service: Add support for service postgres containers

roles/container/README.md

@@ -0,0 +1 @@
+Sets up podman container with systemd units (quadlet)

roles/container/defaults/main.yaml

@@ -4,6 +4,7 @@ container_user: ""
 container_mounts: []
 container_publish_ports: []
 container_networks: []
+container_secrets: []
 container_env: {}
 container_auto_start: true
 container_auto_update: true

roles/container/meta/argument_specs.yaml

@@ -1,7 +1,7 @@
 ---
 argument_specs:
   main:
-    short_description: Sets up podman container with systemd units (quadlet)
+    description: Sets up podman container with systemd units (quadlet)
     options:
       container_name:
         description: Name of the container. Must be unique within a host.
@@ -66,6 +66,24 @@ argument_specs:
         required: false
         default: []
         elements: str
+      container_secrets:
+        description: A list of secrets available to the container in /run/secrets/<secret name>
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          name:
+            description: Name of the secret
+            type: str
+            required: true
+          value:
+            description:
+              - Value of the secret. Defaults to a 128-character random string containing alphanumeric characters.
+              - If the value is not explicitly set, it will not be changed if the secret already exists.
+            type: str
+            required: false
+
       container_env:
         description: A dict of environment variables for the container
         type: dict

roles/container/tasks/main.yaml

@@ -8,6 +8,13 @@
   loop_control:
     loop_var: network
 
+- name: Create secrets for container {{ container_name }}
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value | default(lookup('community.general.random_string', special=false, length=128)) }}"
+    skip_existing: "{{ item.value is not defined }}"
+  loop: "{{ container_secrets }}"
+
 - name: Create container service {{ container_name }}
   ansible.builtin.template:
     src: container.j2

roles/container/templates/container.j2

@@ -30,6 +30,9 @@ Network={{ network }}.network
 {% for port in container_publish_ports %}
 PublishPort={{ port }}
 {% endfor %}
+{% for secret in container_secrets %}
+Secret={{ secret.name }}
+{% endfor %}
 {% for key, value in container_env.items() %}
 Environment={{ key }}={{ value }}
 {% endfor %}

roles/example/README.md

@@ -0,0 +1 @@
+Sets up a hello world podman container. This role can be used as a template for other roles using the container role.

roles/example/meta/argument_specs.yml

@@ -0,0 +1,11 @@
+---
+argument_specs:
+  main:
+    description: "Sets up a hello world podman container. This role can be used as a template for other roles using the container role."
+    options:
+      example_domains:
+        description: A list of domains the container should listen on
+        type: list
+        required: false
+        default: []
+        elements: str

roles/example/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+- name: Hello world container
+  ansible.builtin.include_role:
+    name: service
+  vars:
+    service_name: hello-world
+    service_container_image: "docker.io/library/hello-world:latest"
+    service_container_mounts:
+      - type: volume
+        source: config
+        destination: /config
+      - type: bind
+        source: /media/hello-world
+        destination: /media
+      - type: bind
+        source: /etc/locale.conf
+        destination: /etc/locale.conf
+        readonly: true
+    service_container_http_port: 8080
+    service_domains: "{{ example_domains }}"
+    service_container_publish_ports:
+      - "127.0.0.1:8080:8080"
+      - "0.0.0.0:4443:8043"
+    service_requires:
+      - network-online.target
+    service_container_env:
+      TZ: "Etc/UTC"
+    service_additional_containers:
+      - name: worker
+        # image: "docker.io/library/hello-world:latest"
+        mounts: []
+        publish_ports: []
+        # env: {}

roles/network/README.md

@@ -0,0 +1 @@
+Sets up podman network with systemd unit (quadlet)

roles/network/meta/argument_specs.yaml

@@ -1,7 +1,7 @@
 ---
 argument_specs:
   main:
-    short_description: Sets up podman network with systemd unit (quadlet)
+    description: Sets up podman network with systemd unit (quadlet)
     options:
       network_name:
         description: Name of the network. Must be unique within a host.

roles/podman/README.md

@@ -0,0 +1 @@
+Installs podman

roles/podman/meta/argument_specs.yaml

@@ -1,5 +1,5 @@
 ---
 argument_specs:
   main:
-    short_description: Installs podman
+    description: Installs podman
     options: {}

roles/service/README.md

@@ -0,0 +1 @@
+Sets up a service in podman container(s)

roles/service/defaults/main.yaml

@@ -5,6 +5,8 @@ service_container_publish_ports: []
 service_container_mounts: []
 service_container_env: {}
 
+service_database_type: none
+
 service_additional_containers: []
 
 service_requires: []

roles/service/meta/argument_specs.yaml

@@ -1,7 +1,7 @@
 ---
 argument_specs:
   main:
-    short_description: Sets up a service in podman container(s)
+    description: Sets up a service in podman container(s)
     options:
       service_name:
         description: Name of the service.
@@ -13,6 +13,7 @@ argument_specs:
         type: list
         required: false
         default: []
+        elements: str
       service_container_http_port:
         description:
           - Port inside the container where http requests will be proxied to.
@@ -29,6 +30,7 @@ argument_specs:
         type: list
         required: false
         default: []
+        elements: str
       service_container_mounts:
         description: List of bind mounts or volumes to be mounted inside the service container(s).
         type: list
@@ -65,6 +67,23 @@ argument_specs:
         required: false
         default: {}
 
+      service_database_type:
+        description: >
+          Database type to set up. It will be run in a docker container accessible to the service at host <service name>-{{ service_database_type }} on the
+          default port. The database user will be {{ service_name }} and password will be available as the _service_database_password variable.
+        type: str
+        required: false
+        choices:
+          - postgres
+          - none
+        default: none
+      service_postgres_tag:
+        description: >
+          Postgresql version to use. Can be debian (n) or alpine-based (n-alpine), where n can be major version like 14 or minor like 14.13.
+          Required if service_database_type is postgres.
+        type: str
+        required: false
+
       service_additional_containers:
         description:
           - List of additional containers for the sercice.
@@ -125,6 +144,7 @@ argument_specs:
             type: list
             required: false
             default: []
+            elements: str
           env:
             description: A dict of environment variables for the container
             type: dict

roles/service/tasks/database.yaml

@@ -0,0 +1,34 @@
+---
+- name: Set database name
+  ansible.builtin.set_fact:
+    _service_database_name: "{{ service_name }}-{{ service_database_type }}"
+
+- name: Database container for {{ service_name }}
+  ansible.builtin.include_role:
+    name: container
+  vars:
+    container_name: "{{ service_name }}-{{ service_database_type }}" # This doesn't use _service_database_name to allow container role handlers to work
+    container_image: "docker.io/library/postgres:{{ service_postgres_tag }}"
+    container_mounts:
+      - type: volume
+        source: "{{ _service_database_name }}"
+        destination: /var/lib/postgresql/data
+    container_networks:
+      - "{{ service_name }}"
+    container_secrets:
+      - name: "{{ _service_database_name }}"
+    container_env:
+      POSTGRES_USER: "{{ service_name | replace('-', '_') }}"
+      POSTGRES_PASSWORD_FILE: "/run/secrets/{{ _service_database_name }}"
+    container_auto_update: "{{ service_auto_update }}"
+
+- name: Get database secret info
+  containers.podman.podman_secret_info:
+    name: "{{ _service_database_name }}"
+    showsecret: true
+  register: _service_database_secret
+
+- name: Set database-related variables
+  ansible.builtin.set_fact:
+    _service_database_password: "{{ _service_database_secret.secrets[0].SecretData }}"
+    _service_container_requires: "{{ _service_container_requires + [_service_database_name + '.service'] }}"

roles/service/tasks/main.yaml

@@ -1,8 +1,20 @@
 ---
+- name: Validate inputs
+  ansible.builtin.import_tasks: validation.yaml
+
+- name: Initialize variables
+  ansible.builtin.set_fact:
+    _service_container_mounts: []
+    _service_container_requires: "{{ service_requires }}"
+
 - name: Mounts for {{ service_name }}
   ansible.builtin.include_tasks: mounts.yaml
   when: service_container_mounts | length > 0
 
+- name: Databse for {{ service_name }}
+  ansible.builtin.include_tasks: database.yaml
+  when: "service_database_type != 'none'"
+
 - name: Main container for {{ service_name }}
   ansible.builtin.include_role:
     name: container
@@ -14,7 +26,7 @@
     container_networks:
       - "{{ service_name }}"
     container_env: "{{ service_container_env }}"
-    container_requires: "{{ service_requires }}"
+    container_requires: "{{ _service_container_requires }}"
     container_wants: "{{ [service_name + '-socat.socket'] if service_domains | length > 0 else [] }}"
     container_auto_update: "{{ service_auto_update }}"
 

roles/service/tasks/mounts.yaml

@@ -1,12 +1,8 @@
 ---
-- name: Initialize variables
-  ansible.builtin.set_fact:
-    _service_container_mounts: []
-
 - name: Set container named mounts
   ansible.builtin.set_fact:
     _service_container_mounts: >
-      {{ _service_container_mounts + 
+      {{ _service_container_mounts +
       [mount | combine({'source': service_name + '-' + mount.source})] }}
   when: mount.type == 'volume'
   loop: "{{ service_container_mounts }}"

roles/service/tasks/validation.yaml

@@ -0,0 +1,5 @@
+---
+- name: Fail if service_database_type is postgres but service_postgres_tag is not set
+  ansible.builtin.fail:
+    msg: "service_postgres_tag needs to be set when database type is postgres"
+  when: "service_database_type == 'postgres' and service_postgres_tag is not defined"