Fix podman SSH key paths and add registry support

- Configure SELinux to permit nginx network connections

roles/podman/tasks/deploy.yml

@@ -65,7 +65,7 @@
 
 - name: Generate OpenSSH deploy keys for docker compose (podman) clones
   community.crypto.openssh_keypair:
-    path: "{{ podman_ssh_key_path }}/podman-id_{{ podman_repos_keytype }}"
+    path: "{{ podman_homedir }}/.ssh/podman-id_{{ podman_repos_keytype }}"
     type: "{{ podman_repos_keytype }}"
     comment: "{{ ansible_hostname }}-{{ podman_user }}-deploy-key"
     owner: "{{ podman_user }}"
@@ -105,7 +105,7 @@
         )
         else false
       }}
-    key_file: "{{ podman_ssh_key_path }}/podman-id_{{ podman_repos_keytype }}"
+    key_file: "{{ podman_homedir }}/.ssh/podman-id_{{ podman_repos_keytype }}"
   become: true
   become_user: "{{ podman_user }}"
   loop: "{{ podman_project }}"

roles/podman/tasks/login.yml

@@ -0,0 +1,20 @@
+- name: "Get UID for {{ podman_user.key }}"
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ podman_user.key }}"
+
+- name: Login to private Podman registry via Docker CLI
+  community.docker.docker_login:
+    registry_url: "{{ registry.key }}"
+    username: "{{ registry.value.username }}"
+    password: "{{ registry.value.password }}"
+    docker_host: "unix:///run/user/{{ podman_uid }}/podman/podman.sock"
+  vars:
+    podman_uid: "{{ ansible_facts.getent_passwd[podman_user.key][1] }}"
+  loop: "{{ podman_user.value | dict2items }}"
+  loop_control:
+    loop_var: registry
+    label: "{{ podman_user.key }} => {{ registry.key }}"
+  become: true
+  become_user: "{{ podman_user.key }}"
+  no_log: true

roles/podman/tasks/main.yml

@@ -105,6 +105,13 @@
     state: present
   when: podman_compose is defined
 
+- name: Login to private Podman registries with Docker CLI for each user
+  ansible.builtin.include_tasks: login.yml
+  loop: "{{ podman_login | dict2items }}"
+  loop_control:
+    loop_var: podman_user
+  when: podman_login is defined
+
 - name: Deploy Podman compose projects for each user
   ansible.builtin.include_tasks: deploy.yml
   vars:

roles/proxy/tasks/main.yml

@@ -41,6 +41,8 @@
     dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
     mode: "400"
   loop: "{{ proxy.servers }}"
+  loop_control:
+    label: "{{ item.domain }}"
   notify: reload_nginx
   register: nginx_sites
 
@@ -105,6 +107,16 @@
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
   notify: reload_nginx
 
+- name: Enable httpd_can_network_connect to allow nginx network access
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  when:
+    - selinux is defined
+    - selinux is not false
+    - proxy is defined
+
 - name: Add HTTP and HTTPS firewall rule
   community.general.ufw:
     rule: allow