From 97b930c6edc7973497f469ae859fa2258cbea4d6 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Sun, 20 Aug 2023 18:38:17 +0200
Subject: use variables instead facts mostly everywhere

set_fact is stupid; they persist through multiple role executions; for example, you cannot do this: set_fact: foo: '{{ foo | default("bar") }}' If somebody calls the role and defines foo, it will always be set to that value forever, even for subsequent role calls.
---
 roles/apt_repo/defaults/main.yml | 2 +
 roles/apt_repo/tasks/main.yml | 25 ++++------
 roles/digitalocean_volume/tasks/main.yml | 6 +--
 roles/file_wait/tasks/check.yml | 14 +++---
 roles/file_wait/tasks/main.yml | 4 ++
 roles/letsencrypt/tasks/domain.yml | 52 ++++++++++-----------
 roles/letsencrypt/tasks/main.yml | 2 +
 roles/my_workspace/tasks/main.yml | 2 +
 roles/my_workspace/tasks/project.yml | 78 +++++++++++++++-----------
 9 files changed, 88 insertions(+), 97 deletions(-)
diff --git a/roles/apt_repo/defaults/main.yml b/roles/apt_repo/defaults/main.yml
index 7394a29..f4755e5 100644
--- a/roles/apt_repo/defaults/main.yml
+++ b/roles/apt_repo/defaults/main.yml
@@ -1,2 +1,4 @@
 apt_repo_keys_dir: /etc/apt/keyrings
 apt_repo_key_dearmor: false
+
+apt_repo_component: main
diff --git a/roles/apt_repo/tasks/main.yml b/roles/apt_repo/tasks/main.yml
index 4c1d92f..bf9e3ea 100644
--- a/roles/apt_repo/tasks/main.yml
+++ b/roles/apt_repo/tasks/main.yml
@@ -1,5 +1,11 @@
 - name: Set up repository
 become: true
+ vars:
+ # For some reason, if the key is in a weird format that requires
+ # running `gpg --dearmor`, you must save it with the .gpg extension
+ # instead of .asc. You can then completely skip the gpg step. Source:
+ # https://stackoverflow.com/q/71585303/514684
+ apt_repo_key_path: '{{ apt_repo_keys_dir }}/{{ apt_repo_name }}{{ apt_repo_key_dearmor | ternary(".gpg", ".asc") }}'
 block:
 - name: Create keys directory
 ansible.builtin.file:
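Review bot: The comment on the new `apt_repo_key_path` var (and the `apt_repo_key_dearmor` name) describes a mechanism that is not there: nothing in this role runs `gpg --dearmor`, and as far as I know apt's `signed-by` simply reads the keyring as binary OpenPGP when the file name ends in `.gpg` and as ASCII-armored when it ends in `.asc`, so the flag really means "the upstream key is already binary". A reader who sets `apt_repo_key_dearmor: true` for an armored key will get a confusing apt signature error rather than a conversion. I would replace the four comment lines with `# apt treats the keyring as binary OpenPGP if the file ends in .gpg and as ASCII-armored if it ends in .asc. apt_repo_key_dearmor: true means the upstream key is already binary, so it is saved as .gpg and no gpg --dearmor step is needed.` and consider a clearer name such as `apt_repo_key_binary` in a follow-up. The `Set up repository` block continues past the end of this hunk.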
@@ -7,30 +13,19 @@
 mode: '755'
 state: directory
 
- - name: Set key path
- ansible.builtin.set_fact:
- # For some reason, if the key is in a weird format that requires
- # running `gpg --dearmor`, you must save it with the .gpg extension
- # instead of .asc. You can then completely skip the gpg step. Source:
- # https://stackoverflow.com/q/71585303/514684
- key_path: '{{ apt_repo_keys_dir }}/{{ apt_repo_name }}{{ apt_repo_key_dearmor | ternary(".gpg", ".asc") }}'
-
 - name: 'Add key: {{ apt_repo_name }}'
 ansible.builtin.get_url:
 url: '{{ apt_repo_key_url }}'
- dest: '{{ key_path }}'
+ dest: '{{ apt_repo_key_path }}'
 mode: '644'
 
 - name: Get host distro
 ansible.builtin.setup:
 gather_subset: [distribution_release]
 
- - name: Set repository defaults
- ansible.builtin.set_fact:
- apt_repo_distro: '{{ apt_repo_distro | default(ansible_distribution_release) }}'
- apt_repo_component: '{{ apt_repo_component | default("main") }}'
-
 - name: 'Add repository: {{ apt_repo_name }}'
 ansible.builtin.apt_repository:
- repo: 'deb [signed-by={{ key_path }}] {{ apt_repo_url }} {{ apt_repo_distro }} {{ apt_repo_component }}'
+ repo: 'deb [signed-by={{ apt_repo_key_path }}] {{ apt_repo_url }} {{ distro }} {{ apt_repo_component }}'
 filename: '{{ apt_repo_name }}'
+ vars:
+ distro: '{{ apt_repo_distro | default(ansible_distribution_release) }}'
diff --git a/roles/digitalocean_volume/tasks/main.yml b/roles/digitalocean_volume/tasks/main.yml
index c23da76..07d6c74 100644
--- a/roles/digitalocean_volume/tasks/main.yml
+++ b/roles/digitalocean_volume/tasks/main.yml
@@ -1,11 +1,7 @@
-- name: Set default mount point
- ansible.builtin.set_fact:
- volume_dir: "{{ volume_dir | default('/mnt/{{ volume_name }}') }}"
-
 - name: 'Mount volume: {{ volume_name }}'
 become: true
 ansible.posix.mount:
- path: '{{ volume_dir }}'
+ path: "{{ volume_dir | default('/mnt/{{ volume_name }}') }}"
 src: '/dev/disk/by-id/scsi-0DO_Volume_{{ volume_name }}'
 state: mounted
 fstype: '{{ volume_fs }}'
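Review bot: The `Add key` task still downloads the repository signing key with `get_url` and no `checksum`, and the new `signed-by={{ apt_repo_key_path }}` then makes whatever arrived the sole trust root for every package from `apt_repo_url`; if `apt_repo_key_url` is ever an `http://` URL or the upstream host is compromised, an attacker-supplied key is installed without complaint. Since the role already parameterises the key, I would add `checksum: '{{ apt_repo_key_checksum | default(omit) }}'` to the `get_url` task and document `apt_repo_key_checksum` (e.g. `sha256:<hex>`) in defaults so callers can pin the key, plus an `ansible.builtin.assert` that `apt_repo_key_url` starts with `https://`. Note also that `get_url` keeps its default `force: false`, so an existing `.asc`/`.gpg` is never re-fetched and a rotated upstream key needs the file deleted by hand — worth a comment on the task.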
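Review bot: The new `path` value nests `{{ volume_name }}` inside a string literal of the outer `{{ … }}` expression (`default('/mnt/{{ volume_name }}')`); Jinja itself evaluates that to the literal text `/mnt/{{ volume_name }}`, and only a second, undocumented templating pass by Ansible turns it into a real path. The pattern was carried over from the removed `set_fact`, but it is now the mount target itself, and if ansible-core stops re-templating rendered results the volume is mounted under a directory literally named `{{ volume_name }}`. Build the string inside the expression instead: `path: "{{ volume_dir | default('/mnt/' ~ volume_name) }}"`.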
diff --git a/roles/file_wait/tasks/check.yml b/roles/file_wait/tasks/check.yml
index aa55830..47122b7 100644
--- a/roles/file_wait/tasks/check.yml
+++ b/roles/file_wait/tasks/check.yml
@@ -13,17 +13,17 @@
 ignore_unreachable: true
 ignore_errors: true
 
-- name: If the host restarted, try again
+- name: If host restarted, try again
 when: file_wait_check is unreachable
 block:
- - name: Log the number of tolerable reboots
+ - name: Show number of reboots
 ansible.builtin.debug:
- msg: 'Number of tolerable reboots: {{ file_wait_reboots }}'
+ msg: 'Number of reboots left: {{ file_wait_reboots_left }}'
 
- - name: Decrement the number of tolerable reboots
+ - name: Decrement number of reboots
 ansible.builtin.set_fact:
- file_wait_reboots: '{{ (file_wait_reboots | int) - 1 }}'
+ file_wait_reboots_left: '{{ (file_wait_reboots_left | int) - 1 }}'
 
- - name: Retry if there're more tolerable reboots
+ - name: Retry if there're more reboots
 ansible.builtin.include_tasks: check.yml
- when: (file_wait_reboots | int >= 0)
+ when: (file_wait_reboots_left | int >= 0)
diff --git a/roles/file_wait/tasks/main.yml b/roles/file_wait/tasks/main.yml
index 9afef57..169f834 100644
--- a/roles/file_wait/tasks/main.yml
+++ b/roles/file_wait/tasks/main.yml
@@ -1,3 +1,7 @@
+- name: Reset number of reboots
+ ansible.builtin.set_fact:
+ file_wait_reboots_left: '{{ file_wait_reboots }}'
+
 - name: Check if file exists
 ansible.builtin.include_tasks: check.yml
diff --git a/roles/letsencrypt/tasks/domain.yml b/roles/letsencrypt/tasks/domain.yml
index 13717ef..d3cb50a 100644
--- a/roles/letsencrypt/tasks/domain.yml
+++ b/roles/letsencrypt/tasks/domain.yml
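Review bot: The new `Reset number of reboots` task keeps a `set_fact` in a commit whose message argues against facts, and the reason is not obvious from the task itself: `check.yml` re-includes itself and decrements `file_wait_reboots_left` across those includes, so a task- or block-level `vars:` could not carry the count, while the fact has to be re-seeded here or a second invocation of the role on the same host would start from the previous run's exhausted counter. That deserves a comment, e.g. `# set_fact is deliberate here: check.yml recurses via include_tasks and decrements this counter, and facts persist across role calls, so it must be reset on every run of the role.` If `file_wait_reboots` has no entry in the role's defaults (not visible in this diff), this template is also where an undefined variable would first surface — worth confirming.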
@@ -1,30 +1,26 @@
-- name: Set certificate name
- ansible.builtin.set_fact:
- certificate_name: '{{ item.name | default(item) }}'
-
-- name: Set certificate domains
- ansible.builtin.set_fact:
- certificate_domains: "{{ item.domains | default([certificate_name]) | sort | unique }}"
-
-- name: Cache domain list
+- name: Set up certificate for domain
 become: true
- ansible.builtin.template:
- src: domain_list.txt
- dest: '/etc/letsencrypt/.domains_{{ certificate_name }}.txt'
- owner: root
- group: root
- mode: '640'
- register: domain_list
+ vars:
+ certificate_name: '{{ domain.name | default(domain) }}'
+ certificate_domains: "{{ domain.domains | default([certificate_name]) | sort | unique }}"
+ block:
+ - name: Cache domain list
+ ansible.builtin.template:
+ src: domain_list.txt
+ dest: '/etc/letsencrypt/.domains_{{ certificate_name }}.txt'
+ owner: root
+ group: root
+ mode: '640'
+ register: domain_list
 
-- name: 'Create certificate: {{ certificate_name }}'
- become: true
- ansible.builtin.command: |
- certbot certonly --noninteractive --agree-tos \
- --cert-name '{{ certificate_name }}' \
- --email '{{ certbot_email }}' \
- --domains '{{ certificate_domains | join(',') }}' \
- --preferred-challenges dns \
- --dns-digitalocean \
- --dns-digitalocean-credentials '{{ certbot_ini }}' \
- --dns-digitalocean-propagation-seconds 30
- when: domain_list.changed
+ - name: 'Create certificate: {{ certificate_name }}'
+ ansible.builtin.command: |
+ certbot certonly --noninteractive --agree-tos \
+ --cert-name '{{ certificate_name }}' \
+ --email '{{ certbot_email }}' \
+ --domains '{{ certificate_domains | join(',') }}' \
+ --preferred-challenges dns \
+ --dns-digitalocean \
+ --dns-digitalocean-credentials '{{ certbot_ini }}' \
+ --dns-digitalocean-propagation-seconds 30
+ when: domain_list.changed
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
index a4160d7..a1761a5 100644
--- a/roles/letsencrypt/tasks/main.yml
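Review bot: `when: domain_list.changed` on the `Create certificate` task ties issuance to the cache file that the previous task has already written, so a certbot failure (DNS propagation timeout, rate limit, a bad token in `certbot_ini`) leaves `.domains_<name>.txt` up to date and every later run skips certbot; the host stays without a certificate until someone edits the domain list. This predates the commit, but the block restructuring is the moment to fix it: stat the certificate certbot would produce (under its usual `/etc/letsencrypt/live/<cert-name>/` layout — please confirm on your hosts) and run certbot when the list changed or the file is missing. Separately, `ansible.builtin.command` does not spawn a shell, so the trailing `\` continuations in the `|` block are handed to `shlex` rather than interpreted by `sh`; it evidently works for you, but an `argv:` list would remove the doubt and also makes clear that a quote in `{{ certificate_name }}` can only break argument splitting, not inject a command.

```yaml
    - name: 'Check for existing certificate: {{ certificate_name }}'
      ansible.builtin.stat:
        path: '/etc/letsencrypt/live/{{ certificate_name }}/fullchain.pem'
      register: cert_stat

    - name: 'Create certificate: {{ certificate_name }}'
      # … unchanged: ansible.builtin.command block …
      when: domain_list.changed or not cert_stat.stat.exists
```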
+++ b/roles/letsencrypt/tasks/main.yml
@@ -13,3 +13,5 @@
 - name: Update certificates
 ansible.builtin.include_tasks: domain.yml
 loop: '{{ letsencrypt_domains }}'
+ loop_control:
+ loop_var: domain
diff --git a/roles/my_workspace/tasks/main.yml b/roles/my_workspace/tasks/main.yml
index 0acec47..6bbb308 100644
--- a/roles/my_workspace/tasks/main.yml
+++ b/roles/my_workspace/tasks/main.yml
@@ -31,3 +31,5 @@
 - name: Update projects
 ansible.builtin.include_tasks: project.yml
 loop: '{{ workspace_projects }}'
+ loop_control:
+ loop_var: project
diff --git a/roles/my_workspace/tasks/project.yml b/roles/my_workspace/tasks/project.yml
index 813de46..d6bf857 100644
--- a/roles/my_workspace/tasks/project.yml
+++ b/roles/my_workspace/tasks/project.yml
@@ -1,47 +1,41 @@
-- name: Set project URL
- ansible.builtin.set_fact:
- project_url: '{{ item.url | default(item) }}'
-
-- name: Set project name
- ansible.builtin.set_fact:
- project_name: "{{ item.name | default(project_url | urlsplit('path') | basename | regex_replace('\\.git$', '')) }}"
-
-- name: Set project directory
- ansible.builtin.set_fact:
+- name: Set up project
+ vars:
+ project_url: '{{ project.url | default(project) }}'
+ project_name: "{{ project.name | default(project_url | urlsplit('path') | basename | regex_replace('\\.git$', '')) }}"
 project_dir: '{{ workspace_dir }}/{{ project_name }}'
+ block:
+ - name: 'Update repository: {{ project_name }}'
+ ansible.builtin.git:
+ accept_hostkey: true
+ dest: '{{ project_dir }}'
+ repo: '{{ project_url }}'
 
-- name: 'Update repository: {{ project_name }}'
- ansible.builtin.git:
- accept_hostkey: true
- dest: '{{ project_dir }}'
- repo: '{{ project_url }}'
-
-- name: Check for Makefile
- ansible.builtin.file:
- path: '{{ project_dir }}/Makefile'
- state: file
- register: makefile_check
- ignore_errors: true
+ - name: Check for Makefile
+ ansible.builtin.file:
+ path: '{{ project_dir }}/Makefile'
+ state: file
+ register: makefile_check
+ ignore_errors: true
 
-- name: Check for docker-compose.yml
- ansible.builtin.file:
- path: '{{ project_dir }}/docker-compose.yml'
- state: file
- register: docker_compose_check
- ignore_errors: true
+ - name: Check for docker-compose.yml
+ ansible.builtin.file:
+ path: '{{ project_dir }}/docker-compose.yml'
+ state: file
+ register: docker_compose_check
+ ignore_errors: true
 
-- name: Run make
- become: true
- community.general.make:
- chdir: '{{ project_dir }}'
- when: makefile_check is succeeded
+ - name: Run make
+ become: true
+ community.general.make:
+ chdir: '{{ project_dir }}'
+ when: makefile_check is succeeded
 
-- name: Run docker-compose
- become: true
- community.docker.docker_compose:
- build: true
- debug: true
- project_src: '{{ project_dir }}'
- pull: true
- remove_orphans: true
- when: makefile_check is not succeeded and docker_compose_check is succeeded
+ - name: Run docker-compose
+ become: true
+ community.docker.docker_compose:
+ build: true
+ debug: true
+ project_src: '{{ project_dir }}'
+ pull: true
+ remove_orphans: true
+ when: makefile_check is not succeeded and docker_compose_check is succeeded
-- cgit v1.2.3
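Review bot: The `Check for Makefile` and `Check for docker-compose.yml` tasks probe for a file with `ansible.builtin.file: state: file` plus `ignore_errors: true`, which prints a red failure for every project that lacks the file and then relies on `is succeeded` evaluating an ignored failure; `ansible.builtin.stat` is the idiom, gives a real boolean and keeps the play output clean. The more important point for a reviewer is what the block does with the result: `Run make` and `Run docker-compose` execute, as root via `become: true`, whatever a freshly cloned repository ships in its Makefile or compose file (with `build: true` and `pull: true`), and `accept_hostkey: true` on the git task trusts the server's SSH key on first use, so `workspace_projects` is in effect a list of code that gets root on this host. A comment stating that, and ideally a `version:` pinned to a tag or commit per project, would make the trust decision explicit; the detection tasks would become:

```yaml
    - name: Check for Makefile
      ansible.builtin.stat:
        path: '{{ project_dir }}/Makefile'
      register: makefile_check

    - name: Check for docker-compose.yml
      ansible.builtin.stat:
        path: '{{ project_dir }}/docker-compose.yml'
      register: docker_compose_check

    - name: Run make
      # … unchanged: become / community.general.make …
      when: makefile_check.stat.exists

    - name: Run docker-compose
      # … unchanged: become / community.docker.docker_compose …
      when: not makefile_check.stat.exists and docker_compose_check.stat.exists
```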