diff --git a/roles/matrix_authentication_service/templates/config.yaml.j2 b/roles/matrix_authentication_service/templates/config.yaml.j2 index e6490e6..0ebf64e 100644 --- a/roles/matrix_authentication_service/templates/config.yaml.j2 +++ b/roles/matrix_authentication_service/templates/config.yaml.j2 @@ -33,7 +33,7 @@ http: database: host: matrix-authentication-service-postgres username: matrix_authentication_service - password: "{{ _service_database_password }}" + password: "{{ service_podman_secrets['matrix-authentication-service-postgres'] }}" database: matrix_authentication_service secrets: diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml index d363f13..f81007e 100644 --- a/roles/service/meta/argument_specs.yaml +++ b/roles/service/meta/argument_specs.yaml @@ -122,9 +122,16 @@ argument_specs: default: {} service_database_type: - description: > - Database type to set up. It will be run in a docker container accessible to the service at host -{{ service_database_type }} on the - default port. The database user will be {{ service_name }} and password will be available as the _service_database_password variable. + description: + - Database type to set up. + - > + It will be run in a docker container accessible to the service at + host {{ service_name }}-{{ service_database_type }} on the default port. + - The database user will be {{ service_name }} + - The password will be accessible as secret at /run/secrets/{{ service_name }}-{{ service_database_type }} + - > + The password will also be available as the + service_podman_secrets['{{ service_name }}-{{ service_database_type }}'] variable. type: str required: false choices: diff --git a/roles/service/tasks/database.yaml b/roles/service/tasks/database.yaml index 4887c13..b1fc241 100644 --- a/roles/service/tasks/database.yaml +++ b/roles/service/tasks/database.yaml 
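Review bot: The new `password:` line hard-codes the secret name `matrix-authentication-service-postgres`, re-spelling the `{{ service_name }}-{{ service_database_type }}` convention this same commit centralises in `_service_database_name`, so a rename or a different `service_database_type` would only surface as an undefined-key failure when this template renders. If the service role's vars are still in scope where this template is rendered (not visible here), `password: "{{ service_podman_secrets[_service_database_name] }}"` keeps the two in step. The rendered config.yaml still carries the database password in plaintext on the host, so the task that writes it should keep a restrictive `mode` and run with `no_log: true` and `diff: false` so the value does not end up in Ansible output; that task is outside this diff, please confirm.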
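Review bot: The added bullet `The database user will be {{ service_name }}` does not match the MAS config changed in this same commit, which connects as `matrix_authentication_service` while its secret is named `matrix-authentication-service-postgres`, i.e. the service name with `-` replaced by `_`; if the role normalises the user that way, the description should say so, e.g. `The database user will be {{ service_name }} with '-' replaced by '_'.`. The `{{ ... }}` placeholders in argument_specs descriptions are presumably shown verbatim by ansible-doc rather than rendered, so plain `<service_name>` / `<service_database_type>` may read more clearly. Two of the new bullets (user and `/run/secrets/...` path) also lack the trailing period the others have.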
@@ -1,8 +1,4 @@ --- -- name: Include database variables - ansible.builtin.include_vars: - file: database.yaml - - name: Database container for {{ service_name }} ansible.builtin.import_role: name: container @@ -22,14 +18,3 @@ POSTGRES_PASSWORD_FILE: "/run/secrets/{{ _service_database_name }}" POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C" container_auto_update: "{{ service_auto_update }}" - -- name: Get database secret info - containers.podman.podman_secret_info: - name: "{{ _service_database_name }}" - showsecret: true - register: _service_database_secret - -- name: Set database-related variables - ansible.builtin.set_fact: - _service_database_password: "{{ _service_database_secret.secrets[0].SecretData }}" - _service_container_requires: "{{ _service_container_requires + [_service_database_name + '.service'] }}" diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml index bffb4c4..9dc818b 100644 --- a/roles/service/tasks/main.yaml +++ b/roles/service/tasks/main.yaml @@ -9,11 +9,11 @@ - name: Databse for {{ service_name }} ansible.builtin.include_tasks: database.yaml - when: "service_database_type != 'none'" + when: _service_setup_database - name: Secrets for {{ service_name }} ansible.builtin.include_tasks: secrets.yaml - when: service_container_secrets | length > 0 + when: _service_container_secrets | length > 0 - name: Mounts for {{ service_name }} ansible.builtin.include_tasks: mounts.yaml diff --git a/roles/service/vars/database.yaml b/roles/service/vars/database.yaml deleted file mode 100644 index f0375db..0000000 --- a/roles/service/vars/database.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -_service_database_name: "{{ service_name }}-{{ service_database_type }}" diff --git a/roles/service/vars/main.yaml b/roles/service/vars/main.yaml index b56bef3..2359025 100644 --- a/roles/service/vars/main.yaml +++ b/roles/service/vars/main.yaml 
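Review bot: The removed `set_fact` also appended `_service_database_name + '.service'` to `_service_container_requires`, and nothing in this diff re-adds it; unless that happens in a part of roles/service/vars/main.yaml outside the shown hunks, the service's unit will no longer `Requires=` its database unit and can be started before Postgres is up. Folding it into vars the same way the `_service_container_wants` context line does, i.e. appending `([_service_database_name + '.service'] if _service_setup_database else [])`, would restore the dependency. Dropping `podman_secret_info` with `showsecret: true` is a good change, since the password no longer passes through a registered result that can be printed in verbose runs; whatever now populates `service_podman_secrets` should keep the same `no_log` discipline.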
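Review bot: With `when: _service_container_secrets | length > 0` the secrets tasks now run whenever a database is configured, but `database.yaml` is still included first and its Postgres container references `/run/secrets/{{ _service_database_name }}` via `POSTGRES_PASSWORD_FILE`; if secrets.yaml is what creates that podman secret (not visible here), the first run creates the database container before its secret exists. Moving the `Secrets for` include above the `Databse for` include, or creating the database secret inside database.yaml, removes that ordering dependency. Separately, `POSTGRES_PASSWORD_FILE` is only honoured at initdb, so regenerating that secret on a later run would leave the database password out of sync with the value the service reads from `service_podman_secrets`; worth a comment wherever the secret is generated. The pre-existing task-name typo `Databse` is also worth fixing while this line is being touched.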
@@ -2,6 +2,9 @@ _service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') | list }}" _service_host_directory: "/srv/{{ service_name }}" +_service_setup_database: "{{ service_database_type != 'none' }}" +_service_database_name: "{{ service_name }}-{{ service_database_type }}" + _service_container_secrets: > {{ service_container_secrets @@ -11,6 +14,7 @@ _service_container_secrets: > | map('community.general.dict_kv', 'name') ) | map('combine') + + ([{'name': _service_database_name }] if _service_setup_database else []) }} _service_container_wants: "{{ service_wants + ([service_name + '-socat.socket'] if service_domains | length > 0 else []) }}"
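Review bot: The added `([{'name': _service_database_name }] if _service_setup_database else [])` appends the database secret with only a `name` key, so it relies on whatever defaults the rest of this pipeline and secrets.yaml apply to user-supplied entries; the start of `_service_container_secrets` lies above this hunk, so the entry shape is not visible here, and a one-line comment such as `# database password secret: name only, presumably generated like the user-supplied ones` would make that intent explicit. It also does not de-duplicate against an entry a caller may already list under the same name in `service_container_secrets`, which would manage one podman secret twice; a trailing `| unique(attribute='name')` on the concatenation guards that. The `if _service_setup_database` test depends on the rendered `True`/`False` text of that variable being coerced back to a boolean; `if service_database_type != 'none'` is equivalent and avoids the dependency.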