rick-infra/roles/podman/tasks/main.yml

---
# Podman Infrastructure Role - Simplified Tasks

- name: Update package cache
  pacman:
    update_cache: yes

- name: Install crun as OCI runtime (faster than runc)
  pacman:
    name: crun
    state: present

- name: Install Podman container runtime
  pacman:
    name: podman
    state: present

- name: Verify podman installation
  command: podman --version
  register: podman_version_check
  changed_when: false

- name: Create global containers configuration directory
  file:
    path: /etc/containers
    state: directory
    mode: '0755'

- name: Configure global container registries
  template:
    src: registries.conf.j2
    dest: /etc/containers/registries.conf
    mode: '0644'
    backup: yes
  notify: restart podman

- name: Configure global podman settings
  template:
    src: containers.conf.j2
    dest: /etc/containers/containers.conf
    mode: '0644'
    backup: yes
  notify: restart podman

- name: Create default podman network with DNS enabled
  command: podman network create podman --subnet 10.88.0.0/16
  register: podman_network_create
  changed_when: "'podman' in podman_network_create.stdout"
  failed_when: 
    - podman_network_create.rc != 0
    - "'already exists' not in podman_network_create.stderr"

- name: Deploy podman firewall rules
  template:
    src: podman.nft.j2
    dest: /etc/nftables.d/10-podman.nft
    mode: '0644'
    backup: yes
  notify: reload nftables

- name: Enable podman system service (if enabled)
  systemd:
    name: podman
    enabled: "{{ podman_service_enabled }}"
    state: "{{ podman_service_state }}"
    daemon_reload: yes
  when: podman_service_enabled

- name: Test podman functionality
  command: podman info --format json
  register: podman_info_result
  changed_when: false

- name: Verify rootless podman configuration
  command: podman system info
  register: podman_system_info
  changed_when: false
  failed_when: false

# =================================================================
# Container Registry Authentication
# =================================================================
# Deploy system-wide authentication for private container registries
# Currently supports: GitHub Container Registry (ghcr.io)

- name: Deploy GitHub Container Registry authentication
  copy:
    content: |
      {
        "auths": {
          "ghcr.io": {
            "auth": "{{ (github_username + ':' + github_token) | b64encode }}"
          }
        }
      }
    dest: /etc/containers/auth.json
    mode: '0600'
    owner: root
    group: root
  when: github_username is defined and github_token is defined
  no_log: true  # Don't log sensitive authentication data

- name: Display Podman infrastructure status
  debug:
    msg: |
      ✅ Podman container infrastructure ready!
      
      🐳 Version: {{ podman_version_check.stdout.split()[2] | default('unknown') }}
      🔒 Security: Rootless container runtime enabled
      📦 Registries: {{ podman_registries | join(', ') }}
      🏗️ Storage: {{ 'overlay' if 'overlay' in podman_system_info.stdout else 'system default' }}
      🔑 Auth: {{ 'GitHub Container Registry configured' if (github_username is defined and github_token is defined) else 'No private registry auth' }}
      
      🚀 Ready for containerized applications!
      
      📋 Next Steps:
      - Applications should create service-specific users
      - Each user gets isolated container environment
      - Services deploy quadlet files for systemd integration