feat(semaphore): rewrite role with rootful Podman Quadlet + PostgreSQL
Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.
Architecture:
- Rootful Podman Quadlet under /etc/containers/systemd/
- Separate PostgreSQL 16-alpine container on a user-defined
podman network (semaphore-net)
- Named volumes for both data stores (semaphore_data,
semaphore_postgres_data) so container recreation is
non-destructive
- Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
and postgres:16-alpine
- Post-deploy HTTP health check fails the playbook if Semaphore
doesn't respond on /api/ping within ~60s
Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.
Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
This commit is contained in:
@@ -1,28 +1,42 @@
|
||||
# {{ ansible_managed }}
|
||||
# mk-labs SemaphoreUI web service
|
||||
# Managed by Ansible - semaphore role
|
||||
|
||||
[Unit]
|
||||
Description=Semaphore UI
|
||||
After=network-online.target
|
||||
Description=SemaphoreUI
|
||||
After=network-online.target {{ semaphore_postgres_container_name }}.service
|
||||
Wants=network-online.target
|
||||
Requires={{ semaphore_postgres_container_name }}.service
|
||||
|
||||
[Container]
|
||||
Image={{ semaphore_image }}
|
||||
ContainerName={{ semaphore_container_name }}
|
||||
PublishPort={{ semaphore_port }}:3000
|
||||
Network={{ semaphore_network_name }}
|
||||
PublishPort={{ semaphore_listen_address }}:{{ semaphore_listen_port }}:3000
|
||||
|
||||
# Persistent runtime state (project repos, tmp playbooks, etc.)
|
||||
Volume={{ semaphore_data_volume }}:/var/lib/semaphore:Z
|
||||
Volume={{ semaphore_config_dir }}:/etc/semaphore:Z
|
||||
|
||||
# Database — points at the postgres container on the user-defined network
|
||||
Environment=SEMAPHORE_DB_DIALECT=postgres
|
||||
Environment=SEMAPHORE_DB_PATH=
|
||||
Environment=SEMAPHORE_DB_USER={{ semaphore_postgres_user }}
|
||||
Environment=SEMAPHORE_DB_PASS={{ vault_semaphore_database_password }}
|
||||
Environment=SEMAPHORE_DB_HOST={{ semaphore_postgres_container_name }}
|
||||
Environment=SEMAPHORE_DB_PORT=5432
|
||||
Environment=SEMAPHORE_DB_NAME={{ semaphore_postgres_db }}
|
||||
Environment=SEMAPHORE_ADMIN=admin
|
||||
Environment=SEMAPHORE_ADMIN_PASSWORD={{ vault_semaphore_admin_password }}
|
||||
Environment=SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ vault_semaphore_access_key_encryption }}
|
||||
Restart=always
|
||||
Environment=SEMAPHORE_DB={{ semaphore_db_name }}
|
||||
Environment=SEMAPHORE_DB_USER={{ semaphore_db_user }}
|
||||
Environment=SEMAPHORE_DB_PASS={{ semaphore_db_password }}
|
||||
|
||||
# Encryption for stored access keys (must be a 32-byte base64 string).
|
||||
Environment=SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ semaphore_access_key_encryption }}
|
||||
|
||||
# Public-facing URL used for OIDC redirects, webhooks, etc.
|
||||
Environment=SEMAPHORE_WEB_ROOT={{ semaphore_web_url }}
|
||||
|
||||
# Timezone matches host baseline
|
||||
Environment=TZ=America/Chicago
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
TimeoutStartSec=180
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
WantedBy=multi-user.target default.target
|
||||
|
||||
Reference in New Issue
Block a user