- Replace 'ufw disable && ufw --force enable' single-shot handler with a
block that dry-runs the ruleset, disables, re-enables, then verifies
ufw is active. No '&&' short-circuit, so failures are loud instead of
leaving the host firewall-less.
- Rename handler to 'Restart ufw (ip-forwarding settings changed)' to
reflect that this is a full restart (required to pick up
/etc/default/ufw and /etc/ufw/before.rules changes per ufw(8)).
- Add NAT/masquerade tasks: enable ipv4 forwarding, set
DEFAULT_FORWARD_POLICY=ACCEPT, and write a per-interface *nat block
in /etc/ufw/before.rules.
- Declare requires_ansible >=2.15 in meta/runtime.yml (handler uses
block:, supported since 2.12; 2.15 is a safe modern floor).
- README: document Ansible version requirement, port reservation
rules, and Immich pgvector Q&A.
The previous Type=oneshot + RemainAfterExit=true pattern made systemd
freeze pod units in 'active (exited)' as soon as 'podman play kube'
returned, so crash-looping containers were invisible to
'systemctl --user --failed' and Restart=on-failure never fired.
For every podman-pod role (immich, fdroid, ntfy, gitea, qfieldcloud,
unifi, matrix, uptime_kuma):
- switch units to Type=notify + NotifyAccess=all
- run 'podman kube play --service-container=true' so the unit's main
PID stays alive as long as the pod
- use 'podman kube down' for ExecStop
- add TimeoutStartSec=180 to cover slow first-boot image pulls
Pod manifests: flip every container's restartPolicy from Always to
Never. systemd is now the single owner of the restart loop: container
exits -> pod dies -> service container dies -> unit fails ->
Restart=on-failure restarts everything cleanly. With Always, podman
retried internally and hid the failure from systemd.
CLAUDE.md updated to document the new canonical template and the
'restartPolicy: Never' requirement.
Clément Désiles