uumas/ansible-podman
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

service: Better use podman secrets for database passwords

Browse Source
This commit is contained in:
uumas
2025-04-04 22:15:06 +03:00
parent 68b3dcb49c
commit 7b46279c63
6 changed files with 17 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
roles/matrix_authentication_service/templates/config.yaml.j2
View File

@@ -33,7 +33,7 @@ http:
database: database:
host: matrix-authentication-service-postgres host: matrix-authentication-service-postgres
username: matrix_authentication_service username: matrix_authentication_service
password: "{{ _service_database_password }}" password: "{{ service_podman_secrets['matrix-authentication-service-postgres'] }}"
database: matrix_authentication_service database: matrix_authentication_service
secrets: secrets:

13
roles/service/meta/argument_specs.yaml
View File

@@ -122,9 +122,16 @@ argument_specs:
default: {} default: {}
service_database_type: service_database_type:
description: > description:
Database type to set up. It will be run in a docker container accessible to the service at host <service name>-{{ service_database_type }} on the - Database type to set up.
default port. The database user will be {{ service_name }} and password will be available as the _service_database_password variable. - >
It will be run in a docker container accessible to the service at
host {{ service_name }}-{{ service_database_type }} on the default port.
- The database user will be {{ service_name }}
- The password will be accessible as secret at /run/secrets/{{ service_name }}-{{ service_database_type }}
- >
The password will also be available as the
service_podman_secrets['{{ service_name }}-{{ service_database_type }}'] variable.
type: str type: str
required: false required: false
choices: choices:

15
roles/service/tasks/database.yaml
View File

@@ -1,8 +1,4 @@
--- ---
- name: Include database variables
ansible.builtin.include_vars:
file: database.yaml
- name: Database container for {{ service_name }} - name: Database container for {{ service_name }}
ansible.builtin.import_role: ansible.builtin.import_role:
name: container name: container
@@ -22,14 +18,3 @@
POSTGRES_PASSWORD_FILE: "/run/secrets/{{ _service_database_name }}" POSTGRES_PASSWORD_FILE: "/run/secrets/{{ _service_database_name }}"
POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C" POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
container_auto_update: "{{ service_auto_update }}" container_auto_update: "{{ service_auto_update }}"
- name: Get database secret info
containers.podman.podman_secret_info:
name: "{{ _service_database_name }}"
showsecret: true
register: _service_database_secret
- name: Set database-related variables
ansible.builtin.set_fact:
_service_database_password: "{{ _service_database_secret.secrets[0].SecretData }}"
_service_container_requires: "{{ _service_container_requires + [_service_database_name + '.service'] }}"

4
roles/service/tasks/main.yaml
View File

@@ -9,11 +9,11 @@
- name: Databse for {{ service_name }} - name: Databse for {{ service_name }}
ansible.builtin.include_tasks: database.yaml ansible.builtin.include_tasks: database.yaml
when: "service_database_type != 'none'" when: _service_setup_database
- name: Secrets for {{ service_name }} - name: Secrets for {{ service_name }}
ansible.builtin.include_tasks: secrets.yaml ansible.builtin.include_tasks: secrets.yaml
when: service_container_secrets | length > 0 when: _service_container_secrets | length > 0
- name: Mounts for {{ service_name }} - name: Mounts for {{ service_name }}
ansible.builtin.include_tasks: mounts.yaml ansible.builtin.include_tasks: mounts.yaml

2
roles/service/vars/database.yaml
View File

@@ -1,2 +0,0 @@
---
_service_database_name: "{{ service_name }}-{{ service_database_type }}"

4
roles/service/vars/main.yaml
View File

@@ -2,6 +2,9 @@
_service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') | list }}" _service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') | list }}"
_service_host_directory: "/srv/{{ service_name }}" _service_host_directory: "/srv/{{ service_name }}"
_service_setup_database: "{{ service_database_type != 'none' }}"
_service_database_name: "{{ service_name }}-{{ service_database_type }}"
_service_container_secrets: > _service_container_secrets: >
{{ {{
service_container_secrets service_container_secrets
@@ -11,6 +14,7 @@ _service_container_secrets: >
| map('community.general.dict_kv', 'name') | map('community.general.dict_kv', 'name')
) )
| map('combine') | map('combine')
+ ([{'name': _service_database_name }] if _service_setup_database else [])
}} }}
_service_container_wants: "{{ service_wants + ([service_name + '-socat.socket'] if service_domains | length > 0 else []) }}" _service_container_wants: "{{ service_wants + ([service_name + '-socat.socket'] if service_domains | length > 0 else []) }}"