Compare commits


7 Commits

uumas
5a154d3f17 Move service_container_requires from set_fact to vars 2025-04-04 22:16:51 +03:00
uumas
3b354ef3b8 service: reformat postgres_tag description in argspec 2025-04-04 22:16:21 +03:00
uumas
7b46279c63 service: Better use podman secrets for database passwords 2025-04-04 22:16:08 +03:00
uumas
68b3dcb49c service: rename secrets return variable 2025-04-04 22:13:07 +03:00
uumas
9bb2b24948 Make randomly generated secret length configurable 2025-04-04 21:21:42 +03:00
uumas
335656a166 Use import_role where possible 2025-04-04 21:20:21 +03:00
uumas
4c44845a8b galaxy.yaml -> galaxy.yml 2025-03-31 03:16:12 +03:00
14 changed files with 46 additions and 41 deletions


@@ -93,6 +93,11 @@ argument_specs:
- If the value is not explicitly set, it will not be changed if the secret already exists. - If the value is not explicitly set, it will not be changed if the secret already exists.
type: str type: str
required: false required: false
length:
description: Length of randomly generated string
type: int
required: false
defalut: 128
container_env: container_env:
description: A dict of environment variables for the container description: A dict of environment variables for the container
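Review bot: `defalut: 128` on the new `length` entry of the `container_secrets` spec is misspelled, so the declared default is never applied by argument_spec validation and the key may be rejected as unsupported depending on the Ansible version; change it to `default: 128`, which is how the parallel `length` entry in the service role's spec in this same change spells it. The spec also sets no lower bound on `length`, and the task that consumes it passes the value straight to the random_string lookup, so a sentence in the description naming the minimum acceptable length (or a validation step before the loop) would help.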


@@ -2,7 +2,7 @@
- name: Create secrets for container {{ container_name }} - name: Create secrets for container {{ container_name }}
containers.podman.podman_secret: containers.podman.podman_secret:
name: "{{ item.name }}" name: "{{ item.name }}"
data: "{{ item.value | default(lookup('community.general.random_string', special=false, length=128)) }}" data: "{{ item.value | default(lookup('community.general.random_string', special=false, length=item.length | default(128))) }}"
skip_existing: "{{ item.value is not defined }}" skip_existing: "{{ item.value is not defined }}"
no_log: true no_log: true
loop: "{{ container_secrets }}" loop: "{{ container_secrets }}"
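Review bot: `item.length` reaches the `random_string` lookup unchecked on the `data:` line, so a mistyped `length: 0` in inventory silently creates an empty secret for an autogenerated value, and `no_log: true` means nothing in the output would reveal it. An `ansible.builtin.assert` looped over `container_secrets` before this task, with `that: item.length | default(128) > 0`, would fail early with a clear message. The `data:` line is also well past 120 columns; a `>-` block scalar would keep the lookup and its default readable.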


@@ -1,6 +1,6 @@
--- ---
- name: Hello world container - name: Hello world container
ansible.builtin.include_role: ansible.builtin.import_role:
name: service name: service
vars: vars:
service_name: hello-world service_name: hello-world


@@ -33,7 +33,7 @@ http:
database: database:
host: matrix-authentication-service-postgres host: matrix-authentication-service-postgres
username: matrix_authentication_service username: matrix_authentication_service
password: "{{ _service_database_password }}" password: "{{ service_podman_secrets['matrix-authentication-service-postgres'] }}"
database: matrix_authentication_service database: matrix_authentication_service
secrets: secrets:
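Review bot: The new `password:` line renders the database password into the configuration file on the host rather than pointing the service at the `/run/secrets/` file that this same change documents as the primary location, and the `service_container_secrets` description in this change says the `service_podman_secrets` dict should only be used when the container cannot read the secret from file. If MAS can take the password from a file or an env-var file reference, prefer that; otherwise the mode and ownership of the rendered template under the host directory need to be restrictive, which this hunk cannot show. The synapse homeserver template in this change (`password: "{{ service_podman_secrets['synapse-postgres'] }}"`) has the same consideration.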


@@ -93,7 +93,7 @@ argument_specs:
description: description:
- A list of secrets available to the service container in /run/secrets/<service name>-<secret name> - A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
- > - >
A dict of secrets and their values (including autogenerated values) is available as `_service_podman_secrets` for use A dict of secrets and their values (including autogenerated values) is available as `service_podman_secrets` for use
in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file
type: list type: list
required: false required: false
@@ -110,6 +110,11 @@ argument_specs:
- If the value is not explicitly set, it will not be changed if the secret already exists. - If the value is not explicitly set, it will not be changed if the secret already exists.
type: str type: str
required: false required: false
length:
description: Length of randomly generated string
type: int
required: false
default: 128
service_container_env: service_container_env:
description: A dict of environment variables for the service container(s) description: A dict of environment variables for the service container(s)
type: dict type: dict
@@ -117,9 +122,16 @@ argument_specs:
default: {} default: {}
service_database_type: service_database_type:
description: > description:
Database type to set up. It will be run in a docker container accessible to the service at host <service name>-{{ service_database_type }} on the - Database type to set up.
default port. The database user will be {{ service_name }} and password will be available as the _service_database_password variable. - >
It will be run in a docker container accessible to the service at
host {{ service_name }}-{{ service_database_type }} on the default port.
- The database user will be {{ service_name }}
- The password will be accessible as secret at /run/secrets/{{ service_name }}-{{ service_database_type }}
- >
The password will also be available as the
service_podman_secrets['{{ service_name }}-{{ service_database_type }}'] variable.
type: str type: str
required: false required: false
choices: choices:
@@ -127,9 +139,10 @@ argument_specs:
- none - none
default: none default: none
service_postgres_tag: service_postgres_tag:
description: > description:
Postgresql version to use. Can be debian (n) or alpine-based (n-alpine), where n can be major version like 14 or minor like 14.13. - Postgresql version to use.
Required if service_database_type is postgres. - Can be debian (n) or alpine-based (n-alpine), where n can be major version like 14 or minor like 14.13.
- Required if service_database_type is postgres, does nothing otherwise
type: str type: str
required: false required: false
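Review bot: The re-worded `service_container_secrets` description still carries the typo `tepmlates` on the second line of its folded scalar (`in tepmlates or environment variables`), now attached to the renamed `service_podman_secrets` variable; change it to `templates`. The new `service_database_type` description advertises both the secret file and the `service_podman_secrets[...]` variable for the password without the caveat given a few lines earlier that the dict should only be used when the container cannot read the secret from file; adding that to the last list item, e.g. `- Prefer the secret file; use the variable only if the container cannot read the password from a file`, keeps the two descriptions consistent.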


@@ -1,10 +1,6 @@
--- ---
- name: Include database variables
ansible.builtin.include_vars:
file: database.yaml
- name: Database container for {{ service_name }} - name: Database container for {{ service_name }}
ansible.builtin.include_role: ansible.builtin.import_role:
name: container name: container
vars: vars:
container_name: "{{ service_name }}-{{ service_database_type }}" # This doesn't use _service_database_name to allow container role handlers to work container_name: "{{ service_name }}-{{ service_database_type }}" # This doesn't use _service_database_name to allow container role handlers to work
@@ -22,14 +18,3 @@
POSTGRES_PASSWORD_FILE: "/run/secrets/{{ _service_database_name }}" POSTGRES_PASSWORD_FILE: "/run/secrets/{{ _service_database_name }}"
POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C" POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
container_auto_update: "{{ service_auto_update }}" container_auto_update: "{{ service_auto_update }}"
- name: Get database secret info
containers.podman.podman_secret_info:
name: "{{ _service_database_name }}"
showsecret: true
register: _service_database_secret
- name: Set database-related variables
ansible.builtin.set_fact:
_service_database_password: "{{ _service_database_secret.secrets[0].SecretData }}"
_service_container_requires: "{{ _service_container_requires + [_service_database_name + '.service'] }}"


@@ -5,15 +5,14 @@
- name: Initialize variables - name: Initialize variables
ansible.builtin.set_fact: ansible.builtin.set_fact:
_service_container_mounts: [] _service_container_mounts: []
_service_container_requires: "{{ service_requires }}"
- name: Databse for {{ service_name }} - name: Databse for {{ service_name }}
ansible.builtin.include_tasks: database.yaml ansible.builtin.include_tasks: database.yaml
when: "service_database_type != 'none'" when: _service_setup_database
- name: Secrets for {{ service_name }} - name: Secrets for {{ service_name }}
ansible.builtin.include_tasks: secrets.yaml ansible.builtin.include_tasks: secrets.yaml
when: service_container_secrets | length > 0 when: _service_container_secrets | length > 0
- name: Mounts for {{ service_name }} - name: Mounts for {{ service_name }}
ansible.builtin.include_tasks: mounts.yaml ansible.builtin.include_tasks: mounts.yaml
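Review bot: The task whose `when:` this hunk rewrites is still named `Databse for {{ service_name }}`; since that name is what a user sees whenever database setup runs, change it to `Database for {{ service_name }}`. The rest of the hunk (moving `_service_container_requires` out of `set_fact` and switching to the `_service_setup_database` and `_service_container_secrets` role vars) depends on the companion vars/main.yaml change in this same compare, which is present, so nothing else to raise here.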


@@ -7,7 +7,7 @@
notify: Restart socat socket for {{ service_name }} notify: Restart socat socket for {{ service_name }}
- name: Socat container for {{ service_name }} - name: Socat container for {{ service_name }}
ansible.builtin.include_role: ansible.builtin.import_role:
name: container name: container
vars: vars:
container_name: "{{ service_name }}-socat" container_name: "{{ service_name }}-socat"


@@ -1,6 +1,6 @@
--- ---
- name: Create secrets - name: Create secrets
ansible.builtin.include_role: ansible.builtin.import_role:
name: container name: container
tasks_from: secrets.yaml tasks_from: secrets.yaml
rolespec_validate: false # FIXME make proper validation possible rolespec_validate: false # FIXME make proper validation possible
@@ -16,7 +16,7 @@
- name: Store secrets in a variable for later - name: Store secrets in a variable for later
ansible.builtin.set_fact: ansible.builtin.set_fact:
_service_podman_secrets: > service_podman_secrets: >
{{ _service_podman_secret_info.secrets {{ _service_podman_secret_info.secrets
| map(attribute='Spec.Name') | map(attribute='Spec.Name')
| zip(_service_podman_secret_info.secrets | map(attribute='SecretData')) | zip(_service_podman_secret_info.secrets | map(attribute='SecretData'))
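Review bot: The `set_fact` that stores every secret's `SecretData` in `service_podman_secrets` runs without `no_log: true` as far as this hunk shows; a verbose run prints the `ansible_facts` result of set_fact, which would echo all secret values to the console and any log. Add `no_log: true` to the `Store secrets in a variable for later` task (it continues past the hunk, so it may already be there further down, worth checking), and the same applies to the task that registers `_service_podman_secret_info`, which is outside this hunk. Dropping the leading underscore makes the fact part of the role's public surface, but it is still a host fact that each subsequent import of the `service` role in the same play overwrites, so a caller reading it after a second service import gets the later service's secrets; a sentence noting that in the argspec description would prevent surprises.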


@@ -1,2 +0,0 @@
---
_service_database_name: "{{ service_name }}-{{ service_database_type }}"


@@ -2,6 +2,9 @@
_service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') | list }}" _service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') | list }}"
_service_host_directory: "/srv/{{ service_name }}" _service_host_directory: "/srv/{{ service_name }}"
_service_setup_database: "{{ service_database_type != 'none' }}"
_service_database_name: "{{ service_name }}-{{ service_database_type }}"
_service_container_secrets: > _service_container_secrets: >
{{ {{
service_container_secrets service_container_secrets
@@ -11,6 +14,8 @@ _service_container_secrets: >
| map('community.general.dict_kv', 'name') | map('community.general.dict_kv', 'name')
) )
| map('combine') | map('combine')
+ ([{'name': _service_database_name }] if _service_setup_database else [])
}} }}
_service_container_requires: "{{ service_requires + ([_service_database_name + '.service'] if _service_setup_database else []) }}"
_service_container_wants: "{{ service_wants + ([service_name + '-socat.socket'] if service_domains | length > 0 else []) }}" _service_container_wants: "{{ service_wants + ([service_name + '-socat.socket'] if service_domains | length > 0 else []) }}"
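Review bot: The new `_service_container_requires` line is a single ~140-column Jinja expression, while `_service_container_secrets` directly above it uses a `>` block scalar to spread the same kind of conditional append over several lines; folding `_service_container_requires` (and the sibling `_service_container_wants`) the same way would keep the file consistent and diffable. Note also that `_service_database_name` is now always rendered, as `<service_name>-none` when no database is configured; its only consumers in this change sit behind `_service_setup_database`, so that is harmless, but a comment above it such as `# Always defined; only meaningful when _service_setup_database is true` would save the next reader the check.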


@@ -11,7 +11,7 @@
quiet: true quiet: true
- name: Synapse container - name: Synapse container
ansible.builtin.include_role: ansible.builtin.import_role:
name: service name: service
vars: vars:
service_name: synapse service_name: synapse
@@ -59,7 +59,7 @@
- matrix-authentication-service.service - matrix-authentication-service.service
- name: Matrix authentication service for synapse - name: Matrix authentication service for synapse
ansible.builtin.include_role: ansible.builtin.import_role:
name: matrix_authentication_service name: matrix_authentication_service
vars: vars:
matrix_authentication_service_additional_networks: matrix_authentication_service_additional_networks:
@@ -68,8 +68,8 @@
matrix_authentication_service_domain: "{{ synapse_mas_domain }}" matrix_authentication_service_domain: "{{ synapse_mas_domain }}"
matrix_authentication_service_homeserver_name: "{{ synapse_server_name }}" matrix_authentication_service_homeserver_name: "{{ synapse_server_name }}"
matrix_authentication_service_homeserver_address: http://synapse:8009 matrix_authentication_service_homeserver_address: http://synapse:8009
matrix_authentication_service_client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}" matrix_authentication_service_client_secret: "{{ service_podman_secrets['synapse-mas-client-secret'] }}"
matrix_authentication_service_homeserver_secret: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}" matrix_authentication_service_homeserver_secret: "{{ service_podman_secrets['synapse-mas-homeserver-secret'] }}"
matrix_authentication_service_email_smtp_server: "{{ synapse_email_smtp_server }}" matrix_authentication_service_email_smtp_server: "{{ synapse_email_smtp_server }}"
matrix_authentication_service_email_smtp_user: "{{ synapse_email_smtp_user }}" matrix_authentication_service_email_smtp_user: "{{ synapse_email_smtp_user }}"
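Review bot: The two `import_role` tasks here make both the synapse `service` import and the `matrix_authentication_service` import static, and the renamed `service_podman_secrets` passed in the `vars:` below is a `set_fact` host fact that the `service` role re-creates on every import. If the MAS role imports `service` itself, the dict is overwritten with MAS's own secrets before MAS's templates are rendered, so whether `service_podman_secrets['synapse-mas-client-secret']` still resolves depends on when those lazily templated `vars:` are evaluated; this is inferred from the rename, not visible here, so confirm with a run rather than assume. A safer shape is to capture the two values into synapse-scoped facts right after the synapse import, e.g. `_synapse_mas_client_secret: "{{ service_podman_secrets['synapse-mas-client-secret'] }}"`, with `no_log: true`, and pass those instead.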


@@ -29,7 +29,7 @@ database:
args: args:
host: synapse-postgres host: synapse-postgres
user: synapse user: synapse
password: "{{ _service_database_password }}" password: "{{ service_podman_secrets['synapse-postgres'] }}"
dbname: synapse dbname: synapse
caches: caches:
@@ -112,6 +112,6 @@ experimental_features:
issuer: http://matrix-authentication-service:8080/ issuer: http://matrix-authentication-service:8080/
client_id: 0000000000000000000SYNAPSE client_id: 0000000000000000000SYNAPSE
client_auth_method: client_secret_basic client_auth_method: client_secret_basic
client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}" client_secret: "{{ service_podman_secrets['synapse-mas-client-secret'] }}"
admin_token: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}" admin_token: "{{ service_podman_secrets['synapse-mas-homeserver-secret'] }}"
account_management_url: "https://{{ synapse_mas_domain }}/account" account_management_url: "https://{{ synapse_mas_domain }}/account"