fix(semaphore): provide SEMAPHORE_ADMIN_* env vars for non-interactive first boot

The v2.18 image's entrypoint runs the setup wizard on first boot. Without
the SEMAPHORE_ADMIN_* variables it prompts on stdin, fails with 'Username
cannot be empty', and the container exits — leading to a crash loop.

Set:
  SEMAPHORE_ADMIN=admin
  SEMAPHORE_ADMIN_NAME=Administrator
  SEMAPHORE_ADMIN_EMAIL=admin@local.mk-labs.cloud
  SEMAPHORE_ADMIN_PASSWORD={{ vault_semaphore_admin_password }}
  SEMAPHORE_PLAYBOOK_PATH=/var/lib/semaphore/playbooks

The env-var bootstrap path is stable in v2.x; only the legacy
'semaphore user add' CLI invocation was unreliable. Drop the manual
user-add step from the README.
This commit is contained in:
Hermes Agent service account
2026-05-29 21:38:44 -05:00
parent 80f810fb0c
commit d05cfcf317
3 changed files with 24 additions and 18 deletions

View File

@@ -62,21 +62,21 @@ Or via the dedicated playbook:
ansible-playbook -i inventory.yml playbooks/day1_deploy_semaphore.yml ansible-playbook -i inventory.yml playbooks/day1_deploy_semaphore.yml
``` ```
## First-run admin user creation (manual) ## First-run admin user
Semaphore's CLI `user add` is intentionally invoked once, by hand, after The container provisions the initial admin user from the
the first deployment succeeds: `SEMAPHORE_ADMIN_*` environment variables on first boot. Credentials:
```bash | Field | Value |
sudo podman exec -it semaphore semaphore user add --admin \ |----------|------------------------------------------------|
--login admin \ | Login | `admin` |
--name "Administrator" \ | Name | `Administrator` |
--email admin@local.mk-labs.cloud \ | Email | `admin@local.mk-labs.cloud` |
--password '<vault_semaphore_admin_password>' | Password | `vault_semaphore_admin_password` (in vault) |
```
Subsequent password rotations should also be done via the CLI, not by The admin env vars are only consulted on first boot when no admin
re-running this role. exists in the database. Subsequent password rotations should be done
through the web UI, not by re-running this role.
## Pinned versions ## Pinned versions

View File

@@ -22,9 +22,5 @@
msg: >- msg: >-
Semaphore is reachable on http://127.0.0.1:{{ semaphore_listen_port }}. Semaphore is reachable on http://127.0.0.1:{{ semaphore_listen_port }}.
Public URL: {{ semaphore_web_url }}. Public URL: {{ semaphore_web_url }}.
If this is the first deployment, create the admin user with: Admin user 'admin' is provisioned automatically on first boot using
sudo podman exec -it {{ semaphore_container_name }} \ vault_semaphore_admin_password.
semaphore user add --admin \
--login admin --name Administrator \
--email admin@local.mk-labs.cloud \
--password '<see vault_semaphore_admin_password>'

View File

@@ -25,6 +25,16 @@ Environment=SEMAPHORE_DB={{ semaphore_db_name }}
Environment=SEMAPHORE_DB_USER={{ semaphore_db_user }} Environment=SEMAPHORE_DB_USER={{ semaphore_db_user }}
Environment=SEMAPHORE_DB_PASS={{ semaphore_db_password }} Environment=SEMAPHORE_DB_PASS={{ semaphore_db_password }}
# First-boot admin user (used only during initial setup; subsequent
# password changes go through the web UI).
Environment=SEMAPHORE_ADMIN=admin
Environment=SEMAPHORE_ADMIN_PASSWORD={{ semaphore_admin_password }}
Environment=SEMAPHORE_ADMIN_NAME=Administrator
Environment=SEMAPHORE_ADMIN_EMAIL=admin@local.mk-labs.cloud
# Playbook scratch directory inside the container
Environment=SEMAPHORE_PLAYBOOK_PATH=/var/lib/semaphore/playbooks
# Encryption for stored access keys (must be a 32-byte base64 string). # Encryption for stored access keys (must be a 32-byte base64 string).
Environment=SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ semaphore_access_key_encryption }} Environment=SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ semaphore_access_key_encryption }}