diff --git a/ansible_vm/comfy_stuff/group_vars/all.yml b/ansible_vm/comfy_stuff/group_vars/all.yml index 993686f..bbeaca3 100644 --- a/ansible_vm/comfy_stuff/group_vars/all.yml +++ b/ansible_vm/comfy_stuff/group_vars/all.yml @@ -1,5 +1,7 @@ # Variables for comfy_stuff playbook +vm_username: anon + installed_gems: - bundler - rake diff --git a/ansible_vm/comfy_stuff/playbook.yml b/ansible_vm/comfy_stuff/playbook.yml index 0491e81..508f1cb 100644 --- a/ansible_vm/comfy_stuff/playbook.yml +++ b/ansible_vm/comfy_stuff/playbook.yml @@ -12,6 +12,8 @@ state: present - import_tasks: tasks/go.yml tags: go + - import_tasks: tasks/podman.yml + tags: podman - import_tasks: tasks/ruby.yml tags: ruby - name: Ensure shell for anon is bash (for Ansible compatibility) diff --git a/ansible_vm/comfy_stuff/tasks/podman.yml b/ansible_vm/comfy_stuff/tasks/podman.yml new file mode 100644 index 0000000..ebfb4b4 --- /dev/null +++ b/ansible_vm/comfy_stuff/tasks/podman.yml 
@@ -0,0 +1,71 @@
+---
+
+- name: Install Podman and helpers
+ apt:
+ name:
+ - podman
+ - podman-docker
+ - slirp4netns
+ - fuse-overlayfs
+ state: present
+ update_cache: yes
+ become: true
+ tags: podman
+
+- name: Ensure the group "podman" exists
+ ansible.builtin.group:
+ name: podman
+ state: present
+ tags: podman
+
+- name: Ensure user can run Podman without sudo (add {{ vm_username }} to podman group)
+ user:
+ name: "{{ vm_username }}"
+ groups: podman
+ append: yes
+ become: true
+ tags: podman
+
+- name: Ensure systemd user instance for podman is enabled
+ become: true
+ systemd:
+ name: podman.socket
+ scope: system
+ enabled: yes
+ state: started
+ tags: podman
+
+- name: Install DBus packages required by Podman user services
+ apt:
+ name:
+ - dbus-user-session
+ - dbus-x11
+ state: present
+ update_cache: yes
+ become: true
+ tags: podman
+
+- name: Check lingering status for anon
+ command: loginctl show-user anon
+ register: linger_status
+ changed_when: false
+
+- name: Enable systemd lingering for anon
+ become: true
+ command: loginctl enable-linger anon
+ when: "'Linger=yes' not in linger_status.stdout"
+ register: enable_linger
+ changed_when: true # ensure Ansible marks this as 'changed' when executed
+ tags: podman
+
+- name: Reboot if lingering was just enabled
+ become: true
+ reboot:
+ msg: "Rebooting because lingering was just enabled for user anon"
+ connect_timeout: 5
+ reboot_timeout: 600
+ pre_reboot_delay: 0
+ post_reboot_delay: 10
+ test_command: whoami
+ when: enable_linger is defined and enable_linger.changed | default(false)
+ tags: podman
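Review bot: The task named "Ensure systemd user instance for podman is enabled" actually enables `podman.socket` with `scope: system`, which is the root-owned Podman API socket, while the rest of the file (slirp4netns, fuse-overlayfs, lingering) sets up rootless use. Anyone who can reach that socket controls containers as root, so if rootless is the intent it should be `scope: user` run with `become_user: "{{ vm_username }}"` after lingering is enabled; a user-scope unit also needs the user's runtime directory in the environment, which is not visible here. The `podman` group is probably unnecessary as well: rootless Podman does not, as far as I know, check any group membership, and a group that later gets access to the system socket would be root-equivalent. Separately, the group task has no `become: true` (fine only if the play sets it), and the lingering and reboot tasks hard-code `anon` where `{{ vm_username }}` was just introduced.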