ansible-collection-core/roles/podman_host/tasks/main.yml

---
- name: Podman Host | AUDIT | Ensure the rootless users are defined and are not root
  ansible.builtin.assert:
    that:
      - podman_host_rootless_users | length > 0
      - '"root" not in podman_host_rootless_users'

- name: Podman Host | PATCH | Install Podman
  ansible.builtin.dnf:
    name:
      - podman
      - container-selinux
      - shadow-utils-subid  # for getsubids
    state: latest
  become: true

- name: Podman Host | AUDIT | Ensure that users exist and have subids configured
  ansible.builtin.include_tasks:
    file: check_users.yml
  vars:
    _podman_host_rootless_user: "{{ item }}"
  with_items: "{{ podman_host_rootless_users }}"

- name: Podman Host | PATCH | Set unprivileged port minimum
  ansible.posix.sysctl:
    name: net.ipv4.ip_unprivileged_port_start
    value: "{{ podman_host_minimum_unpriv_port }}"
    sysctl_set: true
    sysctl_file: /etc/sysctl.d/zzz-podman-unpriv-port.conf
    reload: true
  become: true

- name: Podman Host | PATCH | Set XDG_RUNTIME_DIR in .bash_profile for rootless users
  ansible.builtin.lineinfile:
    path: "/home/{{ item }}/.bash_profile"
    line: "export XDG_RUNTIME_DIR=/run/user/$(id -u)"
  become: true
  become_user: "{{ item }}"
  with_items: "{{ podman_host_rootless_users }}"

- name: Podman Host | PATCH | Enable linger for rootless users
  ansible.builtin.command:
    argv:
      - /usr/bin/loginctl
      - enable-linger
      - "{{ item }}"
    creates: "/var/lib/systemd/linger/{{ item }}"
  become: true
  with_items: "{{ podman_host_rootless_users }}"

- name: Podman Host | PATCH | Create users quadlets directory
  ansible.builtin.file:
    path: "/home/{{ item }}/.config/containers/systemd"
    state: directory
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: "0700"
  with_items: "{{ podman_host_rootless_users }}"
  become: true

- name: Podman Host | PATCH | Enable podman auto update timer for users
  ansible.builtin.systemd_service:
    name: podman-auto-update.timer
    scope: user
    state: started
    enabled: true
  become: true
  become_user: "{{ item }}"
  with_items: "{{ podman_host_rootless_users }}"
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`---`
feat(podman_host): do not create local users and assume a user exists For SR2's usage, these users will exist because they have been created in FreeIPA along with their subids. 2025-11-08 20:57:43 +00:00			`- name: Podman Host \| AUDIT \| Ensure the rootless users are defined and are not root`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ansible.builtin.assert:`
			`that:`
			`- podman_host_rootless_users \| length > 0`
			`- '"root" not in podman_host_rootless_users'`

feat(podman_host): do not create local users and assume a user exists For SR2's usage, these users will exist because they have been created in FreeIPA along with their subids. 2025-11-08 20:57:43 +00:00			`- name: Podman Host \| PATCH \| Install Podman`
			`ansible.builtin.dnf:`
			`name:`
			`- podman`
			`- container-selinux`
			`- shadow-utils-subid # for getsubids`
			`state: latest`
			`become: true`

			`- name: Podman Host \| AUDIT \| Ensure that users exist and have subids configured`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ansible.builtin.include_tasks:`
feat(podman_host): do not create local users and assume a user exists For SR2's usage, these users will exist because they have been created in FreeIPA along with their subids. 2025-11-08 20:57:43 +00:00			`file: check_users.yml`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`vars:`
			`_podman_host_rootless_user: "{{ item }}"`
			`with_items: "{{ podman_host_rootless_users }}"`

			`- name: Podman Host \| PATCH \| Set unprivileged port minimum`
			`ansible.posix.sysctl:`
			`name: net.ipv4.ip_unprivileged_port_start`
			`value: "{{ podman_host_minimum_unpriv_port }}"`
			`sysctl_set: true`
			`sysctl_file: /etc/sysctl.d/zzz-podman-unpriv-port.conf`
			`reload: true`
			`become: true`

feat(podman_host): do not create local users and assume a user exists For SR2's usage, these users will exist because they have been created in FreeIPA along with their subids. 2025-11-08 20:57:43 +00:00			`- name: Podman Host \| PATCH \| Set XDG_RUNTIME_DIR in .bash_profile for rootless users`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ansible.builtin.lineinfile:`
			`path: "/home/{{ item }}/.bash_profile"`
			`line: "export XDG_RUNTIME_DIR=/run/user/$(id -u)"`
			`become: true`
			`become_user: "{{ item }}"`
			`with_items: "{{ podman_host_rootless_users }}"`

			`- name: Podman Host \| PATCH \| Enable linger for rootless users`
			`ansible.builtin.command:`
			`argv:`
			`- /usr/bin/loginctl`
			`- enable-linger`
			`- "{{ item }}"`
			`creates: "/var/lib/systemd/linger/{{ item }}"`
			`become: true`
			`with_items: "{{ podman_host_rootless_users }}"`

			`- name: Podman Host \| PATCH \| Create users quadlets directory`
			`ansible.builtin.file:`
			`path: "/home/{{ item }}/.config/containers/systemd"`
			`state: directory`
			`owner: "{{ item }}"`
			`group: "{{ item }}"`
			`mode: "0700"`
			`with_items: "{{ podman_host_rootless_users }}"`
			`become: true`

			`- name: Podman Host \| PATCH \| Enable podman auto update timer for users`
			`ansible.builtin.systemd_service:`
			`name: podman-auto-update.timer`
			`scope: user`
			`state: started`
			`enabled: true`
			`become: true`
			`become_user: "{{ item }}"`
			`with_items: "{{ podman_host_rootless_users }}"`