podman

deploy.yml

@@ -39,13 +39,20 @@
 
 - name: docker
   hosts:
-    - suricata
     - caladan
     - narwhal
   become: true
   roles:
     - docker
 
+- name: podman
+  hosts:
+    - suricata
+  become: true
+  roles:
+    - podman
+  tags: podman
+
 - name: common roles
   hosts:
     - caladan

group_vars/all/main.yml

@@ -7,3 +7,5 @@ deb_arch_mapping: {
   "x86_64": "amd64",
   "i386": "i386"
 }
+
+main_user: rilla

hosts.yml

@@ -105,9 +105,9 @@ all:
           passno: "0"
 
         - src: "/dev/mapper/disk0"
-          path: "/var/lib/docker"
+          path: "/var/lib/containers"
           fstype: "btrfs"
-          opts: "subvol=docker,noatime"
+          opts: "subvol=containers,noatime"
           passno: "0"
 
       rpi_cfg:

roles/podman/tasks/alpine.yml

@@ -0,0 +1,44 @@
+---
+
+- name: install podman with apk
+  apk:
+    name:
+      - podman
+
+- name: enable cgroups v2
+  lineinfile:
+    path: /etc/rc.conf
+    line: 'rc_cgroup_mode="unified"'
+    regexp: '#?rc_cgroup_mode=".+"'
+
+- name: start and enable cgroups
+  service:
+    name: cgroups
+    state: started
+    enabled: true
+
+- name: set podman storage driver
+  lineinfile:
+    path: /etc/containers/storage.conf
+    line: 'driver = "{{ podman_storage_driver }}"'
+    regexp: '"driver = ".+"'
+
+- name: load tun module for rootless podman support
+  modprobe:
+    name: tun
+    state: present
+
+- name: tun module on startup
+  lineinfile:
+    path: /etc/modules
+    line: tun
+    insertafter: EOF
+
+- name: lines for podman rootless support on /etc/subuid and /etc/subgid
+  lineinfile:
+    path: "{{ item }}"
+    line: "{{ main_user }}:100000:65536"
+    insertafter: EOF
+  loop:
+    - /etc/subuid
+    - /etc/subgid

roles/podman/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: 'alpine-specific podman things'
+  include_tasks: alpine.yml
+  when: ansible_distribution == "Alpine"

roles/podman/vars/main.yml

@@ -0,0 +1 @@
+podman_storage_driver: btrfs