feature/podman-setup #20

Merged

mixel merged 8 commits from feature/podman-setup into main 2026-06-01 23:57:25 +02:00

Conversation 0 Commits 8 Files changed 38 +492 -61

mixel commented 2026-06-01 23:57:19 +02:00

Owner

Copy link

No description provided.

mixel added 8 commits 2026-06-01 23:57:19 +02:00

first 3 stages of podman installation 0999b6fa88

refactor: consolidate SSH key management into single source of truth ... 39b23c3899

Replace single ssh_public_key (string) with ssh_public_keys (list) across
all OpenTofu modules so multiple machines can be provisioned from day one.
OpenTofu now writes the keys to ansible/group_vars/all/ssh_keys.yml on
every apply, removing the vault dependency for a non-secret value.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: disable SSH password authentication in common role ... 2e19f813b3

Ensures all managed hosts enforce key-only SSH access via sshd_config.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

refactor: switch Podman to rootful mode for unprivileged LXC ... a21440cf19

Rootless Podman fails inside unprivileged Proxmox LXC because subuid
ranges starting at 100000 are outside the container's UID space (0-65535).
Rootful Podman avoids user namespaces entirely; the LXC itself provides
isolation (LXC root maps to ~UID 100000 on the Proxmox host).

Removes service user, subuid config, lingering, and user-scoped systemd.
Adds podman-quadlet role for deploying system-scope quadlet services.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: add Pi-hole DNS ad-blocker as rootful Podman quadlet ... 961a50b73d

Deploys Pi-hole v6 via systemd quadlet on Podman hosts tagged 'pihole'.
Admin password injected via Podman secret (FTLCONF_webserver_api_password).
State backed up to NFS via state-backup role.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: correct OpenTofu module refs, remove ssh_pwauth, re-encrypt .env ... 9c71633431

- module.pihole -> module.LXC.pihole (ha.tf, inventory.tf)
- Remove ssh_pwauth: false from cloud-init (now managed by Ansible common)
- Re-encrypt .env after renaming ssh_public_key -> ssh_public_keys

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

add ssh:forget task to delete hosts entries in case of opentofu destroy fcf536c6df

fix: correct stale variables, dead handlers, and redundant role ... 1e42710da7

- .env.example: ssh_public_key → ssh_public_keys (match renamed var)
- pihole handlers: remove rootless leftover, fix to rootful scope: system
- podman-host handler: rename restart → reload (it's a daemon-reload, not a restart)
- site.yml: remove redundant common role from Podman play (already runs in first play)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

mixel merged commit db62b84a9c into main 2026-06-01 23:57:25 +02:00

mixel deleted branch feature/podman-setup 2026-06-01 23:57:25 +02:00

mixel referenced this pull request from a commit 2026-06-01 23:57:26 +02:00

Merge pull request 'feature/podman-setup' (#20) from feature/podman-setup into main

mixel referenced this pull request from a commit 2026-06-02 12:37:10 +02:00

Merge pull request 'feature/podman-setup' (#20) from feature/podman-setup into main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

mixel/infrastructure!20

No description provided.