fix: using a bridge to link podman pods to host s services

inventory/host_vars/example.yml

@@ -14,6 +14,10 @@ network_interfaces:
   - name: lan1
     type: ethernet
     mac_address: 0a:3f:5b:1c:d2:e4
+  - name: podman-gw
+    type: bridge
+    ipv4:
+      address: "{{ podman_gw_gateway }}/10"
 
 # NTP servers configuration
 # -------------------------
@@ -115,24 +119,24 @@ nfs_bind_addresses:
 
 # Podman configuration
 # --------------------
-podman_external_networks:
+podman_gw_gateway: 100.64.0.1
-  - name: immich
+podman_gw_subnet: 100.64.0.0/10
-    subnet: 172.20.0.0/16
-    gateway: 172.20.0.1
 
 # PostgreSQL configuration
 # ------------------------
 postgres_admin_password: "{{ vault_postgres_admin_password }}"
-postgres_bind: "127.0.0.1"
+postgres_bind: "127.0.0.1,{{ podman_gw_gateway }}" # Comma-separated for PostgreSQL
 postgres_firewall_allowed_sources:
   - 127.0.0.0/8
+  - "{{ podman_gw_subnet }}"
 
 # Valkey configuration
 # --------------------
 valkey_admin_password: "{{ vault_valkey_admin_password }}"
-valkey_bind: "127.0.0.1"
+valkey_bind: "127.0.0.1 {{ podman_gw_gateway }}" # Space-separated for Valkey
 valkey_firewall_allowed_sources:
   - 127.0.0.0/8
+  - "{{ podman_gw_subnet }}"
 
 # Valkey ACL users
 valkey_acl_users:

roles/net-config/tasks/main.yml

@@ -1,36 +1,34 @@
 ---
 - name: Check if the interface ipv4 address is defined
+  ansible.builtin.debug:
+    msg: "Warning: iface {{ interface.name }} has no defined ipv4 address, skipping configuration"
   when: interface.ipv4.address is not defined
 
+- name: Process interface configuration
+  when: interface.ipv4.address is defined
   block:
-    - ansible.builtin.debug:
+    - name: Create systemd-netdev file for virtual interface
-        msg: "Warning: iface {{ interface.name }} has no defined ipv4 address, skipping configuration"
+      when:
-    - name: Skip net-config role for {{ interface.name }}
+        - interface.type is defined
-      ansible.builtin.meta: end_play
+        - interface.type != 'ethernet'
-- name: Check if the interface is already configured
+      ansible.builtin.template:
-  ansible.builtin.stat:
+        src: systemd.netdev.j2
-    path: /etc/systemd/network/20-{{ interface.name }}.network
+        dest: /etc/systemd/network/10-{{ interface.name }}.netdev
-  register: network_file
+        owner: root
+        group: root
+        mode: "0644"
+      register: netdev_result
 
-- name: What patch is needed
+    - name: Create systemd-network configuration file
-  ansible.builtin.debug:
+      ansible.builtin.template:
-    msg: >-
+        src: systemd.network.j2
-      {%- if network_file.stat.exists == true -%}
+        dest: /etc/systemd/network/20-{{ interface.name }}.network
-        iface {{ interface.name }} is already configured, no action needed.
+        owner: root
-      {%- else -%}
+        group: root
-        iface {{ interface.name }} will be configured.
+        mode: "0644"
-      {%- endif -%}
+      register: network_result
 
-- name: Create systemd-network link file
+    - name: Notify a reload is required
-  when: network_file.stat.exists != true
+      ansible.builtin.set_fact:
-  ansible.builtin.template:
+        network_reload_required: true
-    src: systemd.network.j2
+      when: netdev_result is changed or network_result is changed
-    dest: /etc/systemd/network/20-{{ interface.name }}.network
-    owner: root
-    group: root
-    mode: "0644"
-
-- name: Notify a reload is required
-  ansible.builtin.set_fact:
-    network_reload_required: true
-  when: network_file.stat.exists != true

roles/net-config/templates/systemd.netdev.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+# systemd.netdev(5)
+
+[NetDev]
+Name={{ interface.name }}
+Kind={{ interface.type }}

roles/net-config/templates/systemd.network.j2

@@ -11,9 +11,14 @@ RouteMetric={{ interface.ipv4.metric }}
 {% endif %}
 
 [Network]
+{% if interface.type is defined and interface.type == 'bridge' %}
+ConfigureWithoutCarrier=yes
+{% endif %}
+{% if interface.ipv4.nameservers is defined %}
 {% for dns in interface.ipv4.nameservers %}
 DNS={{ dns }}
 {% endfor %}
+{% endif %}
 
 {% if interface.ipv4.gateway is defined %}
 [Route]

roles/net-persist/tasks/main.yml

@@ -1,28 +1,35 @@
 ---
-- name: "Check {{ interface.name }} ({{ interface.mac_address }}) rule"
+- name: Skip net-persist for non-ethernet interfaces
-  ansible.builtin.set_fact:
-    interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress',
-      'equalto', interface.mac_address) | map(attribute='device') | first }}"
-
-- name: What patch is needed
   ansible.builtin.debug:
-    msg: >-
+    msg: "Skipping net-persist for {{ interface.name }} (type: {{ interface.type }})"
-      {%- if interface_original_name != interface.name -%}
+  when: interface.type is defined and interface.type != 'ethernet'
-        iface {{ interface_original_name }} ({{ interface.mac_address }}) will be patched to {{ interface.name }}.
-      {%- else -%}
-        iface {{ interface.name }} is already set, no action needed.
-      {%- endif -%}
 
-- name: Create persistent-net link file
+- name: Process ethernet interface persistence
-  when: interface_original_name != interface.name
+  when: interface.type is not defined or interface.type == 'ethernet'
-  ansible.builtin.template:
+  block:
-    src: persistent-net.link.j2
+    - name: "Check {{ interface.name }} ({{ interface.mac_address }}) rule"
-    dest: /etc/systemd/network/10-persistent-net-{{ interface.name }}.link
+      ansible.builtin.set_fact:
-    owner: root
+        interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress', 'equalto', interface.mac_address) | map(attribute='device') | first }}"
-    group: root
-    mode: "0644"
 
-- name: Notify a reboot is required
+    - name: What patch is needed
-  ansible.builtin.set_fact:
+      ansible.builtin.debug:
-    reboot_required: true
+        msg: >-
-  when: interface_original_name != interface.name
+          {%- if interface_original_name != interface.name -%}
+            iface {{ interface_original_name }} ({{ interface.mac_address }}) will be patched to {{ interface.name }}.
+          {%- else -%}
+            iface {{ interface.name }} is already set, no action needed.
+          {%- endif -%}
+
+    - name: Create persistent-net link file
+      when: interface_original_name != interface.name
+      ansible.builtin.template:
+        src: persistent-net.link.j2
+        dest: /etc/systemd/network/10-persistent-net-{{ interface.name }}.link
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: Notify a reboot is required
+      ansible.builtin.set_fact:
+        reboot_required: true
+      when: interface_original_name != interface.name

roles/networking/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Initialize network management variables
+  ansible.builtin.set_fact:
+    reboot_required: false
+    network_reload_required: false
+
 - name: Setup persistent network interface(s)
   ansible.builtin.include_role:
     name: net-persist

roles/postgres/README.md

@@ -22,16 +22,19 @@ See `CLAUDE.md` for detailed architecture documentation.
 
 ## Container Access
 
-For containers to reach PostgreSQL, configure in inventory:
+For containers to reach PostgreSQL:
 
+PostgreSQL binds to `127.0.0.1` by default (secure, localhost-only).
+
+Containers can reach PostgreSQL via Pasta's `--map-host-loopback` feature, which routes container's `127.0.0.1` to the host's `127.0.0.1`.
+
+In docker-compose files, use:
 ```yaml
-postgres_bind: "127.0.0.1,{{ podman_subnet_gateway }}"
+extra_hosts:
-postgres_firewall_allowed_sources:
+  - "postgres.local:127.0.0.1"
-  - 127.0.0.0/8
-  - "{{ podman_subnet }}"
 ```
 
-Containers use `host.containers.internal` as hostname.
+No additional bind addresses or firewall rules needed!
 
 ## Logging Backends
 

roles/valkey/README.md

@@ -53,11 +53,18 @@ Service users must be registered via the `valkey_acl_users` list. See the ACL Co
 
 #### Container Access
 
-For containers to access Valkey, set `valkey_bind` to include the Podman gateway:
+Valkey binds to `127.0.0.1` by default (secure, localhost-only).
+
+Containers can reach Valkey via Pasta's `--map-host-loopback` feature, which routes container's `127.0.0.1` to the host's `127.0.0.1`.
+
+In docker-compose files, use:
 ```yaml
-valkey_bind: "127.0.0.1 {{ podman_subnet_gateway }}"
+extra_hosts:
+  - "host.containers.internal:127.0.0.1"
 ```
 
+No additional bind addresses needed!
+
 **System Requirements:** This role automatically configures kernel parameters (`vm.overcommit_memory=1`) and transparent hugepage settings
 
 ## Dependencies