Merge pull request #78 from ahembree/fix-var-logic

Fix var logic

.github/extra-vars.yml

@@ -9,11 +9,11 @@
   "custom_scripts_enabled": true,
   "monitoring_scripts_enabled": true,
   "media_avail_script_enabled": true,
-  "expose_ports_enabled_calibre": false,
+  "hmsdocker_expose_ports_enabled_calibre": false,
   "hms_docker_container_map": {
     "traefik": {
       "enabled": true,
-      "proxy_host_rule": "traefik",
+      "proxy_host_rule": traefik,
       "directory": true,
       "traefik": true,
       "authentik": false,

Makefile

@@ -54,10 +54,18 @@ install-reqs:
 verify-containers:
 	@sudo python3 .github/workflows/scripts/check_containers.py
 
+update:
+	@echo Updating from Git repo... && git pull
+	@echo Updating variable names
+	@echo Updating Traefik variables
+	@sed -i 's\traefik_ext_hosts_configs_path\hmsdocker_traefik_static_config_location\g' $(CUSTOM_CONF_DIR)/traefik.yml
+	@echo Update finished
+
 help:
 	@echo make basic :: setup a basic config
 	@echo make advanced :: setup an advanced config
 	@echo make check :: check for any changes without doing anything \(diff\)
 	@echo make apply :: apply any changes identified in the diff
 	@echo make install-reqs :: installs ansible galaxy role requirements
 	@echo make verify-containers :: checks containers exposed ports \(used in GitHub Actions\)
+	@echo update :: updates from the git repo and updates variable names (if they were changed)

README.md

@@ -12,6 +12,7 @@ Ansible Playbook to setup an automated Home Media Server stack running on Docker
 - [Requirements](#requirements)
 - [Warnings](#warning)
 - [Installation](#installation)
+- [Updating](#updating)
 - [Configuration](#configuration)
 - [Content layout](#content-layout)
 - [Using Cloudflare Tunnel](./docs/Cloudflare.md/#cloudflare-tunnel)
@@ -149,6 +150,18 @@ It is recommended to read and follow this guide entirely as there is a lot of co
 
 ---
 
+## Updating
+
+To easily update from this git repo _**and**_ update your custom variable names (due to deprecating/renaming variables), run:
+
+```bash
+make update
+```
+
+Previous variable names will still work for at least a year after the change and will be noted as such within the default configs. Please update to resolve.
+
+---
+
 ## Configuration
 
 Copy the base configurations to the `vars/custom` directory by running:

hms-docker.yml

@@ -37,5 +37,5 @@
     when:
       - item.value.traefik is defined and item.value.traefik
       - item.value.enabled is defined and item.value.enabled
-      - container_enabled_traefik
+      - hmsdocker_container_enabled_traefik
       - traefik_verify_endpoints is defined and traefik_verify_endpoints

roles/_archive/docker/defaults/main.yml

@@ -9,4 +9,4 @@ docker_repo_state: present # default: present
 docker_enable_live_restore: no # default: no
 docker_pip_package_state: present # default: present
 distribution_override: "{{ 'centos' if ansible_distribution | lower == 'almalinux' else ansible_distribution | lower }}"
-family_override: "{{ 'redhat' if ansible_os_family | lower == 'almalinux' else ansible_os_family | lower }}"
+hmsdocker_family_override: "{{ 'redhat' if ansible_os_family | lower == 'almalinux' else ansible_os_family | lower }}"

roles/_archive/docker/tasks/main.yml

@@ -7,7 +7,7 @@
 
 - name: Run RHEL-based Docker install.
   import_tasks: redhat.yml
-  when: family_override | lower == "redhat"
+  when: hmsdocker_family_override | lower == "redhat"
 
 - name: Run Debian-based Docker install.
   import_tasks: debian.yml

roles/gpu/defaults/main.yml

@@ -1,3 +1,3 @@
 gpu_prereq_packages_state: present
-distribution_override: "{{ 'centos' if ansible_distribution | lower == 'almalinux' else ansible_distribution | lower }}"
-family_override: "{{ 'redhat' if ansible_os_family | lower == 'almalinux' else ansible_os_family | lower }}"
+gpu_distribution_override: "{{ 'centos' if ansible_distribution | lower == 'almalinux' else ansible_distribution | lower }}"
+gpu_family_override: "{{ 'redhat' if ansible_os_family | lower == 'almalinux' else ansible_os_family | lower }}"

roles/gpu/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Run RHEL-based install.
   import_tasks: redhat.yml
-  when: family_override | lower == "redhat"
+  when: gpu_family_override | lower == "redhat"
 
 - name: Run Debian-based install.
   import_tasks: debian.yml

roles/gpu/tasks/redhat.yml

@@ -21,7 +21,7 @@
     name: libnvidia-container
     description: libnvidia-container
     file: nvidia-container-runtime
-    baseurl: https://nvidia.github.io/libnvidia-container/stable/{{ distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
+    baseurl: https://nvidia.github.io/libnvidia-container/stable/{{ gpu_distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
     enabled: 1
     gpgcheck: 0
     repo_gpgcheck: 1
@@ -34,7 +34,7 @@
     name: libnvidia-container-experimental
     description: libnvidia-container-experimental
     file: nvidia-container-runtime
-    baseurl: https://nvidia.github.io/libnvidia-container/experimental/{{ distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
+    baseurl: https://nvidia.github.io/libnvidia-container/experimental/{{ gpu_distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
     enabled: 0
     gpgcheck: 0
     repo_gpgcheck: 1
@@ -47,7 +47,7 @@
     name: nvidia-container-runtime
     description: nvidia-container-runtime
     file: nvidia-container-runtime
-    baseurl: https://nvidia.github.io/nvidia-container-runtime/stable/{{ distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
+    baseurl: https://nvidia.github.io/nvidia-container-runtime/stable/{{ gpu_distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
     enabled: 1
     gpgcheck: 0
     repo_gpgcheck: 1
@@ -60,7 +60,7 @@
     name: nvidia-container-runtime-experimental
     description: nvidia-container-runtime-experimental
     file: nvidia-container-runtime
-    baseurl: https://nvidia.github.io/nvidia-container-runtime/experimental/{{ distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
+    baseurl: https://nvidia.github.io/nvidia-container-runtime/experimental/{{ gpu_distribution_override | lower }}{{ ansible_facts['distribution_major_version'] }}/$basearch
     enabled: 0
     gpgcheck: 0
     repo_gpgcheck: 1

roles/hmsdocker/defaults/main/traefik.yml

@@ -1,11 +1,10 @@
 ### SSL and Traefik settings
-traefik_container_tag: v2.10.1
 
 # Enables or Disables SSL wildcard certificate generation // default: "no"
 traefik_ssl_enabled: no
 
 # This option implements a number of additional security features for Traefik, such as:
-# * Disable TLS1.0
+# * Minimum TLS1.2
 traefik_security_hardening: no # default: no
 
 # Whether to use the staging/testing URL or production URL // default: "yes"
@@ -41,9 +40,15 @@ traefik_ssl_dns_resolver_2: "1.0.0.1"
 # Required for Let's Encrypt, the email address to use when generating your SSL certificate
 traefik_ssl_letsencrypt_email: ""
 
+# Where static config files are stored for Traefik (middlewares and external hosts)
+# Deprecation notice:
+# the `traefik_ext_hosts_configs_path` variable was removed on 5/31/2024 but will still work for the time being.
+# It will be removed at least 1 year from the deprecation date (6/1/2025) and then will be fully removed and no longer work
+# To fix: run `make update`
+hmsdocker_traefik_static_config_location: "{{ traefik_ext_hosts_configs_path | default(hms_docker_apps_path + '/traefik/config/static_confs/') }}"
+
 # Enables or Disables watching a directory for Traefik static file configs, see https://doc.traefik.io/traefik/providers/file/#configuration-examples // default: "no"
 traefik_ext_hosts_enabled: no
-traefik_ext_hosts_configs_path: "{{ hms_docker_apps_path }}/traefik/config/static_confs/"
 # Settings for each external host:
 #    friendly_name: host1, # just a friendly name for it
 #    subdomain_name: sub-example, # the subdomain that will be used to access the service (such as sub-example.example.com, where example.com is the hms_docker_domain you defined above)

roles/hmsdocker/tasks/authentik.yml

@@ -45,7 +45,7 @@
   register: authentik_key_template_output
   no_log: true
   vars:
-    key: "{{ authentik_old_key if authentik_old_key is defined and authentik_old_key != '' else lookup('password', '/dev/null length=50 chars=ascii_letters') }}"
+    key: "{{ authentik_old_key | default(lookup('password', '/dev/null length=50 chars=ascii_letters')) }}"
 
 - name: Ensure authentik postgres password file
   ansible.builtin.template:
@@ -59,7 +59,7 @@
   register: authentik_pgpass_template_output
   no_log: true
   vars:
-    key: "{{ authentik_old_pg_pass if authentik_old_pg_pass is defined and authentik_old_pg_pass != '' else lookup('password', '/dev/null length=50 chars=ascii_letters') }}"
+    key: "{{ authentik_old_pg_pass | default(lookup('password', '/dev/null length=50 chars=ascii_letters')) }}"
 
 - name: Slurp authentik secret key data
   ansible.builtin.slurp:
@@ -119,6 +119,3 @@
     - item.key == 'sonarr' or item.key == 'radarr'
     - item.value.authentik_provider_type is defined and item.value.authentik_provider_type == 'proxy'
     - separate_4k_instances_enable is defined and separate_4k_instances_enable
-
-#### if authentik_provision_config is defined and authentik_provision_config:
-#### do the logic to configure providers, applications, etc

roles/hmsdocker/tasks/main.yml

@@ -48,16 +48,16 @@
 
 - name: Ensure Traefik
   import_tasks: "traefik.yml"
-  when: container_enabled_traefik
+  when: hmsdocker_container_enabled_traefik
 
 - name: Ensure Authentik
   import_tasks: "authentik.yml"
-  when: (authentik_enabled_globally and 
+  when: (hmsdocker_authentik_enabled_globally and 
         traefik_ssl_enabled)
 
 - name: Ensure homepage
   ansible.builtin.import_tasks: "homepage.yml"
-  when: container_enabled_homepage
+  when: hmsdocker_container_enabled_homepage
 
 - name: Ensure JBOPS if enabled
   when: tautulli_jbops_enabled | default(false)
@@ -117,7 +117,7 @@
 
 - name: Sabnzbd additional config
   ansible.builtin.import_tasks: "sabnzbd.yml"
-  when: container_enabled_sabnzbd
+  when: hmsdocker_container_enabled_sabnzbd
 
 - name: Ensure Plex SSL script and resources
   ansible.builtin.import_tasks: "plex_ssl.yml"
@@ -130,6 +130,6 @@
 - name: Ensure Transmission and VPN connection
   import_tasks: "transmission.yml"
   when: 
-    - container_enabled_transmission
+    - hmsdocker_container_enabled_transmission
     - not ansible_check_mode
     - not is_github_runner | default(false)

roles/hmsdocker/tasks/nas_additional_nfs.yml

@@ -4,7 +4,7 @@
     name:
       - nfs-utils
     state: "{{ nas_client_package_state }}"
-  when: family_override | lower == "redhat"
+  when: hmsdocker_family_override | lower == "redhat"
 
 - name: Ensure Debian NFS packages.
   ansible.builtin.package:

roles/hmsdocker/tasks/nas_nfs.yml

@@ -4,7 +4,7 @@
     name:
       - nfs-utils
     state: "{{ nas_client_package_state }}"
-  when: family_override | lower == "redhat"
+  when: hmsdocker_family_override | lower == "redhat"
 
 - name: Ensure Debian NFS packages.
   ansible.builtin.package:

roles/hmsdocker/tasks/traefik.yml

@@ -6,28 +6,42 @@
     mode: 0644
     group: docker
     backup: yes
+    lstrip_blocks: yes
+    trim_blocks: yes
   notify: restart traefik
 
 - name: Ensure Traefik certs directory
   ansible.builtin.file:
     path: "{{ hms_docker_apps_path }}/traefik/config/certs"
     state: directory
+    mode: 0755
   register: traefik_certs_dir
 
+- name: Ensure Traefik Static file dir
+  ansible.builtin.file:
+    path: "{{ hmsdocker_traefik_static_config_location }}"
+    state: directory
+    mode: 0755
+    group: docker
+  register: traefik_static_config_dir
+
+- name: Ensure Traefik static config file
+  ansible.builtin.template:
+    src: hmsd_traefik_middlewares.yml.j2
+    dest: "{{ traefik_static_config_dir.path }}/hmsd_middlewares.yml"
+    mode: 0644
+    group: docker
+    backup: yes
+    lstrip_blocks: yes
+    trim_blocks: yes
+
 - name: Ensure Traefik static file configs requirements
+  when: traefik_ext_hosts_enabled
   block:
-    - name: Ensure Traefik Static file dir
-      ansible.builtin.file:
-        path: "{{ traefik_ext_hosts_configs_path }}"
-        state: directory
-        mode: 0755
-        group: docker
-      register: traefik_additional_routes_dir
-
-    - name: Ensure Traefik static file configs
+    - name: Ensure Traefik static external host configs
       ansible.builtin.template:
         src: traefik_additional_routes.yml.j2
-        dest: "{{ traefik_ext_hosts_configs_path }}/{{ item.friendly_name | map('regex_replace', regex, replace) | list | join }}.yml"
+        dest: "{{ traefik_static_config_dir.path }}/{{ item.friendly_name | map('regex_replace', regex, replace) | list | join }}.yml"
         mode: 0644
         group: docker
         backup: yes
@@ -37,11 +51,10 @@
         - item.subdomain_name is defined and item.subdomain_name != ''
         - item.backend_url is defined and item.backend_url != ''
         - item.enabled is defined and item.enabled
-  when: traefik_ext_hosts_enabled
 
-- name: Ensure disabled Traefik static file configs are removed
+- name: Ensure disabled Traefik static external host configs are removed
   ansible.builtin.file:
-    path: "{{ traefik_ext_hosts_configs_path }}/{{ item.friendly_name | map('regex_replace', regex, replace) | list | join }}.yml"
+    path: "{{ traefik_static_config_dir.path }}/{{ item.friendly_name | map('regex_replace', regex, replace) | list | join }}.yml"
     state: absent
   with_items: "{{ traefik_ext_hosts_list }}"
   when: 

roles/hmsdocker/tasks/transmission.yml

@@ -26,6 +26,7 @@
     - ansible_facts['ipify_public_ip'] != vpn_public_ip.stdout
 
 - name: Public IP and VPN IP are identical, stop container
+  when: ansible_facts['ipify_public_ip'] == vpn_public_ip.stdout or ansible_facts['ipify_public_ip'] == '' or ansible_facts['ipify_public_ip'] is undefined
   block:
     - name: Stop transmission if public IP and VPN IP are identical.
       ansible.builtin.command: docker stop transmission
@@ -37,4 +38,3 @@
           - "Current public IP: {{ ansible_facts['ipify_public_ip'] }}"
           - "Current VPN IP: {{ vpn_public_ip.stdout }}"
           - The Transmission container has been stopped
-  when: ansible_facts['ipify_public_ip'] == vpn_public_ip.stdout or ansible_facts['ipify_public_ip'] == '' or ansible_facts['ipify_public_ip'] is undefined

roles/hmsdocker/templates/authentik_outpost.j2

@@ -9,7 +9,7 @@ docker_labels:
 authentik_host: https://authentik-server:9443
 authentik_host_insecure: true
 authentik_host_browser: {{ authentik_external_host }}
-docker_network: {{ project_name }}_traefik_net
+docker_network: {{ project_name }}_proxy_net
 container_image: null
 docker_map_ports: false
 kubernetes_replicas: 1

roles/hmsdocker/templates/authentik_outpost_4k.j2

@@ -9,7 +9,7 @@ docker_labels:
 authentik_host: https://authentik-server:9443
 authentik_host_insecure: true
 authentik_host_browser: {{ authentik_external_host }}
-docker_network: {{ project_name }}_traefik_net
+docker_network: {{ project_name }}_proxy_net
 container_image: null
 docker_map_ports: false
 kubernetes_replicas: 1

roles/hmsdocker/templates/authentik_outpost_ext_host.j2

@@ -9,7 +9,7 @@ docker_labels:
 authentik_host: https://authentik-server:9443
 authentik_host_insecure: true
 authentik_host_browser: {{ authentik_external_host }}
-docker_network: {{ project_name }}_traefik_net
+docker_network: {{ project_name }}_proxy_net
 container_image: null
 docker_map_ports: false
 kubernetes_replicas: 1