From aae69ea15b51c832b809850331ea1b0caa73eb39 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Fri, 8 Aug 2025 17:25:31 +0200 Subject: [PATCH] Ensure that keycloak is up --- group_vars/all/00_general.yml | 9 +++++---- roles/cmp-db-docker/tasks/main.yml | 2 +- roles/cmp-db-docker/vars/main.yml | 3 +-- .../templates/services/mariadb.yml.j2 | 2 +- .../templates/services/postgres.yml.j2 | 2 +- roles/docker-compose/tasks/helpers/ensure.yml | 5 +++++ roles/docker-compose/tasks/helpers/none.yml | 1 + roles/docker-compose/tasks/main.yml | 2 +- roles/docker-container/templates/base.yml.j2 | 2 +- roles/svc-db-mariadb/tasks/main.yml | 2 +- roles/svc-db-postgres/tasks/main.yml | 3 +++ roles/svc-db-redis/README.md | 2 +- roles/svc-db-redis/templates/service.yml.j2 | 2 +- .../templates/docker-compose.yml.j2 | 4 ++-- .../templates/docker-compose.yml.j2 | 2 +- roles/web-app-keycloak/tasks/01_import.yml | 19 +++++++++++++++++++ roles/web-app-keycloak/tasks/main.yml | 19 ++++--------------- roles/web-app-keycloak/vars/main.yml | 3 +-- .../templates/docker-compose.yml.j2 | 2 +- .../templates/docker-compose.yml.j2 | 8 ++++---- .../templates/docker-compose.yml.j2 | 4 ++-- .../templates/docker-compose.yml.j2 | 4 ++-- .../templates/container.yml.j2 | 2 +- roles/web-app-port-ui/tasks/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 2 +- roles/web-svc-cdn/tasks/main.yml | 5 ++++- tasks/utils/run_once.yml | 8 ++++++++ 27 files changed, 74 insertions(+), 47 deletions(-) create mode 100644 roles/docker-compose/tasks/helpers/ensure.yml create mode 100644 roles/docker-compose/tasks/helpers/none.yml create mode 100644 roles/web-app-keycloak/tasks/01_import.yml diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index 79162992..5e51d13b 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml 
@@ -50,16 +50,17 @@ certbot_dns_propagation_wait_seconds: 300 # How long sho certbot_flavor: san # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated # Path where Certbot stores challenge webroot files -letsencrypt_webroot_path: "/var/lib/letsencrypt/" +letsencrypt_webroot_path: "/var/lib/letsencrypt/" # Base directory containing Certbot configuration, account data, and archives -letsencrypt_base_path: "/etc/letsencrypt/" +letsencrypt_base_path: "/etc/letsencrypt/" # Symlink directory for the current active certificate and private key -letsencrypt_live_path: "{{ letsencrypt_base_path }}live/" +letsencrypt_live_path: "{{ letsencrypt_base_path }}live/" ## Docker Role Specific Parameters -docker_restart_policy: "unless-stopped" +DOCKER_RESTART_POLICY: "unless-stopped" +DOCKER_VARS_FILE: "{{ playbook_dir }}/roles/docker-compose/vars/docker-compose.yml" # default value if not set via CLI (-e) or in playbook vars allowed_applications: [] diff --git a/roles/cmp-db-docker/tasks/main.yml b/roles/cmp-db-docker/tasks/main.yml index 324e15be..f8022673 100644 --- a/roles/cmp-db-docker/tasks/main.yml +++ b/roles/cmp-db-docker/tasks/main.yml @@ -7,7 +7,7 @@ - name: "For '{{ application_id }}': Load database variables" include_vars: "{{ item }}" loop: - - "{{ cmp_db_docker_vars_file_docker }}" # Important to load docker variables first so that database can use them + - "{{ DOCKER_VARS_FILE }}" # Important to load docker variables first so that database can use them - "{{ cmp_db_docker_vars_file_db }}" # Important to load them before docker role so that backup can use them - name: "For '{{ application_id }}': Load cmp-docker-oauth2" diff --git a/roles/cmp-db-docker/vars/main.yml b/roles/cmp-db-docker/vars/main.yml index 6a8a6f7c..c4bd6db2 100644 --- a/roles/cmp-db-docker/vars/main.yml +++ b/roles/cmp-db-docker/vars/main.yml 
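Review bot: Renaming `docker_restart_policy` to `DOCKER_RESTART_POLICY` drops the old name entirely, so any template or task outside this patch that still reads `docker_restart_policy` will fail at render time with an undefined variable (or, with a lenient Jinja setting, silently emit an empty `restart:`); the diffstat shows about twenty call sites updated, which suggests a tree-wide grep is worth doing before merge. A one-release compatibility alias would make the rename safe: `docker_restart_policy: "{{ DOCKER_RESTART_POLICY }}"  # deprecated alias, remove after all roles use DOCKER_RESTART_POLICY`. The new `DOCKER_VARS_FILE` is the only entry in this stanza without the explanatory comment its neighbours carry; something like `# Vars file of the docker-compose role, loaded early so database/app roles can use docker_compose.*` (cf. the comment in roles/cmp-db-docker/tasks/main.yml) would document why it is global.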
@@ -1,2 +1 @@ -cmp_db_docker_vars_file_db: "{{ playbook_dir }}/roles/cmp-rdbms/vars/database.yml" -cmp_db_docker_vars_file_docker: "{{ playbook_dir }}/roles/docker-compose/vars/docker-compose.yml" \ No newline at end of file +cmp_db_docker_vars_file_db: "{{ playbook_dir }}/roles/cmp-rdbms/vars/database.yml" \ No newline at end of file diff --git a/roles/cmp-rdbms/templates/services/mariadb.yml.j2 b/roles/cmp-rdbms/templates/services/mariadb.yml.j2 index 0faddb93..525c98df 100644 --- a/roles/cmp-rdbms/templates/services/mariadb.yml.j2 +++ b/roles/cmp-rdbms/templates/services/mariadb.yml.j2 @@ -6,7 +6,7 @@ logging: driver: journald image: mariadb - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} env_file: - {{database_env}} command: "--transaction-isolation=READ-COMMITTED --binlog-format=ROW" diff --git a/roles/cmp-rdbms/templates/services/postgres.yml.j2 b/roles/cmp-rdbms/templates/services/postgres.yml.j2 index 3b6d8d39..26787c9c 100644 --- a/roles/cmp-rdbms/templates/services/postgres.yml.j2 +++ b/roles/cmp-rdbms/templates/services/postgres.yml.j2 @@ -6,7 +6,7 @@ container_name: {{ application_id | get_entity_name }}-database env_file: - {{database_env}} - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} healthcheck: test: ["CMD-SHELL", "pg_isready -U {{database_name}}"] interval: 10s diff --git a/roles/docker-compose/tasks/helpers/ensure.yml b/roles/docker-compose/tasks/helpers/ensure.yml new file mode 100644 index 00000000..5d3989a6 --- /dev/null +++ b/roles/docker-compose/tasks/helpers/ensure.yml @@ -0,0 +1,5 @@ +- name: "Load handlers without when condition. to guaranty that they are executed" + import_role: + name: docker-compose + tasks_from: helpers/none + handlers_from: main \ No newline at end of file diff --git a/roles/docker-compose/tasks/helpers/none.yml b/roles/docker-compose/tasks/helpers/none.yml new file mode 100644 index 00000000..97576e1e --- /dev/null 
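Review bot: `helpers/ensure.yml` only re-imports the docker-compose handlers via `import_role … handlers_from: main`; it neither notifies nor flushes them, so on its own it does not bring anything up, and the callers' task name `Ensure that … is up` promises more than the helper delivers. If the intent is that handlers already notified by the calling role get a condition-free registration and are flushed later by the compose role or a `meta: flush_handlers`, state that at the top of the file, e.g. `# Re-registers the docker-compose handlers free of any inherited when-condition; the caller must still notify and flush them`. Also fix the task name (`guaranty` → `guarantee`, stray `.` before `to`) and end the new file with a newline.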
+++ b/roles/docker-compose/tasks/helpers/none.yml @@ -0,0 +1 @@ +# Dummy file for handler import \ No newline at end of file diff --git a/roles/docker-compose/tasks/main.yml b/roles/docker-compose/tasks/main.yml index 80c12a39..bc691578 100644 --- a/roles/docker-compose/tasks/main.yml +++ b/roles/docker-compose/tasks/main.yml @@ -16,7 +16,7 @@ mode: '0755' with_dict: "{{ docker_compose.directories }}" -- name: "Include routines to set up a git repository based installaion for '{{application_id}}'." +- name: "Include routines to set up a git repository based installation for '{{application_id}}'." include_tasks: "02_repository.yml" when: docker_pull_git_repository | bool diff --git a/roles/docker-container/templates/base.yml.j2 b/roles/docker-container/templates/base.yml.j2 index ce44783f..f963ee43 100644 --- a/roles/docker-container/templates/base.yml.j2 +++ b/roles/docker-container/templates/base.yml.j2 @@ -1,6 +1,6 @@ {# Base for docker services #} - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} {% if application_id | has_env %} env_file: - "{{docker_compose.files.env}}" diff --git a/roles/svc-db-mariadb/tasks/main.yml b/roles/svc-db-mariadb/tasks/main.yml index 12414f5b..802186ba 100644 --- a/roles/svc-db-mariadb/tasks/main.yml +++ b/roles/svc-db-mariadb/tasks/main.yml @@ -21,7 +21,7 @@ published_ports: - "127.0.0.1:{{ mariadb_port }}:3306" # can be that this will be removed if all applications use sockets command: "--transaction-isolation=READ-COMMITTED --binlog-format=ROW" #for nextcloud - restart_policy: "{{ docker_restart_policy }}" + restart_policy: "{{ DOCKER_RESTART_POLICY }}" healthcheck: test: "/usr/bin/mariadb --user=root --password={{ mariadb_root_pwd }} --execute \"SHOW DATABASES;\"" interval: 10s diff --git a/roles/svc-db-postgres/tasks/main.yml b/roles/svc-db-postgres/tasks/main.yml index cbca9841..4348a294 100644 --- a/roles/svc-db-postgres/tasks/main.yml +++ b/roles/svc-db-postgres/tasks/main.yml 
@@ -25,6 +25,9 @@ - include_tasks: utils/run_once.yml when: run_once_svc_db_postgres is not defined +- name: "Ensure that {{ docker_compose.directories.instance }} is up" + include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/helpers/ensure.yml" + - name: "Initialize database for '{{ database_name }}'" include_tasks: init.yml when: "{{ postgres_init }}" \ No newline at end of file diff --git a/roles/svc-db-redis/README.md b/roles/svc-db-redis/README.md index d77ffa93..0e03c481 100644 --- a/roles/svc-db-redis/README.md +++ b/roles/svc-db-redis/README.md @@ -25,7 +25,7 @@ Include this snippet in your top-level `docker-compose.yml.j2` where you want Re Sets container name (`{{ application_id }}-redis`). - **Restart policy** - Controlled by `docker_restart_policy`. + Controlled by `DOCKER_RESTART_POLICY`. - **Journald logging** Ensures logs are captured by systemd’s journal. diff --git a/roles/svc-db-redis/templates/service.yml.j2 b/roles/svc-db-redis/templates/service.yml.j2 index cf1857b2..e476521a 100644 --- a/roles/svc-db-redis/templates/service.yml.j2 +++ b/roles/svc-db-redis/templates/service.yml.j2 @@ -4,7 +4,7 @@ redis: image: "{{ redis_image }}:{{ redis_version }}" container_name: {{ application_id | get_entity_name }}-redis - restart: {{ docker_restart_policy }} + restart: {{ DOCKER_RESTART_POLICY }} logging: driver: journald volumes: diff --git a/roles/web-app-espocrm/templates/docker-compose.yml.j2 b/roles/web-app-espocrm/templates/docker-compose.yml.j2 index 5559c8a6..985ac323 100644 --- a/roles/web-app-espocrm/templates/docker-compose.yml.j2 +++ b/roles/web-app-espocrm/templates/docker-compose.yml.j2 @@ -13,7 +13,7 @@ daemon: image: "{{ espocrm_image }}:{{ espocrm_version }}" - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} logging: driver: journald entrypoint: docker-daemon.sh 
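Review bot: The new `Ensure … is up` task includes the helper by the absolute path `{{ playbook_dir }}/roles/docker-compose/tasks/helpers/ensure.yml`, which bypasses Ansible's role resolution and breaks as soon as roles are served from a different `roles_path`; the patch's own `ensure.yml` already shows the portable form, so `include_role: { name: docker-compose, tasks_from: helpers/ensure }` would do here. The same applies to the identical task added in `roles/web-svc-cdn/tasks/main.yml` and to the `04_ensure_up.yml` include in `tasks/utils/run_once.yml`. The task also sits after the `run_once` guard but is itself unguarded, so it runs on every inclusion of the role — if that is intended, a one-line comment saying so would spare the next reader the question.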
@@ -23,7 +23,7 @@ websocket: image: "{{ espocrm_image }}:{{ espocrm_version }}" - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} logging: driver: journald environment: diff --git a/roles/web-app-jenkins/templates/docker-compose.yml.j2 b/roles/web-app-jenkins/templates/docker-compose.yml.j2 index a2751b36..6b3aae78 100644 --- a/roles/web-app-jenkins/templates/docker-compose.yml.j2 +++ b/roles/web-app-jenkins/templates/docker-compose.yml.j2 @@ -1,7 +1,7 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: image: jenkins/jenkins:lts - restart: "{{docker_restart_policy}}" + restart: "{{DOCKER_RESTART_POLICY}}" ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:8080" volumes: diff --git a/roles/web-app-keycloak/tasks/01_import.yml b/roles/web-app-keycloak/tasks/01_import.yml new file mode 100644 index 00000000..5f20c3f6 --- /dev/null +++ b/roles/web-app-keycloak/tasks/01_import.yml @@ -0,0 +1,19 @@ +- name: "load variables from {{ DOCKER_VARS_FILE }}" + include_vars: "{{ DOCKER_VARS_FILE }}" + +- name: Set the directory to which keycloack import files will be copied on host + set_fact: + keycloak_host_import_directory: "{{ docker_compose.directories.volumes }}import/" + +- name: "create directory {{keycloak_host_import_directory}}" + file: + path: "{{keycloak_host_import_directory}}" + state: directory + mode: 0755 + +- name: "Copy import files to {{ keycloak_host_import_directory }}" + template: + src: "{{ item }}" + dest: "{{ keycloak_host_import_directory }}/{{ item | basename | regex_replace('\\.j2$', '') }}" + mode: '770' + loop: "{{ lookup('fileglob', '{{ role_path }}/templates/import/*.j2', wantlist=True) }}" \ No newline at end of file diff --git a/roles/web-app-keycloak/tasks/main.yml b/roles/web-app-keycloak/tasks/main.yml index 17d1ccc5..ae44b53b 100644 --- a/roles/web-app-keycloak/tasks/main.yml +++ b/roles/web-app-keycloak/tasks/main.yml 
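Review bot: The `Copy import files` task in the new `01_import.yml` no longer carries the `notify: docker compose up` that the task it replaces in `tasks/main.yml` had, so on a later run where only a realm template changes nothing restarts the container, and a start-time realm import would not pick the change up unless the compose role restarts unconditionally — if relying on `docker_compose_flush_handlers: true` is the intended design, document it on the task: `# No notify here: the docker-compose role flushes handlers after this file has run; a changed import file alone does not restart keycloak`. Two smaller points: `keycloak_host_import_directory` already ends in `/`, so `dest` renders a double slash — `dest: "{{ keycloak_host_import_directory }}{{ item | basename | regex_replace('\\.j2$', '') }}"`; and `mode: 0755` is an unquoted octal that depends on YAML 1.1 parsing, so write `mode: '0755'` as the sibling task already does with its quoted mode.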
@@ -1,22 +1,11 @@ --- +- name: "create import files for {{application_id}}" + include_tasks: 01_import.yml + - name: "load docker, db and proxy for {{application_id}}" include_role: name: cmp-db-docker-proxy -- name: "create directory {{keycloak_host_import_directory}}" - file: - path: "{{keycloak_host_import_directory}}" - state: directory - mode: 0755 - -- name: "Copy import files to {{ keycloak_host_import_directory }}" - template: - src: "{{ item }}" - dest: "{{ keycloak_host_import_directory }}/{{ item | basename | regex_replace('\\.j2$', '') }}" - mode: '770' - loop: "{{ lookup('fileglob', '{{ role_path }}/templates/import/*.j2', wantlist=True) }}" - notify: docker compose up - # Deactivated temporary. Import now via realm.yml #- name: Implement SSH Public Key Attribut -# include_tasks: attributes/ssh_public_key.yml \ No newline at end of file +# include_tasks: attributes/ssh_public_key.yml diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml index f2ae978f..36220777 100644 --- a/roles/web-app-keycloak/vars/main.yml +++ b/roles/web-app-keycloak/vars/main.yml @@ -4,7 +4,6 @@ database_type: "postgres" # Keycloak Specific keycloak_container: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name', True) }}" # Name of the keycloack docker container -keycloak_host_import_directory: "{{ docker_compose.directories.volumes }}import/" # Directory in which keycloack import files are placed on the host keycloak_docker_import_directory: "/opt/keycloak/data/import/" # Directory in which keycloack import files are placed in the running docker container keycloak_realm: "{{ primary_domain}}" # This is the name of the default realm which is used by the applications keycloak_administrator: "{{ applications | get_app_conf(application_id, 'users.administrator', True) }}" # Master Administrator 
@@ -20,4 +19,4 @@ keycloak_import_realm: "{{ applications | get_app_conf(application_id keycloak_debug_enabled: "{{ enable_debug }}" # Docker -docker_compose_flush_handlers: false # Copy realm import etc. before flush \ No newline at end of file +docker_compose_flush_handlers: true # Remember to copy realm import before flushg when set to true \ No newline at end of file diff --git a/roles/web-app-mailu/templates/docker-compose.yml.j2 b/roles/web-app-mailu/templates/docker-compose.yml.j2 index 6fa96246..402f3da3 100644 --- a/roles/web-app-mailu/templates/docker-compose.yml.j2 +++ b/roles/web-app-mailu/templates/docker-compose.yml.j2 @@ -82,7 +82,7 @@ container_name: {{mailu_name}}_oletools image: {{docker_source}}/oletools:{{ mailu_version }} hostname: oletools - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} depends_on: - resolver dns: diff --git a/roles/web-app-matrix/templates/docker-compose.yml.j2 b/roles/web-app-matrix/templates/docker-compose.yml.j2 index 9a3d268f..f6cdea72 100644 --- a/roles/web-app-matrix/templates/docker-compose.yml.j2 +++ b/roles/web-app-matrix/templates/docker-compose.yml.j2 @@ -3,7 +3,7 @@ {% set container_port = 8008 %} image: "{{ matrix_synapse_image }}:{{ matrix_synapse_version }}" container_name: {{ matrix_synapse_name }} - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} logging: driver: journald volumes: @@ -32,7 +32,7 @@ {% set container_port = 80 %} image: "{{ matrix_element_image }}:{{ matrix_element_version }}" container_name: {{ matrix_element_name }} - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} volumes: - ./element-config.json:/app/config.json ports: @@ -44,7 +44,7 @@ mautrix-{{item.bridge_name}}: container_name: matrix-{{item.bridge_name}} image: dock.mau.dev/mautrix/{{ item.bridge_name }}:latest - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} volumes: - ./mautrix/{{item.bridge_name}}:/data healthcheck: 
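Review bot: The trailing comment on `docker_compose_flush_handlers: true` has a typo (`flushg`) and is now the only place that records the ordering constraint this patch introduces, so it should say what actually depends on it: `docker_compose_flush_handlers: true  # Handlers are flushed inside the docker-compose role; 01_import.yml must have copied the realm import files before that happens`. The file also still ends without a newline.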
@@ -56,7 +56,7 @@ {% endfor %} {% if applications | get_app_conf(application_id, 'plugins.chatgpt', True) | bool %} matrix-chatgpt-bot: - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} container_name: matrix-chatgpt image: ghcr.io/matrixgpt/matrix-chatgpt-bot:latest volumes: diff --git a/roles/web-app-mybb/templates/docker-compose.yml.j2 b/roles/web-app-mybb/templates/docker-compose.yml.j2 index e96c8ef3..cdad81b8 100644 --- a/roles/web-app-mybb/templates/docker-compose.yml.j2 +++ b/roles/web-app-mybb/templates/docker-compose.yml.j2 @@ -6,7 +6,7 @@ tag: "mybb_application" image: {{ mybb_image }}:{{ mybb_version }} container_name: {{ mybb_name }} - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} volumes: - data:/var/www/html {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %} @@ -18,7 +18,7 @@ options: tag: "mybb_server" image: nginx:mainline - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:80" volumes: diff --git a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 b/roles/web-app-nextcloud/templates/docker-compose.yml.j2 index 2f93734c..0bb743c3 100644 --- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 +++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2 @@ -37,7 +37,7 @@ container_name: "{{ nextcloud_proxy_name }}" logging: driver: journald - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}" volumes: @@ -53,7 +53,7 @@ cron: container_name: "{{ nextcloud_cron_name }}" image: "{{ nextcloud_image }}:{{ nextcloud_version }}" - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} logging: driver: journald volumes: 
diff --git a/roles/web-app-oauth2-proxy/templates/container.yml.j2 b/roles/web-app-oauth2-proxy/templates/container.yml.j2 index 907c8475..a133308a 100644 --- a/roles/web-app-oauth2-proxy/templates/container.yml.j2 +++ b/roles/web-app-oauth2-proxy/templates/container.yml.j2 @@ -1,7 +1,7 @@ {% if applications | get_app_conf(application_id, 'features.oauth2', False) %} oauth2-proxy: image: quay.io/oauth2-proxy/oauth2-proxy:{{applications['web-app-oauth2-proxy'].version}} - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} command: --config /oauth2-proxy.cfg hostname: oauth2-proxy ports: diff --git a/roles/web-app-port-ui/tasks/main.yml b/roles/web-app-port-ui/tasks/main.yml index 7b1b0057..661c91f7 100644 --- a/roles/web-app-port-ui/tasks/main.yml +++ b/roles/web-app-port-ui/tasks/main.yml @@ -62,4 +62,4 @@ notify: docker compose up - include_tasks: utils/run_once.yml - when: run_once_web_app_port_ui is not defined \ No newline at end of file + when: run_once_web_app_port_ui is not defined diff --git a/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 b/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 index b5ad77e1..f143683e 100644 --- a/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 +++ b/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 @@ -5,6 +5,6 @@ context: . ports: - 127.0.0.1:{{ports.localhost.http[application_id]}}:8080 - restart: {{docker_restart_policy}} + restart: {{DOCKER_RESTART_POLICY}} {% include 'roles/docker-compose/templates/networks.yml.j2' %} \ No newline at end of file diff --git a/roles/web-svc-cdn/tasks/main.yml b/roles/web-svc-cdn/tasks/main.yml index 76a09ecc..f24343ca 100644 --- a/roles/web-svc-cdn/tasks/main.yml +++ b/roles/web-svc-cdn/tasks/main.yml 
@@ -17,4 +17,7 @@ - name: run the web svc cdn tasks once set_fact: run_once_web_svc_cdn: true - when: run_once_web_svc_cdn is not defined \ No newline at end of file + when: run_once_web_svc_cdn is not defined + +- name: "Ensure that {{ docker_compose.directories.instance }} is up" + include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/helpers/ensure.yml" \ No newline at end of file diff --git a/tasks/utils/run_once.yml b/tasks/utils/run_once.yml index af8442a2..c7bcbfe5 100644 --- a/tasks/utils/run_once.yml +++ b/tasks/utils/run_once.yml @@ -1,6 +1,14 @@ --- # This is necessary to flush the handlers before the when is set, because otherwise the when will be attached to the handlers +- name: "Ensure that {{ docker_compose.directories.instance }} is up" + # This is a little hack to guaranty that the docker containers are allways up + # It isn't the cleanest solution to have it here but it should fullfill their purpose + include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/04_ensure_up.yml" + when: + - docker_compose is defined + - (application_id | get_entity_name) == (docker_compose.directories.instance | basename) + - meta: flush_handlers - name: Set “run-once” fact for role {{ role_name }}