Add Podman container infrastructure role for containerized services
- Implemented complete Podman infrastructure role following rick-infra patterns - Minimal installation approach: only install podman, trust Arch dependency management - Configured with crun runtime for optimal performance and security - Security-focused: HTTPS-only registries, rootless containers, systemd hardening - Registry support: docker.io, quay.io, ghcr.io with secure configurations - Ready for service-specific users with isolated container environments - Quadlet support for native systemd container management - Container-to-host networking via bridge networks with host gateway access - Foundation for future containerized services (Authentik, Nextcloud) - Maintains rick-infra philosophy: infrastructure provides foundation, apps manage specifics
This commit is contained in:
67
roles/podman/templates/containers.conf.j2
Normal file
67
roles/podman/templates/containers.conf.j2
Normal file
@@ -0,0 +1,67 @@
|
||||
# Podman Configuration - Generated by Ansible
|
||||
# rick-infra Podman Infrastructure Role
|
||||
#
|
||||
# Global podman configuration providing secure defaults
|
||||
# for containerized applications
|
||||
|
||||
# =================================================================
|
||||
# Container Engine Configuration
|
||||
# =================================================================
|
||||
|
||||
[engine]
|
||||
|
||||
# Container runtime (OCI compliant)
|
||||
# runtime = "runc" # Default, can be overridden to crun
|
||||
|
||||
# Network backend for container networking
|
||||
network_backend = "netavark"
|
||||
|
||||
# Default network for new containers
|
||||
default_network = "{{ podman_default_network }}"
|
||||
|
||||
# =================================================================
|
||||
# Storage Configuration
|
||||
# =================================================================
|
||||
|
||||
# Storage driver for container layers and images
|
||||
# driver = "{{ podman_storage_driver }}" # overlay is default
|
||||
|
||||
# =================================================================
|
||||
# Security Configuration
|
||||
# =================================================================
|
||||
|
||||
# Enable security features
|
||||
# seccomp_profile = "/usr/share/containers/seccomp.json"
|
||||
# apparmor_profile = "containers-default-0.14.5"
|
||||
|
||||
# =================================================================
|
||||
# Network Configuration
|
||||
# =================================================================
|
||||
|
||||
[network]
|
||||
|
||||
# Default subnet for new networks (applications override this)
|
||||
default_subnet = "10.88.0.0/16"
|
||||
default_subnet_pools = [
|
||||
{"base" = "10.89.0.0/16", "size" = 24},
|
||||
{"base" = "10.90.0.0/16", "size" = 24}
|
||||
]
|
||||
|
||||
# =================================================================
|
||||
# Service Integration
|
||||
# =================================================================
|
||||
|
||||
[service_destinations]
|
||||
|
||||
# Systemd integration for container services
|
||||
# Applications use this for quadlet deployment
|
||||
|
||||
# =================================================================
|
||||
# Infrastructure Notes
|
||||
# =================================================================
|
||||
# This configuration provides secure defaults for all containers
|
||||
# Applications should:
|
||||
# - Create service-specific users for container isolation
|
||||
# - Use quadlet files for systemd integration
|
||||
# - Create custom networks for multi-container applications
|
||||
# - Access host services via host.containers.internal
|
||||
35
roles/podman/templates/registries.conf.j2
Normal file
35
roles/podman/templates/registries.conf.j2
Normal file
@@ -0,0 +1,35 @@
|
||||
# Container Registry Configuration - Generated by Ansible
|
||||
# rick-infra Podman Infrastructure Role
|
||||
#
|
||||
# This configuration defines trusted container registries
|
||||
# for secure container image retrieval
|
||||
|
||||
# =================================================================
|
||||
# Registry Search Configuration
|
||||
# =================================================================
|
||||
|
||||
# Default registries to search when pulling unqualified image names
|
||||
# Images without a registry prefix will search these in order
|
||||
unqualified-search-registries = {{ podman_registries | to_json }}
|
||||
|
||||
{% for registry in podman_registries %}
|
||||
# =================================================================
|
||||
# {{ registry | title }} Registry Configuration
|
||||
# =================================================================
|
||||
|
||||
[[registry]]
|
||||
location = "{{ registry }}"
|
||||
insecure = {{ podman_registry_insecure | lower }}
|
||||
blocked = {{ podman_registry_blocked | lower }}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
# =================================================================
|
||||
# Security Notes
|
||||
# =================================================================
|
||||
# All registries configured with:
|
||||
# - insecure: false (HTTPS required)
|
||||
# - blocked: false (registry accessible)
|
||||
#
|
||||
# Additional registries can be added by applications as needed
|
||||
# following the same security-first configuration pattern
|
||||
Reference in New Issue
Block a user