Рефакторинг: вынес запуск ролей в отдельный файл deploy.yml

- Создан файл roles/deploy.yml с блоком запуска роли nginx - Обновлен molecule/default/site.yml для импорта deploy.yml - Улучшена модульность структуры проекта - Автор: Сергей Антропов
2025-10-22 22:34:07 +03:00
parent 0b981ca61e
commit c99df83bad
23 changed files with 661 additions and 659 deletions
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -0,0 +1,52 @@
+---
+- hosts: localhost
+  gather_facts: false
+  vars:
+    # перечисли файлы/глобы, которые нужно временно расшифровать
+    vault_targets:
+      - /ansible/vault/secrets.yml
+      # добавляй сюда свои пути (host_vars/*/vault.yml, group_vars/*/vault.yml, и т.п.)
+
+  tasks:
+    - name: Install collections
+      community.docker.docker_container_exec:
+        container: ansible
+        command: bash -lc "ansible-galaxy collection install -r /ansible/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"
+
+    - name: Decrypt vault targets (best-effort)
+      community.docker.docker_container_exec:
+        container: ansible
+        command: >
+          bash -lc '
+          set -euo pipefail;
+          for p in {{ vault_targets | map('quote') | join(' ') }}; do
+            if [ -e "$p" ]; then
+              echo "[vault] decrypt $p";
+              ansible-vault decrypt --vault-password-file /ansible/vault-password.txt "$p" || true;
+            fi
+          done
+          '
+
+    - name: Run external playbook (your lab play)
+      community.docker.docker_container_exec:
+        container: ansible
+        command: >
+          bash -lc "
+            ANSIBLE_ROLES_PATH=/ansible/roles
+            ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini /ansible/molecule/default/site.yml
+          "
+
+    - name: Re-encrypt vault targets (always)
+      community.docker.docker_container_exec:
+        container: ansible
+        command: >
+          bash -lc '
+          set -euo pipefail;
+          for p in {{ vault_targets | map('quote') | join(' ') }}; do
+            if [ -e "$p" ]; then
+              echo "[vault] encrypt $p";
+              ansible-vault encrypt --encrypt-vault-id default --vault-password-file /ansible/vault-password.txt "$p" || true;
+            fi
+          done
+          '
+      ignore_errors: true