Modernise Draupnir Role ansible modules and update restart logic (#5187)

docs/configuring-playbook-appservice-draupnir-for-all.md

@@ -48,6 +48,14 @@ matrix_appservice_draupnir_for_all_enabled: true
 matrix_appservice_draupnir_for_all_config_adminRoom: "MANAGEMENT_ROOM_ALIAS_HERE"
 ```
 
+### Running Both Bot Mode and Appservice Mode
+
+When running both [Bot mode](./configuring-playbook-bot-draupnir.md) and appservice mode the playbook will force restart
+the bot if running a non release tag like `latest` or `main` or development builds.
+This is due to the conditional restart logic not being able to tell when a update happened correctly.
+
+Conditional restarts work perfectly for all tags when running only one of these two operating modes.
+
 ### Extending the configuration
 
 There are some additional things you may wish to configure about the component.

docs/configuring-playbook-bot-draupnir.md

@@ -82,6 +82,14 @@ matrix_bot_draupnir_login_native: true
 matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"
 ```
 
+### Running Both Bot Mode and Appservice Mode
+
+When running both Bot mode and [appservice mode](./configuring-playbook-appservice-draupnir-for-all.md)(Draupnir for all) the
+playbook will force restart the bot if running a non release tag like `latest` or `main` or development builds.
+This is due to the conditional restart logic not being able to tell when a update happened correctly.
+
+Conditional restarts work perfectly for all tags when running only one of these two operating modes.
+
 ### Create and invite the bot to the management room
 
 Before proceeding to the next step, run the playbook with the following command to create the bot user.

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -22,7 +22,6 @@ matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream: "{{
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default: "ghcr.io/"
 matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}{{ matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier }}:{{ matrix_appservice_draupnir_for_all_version }}"
 matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier: "the-draupnir-project/draupnir"
-matrix_appservice_draupnir_for_all_container_image_force_pull: "{{ matrix_appservice_draupnir_for_all_container_image.endswith(':latest') }}"
 
 matrix_appservice_draupnir_for_all_base_path: "{{ matrix_base_data_path }}/draupnir-for-all"
 matrix_appservice_draupnir_for_all_config_path: "{{ matrix_appservice_draupnir_for_all_base_path }}/config"
@@ -47,6 +46,18 @@ matrix_appservice_draupnir_for_all_systemd_required_services_list_custom: []
 # List of systemd services that matrix-bot-draupnir.service wants
 matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []
 
+# Rolling tag: true if version doesn't match semver shape (vX.Y.Z with optional prerelease/build), false otherwise.
+matrix_appservice_draupnir_for_all_rolling_tag: "{{ not (matrix_appservice_draupnir_for_all_version is match('^v[0-9]+\\.[0-9]+\\.[0-9]+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$')) }}"
+
+# Force restart the service on all runs only when both roles are enabled, both roles
+# are using the same version string, and that version is a classified as a moving tag.
+matrix_appservice_draupnir_for_all_force_restart: "{{
+  matrix_bot_draupnir_enabled | bool and
+  matrix_appservice_draupnir_for_all_enabled | bool and
+  matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and
+  matrix_appservice_draupnir_for_all_rolling_tag | bool
+}}"
+
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias - not a matrix.to URL.

roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml

@@ -26,11 +26,9 @@
   when: "item.when | bool"
 
 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
     name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_appservice_draupnir_for_all_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_draupnir_for_all_container_image_force_pull }}"
+    pull: always
   when: "not matrix_appservice_draupnir_for_all_container_image_self_build | bool"
   register: matrix_appservice_draupnir_for_all_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -49,15 +47,18 @@
   when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
 
 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
+  # Rebuild when the git checkout advanced to a new commit; otherwise keep the build idempotent.
+  # Technically the idempotency of rebuilds is more that if a build has already been executed for that name:tag
+  # then we won't rebuild while in idempotent mode even if git moved. That's what the force rebuild logic is for.
+  community.docker.docker_image_build:
     name: "{{ matrix_appservice_draupnir_for_all_container_image }}"
-    source: build
-    force_source: "{{ matrix_appservice_draupnir_for_all_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
-      pull: true
+    dockerfile: Dockerfile
+    path: "{{ matrix_appservice_draupnir_for_all_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_appservice_draupnir_for_all_git_pull_results.changed | bool else 'never' }}"
   when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
+  register: matrix_appservice_draupnir_for_all_container_image_build_result
 
 - name: Ensure matrix-appservice-draupnir-for-all appservice config installed
   ansible.builtin.copy:
@@ -120,7 +121,8 @@
         or matrix_appservice_draupnir_for_all_registration_config_result.changed | default(false)
         or matrix_appservice_draupnir_for_all_systemd_service_result.changed | default(false)
         or matrix_appservice_draupnir_for_all_container_image_pull_result.changed | default(false)
-        or matrix_appservice_draupnir_for_all_container_image_force_pull | bool
+        or matrix_appservice_draupnir_for_all_container_image_build_result.changed | default(false)
+        or matrix_appservice_draupnir_for_all_force_restart | bool
       }}
 
 - name: Ensure matrix-appservice-draupnir-for-all.service restarted, if necessary

roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml

@@ -23,6 +23,7 @@
     - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream'}
     - {'old': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix_upstream_default', 'new': 'matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default'}
     - {'old': 'matrix_appservice_draupnir_for_all_docker_src_files_path', 'new': 'matrix_appservice_draupnir_for_all_container_src_files_path'}
+    - {'old': 'matrix_appservice_draupnir_for_all_container_image_force_pull', 'new': '<removed> (No longer needed due to new docker module doing this natively only if needed.)'}
 
 - name: Fail if required matrix-bot-draupnir variables are undefined
   ansible.builtin.fail:

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -22,13 +22,24 @@ matrix_bot_draupnir_container_image_registry_namespace_identifier: "the-draupnir
 matrix_bot_draupnir_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_bot_draupnir_container_image_registry_prefix_upstream }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream: "{{ matrix_bot_draupnir_container_image_registry_prefix_upstream_default }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream_default: "ghcr.io/"
-matrix_bot_draupnir_container_image_force_pull: "{{ matrix_bot_draupnir_container_image.endswith(':latest') }}"
 
 matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir"
 matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
 matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
 matrix_bot_draupnir_container_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
 
+# Rolling tag: true if version doesn't match semver shape (vX.Y.Z with optional prerelease/build), false otherwise.
+matrix_bot_draupnir_rolling_tag: "{{ not (matrix_bot_draupnir_version is match('^v[0-9]+\\.[0-9]+\\.[0-9]+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$')) }}"
+
+# Force restart the service on all runs only when both roles are enabled, both roles
+# are using the same version string, and that version is a classified as a moving tag.
+matrix_bot_draupnir_force_restart: "{{
+  matrix_bot_draupnir_enabled | bool and
+  matrix_appservice_draupnir_for_all_enabled | bool and
+  matrix_bot_draupnir_version == matrix_appservice_draupnir_for_all_version and
+  matrix_bot_draupnir_rolling_tag | bool
+}}"
+
 matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting or matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled }}"  # noqa var-naming
 
 matrix_bot_draupnir_config_web_abuseReporting: false  # noqa var-naming

roles/custom/matrix-bot-draupnir/tasks/setup_install.yml

@@ -38,11 +38,9 @@
   register: matrix_bot_draupnir_support_files_result
 
 - name: Ensure Draupnir Docker image is pulled
-  community.docker.docker_image:
+  community.docker.docker_image_pull:
     name: "{{ matrix_bot_draupnir_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_draupnir_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_container_image_force_pull }}"
+    pull: always
   when: "not matrix_bot_draupnir_container_image_self_build | bool"
   register: matrix_bot_draupnir_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
@@ -61,15 +59,18 @@
   when: "matrix_bot_draupnir_container_image_self_build | bool"
 
 - name: Ensure Draupnir Docker image is built
-  community.docker.docker_image:
+  # Using docker_image_build with BuildKit for modern, efficient builds.
+  # Rebuild when the git checkout advanced to a new commit; otherwise keep the build idempotent.
+  # Technically the idempotency of rebuilds is more that if a build has already been executed for that name:tag
+  # then we won't rebuild while in idempotent mode even if git moved. That's what the force rebuild logic is for.
+  community.docker.docker_image_build:
     name: "{{ matrix_bot_draupnir_container_image }}"
-    source: build
-    force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_bot_draupnir_container_src_files_path }}"
-      pull: true
+    dockerfile: Dockerfile
+    path: "{{ matrix_bot_draupnir_container_src_files_path }}"
+    pull: true
+    rebuild: "{{ 'always' if matrix_bot_draupnir_git_pull_results.changed | bool else 'never' }}"
   when: "matrix_bot_draupnir_container_image_self_build | bool"
+  register: matrix_bot_draupnir_container_image_build_result
 
 - name: Ensure matrix-bot-draupnir config installed
   ansible.builtin.copy:
@@ -113,7 +114,8 @@
         or matrix_bot_draupnir_config_result.changed | default(false)
         or matrix_bot_draupnir_systemd_service_result.changed | default(false)
         or matrix_bot_draupnir_container_image_pull_result.changed | default(false)
-        or matrix_bot_draupnir_container_image_force_pull | bool
+        or matrix_bot_draupnir_container_image_build_result.changed | default(false)
+        or matrix_bot_draupnir_force_restart | bool
       }}
 
 - name: Ensure matrix-bot-draupnir.service restarted, if necessary

roles/custom/matrix-bot-draupnir/tasks/validate_config.yml

@@ -37,6 +37,7 @@
     - {'old': 'matrix_bot_draupnir_docker_image_registry_prefix_upstream', 'new': 'matrix_bot_draupnir_container_image_registry_prefix_upstream'}
     - {'old': 'matrix_bot_draupnir_docker_image_registry_prefix_upstream_default', 'new': 'matrix_bot_draupnir_container_image_registry_prefix_upstream_default'}
     - {'old': 'matrix_bot_draupnir_docker_src_files_path', 'new': 'matrix_bot_draupnir_container_src_files_path'}
+    - {'old': 'matrix_bot_draupnir_container_image_force_pull', 'new': '<removed> (No longer needed due to new docker module doing this natively only if needed.)'}
 
 - name: Fail if required matrix-bot-draupnir variables are undefined
   ansible.builtin.fail: