From 7792cac0c7df2d72785bac8752ae4d236545ff3b Mon Sep 17 00:00:00 2001
From: irl
Date: Sat, 8 Nov 2025 20:57:43 +0000
Subject: [PATCH] feat(podman_host): do not create local users and assume a user exists

For SR2's usage, these users will exist because they have been created in FreeIPA along with their subids.
---
 roles/podman_host/tasks/check_users.yml | 51 +++++++++----------
 roles/podman_host/tasks/main.yml | 32 +++++++---------
 2 files changed, 31 insertions(+), 52 deletions(-)

diff --git a/roles/podman_host/tasks/check_users.yml b/roles/podman_host/tasks/check_users.yml
index 7ce0ddd..4520729 100644
--- a/roles/podman_host/tasks/check_users.yml
+++ b/roles/podman_host/tasks/check_users.yml
@@ -1,41 +1,26 @@ --- - name: Podman Host | AUDIT | Gather rootless user facts - ansible.builtin.user: - name: "{{ _podman_host_rootless_user }}" + ansible.builtin.getent: + database: passwd + key: "{{ _podman_host_rootless_user }}" register: _podman_host_rootless_user_facts -- name: Podman Host | AUDIT | Resolve name of user's primary group - ansible.builtin.getent: - database: group - key: "{{ _podman_host_rootless_user_facts.group }}" - register: _podman_host_rootless_user_group +- debug: + msg: "{{ _podman_host_rootless_user_facts }}" -- name: Podman Host | AUDIT | Check if user is in subuid file - ansible.builtin.lineinfile: - path: /etc/subuid - regexp: '^{{ _podman_host_rootless_user }}:.*$' - state: absent - register: _podman_host_uid_line_found - check_mode: true - failed_when: false - changed_when: false - -- name: Podman Host | AUDIT | Check if group is in subgid file - ansible.builtin.lineinfile: - path: /etc/subgid - regexp: '^{{ _podman_host_rootless_user_group.ansible_facts.getent_group | first }}:.*$' - state: absent - register: _podman_host_gid_line_found - check_mode: true - failed_when: false - changed_when: false - -- name: Podman Host | AUDIT | Assert that user is in subuid file exactly once +- name: Podman Host | AUDIT | Ensure the rootless user exists ansible.builtin.assert: that: - - _podman_host_uid_line_found.found == 1 + - _podman_host_rootless_user in _podman_host_rootless_user_facts.ansible_facts.getent_passwd.keys() + fail_msg: "User '{{ _podman_host_rootless_user }}' does not exist on this host." 
+ +- name: Podman Host | AUDIT | Ensure the rootless user has subuids defined + ansible.builtin.command: + cmd: "getsubids {{ _podman_host_rootless_user }}" + changed_when: false + +- name: Podman Host | AUDIT | Ensure the rootless user has subgids defined + ansible.builtin.command: + cmd: "getsubids -g {{ _podman_host_rootless_user }}" + changed_when: false -- name: Podman Host | AUDIT | Assert that group is in subgid file exactly once - ansible.builtin.assert: - that: - - _podman_host_gid_line_found.found == 1 diff --git a/roles/podman_host/tasks/main.yml b/roles/podman_host/tasks/main.yml index 2e9b601..26c6cdc 100644 --- a/roles/podman_host/tasks/main.yml +++ b/roles/podman_host/tasks/main.yml @@ -1,13 +1,22 @@ --- -- name: Podman Host | PRELIM | Ensure the rootless users are defined and are not root +- name: Podman Host | AUDIT | Ensure the rootless users are defined and are not root ansible.builtin.assert: that: - podman_host_rootless_users | length > 0 - '"root" not in podman_host_rootless_users' -- name: Podman Host | AUDIT | Ensure that subuid and subgid are defined for the users +- name: Podman Host | PATCH | Install Podman + ansible.builtin.dnf: + name: + - podman + - container-selinux + - shadow-utils-subid # for getsubids + state: latest + become: true + +- name: Podman Host | AUDIT | Ensure that users exist and have subids configured ansible.builtin.include_tasks: - file: check_subid.yml + file: check_users.yml vars: _podman_host_rootless_user: "{{ item }}" with_items: "{{ podman_host_rootless_users }}" 
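Review bot: The `fail_msg` on the new "Ensure the rootless user exists" assert is unreachable, because `ansible.builtin.getent` with `key:` set fails its own task when the key is not found (its `fail_key` option defaults to true), so a missing user surfaces as a generic getent error rather than the intended message; add `fail_key: false` to the getent task so the assert is the check that reports. The unnamed `- debug:` task that prints `_podman_host_rootless_user_facts` looks like a leftover and also breaks the file's FQCN convention; drop it, or give it `- name: Podman Host | AUDIT | Show rootless user facts` with `ansible.builtin.debug:`. The two `getsubids` tasks put the templated user name inside a single `cmd:` string, which is word-split before execution; `argv: ["getsubids", "{{ _podman_host_rootless_user }}"]` and `argv: ["getsubids", "-g", "{{ _podman_host_rootless_user }}"]` keep the name as one argument. Both tasks also appear to rely on getsubids exiting non-zero when no range is defined and on the host's subid lookup reaching the FreeIPA ranges — worth confirming, and worth a comment above them such as `# relies on a non-zero getsubids exit when no subid range is defined for the user`.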
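Review bot: `state: latest` on the relocated "Install Podman" task upgrades podman, container-selinux and shadow-utils-subid on every run, so an ordinary playbook run can pull an unreviewed new podman version onto a host with running workloads; unless unattended upgrades are the intent, `state: present` is the idempotent choice. Since the task was moved ahead of the audit only so that getsubids is available to check_users.yml, a comment recording that ordering dependency, e.g. `# must precede check_users.yml, which calls getsubids from shadow-utils-subid`, would stop a future reorder from silently breaking the audit.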
@@ -21,17 +30,10 @@ reload: true become: true -- name: Podman Host | PATCH | Create users for rootless podman - ansible.builtin.user: - name: "{{ item }}" - become: true - with_items: "{{ podman_host_rootless_users }}" - -- name: Podman Host | PATCH | Set XDG_RUNTIME_DIR in .profile for rootless users +- name: Podman Host | PATCH | Set XDG_RUNTIME_DIR in .bash_profile for rootless users ansible.builtin.lineinfile: path: "/home/{{ item }}/.bash_profile" line: "export XDG_RUNTIME_DIR=/run/user/$(id -u)" - create: false become: true become_user: "{{ item }}" with_items: "{{ podman_host_rootless_users }}" @@ -46,14 +48,6 @@ become: true with_items: "{{ podman_host_rootless_users }}" -- name: Podman Host | PATCH | Install Podman - ansible.builtin.dnf: - name: - - podman - - container-selinux - state: latest - become: true - - name: Podman Host | PATCH | Create users quadlets directory ansible.builtin.file: path: "/home/{{ item }}/.config/containers/systemd"
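Review bot: With the "Create users for rootless podman" task removed, the `.bash_profile` lineinfile now depends on `/home/{{ item }}/.bash_profile` already existing, and because lineinfile's `create` option defaults to false (dropping the explicit `create: false` changes nothing), a directory user whose home was not populated with a `.bash_profile` makes the task fail with a missing-destination error instead of being populated. Either set `create: true` with an explicit `mode: "0644"` on the task, or document the precondition above it, e.g. `# assumes the IPA user's home and .bash_profile already exist (no local useradd any more)`. The hard-coded `/home/{{ item }}` prefix is likewise an assumption now that users come from FreeIPA; the home directory returned by the getent lookup in check_users.yml would be the authoritative value, if that fact is exported back to this file.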