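# SPDX-License-Identifier: MIT-0
---
# tasks file for podman
#
# Prepares a host for rootless podman under a dedicated unprivileged account:
# installs packages, opens firewalld services, creates the user with an explicit
# subordinate uid/gid range, enables linger so the user's services outlive a
# login session, and relaxes a few kernel/PAM limits.
# Variables expected from the role (defaults/vars/inventory): dnf_packages,
# firewalld_services, podman_user, podman_uid. The "podman migrate" handler
# notified below is defined outside this file.

- name: Install deps
  ansible.builtin.dnf:
    name: "{{ dnf_packages }}"
    state: present

# Must be running before the firewalld task below: immediate: true applies the
# rule to the live daemon, not just the permanent configuration.
- name: Enable firewalld
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

# Each loop item is a firewalld *service* name (service:), not a raw port.
- name: Add ports
  ansible.posix.firewalld:
    service: "{{ item }}"
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ firewalld_services }}"

- name: Create unprivileged user {{ podman_user }}
  ansible.builtin.user:
    name: "{{ podman_user }}"
    uid: "{{ podman_uid }}"
    create_home: true

# The range is keyed on podman_user so it always belongs to the account created
# above. regexp replaces any existing entry for that user (e.g. one useradd
# auto-allocated) instead of appending a second line each time the range changes.
- name: Set subuid / subgid range for {{ podman_user }}
  ansible.builtin.lineinfile:
    path: "{{ item }}"
    regexp: "^{{ podman_user | regex_escape }}:"
    line: "{{ podman_user }}:1000000:65537"
  loop:
    - "/etc/subuid"
    - "/etc/subgid"
  notify:
    - podman migrate

# Informational only: nothing below reads linger_check, so a non-zero exit
# (loginctl reports an error for a user that is neither logged in nor lingering,
# which is the expected state on first run) must not abort the play.
- name: Check linger
  ansible.builtin.command:
    cmd: "loginctl show-user {{ podman_user }}"
  changed_when: false
  failed_when: false
  register: linger_check

# Linger keeps the user's systemd instance alive without an open session.
# The marker file logind writes is named after the user name, not the uid,
# which is why creates: uses podman_user while the command uses podman_uid.
- name: Enable linger
  ansible.builtin.command:
    cmd: "loginctl enable-linger {{ podman_uid }}"
    creates: "/var/lib/systemd/linger/{{ podman_user }}"

# Host-wide setting: after this, ANY unprivileged process on the host — not only
# podman_user — may bind ports 53 through 1023. Raise the value to the lowest
# port the containers actually need if 53 is not required.
- name: Persist unprivileged port
  ansible.posix.sysctl:
    sysctl_file: /etc/sysctl.d/user_priv_ports.conf
    name: net.ipv4.ip_unprivileged_port_start
    value: "53"
    sysctl_set: true
    reload: true

# Installs straight from PyPI as root into the system Python. The pip module is
# idempotent on the installed package, so no creates: marker is needed. Pin the
# version (name: "podman-compose==<pinned version>") or prefer the distro
# package so the install is reproducible and auditable.
- name: Install python package
  ansible.builtin.pip:
    name: podman-compose
    executable: pip3

# Scoped to podman_user via domain; unlimited memlock lets that user's processes
# pin an unbounded amount of RAM.
- name: Remove memlock limit in pam_limits for {{ podman_user }}
  community.general.pam_limits:
    domain: "{{ podman_user }}"
    limit_type: "-"
    limit_item: memlock
    value: unlimited
    comment: unlimited memory lock for elasticsearch

- name: Ramp up nofile limit for {{ podman_user }}
  community.general.pam_limits:
    domain: "{{ podman_user }}"
    limit_type: "-"
    limit_item: nofile
    value: 65536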