# code: language=ansible
# Distro-packaged prerequisites. fuse-overlayfs is presumably the overlay
# storage driver for the rootless podman set up further down; everything
# else podman needs arrives with the .deb files installed by the next task.
- name: Install base packages from distro package manager
  ansible.builtin.package:
    name: fuse-overlayfs
    state: present
  become: true
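# Podman 4.4 plus the netavark/aardvark-dns network stack are fetched as
# individual files from the Debian pool (https://deb.debian.org/debian/pool/main/)
# instead of from a configured apt source. Two things a reviewer should know:
#   * `apt: deb=` hands the file to dpkg, so the archive's Release signature is
#     never checked. The download now goes over HTTPS (it was plain HTTP, open
#     to substitution in transit), but TLS is not a substitute for signature or
#     checksum verification. Prefer adding the unstable/testing suite with apt
#     pinning so apt verifies signatures, or fetch with get_url and a recorded
#     `checksum:` before installing.
#   * NOTE(review): exact file names in the unstable pool are short-lived; once
#     a newer build lands these URLs 404 and fresh hosts fail here, so the pins
#     need periodic maintenance.
- name: Install packages from debian unstable repository
  become: true
  ansible.builtin.apt:
    deb: "{{ item }}"
    state: present
  loop:
    - https://deb.debian.org/debian/pool/main/n/netavark/netavark_1.4.0-3_amd64.deb
    - https://deb.debian.org/debian/pool/main/a/aardvark-dns/aardvark-dns_1.4.0-3_amd64.deb
    - https://deb.debian.org/debian/pool/main/libp/libpod/podman_4.4.0+ds1-1_amd64.deb
    - https://deb.debian.org/debian/pool/main/libp/libpod/podman-docker_4.4.0+ds1-1_amd64.deb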
# Dedicated unprivileged account that owns the rootless containers.
- name: Add the 'containers' user
  become: true
  ansible.builtin.user:
    name: containers
    comment: User running unprivileged containers
    shell: /bin/bash
    # "!" is a locked password field, not a hash: no password login is
    # possible, so the SSH keys installed by the next task are the only way in.
    password: "!"
    # Deliberately a regular account rather than a system one. NOTE(review):
    # on Debian this is usually what makes useradd allocate the subuid/subgid
    # range rootless podman needs — confirm against /etc/login.defs on the host.
    system: false
    state: present
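# Manages authorized_keys for the containers user from the vault list.
# `exclusive: true` removes every key that is not in the list, so dropping a
# key from the vault actually revokes access instead of leaving a stale entry
# behind (the previous loop only ever added keys). `exclusive` is not loop
# aware — each iteration would wipe the others — hence one newline-joined
# key string. The `when` guard refuses to write an empty set, which would
# silently lock this password-less account out of SSH entirely.
- name: Add admin pub keys to authorized_keys
  become: true
  ansible.posix.authorized_key:
    user: containers
    key: '{{ vault_containers_authorized_keys | join("\n") }}'
    exclusive: true
    state: present
  when: vault_containers_authorized_keys | length > 0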
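# Lingering keeps the containers user's systemd instance — and with it the
# podman socket and timer enabled below — running without an active login
# session. loginctl records the state as a marker file under
# /var/lib/systemd/linger/<user>, so `creates` makes this idempotent without
# a separate stat task and the command is skipped once the marker exists.
- name: Enable lingering if needed
  become: true
  ansible.builtin.command:
    cmd: loginctl enable-linger containers
    creates: /var/lib/systemd/linger/containers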
# Presumably so rootless podman can publish privileged ports (80/443 etc.).
# NOTE(review): this sysctl is host-wide — it applies to every unprivileged
# account, not just 'containers' — and 20 is low enough to include 22, 25 and
# 53. Raise it to the lowest port actually needed, or grant
# CAP_NET_BIND_SERVICE to the specific binary, if that scope is too broad.
- name: Allow unprivileged users to open ports
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.ip_unprivileged_port_start
    value: "20"
    state: present
    # Apply to the running kernel now as well as persisting to the sysctl file.
    sysctl_set: true
    reload: true
# Starts the API socket inside the containers user's own systemd instance
# (hence become_user + scope: user); this is what podman-docker / DOCKER_HOST
# style clients talk to. NOTE(review): anything that can reach this socket
# controls all of that user's containers — keep it a local unix socket and
# never expose it over TCP. If the task fails with "Failed to connect to bus",
# the become session lacks XDG_RUNTIME_DIR for the user's bus; set it in the
# task environment.
- name: Enable podman socket
  become: true
  become_user: containers
  ansible.builtin.systemd:
    name: podman.socket
    scope: user
    state: started
    enabled: true
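# Enables the auto-update timer in the containers user's systemd instance,
# matching the socket task above. `scope: user` was missing: the module
# defaults to the system scope, so as the unprivileged user it targeted the
# system-wide unit (which would update root's containers, not this user's).
# `state: started` makes the timer actually run without waiting for a reboot.
# NOTE(review): auto-update re-pulls whatever the registry currently serves
# for the image tags of opted-in containers, so an upstream push lands on
# this host unattended — prefer digests or a tightly controlled registry.
- name: Enable podman auto-update timer
  become: true
  become_user: containers
  ansible.builtin.systemd:
    name: podman-auto-update.timer
    scope: user
    state: started
    enabled: true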
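# Seeds /etc/containers/containers.conf from the packaged default so the
# lineinfile edits below have a file to work on. `force: false` copies only
# when the destination is missing; without it every run clobbered the edited
# file with the pristine copy and then re-applied the edits, so the play
# never converged and any local changes were silently discarded.
- name: Copy default containers config file
  become: true
  ansible.builtin.copy:
    remote_src: true
    src: /usr/share/containers/containers.conf
    dest: /etc/containers/containers.conf
    force: false
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the leading zero.
    mode: "0644"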
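# Shrinks the subnet of podman's default network to a /24. The leading `(.*)`
# in the regexp also matches a commented-out `#default_subnet = ...` line if
# the packaged file carries one, so the edit replaces it in place inside
# [network]; `insertafter` is only consulted when no such line exists, and
# keeps the key out of whatever section happens to be last in the file.
# `regexp` is the canonical option name (the task below uses it too).
# NOTE(review): 172.16.0.0/24 is RFC 1918 space — check it does not collide
# with any routed network this host needs to reach.
- name: Set podman default subnet into small /24 networks
  become: true
  ansible.builtin.lineinfile:
    path: /etc/containers/containers.conf
    regexp: "^(.*)default_subnet = (.*)$"
    insertafter: "\\[network\\]"
    line: 'default_subnet = "172.16.0.0/24"'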
# Pins the network backend to netavark (the package installed above) rather
# than CNI. NOTE(review): podman will not switch backends on a host that
# already has CNI-created networks or containers without a reset — check
# before running this against an existing deployment.
- name: Force podman netavark network backend instead of CNI
  become: true
  ansible.builtin.lineinfile:
    path: /etc/containers/containers.conf
    # Matches an existing network_backend line, commented out or not, and
    # replaces it in place.
    regexp: "^(.*)network_backend = (.*)$"
    # Only honored when regexp finds nothing: the line is then added right
    # under the [network] header instead of at end of file.
    insertafter: "\\[network\\]"
    line: 'network_backend = "netavark"'
# - name: Reboot
# become: true
# ansible.builtin.reboot: