Joakim
846ab74f87
- Enable IP forwarding in security playbook (net.ipv4.ip_forward = 1) - Add podman network firewall rules to fix container DNS/HTTPS access - Implement systemd timer for reliable Nextcloud background job execution - Add database optimization tasks (indices, bigint conversion, mimetypes) - Configure maintenance window (04:00 UTC) and phone region (NO) - Add security headers (X-Robots-Tag, X-Permitted-Cross-Domain-Policies) - Create Nextcloud removal playbook for clean uninstall - Fix nftables interface matching (podman0 vs podman+) Root cause: nftables FORWARD chain blocked container egress traffic Solution: Explicit firewall rules for podman0 bridge interface
77 lines
2.6 KiB
YAML
77 lines
2.6 KiB
YAML
---
|
|
# =================================================================
|
|
# Podman Infrastructure Role - Simplified Configuration
|
|
# =================================================================
|
|
# Provides rootless container infrastructure for applications
|
|
# Applications manage their own service-specific users and deployments
|
|
|
|
# =================================================================
|
|
# Essential Configuration
|
|
# =================================================================
|
|
|
|
# Service Management
|
|
podman_service_enabled: true
|
|
podman_service_state: "started"
|
|
|
|
# Installation Configuration (Arch Linux optimized)
|
|
podman_install_optional: false # Trust pacman dependency management
|
|
|
|
# =================================================================
|
|
# Container Runtime Security
|
|
# =================================================================
|
|
|
|
# Rootless container configuration
|
|
podman_rootless: true
|
|
podman_systemd_security: true
|
|
|
|
# =================================================================
|
|
# Registry Configuration
|
|
# =================================================================
|
|
|
|
# Default container registries (secure, trusted sources)
|
|
podman_registries:
|
|
- docker.io
|
|
- quay.io
|
|
- ghcr.io
|
|
|
|
# Registry security settings
|
|
podman_registry_insecure: false
|
|
podman_registry_blocked: false
|
|
|
|
# =================================================================
|
|
# Network Configuration
|
|
# =================================================================
|
|
|
|
# Default networking (applications create their own networks)
|
|
podman_default_network: "bridge"
|
|
podman_network_security: true
|
|
|
|
# Trusted container subnets (allowed through firewall)
|
|
podman_trusted_subnets:
|
|
- "10.88.0.0/16"
|
|
|
|
# =================================================================
|
|
# Storage Configuration
|
|
# =================================================================
|
|
|
|
# Container storage settings
|
|
podman_storage_driver: "overlay"
|
|
podman_storage_security: true
|
|
|
|
# =================================================================
|
|
# Infrastructure Notes
|
|
# =================================================================
|
|
# This role provides minimal podman infrastructure
|
|
# Applications should manage their own configurations:
|
|
#
|
|
# Service-specific users:
|
|
# - Applications create users like: authentik, nextcloud, etc.
|
|
# - Each user gets isolated subuid/subgid ranges
|
|
# - Each user manages their own containers via systemd --user
|
|
#
|
|
# Container networking:
|
|
# - Applications create bridge networks for isolation
|
|
# - Host services accessed via host.containers.internal
|
|
# - Port publishing only to localhost for security
|
|
#
|
|
# Podman's built-in defaults are used for everything else |