From 9efcf64b318c5d94aaf4b9509eb96b003347b318 Mon Sep 17 00:00:00 2001
From: Marco Procaccini
Date: Mon, 21 Jul 2025 14:53:18 +0200
Subject: [PATCH] duplicated variables removed, fixed syntax bug in main.yml, added users.acl secret file and its handlers
---
 defaults/main.yml | 3 +--
 handlers/main.yml | 10 ++++++++
 tasks/main.yml | 4 ++--
 tasks/shinyproxy_redis_service.yml | 22 +++++++++++++----
 .../shinyproxy-redis-docker-compose.yml.j2 | 24 ++++++++++++++-----
 .../shinyproxy-redis-users-config.acl.j2 | 2 ++
 6 files changed, 51 insertions(+), 14 deletions(-)
 create mode 100644 templates/shinyproxy-redis-users-config.acl.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index cfaa400..8975a4f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -129,8 +129,7 @@ shinyproxy_max_request_size: "{{ shinyproxy_max_file_size }}"
 # REDIS for shinyproxy
 shinyproxy_redis_installation: false
 shinyproxy_redis_image: "redis:bookworm"
-# shinyproxy_redis_compose_dir: "/srv/shinyproxy_redis_stack"
-# shinyproxy_redis_docker_stack_name: ""
+
 # shinyproxy_redis_docker_network:""
 # shinyproxy_redis_service_name: ""
 # shinyproxy_redis_user: ""
diff --git a/handlers/main.yml b/handlers/main.yml
index 6a08b49..78a2f41 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,3 +13,13 @@
 name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}"
 data_src: '{{ shinyproxy_as_docker_src_dir }}/application.yml'
 state: present
+
+
+- name: Stop the REDIS Swarm stack before creating the secrets
+ community.docker.docker_swarm_service:
+ name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_redis_service_name }}"
+ state: absent
+- name: Remove the secret for the REDIS user configuration file
+ community.docker.docker_secret:
+ name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_redis_service_name }}_user_config"
+ state: absent
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 429d29a..0efc211 100644
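Review bot: The two handlers added to handlers/main.yml only work in this exact order, and nothing in the file says so: Ansible runs notified handlers in the order they are defined, not in the order of the `notify` list, and Docker refuses to remove a secret that a service still uses. A comment above the first one would protect that, e.g. `# Keep these two in this order: the Redis service must be removed before its ACL secret can be deleted.` If `Restart shinyproxy` is defined earlier in this file (not visible in the hunk), it runs before both of them, and in any case before the stack is redeployed, so ShinyProxy may restart while Redis is still down. The file now also ends without a trailing newline.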
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,8 +11,8 @@
 ansible.builtin.import_tasks: shinyproxy_docker_stack_service.yml
 when:
 - shinyproxy_as_docker_service
- shinyproxy_container_backend == 'docker-swarm
-- name: Shiniproxy REDIS service as docker swarm stack'
+ - shinyproxy_container_backend == 'docker-swarm'
+- name: Shiniproxy REDIS service as docker swarm stack
 ansible.builtin.import_tasks: shinyproxy_redis_service.yml
 when:
 - shinyproxy_as_docker_service
diff --git a/tasks/shinyproxy_redis_service.yml b/tasks/shinyproxy_redis_service.yml
index 649b662..29f0b77 100644
--- a/tasks/shinyproxy_redis_service.yml
+++ b/tasks/shinyproxy_redis_service.yml
@@ -5,7 +5,7 @@
 block:
 - name: Create the compose directory for the REDIS Swarm stack
 ansible.builtin.file:
- dest: "{{ shinyproxy_redis_compose_dir }}"
+ dest: "{{ shinyproxy_as_docker_src_dir }}"
 state: directory
 owner: root
 group: root
@@ -13,15 +13,29 @@
 - name: Install the docker compose file of the REDIS Swarm stack
 ansible.builtin.template:
 src: shinyproxy-redis-docker-compose.yml.j2
- dest: "{{ redis_compose_dir }}/shinyproxy-redis-docker-compose.yml"
+ dest: "{{ shinyproxy_as_docker_src_dir }}/shinyproxy-redis-docker-compose.yml"
 owner: root
 group: root
 mode: "0400"
+ - name: Install the REDIS user configuration file
+ ansible.builtin.template:
+ src: shinyproxy-redis-users-config.acl.j2
+ dest: "{{ shinyproxy_as_docker_src_dir }}/shinyproxy-redis-users-config.acl"
+ owner: root
+ group: root
+ mode: "0400"
+ notify:
+ - Stop the REDIS Swarm stack before creating the secrets
+ - Remove the secret for the REDIS user configuration file
+ - Restart shinyproxy
+
+ - name: Flush the handlers so that we can manage the configuration file as a secret
+ ansible.builtin.meta: flush_handlers
 - name: Start the REDIS Swarm stack
 community.docker.docker_stack:
- name: "{{ shinyproxy_redis_docker_stack_name }}"
+ name: "{{ shinyproxy_as_docker_stack_name }}"
 state: present
 compose:
- - "{{ shinyproxy_redis_compose_dir }}/shinyproxy-redis-docker-compose.yml"
+ - "{{ shinyproxy_redis_compose_dir }}/shinyproxy_redis-docker-compose.yml"
diff --git a/templates/shinyproxy-redis-docker-compose.yml.j2 b/templates/shinyproxy-redis-docker-compose.yml.j2
index cb42295..55954e5 100644
--- a/templates/shinyproxy-redis-docker-compose.yml.j2
+++ b/templates/shinyproxy-redis-docker-compose.yml.j2
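Review bot: In tasks/shinyproxy_redis_service.yml the `compose:` entry of `Start the REDIS Swarm stack` now points at `{{ shinyproxy_redis_compose_dir }}/shinyproxy_redis-docker-compose.yml`, but the template task above writes `{{ shinyproxy_as_docker_src_dir }}/shinyproxy-redis-docker-compose.yml`; the variable is the one whose commented-out default this commit deletes, and the file name has an underscore where the installed file has a hyphen. The entry should read `- "{{ shinyproxy_as_docker_src_dir }}/shinyproxy-redis-docker-compose.yml"`. Separately, the new `Install the REDIS user configuration file` task renders the Redis password, so it should carry `no_log: true` to keep the rendered content out of task output and `--diff` runs. The enclosing `block:` starts above this hunk.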
@@ -1,9 +1,25 @@
+networks:
+ haproxy-public:
+ external: true
+ {{ shinyproxy_docker_network }}:
+ external: true
+
+secrets:
+ {{ shinyproxy_redis_service_name }}_user_config:
+ file: ./shinyproxy-redis-users-config.acl
+
 services:
 {{ shinyproxy_redis_service_name }}:
 image: {{ shiniproxy_redis_image }}
 networks:
 - haproxy-public
- - {{ shinyproxy_redis_docker_network }}
+ - {{ shinyproxy_docker_network }}
+ secrets:
+ - source: {{ shinyproxy_redis_service_name }}_user_config
+ target: /usr/local/etc/redis/users.acl
+
+ command: ["redis-server", "--aclfile", "/usr/local/etc/redis/users.acl"]
+
 deploy:
 mode: replicated
 replicas: 1
@@ -16,8 +32,4 @@ services:
 logging:
 driver: "journald"
-networks:
- haproxy-public:
- external: true
- {{ shinyproxy_redis_docker_network }}:
- external: true
+
+
diff --git a/templates/shinyproxy-redis-users-config.acl.j2 b/templates/shinyproxy-redis-users-config.acl.j2
new file mode 100644
index 0000000..ac7d8e4
--- /dev/null
+++ b/templates/shinyproxy-redis-users-config.acl.j2
@@ -0,0 +1,2 @@
+user default off
+user {{ shinyproxy_redis_user }} on >{{ shinyproxy_redis_password }} ~* +@all
\ No newline at end of file
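Review bot: In templates/shinyproxy-redis-docker-compose.yml.j2 the unchanged line `image: {{ shiniproxy_redis_image }}` misspells the variable that defaults/main.yml defines as `shinyproxy_redis_image`, so unless the misspelled name is set elsewhere the template fails to render; it should be `image: "{{ shinyproxy_redis_image }}"`. The service also stays attached to `haproxy-public`, which makes the Redis port reachable from every container on the proxy network and leaves the ACL password as the only barrier. If only ShinyProxy talks to Redis, attaching the service to `{{ shinyproxy_docker_network }}` alone would remove that exposure.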
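Review bot: In templates/shinyproxy-redis-users-config.acl.j2 the account rule stores the password in clear text (`>`) and grants `~* +@all`, which includes administrative commands such as CONFIG, ACL and FLUSHALL. Redis ACL files also accept a SHA-256 digest prefixed with `#`, so the rule can be rendered as `user {{ shinyproxy_redis_user }} on #{{ shinyproxy_redis_password | hash('sha256') }} ~* +@all`, which also avoids a broken rule when the password contains whitespace. Narrowing the key pattern and command categories to what ShinyProxy actually issues would be the next step, but that set is not visible here and needs checking against its Redis usage.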