chef-recipes/roles/podman/tasks/main.yml

101 lines
2.8 KiB
YAML
Raw Normal View History

# code: language=ansible
- name: Install base packages from distro package manager
2023-02-01 17:34:56 +00:00
become: true
2023-02-06 09:11:03 +00:00
ansible.builtin.package:
2023-02-01 17:34:56 +00:00
name:
- fuse-overlayfs
state: present
# http://ftp.us.debian.org/debian/pool/main/
- name: Install packages from debian unstable repository
become: true
ansible.builtin.apt:
deb: "{{ item }}"
2023-02-01 17:34:56 +00:00
state: present
loop:
- http://ftp.us.debian.org/debian/pool/main/n/netavark/netavark_1.4.0-3_amd64.deb
- http://ftp.us.debian.org/debian/pool/main/a/aardvark-dns/aardvark-dns_1.4.0-3_amd64.deb
- http://ftp.us.debian.org/debian/pool/main/libp/libpod/podman_4.4.0+ds1-1_amd64.deb
- http://ftp.us.debian.org/debian/pool/main/libp/libpod/podman-docker_4.4.0+ds1-1_amd64.deb
2023-02-01 17:34:56 +00:00
- name: Add the 'containers' user
become: true
2023-02-06 09:11:03 +00:00
ansible.builtin.user:
2023-02-01 17:34:56 +00:00
name: containers
2023-02-06 09:11:03 +00:00
password: "!"
system: false
2023-02-01 17:34:56 +00:00
shell: /bin/bash
2023-02-06 09:11:03 +00:00
comment: User running unprivileged containers
state: present
- name: Add admin pub keys to authorized_keys
become: true
ansible.posix.authorized_key:
2023-02-06 09:11:03 +00:00
user: containers
key: "{{ item }}"
state: present
loop: "{{ vault_containers_authorized_keys }}"
2023-02-01 17:34:56 +00:00
- name: Check if user is lingering
2023-02-06 09:11:03 +00:00
ansible.builtin.stat:
2023-02-01 17:34:56 +00:00
path: "/var/lib/systemd/linger/containers"
register: user_lingering
- name: Enable lingering is needed
become: true
2023-02-06 09:11:03 +00:00
ansible.builtin.command: "loginctl enable-linger containers"
2023-02-01 17:34:56 +00:00
when:
- not user_lingering.stat.exists
- name: Allow unprivileged users to open ports
become: true
ansible.posix.sysctl:
name: net.ipv4.ip_unprivileged_port_start
value: "20"
2023-02-06 09:11:03 +00:00
sysctl_set: true
2023-02-01 17:34:56 +00:00
- name: Enable podman socket
become: true
become_user: containers
ansible.builtin.systemd:
scope: user
name: podman.socket
2023-02-06 09:11:03 +00:00
enabled: true
2023-02-01 17:34:56 +00:00
state: started
- name: Enable podman auto-update timer
become_user: containers
2023-02-01 17:34:56 +00:00
become: true
ansible.builtin.systemd:
name: podman-auto-update.timer
2023-02-06 09:11:03 +00:00
enabled: true
2023-02-01 17:34:56 +00:00
- name: Copy default containers config file
become: true
ansible.builtin.copy:
2023-02-06 09:11:03 +00:00
remote_src: true
2023-02-01 17:34:56 +00:00
src: /usr/share/containers/containers.conf
dest: /etc/containers/containers.conf
mode: 0644
- name: Set podman default subnet into small /24 networks
2023-02-01 17:34:56 +00:00
become: true
2023-02-06 09:11:03 +00:00
ansible.builtin.lineinfile:
2023-02-01 17:34:56 +00:00
path: /etc/containers/containers.conf
2023-02-03 17:01:06 +00:00
regex: "^(.*)default_subnet = (.*)$"
2023-02-01 17:34:56 +00:00
line: 'default_subnet = "172.16.0.0/24"'
- name: Force podman netavark network backend instead of CNI
become: true
ansible.builtin.lineinfile:
path: /etc/containers/containers.conf
regexp: "^(.*)network_backend = (.*)$"
insertafter: "\\[network\\]"
line: 'network_backend = "netavark"'
# If regular expressions are passed to both regexp and insertafter, insertafter is only honored if no match for regexp is found.
2023-02-06 09:11:03 +00:00
# - name: Reboot
# become: true
# ansible.builtin.reboot: