Use rootful container with automatic namespace

diff --git a/infrastructure/roles/podman/tasks/main.yaml b/infrastructure/roles/podman/tasks/main.yaml
index e804aca393a754dff522191570aed15b542e8244..66be760a4c5e42e824e100bef45ee120492ec1d3 100644 (file)
--- a/infrastructure/roles/podman/tasks/main.yaml
+++ b/infrastructure/roles/podman/tasks/main.yaml
@@ -6,3 +6,13 @@
     name: podman-auto-update.timer
     enabled: true
     state: started
+- name: configure containers subuids
+  ansible.builtin.copy:
+    dest: /etc/subuid
+    content: |
+      containers:2147483647:2147483648
+- name: configure containers subgids
+  ansible.builtin.copy:
+    dest: /etc/subgid
+    content: |
+      containers:2147483647:2147483648

diff --git a/infrastructure/roles/vaultwarden/tasks/main.yaml b/infrastructure/roles/vaultwarden/tasks/main.yaml
index 96eb64f8eeb36eb0bf1b8613e0dc49197ffc05ea..313b48b1a317762f04b8d4c0b30f635fe6818a83 100644 (file)
--- a/infrastructure/roles/vaultwarden/tasks/main.yaml
+++ b/infrastructure/roles/vaultwarden/tasks/main.yaml
@@ -10,8 +10,9 @@
       Image=ghcr.io/dani-garcia/vaultwarden:latest
       Exec=/start.sh
       EnvironmentFile=vaultwarden.environment
-      Volume=/var/lib/vaultwarden/:/data/
+      Volume=/var/lib/vaultwarden/:/data/:idmap
       Network=host
+      UserNS=auto
 
       [Install]
       WantedBy=default.target
@@ -36,6 +37,8 @@
   ansible.builtin.file:
     name: /var/lib/vaultwarden
     state: directory
+  notify:
+    - restart quadlet
 - meta: flush_handlers
 - name: enable quadlet
   ansible.builtin.systemd_service: