Move service_container_requires from set_fact to vars

service: reformat postgres_tag description in argspec
service: Better use podman secrets for database passwords
2025-04-04 22:16:51 +03:00 · 2025-04-04 22:16:21 +03:00 · 2025-04-04 22:16:08 +03:00 · 2025-04-04 22:13:07 +03:00 · 2025-04-04 21:21:42 +03:00 · 2025-04-04 21:20:21 +03:00
14 changed files with 46 additions and 41 deletions
--- a/galaxy.yaml
+++ b/galaxy.yaml
--- a/roles/container/meta/argument_specs.yaml
+++ b/roles/container/meta/argument_specs.yaml
@@ -93,6 +93,11 @@ argument_specs:
              - If the value is not explicitly set, it will not be changed if the secret already exists.
            type: str
            required: false
+          length:
+            description: Length of randomly generated string
+            type: int
+            required: false
+            defalut: 128

      container_env:
        description: A dict of environment variables for the container
--- a/roles/container/tasks/secrets.yaml
+++ b/roles/container/tasks/secrets.yaml
@@ -2,7 +2,7 @@
 - name: Create secrets for container {{ container_name }}
  containers.podman.podman_secret:
    name: "{{ item.name }}"
-    data: "{{ item.value | default(lookup('community.general.random_string', special=false, length=128)) }}"
+    data: "{{ item.value | default(lookup('community.general.random_string', special=false, length=item.length | default(128))) }}"
    skip_existing: "{{ item.value is not defined }}"
  no_log: true
  loop: "{{ container_secrets }}"
--- a/roles/example/tasks/main.yml
+++ b/roles/example/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Hello world container
-  ansible.builtin.include_role:
+  ansible.builtin.import_role:
    name: service
  vars:
    service_name: hello-world
--- a/roles/matrix_authentication_service/templates/config.yaml.j2
+++ b/roles/matrix_authentication_service/templates/config.yaml.j2
@@ -33,7 +33,7 @@ http:
 database:
  host: matrix-authentication-service-postgres
  username: matrix_authentication_service
-  password: "{{ _service_database_password }}"
+  password: "{{ service_podman_secrets['matrix-authentication-service-postgres'] }}"
  database: matrix_authentication_service

 secrets: 
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -93,7 +93,7 @@ argument_specs:
        description:
          - A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
          - >
-            A dict of secrets and their values (including autogenerated values) is available as `_service_podman_secrets` for use
+            A dict of secrets and their values (including autogenerated values) is available as `service_podman_secrets` for use
            in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file
        type: list
        required: false
@@ -110,6 +110,11 @@ argument_specs:
              - If the value is not explicitly set, it will not be changed if the secret already exists.
            type: str
            required: false
+          length:
+            description: Length of randomly generated string
+            type: int
+            required: false
+            default: 128
      service_container_env:
        description: A dict of environment variables for the service container(s)
        type: dict
@@ -117,9 +122,16 @@ argument_specs:
        default: {}

      service_database_type:
-        description: >
-          Database type to set up. It will be run in a docker container accessible to the service at host <service name>-{{ service_database_type }} on the
-          default port. The database user will be {{ service_name }} and password will be available as the _service_database_password variable.
+        description:
+          - Database type to set up.
+          - >
+            It will be run in a docker container accessible to the service at
+            host {{ service_name }}-{{ service_database_type }} on the default port.
+          - The database user will be {{ service_name }}
+          - The password will be accessible as secret at /run/secrets/{{ service_name }}-{{ service_database_type }}
+          - >
+            The password will also be available as the
+            service_podman_secrets['{{ service_name }}-{{ service_database_type }}'] variable.
        type: str
        required: false
        choices:
@@ -127,9 +139,10 @@ argument_specs:
          - none
        default: none
      service_postgres_tag:
-        description: >
-          Postgresql version to use. Can be debian (n) or alpine-based (n-alpine), where n can be major version like 14 or minor like 14.13.
-          Required if service_database_type is postgres.
+        description:
+          - Postgresql version to use.
+          - Can be debian (n) or alpine-based (n-alpine), where n can be major version like 14 or minor like 14.13.
+          - Required if service_database_type is postgres, does nothing otherwise
        type: str
        required: false

--- a/roles/service/tasks/database.yaml
+++ b/roles/service/tasks/database.yaml
@@ -1,10 +1,6 @@
 ---
- name: Include database variables
-  ansible.builtin.include_vars:
-    file: database.yaml
-
 - name: Database container for {{ service_name }}
-  ansible.builtin.include_role:
+  ansible.builtin.import_role:
    name: container
  vars:
    container_name: "{{ service_name }}-{{ service_database_type }}" # This doesn't use _service_database_name to allow container role handlers to work
@@ -22,14 +18,3 @@
      POSTGRES_PASSWORD_FILE: "/run/secrets/{{ _service_database_name }}"
      POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
    container_auto_update: "{{ service_auto_update }}"
-
- name: Get database secret info
-  containers.podman.podman_secret_info:
-    name: "{{ _service_database_name }}"
-    showsecret: true
-  register: _service_database_secret
-
- name: Set database-related variables
-  ansible.builtin.set_fact:
-    _service_database_password: "{{ _service_database_secret.secrets[0].SecretData }}"
-    _service_container_requires: "{{ _service_container_requires + [_service_database_name + '.service'] }}"
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
@@ -5,15 +5,14 @@
 - name: Initialize variables
  ansible.builtin.set_fact:
    _service_container_mounts: []
-    _service_container_requires: "{{ service_requires }}"

 - name: Databse for {{ service_name }}
  ansible.builtin.include_tasks: database.yaml
-  when: "service_database_type != 'none'"
+  when: _service_setup_database

 - name: Secrets for {{ service_name }}
  ansible.builtin.include_tasks: secrets.yaml
-  when: service_container_secrets | length > 0
+  when: _service_container_secrets | length > 0

 - name: Mounts for {{ service_name }}
  ansible.builtin.include_tasks: mounts.yaml
--- a/roles/service/tasks/proxy.yaml
+++ b/roles/service/tasks/proxy.yaml
@@ -7,7 +7,7 @@
  notify: Restart socat socket for {{ service_name }}

 - name: Socat container for {{ service_name }}
-  ansible.builtin.include_role:
+  ansible.builtin.import_role:
    name: container
  vars:
    container_name: "{{ service_name }}-socat"
--- a/roles/service/tasks/secrets.yaml
+++ b/roles/service/tasks/secrets.yaml
@@ -1,6 +1,6 @@
 ---
 - name: Create secrets
-  ansible.builtin.include_role:
+  ansible.builtin.import_role:
    name: container
    tasks_from: secrets.yaml
    rolespec_validate: false # FIXME make proper validation possible
@@ -16,7 +16,7 @@

 - name: Store secrets in a variable for later
  ansible.builtin.set_fact:
-    _service_podman_secrets: >
+    service_podman_secrets: >
      {{ _service_podman_secret_info.secrets
        | map(attribute='Spec.Name')
        | zip(_service_podman_secret_info.secrets | map(attribute='SecretData'))
--- a/roles/service/vars/database.yaml
+++ b/roles/service/vars/database.yaml
@@ -1,2 +0,0 @@
---
-_service_database_name: "{{ service_name }}-{{ service_database_type }}"
--- a/roles/service/vars/main.yaml
+++ b/roles/service/vars/main.yaml
@@ -2,6 +2,9 @@
 _service_template_mounts: "{{ service_container_mounts | selectattr('type', '==', 'template') | list }}"
 _service_host_directory: "/srv/{{ service_name }}"

+_service_setup_database: "{{ service_database_type != 'none' }}"
+_service_database_name: "{{ service_name }}-{{ service_database_type }}"
+
 _service_container_secrets: >
  {{
    service_container_secrets
@@ -11,6 +14,8 @@ _service_container_secrets: >
        | map('community.general.dict_kv', 'name')
        )
      | map('combine')
+    + ([{'name': _service_database_name }] if _service_setup_database else [])
  }}

+_service_container_requires: "{{ service_requires + ([_service_database_name + '.service'] if _service_setup_database else []) }}"
 _service_container_wants: "{{ service_wants + ([service_name + '-socat.socket'] if service_domains | length > 0 else []) }}"
--- a/roles/synapse/tasks/main.yaml
+++ b/roles/synapse/tasks/main.yaml
@@ -11,7 +11,7 @@
    quiet: true

 - name: Synapse container
-  ansible.builtin.include_role:
+  ansible.builtin.import_role:
    name: service
  vars:
    service_name: synapse
@@ -59,7 +59,7 @@
      - matrix-authentication-service.service

 - name: Matrix authentication service for synapse
-  ansible.builtin.include_role:
+  ansible.builtin.import_role:
    name: matrix_authentication_service
  vars:
    matrix_authentication_service_additional_networks:
@@ -68,8 +68,8 @@
    matrix_authentication_service_domain: "{{ synapse_mas_domain }}"
    matrix_authentication_service_homeserver_name: "{{ synapse_server_name }}"
    matrix_authentication_service_homeserver_address: http://synapse:8009
-    matrix_authentication_service_client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}"
-    matrix_authentication_service_homeserver_secret: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}"
+    matrix_authentication_service_client_secret: "{{ service_podman_secrets['synapse-mas-client-secret'] }}"
+    matrix_authentication_service_homeserver_secret: "{{ service_podman_secrets['synapse-mas-homeserver-secret'] }}"

    matrix_authentication_service_email_smtp_server: "{{ synapse_email_smtp_server }}"
    matrix_authentication_service_email_smtp_user: "{{ synapse_email_smtp_user }}"
--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@@ -29,7 +29,7 @@ database:
  args:
    host: synapse-postgres
    user: synapse
-    password: "{{ _service_database_password }}"
+    password: "{{ service_podman_secrets['synapse-postgres'] }}"
    dbname: synapse

 caches:
@@ -112,6 +112,6 @@ experimental_features:
    issuer: http://matrix-authentication-service:8080/
    client_id: 0000000000000000000SYNAPSE
    client_auth_method: client_secret_basic
-    client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}"
-    admin_token: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}"
+    client_secret: "{{ service_podman_secrets['synapse-mas-client-secret'] }}"
+    admin_token: "{{ service_podman_secrets['synapse-mas-homeserver-secret'] }}"
    account_management_url: "https://{{ synapse_mas_domain }}/account"
Author	SHA1	Message	Date
uumas	5a154d3f17	Move service_container_requires from set_fact to vars	2025-04-04 22:16:51 +03:00
uumas	3b354ef3b8	service: reformat postgres_tag description in argspec	2025-04-04 22:16:21 +03:00
uumas	7b46279c63	service: Better use podman secrets for database passwords	2025-04-04 22:16:08 +03:00
uumas	68b3dcb49c	service: rename secrets return variable	2025-04-04 22:13:07 +03:00
uumas	9bb2b24948	Make randomly generated secret length configurable	2025-04-04 21:21:42 +03:00
uumas	335656a166	Use import_role where possible	2025-04-04 21:20:21 +03:00
uumas	4c44845a8b	galaxy.yaml -> galaxy.yml	2025-03-31 03:16:12 +03:00