Complete rewrite of the semaphore role. Supersedes three prior
iterations whose admin-user-creation logic was unreliable across
Semaphore CLI versions.
Architecture:
- Rootful Podman Quadlet under /etc/containers/systemd/
- Separate PostgreSQL 16-alpine container on a user-defined
podman network (semaphore-net)
- Named volumes for both data stores (semaphore_data,
semaphore_postgres_data) so container recreation is
non-destructive
- Pinned image tags: semaphoreui/semaphore:v2.18.5-ansible2.16.5
and postgres:16-alpine
- Post-deploy HTTP health check fails the playbook if Semaphore
doesn't respond on /api/ping within ~60s
Admin user creation remains intentionally manual after first deploy;
the role README documents the exact podman exec command.
Removes the duplicate deploy_semaphore.yml and the now-unneeded
cleanup_semaphore.yml; day1_deploy_semaphore.yml is the canonical
entry point.
73 lines
3.6 KiB
YAML
73 lines
3.6 KiB
YAML
---
|
|
# ============================================================================
|
|
# semaphore role defaults
|
|
# ============================================================================
|
|
# Deploys SemaphoreUI (https://semaphoreui.com) as a rootful Podman service
|
|
# managed via Quadlet. Uses a separate PostgreSQL 16 container on the same
|
|
# user-defined network. Both services persist to named volumes.
|
|
#
|
|
# Admin user creation is intentionally NOT automated — the Semaphore CLI's
|
|
# `user add` command has been unreliable across versions. Operator creates
|
|
# the first admin manually after the first successful deployment; see README.
|
|
# ============================================================================
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Image pinning
|
|
# ---------------------------------------------------------------------------
|
|
# The -ansible2.16.5 tag bundles Ansible 2.16.5 inside the Semaphore image,
|
|
# which matches the controller. Useful when Semaphore itself runs playbooks.
|
|
semaphore_image: "docker.io/semaphoreui/semaphore:v2.18.5-ansible2.16.5"
|
|
semaphore_postgres_image: "docker.io/library/postgres:16-alpine"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Container & network identifiers
|
|
# ---------------------------------------------------------------------------
|
|
semaphore_container_name: semaphore
|
|
semaphore_postgres_container_name: semaphore-postgres
|
|
semaphore_network_name: semaphore-net
|
|
|
|
# Named podman volumes
|
|
semaphore_data_volume: semaphore_data
|
|
semaphore_postgres_volume: semaphore_postgres_data
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Networking
|
|
# ---------------------------------------------------------------------------
|
|
# Port exposed on the VM. Traefik on lightning-lane terminates TLS and
|
|
# forwards to this port. Localhost-bind keeps the raw service off the LAN.
|
|
semaphore_listen_address: "0.0.0.0"
|
|
semaphore_listen_port: 3000
|
|
|
|
# Public URL (used by Semaphore for OIDC redirects, webhook URLs, etc.)
|
|
semaphore_web_url: "https://semaphore.local.mk-labs.cloud"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# PostgreSQL configuration
|
|
# ---------------------------------------------------------------------------
|
|
semaphore_db_user: semaphore
|
|
semaphore_db_name: semaphore
|
|
# semaphore_db_password sourced from vault below
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Vault inputs (defined in group_vars/all/vault, encrypted with ansible-vault)
|
|
# ---------------------------------------------------------------------------
|
|
# vault_semaphore_database_password - postgres role password
|
|
# vault_semaphore_admin_password - initial admin password (used only
|
|
# during manual user-add step)
|
|
# vault_semaphore_access_key_encryption - 32-byte key for encrypting
|
|
# Semaphore-stored access keys
|
|
semaphore_db_password: "{{ vault_semaphore_database_password }}"
|
|
semaphore_admin_password: "{{ vault_semaphore_admin_password }}"
|
|
semaphore_access_key_encryption: "{{ vault_semaphore_access_key_encryption }}"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Health check
|
|
# ---------------------------------------------------------------------------
|
|
semaphore_health_check_retries: 30
|
|
semaphore_health_check_delay: 2
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Quadlet location (rootful)
|
|
# ---------------------------------------------------------------------------
|
|
semaphore_quadlet_dir: /etc/containers/systemd
|