fix: Review CoreOS compatibility

README.md

@@ -1,54 +1,14 @@
 # role_podman
 
-Install podman and manage pods and containers.
+Deploy podman, manage pods and containers.
-
-## Pre-requisite
-
-The podman user (`podman_user`) must be created before executing this role.
 
 ## Variables
 
-### podman_packages
-
-List of packages to install in order to use podman.
-
-<span style="text-decoration: underline">Default value:</span> `["catatonit", "dbus-user-session", "passt", "podman", "podman-docker", "uidmap", "systemd-container"]`
-
-### podman_fix_pasta
-
-On bookworm, we need to fix pasta to use podman ([see here](https://github.com/containers/buildah/issues/5440#issuecomment-2028911573)).
-
-<span style="text-decoration: underline">Default value:</span> `false`
-
-### podman_user
-
-Users with container configuration.
-
-<span style="text-decoration: underline">Default value:</span> `podman`
-
-### podman_configure_rsyslog
-
-Status of messages from the *podman* binary and from binaries in containers if they're equalto the container name.
-
-<span style="text-decoration: underline">Default value:</span> `true`
-
-### podman_ssh_host
-
-Host to be tested for instance availability.
-
-<span style="text-decoration: underline">Default value:</span> `{{ inventory_hostname }}`
-
-### podman_ssh_port
-
-Port to be tested for instance availability.
-
-<span style="text-decoration: underline">Default value:</span> `22`
-
 ### podman_auto_update
 
 Status of the automatic container update service.
 
-<span style="text-decoration: underline">Default value:</span> `true`
+<span style="text-decoration: underline">Default value:</span> `true
 
 ### podman_pods
 
@@ -62,28 +22,45 @@ List of dictionnaries to define containers ([see ansible documentation](https://
 
 <span style="text-decoration: underline">Default value:</span> none
 
-## Extras
+## Usage
 
-It's possible to use this role with the alvistack repository by setting the variables to the following values:
+To deploy *wg-easy* container:
 
-```yaml
+```yml
 # BEGIN role_podman
-podman_packages:
+podman_containers:
-  - catatonit
+  - image: "ghcr.io/wg-easy/wg-easy:latest"
-  - dbus-user-session
+    name: wg-easy
-  - containernetworking-dnsname
+    publish:
-  - containernetworking-plugins
+      - "51820:51820/udp"
-  - containernetworking-podman-machine
+      - "51821:51821/tcp"
-  - passt
+    volumes:
-  - podman
+      - "/srv/wg-easy:/etc/wireguard"
-  - podman-aardvark-dns
+    env:
-  - podman-docker
+      LANG: fr
-  - podman-gvproxy
+      PORT: 51821
-  - podman-netavark
+      UI_CHART_TYPE: 2
-  - python3-podman-compose
+      PASSWORD_HASH: <secret>
-  - uidmap
+      WG_HOST: noun.ykn.fr
-  - systemd-container
+      WG_PORT: 51820
-
+      WG_PERSISTENT_KEEPALIVE: 25
-podman_fix_pasta: true
+      WG_DEFAULT_DNS: ""
+      WG_ALLOWED_IPS: 192.168.84.0/24
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+      - SYS_MODULE
+    sysctl:
+      net.ipv4.ip_forward: 1
+      net.ipv4.conf.all.src_valid_mark: 1
+    quadlet_options:
+      - AutoUpdate=registry
+      - |-
+        [Service]
+        Restart=on-failure
+        TimeoutStartSec=900
+      - |-
+        [Install]
+        WantedBy=default.target
 # END role_podman
 ```

defaults/main.yml

@@ -1,24 +1,22 @@
 ---
 # defaults file for podman
 
+# Packages to install to run podman
 podman_packages:
-  - catatonit
   - dbus-user-session
   - passt
   - podman
-  - podman-docker
-  - uidmap
   - systemd-container
-podman_fix_pasta: false
+  - uidmap
 
+# Dedicated user
 podman_user: podman
 
-podman_configure_rsyslog: true
+# Enable container auto-update
-
-podman_ssh_host: "{{ inventory_hostname }}"
-podman_ssh_port: 22
-
 podman_auto_update: true
 
+# Define pods
 podman_pods: []
+
+# Define containers
 podman_containers: []

handlers/main.yml

@@ -1,5 +1,5 @@
 ---
-# handlers file for exim4
+# handlers file for podman
 
 - name: Set default permissions on volumes folders
   ansible.builtin.file:
@@ -10,36 +10,3 @@
   loop: "{{ folders.results | selectattr('changed', 'equalto', true) }}"
   loop_control:
     label: "{{ item.path }}"
-
-# source: https://github.com/containers/buildah/issues/5440#issuecomment-2028911573
-- name: Fix passt VS pasta
-  ansible.builtin.file:
-    state: hard
-    src: /usr/bin/passt
-    dest: /usr/bin/pasta
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
-    force: true
-  when: podman_fix_pasta
-  become: true
-
-- name: Restart instance
-  ansible.builtin.reboot:
-  become: true
-
-- name: Wait SSH is ready
-  ansible.builtin.wait_for:
-    host: "{{ podman_ssh_host }}"
-    port: "{{ podman_ssh_port }}"
-    search_regex: OpenSSH
-    delay: 30
-    timeout: 900
-    sleep: 10
-  delegate_to: 127.0.0.1
-
-- name: Restart rsyslog.service
-  ansible.builtin.systemd:
-    state: restarted
-    name: rsyslog.service
-  become: true

meta/.galaxy_install_info

@@ -1,2 +0,0 @@
-install_date: lun. 21 oct. 2024 11:22:51
-version: master

meta/main.yml

@@ -1,15 +1,15 @@
 galaxy_info:
   namespace: ykn
   author: pulsar89.5
-  description: Rôle de déploiement de podman
+  description: Deploy podman, manage pods and containers
 
   license: GPL-3.0-or-later
 
   min_ansible_version: '2.1'
 
   platforms:
-    - name: Debian
+    - name: CoreOS
       versions:
-        - sid
+        - 41
 
 dependencies: []

tasks/configuration.yml

@@ -1,79 +0,0 @@
----
-# tasks file for podman
-
-- name: Enable lingering for podman user
-  ansible.builtin.command:
-    cmd: "loginctl enable-linger {{ podman_user }}"
-    creates: /var/lib/systemd/linger/podman
-  become: true
-
-- name: Create subvolumes paths
-  ansible.builtin.file:
-    path: "{{ item.1 | split(':') | first }}"
-    state: directory
-    mode: u=rwX,g=rX,o=rX
-  become: true
-  loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}"
-  loop_control:
-    label: "{{ item.0.name }}"
-  register: folders
-  notify: Set default permissions on volumes folders
-
-- name: Exécuter les handlers
-  ansible.builtin.meta: flush_handlers
-
-- name: Deploy pods
-  containers.podman.podman_pod: "{{ pod }}"
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ podman_pods }}"
-  loop_control:
-    label: "{{ item.name }}"
-  register: deployed_pods
-  vars:
-    pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}"
-
-- name: Start or restart pods
-  ansible.builtin.systemd_service:
-    name: "{{ item.item.name }}-pod.service"
-    state: "{{ 'restarted' if item.changed else 'started' }}"
-    daemon_reload: true
-    scope: user
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ deployed_pods.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"
-
-- name: Deploy containers
-  containers.podman.podman_container: "{{ container }}"
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ podman_containers }}"
-  loop_control:
-    label: "{{ item.name }}"
-  register: deployed_containers
-  vars:
-    container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}"
-
-- name: Start or restart containers
-  ansible.builtin.systemd_service:
-    name: "{{ item.item.name }}.service"
-    state: "{{ 'restarted' if item.changed else 'started' }}"
-    daemon_reload: true
-    scope: user
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ deployed_containers.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"
-
-- name: Enable containers auto-update service
-  ansible.builtin.systemd_service:
-    name: podman-auto-update.timer
-    daemon_reload: true
-    enabled: true
-    scope: user
-  when: podman_auto_update
-  become: true
-  become_user: "{{ podman_user }}"

tasks/containers.yml

@@ -0,0 +1,25 @@
+---
+# tasks file for podman
+
+- name: Deploy containers
+  containers.podman.podman_container: "{{ container }}"
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ podman_containers }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: deployed_containers
+  vars:
+    container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}"
+
+- name: Start or restart containers
+  ansible.builtin.systemd_service:
+    name: "{{ item.item.name }}.service"
+    state: "{{ 'restarted' if item.changed else 'started' }}"
+    daemon_reload: true
+    scope: user
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ deployed_containers.results }}"
+  loop_control:
+    label: "{{ item.item.name }}"

tasks/installation.yml

@@ -1,33 +1,7 @@
 ---
-# tasks file for podman
+# tasks file for dnsmasq
 
-- name: Installer les paquets
+- name: Install podman
   ansible.builtin.apt:
     name: "{{ podman_packages }}"
-    install_recommends: true
-    state: present
-  become: true
-  notify:
-    - Fix passt VS pasta
-    - Restart instance
-    - Wait SSH is ready
-
-- name: Exécuter les handlers
-  ansible.builtin.meta: flush_handlers
-
-- name: Déployer la configuration de rsyslog
-  ansible.builtin.template:
-    src: templates/rsyslog.conf.j2
-    dest: /etc/rsyslog.d/10-podman.conf
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
-  when: podman_configure_rsyslog
-  become: true
-  notify: Restart rsyslog.service
-
-- name: Désactiver le service de mise à jour automatique pour root
-  ansible.builtin.systemd_service:
-    name: podman-auto-update.timer
-    enabled: false
   become: true

tasks/main.yml

@@ -5,6 +5,14 @@
   ansible.builtin.import_tasks:
     file: installation.yml
 
-- name: Import configuration tasks
+- name: Import instance preparation tasks
   ansible.builtin.import_tasks:
-    file: configuration.yml
+    file: prepare.yml
+
+- name: Import pods management tasks
+  ansible.builtin.import_tasks:
+    file: pods.yml
+
+- name: Import containers management tasks
+  ansible.builtin.import_tasks:
+    file: containers.yml

tasks/pods.yml

@@ -0,0 +1,25 @@
+---
+# tasks file for podman
+
+- name: Deploy pods
+  containers.podman.podman_pod: "{{ pod }}"
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ podman_pods }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: deployed_pods
+  vars:
+    pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}"
+
+- name: Start or restart pods
+  ansible.builtin.systemd_service:
+    name: "{{ item.item.name }}-pod.service"
+    state: "{{ 'restarted' if item.changed else 'started' }}"
+    daemon_reload: true
+    scope: user
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ deployed_pods.results }}"
+  loop_control:
+    label: "{{ item.item.name }}"

tasks/prepare.yml

@@ -0,0 +1,49 @@
+---
+# tasks file for podman
+
+- name: Create dedicated group
+  ansible.builtin.group:
+    name: "{{ podman_user }}"
+  become: true
+
+- name: Create dedicated user
+  ansible.builtin.user:
+    name: "{{ podman_user }}"
+    comment: Dedicated Podman user
+    password_lock: true
+    shell: /bin/bash
+    group: podman
+  become: true
+
+- name: Disable global podman auto-update
+  ansible.builtin.systemd_service:
+    name: podman-auto-update.timer
+    enabled: false
+  become: true
+
+- name: Enable containers auto-update service
+  ansible.builtin.command:
+    cmd: systemctl --user --machine={{ podman_user }}@ start podman-auto-update.timer
+  when: podman_auto_update
+  become: true
+
+- name: Enable lingering for podman user
+  ansible.builtin.command:
+    cmd: loginctl enable-linger {{ podman_user }}
+    creates: /var/lib/systemd/linger/podman
+  become: true
+
+- name: Create subvolumes paths
+  ansible.builtin.file:
+    path: "{{ item.1 | split(':') | first }}"
+    state: directory
+    mode: u=rwX,g=rX,o=rX
+  become: true
+  loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}"
+  loop_control:
+    label: "{{ item.0.name }}"
+  register: folders
+  notify: Set default permissions on volumes folders
+
+- name: Execute handlers
+  ansible.builtin.meta: flush_handlers

templates/rsyslog.conf.j2

@@ -1,9 +0,0 @@
-# {{ ansible_managed }}
-
-# Don't log podman
-:programname, contains, "podman" stop
-
-# Don't log progams inside podman container
-{% for container in podman_containers %}
-:programname, contains, "{{ container.name }}" stop
-{% endfor %}