fix: podman integration

roles/gitea/tasks/main.yml

@@ -134,6 +134,12 @@
   become: false
   become_user: "{{ ansible_user }}"
 
+- name: Provision TLS certificate for Gitea
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ gitea_nginx_hostname }}"
+  when: gitea_nginx_enabled
+
 - name: Deploy nginx vhost configuration for Gitea
   ansible.builtin.template:
     src: nginx-vhost.conf.j2

roles/gitea/templates/gitea.service.j2

@@ -5,7 +5,7 @@ Description=Gitea Git Service
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/gitea
-ExecStart=/usr/bin/podman play kube --replace gitea.yaml
+ExecStart=/usr/bin/podman play kube --replace --network=pasta:--map-host-loopback={{ podman_gw_gateway }} gitea.yaml
 ExecStop=/usr/bin/podman play kube --down gitea.yaml
 Restart=on-failure
 RestartSec=10

roles/immich/defaults/main.yml

@@ -9,13 +9,13 @@ immich_upload_location: "{{ podman_projects_dir }}/immich/data/upload"
 immich_postgres_db_name: immich
 immich_postgres_user: immich
 # immich_postgres_password: ""  # Intentionally undefined - role will fail if not set
-# immich_postgres_host: ""  # Must be set in inventory (e.g., podman_gw_gateway)
+# immich_postgres_host: ""  # Must be set in inventory (e.g., "{{ podman_gw_gateway }}" to reach host postgres)
 immich_postgres_port: 5432
 
 # Valkey configuration (REQUIRED password - must be set explicitly)
 immich_valkey_user: immich
 # immich_valkey_password: ""  # Intentionally undefined - role will fail if not set
-# immich_valkey_host: ""  # Must be set in inventory (e.g., podman_gw_gateway)
+# immich_valkey_host: ""  # Must be set in inventory (e.g., "{{ podman_gw_gateway }}" to reach host valkey)
 immich_valkey_port: 6379
 immich_valkey_db: 0 # Dedicated database number for isolation (0-15)
 

roles/immich/tasks/main.yml

@@ -57,6 +57,18 @@
     - earthdistance
     - vector
 
+- name: Update PostgreSQL extensions to latest available version
+  community.postgresql.postgresql_query:
+    login_db: "{{ immich_postgres_db_name }}"
+    query: "ALTER EXTENSION {{ item }} UPDATE"
+  become: false
+  become_user: "{{ postgres_admin_user | default('postgres') }}"
+  loop:
+    - cube
+    - earthdistance
+    - vector
+  changed_when: false
+
 - name: Grant schema permissions to Immich user
   community.postgresql.postgresql_privs:
     login_db: "{{ immich_postgres_db_name }}"
@@ -144,6 +156,12 @@
   become: false
   become_user: "{{ ansible_user }}"
 
+- name: Provision TLS certificate for Immich
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ immich_nginx_hostname }}"
+  when: immich_nginx_enabled
+
 - name: Deploy nginx vhost configuration for Immich
   ansible.builtin.template:
     src: nginx-vhost.conf.j2

roles/immich/templates/immich.service.j2

@@ -5,7 +5,7 @@ Description=Immich Media Server
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/immich
-ExecStart=/usr/bin/podman play kube --replace immich.yaml
+ExecStart=/usr/bin/podman play kube --replace --network=pasta:--map-host-loopback={{ podman_gw_gateway }} immich.yaml
 ExecStop=/usr/bin/podman play kube --down immich.yaml
 Restart=on-failure
 RestartSec=10

roles/immich/templates/immich.yaml.j2

@@ -5,9 +5,6 @@ metadata:
   name: immich
   labels:
     app: immich
-  annotations:
-    io.podman.annotations.network.mode: bridge
-    io.podman.annotations.network.name: podman-gw
 spec:
   containers:
     - name: server

roles/ntfy/templates/ntfy.service.j2

@@ -5,7 +5,7 @@ Description=Ntfy Notification Service
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/ntfy
-ExecStart=/usr/bin/podman play kube --replace ntfy.yaml
+ExecStart=/usr/bin/podman play kube --replace --network=pasta:--map-host-loopback={{ podman_gw_gateway }} ntfy.yaml
 ExecStop=/usr/bin/podman play kube --down ntfy.yaml
 Restart=on-failure
 RestartSec=10

roles/podman/defaults/main.yml

@@ -18,3 +18,8 @@ podman_log_driver: journald
 # k8s-file driver settings (only used when podman_log_driver: k8s-file)
 podman_log_max_size: 10mb # Max size per log file before rotation
 podman_log_max_files: 5 # Max number of rotated log files to keep
+
+# Host gateway address exposed inside rootless containers (pasta --map-host-loopback)
+# Containers can connect to this address to reach services bound to host loopback.
+# Pasta translates the destination to 127.0.0.1 on the host side.
+podman_gw_gateway: 100.64.0.1

roles/podman/templates/containers.conf.j2

@@ -29,5 +29,12 @@ runtime = "{{ podman_runtime }}"
 network_backend = "netavark"
 
 [network]
-# Default rootless network command (pasta for better performance)
+# Default rootless network command (pasta for better performance).
+# Note: default_rootless_network_cmd only accepts the mode name ("pasta" or
+# "slirp4netns"). Extra pasta arguments must be set via pasta_options below;
+# the "pasta:--arg=value" syntax is only valid for the CLI --network= flag.
 default_rootless_network_cmd = "pasta"
+
+# --map-host-loopback exposes the host's loopback to containers via {{ podman_gw_gateway }}.
+# Containers connecting to {{ podman_gw_gateway }} reach host services bound to 127.0.0.1.
+pasta_options = ["--map-host-loopback", "{{ podman_gw_gateway }}"]