feat(roles/google_chrome): add headless Chrome backend for icingaweb2_module_pdfexport

CHANGELOG.md

@@ -34,8 +34,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+* **role:google_chrome**: New role. Installs Google Chrome together with the runtime libraries and fonts required for headless rendering, and sets up a socket-activated, hardened `chrome-headless` systemd stack (socket + `systemd-socket-proxyd` + the actual Chrome service, wired with `BindsTo`). Chrome is started on the first incoming connection and stopped again after `google_chrome__idle_timeout` seconds of inactivity, so no RAM is wasted while the backend is unused. The role also flips two SELinux booleans on enforcing hosts: `systemd_socket_proxyd_bind_any` so the socket unit can bind the listen port (on Rocky/RHEL 9 the default `9222` carries the `hplip_port_t` label, which would otherwise reject the bind), and `systemd_socket_proxyd_connect_any` so the proxy can reach Chrome on its non-standard backend port. Provides the headless browser backend that the Icinga Web 2 PDF Export Module talks to.
 * **role:sshd**: Add Debian 13 support.
 * **role:mirror**: Document the new per-repository `newest_only` subkey on `mirror__reposync_repos` entries. Defaults to `true` (only the newest version of each package is mirrored). Set to `false` for repositories that publish multiple versions in parallel, such as Icinga, where older versions must remain available.
+* **role:repo_google_chrome**: New role. Deploys the Google Chrome package repository for RHEL-based distributions, with the same `lfops__repo_mirror_url` / `lfops__repo_basic_auth_login` knobs as the other `repo_*` roles.
 * **role:repo_remi**: Add RHEL 10 / Rocky 10 support (new GPG key, repo templates, and module-stream tasks for EL 10).
 * **role:repo_remi**: Add `meta/argument_specs.yml` declaring the four user-facing variables (`repo_remi__basic_auth_login`, `repo_remi__enabled_php_version`, `repo_remi__enabled_redis_version`, `repo_remi__mirror_url`) so role-entry validation catches type mismatches and unknown variables. `repo_remi__basic_auth_login` is declared as `type: 'raw'` because its default in `defaults/main.yml` resolves to an empty string when no Bitwarden lookup is configured.
 * **role:monitoring_plugins, role:repo_monitoring_plugins**: Add SLES 15 and SLES 16 support. The roles now install the Linuxfabrik Monitoring Plugins from the SUSE channel of `repo.linuxfabrik.ch` and apply the SUSE-specific package version lock ([#245](https://github.com/Linuxfabrik/lfops/issues/245)).
@@ -63,6 +65,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+* **role:icingaweb2_module_pdfexport, playbooks/icingaweb2_module_pdfexport, playbooks/setup_icinga2_master**: The headless browser backend the module requires was not installed by any role and had to be configured manually, so fresh deployments ended up without working PDF export. The new `google_chrome` and `repo_google_chrome` roles now provide a hardened `chrome-headless.service`, and both `icingaweb2_module_pdfexport.yml` and `setup_icinga2_master.yml` wire them up with `*__skip_*` opt-out variables (in `setup_icinga2_master.yml` the defaults track the existing `icingaweb2_module_pdfexport__skip_role` flag). The role also gained `/etc/icingaweb2/modules/pdfexport/config.ini` deployment with four new variables (`icingaweb2_module_pdfexport__chrome_host`, `__chrome_port`, `__chrome_binary`, `__force_temp_storage`); by default it talks to the `chrome-headless.service` over the Chrome DevTools Protocol, falling back to a local Chrome binary only if `chrome_binary` is set explicitly.
 * **role:nextcloud**: The `nextcloud-update` script now owns the maintenance mode lifecycle itself instead of expecting callers to enable it beforehand. Previously, callers enabled maintenance mode before invoking the script (to protect the DB dump), which disables the LDAP user provider and causes the `before-update` export (`occ user:list`, `config:list`, `app:list`) to silently omit LDAP users. The script now assumes maintenance mode is **off** at start, runs the `before-update` export with apps loaded, lets `updater.phar` manage maintenance mode itself, and explicitly disables it again before `occ upgrade` and `occ app:update` (since `occ upgrade` does not turn it off on its own) — so all post-upgrade commands (`app:update`, `db:add-missing-*`, `db:convert-filecache-bigint`, the `after-update` export) also run with apps loaded. Callers must drop the manual `maintenance:mode --on` step from their pre-script workflow; the DB dump should rely on `--single-transaction` instead.
 
 * **roles**: Set `become: false` on tasks delegated to localhost across the collection. Previously these tasks inherited `become: true` from the playbook level and tried to call `sudo` on the Ansible controller, which fails on controllers without a passwordless sudo setup with `sudo: a password is required`. Affected are all `repo_*` roles, the `*_vm` cloud roles (`exoscale_vm`, `hetzner_vm`, `infomaniak_vm`), all `icingaweb2_module_*` roles that download artefacts, `monitoring_plugins`, `shared`, plus several others. Existing playbooks that were working without playbook-level `become: true` are unaffected ([#242](https://github.com/Linuxfabrik/lfops/issues/242)).

COMPATIBILITY.md

@@ -42,6 +42,7 @@ Which Ansible role is proven to run on which OS?
 | gitlab_ce                             |        |        |   x    |  (x)   |   (x)   |           |           |           |                                              |
 | glances                               |  (x)   |  (x)   |   x    |   x    |   (x)   |    (x)    |    (x)    |    (x)    |                                              |
 | glpi_agent                            |        |        |   x    |   x    |   (x)   |           |           |           |                                              |
+| google_chrome                         |        |        |   x    |   x    |   (x)   |           |           |           |                                              |
 | grafana                               |        |        |   x    |   x    |    x    |           |           |           |                                              |
 | grafana_grizzly                       |  (x)   |  (x)   |   x    |   x    |   (x)   |    (x)    |    (x)    |    (x)    |                                              |
 | grav                                  |        |        |   x    |  (x)   |   (x)   |           |           |           |                                              |
@@ -128,6 +129,7 @@ Which Ansible role is proven to run on which OS?
 | repo_epel                             |        |        |   x    |   x    |    x    |           |           |           |                                              |
 | repo_gitlab_ce                        |        |        |   x    |  (x)   |   (x)   |           |           |           |                                              |
 | repo_gitlab_runner                    |        |        |   x    |  (x)   |   (x)   |           |           |           |                                              |
+| repo_google_chrome                    |        |        |   x    |   x    |   (x)   |           |           |           |                                              |
 | repo_grafana                          |   x    |   x    |   x    |   x    |   (x)   |    (x)    |    (x)    |    (x)    |                                              |
 | repo_graylog                          |   x    |   x    |   x    |  (x)   |   (x)   |    (x)    |    (x)    |    (x)    |                                              |
 | repo_icinga                           |   x    |   x    |   x    |   x    |    x    |     x     |    (x)    |    (x)    |                                              |

playbooks/README.md

@@ -338,6 +338,15 @@ Calls the following roles (in order):
 * [glpi_agent](https://github.com/Linuxfabrik/lfops/tree/main/roles/glpi_agent)
 
 
+## google_chrome.yml
+
+Calls the following roles (in order):
+
+* [repo_epel](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_epel): `google_chrome__skip_repo_epel`
+* [repo_google_chrome](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_google_chrome): `google_chrome__skip_repo_google_chrome`
+* [google_chrome](https://github.com/Linuxfabrik/lfops/tree/main/roles/google_chrome)
+
+
 ## grafana.yml
 
 Calls the following roles (in order):
@@ -445,6 +454,9 @@ Calls the following roles (in order):
 
 Calls the following roles (in order):
 
+* [repo_epel](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_epel): `icingaweb2_module_pdfexport__skip_repo_epel`
+* [repo_google_chrome](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_google_chrome): `icingaweb2_module_pdfexport__skip_repo_google_chrome`
+* [google_chrome](https://github.com/Linuxfabrik/lfops/tree/main/roles/google_chrome): `icingaweb2_module_pdfexport__skip_google_chrome`
 * [icingaweb2_module_pdfexport](https://github.com/Linuxfabrik/lfops/tree/main/roles/icingaweb2_module_pdfexport)
 
 
@@ -840,6 +852,13 @@ Calls the following roles (in order):
 * [repo_gitlab_runner](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_gitlab_runner)
 
 
+## repo_google_chrome.yml
+
+Calls the following roles (in order):
+
+* [repo_google_chrome](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_google_chrome)
+
+
 ## repo_grafana.yml
 
 Calls the following roles (in order):
@@ -1097,6 +1116,8 @@ Calls the following roles (in order):
 * [icingaweb2_theme_linuxfabrik](https://github.com/Linuxfabrik/lfops/tree/main/roles/icingaweb2_theme_linuxfabrik): `setup_icinga2_master__icingaweb2_theme_linuxfabrik__skip_role`
 * [icingaweb2_module_incubator](https://github.com/Linuxfabrik/lfops/tree/main/roles/icingaweb2_module_incubator): `setup_icinga2_master__icingaweb2_module_incubator__skip_role`
 * [icingaweb2_module_jira](https://github.com/Linuxfabrik/lfops/tree/main/roles/icingaweb2_module_jira): `setup_icinga2_master__icingaweb2_module_jira__skip_role` (default: `true`)
+* [repo_google_chrome](https://github.com/Linuxfabrik/lfops/tree/main/roles/repo_google_chrome): `setup_icinga2_master__repo_google_chrome__skip_role` (default: tracks `icingaweb2_module_pdfexport__skip_role`)
+* [google_chrome](https://github.com/Linuxfabrik/lfops/tree/main/roles/google_chrome): `setup_icinga2_master__google_chrome__skip_role` (default: tracks `icingaweb2_module_pdfexport__skip_role`)
 * [icingaweb2_module_pdfexport](https://github.com/Linuxfabrik/lfops/tree/main/roles/icingaweb2_module_pdfexport): `setup_icinga2_master__icingaweb2_module_pdfexport__skip_role` (default: `true`)
 * [icingaweb2_module_vspheredb](https://github.com/Linuxfabrik/lfops/tree/main/roles/icingaweb2_module_vspheredb): `setup_icinga2_master__icingaweb2_module_vspheredb__skip_role` (default: `true`)
 * [icingaweb2_module_director](https://github.com/Linuxfabrik/lfops/tree/main/roles/icingaweb2_module_director): `setup_icinga2_master__icingaweb2_module_director__skip_role`

playbooks/all.yml

@@ -36,6 +36,7 @@
 - import_playbook: 'gitlab_ce.yml'
 - import_playbook: 'glances.yml'
 - import_playbook: 'glpi_agent.yml'
+- import_playbook: 'google_chrome.yml'
 - import_playbook: 'grafana.yml'
 - import_playbook: 'grafana_grizzly.yml'
 - import_playbook: 'haveged.yml'
@@ -101,6 +102,7 @@
 - import_playbook: 'repo_epel.yml'
 - import_playbook: 'repo_gitlab_ce.yml'
 - import_playbook: 'repo_gitlab_runner.yml'
+- import_playbook: 'repo_google_chrome.yml'
 - import_playbook: 'repo_grafana.yml'
 - import_playbook: 'repo_graylog.yml'
 - import_playbook: 'repo_icinga.yml'

playbooks/google_chrome.yml

@@ -0,0 +1,31 @@
+- name: 'Playbook linuxfabrik.lfops.google_chrome'
+  hosts:
+    - 'lfops_google_chrome'
+
+  pre_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-start.yml'
+      tags:
+        - 'always'
+
+
+  roles:
+
+    - role: 'linuxfabrik.lfops.repo_epel'
+      when:
+        - 'not google_chrome__skip_repo_epel | d(false) | bool'
+
+    - role: 'linuxfabrik.lfops.repo_google_chrome'
+      when:
+        - 'not google_chrome__skip_repo_google_chrome | d(false) | bool'
+
+    - role: 'linuxfabrik.lfops.google_chrome'
+
+
+  post_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-end.yml'
+      tags:
+        - 'always'

playbooks/icingaweb2_module_pdfexport.yml

@@ -12,6 +12,18 @@
 
   roles:
 
+    - role: 'linuxfabrik.lfops.repo_epel'
+      when:
+        - 'not icingaweb2_module_pdfexport__skip_repo_epel | d(false) | bool'
+
+    - role: 'linuxfabrik.lfops.repo_google_chrome'
+      when:
+        - 'not icingaweb2_module_pdfexport__skip_repo_google_chrome | d(false) | bool'
+
+    - role: 'linuxfabrik.lfops.google_chrome'
+      when:
+        - 'not icingaweb2_module_pdfexport__skip_google_chrome | d(false) | bool'
+
     - role: 'linuxfabrik.lfops.icingaweb2_module_pdfexport'
 
 

playbooks/repo_google_chrome.yml

@@ -0,0 +1,23 @@
+- name: 'Playbook linuxfabrik.lfops.repo_google_chrome'
+  hosts:
+    - 'lfops_repo_google_chrome'
+
+  pre_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-start.yml'
+      tags:
+        - 'always'
+
+
+  roles:
+
+    - role: 'linuxfabrik.lfops.repo_google_chrome'
+
+
+  post_tasks:
+    - ansible.builtin.import_role:
+        name: 'shared'
+        tasks_from: 'log-end.yml'
+      tags:
+        - 'always'

playbooks/setup_icinga2_master.yml

@@ -7,6 +7,7 @@
 
     setup_icinga2_master__apache_httpd__skip_injections__internal_var: '{{ setup_icinga2_master__apache_httpd__skip_injections | d(setup_icinga2_master__apache_httpd__skip_role__internal_var) }}'
     setup_icinga2_master__apache_httpd__skip_role__internal_var: '{{ setup_icinga2_master__apache_httpd__skip_role | d(false) }}'
+    setup_icinga2_master__google_chrome__skip_role__internal_var: '{{ setup_icinga2_master__google_chrome__skip_role | d(setup_icinga2_master__icingaweb2_module_pdfexport__skip_role__internal_var) }}'
     setup_icinga2_master__grafana__skip_role__internal_var: '{{ setup_icinga2_master__grafana__skip_role | d(false) }}'
     setup_icinga2_master__grafana_grizzly__skip_injections__internal_var: '{{ setup_icinga2_master__grafana_grizzly__skip_injections | d(setup_icinga2_master__grafana_grizzly__skip_role__internal_var) }}'
     setup_icinga2_master__grafana_grizzly__skip_role__internal_var: '{{ setup_icinga2_master__grafana_grizzly__skip_role | d(false) }}'
@@ -58,6 +59,7 @@
     setup_icinga2_master__redis__skip_injections__internal_var: '{{ setup_icinga2_master__redis__skip_injections | d(setup_icinga2_master__redis__skip_role__internal_var) }}'
     setup_icinga2_master__redis__skip_role__internal_var: '{{ setup_icinga2_master__redis__skip_role | d(false) }}'
     setup_icinga2_master__repo_epel__skip_role__internal_var: '{{ setup_icinga2_master__repo_epel__skip_role | d(false) }}'
+    setup_icinga2_master__repo_google_chrome__skip_role__internal_var: '{{ setup_icinga2_master__repo_google_chrome__skip_role | d(setup_icinga2_master__icingaweb2_module_pdfexport__skip_role__internal_var) }}'
     setup_icinga2_master__repo_grafana__skip_role__internal_var: '{{ setup_icinga2_master__repo_grafana__skip_role | d(false) }}'
     setup_icinga2_master__repo_icinga__skip_role__internal_var: '{{ setup_icinga2_master__repo_icinga__skip_role | d(false) }}'
     setup_icinga2_master__repo_influxdb__skip_role__internal_var: '{{ setup_icinga2_master__repo_influxdb__skip_role | d(false) }}'
@@ -312,6 +314,14 @@
       when:
         - 'not setup_icinga2_master__icingaweb2_module_jira__skip_role__internal_var'
 
+    - role: 'linuxfabrik.lfops.repo_google_chrome'
+      when:
+        - 'not setup_icinga2_master__repo_google_chrome__skip_role__internal_var'
+
+    - role: 'linuxfabrik.lfops.google_chrome'
+      when:
+        - 'not setup_icinga2_master__google_chrome__skip_role__internal_var'
+
     - role: 'linuxfabrik.lfops.icingaweb2_module_pdfexport'
       when:
         - 'not setup_icinga2_master__icingaweb2_module_pdfexport__skip_role__internal_var'