diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml
index 5b6489f..40ca301 100644
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@@ -5,6 +5,7 @@
 # Fetch all 1Password credentials upfront to minimize prompts
 # Each role also fetches its own credentials (with 'when: is not defined')
 # so they still work when running with --tags
+ # Tags ensure pre_tasks only run when relevant roles are included
 pre_tasks:
 - name: Fetch PostgreSQL superuser password
 ansible.builtin.command:
@@ -13,11 +14,13 @@
 register: _pg_superuser_pw
 changed_when: false
 no_log: true
+ tags: [postgresql]

 - name: Set PostgreSQL superuser password fact
 ansible.builtin.set_fact:
 pg_superuser_password: "{{ _pg_superuser_pw.stdout }}"
 no_log: true
+ tags: [postgresql]

 - name: Fetch PostgreSQL alloy user password
 ansible.builtin.command:
@@ -26,11 +29,13 @@
 register: _pg_alloy_pw
 changed_when: false
 no_log: true
+ tags: [alloy, postgresql]

 - name: Set PostgreSQL alloy password fact
 ansible.builtin.set_fact:
 alloy_postgres_password: "{{ _pg_alloy_pw.stdout }}"
 no_log: true
+ tags: [alloy, postgresql]

 - name: Fetch miniflux database password
 ansible.builtin.command:
@@ -39,11 +44,13 @@
 register: _miniflux_db_pw
 changed_when: false
 no_log: true
+ tags: [miniflux, postgresql]

 - name: Set miniflux passwords fact
 ansible.builtin.set_fact:
 miniflux_db_password: "{{ _miniflux_db_pw.stdout }}"
 no_log: true
+ tags: [miniflux, postgresql]

 - name: Fetch borgmatic database password
 ansible.builtin.command:
@@ -52,6 +59,7 @@
 register: _borgmatic_db_pw
 changed_when: false
 no_log: true
+ tags: [postgresql]

 - name: Build PostgreSQL user password lookup
 ansible.builtin.set_fact:
@@ -60,6 +68,7 @@
 borgmatic: "{{ _borgmatic_db_pw.stdout }}"
 alloy: "{{ _pg_alloy_pw.stdout }}"
 no_log: true
+ tags: [postgresql]

 roles:
 - role: loki
diff --git a/ansible/roles/tailscale_serve/tasks/main.yml b/ansible/roles/tailscale_serve/tasks/main.yml
index 6ed7442..d7e9a8f 100644
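Review bot: The `Build PostgreSQL user password lookup` task in the last hunk (`@@ -60,6 +68,7 @@`) reads the registers of four separately tagged fetch tasks, and a tag selection that runs it without one of its inputs fails on an undefined `_*_pw` variable rather than falling back, because a task filtered out by tags never sets its `register`. Today the sets are consistent (every fetch carries `postgresql`), but nothing records that invariant; I would add above the lookup task `# Must carry a tag present on every fetch task it reads from; tag-filtered tasks never set their register`. The new comment in the first hunk presumably assumes the roles themselves are tagged `postgresql`/`alloy`/`miniflux`, which is not visible in this diff and is worth stating explicitly. The `Fetch borgmatic database password` task (`@@ -52,6 +59,7 @@`) carries only `postgresql`, unlike the alloy and miniflux fetches; if a borgmatic role exists, `tags: [borgmatic, postgresql]` on it and its consumer would follow the same pattern.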
--- a/ansible/roles/tailscale_serve/tasks/main.yml
+++ b/ansible/roles/tailscale_serve/tasks/main.yml
@@ -4,22 +4,33 @@
 register: serve_status
 changed_when: false

+- name: Parse serve status
+ ansible.builtin.set_fact:
+ serve_config: "{{ (serve_status.stdout | from_json).Services | default({}) }}"
+
+# Configure HTTPS if service doesn't have Web config yet
 - name: Configure HTTPS services
 ansible.builtin.command: > tailscale serve --service="{{ item.name }}" --https={{ item.https.port }} {{ item.https.upstream }}
 loop: "{{ tailscale_services }}"
- when: item.https is defined
+ when:
+ - item.https is defined
+ - serve_config[item.name] is not defined or serve_config[item.name].Web is not defined
 register: https_result
- changed_when: "'already serving' not in https_result.stderr | default('')"
 failed_when: false

+# Configure TCP if service doesn't have the specific port configured yet
 - name: Configure TCP services
 ansible.builtin.command: > tailscale serve --service="{{ item.name }}" --tcp={{ item.tcp.port }} {{ item.tcp.upstream }}
 loop: "{{ tailscale_services }}"
- when: item.tcp is defined
+ when:
+ - item.tcp is defined
+ - serve_config[item.name] is not defined or
+ serve_config[item.name].TCP is not defined or
+ serve_config[item.name].TCP[item.tcp.port | string] is not defined or
+ serve_config[item.name].TCP[item.tcp.port | string].TCPForward is not defined
 register: tcp_result
- changed_when: "'already serving' not in tcp_result.stderr | default('')"
 failed_when: false
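Review bot: The new `when` guards only check that a `Web` entry or a `TCPForward` entry exists for the service, not that it matches `item.https`/`item.tcp`, so a changed port or upstream in `tailscale_services` is never reapplied and the live serve config silently drifts from the declared one. With `changed_when` removed, `failed_when: false` now hides every real error from `tailscale serve` (the already-configured case is already excluded by the guard), and a failed exposure is reported as `changed`; I would drop `failed_when: false` or narrow it to `failed_when: https_result.rc != 0 and 'already serving' not in (https_result.stderr | default(''))`, and likewise for `tcp_result`. The `Parse serve status` fact assumes the status command always returns JSON; if it can emit empty output, `from_json` raises before `default({})` applies, and the `register: serve_status` task starts outside the hunk so I cannot see whether that is handled there. Comparing the recorded `TCPForward` target against `item.tcp.upstream` in the TCP guard would close the drift gap; the `Web` map's key layout is not visible here, so the HTTPS guard needs the same confirmation before it can be tightened.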