From 91d5ba35d1cc0dc48ffb922d7e7c6d9481b88a84 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 3 Dec 2025 22:00:18 +0100
Subject: [PATCH] Add container-aware execution logic and CI stability fixes
- Introduce global IS_CONTAINER flag based on ansible_virtualization facts
- Skip systemd-based handlers and tasks when running inside containers
- Extend EXCLUDED_ROLES list in GitHub Actions test-deploy workflow
- Ensure docker.sock is mounted for all CI deploy stages
- Improve sys-svc-docker by suppressing service restarts inside containers
- Add meta: flush_handlers to properly trigger delayed docker restarts
- Update sys-service handlers with container guards
- Update sys-timer tasks to avoid systemctl inside CI containers
- Enhance drv-non-free role with Manjaro detection and mhwd fallback warning
- Skip swapfile generation in containers
- Minor service template fixes and cleanup in proxy.conf.j2
Details and discussion: https://chatgpt.com/share/6930a4ca-56f4-800f-9b3d-4791f040a03b
---
.github/workflows/test-deploy.yml | 16 +++++++--
group_vars/all/00_general.yml | 10 +++++-
roles/drv-non-free/tasks/main.yml | 34 +++++++++++++++++--
.../svc-net-wireguard-core/Administration.md | 2 ++
roles/svc-opt-swapfile/tasks/main.yml | 4 ++-
.../templates/systemctl.service.j2 | 2 +-
roles/sys-service/handlers/main.yml | 5 ++-
roles/sys-svc-docker/handlers/main.yml | 3 +-
roles/sys-svc-docker/tasks/01_core.yml | 3 ++
roles/sys-timer/tasks/main.yml | 4 ++-
roles/web-svc-file/templates/proxy.conf.j2 | 8 ++---
11 files changed, 77 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index b90c9a88..e6b2140d 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -15,8 +15,17 @@ jobs:
env:
# The following roles will be ignored in the tests
EXCLUDED_ROLES: >
- drv-lid-switch
-
+ drv-lid-switch,
+ svc-net-wireguard-core,
+ svc-net-wireguard-firewalled,
+ svc-net-wireguard-plain,
+ svc-opt-keyboard-color,
+ svc-opt-ssd-hdd,
+ web-app-bridgy-fed,
+ web-app-oauth2-proxy,
+ web-app-postmarks,
+ web-app-socialhome,
+ web-svc-xmpp,
steps:
- name: Checkout repository
uses: actions/checkout@v4
@@ -29,6 +38,7 @@ jobs:
- name: First deploy (normal + debug)
run: |
docker run --network=host --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
@@ -52,6 +62,7 @@ jobs:
- name: Second deploy (--reset --debug)
run: |
docker run --network=host --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
@@ -74,6 +85,7 @@ jobs:
- name: Third deploy (async deploy – no debug)
run: |
docker run --network=host --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml
index 84444276..b556d771 100644
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -112,4 +112,12 @@ HCAPTCHA_ENABLED: "{{ (CAPTCHA.HCAPTCHA.KEY | default('') | length > 0)
# Applications which are allways required
WEBSERVER_CORE_APPLICATIONS:
- web-svc-logout
- - web-svc-cdn
\ No newline at end of file
+ - web-svc-cdn
+
+# Global flag for detecting containerized environments
+IS_CONTAINER: >-
+ {{
+ (ansible_virtualization_role | default('') == 'guest')
+ and
+ (ansible_virtualization_type | default('') in ['docker', 'podman', 'lxc', 'container'])
+ }}
diff --git a/roles/drv-non-free/tasks/main.yml b/roles/drv-non-free/tasks/main.yml
index 713b9095..526a85da 100644
--- a/roles/drv-non-free/tasks/main.yml
+++ b/roles/drv-non-free/tasks/main.yml
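Review bot: The new entries turn the `>` folded scalar into `drv-lid-switch, svc-net-wireguard-core, …, web-svc-xmpp,` followed by a newline, i.e. every element after the first carries a leading space and the trailing comma yields an empty element; whether the consumer of `$EXCLUDED_ROLES` strips whitespace and ignores empty names is not visible here and should be confirmed, because an unstripped ` svc-opt-ssd-hdd` would silently fail to exclude that role. Writing the block as `EXCLUDED_ROLES: >-` and dropping the comma after `web-svc-xmpp` removes both sources of doubt. Since the listed roles now get no CI coverage at all, a one-line comment per group saying why they cannot run in the container (kernel modules, systemd, external services) would stop the list from growing unexplained.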
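Review bot: Mounting `/var/run/docker.sock` together with `--network=host` makes the deploy container root-equivalent on the runner host: anything executed by the roles under test can start privileged containers, read the runner filesystem and reach the job's credentials. That is acceptable on ephemeral GitHub-hosted runners, but the workflow trigger is outside this hunk; if the job ever runs on `pull_request_target` or a self-hosted runner, this becomes a code-execution-to-host path for untrusted branches. I would document the trade-off above the mount, `# Host docker socket = root on the runner; only run on ephemeral hosted runners, never on pull_request_target or self-hosted`, and add `if: github.event_name != 'pull_request_target'` on the job. Mounting the socket `:ro` does not restrict the API (connecting to a unix socket is not blocked by a read-only mount), so it is not a mitigation.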
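Review bot: `IS_CONTAINER` evaluates to false whenever the virtualization facts are absent (both operands use `default('')`), so a play with `gather_facts: false` or a reduced `gather_subset` runs every systemd path inside the container without warning; a comment stating this dependency and an explicit override (an extra-var consulted before the facts) would let CI force the value. Listing `lxc` also classifies every LXC guest as a container, yet LXC and similar system containers commonly run systemd, so the guards added in sys-service and sys-timer would skip service management on hosts where it works; what those guards need is `ansible_service_mgr == 'systemd'`, which could be folded into this flag. Detection by `ansible_virtualization_type` is also first-match and varies with Ansible version and cgroup layout; `ansible_virtualization_tech_guest` (Ansible 2.13+) lists all detected layers and may be more reliable for a container running inside a VM.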
@@ -1,2 +1,32 @@
-- name: Install nonfree drivers
- ansible.builtin.shell: mhwd -a pci nonfree 0300
\ No newline at end of file
+- name: Gather OS facts (ensure we know distribution)
+ ansible.builtin.setup:
+ when: ansible_facts is not defined
+
+- name: Ensure mhwd is installed on Manjaro
+ community.general.pacman:
+ name: mhwd
+ state: present
+ become: true
+ when:
+ - ansible_facts['distribution'] is defined
+ - ansible_facts['distribution'] in ['ManjaroLinux', 'Manjaro']
+ register: mhwd_install
+
+- name: Detect mhwd command
+ ansible.builtin.stat:
+ path: /usr/bin/mhwd
+ register: mhwd_binary
+
+- name: Install nonfree drivers via mhwd (Manjaro only)
+ ansible.builtin.shell: mhwd -a pci nonfree 0300
+ become: true
+ when:
+ - mhwd_binary.stat.exists
+
+- name: Warn when mhwd is not available
+ ansible.builtin.debug:
+ msg: >
+ Skipping proprietary GPU driver installation: `mhwd` not found.
+ This role currently only supports Manjaro (mhwd); on other distros it does nothing.
+ when:
+ - not mhwd_binary.stat.exists
diff --git a/roles/svc-net-wireguard-core/Administration.md b/roles/svc-net-wireguard-core/Administration.md
index 80d9bc2f..589f3639 100644
--- a/roles/svc-net-wireguard-core/Administration.md
+++ b/roles/svc-net-wireguard-core/Administration.md
@@ -1,5 +1,7 @@
# Administration
+
## Client
+
### Setup wireguard
```bash
pacman -S wireguard-tools
diff --git a/roles/svc-opt-swapfile/tasks/main.yml b/roles/svc-opt-swapfile/tasks/main.yml
index bd0f5cc1..0d82a659 100644
--- a/roles/svc-opt-swapfile/tasks/main.yml
+++ b/roles/svc-opt-swapfile/tasks/main.yml
@@ -1,2 +1,4 @@
- include_tasks: 01_core.yml
- when: run_once_svc_opt_swapfile is not defined
+ when:
+ - run_once_svc_opt_swapfile is not defined
+ - not IS_CONTAINER
diff --git a/roles/sys-ctl-mtn-cert-renew/templates/systemctl.service.j2 b/roles/sys-ctl-mtn-cert-renew/templates/systemctl.service.j2
index 3b8bc351..bc2b8515 100644
--- a/roles/sys-ctl-mtn-cert-renew/templates/systemctl.service.j2
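Review bot: The on-demand `ansible.builtin.setup` task never runs: `ansible_facts` is always defined (an empty mapping when facts were not gathered), so `when: ansible_facts is not defined` is always false and the Manjaro check afterwards quietly skips; `when: ansible_facts.distribution is not defined` is the condition that matches the task's intent. `mhwd -a pci nonfree 0300` is run with `shell` and no `changed_when`, so it executes and reports changed on every play even when the driver is already installed; it needs no shell features, so `ansible.builtin.command: mhwd -a pci nonfree 0300` with a `changed_when` derived from its output (to be confirmed against mhwd's actual messages) keeps the role idempotent. `register: mhwd_install` is never read and can be dropped.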
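Review bot: `- not IS_CONTAINER` is the only guard in this commit written without `| bool`; every handler and task elsewhere uses `not (IS_CONTAINER | bool)`. The variable is a templated string, and although Ansible normally coerces a rendered `True`/`False` inside `when`, relying on that while the rest of the code base does not invites a copy that tests string truthiness and is always true. Use `- not (IS_CONTAINER | bool)` here for consistency.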
+++ b/roles/sys-ctl-mtn-cert-renew/templates/systemctl.service.j2
@@ -5,4 +5,4 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
-ExecStartPost=/usr/bin/docker restart {{ applications | get_app_conf('svc-prx-openresty', 'docker.services.openresty.name', True) }}
+ExecStartPost=/usr/bin/docker restart {{ applications | get_app_conf('svc-prx-openresty', 'docker.services.openresty.name') }}
diff --git a/roles/sys-service/handlers/main.yml b/roles/sys-service/handlers/main.yml
index 3cd9af1a..b5c7fb43 100644
--- a/roles/sys-service/handlers/main.yml
+++ b/roles/sys-service/handlers/main.yml
@@ -7,6 +7,7 @@
async: "{{ system_service_async }}"
poll: "{{ system_service_poll }}"
listen: refresh systemctl service
+ when: not (IS_CONTAINER | bool)
- name: "Set systemctl service state"
systemd:
@@ -15,5 +16,7 @@
become: true
async: "{{ system_service_async }}"
poll: "{{ system_service_poll }}"
- when: not (system_service_suppress_flush | bool)
+ when:
+ - not (system_service_suppress_flush | bool)
+ - not (IS_CONTAINER | bool)
listen: refresh systemctl service
\ No newline at end of file
diff --git a/roles/sys-svc-docker/handlers/main.yml b/roles/sys-svc-docker/handlers/main.yml
index 84d905b4..0b16810a 100644
--- a/roles/sys-svc-docker/handlers/main.yml
+++ b/roles/sys-svc-docker/handlers/main.yml
@@ -1,6 +1,7 @@
---
- name: docker restart
- service:
+ ansible.builtin.service:
name: docker.service
state: restarted
enabled: yes
+ when: not (IS_CONTAINER | bool)
diff --git a/roles/sys-svc-docker/tasks/01_core.yml b/roles/sys-svc-docker/tasks/01_core.yml
index 2c54b018..17869974 100644
--- a/roles/sys-svc-docker/tasks/01_core.yml
+++ b/roles/sys-svc-docker/tasks/01_core.yml
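Review bot: Both handlers now skip silently inside a container, so a unit the role installed is neither enabled nor started and nothing in the play output records that; the condition they actually need is "there is no systemd to talk to", which the `ansible_service_mgr` fact expresses directly and which stays correct on LXC/nspawn guests that do run systemd. I would write the guard as `when: ansible_service_mgr == 'systemd' and not (IS_CONTAINER | bool)` (or just the first clause) in both places, with a comment, `# CI containers have no PID 1 systemd: the unit is installed but not (re)started`, so the skip reads as intentional. The first handler's name and its `systemd:` arguments start before this hunk.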
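Review bot: Skipping the restart in containers is correct for CI, where the play reaches the host's daemon through the mounted `/var/run/docker.sock`, but it also means that if this role writes daemon configuration (not visible here) that configuration is never applied to the daemon actually running the workloads; a comment on the guard should say so: `# In containers (CI) docker is the host daemon reached via docker.sock; never restart it from here`. Separately, `enabled: yes` should be `enabled: true` — `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags and YAML 1.2 parsers read as a string.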
@@ -8,6 +8,9 @@
state: present
notify: docker restart
+- name: Restart and enable docker service
+ meta: flush_handlers
+
- name: Setup Swapfile to prevent OOM Failures
# @ See https://en.wikipedia.org/wiki/Out_of_memory
include_role:
diff --git a/roles/sys-timer/tasks/main.yml b/roles/sys-timer/tasks/main.yml
index 927923dd..d0835a9d 100644
--- a/roles/sys-timer/tasks/main.yml
+++ b/roles/sys-timer/tasks/main.yml
@@ -12,6 +12,8 @@
name: "{{ sys_timer_file }}"
state: restarted
enabled: yes
- when: dummy_timer.changed or SYS_TIMER_ALL_ENABLED | bool
+ when:
+ - dummy_timer.changed or SYS_TIMER_ALL_ENABLED | bool
+ - not (IS_CONTAINER | bool)
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
diff --git a/roles/web-svc-file/templates/proxy.conf.j2 b/roles/web-svc-file/templates/proxy.conf.j2
index d33284ad..b125a90e 100644
--- a/roles/web-svc-file/templates/proxy.conf.j2
+++ b/roles/web-svc-file/templates/proxy.conf.j2
@@ -14,10 +14,10 @@ server
location / {
- alias {{NGINX.DIRECTORIES.DATA.FILES}}; {# Path to your file directory #}
- autoindex on; {# Enable directory listing #}
- autoindex_exact_size off; {# Display sizes in a human-readable format #}
- autoindex_localtime on; {# Show local time #}
+ alias {{ NGINX.DIRECTORIES.DATA.FILES }}; {# Path to your file directory #}
+ autoindex on; {# Enable directory listing #}
+ autoindex_exact_size off; {# Display sizes in a human-readable format #}
+ autoindex_localtime on; {# Show local time #}
{% include 'roles/sys-front-inj-all/templates/location.lua.j2' %}
}
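Review bot: `meta: flush_handlers` runs every handler notified so far in the play, not only `docker restart`, so the task name `Restart and enable docker service` misdescribes it; name it for what it does and why it is here, e.g. `- name: Flush handlers so a pending docker restart happens before docker is used`. On a real host this moves the daemon restart from the end of the play to this point, and restarting dockerd stops every running container unless `live-restore` is configured in the daemon (not visible here); that is worth a one-line comment above the task so the mid-play restart is not mistaken for a side effect. The `state: present` task that issues the `notify` starts before this hunk.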
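Review bot: The first list entry, `dummy_timer.changed or SYS_TIMER_ALL_ENABLED | bool`, relies on `|` binding tighter than `or`; it evaluates as intended, but now that it sits in a list alongside the new guard it is easier to misread, so `- dummy_timer.changed or (SYS_TIMER_ALL_ENABLED | bool)` makes the precedence explicit. While touching the task, `enabled: yes` should become `enabled: true` (YAML 1.1 truthy value, flagged by yamllint). The module name and the task's name are outside this hunk.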