---
# Host preparation for rootless Podman: packages, a polkit rule for
# machinectl-based access, the management group, and the service accounts
# the containers run under. Variables (sce_*) are defined outside this file.

- name: Install Podman and dependencies for rootless operation
  ansible.builtin.apt:
    name:
      - podman
      # uidmap: subordinate uid/gid ranges, required for rootless operation
      - uidmap
      # netavark: newer network backend, used instead of the default CNI backend
      - netavark
      # slirp4netns: required for rootless networking
      - slirp4netns
      # systemd-container and polkitd: required for config management
      # (the machinectl polkit rule installed by the next task)
      - systemd-container
      - polkitd
    state: present

- name: Configure polkit for `machinectl` privilege escalation & config management
  # NOTE(review): the rule body lives in the template and is not visible here;
  # whatever it grants is reachable by every member of the group it names, so
  # keep that group's membership tightly scoped — confirm against the template.
  ansible.builtin.template:
    src: machinectl.rules.j2
    dest: /etc/polkit-1/rules.d/50-machinectl.rules
    owner: root
    group: polkitd
    mode: "640"

- name: Create group for managing rootless Podman environments
  ansible.builtin.group:
    name: "{{ sce_cfg_group }}"
    state: present

- name: Add config management (Ansible) user to the rootless Podman managing group
  ansible.builtin.user:
    name: "{{ sce_cfg_user }}"
    # append so the user's existing supplementary groups are preserved
    append: true
    groups:
      - "{{ sce_cfg_group }}"

- name: Create service account(s) for running rootless Podman containers under
  ansible.builtin.user:
    name: "{{ item }}"
    comment: "Rootless Podman service account"
    # Deliberately a regular (non-system) account: subordinate id ranges are
    # only allocated automatically for non-system accounts.
    system: false
    # No password login for the service accounts.
    password_lock: true
    state: present
  loop: "{{ sce_service_accounts }}"