diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml
index 11fc9ad..f1494fb 100644
--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
@@ -1,11 +1,24 @@
-- name: Install base packages
+# code: language=ansible
+
+- name: Install base packages from distro package manager
   become: true
   ansible.builtin.package:
     name:
-      - podman
-      - podman-docker
+      - fuse-overlayfs
     state: present
 
+# http://ftp.us.debian.org/debian/pool/main/
+- name: Install packages from debian unstable repository
+  become: true
+  ansible.builtin.apt:
+    deb: "{{ item }}"
+    state: present
+  loop:
+    - http://ftp.us.debian.org/debian/pool/main/n/netavark/netavark_1.4.0-3_amd64.deb
+    - http://ftp.us.debian.org/debian/pool/main/a/aardvark-dns/aardvark-dns_1.4.0-3_amd64.deb
+    - http://ftp.us.debian.org/debian/pool/main/libp/libpod/podman_4.4.0+ds1-1_amd64.deb
+    - http://ftp.us.debian.org/debian/pool/main/libp/libpod/podman-docker_4.4.0+ds1-1_amd64.deb
+
 - name: Add the 'containers' user
   become: true
   ansible.builtin.user:
@@ -18,7 +31,7 @@
 
 - name: Add admin pub keys to authorized_keys
   become: true
-  ansible.posix.authorized_keys:
+  ansible.posix.authorized_key:
     user: containers
     key: "{{ item }}"
     state: present
@@ -39,7 +52,7 @@
   become: true
   ansible.posix.sysctl:
     name: net.ipv4.ip_unprivileged_port_start
-    value: "80"
+    value: "20"
     sysctl_set: true
 
 - name: Enable podman socket
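Review bot: The four `.deb` files in the new `Install packages from debian unstable repository` task are fetched over plain `http://` and handed to `ansible.builtin.apt: deb:` with no checksum, and because `deb:` installs a downloaded file through dpkg it gets none of the repository signature verification that installing from an apt source would; the host ends up trusting whatever the network path returns. Fetch them first with `ansible.builtin.get_url` over HTTPS with a pinned `checksum:` and install the local files (sketch below), or add the suite via `ansible.builtin.apt_repository` with apt pinning so apt's own GPG check applies. Separately, dropping `podman` and `podman-docker` from the distro package task while hard-pinning `4.4.0+ds1-1` from the unstable pool means these packages stop receiving security updates, and pool URLs for a specific version vanish once unstable moves on, so the play will start failing on a 404 rather than silently staying current.
```yaml
- name: Download pinned .deb files and verify their checksums
  become: true
  ansible.builtin.get_url:
    url: "{{ item.url }}"
    dest: "/var/cache/apt/archives/{{ item.url | basename }}"
    checksum: "sha256:{{ item.sha256 }}"
  loop:
    - url: https://ftp.us.debian.org/debian/pool/main/n/netavark/netavark_1.4.0-3_amd64.deb
      sha256: "<SHA256_PLACEHOLDER: copy from the package's Debian page or .changes file>"
    # … the other three packages, each with its own sha256 …
  register: pinned_debs

- name: Install the verified .deb files
  become: true
  ansible.builtin.apt:
    deb: "{{ item.dest }}"
  loop: "{{ pinned_debs.results }}"
```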
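Review bot: `value: "20"` for `net.ipv4.ip_unprivileged_port_start` lets every unprivileged process on the host, not only rootless podman, bind any port from 20 upward, which includes 22, 25 and 53 whenever the privileged daemon is not already holding them; the previous `"80"` exposed only the 80–1023 range. If a single low port is the goal, record which one in a comment and use the narrowest value that covers it, or keep the default and redirect that port to a high container port with a firewall rule instead of widening the sysctl. At minimum a comment such as `# Lets unprivileged (rootless podman) processes bind ports >= 20; this also opens 22/25/53 to any local user when free` would make the trade-off visible to the next reader.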
@@ -65,13 +78,22 @@
     dest: /etc/containers/containers.conf
     mode: 0644
 
-- name: Change podman default subnet
+- name: Set podman default subnet into small /24 networks
   become: true
   ansible.builtin.lineinfile:
     path: /etc/containers/containers.conf
     regex: "^(.*)default_subnet = (.*)$"
     line: 'default_subnet = "172.16.0.0/24"'
 
+- name: Force podman netavark network backend instead of CNI
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/containers/containers.conf
+    regexp: "^(.*)network_backend = (.*)$"
+    insertafter: "\\[network\\]"
+    line: 'network_backend = "netavark"'
+    # If regular expressions are passed to both regexp and insertafter, insertafter is only honored if no match for regexp is found.
+
 # - name: Reboot
 #   become: true
 #   ansible.builtin.reboot:
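Review bot: The new `Force podman netavark network backend instead of CNI` task spells the option `regexp:` while the adjacent `Set podman default subnet` task in the same hunk uses the alias `regex:`; pick one spelling for both (the documented name is `regexp`). Functionally, `insertafter: "\\[network\\]"` only helps when a `[network]` header already exists: when neither the regexp nor the header matches, lineinfile falls back to appending at end of file, so the key can land under whatever section is last in containers.conf and be ignored by podman — a preceding task that ensures the `[network]` header is present would make the edit deterministic. Switching the backend on a host that already has CNI-created networks or containers is, as far as I recall, documented by podman as requiring `podman system reset`; a comment next to the task such as `# Changing network_backend on a host with existing CNI networks needs a podman system reset — confirm before running on a populated host` would flag that for operators.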