diff --git a/roles/container/defaults/main.yaml b/roles/container/defaults/main.yaml
index 6c97b9f..574985f 100644
--- a/roles/container/defaults/main.yaml
+++ b/roles/container/defaults/main.yaml
@@ -7,7 +7,6 @@ container_devices: []
container_publish_ports: []
container_networks: []
container_hostname: ""
-container_ip: ""
container_secrets: []
container_env: {}
container_auto_start: true
diff --git a/roles/container/meta/argument_specs.yaml b/roles/container/meta/argument_specs.yaml
index ca6c4b8..b6a3cac 100644
--- a/roles/container/meta/argument_specs.yaml
+++ b/roles/container/meta/argument_specs.yaml
@@ -118,17 +118,22 @@ argument_specs:
type: list
required: false
default: []
- elements: str
+ elements: dict
+ options:
+ name:
+ description: Network name
+ type: str
+ required: true
+ ip:
+ description: Container IPv4 address in the network
+ type: str
+ required: false
+ default: ""
container_hostname:
description: Hostname to set inside the container. Available to other containers on the same network.
type: str
required: false
default: ""
- container_ip:
- description: IPv4 address for the container in the first network defined in container_networks
- type: str
- required: false
- default: ""
container_secrets:
description: A list of secrets available to the container as file or environment variable
diff --git a/roles/container/tasks/main.yaml b/roles/container/tasks/main.yaml
index 1eda5b7..da3e0e2 100644
--- a/roles/container/tasks/main.yaml
+++ b/roles/container/tasks/main.yaml
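Review bot: The description of the new `ip` option (`Container IPv4 address in the network`) leaves out the consequence a caller needs to know: in `roles/container/vars/main/network.yaml` this address is what the network's /24 subnet and the /25 allocation range are derived from, and the `when` guard in `roles/container/tasks/main.yaml` suggests those values are only applied by the first container that creates the network. Whoever sets this value therefore fixes the subnet for every later member of that network, which the spec should say; suggested: `description: Static IPv4 address of the container in this network. When set, the network's /24 subnet and its allocation range are derived from it when the network is first created.` The option also only declares `type: str`, so a value that is not an IPv4 address passes argument validation and fails later inside the `ansible.utils.ipsubnet` filter; that limitation is worth stating in the description until a stricter check exists.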
@@ -13,14 +13,13 @@
ansible.builtin.include_role:
name: network
vars:
- network_name: "{{ network }}"
- network_subnet: "{{ _container_network_subnet if network_index == 0 else '' }}"
- network_range: "{{ _container_network_range if network_index == 0 else '' }}"
- when: network_created_networks is not defined or network not in network_created_networks
+ network_name: "{{ network.name }}"
+ network_subnet: "{{ _container_network_subnet }}"
+ network_range: "{{ _container_network_range }}"
+ when: network_created_networks is not defined or network.name not in network_created_networks
loop: "{{ container_networks }}"
loop_control:
loop_var: network
- index_var: network_index
- name: Create volumes for container {{ container_name }}
ansible.builtin.include_role:
@@ -49,7 +48,7 @@
user: "{{ container_user or omit }}"
mount: "{{ _container_mounts | map('items') | map('map', 'join', '=') | map('join', ',') }}"
device: "{{ _container_devices }}"
- network: "{{ _container_networks_with_ip }}"
+ network: "{{ _container_networks }}"
hostname: "{{ container_hostname or omit }}"
publish: "{{ container_publish_ports }}"
secrets: "{{ _container_secrets }}"
diff --git a/roles/container/vars/main.yaml b/roles/container/vars/main/general.yaml
similarity index 77%
rename from roles/container/vars/main.yaml
rename to roles/container/vars/main/general.yaml
index 2422682..4313c76 100644
--- a/roles/container/vars/main.yaml
+++ b/roles/container/vars/main/general.yaml
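Review bot: `network_subnet` and `network_range` are now passed for every network in the loop instead of only the first, while the `when` guard still skips the include once `network.name` is in `network_created_networks`; so whichever container first reaches a network fixes its subnet from that container's `network.ip`, and a later container listing the same network with an address in a different /24 is handed to the existing network without any check here (unless the network role re-validates, which this hunk does not show). That coupling deserves a comment above `vars:`, e.g. `# subnet/range are derived from this container's network.ip (vars/main/network.yaml) and only take effect for the container that creates the network`. `_container_network_subnet` and `_container_network_range` read the loop variable `network`, so they are only renderable inside this loop; a second line of that comment should say so. The task this hunk belongs to starts before the hunk.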
@@ -1,33 +1,6 @@
---
_container_image: "{{ container_image | replace('/', '_') ~ '.image' }}"
-_container_networks: "{{ container_networks | map('regex_replace', '$', '.network') }}"
-_container_networks_with_ip: >-
- {{
- [
- _container_networks[0] ~ (
- ':ip=' ~ container_ip if container_ip | length > 0 else ''
- )
- ]
- + _container_networks[1:]
- }}
-_container_network_subnet: >-
- {{ container_ip | ansible.utils.ipsubnet(24) if container_ip | length > 0 else '' }}
-_container_network_subnet_ranges: >-
- {{
- [
- _container_network_subnet | ansible.utils.ipsubnet(25, 0),
- _container_network_subnet | ansible.utils.ipsubnet(25, 1)
- ] if container_ip | length > 0 else ''
- }}
-_container_network_range: >-
- {{
- _container_network_subnet_ranges |
- reject('ansible.utils.supernet_of', container_ip) |
- first
- if container_ip | length > 0 else ''
- }}
-
_container_volumes: "{{ container_mounts | selectattr('type', '==', 'volume') }}"
_container_mount_sources: "{{ container_mounts | map(attribute='source') }}"
diff --git a/roles/container/vars/main/network.yaml b/roles/container/vars/main/network.yaml
new file mode 100644
index 0000000..b74a97e
--- /dev/null
+++ b/roles/container/vars/main/network.yaml
@@ -0,0 +1,27 @@
+---
+_container_networks: >-
+ {{
+ container_networks
+ | map(attribute='name')
+ | map('regex_replace', '$', '.network')
+ | zip(container_networks | map(attribute='ip', default=''))
+ | map('reject', 'equalto', '')
+ | map('join', ':ip=')
+ }}
+
+_container_network_subnet: >-
+ {{ network.ip | ansible.utils.ipsubnet(24) if network.ip | default('') | length > 0 else '' }}
+_container_network_subnet_ranges: >-
+ {{
+ [
+ _container_network_subnet | ansible.utils.ipsubnet(25, 0),
+ _container_network_subnet | ansible.utils.ipsubnet(25, 1)
+ ] if network.ip | default('') | length > 0 else []
+ }}
+_container_network_range: >-
+ {{
+ _container_network_subnet_ranges |
+ reject('ansible.utils.supernet_of', network.ip) |
+ first
+ if network.ip | default('') | length > 0 else ''
+ }}
diff --git a/roles/service/tasks/additional.yaml b/roles/service/tasks/additional.yaml
index 25e1866..0e57f9a 100644
--- a/roles/service/tasks/additional.yaml
+++ b/roles/service/tasks/additional.yaml
@@ -12,7 +12,6 @@
container_devices: "{{ _service_additional_container.devices | default(service_container_devices) }}"
container_publish_ports: "{{ _service_additional_container_publish_ports }}"
container_networks: "{{ _service_additional_container_networks }}"
- container_ip: "{{ _service_additional_container_ip }}"
container_hostname: "{{ _service_additional_container.name | regex_replace('^' ~ service_name ~ '-', '') }}"
container_secrets: "{{ _service_additional_container_secrets }}"
container_env: "{{ _service_additional_container.env | default(service_container_env) }}"
diff --git a/roles/service/tasks/database.yaml b/roles/service/tasks/database.yaml
index 1ab6488..37b6b81 100644
--- a/roles/service/tasks/database.yaml
+++ b/roles/service/tasks/database.yaml
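Review bot: `_container_network_subnet`, `_container_network_subnet_ranges` and `_container_network_range` read `network.ip`, where `network` is not a role variable but the `loop_var` of the network-creation loop in `roles/container/tasks/main.yaml`; rendering any of them outside that loop fails on an undefined variable, and nothing in this new file says so. Suggest a header comment right after `---`, e.g. `# network.* below is the loop variable of the network-creation loop in tasks/main.yaml; these vars are only valid inside it`. The only guard on `network.ip` is `| default('') | length > 0`, so any non-empty value goes straight into `ansible.utils.ipsubnet` and `ansible.utils.supernet_of`, and a malformed address is reported as a filter failure rather than as bad input; if the role is meant to accept arbitrary caller data, an `ansible.utils.ipv4` test before these vars are rendered would give a clearer failure. `_container_network_range` keeps the /25 that does not contain `network.ip`, presumably so the static address stays outside whatever the network role hands to dynamic allocation; that intent is worth a one-line comment above it.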
@@ -15,8 +15,6 @@
destination: "{{ _service_database_mount_destination }}"
container_networks: "{{ _service_database_networks }}"
container_hostname: "{{ service_database_type }}"
- container_ip: >-
- {{ service_container_ip | ansible.utils.ipmath(1) if _service_static_ip else '' }}
container_secrets: "{{ _service_database_secrets }}"
container_env: "{{ _service_database_env }}"
container_auto_update: "{{ service_auto_update }}"
diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml
index 8166656..7d19cdb 100644
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
@@ -44,7 +44,6 @@
container_devices: "{{ service_container_devices }}"
container_publish_ports: "{{ _service_container_publish_ports }}"
container_networks: "{{ _service_container_networks }}"
- container_ip: "{{ service_container_ip }}"
container_secrets: "{{ _service_container_secrets }}"
container_env: "{{ service_container_env }}"
container_add_capabilities: "{{ service_container_add_capabilities }}"
@@ -60,7 +59,7 @@
socat_service_name: "{{ service_name }}"
socat_target_http_port: "{{ service_container_http_port }}"
socat_container_ip: >-
- {{ service_container_ip | ansible.utils.ipmath(3) if _service_static_ip else '' }}
+ {{ service_container_ip | ansible.utils.ipmath(257) if _service_static_ip else '' }}
socat_auto_update: "{{ service_auto_update }}"
- name: Socat for socket published ports of {{ service_name }}
diff --git a/roles/service/tasks/oauth2_proxy.yaml b/roles/service/tasks/oauth2_proxy.yaml
index 2d114b7..3590f16 100644
--- a/roles/service/tasks/oauth2_proxy.yaml
+++ b/roles/service/tasks/oauth2_proxy.yaml
@@ -11,7 +11,7 @@
- --cookie-secret-file
- /run/secrets/cookie-secret
container_networks:
- "{{ service_name }}-oauth2-proxy"
+ - name: "{{ service_name }}-oauth2-proxy"
container_secrets:
- name: "{{ service_name }}-oauth2-proxy-cookie-secret"
length: 32
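Review bot: The new offset `ansible.utils.ipmath(257)` in the socat hunk of `roles/service/tasks/main.yaml` only makes sense together with the `ipmath(256)` entry this commit adds for the `-socat` network in `roles/service/vars/main/general.yaml`: the socat network's subnet is derived from the +256 address, and +257 has to fall in that same /24, yet both numbers stand bare in two different files. Suggest a comment on the changed line, `# +257: next to the service's own -socat address (+256, see vars/main/general.yaml); must stay in that /24`, and the matching remark beside the 256. Neither offset, nor the +1, +2 and +20+index used for the database, redis and additional containers, is checked against the /24 boundary, so a `service_container_ip` with a high last octet crosses into the next /24 or into the /25 that `roles/container/vars/main/network.yaml` reserves for allocation; `_service_static_ip` only tests that the address is non-empty and does not catch this.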
diff --git a/roles/service/tasks/redis.yaml b/roles/service/tasks/redis.yaml
index 5aa63b4..f5e456d 100644
--- a/roles/service/tasks/redis.yaml
+++ b/roles/service/tasks/redis.yaml
@@ -6,8 +6,7 @@
container_name: "{{ service_name }}-redis"
container_image: docker.io/valkey/valkey:alpine
container_networks:
- - "{{ service_name }}"
+ - name: "{{ service_name }}"
+ ip: "{{ service_container_ip | ansible.utils.ipmath(2) if _service_static_ip else '' }}"
container_hostname: redis
- container_ip: >-
- {{ service_container_ip | ansible.utils.ipmath(2) if _service_static_ip else '' }}
container_auto_update: "{{ service_auto_update }}"
diff --git a/roles/service/vars/main/additional.yaml b/roles/service/vars/main/additional.yaml
index da7db42..ac85d34 100644
--- a/roles/service/vars/main/additional.yaml
+++ b/roles/service/vars/main/additional.yaml
@@ -22,14 +22,21 @@ _service_additional_container_wants: >-
_service_additional_container_networks: >-
{{
- [service_name]
- + service_container_additional_networks
+ [{
+ 'name': service_name,
+ 'ip':
+ service_container_ip | ansible.utils.ipmath(20 + _service_additional_container_index)
+ if _service_static_ip else ''
+ }]
+ (
- _service_additional_container_publish_socket_ports
- | map(attribute='name')
- | map('regex_replace', '^', service_name ~ '-')
- | map('regex_replace', '$', '-socat')
- )
+ service_container_additional_networks
+ + (
+ _service_additional_container_publish_socket_ports
+ | map(attribute='name')
+ | map('regex_replace', '^', service_name ~ '-')
+ | map('regex_replace', '$', '-socat')
+ )
+ )
| map('community.general.dict_kv', 'name')
}}
_service_additional_container_secrets: >-
@@ -50,13 +57,6 @@ _service_additional_container_secrets: >-
else _service_container_secrets
}}
-_service_additional_container_ip: >-
- {{
- service_container_ip |
- ansible.utils.ipmath(20 + _service_additional_container_index)
- if _service_static_ip else ''
- }}
-
_service_additional_container_publish_ports_with_defaults: >-
{{
([{ 'type': 'port', 'host_address': '0.0.0.0' }] * _service_additional_container.publish_ports | length)
diff --git a/roles/service/vars/main/database.yaml b/roles/service/vars/main/database.yaml
index 7271524..08b893b 100644
--- a/roles/service/vars/main/database.yaml
+++ b/roles/service/vars/main/database.yaml
@@ -3,8 +3,11 @@ _service_setup_database: "{{ service_database_type != 'none' }}"
_service_database_name: "{{ service_name }}-{{ service_database_type }}"
_service_database_networks: >-
{{
- [service_name] +
- service_database_additional_networks
+ [{
+ 'name': service_name,
+ 'ip': service_container_ip | ansible.utils.ipmath(1) if _service_static_ip else ''
+ }]
+ + service_database_additional_networks
| map('community.general.dict_kv', 'name')
}}
_service_database_secret:
diff --git a/roles/service/vars/main/general.yaml b/roles/service/vars/main/general.yaml
index c923134..ce46881 100644
--- a/roles/service/vars/main/general.yaml
+++ b/roles/service/vars/main/general.yaml
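Review bot: In the `roles/service/vars/main/database.yaml` hunk, `+ service_database_additional_networks` followed by the unchanged `| map('community.general.dict_kv', 'name')` relies on the filter binding tighter than `+`, which is what keeps the leading dict literal out of `dict_kv`; the correctness of the new expression hangs on that precedence without any visual cue. The sibling rewrites in `roles/service/vars/main/additional.yaml` and `roles/service/vars/main/general.yaml` in this commit make the same grouping explicit with parentheses, and this file should match them: `+ (service_database_additional_networks | map('community.general.dict_kv', 'name'))` in place of the two lines.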
@@ -1,10 +1,20 @@
---
_service_container_networks: >-
{{
- [service_name]
- + service_container_additional_networks
- + ([service_name ~ '-socat'] if service_container_http_port > 0 else [])
- + (_service_container_publish_socket_ports | map(attribute='name') | map('regex_replace', '^', service_name ~ '-'))
+ [{
+ 'name': service_name,
+ 'ip': service_container_ip
+ }]
+ + (
+ [{
+ 'name': service_name ~ '-socat',
+ 'ip': service_container_ip | ansible.utils.ipmath(256) if _service_static_ip else ''
+ }] if service_container_http_port > 0 else []
+ )
+ + (
+ service_container_additional_networks
+ + (_service_container_publish_socket_ports | map(attribute='name') | map('regex_replace', '^', service_name ~ '-'))
+ )
| map('community.general.dict_kv', 'name')
}}
_service_static_ip: "{{ service_container_ip | length > 0 }}"
diff --git a/roles/socat/tasks/main.yaml b/roles/socat/tasks/main.yaml
index 9f509e5..718e5f2 100644
--- a/roles/socat/tasks/main.yaml
+++ b/roles/socat/tasks/main.yaml
@@ -18,8 +18,8 @@
- "TCP:{{ socat_target_container }}:{{ socat_target_http_port }}"
container_user: nobody
container_networks:
- "{{ socat_service_name }}-socat"
- container_ip: "{{ socat_container_ip }}"
+ - name: "{{ socat_service_name }}-socat"
+ ip: "{{ socat_container_ip }}"
container_requires:
- "{{ socat_service_name }}-socat.socket"
- "{{ socat_target_container }}.service"