Add GitHub Container Registry authentication to Podman role

- Deploy /etc/containers/auth.json with GHCR credentials
- Support for private container image pulls
- Credentials encrypted in Ansible vault
- Used by devigo and other services pulling from private registries
- Updated documentation with authentication setup

roles/podman/README.md

@@ -34,6 +34,27 @@ Podman is deployed as a system-level infrastructure service that provides contai
 
 All registries configured with HTTPS-only, no insecure connections allowed.
 
+### **Private Registry Authentication:**
+For private container images (e.g., from GitHub Container Registry), this role deploys authentication credentials:
+
+- **Auth file**: `/etc/containers/auth.json` (system-wide, for root containers)
+- **Permissions**: 0600 (root:root only)
+- **Credentials**: Stored encrypted in Ansible Vault
+- **Automatic**: Quadlet containers automatically use authentication when pulling images
+
+**Configuration:**
+```yaml
+# In group_vars/production/vault.yml (encrypted)
+vault_github_username: "your-username"
+vault_github_token: "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+# In group_vars/production/main.yml
+github_username: "{{ vault_github_username }}"
+github_token: "{{ vault_github_token }}"
+```
+
+When these variables are defined, the role automatically deploys authentication for ghcr.io.
+
 ## Application Integration
 
 Applications should create service-specific users and manage their own container deployments:

roles/podman/tasks/main.yml

@@ -61,6 +61,29 @@
   changed_when: false
   failed_when: false
 
+# =================================================================
+# Container Registry Authentication
+# =================================================================
+# Deploy system-wide authentication for private container registries
+# Currently supports: GitHub Container Registry (ghcr.io)
+
+- name: Deploy GitHub Container Registry authentication
+  copy:
+    content: |
+      {
+        "auths": {
+          "ghcr.io": {
+            "auth": "{{ (github_username + ':' + github_token) | b64encode }}"
+          }
+        }
+      }
+    dest: /etc/containers/auth.json
+    mode: '0600'
+    owner: root
+    group: root
+  when: github_username is defined and github_token is defined
+  no_log: true  # Don't log sensitive authentication data
+
 - name: Display Podman infrastructure status
   debug:
     msg: |
@@ -70,6 +93,7 @@
       🔒 Security: Rootless container runtime enabled
       📦 Registries: {{ podman_registries | join(', ') }}
       🏗️ Storage: {{ 'overlay' if 'overlay' in podman_system_info.stdout else 'system default' }}
+      🔑 Auth: {{ 'GitHub Container Registry configured' if (github_username is defined and github_token is defined) else 'No private registry auth' }}
       
       🚀 Ready for containerized applications!
       

roles/podman/templates/containers.conf.j2

@@ -19,6 +19,9 @@ network_backend = "netavark"
 # Default network for new containers
 default_network = "{{ podman_default_network }}"
 
+# For signing into ghcr.io
+auth_file = "/etc/containers/auth.json"
+
 # =================================================================
 # Storage Configuration  
 # =================================================================
@@ -64,4 +67,4 @@ default_subnet_pools = [
 # - Create service-specific users for container isolation
 # - Use quadlet files for systemd integration  
 # - Create custom networks for multi-container applications
-# - Access host services via host.containers.internal
+# - Access host services via host.containers.internal