Use rootful container with automatic namespace

author: alex <alex@pdp7.net> 2025-10-12 16:23:17 +0200
committer: alex <alex@pdp7.net> 2025-10-12 16:23:17 +0200
commit: ab49cf6758e55c4b9b7fecdfad2f947345a7c231 (patch)
tree: 6bfd50f58ee0232c9e82bf34227741e831206f77
parent: 139f3768ba55c1e7426b498f841f369f799ceb28 (diff)
2 files changed, 14 insertions, 1 deletions
diff --git a/infrastructure/roles/podman/tasks/main.yaml b/infrastructure/roles/podman/tasks/main.yaml
index e804aca..66be760 100644
--- a/infrastructure/roles/podman/tasks/main.yaml
+++ b/infrastructure/roles/podman/tasks/main.yaml
@@ -6,3 +6,13 @@
     name: podman-auto-update.timer
     enabled: true
     state: started
+- name: configure containers subuids
+  ansible.builtin.copy:
+    dest: /etc/subuid
+    content: |
+      containers:2147483647:2147483648
+- name: configure containers subgids
+  ansible.builtin.copy:
+    dest: /etc/subgid
+    content: |
+      containers:2147483647:2147483648
diff --git a/infrastructure/roles/vaultwarden/tasks/main.yaml b/infrastructure/roles/vaultwarden/tasks/main.yaml
index 96eb64f..313b48b 100644
--- a/infrastructure/roles/vaultwarden/tasks/main.yaml
+++ b/infrastructure/roles/vaultwarden/tasks/main.yaml
@@ -10,8 +10,9 @@
       Image=ghcr.io/dani-garcia/vaultwarden:latest
       Exec=/start.sh
       EnvironmentFile=vaultwarden.environment
-      Volume=/var/lib/vaultwarden/:/data/
+      Volume=/var/lib/vaultwarden/:/data/:idmap
       Network=host
+      UserNS=auto
 
       [Install]
       WantedBy=default.target
@@ -36,6 +37,8 @@
   ansible.builtin.file:
     name: /var/lib/vaultwarden
     state: directory
+  notify:
+    - restart quadlet
 - meta: flush_handlers
 - name: enable quadlet
   ansible.builtin.systemd_service:
author	alex <alex@pdp7.net>	2025-10-12 16:23:17 +0200
committer	alex <alex@pdp7.net>	2025-10-12 16:23:17 +0200
commit	ab49cf6758e55c4b9b7fecdfad2f947345a7c231 (patch)
tree	6bfd50f58ee0232c9e82bf34227741e831206f77
parent	139f3768ba55c1e7426b498f841f369f799ceb28 (diff)