Joakim
44584c68f1
- Deploy /etc/containers/auth.json with GHCR credentials - Support for private container image pulls - Credentials encrypted in Ansible vault - Used by devigo and other services pulling from private registries - Updated documentation with authentication setup
103 lines
2.9 KiB
YAML
103 lines
2.9 KiB
YAML
---
|
|
# Podman Infrastructure Role - Simplified Tasks
|
|
|
|
- name: Update package cache
|
|
pacman:
|
|
update_cache: yes
|
|
|
|
- name: Install crun as OCI runtime (faster than runc)
|
|
pacman:
|
|
name: crun
|
|
state: present
|
|
|
|
- name: Install Podman container runtime
|
|
pacman:
|
|
name: podman
|
|
state: present
|
|
|
|
- name: Verify podman installation
|
|
command: podman --version
|
|
register: podman_version_check
|
|
changed_when: false
|
|
|
|
- name: Create global containers configuration directory
|
|
file:
|
|
path: /etc/containers
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: Configure global container registries
|
|
template:
|
|
src: registries.conf.j2
|
|
dest: /etc/containers/registries.conf
|
|
mode: '0644'
|
|
backup: yes
|
|
notify: restart podman
|
|
|
|
- name: Configure global podman settings
|
|
template:
|
|
src: containers.conf.j2
|
|
dest: /etc/containers/containers.conf
|
|
mode: '0644'
|
|
backup: yes
|
|
notify: restart podman
|
|
|
|
- name: Enable podman system service (if enabled)
|
|
systemd:
|
|
name: podman
|
|
enabled: "{{ podman_service_enabled }}"
|
|
state: "{{ podman_service_state }}"
|
|
daemon_reload: yes
|
|
when: podman_service_enabled
|
|
|
|
- name: Test podman functionality
|
|
command: podman info --format json
|
|
register: podman_info_result
|
|
changed_when: false
|
|
|
|
- name: Verify rootless podman configuration
|
|
command: podman system info
|
|
register: podman_system_info
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
# =================================================================
|
|
# Container Registry Authentication
|
|
# =================================================================
|
|
# Deploy system-wide authentication for private container registries
|
|
# Currently supports: GitHub Container Registry (ghcr.io)
|
|
|
|
- name: Deploy GitHub Container Registry authentication
|
|
copy:
|
|
content: |
|
|
{
|
|
"auths": {
|
|
"ghcr.io": {
|
|
"auth": "{{ (github_username + ':' + github_token) | b64encode }}"
|
|
}
|
|
}
|
|
}
|
|
dest: /etc/containers/auth.json
|
|
mode: '0600'
|
|
owner: root
|
|
group: root
|
|
when: github_username is defined and github_token is defined
|
|
no_log: true # Don't log sensitive authentication data
|
|
|
|
- name: Display Podman infrastructure status
|
|
debug:
|
|
msg: |
|
|
✅ Podman container infrastructure ready!
|
|
|
|
🐳 Version: {{ podman_version_check.stdout.split()[2] | default('unknown') }}
|
|
🔒 Security: Rootless container runtime enabled
|
|
📦 Registries: {{ podman_registries | join(', ') }}
|
|
🏗️ Storage: {{ 'overlay' if 'overlay' in podman_system_info.stdout else 'system default' }}
|
|
🔑 Auth: {{ 'GitHub Container Registry configured' if (github_username is defined and github_token is defined) else 'No private registry auth' }}
|
|
|
|
🚀 Ready for containerized applications!
|
|
|
|
📋 Next Steps:
|
|
- Applications should create service-specific users
|
|
- Each user gets isolated container environment
|
|
- Services deploy quadlet files for systemd integration |