major cleanup of ansible tasks in podman role

ansible/roles/podman/files/sshpass_cron/crontab

@@ -1,4 +1,4 @@
-0 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@Garage.localdomain 'reboot'
+0 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@192.168.1.254 'reboot'
-15 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@LivingRoom.localdomain 'reboot'
+15 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@192.168.1.253 'reboot'
-30 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@FrontYard.localdomain 'reboot'
+30 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@192.168.1.252 'reboot'
-45 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@Office.localdomain 'reboot'
+45 5 * * * sshpass -f /mnt/unifi-pass ssh -o 'StrictHostKeyChecking=no' ubnt@192.168.1.251 'reboot'

ansible/roles/podman/tasks/container-awsddns.yml

@@ -1,13 +1,16 @@
 ---
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: awsddns
+    container_image: "{{ image }}"
+
 - name: create home.bdebyl.net awsddns server container
   become: true
   become_user: "{{ podman_user }}"
   diff: false
   containers.podman.podman_container:
     name: awsddns
-    image: docker.io/bdebyl/awsddns:1.0.34
+    image: "{{ image }}"
-    recreate: false
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     env:
@@ -17,13 +20,16 @@
       AWS_ACCESS_KEY_ID: "{{ aws_access_key_id }}"
       AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
       AWS_DEFAULT_REGION: "{{ aws_default_region }}"
-  tags: ddns
 
 - name: create systemd startup job for awsddns
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: awsddns
-  tags: ddns
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: awsddns-skudak
+    container_image: "{{ image }}"
 
 - name: create wiki.skudakrennsport.com awsddns server container
   become: true
@@ -31,9 +37,7 @@
   diff: false
   containers.podman.podman_container:
     name: awsddns-skudak
-    image: docker.io/bdebyl/awsddns:1.0.34
+    image: "{{ image }}"
-    recreate: false
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     env:
@@ -43,10 +47,8 @@
       AWS_ACCESS_KEY_ID: "{{ aws_skudak_access_key_id }}"
       AWS_SECRET_ACCESS_KEY: "{{ aws_skudak_secret_access_key }}"
       AWS_DEFAULT_REGION: "{{ aws_default_region }}"
-  tags: ddns
 
 - name: create systemd startup job for awsddns-skudak
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: awsddns
-  tags: ddns

ansible/roles/podman/tasks/container-bookstack.yml

@@ -12,11 +12,9 @@
     - "{{ bookstack_path }}/mysql"
     - "{{ bookstack_path }}/public"
     - "{{ bookstack_path }}/storage"
-  tags: bookstack
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: bookstack
 
 - name: unshare chown the bookstack upload volumes
   become: true
@@ -24,16 +22,18 @@
   changed_when: false
   ansible.builtin.command: |
     podman unshare chown -R 33:33 {{ bookstack_path }}/public {{ bookstack_path }}/storage
-  tags: bookstack
 
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: bookstack-db
+    container_image: "{{ db_image }}"
+    
 - name: create bookstack-db container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: bookstack-db
-    image: docker.io/mysql:5.7.21
+    image: "{{ db_image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -46,22 +46,23 @@
       MYSQL_PASSWORD: "{{ bookstack_db_pass }}"
     volumes:
       - "{{ bookstack_path }}/mysql:/var/lib/mysql"
-  tags: bookstack
 
 - name: create systemd startup job for bookstack-db
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: bookstack-db
-  tags: bookstack
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: bookstack
+    container_image: "{{ image }}"
 
 - name: create bookstack container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: bookstack
-    image: docker.io/solidnerd/bookstack:23.6
+    image: "{{ image }}"
-    recreate: true
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -85,10 +86,8 @@
     volumes:
       - "{{ bookstack_path }}/public:/var/www/bookstack/public/uploads"
       - "{{ bookstack_path }}/storage:/var/www/bookstack/storage/uploads"
-  tags: bookstack
 
 - name: create systemd startup job for bookstack
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: bookstack
-  tags: bookstack

ansible/roles/podman/tasks/container-cloud.yml

@@ -13,7 +13,6 @@
     - "{{ cloud_path }}/config"
     - "{{ cloud_path }}/data"
     - "{{ cloud_path }}/mysql"
-  tags: cloud
 
 - name: unshare chown the nextcloud volumes
   become: true
@@ -21,14 +20,12 @@
   changed_when: false
   ansible.builtin.command: |
     podman unshare chown -R 33:33 {{ cloud_path }}/data {{ cloud_path}}/config
-  tags: cloud
 
 - name: get user/group id from unshare
   become: true
   ansible.builtin.stat:
     path: "{{ cloud_path }}/data"
   register: cloud_owner
-  tags: cloud
 
 - name: mount cloud cifs
   become: true
@@ -38,20 +35,21 @@
     fstype: cifs
     opts: "username=cloud,password={{ cloud_cifs_pass }},uid={{ cloud_owner.stat.uid }},gid={{ cloud_owner.stat.uid }}"
     state: mounted
-  tags: cloud
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: cloud
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: cloud-db
+    container_image: "{{ db_image }}"
 
 - name: create cloud-db container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: cloud-db
-    image: docker.io/mariadb:10.5
+    image: "{{ db_image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -63,22 +61,23 @@
       MYSQL_USER: cloud
     volumes:
       - "{{ cloud_path }}/mysql:/var/lib/mysql"
-  tags: cloud
 
 - name: create systemd startup job for cloud-db
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: cloud-db
-  tags: cloud
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: cloud
+    container_image: "{{ image }}"
 
 - name: create cloud container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: cloud
-    image: docker.io/nextcloud:24.0.5-apache
+    image: "{{ image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -94,10 +93,8 @@
       - "{{ cloud_path }}/config:/var/www/html/config"
     ports:
       - "8089:80"
-  tags: cloud
 
 - name: create systemd startup job for cloud
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: cloud
-  tags: cloud

ansible/roles/podman/tasks/container-drone.yml

@@ -10,20 +10,21 @@
   notify: restorecon podman
   loop:
     - "{{ drone_path }}/data"
-  tags: drone
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: drone
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: drone
+    container_image: "{{ image }}"
 
 - name: create drone-ci server container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: drone
-    image: docker.io/drone/drone:2.16.0
+    image: "{{ image }}"
-    recreate: true
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -41,22 +42,23 @@
       - "{{ drone_path }}/data:/data"
     ports:
       - "8080:80"
-  tags: drone
 
 - name: create systemd startup job for drone
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: drone
-  tags: drone
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: drone-runner
+    container_image: "{{ runner_image }}"
 
 - name: create drone-ci worker container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: drone-runner
-    image: docker.io/drone/drone-runner-docker:1.8.3
+    image: "{{ runner_image }}"
-    recreate: false
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -70,10 +72,8 @@
       - "/run/user/1002/podman/podman.sock:/var/run/docker.sock"
     ports:
       - "3000:3000"
-  tags: drone
 
 - name: create systemd startup job for drone-runner
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: drone-runner
-  tags: drone

ansible/roles/podman/tasks/container-factorio.yml

@@ -10,7 +10,6 @@
   notify: restorecon podman
   loop:
     - "{{ factorio_path }}"
-  tags: factorio
 
 - name: unshare chown the elastic volume
   become: true
@@ -18,20 +17,21 @@
   changed_when: false
   ansible.builtin.command: |
     podman unshare chown -R 845:845 {{ factorio_path }}
-  tags: factorio
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: factorio
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: factorio
+    container_image: "{{ image }}"
 
 - name: create factorio server container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: factorio
-    image: docker.io/factoriotools/factorio:1.1.80
+    image: "{{ image }}"
-    recreate: true
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     volumes:
@@ -39,10 +39,8 @@
     ports:
       - 34197:34197/udp
       - 27015:27015/tcp
-  tags: factorio
 
 - name: create systemd startup job for factorio
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: factorio
-  tags: factorio

ansible/roles/podman/tasks/container-fulfillr.yml

@@ -1,5 +1,5 @@
 ---
-- import_tasks: podman-ecr-login.yml
+- import_tasks: ecr/podman-ecr-login.yml
 
 - name: create fulfillr host directory volumes
   become: true
@@ -12,7 +12,6 @@
   notify: restorecon podman
   loop:
     - "{{ fulfillr_path }}"
-  tags: fulfillr
 
 - name: template fulfillr config
   become: true
@@ -26,32 +25,31 @@
     - production.json
   notify:
     - restorecon podman
-  tags: fulfillr
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: fulfillr
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: fulfillr
+    container_image: "{{ image }}"
 
 - name: create fulfillr server container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: fulfillr
-    image: "{{ aws_ecr_endpoint }}/fulfillr:20230711.1654"
+    image: "{{ image }}"
     image_strict: true
     command: --config /config/production.json
-    recreate: true
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     volumes:
       - "{{ fulfillr_path }}:/config"
     ports:
       - 9054:8080/tcp
-  tags: fulfillr
 
 - name: create systemd startup job for fulfillr
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: fulfillr
-  tags: fulfillr

ansible/roles/podman/tasks/container-graylog.yml

@@ -13,7 +13,6 @@
     - "{{ graylog_path }}/elastic"
     - "{{ graylog_path }}/conf"
     - "{{ graylog_path }}/bin"
-  tags: graylog
 
 - name: copy configuration files
   become: true
@@ -29,7 +28,6 @@
     - src: "graylog.conf"
       dest: "conf/graylog.conf"
   notify: restorecon podman
-  tags: graylog
 
 - name: unshare chown the elastic volume
   become: true
@@ -37,41 +35,43 @@
   changed_when: false
   ansible.builtin.command: |
     podman unshare chown -R 1000:1000 {{ graylog_path }}/elastic
-  tags: graylog
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: graylog
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: graylog-mongo
+    container_image: "{{ db_image }}"
 
 - name: create graylog mongodb container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: graylog-mongo
-    image: docker.io/mongo:4.2
+    image: "{{ db_image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     network:
       - shared
     volumes:
       - "{{ graylog_path }}/mongo:/data/db"
-  tags: graylog
 
 - name: create systemd startup job for graylog-mongo
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: graylog-mongo
-  tags: graylog
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: graylog-elastic
+    container_image: "{{ es_image }}"
 
 - name: create graylog elasticsearch container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: graylog-elastic
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    image: "{{ es_image }}" 
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     network:
       - shared
@@ -83,22 +83,23 @@
       network.host: "0.0.0.0"
       cluster.name: "graylog"
       ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx2048m"
-  tags: graylog
 
 - name: create systemd startup job for graylog-elastic
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: graylog-elastic
-  tags: graylog
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: graylog
+    container_image: "{{ image }}"
 
 - name: create graylog container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: graylog
-    image: docker.io/graylog/graylog:4.3.11
+    image: "{{ image }}"
-    recreate: true
-    restart: true
     restart_policy: on-failure:3
     sysctl:
       net.ipv6.conf.all.disable_ipv6: 1
@@ -120,10 +121,8 @@
       - "{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp"
       - "{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp"
       - "{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp"
-  tags: graylog
 
 - name: create systemd startup job for graylog
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: graylog
-  tags: graylog

ansible/roles/podman/tasks/container-hass.yml

@@ -11,7 +11,6 @@
   loop:
     - "{{ hass_path }}/media"
     - "{{ hass_path }}/config"
-  tags: hass
 
 - name: copy configuration and automations
   become: true
@@ -25,20 +24,21 @@
   loop:
     - configuration.yaml
     - automations.yaml
-  tags: hass
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: hass
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: hass
+    container_image: "{{ image }}"
 
 - name: create home-assistant server container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: hass
-    image: ghcr.io/home-assistant/home-assistant:stable
+    image: "{{ image }}" 
-    recreate: false
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     cap_add:
@@ -49,10 +49,8 @@
       - "{{ hass_path }}/media:/share"
     ports:
       - "8123:8123"
-  tags: hass
 
 - name: create systemd startup job for hass
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: hass
-  tags: hass

ansible/roles/podman/tasks/container-nginx.yml

@@ -1,14 +1,17 @@
 ---
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: nginx
+    container_image: "{{ image }}"
+
 - name: create nginx container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: nginx
-    image: docker.io/owasp/modsecurity:nginx
+    image: "{{ image }}"
     entrypoint: ""
     command: ["nginx", "-g", "daemon off;"]
-    recreate: false
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -22,10 +25,8 @@
       - "{{ nginx_path }}/etc:/etc/nginx:ro"
       - "/srv/http/letsencrypt:/srv/http/letsencrypt:z"
       - "/etc/letsencrypt:/etc/letsencrypt:ro"
-  tags: nginx
 
 - name: create systemd startup job for nginx
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: nginx
-  tags: nginx

ansible/roles/podman/tasks/container-partkeepr.yml

@@ -10,20 +10,21 @@
   notify: restorecon podman
   loop:
     - "{{ partkeepr_path }}/mysql"
-  tags: partkeepr
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: partkeepr
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: partkeepr-db
+    container_image: "{{ db_image }}"
 
 - name: create partkeepr-db container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: partkeepr-db
-    image: docker.io/mariadb:10.0
+    image: "{{ db_image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -35,32 +36,31 @@
       MYSQL_PASSWORD: "{{ partkeepr_mysql_password }}"
     volumes:
       - "{{ partkeepr_path }}/mysql:/var/lib/mysql"
-  tags: partkeepr
 
 - name: create systemd startup job for partkeepr-db
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: partkeepr-db
-  tags: partkeepr
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: partkeepr
+    container_image: "{{ image }}"
 
 - name: create partkeepr container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: partkeepr
-    image: docker.io/bdebyl/partkeepr:0.1.10
+    image: "{{ image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
       - shared
     ports:
       - "8081:80"
-  tags: partkeepr
 
 - name: create systemd startup job for partkeepr
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: partkeepr
-  tags: partkeepr

ansible/roles/podman/tasks/container-photos.yml

@@ -11,11 +11,9 @@
   loop:
     - "{{ photos_path }}/mysql"
     - "{{ photos_path }}/storage"
-  tags: photos
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: photos
 
 - name: mount photos cifs
   become: true
@@ -25,16 +23,18 @@
     fstype: cifs
     opts: "username=photos,password={{ photos_cifs_pass }},uid={{ podman_subuid.stdout }},gid={{ podman_subuid.stdout }}"
     state: mounted
-  tags: photos
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: photos-db
+    container_image: "{{ db_image }}"
 
 - name: create photos-db container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: photos-db
-    image: docker.io/mariadb:10.8
+    image: "{{ db_image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -47,22 +47,23 @@
       MYSQL_PASSWORD: "{{ photos_db_pass }}"
     volumes:
       - "{{ photos_path }}/mysql:/var/lib/mysql"
-  tags: photos
 
 - name: create systemd startup job for photos-db
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: photos-db
-  tags: photos
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: photos
+    container_image: "{{ image }}"
 
 - name: create photos container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: photos
-    image: docker.io/photoprism/photoprism:230625-ce
+    image: "{{ image }}"
-    recreate: false
-    restart: false
     restart_policy: on-failure:3
     log_driver: journald
     network:
@@ -99,10 +100,8 @@
       - "{{ photos_path }}/storage:/photoprism/"
     ports:
       - "8088:2342"
-  tags: photos
 
 - name: create systemd startup job for photos
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: photos
-  tags: photos

ansible/roles/podman/tasks/container-pihole.yml

@@ -1,81 +0,0 @@
----
-- name: create required pihole volumes
-  become: true
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    owner: "{{ podman_subuid.stdout }}"
-    mode: 0755
-  notify: restorecon podman
-  loop:
-    - "{{ pihole_path }}/config"
-    - "{{ pihole_path }}/dnsmasq"
-    - "/srv/http/letsencrypt"
-  tags: pihole
-
-- name: flush handlers
-  ansible.builtin.meta: flush_handlers
-  tags: pihole
-
-- name: create pihole container
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_container:
-    name: pihole
-    image: docker.io/pihole/pihole:2022.04.3
-    recreate: false
-    restart: true
-    restart_policy: on-failure:3
-    log_driver: journald
-    cap_add:
-      - CAP_NET_BIND_SERVICE
-      - NET_ADMIN
-    env:
-      DNSMASQ_USER: "root"
-      INTERFACE: "tap0"
-      PIHOLE_UID: 0
-      TZ: "America/New_York"
-      VIRTUAL_HOST: "{{ pi_server_name }}"
-      WEBPASSWORD: "{{ pihole_password }}"
-    volumes:
-      - "{{ pihole_path }}/config:/etc/pihole"
-      - "{{ pihole_path }}/dnsmasq:/etc/dnsmasq.d"
-    ports:
-      - 1153:53/udp
-      - 1153:53/tcp
-      - 8082:80
-  tags: pihole
-
-- name: create systemd startup job for pihole
-  include_tasks: systemd-generate.yml
-  vars:
-    container_name: pihole
-  tags: pihole
-
-- name: Redirect DNS, DHCP, HTTP and HTTPS to pihole
-  become: true
-  ansible.builtin.iptables:
-    table: nat
-    chain: PREROUTING
-    in_interface: eno1
-    protocol: "{{ item }}"
-    match: "{{ item }}"
-    destination_port: 53
-    jump: REDIRECT
-    to_ports: 1153
-    comment: Redirect DNS traffic to port 1153
-  loop:
-    - udp
-    - tcp
-  tags:
-    - pihole
-    - firewall
-
-- name: Save state of iptables for IPv4
-  become: true
-  community.general.iptables_state:
-    state: saved
-    path: /etc/sysconfig/iptables
-  tags:
-    - pihole
-    - firewall

ansible/roles/podman/tasks/container-sshpass-cron.yml

@@ -10,7 +10,6 @@
   notify: restorecon podman
   loop:
     - "{{ sshpass_cron_path }}"
-  tags: sshpass_cron
 
 - name: copy sshpass_cron crontab
   become: true
@@ -24,7 +23,6 @@
     - crontab
   notify:
     - restorecon podman
-  tags: sshpass_cron
 
 - name: create sshpass_cron password file
   become: true
@@ -36,29 +34,29 @@
     mode: 0400
   notify:
     - restorecon podman
-  tags: sshpass_cron
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
-  tags: sshpass_cron
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: sshpass_cron
+    container_image: "{{ image }}"
 
 - name: create sshpass_cron container
   become: true
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: sshpass_cron
-    image: docker.io/bdebyl/sshpass-cron:1.0.9
+    image: "{{ image }}"
-    image_strict: true
-    recreate: true
-    restart: true
     restart_policy: on-failure:3
     log_driver: journald
     volumes:
       - "{{ sshpass_cron_path }}:/mnt"
-  tags: sshpass_cron
+    env:
+      TZ: "America/New_York"
 
 - name: create systemd startup job for sshpass_cron
-  include_tasks: systemd-generate.yml
+  include_tasks: podman/systemd-generate.yml
   vars:
     container_name: sshpass_cron
-  tags: sshpass_cron

ansible/roles/podman/tasks/ecr/podman-ecr-login.yml

@@ -1,25 +1,21 @@
 ---
 - name: fetch aws ecr auth token
   become: true
-  become_user: podman
+  become_user: "{{ podman_user }}"
   shell: |
     aws ecr get-authorization-token --region us-east-1
   register: ecr_command
-  tags: always
 
 - set_fact:
     ecr_authorization_data: "{{ (ecr_command.stdout | from_json).authorizationData[0] }}"
-  tags: always
 
 - set_fact:
     ecr_credentials: "{{ (ecr_authorization_data.authorizationToken | b64decode).split(':') }}"
-  tags: always
 
 - name: podman login to AWS ECR
   become: true
-  become_user: podman
+  become_user: "{{ podman_user }}"
   containers.podman.podman_login:
     registry: "{{ aws_ecr_endpoint }}"
     username: "{{ ecr_credentials[0] }}"
-    password: "{{ ecr_credentials[1] }}"
+    password: "{{ ecr_credentials[1] }}"
-  tags: always

ansible/roles/podman/tasks/main.yml

@@ -1,17 +1,71 @@
 ---
 - import_tasks: podman.yml
-- import_tasks: configuration-nginx.yml
 - import_tasks: firewall.yml
+
 - import_tasks: container-awsddns.yml
+  vars:
+    image: docker.io/bdebyl/awsddns:1.0.34
+  tags: ddns
+
 - import_tasks: container-drone.yml
+  vars:
+    runner_image: docker.io/drone/drone-runner-docker:1.8.3
+    image: docker.io/drone/drone:2.16.0
+  tags: drone
+
 - import_tasks: container-hass.yml
+  vars:
+    image: ghcr.io/home-assistant/home-assistant:stable
+  tags: hass
+
 - import_tasks: container-partkeepr.yml
+  vars:
+    db_image: docker.io/library/mariadb:10.0
+    image: docker.io/bdebyl/partkeepr:0.1.10
+  tags: partkeepr
+
 - import_tasks: container-graylog.yml
-- import_tasks: container-pihole.yml
+  vars:
+    db_image: docker.io/library/mongo:4.2
+    es_image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    image: docker.io/graylog/graylog:4.3.11
+  tags: graylog
+
 - import_tasks: container-bookstack.yml
+  vars:
+    db_image: docker.io/library/mysql:5.7.21
+    image: docker.io/solidnerd/bookstack:23.6
+  tags: bookstack
+
 - import_tasks: container-photos.yml
+  vars:
+    db_image: docker.io/library/mariadb:10.8
+    image: docker.io/photoprism/photoprism:230625-ce
+  tags: photos
+
 - import_tasks: container-cloud.yml
+  vars:
+    db_image: docker.io/library/mariadb:10.5
+    image: docker.io/library/nextcloud:24.0.5-apache
+  tags: cloud
+
 - import_tasks: container-fulfillr.yml
+  vars:
+    image: "{{ aws_ecr_endpoint }}/fulfillr:20230711.1654"
+  tags: fulfillr
+
+- import_tasks: configuration-nginx.yml
 - import_tasks: container-nginx.yml
-- import_tasks: container-factorio.yml
+  vars:
+    image: docker.io/owasp/modsecurity:nginx
+  tags: nginx
+
 - import_tasks: container-sshpass-cron.yml
+  vars:
+    image: docker.io/bdebyl/sshpass-cron:1.0.11
+  tags: sshpass_cron
+
+- import_tasks: container-factorio.yml
+  vars:
+    image: docker.io/factoriotools/factorio:1.1.80
+  tags: factorio

ansible/roles/podman/tasks/podman/podman-check.yml

@@ -0,0 +1,20 @@
+---
+- name: get container info
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container_info:
+    name: "{{ container_name }}"
+  register: container
+
+- name: check
+  debug:
+    msg: "image '{{ container.containers[0]['ImageName'] }}' not equivalent to '{{ container_image }}'!"
+  when: container.containers[0]["ImageName"] != container_image
+
+- name: delete container if necessary
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: "{{ container_name }}"
+    state: absent
+  when: container.containers[0]["ImageName"] != container_image