feat(semaphore): rewrite role with rootful Podman Quadlet + PostgreSQL

Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.

Architecture:
  - Rootful Podman Quadlet under /etc/containers/systemd/
  - Separate PostgreSQL 16-alpine container on a user-defined
    podman network (semaphore-net)
  - Named volumes for both data stores (semaphore_data,
    semaphore_postgres_data) so container recreation is
    non-destructive
  - Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
    and postgres:16-alpine
  - Post-deploy HTTP health check fails the playbook if Semaphore
    doesn't respond on /api/ping within ~60s

Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.

Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
This commit is contained in:
Hermes Agent service account
2026-05-29 21:34:22 -05:00
parent 9153324795
commit 80f810fb0c
17 changed files with 460 additions and 337 deletions

View File

@@ -1,28 +1,42 @@
# {{ ansible_managed }}
# mk-labs SemaphoreUI web service
# Managed by Ansible - semaphore role
[Unit]
Description=Semaphore UI
After=network-online.target
Description=SemaphoreUI
After=network-online.target {{ semaphore_postgres_container_name }}.service
Wants=network-online.target
Requires={{ semaphore_postgres_container_name }}.service
[Container]
Image={{ semaphore_image }}
ContainerName={{ semaphore_container_name }}
PublishPort={{ semaphore_port }}:3000
Network={{ semaphore_network_name }}
PublishPort={{ semaphore_listen_address }}:{{ semaphore_listen_port }}:3000
# Persistent runtime state (project repos, tmp playbooks, etc.)
Volume={{ semaphore_data_volume }}:/var/lib/semaphore:Z
Volume={{ semaphore_config_dir }}:/etc/semaphore:Z
# Database — points at the postgres container on the user-defined network
Environment=SEMAPHORE_DB_DIALECT=postgres
Environment=SEMAPHORE_DB_PATH=
Environment=SEMAPHORE_DB_USER={{ semaphore_postgres_user }}
Environment=SEMAPHORE_DB_PASS={{ vault_semaphore_database_password }}
Environment=SEMAPHORE_DB_HOST={{ semaphore_postgres_container_name }}
Environment=SEMAPHORE_DB_PORT=5432
Environment=SEMAPHORE_DB_NAME={{ semaphore_postgres_db }}
Environment=SEMAPHORE_ADMIN=admin
Environment=SEMAPHORE_ADMIN_PASSWORD={{ vault_semaphore_admin_password }}
Environment=SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ vault_semaphore_access_key_encryption }}
Restart=always
Environment=SEMAPHORE_DB={{ semaphore_db_name }}
Environment=SEMAPHORE_DB_USER={{ semaphore_db_user }}
Environment=SEMAPHORE_DB_PASS={{ semaphore_db_password }}
# Encryption for stored access keys (must be a 32-byte base64 string).
Environment=SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ semaphore_access_key_encryption }}
# Public-facing URL used for OIDC redirects, webhooks, etc.
Environment=SEMAPHORE_WEB_ROOT={{ semaphore_web_url }}
# Timezone matches host baseline
Environment=TZ=America/Chicago
[Service]
Restart=always
TimeoutStartSec=180
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target default.target