homelab/roles/podman/tasks/main.yml

- name: Install Podman with Docker CLI tools
  ansible.builtin.apt:
    name: ["podman", "docker-cli", "docker-compose"]
    state: present

- name: Install GnuPG tools and trusted CA bundle
  ansible.builtin.apt:
    name: ["gnupg", "ca-certificates"]
    state: present
  when: podman_compose is defined

- name: Get podman user info for user namespace configuration
  ansible.builtin.getent:
    database: passwd
    key: "{{ item }}"
  loop: "{{ podman_compose.keys() | list }}"
  register: user_info
  loop_control:
    label: "{{ item }}"
  when: podman_compose is defined

- name: Configure /etc/subuid for rootless users
  ansible.builtin.lineinfile:
    path: "/etc/subuid"
    line:
      "{{ item.item }}:{{ 100000 +
      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
      }}:65536"
    regexp: "^{{ item.item }}:"
    create: true
    backup: true
    mode: "0644"
  loop: "{{ user_info.results }}"
  loop_control:
    label: "{{ item.item }}"

- name: Configure /etc/subgid for rootless users
  ansible.builtin.lineinfile:
    path: "/etc/subgid"
    line:
      "{{ item.item }}:{{ 100000 +
      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
      }}:65536"
    regexp: "^{{ item.item }}:"
    create: true
    backup: true
    mode: "0644"
  loop: "{{ user_info.results }}"
  loop_control:
    label: "{{ item.item }}"

- name: Enable lingering for podman compose user
  ansible.builtin.command:
    cmd: "loginctl enable-linger {{ item.item }}"
  changed_when: false
  loop: "{{ user_info.results }}"
  loop_control:
    label: "{{ item.item }}"

- name: Start and enable the Podman socket
  ansible.builtin.systemd:
    name: podman.socket
    state: started
    enabled: true
    scope: user
  vars:
    uid: "{{ item.ansible_facts.getent_passwd[item.item][1] }}"
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ uid }}"
    DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ uid }}/bus"
  become: true
  become_user: "{{ item.item }}"
  loop: "{{ user_info.results }}"
  loop_control:
    label: "{{ item.item }}"

- name: Create global containers config directory
  ansible.builtin.file:
    path: /etc/containers
    state: directory
    mode: "0755"

- name: Configure global containers.conf for rootless
  ansible.builtin.copy:
    content: |
      [engine]
      cgroup_manager = "cgroupfs"
      events_logger = "journald"
      runtime = "crun"
    dest: /etc/containers/containers.conf
    backup: true
    mode: "0644"

- name: Configure Docker CLI to use rootless Podman socket
  ansible.builtin.copy:
    src: files/docker-host.sh
    dest: /etc/profile.d/docker-host.sh
    owner: root
    group: root
    mode: '0755'

- name: Install git for repository cloning
  ansible.builtin.apt:
    name: git
    state: present
  when: podman_compose is defined

- name: Login to private Podman registries with Docker CLI for each user
  ansible.builtin.include_tasks: login.yml
  loop: "{{ podman_login | dict2items }}"
  loop_control:
    loop_var: podman_user
  when: podman_login is defined

- name: Stat rootless Podman directory
  ansible.builtin.stat:
    path: "/home/{{ compose_user.key }}/.local/share/containers"
  loop: "{{ podman_compose | dict2items }}"
  loop_control:
    loop_var: compose_user
    label: "{{ compose_user.key }}"
  register: podman_user_containers_stat
  when:
    - podman_compose is defined
    - selinux is defined
    - selinux is not false

- name: Create rootless Podman directory
  ansible.builtin.file:
    path: "/home/{{ item.compose_user.key }}/.local/share/containers"
    state: directory
    owner: "{{ item.compose_user.key }}"
    group: "{{ item.compose_user.key }}"
    mode: "700"
  loop: "{{ podman_user_containers_stat.results }}"
  loop_control:
    label: "{{ item.compose_user.key }}"
  when:
    - podman_compose is defined
    - selinux is defined
    - selinux is not false
    - not item.stat.exists

- name: Label rootless Podman directory
  ansible.builtin.command: >-
    restorecon -Rv /home/{{ item.compose_user.key }}/.local/share/containers
  loop: "{{ podman_user_containers_stat.results }}"
  loop_control:
    label: "/home/{{ item.compose_user.key }}/.local/share/containers"
  changed_when: true
  when:
    - podman_compose is defined
    - selinux is defined
    - selinux is not false
    - not item.stat.exists

- name: Stat Podman label directories
  ansible.builtin.stat:
    path: "{{ item.path }}"
  loop: "{{ podman_label }}"
  register: podman_label_stat
  loop_control:
    label: "{{ item.path }}"
  when:
    - podman_label is defined
    - selinux is defined
    - selinux is not false

- name: Create Podman label directories
  ansible.builtin.file:
    path: "{{ item.item.path }}"
    owner: "{{ item.item.owner | default(omit) }}"
    group: "{{ item.item.group | default(omit) }}"
    mode: "{{ item.item.mode | default('700') }}"
    state: directory
  loop: "{{ podman_label_stat.results }}"
  loop_control:
    label: "{{ item.item.path }}"
  when:
    - podman_label is defined
    - selinux is defined
    - selinux is not false
    - not item.stat.exists

- name: Set labels on Podman label directories
  ansible.builtin.command: "chcon {{ item.item.label }} {{ item.item.path }}"
  loop: "{{ podman_label_stat.results }}"
  changed_when: true
  loop_control:
    label: "{{ item.item.path }} => {{ item.item.label }}"
  when:
    - podman_label is defined
    - selinux is defined
    - selinux is not false
    - not item.stat.exists

- name: Deploy Podman compose projects for each user
  ansible.builtin.include_tasks: deploy.yml
  vars:
    podman_user: "{{ compose_user.key }}"
    podman_compose_config: "{{ compose_user.value }}"
  loop: "{{ podman_compose | dict2items }}"
  loop_control:
    loop_var: compose_user
  when: podman_compose is defined
  tags: podman_compose