rick-infra/roles/podman/templates/containers.conf.j2

# Podman Configuration - Generated by Ansible
# rick-infra Podman Infrastructure Role
#
# Global podman configuration providing secure defaults
# for containerized applications

# =================================================================
# Container Engine Configuration
# =================================================================

[engine]

# Container runtime (OCI compliant)
# runtime = "runc"  # Default, can be overridden to crun

# Network backend for container networking
network_backend = "netavark"

# Default network for new containers
default_network = "{{ podman_default_network }}"

# For signing into ghcr.io
auth_file = "/etc/containers/auth.json"

# =================================================================
# Storage Configuration  
# =================================================================

# Storage driver for container layers and images
# driver = "{{ podman_storage_driver }}"  # overlay is default

# =================================================================
# Security Configuration
# =================================================================

# Enable security features
# seccomp_profile = "/usr/share/containers/seccomp.json"
# apparmor_profile = "containers-default-0.14.5"

# =================================================================
# Network Configuration
# =================================================================

[network]

# Default subnet for new networks (applications override this)
default_subnet = "10.88.0.0/16"
default_subnet_pools = [
    {"base" = "10.89.0.0/16", "size" = 24},
    {"base" = "10.90.0.0/16", "size" = 24}
]

# =================================================================
# Service Integration
# =================================================================

[service_destinations]

# Systemd integration for container services
# Applications use this for quadlet deployment

# =================================================================
# Infrastructure Notes
# =================================================================
# This configuration provides secure defaults for all containers
# Applications should:
# - Create service-specific users for container isolation
# - Use quadlet files for systemd integration  
# - Create custom networks for multi-container applications
# - Access host services via host.containers.internal