Cockpit

This installs and sets up the Cockpit Web Console on compatible systems like RHEL, CentOS, Fedora, Debian, and Ubuntu.

Requirements

RHEL/CentOS 7.x needs to have the Extras repository enabled.

Collection requirements

This role needs the firewall and selinux roles from the fedora.linux_system_roles collection if you want to manage the firewall and SELinux settings. Check cockpit_manage_firewall and cockpit_manage_selinux in Role Variables.

If you're using cockpit from the fedora.linux_system_roles collection or from the Fedora RPM package, you’re all set.

To manage rpm-ostree systems, you must install additional collections. Use the command below:

ansible-galaxy collection install -vv -r meta/collection-requirements.yml

Role Variables

Here are the available variables for each distribution with their default values (see defaults/main.yml):

cockpit_packages

This variable lets you pick which Cockpit packages to install. You can choose your own or select from three sets: default, minimal, or full. If you don't specify this variable, default is used. The specific packages may differ based on the distribution and version.

For example, if you want specific Cockpit packages:

cockpit_packages:
  - cockpit-storaged
  - cockpit-podman

Using predefined package sets is recommended:

cockpit_packages: default
# which installs these:
# - cockpit
# - cockpit-networkmanager
# - cockpit-packagekit
# - cockpit-selinux
# - cockpit-storaged

cockpit_packages: minimal
# which installs these:
# - cockpit-system
# - cockpit-ws

cockpit_packages: full
# This option installs nearly all available Cockpit packages.

cockpit_enabled

cockpit_enabled: true

This is a boolean variable that controls whether Cockpit starts automatically on boot (default is true).

cockpit_started

cockpit_started: true

This boolean controls whether Cockpit should be running (default is true).

cockpit_config

cockpit_config:
  WebService:
    LoginTitle: "custom login screen title"
    MaxStartups: 20
  Session:
    IdleTimeout: 15
    Banner: "/etc/motd"

This is for setting options in /etc/cockpit/cockpit.conf. Existing settings will be replaced with this configuration.

cockpit_port

cockpit_port: 9090

Cockpit uses port 9090 by default. Change it here if needed.

cockpit_manage_firewall

cockpit_manage_firewall: false

This boolean determines if the cockpit role manages the firewall (default is false). It can only add ports, not remove them. This feature only works on RedHat systems.

cockpit_manage_selinux

cockpit_manage_selinux: false

This flag allows SELinux to be configured using the SELinux role. By default, Cockpit can only listen on port 9090 unless this is enabled.

cockpit_transactional_update_reboot_ok

cockpit_transactional_update_reboot_ok: true

If a reboot is needed for updates, this variable allows the role to proceed with the reboot or notify the user.

Certificate setup

By default, Cockpit creates a self-signed certificate on first start. It's best to customize this for production settings.

Use an existing certificate

If you already have a certificate for your server, point the cockpit_cert and cockpit_private_key options to it:

cockpit_cert: /path/to/server.crt
cockpit_private_key: /path/to/server.key

Generate a new certificate

To create a new certificate, use the cockpit_certificates variable.

Example for using an IdM-issued web server certificate:

- name: Install cockpit with Cockpit web server certificate
  include_role:
    name: linux-system-roles.cockpit
  vars:
    cockpit_certificates:
      - name: monger-cockpit
        dns: ['localhost', 'www.example.com']
        ca: ipa
        group: cockpit-ws

Example Playbooks

Simplest example for managing Cockpit:

---
- name: Manage cockpit
  hosts: fedora, rhel7, rhel8
  become: true
  roles:
    - linux-system-roles.cockpit

Another example with firewall configuration:

---
tasks:
  - name: Install RHEL/Fedora Web Console (Cockpit)
    include_role:
      name: linux-system-roles.cockpit
    vars:
      cockpit_packages: default

  - name: Configure Firewall for Web Console
    include_role:
      name: fedora.linux_system_roles.firewall
    vars:
      firewall:
        service: cockpit
        state: enabled

License

GPLv3