feat: Move from Debian to Fedora

This reverts commit 81b51cfcba.

README.md

@@ -1,82 +1,66 @@
 # role_podman
 
-Rôle de déploiement de podman.
-
-## Pré-requis
-
-Ce rôle créer un utilisateur dédié via [cet autre rôle](https://gitea.ykn.fr/ansible/role_users) dont il est dépendant.
-L'utilisation de ce rôle et de sa dépendance dans un playbook nécessite d'utilise ansible-galaxy en lui indiquant un fichier dont le contenu est le suivant :
-
-```bash
-$ cd playbook_podman
-$ tee requirements.yml <<EOF
----
-
-roles:
-  - name: users
-    scm: git
-    src: ssh://gitea@git.ykn.fr:12393/ansible/role_users.git
-    version: alpha
-
-  - name: podman
-    scm: git
-    src: ssh://gitea@git.ykn.fr:12393/ansible/role_podman.git
-    version: alpha
-EOF
-$ ansible-galaxy install -fr requirements.yml
-```
+Deploy podman, manage pods and containers.
 
 ## Variables
 
-### podman_configure_rsyslog
+### podman_auto_update
 
-Désactive les messages du programme *podman* et des programmes dans les conteneurs si ils portent le nom du conteneur.
+Status of the automatic container update service.
 
-<span style="text-decoration: underline">Valeur par défaut:</span> `true` (activé, `false` pour désactiver)
+<span style="text-decoration: underline">Default value:</span> `true
+
+### podman_pods
+
+List of dictionnaries to define pods ([see ansible documentation](https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_pod_module.html)).
+
+<span style="text-decoration: underline">Default value:</span> none
 
 ### podman_containers
 
-Définition des conteneurs à déployer.
+List of dictionnaries to define containers ([see ansible documentation](https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_container_module.html#ansible-collections-containers-podman-podman-container-module)).
 
-<span style="text-decoration: underline">Valeur par défaut:</span> *aucune*
+<span style="text-decoration: underline">Default value:</span> none
 
-## Utilisation
+## Usage
 
-Définir la variable `podman_containers` dans un fichier sous `host_vars` ou `group_vars` :
-
-```bash
-$ tee host_vars/lxd_podman_host.yml <<EOF
----
+To deploy *wg-easy* container:
 
+```yml
+# BEGIN role_podman
 podman_containers:
-  - image: docker.io/wallabag/wallabag:latest
-    name: wallbag
-    userns: keep-id
+  - image: "ghcr.io/wg-easy/wg-easy:latest"
+    name: wg-easy
+    publish:
+      - "51820:51820/udp"
+      - "51821:51821/tcp"
     volumes:
-      - wallbag-data:/var/www/wallabag/data
-      - wallbag-image:/var/www/wallabag/web/assets/images
-    ports:
-      - 80:80/tcp
-    environment_vars:
-      - SYMFONY__ENV__DOMAIN_NAME=https://wallbag.ykn.fr
-```
-
-Il est également possible de définir l'utilisateur via la variable `user`, comme ceci :
-
-```bash
-$ tee host_vars/lxd_podman_host.yml <<EOF
----
-
-podman_containers:
-  - image: docker.io/wallabag/wallabag:latest
-    name: wallbag
-    user: un_utilisateur
-    userns: keep-id
-    volumes:
-      - wallbag-data:/var/www/wallabag/data
-      - wallbag-image:/var/www/wallabag/web/assets/images
-    ports:
-      - 80:80/tcp
-    environment_vars:
-      - SYMFONY__ENV__DOMAIN_NAME=https://wallbag.ykn.fr
+      - "/srv/wg-easy:/etc/wireguard"
+    env:
+      LANG: fr
+      PORT: 51821
+      UI_CHART_TYPE: 2
+      PASSWORD_HASH: <secret>
+      WG_HOST: noun.ykn.fr
+      WG_PORT: 51820
+      WG_PERSISTENT_KEEPALIVE: 25
+      WG_DEFAULT_DNS: ""
+      WG_ALLOWED_IPS: 192.168.84.0/24
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+      - SYS_MODULE
+    sysctl:
+      net.ipv4.ip_forward: 1
+      net.ipv4.conf.all.src_valid_mark: 1
+    quadlet_options:
+      - AutoUpdate=registry
+      - |-
+        [Service]
+        Restart=on-failure
+        TimeoutStartSec=900
+      - |-
+        [Install]
+        WantedBy=default.target
+# END role_podman
 ```

defaults/main.yml

@@ -1,17 +1,22 @@
 ---
 # defaults file for podman
 
-podman_configure_rsyslog: true
+# Packages to install to run podman
+podman_packages:
+  - podman
+  - policycoreutils-python-utils # to manage SELinux
 
-podman_containers: []
-# Exemple:
-#  - image: docker.io/wallabag/wallabag:latest
-#    name: wallbag
-#    userns: keep-id
-#    volumes:
-#      - wallbag-data:/var/www/wallabag/data
-#      - wallbag-image:/var/www/wallabag/web/assets/images
-#    ports:
-#      - 80:80/tcp
-#    environment_vars:
-#      - SYMFONY__ENV__DOMAIN_NAME=https://wallbag.ykn.fr
+# Dedicated user
+podman_user: podman
+podman_user_homedir: /home/{{ podman_user }}
+
+# Enable container auto-update
+podman_auto_update: true
+
+# List of quadlets to deploy
+podman_quadlets: []
+# Example:
+# podman_quadlets:
+#   - uptime-kuma.network
+#   - uptime-kuma.container
+#   - signal-cli-rest-api.container

handlers/main.yml

@@ -1,8 +1,23 @@
 ---
-# handlers file for exim4
+# handlers file for podman
 
-- name: Redémarrer rsyslog.service
-  ansible.builtin.systemd:
-    state: restarted
-    name: rsyslog.service
+- name: Start or restart quadlets
+  ansible.builtin.systemd_service:
+    name: "{{ unit }}"
+    state: "{{ 'restarted' if item.changed else 'started' }}"
+    daemon_reload: true
+    enabled: true
+    scope: user
   become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ deployed_quadlets.results }}"
+  loop_control:
+    label: "{{ unit }}"
+  vars:
+    unit: >-
+      {{
+        item.item.filename | default(item.item) | ansible.builtin.basename |
+        ansible.builtin.regex_replace('\.container$', '.service') |
+        ansible.builtin.regex_replace('\.network$', '-network.service') |
+        ansible.builtin.regex_replace('\.volume$', '-volume.service')
+      }}

meta/main.yml

@@ -1,15 +1,15 @@
 galaxy_info:
   namespace: ykn
   author: pulsar89.5
-  description: Rôle de déploiement de podman
+  description: Deploy podman quadlets
 
   license: GPL-3.0-or-later
 
   min_ansible_version: '2.1'
 
   platforms:
-    - name: Debian
+    - name: Fedora
       versions:
-        - sid
+        - "43"
 
 dependencies: []

tasks/config.yml

@@ -0,0 +1,45 @@
+---
+# tasks file for podman
+
+- name: Disable global podman auto-update
+  ansible.builtin.systemd_service:
+    name: podman-auto-update.timer
+    enabled: false
+  become: true
+
+- name: Enable lingering for podman user
+  ansible.builtin.command:
+    cmd: "{{ item }}"
+    creates: /var/lib/systemd/linger/{{ podman_user }}
+  become: true
+  loop:
+    - sudo systemctl --machine={{ podman_user }}@.host --user daemon-reload
+    - loginctl enable-linger {{ podman_user }}
+
+- name: Enable containers auto-update service
+  ansible.builtin.systemd_service:
+    name: podman-auto-update.timer
+    state: started
+    daemon_reload: true
+    scope: user
+  when: podman_auto_update
+  become: true
+  become_user: "{{ podman_user }}"
+
+- name: Create podman user directory tree
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: "{{ item.mode }}"
+    state: directory
+  become: true
+  loop:
+    - path: "{{ podman_user_homedir }}/.config"
+      mode: u=rwX,g=,o=
+    - path: "{{ podman_user_homedir }}/.config/containers"
+      mode: u=rwX,g=rX,o=rX
+    - path: "{{ podman_user_homedir }}/.config/containers/systemd"
+      mode: u=rwX,g=rX,o=rX
+  loop_control:
+    label: "{{ item.path }}"

tasks/configuration.yml

@@ -1,48 +0,0 @@
----
-# tasks file for podman
-
-- name: Créer l'utilisateur dédié
-  ansible.builtin.include_role:
-    name: users
-  vars:
-    users:
-      - name: "{{ container_user }}"
-        comment: Dedicated Podman user ({{ container.name }})
-        update_password: on_create
-        password_lock: true
-        shell: /bin/bash
-
-- name: Créer le chemin de stockage des définitions
-  ansible.builtin.file:
-    path: "{{ container_basepath }}"
-    state: directory
-    owner: "{{ container_user }}"
-    group: "{{ container_user }}"
-    mode: u=rwX,g=rwX,o=
-  become: true
-
-- name: Déployer le conteneur
-  ansible.builtin.template:
-    src: podman-quadlet.container.j2 
-    dest: "{{ container_basepath }}/{{ container_filename }}"
-    owner: "{{ container_user }}"
-    group: "{{ container_user }}"
-    mode: u=rw,g=rw,o=
-  become: true
-  register: deploy_container
-
-- name: Activer le lingering
-  ansible.builtin.command:
-   cmd: "loginctl enable-linger {{ container_user }}"
-   creates: /var/lib/systemd/linger/{{ container_user }}
-  become: true
-
-- name: Démarrer ou redémarrer le conteneur
-  ansible.builtin.systemd_service:
-    name: "{{ container_filename | replace('.container', '.service') }}"
-    state: "{{ 'restarted' if deploy_container.changed else 'started' }}"
-    enabled: true
-    daemon_reload: true
-    scope: user
-  become: true
-  become_user: "{{ container_user }}"

tasks/installation.yml

@@ -1,24 +0,0 @@
----
-# tasks file for podman
-
-- name: Installer les paquets
-  ansible.builtin.apt:
-    name:
-      - dbus-user-session
-      - podman
-      - rootlesskit
-      - slirp4netns
-      - systemd-container
-    state: present
-  become: true
-
-- name: Déployer la configuration de rsyslog
-  ansible.builtin.template:
-    src: templates/rsyslog.conf.j2
-    dest: /etc/rsyslog.d/10-podman.conf
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
-  when: podman_configure_rsyslog
-  become: true
-  notify: Redémarrer rsyslog.service

tasks/main.yml

@@ -1,18 +1,17 @@
 ---
 # tasks file for podman
 
-- name: Importer les tâches d'installation
-  tags: installation
-  ansible.builtin.import_tasks: installation.yml
+- name: Import prepare tasks
+  ansible.builtin.import_tasks:
+    file: prepare.yml
 
-- name: Importer les tâches de configuration
-  tags: configuration
-  ansible.builtin.include_tasks: configuration.yml
-  loop: "{{ podman_containers }}"
-  loop_control:
-    label: "{{ container.name }}"
-    loop_var: container
-  vars:
-    container_user: "podman-{{ container.user | default(container.name) }}"
-    container_basepath: "/home/{{ container_user }}/.config/containers/systemd"
-    container_filename: "podman-{{ container.name }}.container"
+- name: Import configuration tasks
+  ansible.builtin.import_tasks:
+    file: config.yml
+
+- name: Import management tasks
+  ansible.builtin.import_tasks:
+    file: manage.yml
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

tasks/manage.yml

@@ -0,0 +1,64 @@
+---
+# tasks file for podman
+
+#- name: List current quadlets
+#  ansible.builtin.find:
+#    paths: "{{ podman_user_homedir }}/.config/containers/systemd"
+#  become: true
+#  register: current_quadlets
+#
+#- name: Extract list of undefined quadlets
+#  ansible.builtin.set_fact:
+#    podman_quadlets_undefined: >-
+#      {{
+#        current_quadlets.files |
+#        map(attribute='path') |
+#        map('ansible.builtin.basename') |
+#        ansible.builtin.difference(podman_qualets_filenames)
+#      }}
+#  vars:
+#    podman_qualets_filenames: "{{ podman_quadlets | map('ansible.builtin.basename') }}"
+#
+#- name: Stop unwanted quadlets
+#  ansible.builtin.systemd_service:
+#    name: "{{ unit }}"
+#    state: stopped
+#    daemon_reload: true
+#    scope: user
+#  become: true
+#  become_user: "{{ podman_user }}"
+#  loop: "{{ podman_quadlets_undefined }}"
+#  loop_control:
+#    label: "{{ unit }}"
+#  vars:
+#    unit: >-
+#      {{
+#        item | ansible.builtin.basename |
+#        ansible.builtin.regex_replace('\.container$', '.service') |
+#        ansible.builtin.regex_replace('\.network$', '-network.service') |
+#        ansible.builtin.regex_replace('\.volume$', '-volume.service')
+#      }}
+#
+#- name: Remove undefined quadlets
+#  ansible.builtin.file:
+#    path: "{{ podman_user_homedir }}/.config/containers/systemd/{{ item }}"
+#    state: absent
+#  become: true
+#  loop: "{{ podman_quadlets_undefined }}"
+
+- name: Deploy quadlets
+  ansible.builtin.template:
+    src: "{{ item.template | default(item) }}.j2"
+    dest: "{{ podman_user_homedir }}/.config/containers/systemd/{{ item.filename | default(item) | ansible.builtin.basename }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: u=rw,g=r,o=
+  become: true
+  loop: "{{ podman_quadlets }}"
+  loop_control:
+    label: "{{ item.filename | default(item) }}"
+  register: deployed_quadlets
+  notify: Start or restart quadlets
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

tasks/prepare.yml

@@ -0,0 +1,22 @@
+---
+# tasks file for podman
+
+- name: Install packages
+  ansible.builtin.dnf:
+    name: "{{ podman_packages }}"
+  become: true
+
+- name: Create dedicated group
+  ansible.builtin.group:
+    name: "{{ podman_user }}"
+  become: true
+
+- name: Create dedicated user
+  ansible.builtin.user:
+    name: "{{ podman_user }}"
+    comment: Dedicated Podman user
+    home: "{{ podman_user_homedir }}"
+    password_lock: true
+    shell: /bin/bash
+    group: podman
+  become: true

templates/podman-quadlet.container.j2

@@ -1,46 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Description=Podman container: {{ container.name }}
-{% for extra in container.get('unit_extras', []) %}
-{{ extra }}
-{% endfor %}
-
-[Container]
-HostName={{ inventory_hostname }}
-
-Image={{ container.image }}
-ContainerName={{ container.name }}
-
-{% if container.get('userns', '') | length > 0 %}
-UserNS={{ container.userns }}
-{% endif %}
-
-AutoUpdate=registry
-
-{% for volume in container.get('volumes', []) %}
-Volume={{ volume }}
-{% endfor %}
-
-{% for mount in container.get('mounts', []) %}
-{% if mount.get('options', []) | length > 0 %}
-Mount=type={{ mount.type }},src={{ mount.source }},dst={{ mount.destination }},{{ mount.options | join(',') }}
-{% else %}
-Mount=type={{ mount.type }},src={{ mount.source }},dst={{ mount.destination }}
-{% endif %}
-{% endfor %}
-
-{% for port in container.get('ports', []) %}
-PublishPort={{ port }}
-{% endfor %}
-
-{% for environment in container.get('environment_vars', []) %}
-Environment={{ environment }}
-{% endfor %}
-
-[Service]
-Restart=on-failure
-TimeoutStartSec=900
-
-[Install]
-WantedBy=default.target

templates/rsyslog.conf.j2

@@ -1,9 +0,0 @@
-# {{ ansible_managed }}
-
-# Don't log podman
-:programname, contains, "podman" stop
-
-# Don't log progams inside podman container
-{% for container in podman_containers %}
-:programname, contains, "{{ container.name }}" stop
-{% endfor %}