Add Podman container infrastructure role for containerized services

- Implemented complete Podman infrastructure role following rick-infra patterns
- Minimal installation approach: only install podman, trust Arch dependency management
- Configured with crun runtime for optimal performance and security
- Security-focused: HTTPS-only registries, rootless containers, systemd hardening
- Registry support: docker.io, quay.io, ghcr.io with secure configurations
- Ready for service-specific users with isolated container environments
- Quadlet support for native systemd container management
- Container-to-host networking via bridge networks with host gateway access
- Foundation for future containerized services (Authentik, Nextcloud)
- Maintains rick-infra philosophy: infrastructure provides foundation, apps manage specifics

roles/podman/defaults/main.yml

@@ -0,0 +1,73 @@
+---
+# =================================================================
+# Podman Infrastructure Role - Simplified Configuration  
+# =================================================================
+# Provides rootless container infrastructure for applications
+# Applications manage their own service-specific users and deployments
+
+# =================================================================
+# Essential Configuration
+# =================================================================
+
+# Service Management
+podman_service_enabled: true
+podman_service_state: "started"
+
+# Installation Configuration (Arch Linux optimized)
+podman_install_optional: false  # Trust pacman dependency management
+
+# =================================================================
+# Container Runtime Security
+# =================================================================
+
+# Rootless container configuration
+podman_rootless: true
+podman_systemd_security: true
+
+# =================================================================
+# Registry Configuration
+# =================================================================
+
+# Default container registries (secure, trusted sources)
+podman_registries:
+  - docker.io
+  - quay.io
+  - ghcr.io
+
+# Registry security settings
+podman_registry_insecure: false
+podman_registry_blocked: false
+
+# =================================================================
+# Network Configuration
+# =================================================================
+
+# Default networking (applications create their own networks)
+podman_default_network: "bridge"
+podman_network_security: true
+
+# =================================================================
+# Storage Configuration
+# =================================================================
+
+# Container storage settings
+podman_storage_driver: "overlay"
+podman_storage_security: true
+
+# =================================================================
+# Infrastructure Notes
+# =================================================================
+# This role provides minimal podman infrastructure
+# Applications should manage their own configurations:
+#
+# Service-specific users:
+# - Applications create users like: authentik, nextcloud, etc.
+# - Each user gets isolated subuid/subgid ranges
+# - Each user manages their own containers via systemd --user
+#
+# Container networking:
+# - Applications create bridge networks for isolation
+# - Host services accessed via host.containers.internal
+# - Port publishing only to localhost for security
+#
+# Podman's built-in defaults are used for everything else