containers: Reload podman network on firewalld reload

firewalld reload causes the podman network rules to be removed. It is
being tracked at containers/podman#5431. In
the mean time, add a workaround service to rebuild the rules when
firewalld is started or reloaded.

files/containers/podman-firewalld-reload.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Redo podman NAT rules after firewalld starts or reloads
+Documentation=https://github.com/containers/podman/issues/5431
+Wants=dbus.service
+After=dbus.service
+
+[Service]
+Type=simple
+Environment=LC_CTYPE=C.utf8
+ExecStart=/bin/bash -c "dbus-monitor --profile --system 'type=signal,sender=org.freedesktop.DBus,path=/org/freedesktop/DBus,interface=org.freedesktop.DBus,member=NameAcquired,arg0=org.fedoraproject.FirewallD1' 'type=signal,path=/org/fedoraproject/FirewallD1,interface=org.fedoraproject.FirewallD1,member=Reloaded' | sed -u '/^#/d' | while read -r type timestamp serial sender destination path interface member _junk; do if [[ $type = '#'* ]]; then continue; elif [[ $interface = org.freedesktop.DBus && $member = NameAcquired ]]; then echo 'firewalld started'; podman network reload --all; elif [[ $interface = org.fedoraproject.FirewallD1 && $member = Reloaded ]]; then echo 'firewalld reloaded'; podman network reload --all; fi; done"
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

manifests/base/containers.pp

@@ -56,11 +56,19 @@
       content => "[Service]\nDelegate=yes\n",
       notify  => Nest::Lib::Systemd_reload['containers'],
     ;
+
+    '/etc/systemd/system/podman-firewalld-reload.service':
+      source => 'puppet:///modules/nest/containers/podman-firewalld-reload.service',
+      notify  => Nest::Lib::Systemd_reload['containers'],
+    ;
   }
   ->
   nest::lib::systemd_reload { 'containers': }
   ->
-  service { 'podman.socket':
+  service { [
+    'podman.socket',
+    'podman-firewalld-reload',
+  ]:
     enable => true,
   }