Joakim
500224b5de
- Implemented complete Podman infrastructure role following rick-infra patterns - Minimal installation approach: only install podman, trust Arch dependency management - Configured with crun runtime for optimal performance and security - Security-focused: HTTPS-only registries, rootless containers, systemd hardening - Registry support: docker.io, quay.io, ghcr.io with secure configurations - Ready for service-specific users with isolated container environments - Quadlet support for native systemd container management - Container-to-host networking via bridge networks with host gateway access - Foundation for future containerized services (Authentik, Nextcloud) - Maintains rick-infra philosophy: infrastructure provides foundation, apps manage specifics
67 lines
2.3 KiB
Django/Jinja
67 lines
2.3 KiB
Django/Jinja
# Podman Configuration - Generated by Ansible
|
|
# rick-infra Podman Infrastructure Role
|
|
#
|
|
# Global podman configuration providing secure defaults
|
|
# for containerized applications
|
|
|
|
# =================================================================
|
|
# Container Engine Configuration
|
|
# =================================================================
|
|
|
|
[engine]
|
|
|
|
# Container runtime (OCI compliant)
|
|
# runtime = "runc" # Default, can be overridden to crun
|
|
|
|
# Network backend for container networking
|
|
network_backend = "netavark"
|
|
|
|
# Default network for new containers
|
|
default_network = "{{ podman_default_network }}"
|
|
|
|
# =================================================================
|
|
# Storage Configuration
|
|
# =================================================================
|
|
|
|
# Storage driver for container layers and images
|
|
# driver = "{{ podman_storage_driver }}" # overlay is default
|
|
|
|
# =================================================================
|
|
# Security Configuration
|
|
# =================================================================
|
|
|
|
# Enable security features
|
|
# seccomp_profile = "/usr/share/containers/seccomp.json"
|
|
# apparmor_profile = "containers-default-0.14.5"
|
|
|
|
# =================================================================
|
|
# Network Configuration
|
|
# =================================================================
|
|
|
|
[network]
|
|
|
|
# Default subnet for new networks (applications override this)
|
|
default_subnet = "10.88.0.0/16"
|
|
default_subnet_pools = [
|
|
{"base" = "10.89.0.0/16", "size" = 24},
|
|
{"base" = "10.90.0.0/16", "size" = 24}
|
|
]
|
|
|
|
# =================================================================
|
|
# Service Integration
|
|
# =================================================================
|
|
|
|
[service_destinations]
|
|
|
|
# Systemd integration for container services
|
|
# Applications use this for quadlet deployment
|
|
|
|
# =================================================================
|
|
# Infrastructure Notes
|
|
# =================================================================
|
|
# This configuration provides secure defaults for all containers
|
|
# Applications should:
|
|
# - Create service-specific users for container isolation
|
|
# - Use quadlet files for systemd integration
|
|
# - Create custom networks for multi-container applications
|
|
# - Access host services via host.containers.internal |