Joakim
500224b5de
- Implemented complete Podman infrastructure role following rick-infra patterns - Minimal installation approach: only install podman, trust Arch dependency management - Configured with crun runtime for optimal performance and security - Security-focused: HTTPS-only registries, rootless containers, systemd hardening - Registry support: docker.io, quay.io, ghcr.io with secure configurations - Ready for service-specific users with isolated container environments - Quadlet support for native systemd container management - Container-to-host networking via bridge networks with host gateway access - Foundation for future containerized services (Authentik, Nextcloud) - Maintains rick-infra philosophy: infrastructure provides foundation, apps manage specifics
73 lines
2.5 KiB
YAML
73 lines
2.5 KiB
YAML
---
|
|
# =================================================================
|
|
# Podman Infrastructure Role - Simplified Configuration
|
|
# =================================================================
|
|
# Provides rootless container infrastructure for applications
|
|
# Applications manage their own service-specific users and deployments
|
|
|
|
# =================================================================
|
|
# Essential Configuration
|
|
# =================================================================
|
|
|
|
# Service Management
|
|
podman_service_enabled: true
|
|
podman_service_state: "started"
|
|
|
|
# Installation Configuration (Arch Linux optimized)
|
|
podman_install_optional: false # Trust pacman dependency management
|
|
|
|
# =================================================================
|
|
# Container Runtime Security
|
|
# =================================================================
|
|
|
|
# Rootless container configuration
|
|
podman_rootless: true
|
|
podman_systemd_security: true
|
|
|
|
# =================================================================
|
|
# Registry Configuration
|
|
# =================================================================
|
|
|
|
# Default container registries (secure, trusted sources)
|
|
podman_registries:
|
|
- docker.io
|
|
- quay.io
|
|
- ghcr.io
|
|
|
|
# Registry security settings
|
|
podman_registry_insecure: false
|
|
podman_registry_blocked: false
|
|
|
|
# =================================================================
|
|
# Network Configuration
|
|
# =================================================================
|
|
|
|
# Default networking (applications create their own networks)
|
|
podman_default_network: "bridge"
|
|
podman_network_security: true
|
|
|
|
# =================================================================
|
|
# Storage Configuration
|
|
# =================================================================
|
|
|
|
# Container storage settings
|
|
podman_storage_driver: "overlay"
|
|
podman_storage_security: true
|
|
|
|
# =================================================================
|
|
# Infrastructure Notes
|
|
# =================================================================
|
|
# This role provides minimal podman infrastructure
|
|
# Applications should manage their own configurations:
|
|
#
|
|
# Service-specific users:
|
|
# - Applications create users like: authentik, nextcloud, etc.
|
|
# - Each user gets isolated subuid/subgid ranges
|
|
# - Each user manages their own containers via systemd --user
|
|
#
|
|
# Container networking:
|
|
# - Applications create bridge networks for isolation
|
|
# - Host services accessed via host.containers.internal
|
|
# - Port publishing only to localhost for security
|
|
#
|
|
# Podman's built-in defaults are used for everything else |