joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Podman container infrastructure role for containerized services

Browse Source 
- Implemented complete Podman infrastructure role following rick-infra patterns
- Minimal installation approach: only install podman, trust Arch dependency management
- Configured with crun runtime for optimal performance and security
- Security-focused: HTTPS-only registries, rootless containers, systemd hardening
- Registry support: docker.io, quay.io, ghcr.io with secure configurations
- Ready for service-specific users with isolated container environments
- Quadlet support for native systemd container management
- Container-to-host networking via bridge networks with host gateway access
- Foundation for future containerized services (Authentik, Nextcloud)
- Maintains rick-infra philosophy: infrastructure provides foundation, apps manage specifics
This commit is contained in:
Joakim
2025-11-20 22:11:44 +01:00
parent 3b062edeb6
commit 500224b5de
8 changed files with 483 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
roles/podman/templates/registries.conf.j2 Normal file
View File

@@ -0,0 +1,35 @@
# Container Registry Configuration - Generated by Ansible
# rick-infra Podman Infrastructure Role
#
# This configuration defines trusted container registries
# for secure container image retrieval
# =================================================================
# Registry Search Configuration
# =================================================================
# Default registries to search when pulling unqualified image names
# Images without a registry prefix will search these in order
unqualified-search-registries = {{ podman_registries | to_json }}
{% for registry in podman_registries %}
# =================================================================
# {{ registry | title }} Registry Configuration
# =================================================================
[[registry]]
location = "{{ registry }}"
insecure = {{ podman_registry_insecure | lower }}
blocked = {{ podman_registry_blocked | lower }}
{% endfor %}
# =================================================================
# Security Notes
# =================================================================
# All registries configured with:
# - insecure: false (HTTPS required)
# - blocked: false (registry accessible)
#
# Additional registries can be added by applications as needed
# following the same security-first configuration pattern