Files
homelab/ansible/roles/semaphore/defaults/main.yml
Hermes Agent service account 80f810fb0c feat(semaphore): rewrite role with rootful Podman Quadlet + PostgreSQL
Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.

Architecture:
  - Rootful Podman Quadlet under /etc/containers/systemd/
  - Separate PostgreSQL 16-alpine container on a user-defined
    podman network (semaphore-net)
  - Named volumes for both data stores (semaphore_data,
    semaphore_postgres_data) so container recreation is
    non-destructive
  - Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
    and postgres:16-alpine
  - Post-deploy HTTP health check fails the playbook if Semaphore
    doesn't respond on /api/ping within ~60s

Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.

Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
2026-05-29 21:34:22 -05:00

73 lines
3.6 KiB
YAML

---
# ============================================================================
# semaphore role defaults
# ============================================================================
# Deploys SemaphoreUI (https://semaphoreui.com) as a rootful Podman service
# managed via Quadlet. Uses a separate PostgreSQL 16 container on the same
# user-defined network. Both services persist to named volumes.
#
# Admin user creation is intentionally NOT automated — the Semaphore CLI's
# `user add` command has been unreliable across versions. Operator creates
# the first admin manually after the first successful deployment; see README.
# ============================================================================
# ---------------------------------------------------------------------------
# Image pinning
# ---------------------------------------------------------------------------
# The -ansible2.16.5 tag bundles Ansible 2.16.5 inside the Semaphore image,
# which matches the controller. Useful when Semaphore itself runs playbooks.
semaphore_image: "docker.io/semaphoreui/semaphore:v2.18.5-ansible2.16.5"
semaphore_postgres_image: "docker.io/library/postgres:16-alpine"
# ---------------------------------------------------------------------------
# Container & network identifiers
# ---------------------------------------------------------------------------
semaphore_container_name: semaphore
semaphore_postgres_container_name: semaphore-postgres
semaphore_network_name: semaphore-net
# Named podman volumes
semaphore_data_volume: semaphore_data
semaphore_postgres_volume: semaphore_postgres_data
# ---------------------------------------------------------------------------
# Networking
# ---------------------------------------------------------------------------
# Port exposed on the VM. Traefik on lightning-lane terminates TLS and
# forwards to this port. Localhost-bind keeps the raw service off the LAN.
semaphore_listen_address: "0.0.0.0"
semaphore_listen_port: 3000
# Public URL (used by Semaphore for OIDC redirects, webhook URLs, etc.)
semaphore_web_url: "https://semaphore.local.mk-labs.cloud"
# ---------------------------------------------------------------------------
# PostgreSQL configuration
# ---------------------------------------------------------------------------
semaphore_db_user: semaphore
semaphore_db_name: semaphore
# semaphore_db_password sourced from vault below
# ---------------------------------------------------------------------------
# Vault inputs (defined in group_vars/all/vault, encrypted with ansible-vault)
# ---------------------------------------------------------------------------
# vault_semaphore_database_password - postgres role password
# vault_semaphore_admin_password - initial admin password (used only
# during manual user-add step)
# vault_semaphore_access_key_encryption - 32-byte key for encrypting
# Semaphore-stored access keys
semaphore_db_password: "{{ vault_semaphore_database_password }}"
semaphore_admin_password: "{{ vault_semaphore_admin_password }}"
semaphore_access_key_encryption: "{{ vault_semaphore_access_key_encryption }}"
# ---------------------------------------------------------------------------
# Health check
# ---------------------------------------------------------------------------
semaphore_health_check_retries: 30
semaphore_health_check_delay: 2
# ---------------------------------------------------------------------------
# Quadlet location (rootful)
# ---------------------------------------------------------------------------
semaphore_quadlet_dir: /etc/containers/systemd