
---
# xworkmate_bridge role, main task list.
# Stages: service account and base directory, auth-token recovery, deprecated
# deployment cleanup, config file, systemd unit, Caddy ingress, service start,
# validation. Tasks that only make sense on Linux are guarded with
# `ansible_os_family != 'Darwin'`; macOS specifics live in macos.yml.

- name: Install xworkmate-bridge prerequisites
  when: ansible_os_family != 'Darwin'
  ansible.builtin.package:
    name: "{{ xworkmate_bridge_packages }}"
    state: present

- name: Ensure xworkmate-bridge service group exists
  ansible.builtin.group:
    state: present
    name: "{{ xworkmate_bridge_service_group }}"

- name: Ensure xworkmate-bridge service user exists
  # The account keeps a login shell and a home directory: later tasks run
  # `sudo -i -u <user> systemctl --user ...` and manage a user-level unit
  # under /home/<user>/.config/systemd/user.
  ansible.builtin.user:
    state: present
    name: "{{ xworkmate_bridge_service_user }}"
    group: "{{ xworkmate_bridge_service_group }}"
    create_home: true
    shell: /bin/bash

- name: Ensure xworkmate-bridge base directory exists
  ansible.builtin.file:
    state: directory
    path: "{{ xworkmate_bridge_base_dir }}"
    owner: "{{ xworkmate_bridge_service_user }}"
    group: "{{ xworkmate_bridge_service_group }}"
    mode: "0755"
- name: Read existing xworkmate-bridge auth token from systemd units
  # Recovers the token already rendered into the system or user unit so a
  # re-run without -e can fall back to it. The first non-empty match wins;
  # a missing unit yields empty stdout. The output is a secret, hence no_log.
  when: ansible_os_family != 'Darwin'
  ansible.builtin.shell: |
    set -euo pipefail
    for unit in \
      "{{ xworkmate_bridge_systemd_unit_path }}" \
      "{{ xworkmate_bridge_user_systemd_unit_path }}"
    do
      if [ -f "${unit}" ]; then
        sed -n 's/^Environment="BRIDGE_AUTH_TOKEN=\(.*\)"$/\1/p' "${unit}" | head -n 1
      fi
    done | sed '/^$/d' | head -n 1
  args:
    executable: /bin/bash
  register: xworkmate_bridge_existing_auth_token
  # Read-only probe: runs in check mode too and never reports change/failure.
  check_mode: false
  changed_when: false
  failed_when: false
  no_log: true

- name: Read existing xworkmate-bridge review auth token from systemd units
  # Same probe as above for BRIDGE_REVIEW_AUTH_TOKEN.
  when: ansible_os_family != 'Darwin'
  ansible.builtin.shell: |
    set -euo pipefail
    for unit in \
      "{{ xworkmate_bridge_systemd_unit_path }}" \
      "{{ xworkmate_bridge_user_systemd_unit_path }}"
    do
      if [ -f "${unit}" ]; then
        sed -n 's/^Environment="BRIDGE_REVIEW_AUTH_TOKEN=\(.*\)"$/\1/p' "${unit}" | head -n 1
      fi
    done | sed '/^$/d' | head -n 1
  args:
    executable: /bin/bash
  register: xworkmate_bridge_existing_review_auth_token
  check_mode: false
  changed_when: false
  failed_when: false
  no_log: true
- name: Resolve xworkmate-bridge auth token
  # Precedence: an explicitly supplied, non-blank token wins; otherwise use
  # the value read back from the existing unit files. When the read task was
  # skipped (macOS) or found nothing, the fallback is the empty string and the
  # assert further down will fail the play.
  no_log: true
  ansible.builtin.set_fact:
    xworkmate_bridge_effective_auth_token: >-
      {{ (xworkmate_bridge_auth_token | trim | length > 0)
         | ternary(xworkmate_bridge_auth_token,
                   xworkmate_bridge_existing_auth_token.stdout | default('')) }}
    xworkmate_bridge_effective_review_auth_token: >-
      {{ (xworkmate_bridge_review_auth_token | trim | length > 0)
         | ternary(xworkmate_bridge_review_auth_token,
                   xworkmate_bridge_existing_review_auth_token.stdout | default('')) }}
- name: Assert xworkmate-bridge binary exists
  ansible.builtin.stat:
    path: "{{ xworkmate_bridge_binary_path }}"
  register: xworkmate_bridge_binary

- name: Fail when xworkmate-bridge binary is missing
  # Deployment only continues when a regular file is present at the
  # configured binary path.
  ansible.builtin.assert:
    fail_msg: "xworkmate-bridge binary is missing: {{ xworkmate_bridge_binary_path }}"
    that:
      - xworkmate_bridge_binary.stat.exists
      - xworkmate_bridge_binary.stat.isreg

- name: Assert xworkmate-bridge auth token is provided
  # Neither -e nor the read-back from existing units produced a token.
  no_log: true
  ansible.builtin.assert:
    fail_msg: >-
      xworkmate_bridge_auth_token is required. Pass it with -e or provide
      BRIDGE_AUTH_TOKEN / INTERNAL_SERVICE_TOKEN in the deploy environment.
    that:
      - xworkmate_bridge_effective_auth_token | trim | length > 0
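- name: Stop deprecated Docker bridge container when present
  # Earlier deployments ran the bridge as a container; remove it so it cannot
  # compete with the systemd service. The container name is matched as a
  # whole fixed line (grep -Fx) and shell-quoted, so it is never interpreted
  # as a regex or split by the shell. grep reads all of docker's output
  # rather than using -q, so an early exit cannot SIGPIPE `docker ps` and,
  # under pipefail, turn a present container into a false negative.
  ansible.builtin.shell: |
    set -euo pipefail
    if docker ps -a --format '{{ "{{" }}.Names{{ "}}" }}' | grep -Fx {{ xworkmate_bridge_deprecated_container_name | quote }} >/dev/null; then
      docker rm -f {{ xworkmate_bridge_deprecated_container_name | quote }}
    fi
  args:
    executable: /bin/bash
  # Best effort: no docker binary or no such container is not a failure.
  changed_when: false
  failed_when: false
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

- name: Remove deprecated Docker bridge compose file
  ansible.builtin.file:
    path: "{{ xworkmate_bridge_deprecated_compose_file }}"
    state: absent

- name: Remove obsolete xworkmate-bridge systemd drop-ins
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop: "{{ xworkmate_bridge_obsolete_systemd_dropin_paths }}"
  notify: Reload bridge

- name: Disable and stop obsolete user-level xworkmate-serve service
  # `set -o pipefail` is not portable to every /bin/sh (dash rejects it), in
  # which case the script aborts on its first line and failed_when: false
  # hides that the stop/disable never ran. Run under bash explicitly, as the
  # other shell tasks in this file do.
  # NOTE(review): `systemctl --user` via `sudo -i` depends on the target
  # user's runtime bus being reachable (XDG_RUNTIME_DIR); errors are swallowed
  # by `|| true`, so confirm on a host that still has the old unit that it is
  # actually stopped.
  ansible.builtin.shell: |
    set -euo pipefail
    sudo -i -u {{ xworkmate_bridge_service_user | quote }} systemctl --user stop xworkmate-serve || true
    sudo -i -u {{ xworkmate_bridge_service_user | quote }} systemctl --user disable xworkmate-serve || true
  args:
    executable: /bin/bash
  changed_when: false
  failed_when: false
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

- name: Remove obsolete user-level xworkmate-serve service file
  ansible.builtin.file:
    path: "/home/{{ xworkmate_bridge_service_user }}/.config/systemd/user/xworkmate-serve.service"
    state: absent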
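- name: Inspect xworkmate-bridge config file attributes
  # lsattr prints "<flags> <path>" on one line; a missing file or an
  # unsupported filesystem leaves stdout empty (errors go to stderr).
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_config_file }}"
  register: xworkmate_bridge_config_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

- name: Remove immutable flag from xworkmate-bridge config file when present
  # Only the flags field (first whitespace-separated word of the lsattr
  # line) is tested. Testing the whole line would also match an "i" in the
  # file path and run chattr -i on every play.
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_config_file }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in ((xworkmate_bridge_config_attrs.stdout | default('')).split() | first | default(''))"
  changed_when: true

- name: Deploy xworkmate-bridge runtime configuration
  ansible.builtin.template:
    src: config.yaml.j2
    dest: "{{ xworkmate_bridge_config_file }}"
    owner: "{{ xworkmate_bridge_service_user }}"
    group: "{{ xworkmate_bridge_service_group }}"
    mode: "0644"
  notify: Reload bridge

- name: Restore immutable flag on xworkmate-bridge config file
  # The role owns this file, so it is always re-locked after deployment.
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_config_file }}"
  changed_when: true
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'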
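- name: Inspect xworkmate-bridge systemd unit attributes
  # lsattr prints "<flags> <path>"; empty stdout means no file / no support.
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_systemd_unit_path }}"
  register: xworkmate_bridge_unit_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

- name: Remove immutable flag from xworkmate-bridge systemd unit when present
  # Test the flags field only; an "i" in the unit path must not count.
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_systemd_unit_path }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in ((xworkmate_bridge_unit_attrs.stdout | default('')).split() | first | default(''))"
  changed_when: true

- name: Deploy xworkmate-bridge systemd unit
  # The rendered unit carries the auth token in an Environment= line (that
  # is what the read-back tasks above grep for), so it must not be
  # world-readable. systemd loads system units as root, so 0600 root:root is
  # sufficient. diff/no_log are off for the same reason.
  ansible.builtin.template:
    src: xworkmate-bridge.service.j2
    dest: "{{ xworkmate_bridge_systemd_unit_path }}"
    owner: root
    group: root
    mode: "0600"
  diff: false
  no_log: true
  register: xworkmate_bridge_systemd_unit
  notify: Reload bridge
  when: ansible_os_family != 'Darwin'

- name: Restore immutable flag on xworkmate-bridge systemd unit
  # The role owns this unit, so it is always re-locked after deployment.
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_systemd_unit_path }}"
  changed_when: true
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'

- name: Reload systemd after xworkmate-bridge unit changes
  # Handlers run later; reload now so the "Reload bridge" handler acts on
  # the freshly written unit.
  ansible.builtin.systemd:
    daemon_reload: true
  when:
    - xworkmate_bridge_systemd_unit.changed | default(false)
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'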
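- name: Ensure Caddy fragment directory exists
  ansible.builtin.file:
    path: "{{ xworkmate_bridge_caddy_conf_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Inspect Caddy main file attributes
  # lsattr prints "<flags> <path>"; empty stdout means no file / no support.
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_caddyfile_path }}"
  register: xworkmate_bridge_caddyfile_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

- name: Remove immutable flag from Caddy main file when present
  # Test the flags field only. A whole-line test would match an "i" in the
  # path (e.g. "Caddyfile") and always run chattr -i.
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_caddyfile_path }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in ((xworkmate_bridge_caddyfile_attrs.stdout | default('')).split() | first | default(''))"
  changed_when: true

- name: Ensure Caddy imports managed fragments
  ansible.builtin.lineinfile:
    path: "{{ xworkmate_bridge_caddyfile_path }}"
    line: "import {{ xworkmate_bridge_caddy_conf_dir }}/*.caddy"
    insertafter: EOF
    create: true
    owner: root
    group: root
    mode: "0644"
    state: present
  notify: Reload caddy

- name: Restore immutable flag on Caddy main file
  # The main Caddyfile is not owned by this role: the immutable flag is only
  # put back when the flags field showed it was set before we touched the
  # file, never added to a file that was previously mutable.
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_caddyfile_path }}"
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'
    - "'i' in ((xworkmate_bridge_caddyfile_attrs.stdout | default('')).split() | first | default(''))"
  changed_when: true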
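- name: Inspect xworkmate-bridge Caddy fragment attributes
  # lsattr prints "<flags> <path>"; empty stdout means no file / no support.
  ansible.builtin.command:
    cmd: lsattr "{{ xworkmate_bridge_service_caddy_fragment_path }}"
  register: xworkmate_bridge_site_fragment_attrs
  changed_when: false
  failed_when: false
  when: ansible_os_family != 'Darwin'

- name: Remove immutable flag from xworkmate-bridge Caddy fragment when present
  # Test the flags field only; an "i" in the fragment path must not count.
  ansible.builtin.command:
    cmd: chattr -i "{{ xworkmate_bridge_service_caddy_fragment_path }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in ((xworkmate_bridge_site_fragment_attrs.stdout | default('')).split() | first | default(''))"
  changed_when: true

- name: Deploy xworkmate-bridge public Caddy site
  ansible.builtin.template:
    src: xworkmate-bridge-site.caddy.j2
    dest: "{{ xworkmate_bridge_service_caddy_fragment_path }}"
    owner: root
    group: root
    mode: "0644"
  when: xworkmate_bridge_public_access | bool
  notify: Reload caddy

- name: Remove xworkmate-bridge public Caddy site when public access is disabled
  ansible.builtin.file:
    path: "{{ xworkmate_bridge_service_caddy_fragment_path }}"
    state: absent
  when: not (xworkmate_bridge_public_access | bool)
  notify: Reload caddy

- name: Restore immutable flag on xworkmate-bridge Caddy fragment
  # The role owns this fragment: always re-lock it after deployment, but
  # only when it exists (public access enabled).
  ansible.builtin.command:
    cmd: chattr +i "{{ xworkmate_bridge_service_caddy_fragment_path }}"
  changed_when: true
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'
    - xworkmate_bridge_public_access | bool

- name: Inspect deprecated ACP Caddy fragment attributes
  ansible.builtin.command:
    cmd: lsattr "{{ item }}"
  register: xworkmate_bridge_obsolete_fragment_attrs
  changed_when: false
  failed_when: false
  loop: "{{ xworkmate_bridge_obsolete_caddy_fragment_paths }}"
  when: ansible_os_family != 'Darwin'

- name: Remove immutable flag from deprecated ACP Caddy fragments when present
  # Per-item result from the loop above; test the flags field only so an
  # "i" in the path does not trigger chattr, and tolerate skipped items
  # (no stdout).
  ansible.builtin.command:
    cmd: chattr -i "{{ item.item }}"
  when:
    - ansible_os_family != 'Darwin'
    - "'i' in ((item.stdout | default('')).split() | first | default(''))"
  changed_when: true
  loop: "{{ xworkmate_bridge_obsolete_fragment_attrs.results }}"
  loop_control:
    label: "{{ item.item }}"

- name: Remove deprecated ACP Caddy fragments
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop: "{{ xworkmate_bridge_obsolete_caddy_fragment_paths }}"
  notify: Reload caddy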
- name: Ensure xworkmate-bridge service is enabled and running
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'
  ansible.builtin.systemd:
    name: "{{ xworkmate_bridge_service_name }}"
    state: started
    enabled: true

- name: Ensure Caddy is enabled and running
  when:
    - not ansible_check_mode
    - ansible_os_family != 'Darwin'
  ansible.builtin.systemd:
    name: caddy
    state: started
    enabled: true

- name: Apply xworkmate-bridge service and Caddy changes before validation
  # Run any pending "Reload bridge" / "Reload caddy" handlers now so the
  # validation below observes the configuration this play just wrote.
  ansible.builtin.meta: flush_handlers

- name: Include ACP ingress validation tasks
  # import_tasks is static: the tags and the conditional are applied to each
  # task inside validate.yml.
  ansible.builtin.import_tasks: validate.yml
  tags:
    - xworkmate_bridge
    - xworkmate_bridge_validate
  when:
    - not ansible_check_mode

- name: Import macOS specific xworkmate-bridge tasks
  ansible.builtin.import_tasks: macos.yml
  when: ansible_os_family == 'Darwin'