refactor: improve service handling and introduce MODE_ASSERT

- Improved get_service_name filter plugin (clearer suffix handling, consistent var names). - Added MODE_ASSERT flag to optionally execute validation/assertion tasks. - Fixed systemd unit handling: consistent use of %I instead of %i, correct escaping of instance names. - Unified on_failure behavior and alarm composer scripts. - Cleaned up redundant logging, handlers, and debug config. - Strengthened sys-service template resolution with assert (only active when MODE_ASSERT). - Simplified timer and suffix handling with get_service_name filter. - Hardened sensitive tasks with no_log. - Added conditional asserts across roles (Keycloak, DNS, Mailu, Discourse, etc.). These changes improve consistency, safety, and validation across the automation stack. Conversation: https://chatgpt.com/share/68a4ae28-483c-800f-b2f7-f64c7124c274
2025-08-29 15:06:26 +02:00 · 2025-08-19 19:02:52 +02:00
parent 6e538eabc8
commit a10dd402b8
30 changed files with 82 additions and 55 deletions
--- a/roles/sys-service/tasks/05_service.yml
+++ b/roles/sys-service/tasks/05_service.yml
@@ -1,4 +1,3 @@
-# 1) Find the template (prefer target role, then fall back to this role)
 - name: Resolve systemctl template source
  set_fact:
    system_service_template_src: >-
@@ -17,31 +16,29 @@
           errors='strict'
         ) }}

-# Optional: sanity check with a clear error if truly nothing found
 - name: Ensure a systemctl template was found
  assert:
    that: system_service_template_src | length > 0
    fail_msg: >-
      Could not resolve any systemctl template. Looked in:
      {{ system_service_role_dir }}/templates/ and {{ role_path }}/templates/.
+  when: MODE_ASSERT | bool

-# 2) Now we may safely derive whether it’s the “@” variant
 - name: Flag whether @-template is used
  set_fact:
-    system_service_uses_at: "{{ (system_service_template_src | basename) is search('@\\.service\\.j2$') }}"
+    system_service_uses_at: "{{ system_service_id.endswith('@') }}"

-# 3) Use it
 - name: "setup systemctl '{{ system_service_id }}'"
  template:
    src:  "{{ system_service_template_src }}"
    dest: "{{ [ PATH_SYSTEM_SERVICE_DIR, system_service_id | get_service_name(SOFTWARE_NAME) ] | path_join }}"
  notify: "{{ 'reload system daemon' if system_service_uses_at else 'refresh systemctl service' }}"

- name:   refresh systemctl service when SYS_SERVICE_ALL_ENABLED
-  command: /bin/true
-  notify:
-    - reload system daemon
-    - refresh systemctl service
-  when: 
-    - SYS_SERVICE_ALL_ENABLED | bool
-    - not system_service_uses_at
+- name: refresh systemctl service when SYS_SERVICE_ALL_ENABLE
+  block:
+  - command: /bin/true
+    notify: reload system daemon
+  - command: /bin/true
+    notify: refresh systemctl service
+    when: not system_service_uses_at
+  when: SYS_SERVICE_ALL_ENABLED | bool