MUST be invoked before any work involving: quadlet generation, volume backing, tunnels (Tailscale/Cloudflare), deploy overlays, or production deployment configuration.
Deployment configuration for container services: quadlet file generation details, per-volume backing configuration, tunnel configuration for external access, and per-machine deploy overlays.
| Action | Command | Description |
|---|---|---|
| Configure deployment | ov config <image> | Generate .container file + save deploy.yml |
| Configure instance | ov config <image> -i <instance> | Generate instance-specific quadlet + deploy entry |
| Configure volume backing | ov config <image> --bind name | Set volume as host bind mount |
| Provision data | ov config <image> --seed | Auto-provision data layers into bind mounts (default) |
| Deploy status | ov deploy status | Audit deploy.yml vs quadlet sync |
| Show overrides | ov deploy show [image] | Display deploy.yml contents |
| Show instance overrides | ov deploy show <image> -i <instance> | Display instance-specific overrides |
| Import config | ov deploy import <files> | Merge files into deploy.yml |
| Reset config | ov deploy reset [image] | Remove deploy.yml overrides |
| Reset instance config | ov deploy reset <image> -i <instance> | Remove instance overrides |
| Push to registry | ov image build --push | Multi-platform push |
For service lifecycle commands (start/stop/status/logs/update/remove), see /ov:service. For VM deployment, see /ov:vm. For encrypted storage, see /ov:enc.
User-level systemd services via podman quadlet. Generated by ov config.
Path: ~/.config/containers/systemd/ov-<image>.container (or ov-<image>-<instance>.container with -i).
Contents include:
- [Container] section: image reference, container name, port mappings, volumes, environment
- [Service] section: restart policy, lifecycle hooks
- [Install] section: WantedBy=default.target (omitted for encrypted services without keyring backend)
- PodmanArgs= for security settings (privileged, capabilities, devices)
- Volume= for named volumes and plain bind mounts
- Environment= / EnvironmentFile= for env vars
- ExecStartPost= / ExecStopPost= for tunnel commands

Service name: ov-<image>.service. Container name: ov-<image>. Entrypoint: determined by the build.yml init: section for the configured init system.

Encrypted volumes are mounted via ExecStartPre=ov config mount in the quadlet, which creates a transient ov-enc-<image>-<volume>.scope unit for each encrypted volume. These scope units are independent of the container service — they survive stop/restart (see /ov:enc). With the Secret Service backend the service auto-starts after login (ExecStartPre waits for keyring unlock, TimeoutStartSec=0). With KeePass or no backend it requires ov start (no WantedBy=default.target).
Layer and image-level security settings become PodmanArgs= in the quadlet file:
- privileged: true -> PodmanArgs=--privileged
- cap_add -> PodmanArgs=--cap-add=<CAP>
- devices -> PodmanArgs=--device=<DEV>
- security_opt -> PodmanArgs=--security-opt=<OPT>

Source: ov/security.go, ov/quadlet.go.
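As an added worked example (not code from the ov project, but a stand-alone Go re-implementation of the mapping listed above; the struct and function names are assumed), the block below renders a quadlet in the shape the previous section outlines from a set of security settings, then audits the result for the PodmanArgs= lines that widen the container's reach into the host. The image name, ports, volumes, the tailscale serve / tailscale serve reset commands used as ExecStartPost=/ExecStopPost= tunnel hooks, and the list of capabilities and security options flagged for review are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// SecuritySettings holds the layer/image-level keys listed above (field names assumed).
type SecuritySettings struct {
	Privileged  bool
	CapAdd      []string
	Devices     []string
	SecurityOpt []string
}

// PodmanArgs applies the mapping above, one PodmanArgs= line per flag (quadlet concatenates repeats).
func PodmanArgs(s SecuritySettings) []string {
	var lines []string
	if s.Privileged {
		lines = append(lines, "PodmanArgs=--privileged")
	}
	for _, c := range s.CapAdd {
		lines = append(lines, "PodmanArgs=--cap-add="+c)
	}
	for _, d := range s.Devices {
		lines = append(lines, "PodmanArgs=--device="+d)
	}
	for _, o := range s.SecurityOpt {
		lines = append(lines, "PodmanArgs=--security-opt="+o)
	}
	return lines
}

// RenderQuadlet assembles a user-level ov-<image>.container: [Container] with image, name,
// ports, volumes and security args; [Service] with restart policy and tunnel hooks; [Install].
func RenderQuadlet(image, ref string, ports, volumes []string, sec SecuritySettings, tunnelUp, tunnelDown string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[Container]\nImage=%s\nContainerName=ov-%s\n", ref, image)
	for _, p := range ports {
		fmt.Fprintf(&b, "PublishPort=%s\n", p)
	}
	for _, v := range volumes {
		fmt.Fprintf(&b, "Volume=%s\n", v)
	}
	for _, l := range PodmanArgs(sec) {
		b.WriteString(l + "\n")
	}
	b.WriteString("\n[Service]\nRestart=always\n")
	if tunnelUp != "" {
		fmt.Fprintf(&b, "ExecStartPost=%s\n", tunnelUp)
	}
	if tunnelDown != "" {
		fmt.Fprintf(&b, "ExecStopPost=%s\n", tunnelDown)
	}
	b.WriteString("\n[Install]\nWantedBy=default.target\n")
	return b.String()
}

// riskyCaps is a constructed review list: capabilities that let a compromised container
// reach well beyond its own namespace.
var riskyCaps = map[string]bool{"SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true, "SYS_RAWIO": true}

// AuditQuadlet scans a rendered quadlet and reports the PodmanArgs= lines that widen the
// container's access to the host, so they can be reviewed before the unit is deployed.
func AuditQuadlet(quadlet string) []string {
	var findings []string
	for _, raw := range strings.Split(quadlet, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "PodmanArgs=--privileged":
			findings = append(findings, "privileged: all capabilities and host devices")
		case strings.HasPrefix(line, "PodmanArgs=--cap-add="):
			c := strings.TrimPrefix(strings.TrimPrefix(line, "PodmanArgs=--cap-add="), "CAP_")
			if riskyCaps[c] {
				findings = append(findings, "capability "+c+" widens host access")
			}
		case strings.HasPrefix(line, "PodmanArgs=--security-opt="):
			o := strings.TrimPrefix(line, "PodmanArgs=--security-opt=")
			if o == "label=disable" || strings.HasSuffix(o, "=unconfined") {
				findings = append(findings, "security-opt "+o+" drops a confinement layer")
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample: a service that needs a TUN device and NET_ADMIN, served on the
	// tailnet. The tailscale serve/reset hook commands are assumed, not taken from ov.
	sec := SecuritySettings{CapAdd: []string{"NET_ADMIN"}, Devices: []string{"/dev/net/tun"}, SecurityOpt: []string{"label=disable"}}
	q := RenderQuadlet("app", "localhost/app:latest", []string{"8080:80"},
		[]string{"app-data:/data", "/srv/app/conf:/etc/app"}, sec,
		"tailscale serve --bg 8080", "tailscale serve reset")
	fmt.Print(q)
	for _, f := range AuditQuadlet(q) {
		fmt.Println("REVIEW:", f)
	}
}
```

Running it prints the generated unit followed by one REVIEW line for label=disable; NET_ADMIN is deliberately not on the constructed review list because tunnel-style services routinely need it, so adjust riskyCaps to the policy of the host you deploy to.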
When engine.build=docker, ov config detects whether the image is missing from podman and, if so, transfers it via docker save | podman load. ov update re-transfers it when needed.
Source: ov/quadlet.go (generation), ov/commands.go (command structs).
Expose services outside the container host via tunnels. Tunnel config lives exclusively in deploy.yml — it is NOT in image.yml or OCI image labels. ov config setup persists tunnel config automatically via saveDeployState.
Exposes a port to your Tailscale network only. No FQDN needed -- Tailscale handles TLS automatically. Any port works for tailnet-only serve.