feat(semaphore): rewrite role with rootful Podman Quadlet + PostgreSQL

Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.

Architecture:
  - Rootful Podman Quadlet under /etc/containers/systemd/
  - Separate PostgreSQL 16-alpine container on a user-defined
    podman network (semaphore-net)
  - Named volumes for both data stores (semaphore_data,
    semaphore_postgres_data) so container recreation is
    non-destructive
  - Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
    and postgres:16-alpine
  - Post-deploy HTTP health check fails the playbook if Semaphore
    doesn't respond on /api/ping within ~60s

Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.

Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
This commit is contained in:
Hermes Agent service account
2026-05-29 21:34:22 -05:00
parent 9153324795
commit 80f810fb0c
17 changed files with 460 additions and 337 deletions

View File

@@ -1,46 +1,72 @@
---
# Semaphore version (use a known good tag)
semaphore_version: "latest"
# ============================================================================
# semaphore role defaults
# ============================================================================
# Deploys SemaphoreUI (https://semaphoreui.com) as a rootful Podman service
# managed via Quadlet. Uses a separate PostgreSQL 16 container on the same
# user-defined network. Both services persist to named volumes.
#
# Admin user creation is intentionally NOT automated — the Semaphore CLI's
# `user add` command has been unreliable across versions. Operator creates
# the first admin manually after the first successful deployment; see README.
# ============================================================================
# Service account
semaphore_user: cast
semaphore_group: cast
# ---------------------------------------------------------------------------
# Image pinning
# ---------------------------------------------------------------------------
# The -ansible2.16.5 tag bundles Ansible 2.16.5 inside the Semaphore image,
# which matches the controller. Useful when Semaphore itself runs playbooks.
semaphore_image: "docker.io/semaphoreui/semaphore:v2.18.5-ansible2.16.5"
semaphore_postgres_image: "docker.io/library/postgres:16-alpine"
# Container settings
# ---------------------------------------------------------------------------
# Container & network identifiers
# ---------------------------------------------------------------------------
semaphore_container_name: semaphore
semaphore_image: "semaphoreui/semaphore:{{ semaphore_version }}"
semaphore_postgres_container_name: semaphore-postgres
semaphore_network_name: semaphore-net
# Paths
semaphore_data_dir: /var/lib/semaphore
semaphore_config_dir: /etc/semaphore
# Named podman volumes
semaphore_data_volume: semaphore_data
semaphore_postgres_volume: semaphore_postgres_data
# Port
semaphore_port: 3000
# ---------------------------------------------------------------------------
# Networking
# ---------------------------------------------------------------------------
# Port exposed on the VM. Traefik on lightning-lane terminates TLS and
# forwards to this port. Localhost-bind keeps the raw service off the LAN.
semaphore_listen_address: "0.0.0.0"
semaphore_listen_port: 3000
# Database
semaphore_db_type: bolt
semaphore_db_path: "{{ semaphore_data_dir }}/database.boltdb"
# Public URL (used by Semaphore for OIDC redirects, webhook URLs, etc.)
semaphore_web_url: "https://semaphore.local.mk-labs.cloud"
# Vault variables (defined in group_vars/all/vault)
# vault_semaphore_admin_password
# vault_semaphore_access_key_encryption
# Initial admin user (password should come from vault)
semaphore_admin_user: admin
semaphore_admin_name: Administrator
semaphore_admin_email: admin@local.mk-labs.cloud
# semaphore_admin_password: defined in vault
# ---------------------------------------------------------------------------
# PostgreSQL configuration
# ---------------------------------------------------------------------------
semaphore_db_user: semaphore
semaphore_db_name: semaphore
# semaphore_db_password sourced from vault below
# Set to true to force recreation of the admin user (deletes existing user first)
semaphore_force_admin_user: false
# ---------------------------------------------------------------------------
# Vault inputs (defined in group_vars/all/vault, encrypted with ansible-vault)
# ---------------------------------------------------------------------------
# vault_semaphore_database_password - postgres role password
# vault_semaphore_admin_password - initial admin password (used only
# during manual user-add step)
# vault_semaphore_access_key_encryption - 32-byte key for encrypting
# Semaphore-stored access keys
semaphore_db_password: "{{ vault_semaphore_database_password }}"
semaphore_admin_password: "{{ vault_semaphore_admin_password }}"
semaphore_access_key_encryption: "{{ vault_semaphore_access_key_encryption }}"
# PostgreSQL settings (when using postgres instead of bolt)
semaphore_use_postgres: true
semaphore_postgres_image: "postgres:16"
semaphore_postgres_container_name: "semaphore-postgres"
semaphore_postgres_volume: "semaphore_postgres_data"
semaphore_postgres_user: "semaphore"
semaphore_postgres_db: "semaphore"
# vault_semaphore_database_password: defined in vault
# ---------------------------------------------------------------------------
# Health check
# ---------------------------------------------------------------------------
semaphore_health_check_retries: 30
semaphore_health_check_delay: 2
# Named volumes
semaphore_data_volume: "semaphore_data"
# ---------------------------------------------------------------------------
# Quadlet location (rootful)
# ---------------------------------------------------------------------------
semaphore_quadlet_dir: /etc/containers/systemd