Use the unsafe_writes parameter instead of prefix_path

Related to: https://github.com/debops/ansible-persistent_paths/pull/6

defaults/main.yml

@@ -159,20 +159,6 @@ tinc__systemd: '{{ True
                    if (ansible_service_mgr|d("unknown") == "systemd")
                    else False }}'
 
-                                                                   # ]]]
-# .. envvar:: tinc__persistent_prefix_path [[[
-#
-# Directory path prefix which should be used for writing/updating of files made
-# persistent by :envvar:`tinc__persistent_paths__dependent_paths`.
-tinc__persistent_prefix_path: '{{ ansible_local.persistent_paths.storage_path|d("")
-                                  if (ansible_local|d() and
-                                      ansible_local.tinc|d() and
-                                      ansible_local.tinc.enabled|d() | bool and
-                                      ansible_local.persistent_paths|d() and
-                                      ansible_local.persistent_paths.enabled|d() | bool and
-                                      ansible_local.persistent_paths.write_to_storage_path|d() | bool)
-                                  else "" }}'
-
                                                                    # ]]]
 # .. envvar:: tinc__vcs_ignore_patterns [[[
 #

docs/getting-started.rst

@@ -207,25 +207,32 @@ debops.persistent_paths_ support
 --------------------------------
 
 In case the host in question happens to be a TemplateBasedVM on `Qubes OS`_ or
-another system where persistence is not the default, it should absent in
-``debops_service_tinc`` and instead be added to
-``debops_service_tinc_persistent_paths`` so that the changes can be made
-persistently:
+another system where persistence is not the default, it should be absent in
+``debops_service_tinc`` and instead be added to the
+``debops_service_tinc_persistent_paths`` Ansible inventory group
+so that the changes can be made persistent:
 
 .. code:: ini
 
    [debops_service_tinc_persistent_paths]
    hostname
 
-Note that the :envvar:`tinc__user` (``tinc-vpn`` by default) created by the role is not made persistent because making
-:file:`/etc/passwd` and related files persistent might interfere with template
-changes.
+Note that the :envvar:`tinc__user` (``tinc-vpn`` by default) created by the
+role is not made persistent because making :file:`/etc/passwd` and related
+files persistent might interfere with template changes.
 
 You will need to ensure that the user exists by one of the following ways:
 
 * Create the user in the template using :command:`useradd --system tinc-vpn --comment 'tinc VPN service' --home-dir '/etc/tinc' --shell '/bin/false'`
 * Running the above command on start in the TemplateBasedVM
-* Run the role against your template with the role configured in such a way that it only
-  creates the user. Note that this is normally `discouraged <https://www.qubes-os.org/doc/software-update-vm/#notes-on-trusting-your-templatevms>`_.
+* Run the role against your template with the role configured in such a way
+  that it only creates the user.
+  Note that this is normally `discouraged on Qubes OS <https://www.qubes-os.org/doc/software-update-vm/#notes-on-trusting-your-templatevms>`_.
 
 Besides that, the :envvar:`tinc__base_packages` are expected to be present (typically installed in the TemplateVM).
+
+Also note that you will need to set ``core__unsafe_writes`` to ``True`` when you
+attempt to update the configuration on a system that uses bind mounts for
+persistence. You can set ``core__unsafe_writes`` directly in your inventory
+without the need to run the ``debops.core`` role for this special case.
+Refer to `Templating or updating persistent files`_ for details.

docs/includes/all.rst

@@ -1 +1,2 @@
 .. include:: includes/global.rst
+.. include:: includes/role.rst

docs/includes/role.rst

@@ -0,0 +1 @@
+.. _Templating or updating persistent files: https://docs.debops.org/en/latest/ansible/roles/ansible-persistent_paths/docs/guides.html#templating-or-updating-persistent-files

tasks/main.yml

@@ -60,6 +60,8 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   notify: [ 'Reload tinc' ]
 
 - name: Disable tinc networks in systemd if requested
@@ -95,6 +97,8 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   with_dict: '{{ tinc__combined_networks }}'
   when: item.value.state|d('present') != 'absent' and item.value.tinc_options|d()
   notify: [ 'Reload tinc' ]
@@ -111,6 +115,8 @@
     owner: 'root'
     group: '{{ tinc__group }}'
     mode: '0750'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   with_dict: '{{ tinc__combined_networks }}'
   when: (item.value.state|d('present') != 'absent' and item.value.generate_tinc_up|d(True)|bool)
 
@@ -121,6 +127,8 @@
     owner: 'root'
     group: '{{ tinc__group }}'
     mode: '0750'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   with_dict: '{{ tinc__combined_networks }}'
   when: (item.value.state|d('present') != 'absent' and item.value.generate_tinc_up|d(True)|bool)
 
@@ -131,6 +139,8 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 
 # RSA key management [[[1
 
@@ -141,6 +151,8 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
 
 - name: Initialize RSA key pairs
   shell: yes | tincd -n {{ item.value.name | d(item.key) }} -K {{ item.value.rsa_key_length | d(tinc__rsa_key_length) }}
@@ -165,6 +177,8 @@
     owner: 'root'
     group: 'root'
     mode: '0640'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   with_dict: '{{ tinc__combined_networks }}'
   when: item.value.state|d('present') != 'absent'
 
@@ -243,6 +257,8 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   with_dict: '{{ tinc__combined_networks }}'
   when: tinc__systemd|bool and item.value.state|d('present') != 'absent'
   notify: [ 'Reload tinc' ]
@@ -254,6 +270,8 @@
     owner: 'root'
     group: 'root'
     mode: '0755'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   when: tinc__systemd | bool
 
 - name: Clean up old systemd configuration
@@ -264,10 +282,12 @@
 - name: Configure systemd unit files
   template:
     src: 'etc/systemd/system/{{ item }}.j2'
-    dest: '{{ tinc__persistent_prefix_path + "/" + item }}'
+    dest: '/etc/systemd/system/{{ item }}'
     owner: 'root'
     group: 'root'
     mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   with_items: [ 'tinc.service', '[email protected]' ]
   register: tinc__register_systemd
   when: tinc__systemd | bool
@@ -293,11 +313,6 @@
 
 # Ansible facts [[[1
 
-# Note that for ``debops.persistent_paths`` on Qubes OS to work correctly, the
-# facts need to be generated at the end of the (first) role playbook run. Note
-# this if it might be necessary to move this to a separate env role. Not sure
-# yet how this could be handled to cover both cases.
-
 - name: Make sure Ansible fact directory exists
   file:
     path: '/etc/ansible/facts.d'
@@ -313,6 +328,8 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes|d(True if (ansible_local|d() and ansible_local.core|d()
+                       and ansible_local.core.unsafe_writes|d() | bool) else False) | bool) else omit }}'
   register: tinc__register_facts
 
 - name: Reload facts if they were modified