feat(infra): Improve StorageBox mounting reliability and directory management

Refactor StorageBox mount logic for greater stability and consistent remounts by utilizing shell commands. Enable `user_allow_other` for davfs2 mounts in `/etc/fuse.conf` and `fstab`, ensuring non-root container access to mounted files. Standardize SWAG configuration directory provisioning to include specific subdirectories for DNS, proxy, and Certbot files. Streamline local `/opt/iklimco` directory creation on app and db nodes, removing obsolete paths and consolidating relevant service directories.
2026-05-24 16:27:00 +03:00 · 2026-05-24 16:27:00 +03:00 · 3641f1a87e
commit 3641f1a87e
parent 6f9d0d1588
5 changed files with 65 additions and 49 deletions
--- a/ansible/prod/group_vars/all/vars.yml
+++ b/ansible/prod/group_vars/all/vars.yml
@ -8,10 +8,16 @@ storagebox_managed_directories:
    mode: "0777"
  - path: "{{ storagebox_mount_point }}/ssl"
    mode: "0777"
-  - path: "{{ storagebox_mount_point }}/swag/config"
+  - path: "{{ storagebox_mount_point }}/swag"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag/dns-conf"
    mode: "0777"
  - path: "{{ storagebox_mount_point }}/swag/site-confs"
    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag/proxy-confs"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag/certbot"
+    mode: "0777"
  - path: "{{ storagebox_managed_directories_grafana_path | default(storagebox_mount_point ~ '/grafana/data') }}"
    mode: "0777"
  - path: "{{ storagebox_mount_point }}/precipitation/images"
--- a/ansible/roles/node_dirs/tasks/main.yml
+++ b/ansible/roles/node_dirs/tasks/main.yml
@ -5,29 +5,6 @@
    state: directory
    mode: '0755'

- name: Create app specific directories
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    mode: '0755'
-  loop:
-    - /opt/iklimco/ssl
-    - /opt/iklimco/init
-    - /opt/iklimco/init/postgresql
-    - /opt/iklimco/init/mongodb
-    - /opt/iklimco/stacks
-    - /opt/iklimco/vault/data
-  when: inventory_hostname in groups['app']
-
- name: Set vault data directory ownership (vault container runs as uid 100)
-  ansible.builtin.file:
-    path: /opt/iklimco/vault/data
-    state: directory
-    owner: '100'
-    group: '100'
-    mode: '0750'
-  when: inventory_hostname in groups['app']
-
 - name: Create db specific directories
  ansible.builtin.file:
    path: "{{ item }}"
@ -37,3 +14,12 @@
    - /opt/iklimco/db
    - /opt/iklimco/backup
  when: inventory_hostname in groups['db']
+
+- name: Create service node directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - /opt/iklimco/ssl
+  when: inventory_hostname in groups['app']
--- a/ansible/roles/storagebox/handlers/main.yml
+++ b/ansible/roles/storagebox/handlers/main.yml
@ -2,9 +2,3 @@
 - name: Reload systemd
  ansible.builtin.systemd:
    daemon_reload: yes
-
- name: Remount storagebox
-  ansible.builtin.shell: |
-    umount {{ storagebox_mount_point }} || true
-    mount {{ storagebox_mount_point }}
-  listen: "refresh storagebox mount"
--- a/ansible/roles/storagebox/tasks/main.yml
+++ b/ansible/roles/storagebox/tasks/main.yml
@ -4,6 +4,15 @@
    name: davfs2
    state: present

+- name: Enable user_allow_other in /etc/fuse.conf
+  ansible.builtin.lineinfile:
+    path: /etc/fuse.conf
+    regexp: '^#?\s*user_allow_other'
+    line: 'user_allow_other'
+    state: present
+    create: yes
+  register: fuse_conf
+
 - name: Configure davfs2 secrets
  ansible.builtin.lineinfile:
    path: /etc/davfs2/secrets
@ -22,28 +31,32 @@
 - name: Add fstab entry for StorageBox
  ansible.builtin.lineinfile:
    path: /etc/fstab
-    line: "{{ storagebox_url }} {{ storagebox_mount_point }} davfs _netdev,auto,user,rw,uid={{ storagebox_uid | default('root') }},gid={{ storagebox_gid | default('root') }}{% if storagebox_dir_mode is defined %},dir_mode={{ storagebox_dir_mode }}{% endif %}{% if storagebox_file_mode is defined %},file_mode={{ storagebox_file_mode }}{% endif %} 0 0"
+    line: "{{ storagebox_url }} {{ storagebox_mount_point }} davfs _netdev,auto,user,rw,uid={{ storagebox_uid | default('root') }},gid={{ storagebox_gid | default('root') }}{% if storagebox_dir_mode is defined %},dir_mode={{ storagebox_dir_mode }}{% endif %}{% if storagebox_file_mode is defined %},file_mode={{ storagebox_file_mode }}{% endif %},allow_other 0 0"
    regexp: "^{{ storagebox_url | regex_escape() }}"
    state: present
-  notify:
-    - Reload systemd
-    - refresh storagebox mount
+  register: fstab_entry
+
+- name: Remove stale davfs2 PID file
+  ansible.builtin.shell: |
+    mountpoint -q {{ storagebox_mount_point }} && exit 0
+    rm -f /var/run/mount.davfs/mnt-storagebox.pid
+  changed_when: false
+
+- name: Remount StorageBox to apply updated options
+  ansible.builtin.shell: |
+    if mountpoint -q {{ storagebox_mount_point }}; then
+      umount -l {{ storagebox_mount_point }} || true
+      sleep 3
+    fi
+    rm -f /var/run/mount.davfs/mnt-storagebox.pid 2>/dev/null || true
+    mount {{ storagebox_mount_point }}
+  when: fuse_conf.changed or fstab_entry.changed

 - name: Mount StorageBox
-  ansible.builtin.mount:
-    path: "{{ storagebox_mount_point }}"
-    src: "{{ storagebox_url }}"
-    fstype: davfs
-    opts: "_netdev,auto,user,rw,uid={{ storagebox_uid | default('root') }},gid={{ storagebox_gid | default('root') }}{% if storagebox_dir_mode is defined %},dir_mode={{ storagebox_dir_mode }}{% endif %}{% if storagebox_file_mode is defined %},file_mode={{ storagebox_file_mode }}{% endif %}"
-    state: mounted
-  notify:
-    - refresh storagebox mount
-
- name: Write mount marker
-  ansible.builtin.copy:
-    content: "mounted by ansible"
-    dest: "{{ storagebox_mount_point }}/.mounted_marker"
-    mode: '0644'
+  ansible.builtin.shell: |
+    mountpoint -q {{ storagebox_mount_point }} && exit 0
+    mount {{ storagebox_mount_point }}
+  changed_when: false

 - name: Create managed StorageBox directories
  ansible.builtin.file:
@ -53,4 +66,3 @@
    group: "{{ item.group | default(omit) }}"
    mode: "{{ item.mode | default('0755') }}"
  loop: "{{ storagebox_managed_directories | default([]) }}"
-  notify: "refresh storagebox mount"
--- a/ansible/test/group_vars/all/vars.yml
+++ b/ansible/test/group_vars/all/vars.yml
@ -3,7 +3,25 @@ storagebox_user: "{{ storagebox_account }}-sub4"
 storagebox_url: "https://{{ storagebox_user }}.your-storagebox.de/"
 storagebox_mount_point: "/mnt/storagebox"
 storagebox_password: "{{ vault_storagebox_password }}"
+storagebox_uid: "1000"
+storagebox_gid: "1000"
+storagebox_dir_mode: "0777"
+storagebox_file_mode: "0666"
 storagebox_managed_directories:
+  - path: "{{ storagebox_mount_point }}/db"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/ssl"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag/dns-conf"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag/site-confs"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag/proxy-confs"
+    mode: "0777"
+  - path: "{{ storagebox_mount_point }}/swag/certbot"
+    mode: "0777"
  - path: "{{ storagebox_mount_point }}/precipitation/images"
    mode: "0755"
 iklim_password: "{{ vault_iklim_password }}"