Deploy mastodon v0.1

roles/podman/tasks/main.yml

@@ -0,0 +1,76 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for podman
+
+- name: Install deps
+  ansible.builtin.dnf:
+    name: "{{ dnf_packages }}"
+
+- name: Enable firewalld
+  ansible.builtin.systemd:
+    name: firewalld
+    enabled: true
+    state: started
+
+- name: Add ports
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop: "{{ firewalld_services }}"
+
+- name: Create unprivileged user {{ podman_user }}
+  ansible.builtin.user:
+    name: "{{ podman_user }}"
+    uid: "{{ podman_uid }}"
+    create_home: true
+
+- name: Set subuid / subgid range for {{ podman_user }}
+  ansible.builtin.lineinfile:
+    path: "{{ item }}"
+    line: "apps:1000000:65537"
+  loop:
+    - "/etc/subuid"
+    - "/etc/subgid"
+  notify:
+    - podman migrate
+
+- name: Check linger
+  ansible.builtin.command:
+    cmd: "loginctl show-user {{ podman_user }}"
+  changed_when: false
+  register: linger_check
+
+- name: Enable linger
+  ansible.builtin.command:
+    cmd: "loginctl enable-linger {{ podman_uid }}"
+    creates: "/var/lib/systemd/linger/{{ podman_user }}"
+
+- name: Persist unprivileged port
+  ansible.posix.sysctl:
+    sysctl_file: /etc/sysctl.d/user_priv_ports.conf
+    name: net.ipv4.ip_unprivileged_port_start
+    value: "53"
+    sysctl_set: true
+    reload: true
+
+- name: Install python package
+  ansible.builtin.command:
+    cmd: pip3 install podman-compose
+    creates: /usr/local/bin/podman-compose
+
+- name: Remove memlock limit in pam_limits for {{ podman_user }}
+  community.general.pam_limits:
+    domain: "{{ podman_user }}"
+    limit_type: "-"
+    limit_item: memlock
+    value: unlimited
+    comment: unlimited memory lock for elasticsearch
+
+- name: Ramp up nofile lmit for {{ podman_user }}
+  community.general.pam_limits:
+    domain: "{{ podman_user }}"
+    limit_type: "-"
+    limit_item: nofile
+    value: 65536