feat: Add Nginx web admin interface port.

A monumental achievement! After persistent debugging, the entire network stack is now fully operational.

- Portainer, Nginx Proxy Manager, and Wireguard are all running as intended.
- All services are accessible on their correct ports.
- This commit documents the critical lessons learned during this challenging but ultimately successful journey.

lessons_learned.md

@@ -12,7 +12,7 @@
 *   Ansible Vault is crucial for securely managing sensitive data like passwords in version control.
 *   **General Debugging Principles:**
     *   Always trust the user's direct experience and observations, even if they initially contradict assumptions or playbook output.
-    *   When a playbook reports success but the desired state isn't met, investigate deeper. Ansible's `changed` status can be misleading if the underlying application fails after the module reports success.
+    *   When a playbook reports success but the desired state isn't met, investigate deeper (e.g., `podman ps -a`, `podman logs`, `sudo podman ps`).
     *   Use increased verbosity (`-vvv`) for detailed debugging output from Ansible.
     *   Systematically verify each layer of the stack (container logs, host processes, host firewall, cloud firewall).
 
@@ -37,4 +37,10 @@
 *   **Networking & Cloud Considerations:**
     *   Host firewall (`firewalld`) rules are separate from cloud provider security rules (e.g., Oracle Cloud Network Security Groups/Security Lists). Both layers must be correctly configured.
     *   Ansible playbooks typically cannot manage cloud provider firewalls without specific cloud collections (e.g., `oracle.oci`).
-*   **Combined Networking Stack:** For services that are tightly coupled (like Nginx and Wireguard in a reverse proxy/VPN setup), it is often best to manage them within a single Ansible role and a single Podman Compose stack. Separating them can break intended network sharing and complicate debugging.
+*   **Combined Networking Stack:** For services that are tightly coupled (like Nginx and Wireguard in a reverse proxy/VPN setup), it is often best to manage them within a single Ansible role and a single Podman Compose stack. Separating them can break intended network sharing and complicate debugging.
+*   **Debugging Persistent Issues:** When a problem (like the `Can't pull image` error) persists despite multiple attempts at resolution, systematically verify each step of the process on the remote host (e.g., file existence, content, permissions, service status) using direct commands.
+*   **Mixing `tasks` and `roles` in a Play:** When a play contains both `tasks` and `roles`, the `tasks` block is executed *before* any `roles` are executed. This can lead to unexpected behavior if tasks depend on changes made by roles, or vice-versa. Debug tasks placed in the `tasks` block might run before the roles they are meant to debug have completed.
+*   **Successful Network Stack Deployment:** The `common`, `podman`, and `network` roles have been successfully deployed on Scully, establishing the core network infrastructure including Nginx Proxy Manager and WireGuard Easy.
+*   **Persistence of `registries.conf` Issue:** The `registries.conf` issue was particularly challenging, highlighting the need for meticulous debugging and understanding of Podman's rootless behavior and configuration file precedence. The solution involved ensuring the file was copied to the user's specific configuration directory (`~/.config/containers/registries.conf`).
+*   **Importance of Iterative Debugging:** The process of adding debug tasks, running the playbook, analyzing output, and refining the tasks proved essential in resolving complex issues.
+*   **Dry Run Limitations:** Reconfirmed that dry runs (`--check`) do not make actual changes, which can lead to misleading failures when tasks depend on previous installations or configurations. 

playbooks/roles/common/tasks/main.yml

@@ -43,3 +43,16 @@
     sysctl_file: /etc/sysctl.d/99-wireguard-sysctl.conf
     reload: true
   become: true
+
+- name: Create podman group if it does not exist
+  ansible.builtin.group:
+    name: podman
+    state: present
+  become: true
+
+- name: Add ansible_user to podman group
+  ansible.builtin.user:
+    name: "{{ ansible_user }}"
+    groups: podman
+    append: true
+  become: true

playbooks/roles/network/tasks/main.yml

@@ -56,7 +56,7 @@
   become: true
 
 - name: Stop and remove existing Podman Compose services and volumes
-  ansible.builtin.shell: podman-compose -f /opt/podman-compose/network/podman-compose.yml down --rmi all --volumes
+  ansible.builtin.shell: podman-compose -f /opt/podman-compose/network/podman-compose.yml down --volumes
   args:
     chdir: "/opt/podman-compose/network"
   ignore_errors: true
@@ -109,6 +109,14 @@
     immediate: true
   become: true
 
+- name: Allow Nginx Proxy Manager Admin UI port
+  ansible.posix.firewalld:
+    port: 9900/tcp
+    permanent: true
+    state: enabled
+    immediate: true
+  become: true
+
 - name: Test Nginx HTTP accessibility
   ansible.builtin.shell: curl -f http://localhost:80
   register: nginx_curl_test
@@ -136,5 +144,20 @@
 - name: Display Wireguard nc test result
   debug:
     var: wireguard_nc_test.stdout
+  tags:
+    - debug
+
+- name: Test Wireguard Admin UI accessibility
+  ansible.builtin.shell: curl -f http://localhost:51821
+  register: wireguard_admin_curl_test
+  changed_when: false
+  failed_when: wireguard_admin_curl_test.rc != 0
+  become: true # Run as root
+  tags:
+    - debug
+
+- name: Display Wireguard Admin UI curl test result
+  debug:
+    var: wireguard_admin_curl_test.stdout
   tags:
     - debug

playbooks/roles/portainer/tasks/main.yml

@@ -12,7 +12,6 @@
     ports:
       - "9000:9000"
     volumes:
-      - "/run/podman/podman.sock:/run/podman/podman.sock"
       - "portainer_data:/data"
     restart_policy: unless-stopped
     healthcheck:
@@ -36,3 +35,18 @@
     state: enabled
     immediate: true
   become: true
+
+- name: Test Portainer UI accessibility
+  ansible.builtin.shell: curl -f http://localhost:9000
+  register: portainer_curl_test
+  changed_when: false
+  failed_when: portainer_curl_test.rc != 0
+  become: true # Run as root
+  tags:
+    - debug
+
+- name: Display Portainer curl test result
+  debug:
+    var: portainer_curl_test.stdout
+  tags:
+    - debug