From 50b3a68fb73e6b3a8df0680566d083fae527f813 Mon Sep 17 00:00:00 2001
From: Greg Harvey <greg.harvey@gmail.com>
Date: Wed, 1 Oct 2025 17:48:23 +0200
Subject: [PATCH 1/3] Fixing python venv vars.

---
 roles/debian/ansible/tasks/main.yml         |  6 ++++++
 roles/debian/ce_provision/defaults/main.yml | 10 +++++-----
 roles/debian/ce_provision/tasks/main.yml    |  8 ++++++--
 roles/debian/duplicity/defaults/main.yml    |  8 ++++----
 roles/debian/duplicity/tasks/main.yml       | 22 +++------------------
 roles/debian/mattermost/tasks/main.yml      |  3 +++
 roles/debian/nginx/tasks/main.yml           |  3 +++
 roles/debian/python_boto/tasks/main.yml     |  3 +++
 roles/debian/ssl/tasks/letsencrypt.yml      |  6 ++++++
 9 files changed, 39 insertions(+), 30 deletions(-)

diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml
index 146c62e8d..0e6efdb78 100644
--- a/roles/debian/ansible/tasks/main.yml
+++ b/roles/debian/ansible/tasks/main.yml
@@ -51,6 +51,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ ce_ansible.venv_path }}"
+      venv_command: "{{ ce_ansible.venv_command }}"
+      venv_install_username: "{{ ce_ansible.venv_install_username }}"
       packages:
         - name: pip
           state: latest
@@ -62,6 +65,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ ce_ansible.venv_path }}"
+      venv_command: "{{ ce_ansible.venv_command }}"
+      venv_install_username: "{{ ce_ansible.venv_install_username }}"
       packages:
         - name: ansible-lint
         - name: yamllint
diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml
index 121244dee..71db56728 100644
--- a/roles/debian/ce_provision/defaults/main.yml
+++ b/roles/debian/ce_provision/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # See roles/_init/defaults/main.yml for Ansible installation, controller user creation and extra variables repo settings.
 ce_provision:
-  # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden.
-  #venv_path: "/home/{{ _ce_provision_username }}/ce-python"
-  #venv_command: /usr/bin/python3 -m venv
-  #venv_install_username: "{{ _ce_provision_username }}"
-  #upgrade_timer_name: upgrade_ce_provision_ansible
+  # These are usually set in the _init role but can be overridden here.
+  venv_path: "{{ _venv_path }}"
+  venv_command: "{{ _venv_command }}"
+  venv_install_username: "{{ _venv_install_username }}"
+  upgrade_timer_name: "{{ _ce_ansible_timer_name }}"
 
   # Other ce-provision settings.
   aws_support: true # installs boto3
diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml
index 6d65d25f9..845cf3403 100644
--- a/roles/debian/ce_provision/tasks/main.yml
+++ b/roles/debian/ce_provision/tasks/main.yml
@@ -172,8 +172,6 @@
 - name: Override systemd timer name for Ansible if provided.
   ansible.builtin.set_fact:
     _ce_ansible_timer_name: "{{ ce_provision.upgrade_timer_name }}"
-  when:
-    - ce_provision.upgrade_timer_name is defined
 
 # Install a new Ansible venv if we overrode the system Ansible venv path.
 - name: Install Ansible.
@@ -187,6 +185,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ ce_provision.venv_path }}"
+      venv_command: "{{ ce_provision.venv_command }}"
+      venv_install_username: "{{ ce_provision.venv_install_username }}"
       packages:
         - name: ansible-lint
         - name: yamllint
@@ -202,6 +203,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ ce_provision.venv_path }}"
+      venv_command: "{{ ce_provision.venv_command }}"
+      venv_install_username: "{{ ce_provision.venv_install_username }}"
       packages:
         - name: dnspython
         - name: certifi
diff --git a/roles/debian/duplicity/defaults/main.yml b/roles/debian/duplicity/defaults/main.yml
index bbdf1daf4..f0ca2e605 100644
--- a/roles/debian/duplicity/defaults/main.yml
+++ b/roles/debian/duplicity/defaults/main.yml
@@ -1,9 +1,9 @@
 ---
 duplicity:
-  # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden.
-  #venv_path: "/home/{{ user_provision.username }}/duplicity"
-  #venv_command: /usr/bin/python3 -m venv
-  #venv_install_username: "{{ user_provision.username }}"
+  # These are usually set in the _init role but can be overridden here.
+  venv_path: "{{ _venv_path }}"
+  venv_command: "{{ _venv_command }}"
+  venv_install_username: "{{ _venv_install_username }}"
 
   # Duplicity configuration
   backend: s3 # currently also support b2 for Backblaze
diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml
index 2fdcab807..b9eda485f 100644
--- a/roles/debian/duplicity/tasks/main.yml
+++ b/roles/debian/duplicity/tasks/main.yml
@@ -23,31 +23,15 @@
       - librsync-dev
       - python3-dev
 
-# Optionally set Python venv variables.
-- name: Override Python venv path if provided.
-  ansible.builtin.set_fact:
-    _venv_path: "{{ duplicity.venv_path }}"
-  when:
-    - duplicity.venv_path is defined
-
-- name: Override Python venv command if provided.
-  ansible.builtin.set_fact:
-    _venv_command: "{{ duplicity.venv_command }}"
-  when:
-    - duplicity.venv_command is defined
-
-- name: Override Python user if provided.
-  ansible.builtin.set_fact:
-    _venv_install_username: "{{ duplicity.venv_install_username }}"
-  when:
-    - duplicity.venv_install_username is defined
-
 # Install Python applications.
 - name: Manage required pip packages.
   ansible.builtin.include_role:
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ duplicity.venv_path }}"
+      venv_command: "{{ duplicity.venv_command }}"
+      venv_install_username: "{{ duplicity.venv_install_username }}"
       packages:
         - name: pip
           state: latest
diff --git a/roles/debian/mattermost/tasks/main.yml b/roles/debian/mattermost/tasks/main.yml
index 0a1bd95c8..b78ad9225 100644
--- a/roles/debian/mattermost/tasks/main.yml
+++ b/roles/debian/mattermost/tasks/main.yml
@@ -5,6 +5,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ _venv_path }}"  # variables in _init role
+      venv_command: "{{ _venv_command }}"
+      venv_install_username: "{{ _venv_install_username }}"
       packages:
         - name: psycopg2-binary
 
diff --git a/roles/debian/nginx/tasks/main.yml b/roles/debian/nginx/tasks/main.yml
index a471ee75a..3b6406c26 100644
--- a/roles/debian/nginx/tasks/main.yml
+++ b/roles/debian/nginx/tasks/main.yml
@@ -36,6 +36,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ _venv_path }}"  # variables in _init role
+      venv_command: "{{ _venv_command }}"
+      venv_install_username: "{{ _venv_install_username }}"
       packages:
         - name: passlib
 
diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml
index 282f8ef4a..eb5c91386 100644
--- a/roles/debian/python_boto/tasks/main.yml
+++ b/roles/debian/python_boto/tasks/main.yml
@@ -30,5 +30,8 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ _venv_path }}"  # variables in _init role
+      venv_command: "{{ _venv_command }}"
+      venv_install_username: "{{ _venv_install_username }}"
       packages:
         - name: "{{ _boto3_install_package }}"
diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml
index 9c3eb69d5..fffecbbc5 100644
--- a/roles/debian/ssl/tasks/letsencrypt.yml
+++ b/roles/debian/ssl/tasks/letsencrypt.yml
@@ -71,6 +71,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ _venv_path }}"  # variables in _init role
+      venv_command: "{{ _venv_command }}"
+      venv_install_username: "{{ _venv_install_username }}"
       packages:
         - name: pip
           state: latest
@@ -87,6 +90,9 @@
     name: debian/python_pip_packages
   vars:
     python_pip_packages:
+      venv_path: "{{ _venv_path }}"  # variables in _init role
+      venv_command: "{{ _venv_command }}"
+      venv_install_username: "{{ _venv_install_username }}"
       packages:
         - name: "certbot-{{ _ssl_web_server }}"
   when: not (_ssl_web_server == "standalone" or _ssl_web_server == "webroot")

From 99af795f0f769d6a736c013940ff7e4c97ec66dd Mon Sep 17 00:00:00 2001
From: Greg Harvey <greg.harvey@gmail.com>
Date: Thu, 2 Oct 2025 10:17:00 +0200
Subject: [PATCH 2/3] Bad var name in pip role.

---
 roles/debian/ansible/defaults/main.yml             | 1 +
 roles/debian/python_pip_packages/defaults/main.yml | 2 +-
 roles/debian/python_pip_packages/tasks/main.yml    | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/roles/debian/ansible/defaults/main.yml b/roles/debian/ansible/defaults/main.yml
index bacce1d11..d092bb6ee 100644
--- a/roles/debian/ansible/defaults/main.yml
+++ b/roles/debian/ansible/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+# ansible is reserved, so we use ce_ansible
 ce_ansible:
   # These are usually set in the _init role but can be overridden here.
   venv_path: "{{ _venv_path }}"
diff --git a/roles/debian/python_pip_packages/defaults/main.yml b/roles/debian/python_pip_packages/defaults/main.yml
index c2e179208..afbfbcb2c 100644
--- a/roles/debian/python_pip_packages/defaults/main.yml
+++ b/roles/debian/python_pip_packages/defaults/main.yml
@@ -3,7 +3,7 @@ python_pip_packages:
   # These are usually set in the _init role but can be overridden here.
   venv_path: "{{ _venv_path }}"
   venv_command: "{{ _venv_command }}"
-  install_username: "{{ _venv_install_username }}"
+  venv_install_username: "{{ _venv_install_username }}"
 
   packages: []
   #  - name: pip
diff --git a/roles/debian/python_pip_packages/tasks/main.yml b/roles/debian/python_pip_packages/tasks/main.yml
index 0bdbcd85b..091fa2391 100644
--- a/roles/debian/python_pip_packages/tasks/main.yml
+++ b/roles/debian/python_pip_packages/tasks/main.yml
@@ -12,5 +12,5 @@
     path: "{{ python_pip_packages.venv_path }}"
     state: directory
     recurse: true
-    owner: "{{ python_pip_packages.install_username }}"
-    group: "{{ python_pip_packages.install_username }}"
+    owner: "{{ python_pip_packages.venv_install_username }}"
+    group: "{{ python_pip_packages.venv_install_username }}"

From 3c6cb358c5bb6ef7f3d13c57d32bf847c78fad98 Mon Sep 17 00:00:00 2001
From: Greg Harvey <greg.harvey@gmail.com>
Date: Fri, 3 Oct 2025 18:34:33 +0200
Subject: [PATCH 3/3] Ensuring Ansible version gets passed to ce-provision as
 well.

---
 install.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/install.sh b/install.sh
index 3a3be01d8..df53b4ef5 100755
--- a/install.sh
+++ b/install.sh
@@ -241,6 +241,15 @@ ce_provision:
     enabled: true
     command: "/home/${CONTROLLER_USER}/ce-python/bin/ansible-galaxy collection install --force"
     on_calendar: "Mon *-*-* 04:00:00"
+ce_ansible:
+  venv_path: /home/${CONTROLLER_USER}/ce-python
+  venv_command: /usr/bin/python3 -m venv
+  venv_install_username: ${CONTROLLER_USER}
+  ansible_version: "${ANSIBLE_VERSION}"
+  upgrade:
+    enabled: false
+  linters:
+    enabled: true
 user_provision:
   username: "${CONTROLLER_USER}"
   home: "/home/${CONTROLLER_USER}"