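---
# Tasks that install and configure the xworkmate-bridge service: service
# account, auth-token resolution, removal of deprecated artefacts, runtime
# config, systemd unit, Caddy fragments, and a final validation include.
# Most tasks are skipped on macOS (ansible_os_family == 'Darwin'); macOS
# specifics are imported from macos.yml at the end of the file.
# Handlers "Reload bridge" and "Reload caddy" are notified here and must be
# defined elsewhere in the role.

- name: Install xworkmate-bridge prerequisites
  ansible.builtin.package:
    name: "{{ xworkmate_bridge_packages }}"
    state: present
  when: ansible_os_family != 'Darwin'

- name: Ensure xworkmate-bridge service group exists
  ansible.builtin.group:
    name: "{{ xworkmate_bridge_service_group }}"
    state: present

# NOTE(review): the account gets an interactive login shell and a home
# directory. A later task runs `sudo -i -u <user> systemctl --user ...`,
# which depends on that shell; once the obsolete user-level service is gone
# everywhere, consider a non-login shell for this service account.
- name: Ensure xworkmate-bridge service user exists
  ansible.builtin.user:
    name: "{{ xworkmate_bridge_service_user }}"
    group: "{{ xworkmate_bridge_service_group }}"
    shell: /bin/bash
    create_home: true
    state: present

- name: Ensure xworkmate-bridge base directory exists
  ansible.builtin.file:
    path: "{{ xworkmate_bridge_base_dir }}"
    state: directory
    owner: "{{ xworkmate_bridge_service_user }}"
    group: "{{ xworkmate_bridge_service_group }}"
    mode: "0755"

# Recover a previously deployed token from the system or user unit file so a
# re-run without an explicit token keeps the existing one. Prints the first
# non-empty match only. no_log keeps the token out of task output;
# failed_when: false makes a missing or unreadable unit a non-event.
- name: Read existing xworkmate-bridge auth token from systemd units
  ansible.builtin.shell: |
    set -euo pipefail
    for unit in \
      "{{ xworkmate_bridge_systemd_unit_path }}" \
      "{{ xworkmate_bridge_user_systemd_unit_path }}"
    do
      if [ -f "${unit}" ]; then
        sed -n 's/^Environment="BRIDGE_AUTH_TOKEN=\(.*\)"$/\1/p' "${unit}" | head -n 1
      fi
    done | sed '/^$/d' | head -n 1
  args:
    executable: /bin/bash
  register: xworkmate_bridge_existing_auth_token
  check_mode: false
  changed_when: false
  failed_when: false
  no_log: true
  when: ansible_os_family != 'Darwin'

# Same recovery as above, for the review token.
- name: Read existing xworkmate-bridge review auth token from systemd units
  ansible.builtin.shell: |
    set -euo pipefail
    for unit in \
      "{{ xworkmate_bridge_systemd_unit_path }}" \
      "{{ xworkmate_bridge_user_systemd_unit_path }}"
    do
      if [ -f "${unit}" ]; then
        sed -n 's/^Environment="BRIDGE_REVIEW_AUTH_TOKEN=\(.*\)"$/\1/p' "${unit}" | head -n 1
      fi
    done | sed '/^$/d' | head -n 1
  args:
    executable: /bin/bash
  register: xworkmate_bridge_existing_review_auth_token
  check_mode: false
  changed_when: false
  failed_when: false
  no_log: true
  when: ansible_os_family != 'Darwin'

# An explicitly supplied token wins; otherwise fall back to the value read
# from the existing unit (empty string when the read task was skipped or
# found nothing).
- name: Resolve xworkmate-bridge auth token
  ansible.builtin.set_fact:
    xworkmate_bridge_effective_auth_token: >-
      {{
        xworkmate_bridge_auth_token
        if (xworkmate_bridge_auth_token | trim | length > 0)
        else (xworkmate_bridge_existing_auth_token.stdout | default(''))
      }}
    xworkmate_bridge_effective_review_auth_token: >-
      {{
        xworkmate_bridge_review_auth_token
        if (xworkmate_bridge_review_auth_token | trim | length > 0)
        else (xworkmate_bridge_existing_review_auth_token.stdout | default(''))
      }}
  no_log: true

- name: Assert xworkmate-bridge binary exists
  ansible.builtin.stat:
    path: "{{ xworkmate_bridge_binary_path }}"
  register: xworkmate_bridge_binary

- name: Fail when xworkmate-bridge binary is missing
  ansible.builtin.assert:
    that:
      - xworkmate_bridge_binary.stat.exists
      - xworkmate_bridge_binary.stat.isreg
    fail_msg: "xworkmate-bridge binary is missing: {{ xworkmate_bridge_binary_path }}"

# Only the main token is mandatory; the review token is not asserted.
# NOTE(review): no_log also censors the result of a failed task, so fail_msg
# may never reach the operator. The assertion only tests the length of the
# token - confirm whether no_log is needed here.
- name: Assert xworkmate-bridge auth token is provided
  ansible.builtin.assert:
    that:
      - xworkmate_bridge_effective_auth_token | trim | length > 0
    fail_msg: >-
      xworkmate_bridge_auth_token is required. Pass it with -e or provide
      BRIDGE_AUTH_TOKEN / INTERNAL_SERVICE_TOKEN in the deploy environment.
  no_log: true

# Best-effort cleanup of the old container-based deployment. The container
# name is matched as a fixed whole-line string and shell-quoted, so a name
# with regex or shell metacharacters cannot alter the command.
- name: Stop deprecated Docker bridge container when present
  ansible.builtin.shell: |
    set -euo pipefail
    if docker ps -a --format '{{ "{{" }}.Names{{ "}}" }}' | grep -Fxq -- {{ xworkmate_bridge_deprecated_container_name | quote }}; then
      docker rm -f {{ xworkmate_bridge_deprecated_container_name | quote }}
    fi
  args:
    executable: /bin/bash
  changed_when: false
  failed_when: false
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

- name: Remove deprecated Docker bridge compose file
  ansible.builtin.file:
    path: "{{ xworkmate_bridge_deprecated_compose_file }}"
    state: absent

- name: Remove obsolete xworkmate-bridge systemd drop-ins
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop: "{{ xworkmate_bridge_obsolete_systemd_dropin_paths }}"
  notify: Reload bridge

# `set -o pipefail` is a bash feature, so bash is requested explicitly like
# in the other shell tasks. Under a /bin/sh that rejects the option the
# script would abort on its first line, and failed_when: false would hide it.
- name: Disable and stop obsolete user-level xworkmate-serve service
  ansible.builtin.shell: |
    set -euo pipefail
    sudo -i -u {{ xworkmate_bridge_service_user | quote }} systemctl --user stop xworkmate-serve || true
    sudo -i -u {{ xworkmate_bridge_service_user | quote }} systemctl --user disable xworkmate-serve || true
  args:
    executable: /bin/bash
  changed_when: false
  failed_when: false
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

- name: Remove obsolete user-level xworkmate-serve service file
  ansible.builtin.file:
    path: "/home/{{ xworkmate_bridge_service_user }}/.config/systemd/user/xworkmate-serve.service"
    state: absent

# --- Runtime configuration -------------------------------------------------
# Pattern used for every managed file below: read the attributes with lsattr,
# clear the immutable flag if it is set, write the file, set the flag again.

- name: Inspect xworkmate-bridge config file attributes
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_config_file }}"
  register: xworkmate_bridge_config_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

# lsattr prints "<flags> <path>". Only the flags field is tested, so an "i"
# in the file name is not mistaken for the immutable attribute.
- name: Remove immutable flag from xworkmate-bridge config file when present
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_config_file }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in (xworkmate_bridge_config_attrs.stdout | default('')).split(' ')[0]"
  changed_when: true

# NOTE(review): mode 0644 makes the rendered config world-readable. If
# config.yaml.j2 renders secrets (not visible here), tighten to 0640/0600.
- name: Deploy xworkmate-bridge runtime configuration
  ansible.builtin.template:
    src: config.yaml.j2
    dest: "{{ xworkmate_bridge_config_file }}"
    owner: "{{ xworkmate_bridge_service_user }}"
    group: "{{ xworkmate_bridge_service_group }}"
    mode: "0644"
  notify: Reload bridge

# Sets the flag unconditionally on Linux, whether or not it was set before,
# and always reports "changed".
- name: Restore immutable flag on xworkmate-bridge config file
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_config_file }}"
  changed_when: true
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

# --- systemd unit ----------------------------------------------------------

- name: Inspect xworkmate-bridge systemd unit attributes
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_systemd_unit_path }}"
  register: xworkmate_bridge_unit_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

# Flags field only; see the config-file task above.
- name: Remove immutable flag from xworkmate-bridge systemd unit when present
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_systemd_unit_path }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in (xworkmate_bridge_unit_attrs.stdout | default('')).split(' ')[0]"
  changed_when: true

# diff: false and no_log: true keep the rendered unit out of Ansible output.
# NOTE(review): the token-recovery tasks at the top of this file parse
# Environment="BRIDGE_AUTH_TOKEN=..." from this path, so the rendered unit
# presumably carries the tokens in clear text. With mode 0644 every local
# account can read them. Tightening the mode alone does not help, because
# systemd also exposes a unit's Environment= through its API. Prefer
# EnvironmentFile= pointing at a root-owned 0600 file, or systemd
# credentials; that needs a change in xworkmate-bridge.service.j2 and in the
# recovery tasks.
- name: Deploy xworkmate-bridge systemd unit
  ansible.builtin.template:
    src: xworkmate-bridge.service.j2
    dest: "{{ xworkmate_bridge_systemd_unit_path }}"
    owner: root
    group: root
    mode: "0644"
  diff: false
  no_log: true
  register: xworkmate_bridge_systemd_unit
  notify: Reload bridge
  when: ansible_os_family != 'Darwin'

- name: Restore immutable flag on xworkmate-bridge systemd unit
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_systemd_unit_path }}"
  changed_when: true
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

- name: Reload systemd after xworkmate-bridge unit changes
  ansible.builtin.systemd:
    daemon_reload: true
  when:
    - xworkmate_bridge_systemd_unit.changed | default(false)
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

# --- Caddy -----------------------------------------------------------------

- name: Ensure Caddy fragment directory exists
  ansible.builtin.file:
    path: "{{ xworkmate_bridge_caddy_conf_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Inspect Caddy main file attributes
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_caddyfile_path }}"
  register: xworkmate_bridge_caddyfile_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

# Flags field only; see the config-file task above.
- name: Remove immutable flag from Caddy main file when present
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_caddyfile_path }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in (xworkmate_bridge_caddyfile_attrs.stdout | default('')).split(' ')[0]"
  changed_when: true

- name: Ensure Caddy imports managed fragments
  ansible.builtin.lineinfile:
    path: "{{ xworkmate_bridge_caddyfile_path }}"
    line: "import {{ xworkmate_bridge_caddy_conf_dir }}/*.caddy"
    insertafter: EOF
    create: true
    owner: root
    group: root
    mode: "0644"
    state: present
  notify: Reload caddy

# Unlike the config and unit files, the main Caddyfile is made immutable again
# only if it was immutable before this run. The flags-field test keeps a path
# that merely contains the letter "i" from setting the flag.
- name: Restore immutable flag on Caddy main file
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_caddyfile_path }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in (xworkmate_bridge_caddyfile_attrs.stdout | default('')).split(' ')[0]"
  changed_when: true

- name: Inspect xworkmate-bridge Caddy fragment attributes
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_service_caddy_fragment_path }}"
  register: xworkmate_bridge_site_fragment_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

# Flags field only; see the config-file task above.
- name: Remove immutable flag from xworkmate-bridge Caddy fragment when present
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_service_caddy_fragment_path }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in (xworkmate_bridge_site_fragment_attrs.stdout | default('')).split(' ')[0]"
  changed_when: true

# The public site fragment exists only while public access is enabled.
- name: Deploy xworkmate-bridge public Caddy site
  ansible.builtin.template:
    src: xworkmate-bridge-site.caddy.j2
    dest: "{{ xworkmate_bridge_service_caddy_fragment_path }}"
    owner: root
    group: root
    mode: "0644"
  when: xworkmate_bridge_public_access | bool
  notify: Reload caddy

- name: Remove xworkmate-bridge public Caddy site when public access is disabled
  ansible.builtin.file:
    path: "{{ xworkmate_bridge_service_caddy_fragment_path }}"
    state: absent
  when: not (xworkmate_bridge_public_access | bool)
  notify: Reload caddy

- name: Restore immutable flag on xworkmate-bridge Caddy fragment
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_service_caddy_fragment_path }}"
  changed_when: true
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'
    - xworkmate_bridge_public_access | bool

- name: Inspect deprecated ACP Caddy fragment attributes
  ansible.builtin.command:
    cmd: lsattr "{{ item }}"
  register: xworkmate_bridge_obsolete_fragment_attrs
  changed_when: false
  failed_when: false
  loop: "{{ xworkmate_bridge_obsolete_caddy_fragment_paths }}"
  when: ansible_os_family != 'Darwin'

# item is one lsattr result; item.item is the path it was run against.
# Flags field only; see the config-file task above.
- name: Remove immutable flag from deprecated ACP Caddy fragments when present
  ansible.builtin.command:
    cmd: chattr -i "{{ item.item }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in (item.stdout | default('')).split(' ')[0]"
  changed_when: true
  loop: "{{ xworkmate_bridge_obsolete_fragment_attrs.results }}"
  loop_control:
    label: "{{ item.item }}"

- name: Remove deprecated ACP Caddy fragments
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop: "{{ xworkmate_bridge_obsolete_caddy_fragment_paths }}"
  notify: Reload caddy

# --- Services and validation -----------------------------------------------

- name: Ensure xworkmate-bridge service is enabled and running
  ansible.builtin.systemd:
    name: "{{ xworkmate_bridge_service_name }}"
    enabled: true
    state: started
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

- name: Ensure Caddy is enabled and running
  ansible.builtin.systemd:
    name: caddy
    enabled: true
    state: started
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

# Run pending handlers now so validation sees the new configuration.
- name: Apply xworkmate-bridge service and Caddy changes before validation
  ansible.builtin.meta: flush_handlers

- name: Include ACP ingress validation tasks
  ansible.builtin.import_tasks: validate.yml
  tags: [xworkmate_bridge, xworkmate_bridge_validate]
  when:
    - not ansible_check_mode

- name: Import macOS specific xworkmate-bridge tasks
  ansible.builtin.import_tasks: macos.yml
  when: ansible_os_family == 'Darwin'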