duplicated variables removed, fixed syntax bug in main.yml, added users.acl secret file and its handlers

2025-07-21 14:53:18 +02:00 · 2025-07-21 14:53:18 +02:00 · 9efcf64b31
parent 88b23a2fa9
commit 9efcf64b31
6 changed files with 51 additions and 14 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -129,8 +129,7 @@ shinyproxy_max_request_size: "{{ shinyproxy_max_file_size }}"
 # REDIS for shinyproxy
 shinyproxy_redis_installation: false
 shinyproxy_redis_image: "redis:bookworm"
-# shinyproxy_redis_compose_dir: "/srv/shinyproxy_redis_stack"
-# shinyproxy_redis_docker_stack_name: ""
+
 # shinyproxy_redis_docker_network:""
 # shinyproxy_redis_service_name: ""
 # shinyproxy_redis_user: ""
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -13,3 +13,13 @@
    name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}"
    data_src: '{{ shinyproxy_as_docker_src_dir }}/application.yml'
    state: present
+  
+  
+- name: Stop the REDIS Swarm stack before creating the secrets
+  community.docker.docker_swarm_service:
+    name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_redis_service_name }}"
+    state: absent
+- name: Remove the secret for the REDIS user configuration file
+  community.docker.docker_secret:
+    name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_redis_service_name }}_user_config"
+    state: absent 
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -11,8 +11,8 @@
  ansible.builtin.import_tasks: shinyproxy_docker_stack_service.yml
  when:
    - shinyproxy_as_docker_service
-    - shinyproxy_container_backend == 'docker-swarm
- name: Shiniproxy REDIS service as docker swarm stack'
+    - shinyproxy_container_backend == 'docker-swarm'
+- name: Shiniproxy REDIS service as docker swarm stack
  ansible.builtin.import_tasks: shinyproxy_redis_service.yml
  when:
    - shinyproxy_as_docker_service
--- a/tasks/shinyproxy_redis_service.yml
+++ b/tasks/shinyproxy_redis_service.yml
@ -5,7 +5,7 @@
  block:
    - name: Create the compose directory for the REDIS Swarm stack
      ansible.builtin.file:
-        dest: "{{ shinyproxy_redis_compose_dir }}"
+        dest: "{{ shinyproxy_as_docker_src_dir }}"
        state: directory
        owner: root
        group: root
@ -13,15 +13,29 @@
    - name: Install the docker compose file of the REDIS Swarm stack
      ansible.builtin.template:
        src: shinyproxy-redis-docker-compose.yml.j2
-        dest: "{{ redis_compose_dir }}/shinyproxy-redis-docker-compose.yml"
+        dest: "{{ shinyproxy_as_docker_src_dir }}/shinyproxy-redis-docker-compose.yml"
        owner: root
        group: root
        mode: "0400"
+    - name: Install the REDIS user configuration file 
+      ansible.builtin.template:
+        src: shinyproxy-redis-users-config.acl.j2
+        dest: "{{ shinyproxy_as_docker_src_dir }}/shinyproxy-redis-users-config.acl"
+        owner: root
+        group: root
+        mode: "0400"
+      notify: 
+        - Stop the REDIS Swarm stack before creating the secrets
+        - Remove the secret for the REDIS user configuration file
+        - Restart shinyproxy
+        
+    - name: Flush the handlers so that we can manage the configuration file as a secret
+      ansible.builtin.meta: flush_handlers

    - name: Start the REDIS Swarm stack
      community.docker.docker_stack:
-        name: "{{ shinyproxy_redis_docker_stack_name }}"
+        name: "{{ shinyproxy_as_docker_stack_name }}"
        state: present
        compose:
-          - "{{ shinyproxy_redis_compose_dir }}/shinyproxy-redis-docker-compose.yml"
+          - "{{ shinyproxy_redis_compose_dir }}/shinyproxy_redis-docker-compose.yml"

--- a/templates/shinyproxy-redis-docker-compose.yml.j2
+++ b/templates/shinyproxy-redis-docker-compose.yml.j2
@ -1,9 +1,25 @@
+networks:
+  haproxy-public:
+    external: true
+  {{ shinyproxy_docker_network }}:
+    external: true
+
+secrets: 
+  {{ shinyproxy_redis_service_name }}_user_config:
+    file: ./shinyproxy-redis-users-config.acl
+
 services:
  {{ shinyproxy_redis_service_name }}:
    image: {{ shiniproxy_redis_image }}
    networks:
      - haproxy-public
-      - {{ shinyproxy_redis_docker_network }}
+      - {{ shinyproxy_docker_network }}
+    secrets: 
+      - source: {{ shinyproxy_redis_service_name }}_user_config
+        target: /usr/local/etc/redis/users.acl
+    
+    command: ["redis-server", "--aclfile", "/usr/local/etc/redis/users.acl"]
+    
    deploy:
      mode: replicated
      replicas: 1
@ -16,8 +32,4 @@ services:
    logging:
      driver: "journald"

-networks:
-  haproxy-public:
-    external: true
-  {{ shinyproxy_redis_docker_network }}:
-    external: true
+
--- a/templates/shinyproxy-redis-users-config.acl.j2
+++ b/templates/shinyproxy-redis-users-config.acl.j2
@ -0,0 +1,2 @@
+user default off
+user {{ shinyproxy_redis_user }}  on >{{ shinyproxy_redis_password }} ~* +@all