roles/zwavejs2mqtt: Deploy Z2M using Podman

Home Assistant no longer recommends using the built-in libopenzwave
integration for communicating with Z-Wave devices.  Evidently, OpenZWave
is no longer maintained, and community efforts have shifted toward
Z-Wave JS.

Z-Wave JS is architecturally much different than the legacy Z-Wave
integration.  Instead of running the network controller inside the Home
Assistant process, a separate daemon communicates with the Z-Wave radio.
Home Assistant integrates with that daemon using a WebSockets API.  This
has the advantage of decoupling the network operation from the lifecycle
of the Home Assistant process: restarting Home Assistant (e.g. to load
new configuration changes) does not take the Z-Wave network offline.

ZwaveJS2Mqtt is a distribution of the Z-Wave JS daemon, as well as a
web-based user interface for configuring it.  Although its name implies
that it uses MQTT for communication, this feature is actually optional,
and the native WebSockets API can still be used for integration with
Home Assistant.

I decided to follow the same deployment pattern for ZwaveJS2Mqtt as for
Home Assistant itself: run the application from a container image using
Podman.  This of course simplifies the installation of the application
significantly, leaving most of that work up to the maintainer of the
container image.  Podman provides the container runtime, managing the
privileges, etc.  The systemd service unit starts Podman, configuring an
ephemeral container on each run.  The container uses the default network
namespace, avoiding the unnecessary overhead of port mapping.  It uses
Podman's "rootless" mode, via the `--uidmap` and `--gidmap` arguments,
mapping users inside the container, including root, to unprivileged
users on the host.  The Z-Wave radio, which is specified by the
`zwavejs_device` Ansible variable,  is passed into the container via the
`--device` argument.

homeassistant.yml

@@ -5,6 +5,8 @@
     tags: homeassistant
   - role: mosquitto
     tags: mosquitto
+  - role: zwavejs2mqtt
+    tags: zwavejs2mqtt
   tasks:
   - name: ensure homeassistant is running
     service:

roles/zwavejs2mqtt/defaults/main.yml

@@ -0,0 +1 @@
+zwavejs_device_container: /dev/ttyUSB0

roles/zwavejs2mqtt/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: reload systemd
+  command: systemctl daemon-reload
+- name: restart zwavejs2mqtt
+  service:
+    name: zwavejs2mqtt
+    state: restarted

roles/zwavejs2mqtt/tasks/main.yml

@@ -0,0 +1,57 @@
+- name: ensure podman is installed
+  package:
+    name: '{{ zwavejs_podman_packages }}'
+    state: present
+  tags:
+  - install
+
+- name: ensure zwavejs user exists
+  user:
+    name: zwavejs
+    system: true
+    home: /var/lib/zwavejs
+    groups:
+    - dialout
+    createhome: false
+  register: zwavejs_user
+  tags:
+  - user
+
+- name: ensure zwavejs data directory exists
+  file:
+    path: /var/lib/zwavejs
+    owner: zwavejs
+    group: zwavejs
+    mode: '0755'
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure zwavejs2mqtt container image is available
+  podman_image:
+    name: docker.io/zwavejs/zwavejs2mqtt
+    tag: latest
+    state: present
+  notify:
+  - restart zwavejs2mqtt
+  tags:
+  - container-image
+  - container
+
+- name: ensure zwavejs2mqtt systemd unit is installed
+  template:
+    src: zwavejs2mqtt.service.j2
+    dest: /etc/systemd/system/zwavejs2mqtt.service
+    mode: '0644'
+  notify:
+  - reload systemd
+  - restart zwavejs2mqtt
+  tags:
+  - service
+  - systemd
+- name: ensure zwavejs2mqtt starts at boot
+  service:
+    name: zwavejs2mqtt
+    enabled: true
+  tags:
+  - service

roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2

@@ -0,0 +1,26 @@
+[Unit]
+Description=Zwavejs2Mqtt
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/setfacl -m zwavejs:rw {{ zwavejs_device }}
+ExecStartPre=-/usr/bin/podman container rm --ignore -f zwavejs2mqtt
+ExecStart=/usr/bin/podman run \
+    --pull never \
+    --sdnotify=conmon --cgroups=no-conmon \
+    --rm \
+    --network=host \
+    --name zwavejs2mqtt \
+    -v /var/lib/zwavejs:/usr/src/app/store:Z \
+    --uidmap 0:{{ zwavejs_user.uid }}:1 \
+    --gidmap 0:{{ zwavejs_user.group }}:1 \
+    --uidmap 1:5000001:1024 \
+    --gidmap 1:5000001:1024 \
+    --device {{ zwavejs_device }}:{{ zwavejs_device_container}}:rw \
+    docker.io/zwavejs/zwavejs2mqtt:latest
+ProtectSystem=full
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

roles/zwavejs2mqtt/vars/main.yml

@@ -0,0 +1,2 @@
+zwavejs_podman_packages:
+- podman