container: rework bind mount directory permissions, move from volume syntax to mount syntax, add single file template volumes

roles/container/tasks/database.yml

@@ -8,6 +8,7 @@
       POSTGRES_PASSWORD: "{{ database_passwords[docker_service_name] }}"
     db_container_data: /var/lib/postgresql/data
   when: docker_database == 'postgres'
+
 - name: Set mariadb container vars
   set_fact:
     db_container_image: mariadb:10
@@ -20,11 +21,13 @@
     db_container_data: /var/lib/mysql
     db_image_port: 3306
   when: docker_database == 'mariadb'
+
 - name: Set mongo container vars
   set_fact:
     db_container_image: 'mongo:latest'
     db_container_data: /data/db
   when: docker_database == 'mongo'
+
 - name: Set db published ports var
   set_fact:
     db_published_ports: ["127.0.0.1:{{ ports[docker_service_name].db }}:{{ db_image_port }}"]

roles/container/tasks/main.yml

@@ -57,8 +57,7 @@
     name: "{{ docker_service_name }}"
     image: "{{ container_image.image.Id }}"
     user: "{{ docker_user | default(omit) }}"
-    pull: "{{ dockerfile is not defined }}"
+    mounts: "{{ docker_volume_definition }}"
-    volumes: "{{ docker_volume_definition }}"
     published_ports: "{{ container_published_ports + docker_published_ports }}"
     labels: "{{ traefik_labels | default(omit) }}"
     env: "{{ docker_env | combine(docker_additional_env) }}"
@@ -68,11 +67,3 @@
     networks: "{{ container_networks | default(omit) }}"
     log_driver: local
   register: container_out
-
-- name: "Reset bind mount directory permissions"
-  file:
-    path: "{{ docker_mounts_dir }}/{{ item.name }}"
-    state: directory
-    mode: 0750
-  when: "docker_volume_type == 'bind' and item.name is defined"
-  loop: "{{ final_docker_volumes }}"

roles/container/tasks/volumes.yml

@@ -1,7 +1,9 @@
 ---
 
-- name: Bind mounts
+- name: Create directories and put files in them
-  when: "docker_volume_type == 'bind'"
+  when:
+    - docker_volumes | length > 0
+    - (docker_volume_type == 'bind') or (docker_volumes | selectattr('template', 'defined') | list | length > 0)
   block:
     - name: Create directory /opt/{{ docker_service + '/' + docker_service_suffix }}
       file:
@@ -25,31 +27,48 @@
       file:
         path: "{{ docker_mounts_dir }}"
         state: directory
-        mode: 0755
+        owner: "{{ user.uid | default(omit) }}"
+        group: "{{ user.group | default(omit) }}"
+        mode: 0700
+    - name: Define mounts directory owner
+      set_fact:
+        mount_owner: "{{ user.uid if docker_host_user else image_user | default('') }}"
+        mount_group: "{{ user.group if docker_host_user else '' }}"
 
     - name: "Create docker bind mount directories for {{ docker_service_name }}"
       file:
         path: "{{ docker_mounts_dir }}/{{ item.name }}"
         state: directory
-        owner: "{{ user.uid if item.set_owner is not defined or item.set_owner else omit | default(omit) }}"
+        owner: "{{ mount_owner if (item.set_owner is not defined or item.set_owner) and mount_owner | length > 0 else omit }}"
-        group: "{{ user.group if item.set_group is not defined or item.set_group else omit | default(omit) }}"
+        group: "{{ mount_group if (item.set_group is not defined or item.set_group) and mount_group | length > 0 else omit }}"
-        mode: 0750
       when: item.name is defined
       loop: "{{ docker_volumes }}"
     - name: Set docker_volume_definition for named binds
       set_fact:
-        docker_volume_definition: "{{ docker_volume_definition + [docker_mounts_dir + '/' + item.name + ':' + item.path] }}"
+        docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_mounts_dir + '/' + item.name, 'target': item.path, 'type': 'bind'}] }}"
       when: item.name is defined
       loop: "{{ docker_volumes }}"
 
-- name: Set docker_volume_definition for src binds
+    - name: Template docker template mounts for {{ docker_service_name }}
-  set_fact:
+      template:
-    docker_volume_definition: "{{ docker_volume_definition + [item.src + ':' + item.path] }}"
+        src: "{{ item.template }}.j2"
-  when: item.src is defined
+        dest: "{{ docker_mounts_dir }}/{{ item.template }}"
-  loop: "{{ final_docker_volumes }}"
+      when: item.template is defined
+      loop: "{{ docker_volumes }}"
+    - name: Set docker_volume_definition for template mounts
+      set_fact:
+        docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_mounts_dir + '/' + item.template, 'target': item.path, 'read_only': true}] }}"
+      when: item.template is defined
+      loop: "{{ docker_volumes }}"
 
 - name: Set docker_volume_definition for named volumes
   set_fact:
-    docker_volume_definition: "{{ docker_volume_definition + [item.name + ':' + item.path] }}"
+    docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_service_name + '_' + item.name, 'target': item.path}] }}"
   when: docker_volume_type == 'named' and item.name is defined
   loop: "{{ final_docker_volumes }}"
+
+- name: Set docker_volume_definition for src binds
+  set_fact:
+    docker_volume_definition: "{{ docker_volume_definition + [{'source': item.src, 'target': item.path}] }}"
+  when: item.src is defined
+  loop: "{{ final_docker_volumes }}"