fix: Gitea Traefik routing and connection pool optimization

- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de
2025-11-09 14:46:15 +01:00
parent 85c369e846
commit 36ef2a1e2c
1366 changed files with 104925 additions and 28719 deletions


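--- /dev/null
+++ b/PATH_PLACEHOLDER_composer_install_tasks.yml
@@ -0,0 +1,87 @@
+---
+# Install Composer Dependencies in Application Container
+- name: Check if composer.json exists
+ansible.builtin.stat:
+path: "{{ application_code_dest }}/composer.json"
+register: composer_json_exists
+- name: Fail if composer.json is missing
+ansible.builtin.fail:
+msg: "composer.json not found at {{ application_code_dest }}/composer.json"
+when: not composer_json_exists.stat.exists
+- name: Check if container is running
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} ps {{ application_php_service_name }} --format json
+register: container_status
+changed_when: false
+failed_when: false
+- name: Display container status
+ansible.builtin.debug:
+msg: "Container status: {{ container_status.stdout }}"
+when: application_show_status | default(true) | bool
+- name: Fail if container is not running
+ansible.builtin.fail:
+msg: |
+Container '{{ application_php_service_name }}' is not running!
+The container must be started before installing composer dependencies.
+This is typically done by the 'deploy-image.yml' playbook which should run before this.
+To start the container manually:
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} up -d {{ application_php_service_name }}
+Note: The container requires environment variables (DB_USERNAME, DB_PASSWORD, etc.)
+which should be set in a .env file or via docker-compose environment configuration.
+when: container_status.rc != 0 or '"State":"running"' not in container_status.stdout
+- name: Install composer dependencies in PHP container
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} exec -T {{ application_php_service_name }} composer install --no-dev --optimize-autoloader --no-interaction
+register: composer_install
+changed_when: true
+failed_when: composer_install.rc != 0
+- name: Display composer install output
+ansible.builtin.debug:
+msg: |
+Composer Install Output:
+stdout: {{ composer_install.stdout }}
+stderr: {{ composer_install.stderr }}
+rc: {{ composer_install.rc }}
+when:
+- composer_install.rc != 0
+- application_show_status | default(true) | bool
+- name: Restart queue-worker and scheduler to pick up vendor directory
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} restart queue-worker scheduler
+register: restart_workers
+changed_when: true
+failed_when: false
+when: application_restart_workers_after_composer | default(true) | bool
+- name: Verify vendor/autoload.php exists
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} exec -T {{ application_php_service_name }} test -f /var/www/html/vendor/autoload.php && echo "EXISTS" || echo "MISSING"
+register: autoload_check
+changed_when: false
+- name: Display autoload verification
+ansible.builtin.debug:
+msg: "vendor/autoload.php: {{ autoload_check.stdout.strip() }}"
+when: application_show_status | default(true) | bool
+- name: Fail if autoload.php is missing
+ansible.builtin.fail:
+msg: "vendor/autoload.php was not created after composer install"
+when: "autoload_check.stdout.strip() != 'EXISTS'"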
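Review bot: The pre-flight check only verifies composer.json, but `composer install` with no composer.lock present resolves dependency versions afresh (it behaves like an update), so the vendor tree that ends up in production is not reproducible and not the set of versions that was reviewed; add a companion stat/fail pair for `{{ application_code_dest }}/composer.lock` ahead of the install task. The shell tasks also interpolate `application_code_dest` and the service name unquoted into `cd {{ application_code_dest }}` and the `docker compose ... exec` line, which breaks on paths containing whitespace; quote them (`cd "{{ application_code_dest }}"`) or use `args: chdir: "{{ application_code_dest }}"`, and the same applies to the container-management, code-deployment and health-check files in this commit. The running-state test `'"State":"running"' not in container_status.stdout` is a substring match on raw JSON; `(container_status.stdout | from_json).State == 'running'` would make the intent explicit, though whether the output is one object or one object per line depends on the compose version, which the page does not show.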


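--- /dev/null
+++ b/PATH_PLACEHOLDER_container_management_tasks.yml
@@ -0,0 +1,86 @@
+---
+# Container Management Tasks (Fix, Recreate, etc.)
+- name: Check if vendor directory exists on host
+ansible.builtin.stat:
+path: "{{ application_code_dest }}/vendor"
+register: vendor_dir_exists
+- name: Display vendor directory status
+ansible.builtin.debug:
+msg: "vendor directory on host: {{ 'EXISTS' if vendor_dir_exists.stat.exists else 'MISSING' }}"
+when: application_show_status | default(true) | bool
+- name: Install composer dependencies in PHP container (if vendor missing)
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} exec -T {{ application_php_service_name }} composer install --no-dev --optimize-autoloader --no-interaction
+register: composer_install
+changed_when: true
+failed_when: composer_install.rc != 0
+when:
+- application_container_action | default('fix') == 'fix'
+- not vendor_dir_exists.stat.exists
+- name: Verify vendor/autoload.php exists in container
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} exec -T {{ application_php_service_name }} test -f /var/www/html/vendor/autoload.php && echo "EXISTS" || echo "MISSING"
+register: autoload_check
+changed_when: false
+when: application_container_action | default('fix') == 'fix'
+- name: Display autoload verification
+ansible.builtin.debug:
+msg: "vendor/autoload.php in container: {{ autoload_check.stdout.strip() }}"
+when:
+- application_container_action | default('fix') == 'fix'
+- application_show_status | default(true) | bool
+- name: Recreate web container with new security settings
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} up -d --force-recreate --no-deps web
+register: recreate_web
+changed_when: true
+when:
+- application_container_action | default('fix') in ['fix', 'fix-web']
+- name: Recreate queue-worker and scheduler containers
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} up -d --force-recreate {{ application_container_target_services | default('queue-worker scheduler') }}
+register: recreate_containers
+changed_when: true
+when:
+- application_container_action | default('fix') in ['recreate', 'recreate-with-env', 'sync-recreate']
+- name: Restart queue-worker and scheduler to pick up vendor directory
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} restart queue-worker scheduler
+register: restart_workers
+changed_when: true
+failed_when: false
+when:
+- application_container_action | default('fix') == 'fix'
+- application_restart_workers_after_composer | default(true) | bool
+- name: Wait for containers to stabilize
+ansible.builtin.pause:
+seconds: "{{ application_container_stabilize_wait | default(5) }}"
+when: application_container_action | default('fix') in ['fix', 'recreate', 'recreate-with-env', 'sync-recreate']
+- name: Get final container status
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} ps {{ application_container_status_services | default('queue-worker web scheduler php') }}
+register: final_status
+changed_when: false
+- name: Display final container status
+ansible.builtin.debug:
+msg: |
+{{ final_status.stdout }}
+when: application_show_status | default(true) | bool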
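Review bot: The conditional composer install keys on `{{ application_code_dest }}/vendor` existing on the host, while the install and the autoload verification run inside the PHP container against `/var/www/html/vendor`; unless that directory is bind-mounted from the host, which this file does not show, the host check can report EXISTS while the container has no vendor tree, so the guard should test the container path with the same `docker compose exec -T ... test -d` pattern the autoload.php check uses. `Wait for containers to stabilize` is a fixed `pause` rather than a readiness check; an `until:` loop over `docker compose ps --format json` (or a compose health check) would fail fast on a container that exited instead of continuing after the sleep. `Get final container status` has no `failed_when`, so a non-zero exit from compose aborts the play before the status is ever displayed; add `failed_when: false` as the sibling tasks do.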


@@ -1,12 +1,326 @@
---
- name: Debug all available variables before password determination
ansible.builtin.debug:
msg: |
Available variables for registry password:
- docker_registry_password_default defined: {{ docker_registry_password_default is defined }}
- vault_docker_registry_password defined: {{ vault_docker_registry_password is defined }}
- All vault_* variable names: {{ vars.keys() | select('match', '^vault_.*') | list | join(', ') }}
delegate_to: localhost
become: no
- name: Check if docker_registry_password_default is set (safe check)
ansible.builtin.set_fact:
_docker_registry_password_default_set: "{{ 'YES' if (docker_registry_password_default is defined and docker_registry_password_default | string | trim != '') else 'NO' }}"
delegate_to: localhost
become: no
when: docker_registry_password_default is defined
- name: Check if vault_docker_registry_password is set (safe check)
ansible.builtin.set_fact:
_vault_docker_registry_password_set: "{{ 'YES' if (vault_docker_registry_password is defined and vault_docker_registry_password | string | trim != '') else 'NO' }}"
delegate_to: localhost
become: no
when: vault_docker_registry_password is defined
- name: Debug password status
ansible.builtin.debug:
msg: |
Password status:
- docker_registry_password_default: {{ _docker_registry_password_default_set | default('NOT DEFINED') }}
- vault_docker_registry_password: {{ _vault_docker_registry_password_set | default('NOT DEFINED') }}
delegate_to: localhost
become: no
- name: Determine Docker registry password from vault or defaults
ansible.builtin.set_fact:
registry_password: >-
{%- if docker_registry_password_default is defined and docker_registry_password_default | string | trim != '' -%}
{{ docker_registry_password_default }}
{%- elif vault_docker_registry_password is defined and vault_docker_registry_password | string | trim != '' -%}
{{ vault_docker_registry_password }}
{%- else -%}
{{ '' }}
{%- endif -%}
no_log: yes
- name: Debug registry password source after determination
ansible.builtin.debug:
msg: |
Registry password determination result:
- docker_registry_password_default: {{ 'SET (length: ' + (docker_registry_password_default | default('') | string | length | string) + ')' if (docker_registry_password_default | default('') | string | trim) != '' else 'NOT SET' }}
- vault_docker_registry_password defined: {{ vault_docker_registry_password is defined }}
- vault_docker_registry_password set: {{ 'YES (length: ' + (vault_docker_registry_password | default('') | string | length | string) + ')' if (vault_docker_registry_password | default('') | string | trim) != '' else 'NO' }}
- registry_password set: {{ 'YES (length: ' + (registry_password | default('') | string | length | string) + ')' if (registry_password | default('') | string | trim) != '' else 'NO' }}
delegate_to: localhost
become: no
- name: Debug vault loading
ansible.builtin.debug:
msg: |
Vault loading status:
- Vault file exists: {{ application_vault_stat.stat.exists | default(false) }}
- vault_docker_registry_password defined: {{ vault_docker_registry_password is defined }}
- vault_docker_registry_password value: {{ 'SET (length: ' + (vault_docker_registry_password | default('') | string | length | string) + ')' if (vault_docker_registry_password | default('') | string | trim) != '' else 'NOT SET or EMPTY' }}
- registry_password: {{ 'SET (length: ' + (registry_password | default('') | string | length | string) + ')' if (registry_password | default('') | string | trim) != '' else 'NOT SET or EMPTY' }}
when: true
no_log: yes
- name: Check if registry is accessible
ansible.builtin.uri:
url: "http://{{ docker_registry | default('localhost:5000') }}/v2/"
method: GET
status_code: [200, 401]
timeout: 5
register: registry_check
ignore_errors: yes
delegate_to: "{{ inventory_hostname }}"
become: no
- name: Debug registry accessibility
ansible.builtin.debug:
msg: |
Registry accessibility check:
- Registry URL: http://{{ docker_registry | default('localhost:5000') }}/v2/
- Status code: {{ registry_check.status | default('UNKNOWN') }}
- Accessible: {{ 'YES' if registry_check.status | default(0) in [200, 401] else 'NO' }}
- Note: Status 401 means registry requires authentication (expected)
delegate_to: localhost
become: no
- name: Login to Docker registry
community.docker.docker_login:
registry_url: "{{ docker_registry | default('localhost:5000') }}"
username: "{{ docker_registry_username_default | default('admin') }}"
password: "{{ registry_password }}"
when:
- registry_password | string | trim != ''
- registry_check.status | default(0) in [200, 401]
no_log: yes
ignore_errors: yes
register: docker_login_result
- name: Warn if Docker registry login failed
ansible.builtin.debug:
msg: "WARNING: Docker registry login failed or skipped. Images may not be pullable without authentication."
when:
- registry_password | string | trim != ''
- docker_login_result.failed | default(false)
- name: Debug registry authentication status
ansible.builtin.debug:
msg: |
Registry authentication status:
- Registry: {{ docker_registry | default('localhost:5000') }}
- Password set: {{ 'YES' if (registry_password | string | trim) != '' else 'NO' }}
- Login result: {{ 'SUCCESS' if (docker_login_result.failed | default(true) == false) else 'FAILED or SKIPPED' }}
- Username: {{ docker_registry_username_default | default('admin') }}
when: true
- name: Fail if registry password is not set
ansible.builtin.fail:
msg: |
Docker registry authentication required but password not set!
The registry at {{ docker_registry | default('localhost:5000') }} requires authentication.
Please set the password in one of these ways:
1. Set in vault file (recommended):
ansible-vault edit {{ vault_file | default('inventory/group_vars/production/vault.yml') }}
# Add: vault_docker_registry_password: "your-password"
2. Pass via extra vars:
-e "docker_registry_password_default=your-password"
3. Use init-secrets.sh script to generate all passwords:
cd deployment/ansible
./scripts/init-secrets.sh
Note: The registry password was likely generated when the registry stack was deployed.
Check the registry role output or the vault file for the generated password.
when:
- registry_password | string | trim == ''
- docker_registry | default('localhost:5000') == 'localhost:5000'
- name: Check registry htpasswd file to verify password
ansible.builtin.shell: |
if [ -f "{{ registry_auth_path | default('/home/deploy/deployment/stacks/registry/auth') }}/htpasswd" ]; then
cat "{{ registry_auth_path | default('/home/deploy/deployment/stacks/registry/auth') }}/htpasswd"
else
echo "htpasswd file not found"
fi
register: registry_htpasswd_check
changed_when: false
failed_when: false
delegate_to: "{{ inventory_hostname }}"
become: no
when: docker_login_result.failed | default(false)
- name: Debug registry password mismatch
ansible.builtin.debug:
msg: |
Registry authentication failed!
Registry: {{ docker_registry | default('localhost:5000') }}
Username: {{ docker_registry_username_default | default('admin') }}
Possible causes:
1. The password in vault does not match the password used during registry deployment
2. The registry was deployed with a different password (generated by registry role)
3. The username is incorrect
To fix:
1. Check the registry htpasswd file on the server:
cat {{ registry_auth_path | default('/home/deploy/deployment/stacks/registry/auth') }}/htpasswd
2. Extract the password from the registry .env file (if available):
grep REGISTRY_AUTH {{ registry_stack_path | default('/home/deploy/deployment/stacks/registry') }}/.env
3. Update the vault file with the correct password:
ansible-vault edit {{ vault_file | default('inventory/group_vars/production/vault.yml') }}
# Set: vault_docker_registry_password: "correct-password"
4. Or re-deploy the registry stack with the password from vault:
ansible-playbook -i inventory/production.yml playbooks/setup-infrastructure.yml --tags registry
Registry htpasswd file content:
{{ registry_htpasswd_check.stdout | default('NOT FOUND') }}
when:
- registry_password | string | trim != ''
- docker_login_result.failed | default(false)
- name: Fail if registry authentication failed and password was provided
ansible.builtin.fail:
msg: |
Docker registry authentication failed!
Registry: {{ docker_registry | default('localhost:5000') }}
Username: {{ docker_registry_username_default | default('admin') }}
The password in the vault file does not match the password used during registry deployment.
Please check the debug output above for instructions on how to fix this.
when:
- registry_password | string | trim != ''
- docker_login_result.failed | default(false)
- name: Force pull latest Docker images before deployment
shell: |
docker compose -f {{ application_stack_dest }}/docker-compose.base.yml -f {{ application_stack_dest }}/docker-compose.{{ application_compose_suffix }} pull --ignore-pull-failures
changed_when: false
failed_when: false
when: not ansible_check_mode
- name: Verify entrypoint script exists in Docker image (method 1 - file check)
shell: |
docker run --rm --entrypoint=/bin/sh {{ docker_registry | default('localhost:5000') }}/{{ app_name | default('framework') }}:latest -c "test -f /usr/local/bin/entrypoint.sh && ls -la /usr/local/bin/entrypoint.sh || echo 'FILE_NOT_FOUND'"
register: entrypoint_check
changed_when: false
failed_when: false
- name: Verify entrypoint script exists in Docker image (method 2 - inspect image)
shell: |
docker image inspect {{ docker_registry | default('localhost:5000') }}/{{ app_name | default('framework') }}:latest --format '{{ "{{" }}.Config.Entrypoint{{ "}}" }}' 2>&1 || echo "INSPECT_FAILED"
register: entrypoint_inspect
changed_when: false
failed_when: false
- name: Verify entrypoint script exists in Docker image (method 3 - extract and check)
shell: |
CONTAINER_ID=$(docker create {{ docker_registry | default('localhost:5000') }}/{{ app_name | default('framework') }}:latest 2>/dev/null) && \
docker cp $CONTAINER_ID:/usr/local/bin/entrypoint.sh /tmp/entrypoint_check.sh 2>&1 && \
if [ -f /tmp/entrypoint_check.sh ]; then \
echo "FILE_EXISTS"; \
ls -la /tmp/entrypoint_check.sh; \
head -5 /tmp/entrypoint_check.sh; \
rm -f /tmp/entrypoint_check.sh; \
else \
echo "FILE_NOT_FOUND"; \
fi && \
docker rm $CONTAINER_ID >/dev/null 2>&1 || true
register: entrypoint_extract
changed_when: false
failed_when: false
- name: Set entrypoint verification message
set_fact:
entrypoint_verification_msg: |
==========================================
Entrypoint Script Verification
==========================================
Image: {{ docker_registry | default('localhost:5000') }}/{{ app_name | default('framework') }}:latest
Method 1 - File Check:
Return Code: {{ entrypoint_check.rc | default('unknown') }}
Output: {{ entrypoint_check.stdout | default('No output') }}
Method 2 - Image Inspect:
Entrypoint Config: {{ entrypoint_inspect.stdout | default('Not available') }}
Method 3 - Extract and Check:
{{ entrypoint_extract.stdout | default('Check not performed') }}
{% if 'FILE_NOT_FOUND' in entrypoint_check.stdout or 'FILE_NOT_FOUND' in entrypoint_extract.stdout %}
⚠️ WARNING: Entrypoint script NOT FOUND in image!
This means the Docker image was built without the entrypoint script.
Possible causes:
1. The entrypoint script was not copied during rsync to build directory
2. The Dockerfile COPY command failed silently
3. The image needs to be rebuilt with --no-cache
Next steps:
1. Rebuild the image: ansible-playbook -i inventory/production.yml playbooks/build-initial-image.yml --vault-password-file secrets/.vault_pass -e "build_no_cache=true"
2. Check if docker/entrypoint.sh exists on server: ls -la /home/deploy/michaelschiemer/docker/entrypoint.sh
3. Manually check image: docker run --rm --entrypoint=/bin/sh localhost:5000/framework:latest -c "ls -la /usr/local/bin/entrypoint.sh"
{% elif entrypoint_check.rc == 0 %}
✅ Entrypoint script found in image
File details: {{ entrypoint_check.stdout }}
{% if '\r' in entrypoint_extract.stdout %}
⚠️ CRITICAL: Entrypoint script has CRLF line endings!
The script contains \r characters which will cause "no such file or directory" errors.
The script needs to be converted to LF line endings before building the image.
{% endif %}
{% else %}
⚠️ Could not verify entrypoint script (check may have failed)
{% endif %}
==========================================
- name: Display entrypoint script verification result
debug:
var: entrypoint_verification_msg
- name: Deploy application stack
community.docker.docker_compose_v2:
project_src: "{{ application_stack_dest }}"
files:
- docker-compose.base.yml
- "docker-compose.{{ application_compose_suffix }}"
state: present
pull: always
recreate: "{{ application_compose_recreate }}"
remove_orphans: "{{ application_remove_orphans | bool }}"
register: application_compose_result
failed_when: false
- name: Show PHP container logs if deployment failed
shell: |
docker compose -f {{ application_stack_dest }}/docker-compose.base.yml -f {{ application_stack_dest }}/docker-compose.{{ application_compose_suffix }} logs --tail=50 {{ application_service_name }} 2>&1 || true
register: application_php_logs
changed_when: false
when: application_compose_result.failed | default(false)
- name: Display PHP container logs on failure
debug:
msg: |
PHP Container Logs (last 50 lines):
{{ application_php_logs.stdout | default('No logs available') }}
when: application_compose_result.failed | default(false)
- name: Fail if deployment failed
fail:
msg: "Application stack deployment failed. Check logs above for details."
when: application_compose_result.failed | default(false)
- name: Wait for application container to report Up
shell: |
@@ -17,6 +331,48 @@
retries: "{{ ((application_wait_timeout | int) + (application_wait_interval | int) - 1) // (application_wait_interval | int) }}"
delay: "{{ application_wait_interval | int }}"
when: application_compose_result.changed
failed_when: false
- name: Show container status when container doesn't start
shell: |
docker compose -f {{ application_stack_dest }}/docker-compose.base.yml -f {{ application_stack_dest }}/docker-compose.{{ application_compose_suffix }} ps {{ application_service_name }}
register: application_container_status
changed_when: false
when:
- application_compose_result.changed
- application_app_running.rc != 0
- name: Show PHP container logs when container doesn't start
shell: |
docker compose -f {{ application_stack_dest }}/docker-compose.base.yml -f {{ application_stack_dest }}/docker-compose.{{ application_compose_suffix }} logs --tail=100 {{ application_service_name }} 2>&1 || true
register: application_php_logs_failed
changed_when: false
when:
- application_compose_result.changed
- application_app_running.rc != 0
- name: Display container status and logs when startup failed
debug:
msg: |
Container Status:
{{ application_container_status.stdout | default('Container not found') }}
Container Logs (last 100 lines):
{{ application_php_logs_failed.stdout | default('No logs available') }}
when:
- application_compose_result.changed
- application_app_running.rc != 0
- name: Fail if container didn't start
fail:
msg: |
Application container '{{ application_service_name }}' failed to start.
Check the logs above for details.
You can also check manually with:
docker compose -f {{ application_stack_dest }}/docker-compose.base.yml -f {{ application_stack_dest }}/docker-compose.{{ application_compose_suffix }} logs {{ application_service_name }}
when:
- application_compose_result.changed
- application_app_running.rc != 0
- name: Ensure app container is running before migrations
shell: |
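Review bot: The task `Check registry htpasswd file to verify password` reads the registry's htpasswd file with `cat`, and the following `Debug registry password mismatch` task prints its contents (`Registry htpasswd file content: {{ registry_htpasswd_check.stdout | default('NOT FOUND') }}`) without `no_log`, so the registry's password hashes land in the Ansible output and in any CI log that captures it, where they can be cracked offline. Nothing in that message uses the contents beyond confirming the file exists, so the task should become a `stat` and the message should report only presence, as below. On a smaller scale, `Debug registry password source after determination` and `Debug registry authentication status` print password lengths and the registry username without `no_log`, which the adjacent `Debug vault loading` task does set; apply it consistently. The tasks from `Force pull latest Docker images before deployment` onward use bare `shell:`/`set_fact:`/`debug:`/`fail:` while the earlier tasks in the same file use the `ansible.builtin.` FQCN; pick one. The file continues past this hunk: the final `Ensure app container is running before migrations` task is cut at the hunk boundary.
```yaml
- name: Check registry htpasswd file exists (contents are never printed)
  ansible.builtin.stat:
    path: "{{ registry_auth_path | default('/home/deploy/deployment/stacks/registry/auth') }}/htpasswd"
  register: registry_htpasswd_check
  delegate_to: "{{ inventory_hostname }}"
  become: no
  when: docker_login_result.failed | default(false)

- name: Debug registry password mismatch
  ansible.builtin.debug:
    msg: |
      Registry authentication failed!
      {# … unchanged: registry/username lines, "Possible causes" and "To fix" steps … #}
      Registry htpasswd file: {{ 'present' if (registry_htpasswd_check.stat.exists | default(false)) else 'NOT FOUND' }}
  # … unchanged: when conditions …
```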


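--- /dev/null
+++ b/PATH_PLACEHOLDER_deploy_code_tasks.yml
@@ -0,0 +1,236 @@
+---
+# Deploy Application Code via Git or Rsync
+- name: Set git_repo_url from provided value or default
+ansible.builtin.set_fact:
+git_repo_url: "{{ application_git_repository_url if (application_git_repository_url is defined and application_git_repository_url != '') else application_git_repository_url_default }}"
+- name: Determine deployment method
+ansible.builtin.set_fact:
+deployment_method: "{{ application_deployment_method | default('git') }}"
+when: application_deployment_method is not defined
+- name: Ensure Git is installed (for Git deployment)
+ansible.builtin.apt:
+name: git
+state: present
+update_cache: no
+become: yes
+when: deployment_method == 'git'
+- name: Ensure application code directory exists
+ansible.builtin.file:
+path: "{{ application_code_dest }}"
+state: directory
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+mode: '0755'
+become: yes
+# Git Deployment Tasks
+- name: Check if repository already exists (Git)
+ansible.builtin.stat:
+path: "{{ application_code_dest }}/.git"
+register: git_repo_exists
+when: deployment_method == 'git'
+- name: Check if destination directory exists (Git)
+ansible.builtin.stat:
+path: "{{ application_code_dest }}"
+register: dest_dir_exists
+when: deployment_method == 'git'
+- name: Remove destination directory if it exists but is not a git repo (Git)
+ansible.builtin.file:
+path: "{{ application_code_dest }}"
+state: absent
+when:
+- deployment_method == 'git'
+- dest_dir_exists.stat.exists
+- not git_repo_exists.stat.exists
+become: yes
+- name: Clone repository (if not exists) (Git)
+ansible.builtin.git:
+repo: "{{ git_repo_url }}"
+dest: "{{ application_code_dest }}"
+version: "{{ application_git_branch }}"
+force: no
+update: no
+when:
+- deployment_method == 'git'
+- not git_repo_exists.stat.exists
+environment:
+GIT_TERMINAL_PROMPT: "0"
+vars:
+ansible_become: no
+register: git_clone_result
+retries: "{{ application_git_retries | default(5) }}"
+delay: "{{ application_git_retry_delay | default(10) }}"
+until: git_clone_result is succeeded
+ignore_errors: yes
+- name: Fail if git clone failed after retries (Git)
+ansible.builtin.fail:
+msg: "Failed to clone repository after {{ application_git_retries | default(5) }} retries. Gitea may be unreachable or overloaded. Last error: {{ git_clone_result.msg | default('Unknown error') }}"
+when:
+- deployment_method == 'git'
+- not git_repo_exists.stat.exists
+- git_clone_result is failed
+- name: Check if repository is already on correct branch (Git)
+ansible.builtin.shell: |
+cd {{ application_code_dest }}
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+TARGET_BRANCH="{{ application_git_branch | default('main') }}"
+if [ "$CURRENT_BRANCH" = "$TARGET_BRANCH" ] || [ "$CURRENT_BRANCH" = "HEAD" ]; then
+echo "ALREADY_ON_BRANCH"
+else
+echo "NEEDS_UPDATE"
+fi
+register: git_branch_check
+changed_when: false
+failed_when: false
+when:
+- deployment_method == 'git'
+- git_repo_exists.stat.exists
+- application_skip_git_update | default(false) | bool == false
+- name: Update repository (if exists and not already on correct branch) (Git)
+ansible.builtin.git:
+repo: "{{ git_repo_url }}"
+dest: "{{ application_code_dest }}"
+version: "{{ application_git_branch }}"
+force: yes
+update: yes
+when:
+- deployment_method == 'git'
+- git_repo_exists.stat.exists
+- application_skip_git_update | default(false) | bool == false
+- git_branch_check.stdout | default('NEEDS_UPDATE') == 'NEEDS_UPDATE'
+environment:
+GIT_TERMINAL_PROMPT: "0"
+vars:
+ansible_become: no
+register: git_update_result
+retries: "{{ application_git_retries | default(5) }}"
+delay: "{{ application_git_retry_delay | default(10) }}"
+until: git_update_result is succeeded
+ignore_errors: yes
+- name: Skip git update (repository already on correct branch or skip flag set)
+ansible.builtin.debug:
+msg: "Skipping git update - repository already on correct branch or skip_git_update is set"
+when:
+- deployment_method == 'git'
+- git_repo_exists.stat.exists
+- (application_skip_git_update | default(false) | bool == true) or (git_branch_check.stdout | default('NEEDS_UPDATE') == 'ALREADY_ON_BRANCH')
+- name: Fail if git update failed after retries (Git)
+ansible.builtin.fail:
+msg: "Failed to update repository after {{ application_git_retries | default(5) }} retries. Gitea may be unreachable or overloaded. Last error: {{ git_update_result.msg | default('Unknown error') }}"
+when:
+- deployment_method == 'git'
+- git_repo_exists.stat.exists
+- application_skip_git_update | default(false) | bool == false
+- git_branch_check.stdout | default('NEEDS_UPDATE') == 'NEEDS_UPDATE'
+- git_update_result is defined
+- git_update_result is failed
+- name: Set ownership of repository files (Git)
+ansible.builtin.file:
+path: "{{ application_code_dest }}"
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+recurse: yes
+become: yes
+when: deployment_method == 'git'
+# Rsync Deployment Tasks
+- name: Clear destination directory before sync (Rsync)
+ansible.builtin.shell: |
+# Remove all files and directories except .git (if it exists)
+find {{ application_code_dest }} -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} + 2>/dev/null || true
+become: yes
+changed_when: true
+failed_when: false
+register: clear_result
+when: deployment_method == 'rsync'
+- name: Display clear status (Rsync)
+ansible.builtin.debug:
+msg: "Cleared destination directory before sync (preserved .git if present)"
+when:
+- deployment_method == 'rsync'
+- clear_result.rc | default(0) == 0
+- application_show_status | default(true) | bool
+- name: Synchronize application code from repository root (Rsync)
+ansible.builtin.synchronize:
+src: "{{ application_rsync_source }}/"
+dest: "{{ application_code_dest }}/"
+delete: no
+recursive: yes
+rsync_opts: "{{ application_rsync_opts | default(['--chmod=D755,F644', '--exclude=.git', '--exclude=.gitignore', '--exclude=node_modules', '--exclude=vendor', '--exclude=.env', '--exclude=.env.*', '--exclude=*.log', '--exclude=.idea', '--exclude=.vscode', '--exclude=.DS_Store', '--exclude=*.swp', '--exclude=*.swo', '--exclude=*~', '--exclude=.phpunit.result.cache', '--exclude=coverage', '--exclude=.phpunit.cache', '--exclude=public/assets', '--exclude=storage/logs', '--exclude=storage/framework/cache', '--exclude=storage/framework/sessions', '--exclude=storage/framework/views', '--exclude=deployment', '--exclude=docker', '--exclude=.deployment-archive-*', '--exclude=docs', '--exclude=tests']) }}"
+when: deployment_method == 'rsync'
+delegate_to: localhost
+run_once: true
+- name: Ensure executable permissions on PHP scripts (Rsync)
+ansible.builtin.file:
+path: "{{ application_code_dest }}/{{ item }}"
+mode: '0755'
+loop: "{{ application_php_scripts | default(['worker.php', 'console.php']) }}"
+when:
+- deployment_method == 'rsync'
+- item is defined
+ignore_errors: yes
+- name: Verify critical files exist (Rsync)
+ansible.builtin.stat:
+path: "{{ application_code_dest }}/{{ item }}"
+register: critical_files_check
+loop: "{{ application_critical_files | default(['worker.php', 'console.php', 'composer.json']) }}"
+when: deployment_method == 'rsync'
+- name: Display file verification results (Rsync)
+ansible.builtin.debug:
+msg: |
+File Verification:
+{% for result in critical_files_check.results | default([]) %}
+- {{ result.item }}: {{ 'EXISTS' if result.stat.exists else 'MISSING' }}
+{% endfor %}
+when:
+- deployment_method == 'rsync'
+- application_show_status | default(true) | bool
+- critical_files_check is defined
+- name: Fail if critical files are missing (Rsync)
+ansible.builtin.fail:
+msg: |
+Critical files are missing after sync:
+{% for result in critical_files_check.results | default([]) %}
+{% if not result.stat.exists %}- {{ result.item }}{% endif %}
+{% endfor %}
+when:
+- deployment_method == 'rsync'
+- critical_files_check is defined
+- critical_files_check.results | selectattr('stat.exists', 'equalto', false) | list | length > 0
+- name: Display deployment summary
+ansible.builtin.debug:
+msg: |
+========================================
+Application Code Deployment Summary
+========================================
+Method: {{ deployment_method | upper }}
+Destination: {{ application_code_dest }}
+{% if deployment_method == 'git' %}
+Repository: {{ git_repo_url }}
+Branch: {{ application_git_branch }}
+{% elif deployment_method == 'rsync' %}
+Source: {{ application_rsync_source }}
+{% endif %}
+========================================
+when: application_show_status | default(true) | bool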
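Review bot: Both destructive steps — `Remove destination directory if it exists but is not a git repo` (`state: absent` with `become: yes`) and the rsync clear `find {{ application_code_dest }} -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} +` — act on `application_code_dest` with no check that it is non-empty and names a dedicated checkout; with an empty value the unquoted `find` gets no starting point, GNU find defaults to the current directory, and `rm -rf` then runs there as root. Add an assert before the first of them, as below, and quote the path in the shell line (`find "{{ application_code_dest }}" ...`). The clone/update fail messages echo `git_clone_result.msg` and `git_update_result.msg`; if `git_repo_url` ever carries an embedded token (it falls back to `application_git_repository_url_default`, whose value this file does not show), that token would be printed, so either confirm the URL is credential-free or set `no_log` on those tasks.
```yaml
- name: Refuse to run destructive steps against an unset or top-level code directory
  ansible.builtin.assert:
    that:
      - application_code_dest is defined
      - (application_code_dest | string | trim) != ''
      - (application_code_dest | string | regex_replace('/+$', '')) not in ['', '/', '/home', '/root']
    fail_msg: "application_code_dest must be a dedicated checkout directory, got '{{ application_code_dest | default('') }}'"

# … unchanged: "Remove destination directory if it exists but is not a git repo" and all following tasks …
```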


@@ -0,0 +1,80 @@
---
# Health Check Tasks
- name: Get container status
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} ps {{ application_container_status_services | default('queue-worker web scheduler php') }}
register: container_status
changed_when: false
- name: Display container status
ansible.builtin.debug:
msg: |
{{ container_status.stdout }}
when: application_show_status | default(true) | bool
- name: Get queue-worker logs (last N lines)
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} logs --tail={{ application_health_check_logs_tail | default(20) }} queue-worker 2>&1 || true
register: queue_worker_logs
changed_when: false
- name: Display queue-worker logs
ansible.builtin.debug:
msg: |
================
Queue-Worker Logs:
================
{{ queue_worker_logs.stdout }}
when: application_show_status | default(true) | bool
- name: Get scheduler logs (last N lines)
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} logs --tail={{ application_health_check_logs_tail | default(20) }} scheduler 2>&1 || true
register: scheduler_logs
changed_when: false
- name: Display scheduler logs
ansible.builtin.debug:
msg: |
================
Scheduler Logs:
================
{{ scheduler_logs.stdout }}
when: application_show_status | default(true) | bool
- name: Get web container logs (last N lines)
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} logs --tail={{ application_health_check_logs_tail | default(20) }} web 2>&1 || true
register: web_logs
changed_when: false
- name: Display web container logs
ansible.builtin.debug:
msg: |
================
Web Container Logs:
================
{{ web_logs.stdout }}
when: application_show_status | default(true) | bool
- name: Get all container status (final status check)
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} ps
register: all_containers
changed_when: false
when: application_health_check_final | default(false) | bool
- name: Display all container status (final)
ansible.builtin.debug:
msg: |
{{ all_containers.stdout }}
when:
- application_health_check_final | default(false) | bool
- application_show_status | default(true) | bool
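Review bot: The `cd {{ application_code_dest }}` that opens every shell task is unguarded: the script sets no `set -e`, so when the directory is missing the following `docker compose ... ps` and `logs` commands still run from the default working directory, and `changed_when: false` gives no hint that this happened. Passing the directory as `args: chdir: "{{ application_code_dest }}"` makes the task fail on a missing path, and the values spliced into the shell line (`application_code_dest`, `application_compose_suffix`, `application_container_status_services`) should go through `| quote`, since they are interpolated unquoted. `--tail={{ application_health_check_logs_tail | default(20) }}` would also benefit from `| int` so a non-numeric override is rejected before it reaches docker. The header comment says only `# Health Check Tasks`; listing the variables the file reads (`application_code_dest`, `application_compose_suffix`, `application_container_status_services`, `application_health_check_logs_tail`, `application_health_check_final`, `application_show_status`) would tell callers what to set.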


@@ -0,0 +1,155 @@
---
# Log Analysis Tasks
- name: Get queue-worker logs
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} logs --tail={{ application_logs_tail | default(50) }} queue-worker 2>&1 || true
register: queue_worker_logs
changed_when: false
- name: Display queue-worker logs
ansible.builtin.debug:
var: queue_worker_logs.stdout_lines
when: application_show_status | default(true) | bool
- name: Get scheduler logs
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} logs --tail={{ application_logs_tail | default(50) }} scheduler 2>&1 || true
register: scheduler_logs
changed_when: false
- name: Display scheduler logs
ansible.builtin.debug:
var: scheduler_logs.stdout_lines
when: application_show_status | default(true) | bool
- name: Get web container logs
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} logs --tail={{ application_logs_tail | default(50) }} web 2>&1 || true
register: web_logs
changed_when: false
- name: Display web container logs
ansible.builtin.debug:
var: web_logs.stdout_lines
when: application_show_status | default(true) | bool
- name: Check if vendor/autoload.php exists in queue-worker container
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} exec -T queue-worker test -f /var/www/html/vendor/autoload.php && echo "EXISTS" || echo "MISSING"
register: queue_worker_vendor_check
changed_when: false
failed_when: false
ignore_errors: yes
when: application_logs_check_vendor | default(true) | bool
- name: Display queue-worker vendor check
ansible.builtin.debug:
msg: "vendor/autoload.php in queue-worker: {{ queue_worker_vendor_check.stdout | default('CHECK_FAILED') }}"
when:
- application_logs_check_vendor | default(true) | bool
- application_show_status | default(true) | bool
- name: Check if vendor/autoload.php exists in scheduler container
ansible.builtin.shell: |
cd {{ application_code_dest }}
docker compose -f docker-compose.base.yml -f docker-compose.{{ application_compose_suffix }} exec -T scheduler test -f /var/www/html/vendor/autoload.php && echo "EXISTS" || echo "MISSING"
register: scheduler_vendor_check
changed_when: false
failed_when: false
ignore_errors: yes
when: application_logs_check_vendor | default(true) | bool
- name: Display scheduler vendor check
ansible.builtin.debug:
msg: "vendor/autoload.php in scheduler: {{ scheduler_vendor_check.stdout | default('CHECK_FAILED') }}"
when:
- application_logs_check_vendor | default(true) | bool
- application_show_status | default(true) | bool
- name: Check vendor directory permissions on host
ansible.builtin.shell: |
ls -la {{ application_code_dest }}/vendor 2>&1 | head -5 || echo "DIRECTORY_NOT_FOUND"
register: vendor_perms
changed_when: false
when: application_logs_check_permissions | default(true) | bool
- name: Display vendor directory permissions
ansible.builtin.debug:
msg: |
Vendor directory permissions on host:
{{ vendor_perms.stdout }}
when:
- application_logs_check_permissions | default(true) | bool
- application_show_status | default(true) | bool
- name: Check if worker.php exists on host
ansible.builtin.stat:
path: "{{ application_code_dest }}/worker.php"
register: worker_file_host
when: application_logs_check_files | default(true) | bool
- name: Display worker.php host check result
ansible.builtin.debug:
msg: |
worker.php on host:
- Exists: {{ worker_file_host.stat.exists | default(false) }}
{% if worker_file_host.stat.exists %}
- Path: {{ worker_file_host.stat.path }}
- Size: {{ worker_file_host.stat.size | default(0) }} bytes
{% endif %}
when:
- application_logs_check_files | default(true) | bool
- application_show_status | default(true) | bool
- name: Check if console.php exists on host
ansible.builtin.stat:
path: "{{ application_code_dest }}/console.php"
register: console_file_host
when: application_logs_check_files | default(true) | bool
- name: Display console.php host check result
ansible.builtin.debug:
msg: |
console.php on host:
- Exists: {{ console_file_host.stat.exists | default(false) }}
{% if console_file_host.stat.exists %}
- Path: {{ console_file_host.stat.path }}
- Size: {{ console_file_host.stat.size | default(0) }} bytes
{% endif %}
when:
- application_logs_check_files | default(true) | bool
- application_show_status | default(true) | bool
- name: List files in application directory
ansible.builtin.shell: |
ls -la {{ application_code_dest }}/ | head -20
register: app_dir_listing
changed_when: false
when: application_logs_list_files | default(false) | bool
- name: Display application directory listing
ansible.builtin.debug:
var: app_dir_listing.stdout_lines
when:
- application_logs_list_files | default(false) | bool
- application_show_status | default(true) | bool
- name: Check what PHP files exist in application directory
ansible.builtin.shell: |
find {{ application_code_dest }} -maxdepth 1 -name "*.php" -type f 2>/dev/null | head -20
register: php_files
changed_when: false
when: application_logs_list_files | default(false) | bool
- name: Display PHP files found
ansible.builtin.debug:
var: php_files.stdout_lines
when:
- application_logs_list_files | default(false) | bool
- application_show_status | default(true) | bool
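Review bot: The `|| echo "DIRECTORY_NOT_FOUND"` in the vendor-permissions task never fires: `||` applies to the exit status of the whole pipeline, which is `head`'s, so a missing directory leaves the `ls` error text (merged by `2>&1`) in `vendor_perms.stdout` instead of the marker. Checking the directory first gives the intended output, e.g. `test -d {{ application_code_dest | quote }}/vendor && ls -la {{ application_code_dest | quote }}/vendor | head -5 || echo "DIRECTORY_NOT_FOUND"`. The two vendor/autoload.php checks carry both `failed_when: false` and `ignore_errors: yes`; the second is redundant and, if it stays, should be `true` per the truthy convention. As in the health-check file, the leading `cd {{ application_code_dest }}` is unguarded and the interpolated variables are unquoted; `args: chdir:` plus `| quote` applies here too.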


@@ -5,6 +5,44 @@
state: directory
mode: '0755'
- name: Ensure secrets directory exists for Docker Compose secrets
file:
path: "{{ application_stack_dest }}/secrets"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0700'
- name: Ensure parent directory exists for application code
file:
path: "/home/deploy/michaelschiemer"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0755'
when: application_compose_suffix == 'production.yml'
become: yes
- name: Ensure application code directory exists
file:
path: "/home/deploy/michaelschiemer/current"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0755'
when: application_compose_suffix == 'production.yml'
become: yes
ignore_errors: yes
- name: Fix ownership of application code directory if needed
command: chown -R {{ ansible_user }}:{{ ansible_user }} /home/deploy/michaelschiemer/current
when:
- application_compose_suffix == 'production.yml'
- ansible_check_mode is not defined or not ansible_check_mode
become: yes
changed_when: false
failed_when: false
- name: Check if vault file exists locally
stat:
path: "{{ application_vault_file }}"
@@ -21,26 +59,70 @@
delegate_to: localhost
become: no
- name: Check if PostgreSQL .env exists on target host
- name: Check if PostgreSQL Production .env exists on target host
stat:
path: "{{ stacks_base_path }}/postgresql-production/.env"
register: application_postgres_production_env_file
changed_when: false
- name: Check if PostgreSQL Staging .env exists on target host (for staging deployments)
stat:
path: "{{ stacks_base_path }}/postgresql-staging/.env"
register: application_postgres_staging_env_file
changed_when: false
when: application_compose_suffix == 'staging'
- name: Extract PostgreSQL Production password from .env file
shell: "grep '^POSTGRES_PASSWORD=' {{ stacks_base_path }}/postgresql-production/.env 2>/dev/null | cut -d'=' -f2- || echo ''"
register: application_postgres_production_password
changed_when: false
failed_when: false
when: application_postgres_production_env_file.stat.exists
no_log: yes
- name: Extract PostgreSQL Staging password from .env file
shell: "grep '^POSTGRES_PASSWORD=' {{ stacks_base_path }}/postgresql-staging/.env 2>/dev/null | cut -d'=' -f2- || echo ''"
register: application_postgres_staging_password
changed_when: false
failed_when: false
when:
- application_compose_suffix == 'staging'
- application_postgres_staging_env_file.stat.exists
no_log: yes
- name: "Fallback: Check if legacy PostgreSQL .env exists on target host"
stat:
path: "{{ stacks_base_path }}/postgresql/.env"
register: application_postgres_env_file
changed_when: false
when: not (application_postgres_production_env_file.stat.exists | default(false))
- name: Extract PostgreSQL password from .env file
- name: "Fallback: Extract PostgreSQL password from legacy .env file"
shell: "grep '^POSTGRES_PASSWORD=' {{ stacks_base_path }}/postgresql/.env 2>/dev/null | cut -d'=' -f2- || echo ''"
register: application_postgres_password
changed_when: false
failed_when: false
when: application_postgres_env_file.stat.exists
when:
- not (application_postgres_production_env_file.stat.exists | default(false))
- application_postgres_env_file.stat.exists
no_log: yes
- name: Determine application database password
set_fact:
application_db_password: >-
{{ (application_postgres_env_file.stat.exists and application_postgres_password.stdout != '') |
ternary(application_postgres_password.stdout,
vault_db_root_password | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits,punctuation'))) }}
{% if application_compose_suffix == 'staging' %}
{{ (application_postgres_staging_env_file.stat.exists | default(false) and application_postgres_staging_password.stdout | default('') != '') |
ternary(application_postgres_staging_password.stdout,
(application_postgres_env_file.stat.exists | default(false) and application_postgres_password.stdout | default('') != '') |
ternary(application_postgres_password.stdout,
vault_db_root_password | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits,punctuation')))) }}
{% else %}
{{ (application_postgres_production_env_file.stat.exists | default(false) and application_postgres_production_password.stdout | default('') != '') |
ternary(application_postgres_production_password.stdout,
(application_postgres_env_file.stat.exists | default(false) and application_postgres_password.stdout | default('') != '') |
ternary(application_postgres_password.stdout,
vault_db_root_password | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits,punctuation')))) }}
{% endif %}
no_log: yes
- name: Determine application redis password
@@ -73,32 +155,55 @@
application_encryption_key: "{{ encryption_key | default(vault_encryption_key | default('')) }}"
no_log: yes
- name: Check if application docker-compose.base.yml source exists locally
- name: Determine project root directory
set_fact:
project_root: "{{ playbook_dir | default(role_path + '/..') | dirname | dirname | dirname }}"
changed_when: false
- name: Check if application docker-compose.base.yml source exists locally (in project root)
stat:
path: "{{ application_stack_src }}/docker-compose.base.yml"
path: "{{ project_root }}/docker-compose.base.yml"
delegate_to: localhost
register: application_compose_base_src
become: no
- name: Check if application docker-compose override file exists locally (production or staging)
stat:
path: "{{ application_stack_src }}/../../../docker-compose.{{ application_compose_suffix }}"
path: "{{ project_root }}/docker-compose.{{ application_compose_suffix }}"
delegate_to: localhost
register: application_compose_override_src
become: no
- name: Copy application docker-compose.base.yml to target host
- name: Check if production-base.yml exists (preferred for production/staging)
stat:
path: "{{ project_root }}/docker-compose.production-base.yml"
delegate_to: localhost
register: application_compose_production_base_src
become: no
- name: Copy application docker-compose.production-base.yml to target host (production/staging)
copy:
src: "{{ application_stack_src }}/docker-compose.base.yml"
src: "{{ project_root }}/docker-compose.production-base.yml"
dest: "{{ application_stack_dest }}/docker-compose.base.yml"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0644'
when: application_compose_base_src.stat.exists
when: application_compose_production_base_src.stat.exists
- name: Copy application docker-compose.base.yml to target host (fallback)
copy:
src: "{{ project_root }}/docker-compose.base.yml"
dest: "{{ application_stack_dest }}/docker-compose.base.yml"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0644'
when:
- not application_compose_production_base_src.stat.exists
- application_compose_base_src.stat.exists
- name: Copy application docker-compose override file to target host (production or staging)
copy:
src: "{{ application_stack_src }}/../../../docker-compose.{{ application_compose_suffix }}"
src: "{{ project_root }}/docker-compose.{{ application_compose_suffix }}"
dest: "{{ application_stack_dest }}/docker-compose.{{ application_compose_suffix }}"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
@@ -141,14 +246,69 @@
mode: '0644'
when: application_nginx_src.stat.exists
- name: Expose secrets for template rendering
- name: Debug - Check available variables before set_fact
debug:
msg:
- "application_environment: {{ application_environment | default('NOT SET') }}"
- "app_env: {{ app_env | default('NOT SET') }}"
- "application_compose_suffix: {{ application_compose_suffix | default('NOT SET') }}"
- "app_domain (from vars): {{ 'DEFINED' if app_domain is defined else 'NOT SET' }}"
- "db_user_default: {{ db_user_default | default('NOT SET') }}"
- "db_name_default: {{ db_name_default | default('NOT SET') }}"
- "db_host_default: {{ db_host_default | default('NOT SET') }}"
- "application_db_password: {{ 'SET (length: ' + (application_db_password | default('') | string | length | string) + ')' if (application_db_password | default('') | string | trim) != '' else 'NOT SET' }}"
- "application_redis_password: {{ 'SET (length: ' + (application_redis_password | default('') | string | length | string) + ')' if (application_redis_password | default('') | string | trim) != '' else 'NOT SET' }}"
- "application_app_key: {{ 'SET (length: ' + (application_app_key | default('') | string | length | string) + ')' if (application_app_key | default('') | string | trim) != '' else 'NOT SET' }}"
changed_when: false
- name: Determine application environment for domain resolution
set_fact:
db_password: "{{ application_db_password }}"
redis_password: "{{ application_redis_password }}"
app_key: "{{ application_app_key }}"
encryption_key: "{{ application_encryption_key }}"
db_username: "{{ db_user | default(db_user_default) }}"
db_name: "{{ db_name | default(db_name_default) }}"
_app_env: "{{ app_env | default(application_environment | default('production')) }}"
no_log: yes
- name: Expose secrets for template rendering (step 1 - basic vars)
set_fact:
db_password: "{{ application_db_password | default('') }}"
redis_password: "{{ application_redis_password | default('') }}"
app_key: "{{ application_app_key | default('') }}"
encryption_key: "{{ application_encryption_key | default('') }}"
app_env: "{{ _app_env }}"
minio_root_user: "{{ minio_root_user | default('minioadmin') }}"
minio_root_password: "{{ minio_root_password | default('') }}"
no_log: yes
- name: Expose secrets for template rendering (step 2 - db vars)
set_fact:
db_username: "{{ db_user | default(db_user_default | default('postgres')) }}"
db_name: "{{ db_name | default(db_name_default | default('michaelschiemer')) }}"
no_log: yes
- name: Expose secrets for template rendering (step 3 - db_host with conditional)
set_fact:
db_host: >-
{%- if db_host is defined and db_host | string | trim != '' -%}
{{ db_host }}
{%- elif db_host_default is defined and db_host_default | string | trim != '' -%}
{{ db_host_default }}
{%- elif application_compose_suffix == 'production.yml' -%}
postgres-production
{%- elif application_compose_suffix == 'staging.yml' -%}
postgres-staging
{%- else -%}
postgres
{%- endif -%}
no_log: yes
- name: Expose secrets for template rendering (step 4 - app_domain)
set_fact:
app_domain: >-
{%- if app_domain is defined and app_domain | string | trim != '' -%}
{{ app_domain }}
{%- elif _app_env == 'production' -%}
michaelschiemer.de
{%- else -%}
staging.michaelschiemer.de
{%- endif -%}
no_log: yes
- name: Render application environment file
@@ -158,3 +318,21 @@
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0600'
- name: Create Docker Compose secret files from determined passwords
copy:
content: "{{ item.value }}"
dest: "{{ application_stack_dest }}/secrets/{{ item.name }}.txt"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0600'
loop:
- name: db_user_password
value: "{{ application_db_password }}"
- name: redis_password
value: "{{ application_redis_password }}"
- name: app_key
value: "{{ application_app_key }}"
- name: vault_encryption_key
value: "{{ application_encryption_key | default(application_app_key) }}"
no_log: yes
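Review bot: The staging password path in the second hunk can never be taken when `application_compose_suffix` carries the `.yml` extension: the staging .env stat, its extraction task and the `{% if application_compose_suffix == 'staging' %}` branch of the `application_db_password` fact all compare against `'staging'`, while the same file compares against `'production.yml'`/`'staging.yml'` in the directory tasks and the `db_host` fact and builds `docker-compose.{{ application_compose_suffix }}` from the same variable. With a `.yml` suffix those tasks are skipped and the `{% else %}` branch hands the production PostgreSQL password to a staging deployment; the three conditions should read `application_compose_suffix == 'staging.yml'` (or the suffix should be normalised once before use). Separately, every branch ends in `lookup('password', '/dev/null length=32 ...')`, which mints a new random password on each run when neither an .env file nor `vault_db_root_password` is present, so a misconfigured host silently receives a credential no database knows and the `db_user_password` secret file written in the last hunk changes on every run; an `ansible.builtin.assert` that at least one source exists would fail loudly instead. Two smaller points: the `Debug - Check available variables` task prints only presence and length of each secret but has no `no_log`, and `vault_encryption_key` falling back to `application_app_key` reuses one key for two purposes — if that is intended, a comment on that loop item saying so would stop the next reader from "fixing" it.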