refacto: Rewriting for Debian Sid

README.md

@@ -1,14 +1,54 @@
 # role_podman
 
-Deploy podman, manage pods and containers.
+Install podman and manage pods and containers.
+
+## Pre-requisite
+
+The podman user (`podman_user`) must be created before executing this role.
 
 ## Variables
 
+### podman_packages
+
+List of packages to install in order to use podman.
+
+<span style="text-decoration: underline">Default value:</span> `["catatonit", "dbus-user-session", "passt", "podman", "podman-docker", "uidmap", "systemd-container"]`
+
+### podman_fix_pasta
+
+On bookworm, we need to fix pasta to use podman ([see here](https://github.com/containers/buildah/issues/5440#issuecomment-2028911573)).
+
+<span style="text-decoration: underline">Default value:</span> `false`
+
+### podman_user
+
+Users with container configuration.
+
+<span style="text-decoration: underline">Default value:</span> `podman`
+
+### podman_configure_rsyslog
+
+Status of messages from the *podman* binary and from binaries in containers if they're equalto the container name.
+
+<span style="text-decoration: underline">Default value:</span> `true`
+
+### podman_ssh_host
+
+Host to be tested for instance availability.
+
+<span style="text-decoration: underline">Default value:</span> `{{ inventory_hostname }}`
+
+### podman_ssh_port
+
+Port to be tested for instance availability.
+
+<span style="text-decoration: underline">Default value:</span> `22`
+
 ### podman_auto_update
 
 Status of the automatic container update service.
 
-<span style="text-decoration: underline">Default value:</span> `true
+<span style="text-decoration: underline">Default value:</span> `true`
 
 ### podman_pods
 
@@ -22,45 +62,28 @@ List of dictionnaries to define containers ([see ansible documentation](https://
 
 <span style="text-decoration: underline">Default value:</span> none
 
-## Usage
+## Extras
 
-To deploy *wg-easy* container:
+It's possible to use this role with the alvistack repository by setting the variables to the following values:
 
-```yml
+```yaml
 # BEGIN role_podman
-podman_containers:
+podman_packages:
-  - image: "ghcr.io/wg-easy/wg-easy:latest"
+  - catatonit
-    name: wg-easy
+  - dbus-user-session
-    publish:
+  - containernetworking-dnsname
-      - "51820:51820/udp"
+  - containernetworking-plugins
-      - "51821:51821/tcp"
+  - containernetworking-podman-machine
-    volumes:
+  - passt
-      - "/srv/wg-easy:/etc/wireguard"
+  - podman
-    env:
+  - podman-aardvark-dns
-      LANG: fr
+  - podman-docker
-      PORT: 51821
+  - podman-gvproxy
-      UI_CHART_TYPE: 2
+  - podman-netavark
-      PASSWORD_HASH: <secret>
+  - python3-podman-compose
-      WG_HOST: noun.ykn.fr
+  - uidmap
-      WG_PORT: 51820
+  - systemd-container
-      WG_PERSISTENT_KEEPALIVE: 25
+
-      WG_DEFAULT_DNS: ""
+podman_fix_pasta: true
-      WG_ALLOWED_IPS: 192.168.84.0/24
-    cap_add:
-      - NET_ADMIN
-      - NET_RAW
-      - SYS_MODULE
-    sysctl:
-      net.ipv4.ip_forward: 1
-      net.ipv4.conf.all.src_valid_mark: 1
-    quadlet_options:
-      - AutoUpdate=registry
-      - |-
-        [Service]
-        Restart=on-failure
-        TimeoutStartSec=900
-      - |-
-        [Install]
-        WantedBy=default.target
 # END role_podman
 ```

defaults/main.yml

@@ -1,22 +1,24 @@
 ---
 # defaults file for podman
 
-# Packages to install to run podman
 podman_packages:
+  - catatonit
   - dbus-user-session
   - passt
   - podman
-  - systemd-container
+  - podman-docker
   - uidmap
+  - systemd-container
+podman_fix_pasta: false
 
-# Dedicated user
 podman_user: podman
 
-# Enable container auto-update
+podman_configure_rsyslog: true
+
+podman_ssh_host: "{{ inventory_hostname }}"
+podman_ssh_port: 22
+
 podman_auto_update: true
 
-# Define pods
 podman_pods: []
-
-# Define containers
 podman_containers: []

handlers/main.yml

@@ -1,5 +1,5 @@
 ---
-# handlers file for podman
+# handlers file for exim4
 
 - name: Set default permissions on volumes folders
   ansible.builtin.file:
@@ -10,3 +10,36 @@
   loop: "{{ folders.results | selectattr('changed', 'equalto', true) }}"
   loop_control:
     label: "{{ item.path }}"
+
+# source: https://github.com/containers/buildah/issues/5440#issuecomment-2028911573
+- name: Fix passt VS pasta
+  ansible.builtin.file:
+    state: hard
+    src: /usr/bin/passt
+    dest: /usr/bin/pasta
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+    force: true
+  when: podman_fix_pasta
+  become: true
+
+- name: Restart instance
+  ansible.builtin.reboot:
+  become: true
+
+- name: Wait SSH is ready
+  ansible.builtin.wait_for:
+    host: "{{ podman_ssh_host }}"
+    port: "{{ podman_ssh_port }}"
+    search_regex: OpenSSH
+    delay: 30
+    timeout: 900
+    sleep: 10
+  delegate_to: 127.0.0.1
+
+- name: Restart rsyslog.service
+  ansible.builtin.systemd:
+    state: restarted
+    name: rsyslog.service
+  become: true

meta/.galaxy_install_info

@@ -0,0 +1,2 @@
+install_date: lun. 21 oct. 2024 11:22:51
+version: master

meta/main.yml

@@ -1,15 +1,15 @@
 galaxy_info:
   namespace: ykn
   author: pulsar89.5
-  description: Deploy podman, manage pods and containers
+  description: Rôle de déploiement de podman
 
   license: GPL-3.0-or-later
 
   min_ansible_version: '2.1'
 
   platforms:
-    - name: CoreOS
+    - name: Debian
       versions:
-        - 41
+        - sid
 
 dependencies: []

tasks/configuration.yml

@@ -0,0 +1,79 @@
+---
+# tasks file for podman
+
+- name: Enable lingering for podman user
+  ansible.builtin.command:
+    cmd: "loginctl enable-linger {{ podman_user }}"
+    creates: /var/lib/systemd/linger/podman
+  become: true
+
+- name: Create subvolumes paths
+  ansible.builtin.file:
+    path: "{{ item.1 | split(':') | first }}"
+    state: directory
+    mode: u=rwX,g=rX,o=rX
+  become: true
+  loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}"
+  loop_control:
+    label: "{{ item.0.name }}"
+  register: folders
+  notify: Set default permissions on volumes folders
+
+- name: Exécuter les handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Deploy pods
+  containers.podman.podman_pod: "{{ pod }}"
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ podman_pods }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: deployed_pods
+  vars:
+    pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}"
+
+- name: Start or restart pods
+  ansible.builtin.systemd_service:
+    name: "{{ item.item.name }}-pod.service"
+    state: "{{ 'restarted' if item.changed else 'started' }}"
+    daemon_reload: true
+    scope: user
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ deployed_pods.results }}"
+  loop_control:
+    label: "{{ item.item.name }}"
+
+- name: Deploy containers
+  containers.podman.podman_container: "{{ container }}"
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ podman_containers }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: deployed_containers
+  vars:
+    container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}"
+
+- name: Start or restart containers
+  ansible.builtin.systemd_service:
+    name: "{{ item.item.name }}.service"
+    state: "{{ 'restarted' if item.changed else 'started' }}"
+    daemon_reload: true
+    scope: user
+  become: true
+  become_user: "{{ podman_user }}"
+  loop: "{{ deployed_containers.results }}"
+  loop_control:
+    label: "{{ item.item.name }}"
+
+- name: Enable containers auto-update service
+  ansible.builtin.systemd_service:
+    name: podman-auto-update.timer
+    daemon_reload: true
+    enabled: true
+    scope: user
+  when: podman_auto_update
+  become: true
+  become_user: "{{ podman_user }}"

tasks/containers.yml

@@ -1,25 +0,0 @@
----
-# tasks file for podman
-
-- name: Deploy containers
-  containers.podman.podman_container: "{{ container }}"
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ podman_containers }}"
-  loop_control:
-    label: "{{ item.name }}"
-  register: deployed_containers
-  vars:
-    container: "{{ podman_containers_defaults | ansible.builtin.combine(item) }}"
-
-- name: Start or restart containers
-  ansible.builtin.systemd_service:
-    name: "{{ item.item.name }}.service"
-    state: "{{ 'restarted' if item.changed else 'started' }}"
-    daemon_reload: true
-    scope: user
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ deployed_containers.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"

tasks/installation.yml

@@ -1,7 +1,33 @@
 ---
-# tasks file for dnsmasq
+# tasks file for podman
 
-- name: Install podman
+- name: Installer les paquets
   ansible.builtin.apt:
     name: "{{ podman_packages }}"
+    install_recommends: true
+    state: present
+  become: true
+  notify:
+#    - Fix passt VS pasta
+#    - Restart instance
+#    - Wait SSH is ready
+
+- name: Exécuter les handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Déployer la configuration de rsyslog
+  ansible.builtin.template:
+    src: templates/rsyslog.conf.j2
+    dest: /etc/rsyslog.d/10-podman.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  when: podman_configure_rsyslog
+  become: true
+  notify: Restart rsyslog.service
+
+- name: Désactiver le service de mise à jour automatique pour root
+  ansible.builtin.systemd_service:
+    name: podman-auto-update.timer
+    enabled: false
   become: true

tasks/main.yml

@@ -5,14 +5,6 @@
   ansible.builtin.import_tasks:
     file: installation.yml
 
-- name: Import instance preparation tasks
+- name: Import configuration tasks
   ansible.builtin.import_tasks:
-    file: prepare.yml
+    file: configuration.yml
-
-- name: Import pods management tasks
-  ansible.builtin.import_tasks:
-    file: pods.yml
-
-- name: Import containers management tasks
-  ansible.builtin.import_tasks:
-    file: containers.yml

tasks/pods.yml

@@ -1,25 +0,0 @@
----
-# tasks file for podman
-
-- name: Deploy pods
-  containers.podman.podman_pod: "{{ pod }}"
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ podman_pods }}"
-  loop_control:
-    label: "{{ item.name }}"
-  register: deployed_pods
-  vars:
-    pod: "{{ podman_pods_defaults | ansible.builtin.combine(item) }}"
-
-- name: Start or restart pods
-  ansible.builtin.systemd_service:
-    name: "{{ item.item.name }}-pod.service"
-    state: "{{ 'restarted' if item.changed else 'started' }}"
-    daemon_reload: true
-    scope: user
-  become: true
-  become_user: "{{ podman_user }}"
-  loop: "{{ deployed_pods.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"

tasks/prepare.yml

@@ -1,49 +0,0 @@
----
-# tasks file for podman
-
-- name: Create dedicated group
-  ansible.builtin.group:
-    name: "{{ podman_user }}"
-  become: true
-
-- name: Create dedicated user
-  ansible.builtin.user:
-    name: "{{ podman_user }}"
-    comment: Dedicated Podman user
-    password_lock: true
-    shell: /bin/bash
-    group: podman
-  become: true
-
-- name: Disable global podman auto-update
-  ansible.builtin.systemd_service:
-    name: podman-auto-update.timer
-    enabled: false
-  become: true
-
-- name: Enable containers auto-update service
-  ansible.builtin.command:
-    cmd: systemctl --user --machine={{ podman_user }}@ start podman-auto-update.timer
-  when: podman_auto_update
-  become: true
-
-- name: Enable lingering for podman user
-  ansible.builtin.command:
-    cmd: loginctl enable-linger {{ podman_user }}
-    creates: /var/lib/systemd/linger/podman
-  become: true
-
-- name: Create subvolumes paths
-  ansible.builtin.file:
-    path: "{{ item.1 | split(':') | first }}"
-    state: directory
-    mode: u=rwX,g=rX,o=rX
-  become: true
-  loop: "{{ q('ansible.builtin.subelements', podman_containers, 'volumes', {'skip_missing': True}) }}"
-  loop_control:
-    label: "{{ item.0.name }}"
-  register: folders
-  notify: Set default permissions on volumes folders
-
-- name: Execute handlers
-  ansible.builtin.meta: flush_handlers

templates/rsyslog.conf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+# Don't log podman
+:programname, contains, "podman" stop
+
+# Don't log progams inside podman container
+{% for container in podman_containers %}
+:programname, contains, "{{ container.name }}" stop
+{% endfor %}