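# SPDX-License-Identifier: MIT-0
---
# tasks file for podman
#
# Prepares a host for rootless podman: installs packages, opens the firewalld
# services, creates the unprivileged service account with its subuid/subgid
# range, enables linger so its user services outlive login sessions, lowers
# the privileged-port threshold and raises the account's resource limits.
# Variables consumed here but defined elsewhere in the role: dnf_packages,
# firewalld_services, podman_user, podman_uid. Optional overrides:
# podman_subid_start, podman_subid_count, podman_unprivileged_port_start,
# podman_compose_version.

- name: Install deps
  ansible.builtin.dnf:
    name: "{{ dnf_packages }}"
    state: present

- name: Enable firewalld
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

# Opens firewalld *services* (named service definitions, not raw port
# numbers) in both the runtime and the permanent configuration.
- name: Allow firewalld services
  ansible.posix.firewalld:
    service: "{{ item }}"
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ firewalld_services }}"

- name: Create unprivileged user {{ podman_user }}
  ansible.builtin.user:
    name: "{{ podman_user }}"
    uid: "{{ podman_uid }}"
    create_home: true

# Rootless podman maps container UIDs/GIDs into a subordinate range owned by
# the service account. The entry is keyed on podman_user: the previous
# hard-coded "apps" handed the range to a different account whenever
# podman_user was anything else, leaving rootless podman without a mapping.
# regexp makes a re-run replace a stale entry instead of appending a second
# line for the same user. The start/size defaults are the original values;
# 65537 is kept as-is although 65536 is the size usually documented for
# podman -- confirm intent. Override the two variables if the range overlaps
# another user's entry on the host.
- name: Set subuid / subgid range for {{ podman_user }}
  ansible.builtin.lineinfile:
    path: "{{ item }}"
    regexp: "^{{ podman_user }}:"
    line: "{{ podman_user }}:{{ podman_subid_start | default('1000000') }}:{{ podman_subid_count | default('65537') }}"
  loop:
    - /etc/subuid
    - /etc/subgid
  notify:
    - podman migrate

# loginctl show-user exits non-zero for a user that has no session and does
# not linger yet, which is exactly the state on a fresh host before the next
# task runs, so a non-zero exit must not fail the play. The registered result
# is informational only; nothing below consumes it.
- name: Check linger
  ansible.builtin.command:
    cmd: "loginctl show-user {{ podman_user }}"
  register: linger_check
  changed_when: false
  failed_when: false

# Linger keeps the account's systemd user instance (and therefore its rootless
# containers) running without an interactive login. loginctl accepts the UID,
# but systemd names the marker file after the user name, hence the creates
# path.
- name: Enable linger
  ansible.builtin.command:
    cmd: "loginctl enable-linger {{ podman_uid }}"
    creates: "/var/lib/systemd/linger/{{ podman_user }}"

# Lets rootless containers bind ports below 1024 (53 for DNS, 80/443, ...).
# Security note: this sysctl is host-wide -- every unprivileged account on the
# machine, not just podman_user, may then bind ports 53-1023, so a compromised
# local user can squat on e.g. 80 or 443. Keep the threshold as high as the
# deployed containers allow; raise podman_unprivileged_port_start when no
# container needs a port as low as 53.
- name: Persist unprivileged port
  ansible.posix.sysctl:
    sysctl_file: /etc/sysctl.d/user_priv_ports.conf
    name: net.ipv4.ip_unprivileged_port_start
    value: "{{ podman_unprivileged_port_start | default('53') }}"
    sysctl_set: true
    reload: true

# Supply-chain note: this installs podman-compose from PyPI as root into the
# system Python with no version pin and no hash verification, so whatever
# PyPI serves at run time becomes a root-owned executable on the host. Prefer
# the distro package (add podman-compose to dnf_packages) where one exists;
# otherwise set podman_compose_version to pin an audited release. The pip
# module replaces the bare `pip3 install` command so the task is idempotent
# on the package state rather than on one file path.
- name: Install python package
  ansible.builtin.pip:
    name: podman-compose
    version: "{{ podman_compose_version | default(omit) }}"
    executable: pip3
    state: present

# Unlimited memlock lets the account pin arbitrary amounts of RAM, a
# host-wide denial-of-service lever for anything running as podman_user.
# Keep it only while a workload (the comment names elasticsearch) actually
# requires locked memory; otherwise set a finite value.
- name: Remove memlock limit in pam_limits for {{ podman_user }}
  community.general.pam_limits:
    domain: "{{ podman_user }}"
    limit_type: "-"
    limit_item: memlock
    value: unlimited
    comment: unlimited memory lock for elasticsearch

# Containers with many open sockets/files exhaust the default 1024 quickly.
- name: Ramp up nofile limit for {{ podman_user }}
  community.general.pam_limits:
    domain: "{{ podman_user }}"
    limit_type: "-"
    limit_item: nofile
    value: "65536"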