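---
# Tasks for preparing a Debian-family host to run rootless Podman containers
# under dedicated service accounts, managed over `machinectl` by a config
# management (Ansible) user that is a member of `install_cfg_group`.
#
# Variables expected from the caller (not defined here):
#   install_cfg_group        - group granted machinectl access via polkit
#   install_cfg_user         - config management user added to that group
#   install_service_accounts - list of account names that will run containers

- name: Install Podman and dependencies for rootless operation
  ansible.builtin.apt:
    pkg:
      - podman
      # Required for rootless operation: provides newuidmap/newgidmap for
      # subordinate uid/gid mapping
      - uidmap
      # Use the newer network backend instead of the default CNI backend
      - netavark
      # Required for rootless networking
      - slirp4netns
      # Next two are required for config management (`machinectl` + polkit)
      - systemd-container
      - polkitd
    # The module default is "present"; stated explicitly so a later change to
    # "latest" is a deliberate, visible decision
    state: present

# NOTE(review): the rule in machinectl.rules.j2 is not visible here; it
# presumably grants `install_cfg_group` access to machinectl, which amounts to
# root on the host. Keep membership of that group minimal.
- name: Configure polkit for `machinectl` privilege escalation & config management
  ansible.builtin.template:
    src: machinectl.rules.j2
    dest: /etc/polkit-1/rules.d/50-machinectl.rules
    # Leading zero plus quotes: Ansible parses the string as octal, and the
    # value reads unambiguously as a file mode
    mode: "0640"
    owner: root
    group: polkitd

- name: Create group for managing rootless Podman environments
  ansible.builtin.group:
    name: "{{ install_cfg_group }}"
    system: true
    state: present

- name: Add config management (Ansible) user to the rootless Podman managing group
  ansible.builtin.user:
    name: "{{ install_cfg_user }}"
    groups:
      - "{{ install_cfg_group }}"
    # Keep the user's existing group memberships
    append: true

- name: Create service account(s) for running rootless Podman containers under
  ansible.builtin.user:
    name: "{{ item }}"
    # No password login; the accounts are reached via `machinectl` only
    password_lock: true
    comment: "Rootless Podman service account"
    # By default, subordinate IDs are only allocated automatically for
    # non-system accounts, and rootless Podman needs them
    system: false
    state: present
  loop: "{{ install_service_accounts }}"

# Needed to have containers start at host boot: lingering starts the account's
# systemd user instance at boot without an interactive login session
- name: Ensure systemd user service manager will run without a login session for the Podman service account(s)
  ansible.builtin.command:
    # argv form passes the account name as a single argument instead of
    # letting the module re-split a templated command line on whitespace
    argv:
      - loginctl
      - enable-linger
      - "{{ item }}"
    # loginctl writes this marker file; its presence makes the task idempotent
    creates: "/var/lib/systemd/linger/{{ item }}"
  loop: "{{ install_service_accounts }}"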