theforeman · pablomh · Feb 18, 2026
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -110,7 +110,7 @@ jobs:
           ./foremanctl deploy --add-feature foreman_azure_rm --add-feature foreman_google
       - name: Run tests
         run: |
-          ./forge test --pytest-args="--certificate-source=${{ matrix.certificate_source }} --database-mode=${{ matrix.database }}"
+          ./forge test --pytest-args="--certificate-source=${{ matrix.certificate_source }} --database-mode=${{ matrix.database }} --user=foremanctl"
       - name: Run smoker
         run: |
           ./forge smoker
@@ -219,7 +219,7 @@ jobs:
           ./foremanctl deploy --add-feature foreman_azure_rm --add-feature foreman_google
       - name: Stop services
         run:
-          vagrant ssh quadlet -- sudo systemctl stop foreman.target
+          vagrant ssh quadlet -- sudo systemctl --machine=foremanctl@ --user stop foreman.target
       - name: Configure upgrade version
         run: |
           sed -i '/container_tag_stream:/ s/:.*/: "${{ matrix.upgrade_to }}"/' src/vars/images.yml
@@ -231,7 +231,7 @@ jobs:
           ./foremanctl deploy
       - name: Run tests
         run: |
-          ./forge test
+          ./forge test --pytest-args="--user=foremanctl"
       - name: Generate sos reports
         if: ${{ always() }}
         run: ./forge sos

diff --git a/development/playbooks/deploy-dev/deploy-dev.yaml b/development/playbooks/deploy-dev/deploy-dev.yaml
@@ -1,4 +1,14 @@
 ---
+- name: Setup rootless user environment
+  hosts: "{{ target_host if target_host is defined and target_host != '' else 'quadlet' }}"
+  become: true
+  roles:
+    - role: rootless_user
+  tasks:
+    - name: Map rootless_user_xdg_runtime_dir to foremanctl namespace
+      ansible.builtin.set_fact:
+        foremanctl_xdg_runtime_dir: "{{ rootless_user_xdg_runtime_dir }}"
+
 - name: Deploy Foreman Development Environment
   hosts: "{{ target_host if target_host is defined and target_host != '' else 'quadlet' }}"
   become: true

diff --git a/development/playbooks/remote-database/remote-database.yaml b/development/playbooks/remote-database/remote-database.yaml
@@ -1,10 +1,22 @@
 ---
+- name: Setup rootless user environment
+  hosts:
+    - database
+  become: true
+  roles:
+    - role: rootless_user
+  tasks:
+    - name: Map rootless_user_xdg_runtime_dir to foremanctl namespace
+      ansible.builtin.set_fact:
+        foremanctl_xdg_runtime_dir: "{{ rootless_user_xdg_runtime_dir }}"
+
 - name: Setup remote database
   hosts:
     - database
   become: true
   vars_files:
     - "../../../src/vars/database.yml"
+    - "../../../src/vars/base.yaml"
   roles:
     - role: pre_install
     - role: postgresql
diff --git a/docs/certificates.md b/docs/certificates.md
@@ -42,15 +42,19 @@ foremanctl deploy --certificate-source=installer
 After deployment, certificates are available at:
 
 **Default Source:**
-- CA Certificate: `/root/certificates/certs/ca.crt`
-- Server Certificate: `/root/certificates/certs/<hostname>.crt`
-- Client Certificate: `/root/certificates/certs/<hostname>-client.crt`
+- CA Certificate: `/var/lib/foremanctl/certificates/certs/ca.crt`
+- Server Certificate: `/var/lib/foremanctl/certificates/certs/<hostname>.crt`
+- Client Certificate: `/var/lib/foremanctl/certificates/certs/<hostname>-client.crt`
 
 **Installer Source:**
 - CA Certificate: `/root/ssl-build/katello-default-ca.crt`
 - Server Certificate: `/root/ssl-build/<hostname>/<hostname>-apache.crt`
 - Client Certificate: `/root/ssl-build/<hostname>/<hostname>-foreman-client.crt`
 
+**Note for Rootless Deployments:**
+- Default certificates are owned by `foremanctl:foremanctl` user and group
+- Installer certificates remain in `/root/ssl-build/` with group ownership and permissions automatically configured during deployment to allow the `foremanctl` user to read them
+
 ### Current Limitations
 
 - Only supports single hostname (no multiple DNS names)
@@ -99,16 +103,18 @@ Certificate paths are defined in source-specific variable files:
 
 **Default Source (`src/vars/default_certificates.yml`):**
 ```yaml
+certificates_ca_directory: /var/lib/foremanctl/certificates
 ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
 server_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_facts['fqdn'] }}.crt"
 client_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_facts['fqdn'] }}-client.crt"
 ```
 
 **Installer Source (`src/vars/installer_certificates.yml`):**
 ```yaml
-ca_certificate: "/root/ssl-build/katello-default-ca.crt"
-server_certificate: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-apache.crt"
-client_certificate: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.crt"
+certificates_ca_directory: /root/ssl-build
+ca_certificate: "{{ certificates_ca_directory }}/katello-default-ca.crt"
+server_certificate: "{{ certificates_ca_directory }}/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-apache.crt"
+client_certificate: "{{ certificates_ca_directory }}/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.crt"
 ```
 
 #### Integration with Deployment
@@ -138,12 +144,14 @@ The `certificate_checks` role uses `foreman-certificate-check` binary to validat
 
 **Directory Structure:**
 ```
-/root/certificates/
+/var/lib/foremanctl/certificates/
 ├── certs/           # Public certificates
 ├── private/         # Private keys and passwords
 └── requests/        # Certificate signing requests
 ```
 
+All certificate files and directories are owned by `foremanctl:foremanctl` to support rootless Podman deployments.
+
 **OpenSSL Configuration:**
 - Custom configuration template supports SAN extensions
 - Single DNS entry per certificate: `subjectAltName = DNS:{{ certificates_hostname }}`

diff --git a/src/playbooks/deploy/deploy.yaml b/src/playbooks/deploy/deploy.yaml
@@ -1,5 +1,16 @@
 ---
-- name: Setup quadlet demo machine
+- name: Setup rootless user environment
+  hosts:
+    - quadlet
+  become: true
+  roles:
+    - role: rootless_user
+  tasks:
+    - name: Map rootless_user_xdg_runtime_dir to foremanctl namespace
+      ansible.builtin.set_fact:
+        foremanctl_xdg_runtime_dir: "{{ rootless_user_xdg_runtime_dir }}"
+
+- name: Deploy Foreman services
   hosts:
     - quadlet
   become: true

diff --git a/src/playbooks/migrate-to-rootless/metadata.obsah.yaml b/src/playbooks/migrate-to-rootless/metadata.obsah.yaml
@@ -0,0 +1,15 @@
+---
+help: |
+  Migrate existing rootful Foreman deployment to rootless
+
+  WARNING: This is a destructive operation that will:
+  - Stop all running services
+  - Transfer ownership of data volumes
+  - Remove system-scoped systemd units
+  - Recreate everything in user scope
+
+  PREREQUISITES:
+  - Backup all data before running this migration
+  - Ensure no active users or operations are running
+  - Test this in a non-production environment first
+...