refactor: improve service handling and introduce MODE_ASSERT

- Improved get_service_name filter plugin (clearer suffix handling, consistent var names). - Added MODE_ASSERT flag to optionally execute validation/assertion tasks. - Fixed systemd unit handling: consistent use of %I instead of %i, correct escaping of instance names. - Unified on_failure behavior and alarm composer scripts. - Cleaned up redundant logging, handlers, and debug config. - Strengthened sys-service template resolution with assert (only active when MODE_ASSERT). - Simplified timer and suffix handling with get_service_name filter. - Hardened sensitive tasks with no_log. - Added conditional asserts across roles (Keycloak, DNS, Mailu, Discourse, etc.). These changes improve consistency, safety, and validation across the automation stack. Conversation: https://chatgpt.com/share/68a4ae28-483c-800f-b2f7-f64c7124c274
2025-08-30 15:28:12 +02:00 · 2025-08-19 19:02:52 +02:00
parent 6e538eabc8
commit a10dd402b8
30 changed files with 82 additions and 55 deletions
--- a/roles/sys-ctl-alm-compose/tasks/01_core.yml
+++ b/roles/sys-ctl-alm-compose/tasks/01_core.yml
@@ -6,20 +6,30 @@
    - sys-ctl-alm-email
  vars:
    flush_handlers: true
-    systemctl_timer_enabled: false
-    systemctl_copy_files: true
+    system_service_timer_enabled: false
+    system_service_copy_files: true

 - name: "Include core service for '{{ system_service_id  }}'"
  include_role:
    name: sys-service
  vars:
    flush_handlers: true
-    systemctl_timer_enabled: false
-    systemctl_copy_files: true
-    systemctl_tpl_exec_start: "{{ system_service_script_exec }} %i"
-    systemctl_tpl_on_failure: "" # No on failure needed, because it's anyhow the default on failure procedure
+    system_service_timer_enabled: false
+    system_service_copy_files: true
+    system_service_tpl_exec_start: "{{ system_service_script_exec }} %I"
+    system_service_tpl_on_failure: "" # No on failure needed, because it's anyhow the default on failure procedure

- name: "Send message to test service."
-  systemd:
-    name: "sys-ctl-alm-compose@{{ SYSTEMCTL_ALARM_COMPOSER_DUMMY_MESSAGE }}.service"
-    state: started
+- block:
+  - name: Escape instance name for systemctl call
+    ansible.builtin.command:
+      argv:
+        - systemd-escape
+        - "{{ SYSTEMCTL_ALARM_COMPOSER_DUMMY_MESSAGE }}"
+    register: escaped_name
+    changed_when: false
+
+  - name: Start sys-ctl-alm-compose instance
+    ansible.builtin.systemd:
+      name: "{{ ('sys-ctl-alm-compose@') | get_service_name(SOFTWARE_NAME, False) ~ escaped_name.stdout ~ '.service' }}"
+      state: started
+  when: MODE_ASSERT | bool
--- a/roles/sys-ctl-alm-compose/templates/script.sh.j2
+++ b/roles/sys-ctl-alm-compose/templates/script.sh.j2
@@ -1,10 +1,11 @@
 #!/bin/bash
 err=0
 set -u
-{% for alarm_service in SYSTEMCTL_ALARM_COMPOSER_SUBSERVICES %}
-{% set alarm_service_full_name = alarm_service | get_service_name(SOFTWARE_NAME, '"$1".service') %}
-if ! /usr/bin/systemctl start {{ alarm_service_full_name }}; then
-  echo "ERROR: Failed to start {{ alarm_service_full_name }}" >&2
+{% for alarm in SYSTEMCTL_ALARM_COMPOSER_SUBSERVICES %}
+# sys-ctl-alm-email.infinito.nexus@<escaped>.service (no extra dot!)
+unit="{{ (alarm ~ '@') | get_service_name(SOFTWARE_NAME, False) }}$(systemd-escape "$1").service"
+if ! /usr/bin/systemctl start -- "$unit"; then
+  echo "ERROR: Failed to start $unit" >&2
  err=1
 fi
 {% endfor %}