mgmt/configuration/playbooks/final-podman-fix.yml

---
- name: Final Podman Permission Fix for Nomad
  hosts: all
  become: yes
  tasks:
    - name: Stop Nomad service
      systemd:
        name: nomad
        state: stopped

    - name: Install podman for nomad user (system-wide)
      package:
        name: podman
        state: present

    - name: Enable podman socket for nomad user
      systemd:
        name: podman.socket
        enabled: yes
        state: started
        scope: system
        daemon_reload: yes

    - name: Create nomad user podman configuration directory
      file:
        path: /home/nomad/.config/containers
        state: directory
        owner: nomad
        group: nomad
        mode: '0755'
        recurse: yes

    - name: Configure podman for nomad user to use system socket
      copy:
        content: |
          [containers]
          
          [engine]
          remote = true
          
          [service_destinations]
          [service_destinations.system]
          uri = "unix:///run/podman/podman.sock"          
        dest: /home/nomad/.config/containers/containers.conf
        owner: nomad
        group: nomad
        mode: '0644'

    - name: Update Nomad configuration to use system podman socket
      replace:
        path: /etc/nomad.d/nomad.hcl
        regexp: 'socket_path = "unix:///run/user/1001/podman/podman.sock"'
        replace: 'socket_path = "unix:///run/podman/podman.sock"'

    - name: Add nomad user to necessary groups
      user:
        name: nomad
        groups: 
          - podman
        append: yes

    - name: Create podman group if it doesn't exist
      group:
        name: podman
        state: present

    - name: Set proper permissions on system podman socket directory
      file:
        path: /run/podman
        state: directory
        mode: '0755'
        group: podman

    - name: Start Nomad service
      systemd:
        name: nomad
        state: started
        enabled: yes

    - name: Wait for Nomad to be ready
      wait_for:
        port: 4646
        timeout: 60

    - name: Wait for plugins to load
      pause:
        seconds: 20

    - name: Final verification - Check driver status
      shell: sudo -u nomad /usr/local/bin/nomad node status -self | grep -A 10 "Driver Status"
      register: final_driver_status
      failed_when: false

    - name: Display final driver status
      debug:
        var: final_driver_status.stdout_lines

    - name: Test podman access for nomad user
      shell: sudo -u nomad podman version
      register: podman_test
      failed_when: false

    - name: Display podman test result
      debug:
        var: podman_test.stdout_lines