Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.
Architecture:
- Rootful Podman Quadlet under /etc/containers/systemd/
- Separate PostgreSQL 16-alpine container on a user-defined
podman network (semaphore-net)
- Named volumes for both data stores (semaphore_data,
semaphore_postgres_data) so container recreation is
non-destructive
- Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
and postgres:16-alpine
- Post-deploy HTTP health check fails the playbook if Semaphore
doesn't respond on /api/ping within ~60s
Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.
Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
43 lines
1.4 KiB
Django/Jinja
43 lines
1.4 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
# mk-labs SemaphoreUI web service
|
|
# Managed by Ansible - semaphore role
|
|
|
|
[Unit]
|
|
Description=SemaphoreUI
|
|
After=network-online.target {{ semaphore_postgres_container_name }}.service
|
|
Wants=network-online.target
|
|
Requires={{ semaphore_postgres_container_name }}.service
|
|
|
|
[Container]
|
|
Image={{ semaphore_image }}
|
|
ContainerName={{ semaphore_container_name }}
|
|
Network={{ semaphore_network_name }}
|
|
PublishPort={{ semaphore_listen_address }}:{{ semaphore_listen_port }}:3000
|
|
|
|
# Persistent runtime state (project repos, tmp playbooks, etc.)
|
|
Volume={{ semaphore_data_volume }}:/var/lib/semaphore:Z
|
|
|
|
# Database — points at the postgres container on the user-defined network
|
|
Environment=SEMAPHORE_DB_DIALECT=postgres
|
|
Environment=SEMAPHORE_DB_HOST={{ semaphore_postgres_container_name }}
|
|
Environment=SEMAPHORE_DB_PORT=5432
|
|
Environment=SEMAPHORE_DB={{ semaphore_db_name }}
|
|
Environment=SEMAPHORE_DB_USER={{ semaphore_db_user }}
|
|
Environment=SEMAPHORE_DB_PASS={{ semaphore_db_password }}
|
|
|
|
# Encryption for stored access keys (must be a 32-byte base64 string).
|
|
Environment=SEMAPHORE_ACCESS_KEY_ENCRYPTION={{ semaphore_access_key_encryption }}
|
|
|
|
# Public-facing URL used for OIDC redirects, webhooks, etc.
|
|
Environment=SEMAPHORE_WEB_ROOT={{ semaphore_web_url }}
|
|
|
|
# Timezone matches host baseline
|
|
Environment=TZ=America/Chicago
|
|
|
|
[Service]
|
|
Restart=always
|
|
TimeoutStartSec=180
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target default.target
|