rick-infra/roles/podman/README.md

# Podman Infrastructure Role

This role provides Podman container infrastructure for the rick-infra project, following the same patterns established by the PostgreSQL and Valkey infrastructure roles.

## Overview

**Podman** is a daemonless container engine for developing, managing, and running OCI containers and pods on Linux systems. This role establishes the foundational container infrastructure that containerized application services can build upon.

Podman is deployed as a system-level infrastructure service that provides container runtime capabilities for service-specific users to utilize.

## Features

- **Daemonless architecture**: No background daemon required, improved security
- **Rootless containers**: Applications run containers as dedicated users  
- **OCI compliance**: Full Docker compatibility with enhanced security
- **Systemd integration**: Native systemd integration via quadlet files
- **Security-focused**: crun runtime, secure registries, restrictive defaults
- **Infrastructure pattern**: Matches PostgreSQL/Valkey role architecture

## Architecture

### **Container Runtime Stack:**
- **Podman**: Container engine and CLI
- **crun**: Fast, lightweight OCI runtime (instead of runc)
- **netavark**: Modern container networking
- **aardvark-dns**: Container DNS resolution
- **conmon**: Container monitoring
- **catatonit**: Container init process

### **Registry Configuration:**
- **docker.io**: Docker Hub (primary)
- **quay.io**: Red Hat Quay
- **ghcr.io**: GitHub Container Registry

All registries configured with HTTPS-only, no insecure connections allowed.

## Application Integration

Applications should create service-specific users and manage their own container deployments:

### **Service-Specific User Pattern:**
```yaml
# Example from future authentik role
- name: Create authentik user
  user:
    name: authentik
    system: yes
    shell: /bin/bash
    home: /var/lib/authentik
    create_home: yes

- name: Configure rootless podman for authentik
  lineinfile:
    path: "{{ item.file }}"
    line: "authentik:{{ item.start }}:{{ item.count }}"
  loop:
    - { file: /etc/subuid, start: 100000, count: 65536 }
    - { file: /etc/subgid, start: 100000, count: 65536 }
```

### **Quadlet Integration:**
```yaml
# Deploy quadlet files to user systemd directory
- name: Deploy container quadlets
  template:
    src: "{{ item }}.j2"
    dest: "/var/lib/authentik/.config/containers/systemd/{{ item }}"
    owner: authentik
    group: authentik
  loop:
    - authentik.pod
    - authentik-server.container
    - authentik-worker.container
```

### **Container-to-Host Connectivity:**
```ini
# Pod quadlet with host access
[Pod]
Network=service-internal
AddHost=host.containers.internal:host-gateway
PublishPort=127.0.0.1:9000:9000/tcp
```

```bash
# Environment variables for host service access
DATABASE_HOST=host.containers.internal
REDIS_HOST=host.containers.internal
```

## Configuration

### **Default Settings:**
```yaml
# Service management
podman_service_enabled: true
podman_service_state: "started"

# Registry configuration
podman_registries:
  - docker.io
  - quay.io  
  - ghcr.io

# Security settings
podman_rootless: true
podman_systemd_security: true
```

All settings use secure defaults and can be overridden in host_vars if needed.

## Dependencies

This is an infrastructure role with no dependencies. Applications that need containers should declare this role as a dependency:

```yaml
# roles/authentik/meta/main.yml
dependencies:
  - role: postgresql
  - role: valkey
  - role: podman        # Container infrastructure
  - role: caddy
```

## Service Management

```bash
# System service (API endpoint)
sudo systemctl status podman
sudo systemctl status podman.socket

# Container functionality  
sudo podman --version
sudo podman run --rm hello-world

# User containers (example with authentik user)
sudo -u authentik systemctl --user status authentik-pod
sudo -u authentik podman ps -a
```

## Container User Isolation

Each containerized service gets:
- **Dedicated system user** (e.g., `authentik`, `nextcloud`)
- **Isolated subuid/subgid ranges** (100000+65536 IDs per service)  
- **Private container storage** in user home directory
- **User systemd session** for container service management
- **Network isolation** via custom bridge networks

## File Locations

- **Global configuration**: `/etc/containers/`
  - `registries.conf` - Registry settings
  - `containers.conf` - Global podman settings
- **User containers**: `/var/lib/{service}/`
  - `.config/containers/systemd/` - Quadlet files
  - `.config/systemd/user/` - Generated systemd services
  - `.local/share/containers/` - Container storage

## Security

- **Rootless operation**: All containers run as unprivileged users
- **Registry security**: HTTPS-only, trusted registries
- **Runtime security**: crun with security features enabled
- **Network isolation**: Custom networks, no privileged networking
- **Storage isolation**: Per-user container storage
- **Systemd integration**: Full systemd security features available

## Integration with Host Services

Containerized applications access host services (PostgreSQL, Valkey) via:
- **Bridge networking** with host gateway access
- **Host mapping**: `host.containers.internal` → host IP
- **Localhost binding**: Host services remain on 127.0.0.1
- **Standard ports**: No port conflicts, containers use bridge networks

## Notes

This role follows the rick-infra infrastructure pattern where foundational services (Podman, PostgreSQL, Valkey) are provided as host-level infrastructure, and applications manage their own specific usage patterns and user isolation rather than sharing a common container user.

**Architecture Benefits:**
- Clear separation between infrastructure and applications
- Service-level isolation and security
- Native systemd integration for all containers
- Familiar management patterns consistent with native services