digitalboard.core/roles/garage/tasks/main.yml

#SPDX-License-Identifier: MIT-0
---
# tasks file for garage

- name: Create docker compose directory
  file:
    path: "{{ garage_docker_compose_dir }}"
    state: directory
    mode: '0755'

- name: Create garage meta data directory
  file:
    path: "{{ garage_docker_volume_dir }}/meta"
    state: directory
    mode: '0755'

- name: Create garage data directory
  file:
    path: "{{ garage_docker_volume_dir }}/data"
    state: directory
    mode: '0755'

- name: Generate garage configuration file
  template:
    src: garage.toml.j2
    dest: "{{ garage_docker_compose_dir }}/garage.toml"
    mode: '0644'

- name: Set webui htpasswd activation fact
  ansible.builtin.set_fact:
    # htpasswd only runs when the WebUI is enabled AND authentik ForwardAuth
    # is not handling authentication. When authentik is in front, the
    # compose template drops AUTH_USER_PASS so no hash is needed.
    _garage_webui_htpasswd_active: >-
      {{
        garage_webui_enabled
        and not (garage_webui_authentik_forward_auth | default(false))
      }}

- name: Read cached webui htpasswd hash
  ansible.builtin.slurp:
    src: "{{ garage_docker_compose_dir }}/webui.htpasswd"
  register: _garage_webui_htpasswd_cached
  failed_when: false
  changed_when: false
  when: _garage_webui_htpasswd_active

- name: Verify cached webui htpasswd hash still matches password
  ansible.builtin.command:
    argv:
      - htpasswd
      - -vbB
      - "{{ garage_docker_compose_dir }}/webui.htpasswd"
      - "{{ garage_webui_username }}"
      - "{{ garage_webui_password }}"
  register: _garage_webui_htpasswd_verify
  failed_when: false
  changed_when: false
  no_log: true
  when:
    - _garage_webui_htpasswd_active
    - _garage_webui_htpasswd_cached.content is defined

- name: Generate bcrypt hash for webui password using htpasswd
  ansible.builtin.command:
    argv:
      - htpasswd
      - -nbBC
      - "10"
      - "{{ garage_webui_username }}"
      - "{{ garage_webui_password }}"
  register: _garage_webui_password_hash_new
  changed_when: true
  when:
    - _garage_webui_htpasswd_active
    - (_garage_webui_htpasswd_cached.content is not defined)
      or (_garage_webui_htpasswd_verify.rc | default(1) != 0)

- name: Persist webui htpasswd hash on disk
  ansible.builtin.copy:
    content: "{{ _garage_webui_password_hash_new.stdout }}\n"
    dest: "{{ garage_docker_compose_dir }}/webui.htpasswd"
    mode: '0600'
  when:
    - _garage_webui_htpasswd_active
    - _garage_webui_password_hash_new is changed

- name: Load current webui htpasswd hash
  ansible.builtin.slurp:
    src: "{{ garage_docker_compose_dir }}/webui.htpasswd"
  register: _garage_webui_htpasswd_current
  changed_when: false
  when: _garage_webui_htpasswd_active

- name: Expose current webui htpasswd hash to template
  ansible.builtin.set_fact:
    _garage_webui_password_hash:
      stdout: "{{ (_garage_webui_htpasswd_current.content | b64decode).strip() }}"
  when: _garage_webui_htpasswd_active

- name: Create docker-compose file for garage
  template:
    src: docker-compose.yml.j2
    dest: "{{ garage_docker_compose_dir }}/docker-compose.yml"
    mode: '0644'

- name: Start garage container
  community.docker.docker_compose_v2:
    project_src: "{{ garage_docker_compose_dir }}"
    state: present

- name: Wait for garage container to be running
  community.docker.docker_container_info:
    name: "{{ garage_service_name }}"
  register: _garage_container_info
  until: _garage_container_info.container.State.Running | default(false)
  retries: 30
  delay: 2

- name: Wait for garage to be ready (check if garage command responds)
  community.docker.docker_container_exec:
    container: "{{ garage_service_name }}"
    command: /garage status
  register: _garage_status_check
  until: _garage_status_check.rc == 0
  retries: 30
  delay: 2
  changed_when: false
  failed_when: false

# Include bootstraping tasks (cluster bootstrap)
- name: Include garage bootstraping tasks
  ansible.builtin.include_tasks: bootstrap.yml
  when: garage_bootstrap_enabled

# Include provisioning tasks (S3 keys and buckets)
- name: Include garage bootstraping tasks
  ansible.builtin.include_tasks: provision.yml
  when: garage_s3_keys | length > 0