From 4ee18820d48e56a637c24765afaf777153d93210 Mon Sep 17 00:00:00 2001
From: "pulsar89.5"
Date: Mon, 17 Mar 2025 01:59:03 +0100
Subject: [PATCH] fix: Review CoreOS compatibility
---
 README.md | 2 +-
 defaults/main.yml | 27 +++++++++++++
 handlers/main.yml | 6 +--
 meta/.galaxy_install_info | 2 -
 meta/main.yml | 2 +-
 tasks/containers.yml | 25 ++++++++++++
 tasks/installation.yml | 7 ++++
 tasks/main.yml | 80 ++++++---------------------------------
 tasks/pods.yml | 25 ++++++++++++
 tasks/prepare.yml | 49 ++++++++++++++++++++++++
 10 files changed, 150 insertions(+), 75 deletions(-)
 delete mode 100644 meta/.galaxy_install_info
 create mode 100644 tasks/containers.yml
 create mode 100644 tasks/installation.yml
 create mode 100644 tasks/pods.yml
 create mode 100644 tasks/prepare.yml
diff --git a/README.md b/README.md
index 206486b..6a552ba 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # role_podman
-Deploy podman pods and containers on CoreOS instance.
+Deploy podman, manage pods and containers.
 ## Variables
diff --git a/defaults/main.yml b/defaults/main.yml
index 71eb4f1..4e08014 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,7 +1,34 @@
 ---
 # defaults file for podman
+# Packages to install to run podman
+podman_packages:
+ - crun
+ - podman
+ - systemd-container
+# - dbus-user-session
+## - containernetworking-dnsname
+# - containernetworking-plugins
+## - containernetworking-podman-machine
+# - dbus-user-session
+# - passt
+# - podman
+# - podman-aardvark-dns
+# - podman-docker
+# - podman-gvproxy
+# - podman-netavark
+# - python3-podman-compose
+# - uidmap
+# - systemd-container
+
+# Dedicated user
+podman_user: podman
+
+# Enable container auto-update
 podman_auto_update: true
+# Define pods
 podman_pods: []
+
+# Define containers
 podman_containers: []
diff --git a/handlers/main.yml b/handlers/main.yml
index 2c6375d..a57cacd 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
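Review bot: `podman_pods_defaults` and `podman_containers_defaults` are combined into every pod and container in tasks/pods.yml and tasks/containers.yml, yet this defaults file still does not define them; unless they are declared in vars/main.yml (not part of this patch), a play that does not set them fails with an undefined-variable error, so adding `podman_pods_defaults: {}` and `podman_containers_defaults: {}` here with a one-line comment each would make the role usable out of the box. The long commented-out tail under `podman_packages` also repeats two of the live entries (`podman`, `systemd-container`), lists `dbus-user-session` twice and mixes `#` and `##` prefixes; trimming it to the packages actually installed, or moving the alternatives into the README, keeps the default readable.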
@@ -1,11 +1,11 @@
 ---
-# handlers file for exim4
+# handlers file for podman
 - name: Set default permissions on volumes folders
 ansible.builtin.file:
 path: "{{ item.path }}"
- owner: root
- group: root
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
 become: true
 loop: "{{ folders.results | selectattr('changed', 'equalto', true) }}"
 loop_control:
diff --git a/meta/.galaxy_install_info b/meta/.galaxy_install_info
deleted file mode 100644
index e18572d..0000000
--- a/meta/.galaxy_install_info
+++ /dev/null
@@ -1,2 +0,0 @@
-install_date: lun. 21 oct. 2024 11:22:51
-version: master
diff --git a/meta/main.yml b/meta/main.yml
index 08dd360..ed161c5 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
 galaxy_info:
 namespace: ykn
 author: pulsar89.5
- description: Rôle de déploiement de podman
+ description: Deploy podman, manage pods and containers
 license: GPL-3.0-or-later
diff --git a/tasks/containers.yml b/tasks/containers.yml
new file mode 100644
index 0000000..2ba73d2
--- /dev/null
+++ b/tasks/containers.yml
@@ -0,0 +1,25 @@
+---
+# tasks file for podman
+
+- name: Deploy containers
+ containers.podman.podman_container: "{{ container }}"
+ become: true
+ become_user: "{{ podman_user }}"
+ loop: "{{ podman_containers }}"
+ loop_control:
+ label: "{{ item.name }}"
+ register: deployed_containers
+ vars:
+ container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}"
+
+- name: Start or restart containers
+ ansible.builtin.systemd_service:
+ name: "{{ item.item.name }}.service"
+ state: "{{ 'restarted' if item.changed else 'started' }}"
+ daemon_reload: true
+ scope: user
+ become: true
+ become_user: "{{ podman_user }}"
+ loop: "{{ deployed_containers.results }}"
+ loop_control:
+ label: "{{ item.item.name }}"
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..98aa58f
--- /dev/null
+++ b/tasks/installation.yml
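Review bot: In "Start or restart containers", `ansible.builtin.systemd_service` with `scope: user` under `become_user: "{{ podman_user }}"` talks to that user's session bus, which Ansible only finds when `XDG_RUNTIME_DIR` (and usually `DBUS_SESSION_BUS_ADDRESS`) is set for the become user; without it the task typically fails with a "Failed to connect to bus" error even though lingering was enabled in tasks/prepare.yml. An `environment:` block on the task, e.g. `XDG_RUNTIME_DIR: "/run/user/<uid of podman_user>"` with the uid taken from the registered result of the user-creation task, makes this deterministic; the same applies to the pods task in tasks/pods.yml. The unit `{{ item.item.name }}.service` also presumably exists only when `podman_containers_defaults` asks the module to generate a systemd unit, which is not visible in this patch and deserves a comment above the task such as `# Expects podman_containers_defaults to request systemd unit generation`.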
@@ -0,0 +1,7 @@
+---
+# tasks file for dnsmasq
+
+- name: Install podman
+ ansible.builtin.apt:
+ name: "{{ podman_packages }}"
+ become: true
diff --git a/tasks/main.yml b/tasks/main.yml
index c52242d..30b28eb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
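Review bot: `ansible.builtin.apt` ties the new installation step to Debian-family hosts although the commit subject is about CoreOS compatibility (Fedora CoreOS has no apt and is rpm-ostree based), so on such a host this task fails before anything else runs; `ansible.builtin.package` with `name: "{{ podman_packages }}"` and `state: present` keeps it portable, or the task can be gated with `when: ansible_facts.pkg_mgr == 'apt'` and the README state that podman must be preinstalled elsewhere. If apt stays, `update_cache: true` (or `cache_valid_time`) avoids failing on a stale index on a fresh host. The header comment `# tasks file for dnsmasq` is a copy-paste leftover and should read `# tasks file for podman` like the other task files.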
@@ -1,74 +1,18 @@
 ---
 # tasks file for podman
-- name: Ensure podman.service is started
- ansible.builtin.systemd_service:
- name: podman.service
- state: started
- enabled: true
- masked: false
- daemon_reload: true
- become: true
+- name: Import installation tasks
+ ansible.builtin.import_tasks:
+ file: installation.yml
-- name: Create subvolumes paths
- ansible.builtin.file:
- path: "{{ item.1 | split(':') | first }}"
- state: directory
- mode: u=rwX,g=rX,o=rX
- become: true
- loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}"
- loop_control:
- label: "{{ item.0.name }}"
- register: folders
- notify: Set default permissions on volumes folders
+- name: Import instance preparation tasks
+ ansible.builtin.import_tasks:
+ file: prepare.yml
-- name: Exécuter les handlers
- ansible.builtin.meta: flush_handlers
+- name: Import pods management tasks
+ ansible.builtin.import_tasks:
+ file: pods.yml
-- name: Deploy pods
- containers.podman.podman_pod: "{{ pod }}"
- become: true
- loop: "{{ podman_pods }}"
- loop_control:
- label: "{{ item.name }}"
- register: deployed_pods
- vars:
- pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}"
-
-- name: Start or restart pods
- ansible.builtin.systemd_service:
- name: "{{ item.item.name }}-pod.service"
- state: "{{ 'restarted' if item.changed else 'started' }}"
- daemon_reload: true
- become: true
- loop: "{{ deployed_pods.results }}"
- loop_control:
- label: "{{ item.item.name }}"
-
-- name: Deploy containers
- containers.podman.podman_container: "{{ container }}"
- become: true
- loop: "{{ podman_containers }}"
- loop_control:
- label: "{{ item.name }}"
- register: deployed_containers
- vars:
- container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}"
-
-- name: Start or restart containers
- ansible.builtin.systemd_service:
- name: "{{ item.item.name }}.service"
- state: "{{ 'restarted' if item.changed else 'started' }}"
- daemon_reload: true
- become: true
- loop: "{{ deployed_containers.results }}"
- loop_control:
- label: "{{ item.item.name }}"
-
-- name: Enable containers auto-update service
- ansible.builtin.systemd_service:
- name: podman-auto-update.timer
- daemon_reload: true
- enabled: true
- when: podman_auto_update
- become: true
+- name: Import containers management tasks
+ ansible.builtin.import_tasks:
+ file: containers.yml
diff --git a/tasks/pods.yml b/tasks/pods.yml
new file mode 100644
index 0000000..58e7196
--- /dev/null
+++ b/tasks/pods.yml
@@ -0,0 +1,25 @@
+---
+# tasks file for podman
+
+- name: Deploy pods
+ containers.podman.podman_pod: "{{ pod }}"
+ become: true
+ become_user: "{{ podman_user }}"
+ loop: "{{ podman_pods }}"
+ loop_control:
+ label: "{{ item.name }}"
+ register: deployed_pods
+ vars:
+ pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}"
+
+- name: Start or restart pods
+ ansible.builtin.systemd_service:
+ name: "{{ item.item.name }}-pod.service"
+ state: "{{ 'restarted' if item.changed else 'started' }}"
+ daemon_reload: true
+ scope: user
+ become: true
+ become_user: "{{ podman_user }}"
+ loop: "{{ deployed_pods.results }}"
+ loop_control:
+ label: "{{ item.item.name }}"
diff --git a/tasks/prepare.yml b/tasks/prepare.yml
new file mode 100644
index 0000000..cc2652e
--- /dev/null
+++ b/tasks/prepare.yml
@@ -0,0 +1,49 @@
+---
+# tasks file for podman
+
+- name: Create dedicated group
+ ansible.builtin.group:
+ name: "{{ podman_user }}"
+ become: true
+
+- name: Create dedicated user
+ ansible.builtin.user:
+ name: "{{ podman_user }}"
+ comment: Dedicated Podman user
+ password_lock: true
+ shell: /bin/bash
+ group: podman
+ become: true
+
+- name: Disable global podman auto-update
+ ansible.builtin.systemd_service:
+ name: podman-auto-update.timer
+ enabled: false
+ become: true
+
+- name: Enable containers auto-update service
+ ansible.builtin.command:
+ cmd: systemctl --user --machine={{ podman_user }}@ start podman-auto-update.timer
+ when: podman_auto_update
+ become: true
+
+- name: Enable lingering for podman user
+ ansible.builtin.command:
+ cmd: loginctl enable-linger {{ podman_user }}
+ creates: /var/lib/systemd/linger/podman
+ become: true
+
+- name: Create subvolumes paths
+ ansible.builtin.file:
+ path: "{{ item.1 | split(':') | first }}"
+ state: directory
+ mode: u=rwX,g=rX,o=rX
+ become: true
+ loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}"
+ loop_control:
+ label: "{{ item.0.name }}"
+ register: folders
+ notify: Set default permissions on volumes folders
+
+- name: Execute handlers
+ ansible.builtin.meta: flush_handlers
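Review bot: `group: podman` in "Create dedicated user" and `creates: /var/lib/systemd/linger/podman` in "Enable lingering for podman user" hard-code the default value of `podman_user`, so overriding the variable either breaks user creation (the group task creates `{{ podman_user }}`, not `podman`) or re-runs `loginctl enable-linger` on every play; both should read `group: "{{ podman_user }}"` and `creates: "/var/lib/systemd/linger/{{ podman_user }}"`. The auto-update task runs `systemctl --user --machine={{ podman_user }}@ start podman-auto-update.timer` before lingering is enabled, so on a host where that user's manager is not yet running the `--machine` connection presumably fails; moving the lingering task above it and using `enable --now` instead of `start` also makes the timer survive a reboot. As written the command task always reports changed and does nothing when `podman_auto_update` is false, leaving a previously enabled user timer active; a `changed_when` derived from the prior state, or `ansible.builtin.systemd_service` with `scope: user` under `become_user` and `enabled: "{{ podman_auto_update }}"`, handles both cases.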