web-app-taiga: extract admin bootstrap into dedicated task; add robust upsert path

Add roles/web-app-taiga/tasks/01_administrator.yml to handle admin creation via 'createsuperuser' and, on failure, an upsert fallback using 'manage.py shell'. Ensures email, is_staff, is_superuser, is_active are set and password is updated when needed; emits CHANGED marker for idempotence. Update roles/web-app-taiga/tasks/main.yml to include the new 01_administrator.yml task file, removing the inline admin logic for better separation of concerns. Uses taiga-manage helper service and composes docker-compose.yml with docker-compose-inits.yml to inherit env/networks/volumes consistently. Chat reference: https://chatgpt.com/share/68af7637-225c-800f-b670-2b948f5dea54
2025-08-30 07:18:09 +02:00 · 2025-08-27 23:58:37 +02:00
parent 1401779a9d
commit 8baec17562
2 changed files with 40 additions and 23 deletions
--- a/roles/web-app-taiga/tasks/01_administrator.yml
+++ b/roles/web-app-taiga/tasks/01_administrator.yml
@@ -0,0 +1,38 @@
+- name: "Create Taiga admin user (idempotent)"
+  command: >
+    docker compose
+    -f {{ TAIGA_DOCKER_COMPOSE_PATH }}
+    -f {{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}
+    run --rm taiga-manage
+    createsuperuser --noinput
+    --username {{ TAIGA_SUPERUSER_NAME }}
+    --email {{ TAIGA_SUPERUSER_EMAIL }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: taiga_create_admin
+  changed_when: taiga_create_admin.rc == 0
+  failed_when: >
+    taiga_create_admin.rc != 0 and
+    ('already taken' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
+    ('already exists' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
+    ('integrityerror' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower)
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: "Upsert Taiga admin via manage.py shell"
+  command: >
+    docker compose
+    -f {{ TAIGA_DOCKER_COMPOSE_PATH }}
+    -f {{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}
+    run --rm
+    -e DJANGO_SUPERUSER_PASSWORD={{ TAIGA_SUPERUSER_PASSWORD | quote }}
+    taiga-manage
+    shell -c
+    "from django.contrib.auth import get_user_model; import os; U=get_user_model(); u,created=U.objects.get_or_create(username='{{ TAIGA_SUPERUSER_NAME }}'); changed=bool(created); old=(u.email,u.is_staff,u.is_superuser,u.is_active); u.email='{{ TAIGA_SUPERUSER_EMAIL }}'; u.is_staff=True; u.is_superuser=True; u.is_active=True; changed = changed or old!=(u.email,u.is_staff,u.is_superuser,u.is_active); pwd=os.environ.get('DJANGO_SUPERUSER_PASSWORD'); assert pwd, 'Missing DJANGO_SUPERUSER_PASSWORD'; need_pwd = not u.check_password(pwd); changed = changed or need_pwd; need_pwd and u.set_password(pwd); u.save(); print('CHANGED=1' if changed else 'CHANGED=0')"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: taiga_upsert_admin
+  when: taiga_create_admin.rc != 0
+  changed_when: "'CHANGED=1' in ((taiga_upsert_admin.stdout | default('')) + (taiga_upsert_admin.stderr | default('')))"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
--- a/roles/web-app-taiga/tasks/main.yml
+++ b/roles/web-app-taiga/tasks/main.yml
@@ -22,26 +22,5 @@
 - name: "Flush Taiga handlers"
  meta: flush_handlers

- name: "Create Taiga admin user (idempotent)"
-  command: >
-    docker compose
-    -f {{ TAIGA_DOCKER_COMPOSE_PATH }}
-    -f {{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}
-    run --rm taiga-manage
-    createsuperuser --noinput
-    --username {{ TAIGA_SUPERUSER_NAME }}
-    --email {{ TAIGA_SUPERUSER_EMAIL }}
-  environment:
-    DJANGO_SUPERUSER_PASSWORD: "{{ TAIGA_SUPERUSER_PASSWORD }}"
-  args:
-    chdir: "{{ docker_compose.directories.instance }}"
-  register: taiga_create_admin
-  changed_when: taiga_create_admin.rc == 0
-  failed_when: >
-    taiga_create_admin.rc != 0 and
-    ('already taken' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
-    ('already exists' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
-    ('integrityerror' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower)
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+- name: "Include Taiga administrator routines"
+  include_tasks: 01_administrator.yml