_user: "{{ changedetection_username }}"
+ ansible.builtin.file:
+ path: "/home/{{ changedetection_username }}/changedetection_data"
+ state: directory
+ mode: '0700'
+- name: Gather facts on the changedetection container
+ become: true
+ become_user: "{{ changedetection_username }}"
+ containers.podman.podman_container_info:
+ name: changedetection-server
+ register: changedetection_server_container_info
+- name: Start the changedetection container with correct systemd linking
+ when: "'no such container' in changedetection_server_container_info.stderr"
+ become: true
+ become_user: "{{ changedetection_username }}"
+ block:
+ - name: Start the changedetection container
+ containers.podman.podman_container:
+ name: changedetection-server
+ image: docker.io/dgtlmoon/changedetection.io:0.45.21
+ restart_policy: always
+ publish:
+ - 127.0.0.1:5000:5000
+ volumes:
+ - "/home/{{ changedetection_username }}/changedetection_data:/datastore"
+ state: stopped
+ # For more information on the systemd startup service, see: https://linuxhandbook.com/autostart-podman-containers/
+ generate_systemd:
+ path: "/home/{{ changedetection_username }}/.config/systemd/user/"
+ restart_policy: always
+ notify: Reload systemd (daemon-reload)
+ - name: Flush handlers
+ ansible.builtin.meta: flush_handlers
+ - name: Enable the newly created systemd service for user
+ ansible.builtin.systemd:
+ name: container-changedetection-server.service
+ state: started
+ enabled: true
+ scope: user
+- name: Include simple-reverse-proxy role
+ ansible.builtin.include_role:
+ name: simple-reverse-proxy
+ vars:
+ simple_reverse_proxy_internal_port: 5000
+
simple_reverse_proxy_internal_subdomain: changedetection diff --git a/roles/changedetection/vars/main/defaults.yml b/roles/changedetection/vars/main/defaults.yml new file mode 100644 index 0000000..163fffc --- /dev/null +++ b/roles/changedetection/vars/main/defaults.yml @@ -0,0 +1,2 @@ +--- +changedetection_username: changedetection diff --git a/roles/changedetection/vars/main/vault.yml b/roles/changedetection/vars/main/vault.yml new file mode 100644 index 0000000..9703da2 --- /dev/null +++ b/roles/changedetection/vars/main/vault.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +65363334626534616562376362316134623034396333646361646230313864323562316666623065 +6464353838306530333366653932646163313963346265310a626664653234323765646338613666 +30363762326431656635623839623561346332326363646465343263663931303638623239623439 +6532353332613032390a616464306336313237396163353732363566303761393165643161633165 +35663362623034396638313738643937353765306262653136313438636239663333336636323765 +37313635386333323666303164333030616366316439653235353732616637613564623137316635 +65323965656665633738336632643463653862623836613265663335633336616264333364383438 +37383038393930656339 diff --git a/roles/cloudflare-ddns/tasks/main.yml b/roles/cloudflare-ddns/tasks/main.yml index b19b1f2..d66549f 100644 --- a/roles/cloudflare-ddns/tasks/main.yml +++ b/roles/cloudflare-ddns/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Create a new user +- name: Include user role ansible.builtin.include_role: name: user vars: diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml index 8208825..e84035d 100644 --- a/roles/pi-hole/tasks/main.yml +++ b/roles/pi-hole/tasks/main.yml @@ -5,7 +5,7 @@ vars: user_username: "{{ pi_hole_username }}" user_password: "{{ pi_hole_password }}" - user_use_podman_restart: true + user_start_podman_restart: true - name: Create the /etc-pihole directory in the home directory (will be mounted to the container) become: true become_user: "{{ pi_hole_username }}" 
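Review bot: The `image:` line in the "Start the changedetection container" task pins `docker.io/dgtlmoon/changedetection.io:0.45.21` by tag only, and a registry tag can be re-pointed, so the host runs whatever the tag resolves to at pull time. Consider pinning by digest, e.g. `image: docker.io/dgtlmoon/changedetection.io@sha256:<VERIFIED_DIGEST_FOR_0.45.21>` (placeholder; fill in the digest you have verified). The block guard `when: "'no such container' in changedetection_server_container_info.stderr"` depends on the wording of podman's error text; `when: changedetection_server_container_info.containers | length == 0` would test the module's structured result instead. Because the container is only created when absent, a later image bump in this file would not reach a host that already has it. The hunk does not show whether the simple-reverse-proxy role restricts access, and changedetection.io has no password set by default, so confirm the `changedetection` subdomain is not served unauthenticated.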
diff --git a/roles/user/tasks/main.yml b/roles/user/tasks/main.yml index a441c84..60dcd53 100644 --- a/roles/user/tasks/main.yml +++ b/roles/user/tasks/main.yml @@ -123,4 +123,4 @@ state: started enabled: true scope: user - when: user_use_podman_restart + when: user_start_podman_restart diff --git a/roles/user/vars/main/defaults.yml b/roles/user/vars/main/defaults.yml index b061d78..50012e0 100644 --- a/roles/user/vars/main/defaults.yml +++ b/roles/user/vars/main/defaults.yml @@ -1,2 +1,2 @@ --- -user_use_podman_restart: false +user_start_podman_restart: false