http_frontend: Correctly update configs, etc.

Docker forbids updating configurations and secrets: to replace one, one
must either create the replacement with a new name or delete and
recreate the configuration or secret, which requires stopping any
containers that use it.

This change modifies the Docker Stack deployment to give each
configuration a name derived from a hash of its contents. This allows
running stacks to be updated while preserving idempotency.

This also changes some tasks to prevent them from unnecessarily
reporting changed status, making this role idempotent.

roles/http_frontend/tasks/main.yml

@@ -5,6 +5,7 @@
 - name: Create temporary directory.
   tempfile:
     state: directory
+  changed_when: false
   register: tmpdir
 
 - name: Copy httpd configuration file.
@@ -13,22 +14,59 @@
     src: httpd-frontend.conf.j2
     owner: root
     mode: 0644
+  changed_when: false
   when: tmpdir.path is defined
 
+- name: Register checksum of httpd configuration file.
+  stat:
+    path: "{{ tmpdir.path }}/httpd-frontend.conf"
+    checksum_algorithm: sha256
+  register: r
+  when: tmpdir.path is defined
+
+- name: Calculate name for configuration.
+  set_fact:
+    _r2: "{{ http_frontend_name }}_\
+         httpd_frontend_config-\
+         {{ r.stat.checksum }}"
+
+- name: Calculate shorter name for configuration.
+  set_fact:
+    httpd_frontend_config_name: "{{ _r2 | regex_replace('(.{,64}).*', '\\1') }}"
+
 - name: Copy landing page.
   template:
     dest: "{{ tmpdir.path }}/index.html"
     src: index.html.j2
     owner: root
     mode: 0644
+  changed_when: false
+  when: tmpdir.path is defined
+
+- name: Register checksum of landing page.
+  stat:
+    path: "{{ tmpdir.path }}/index.html"
+    checksum_algorithm: sha256
+  register: r
   when: tmpdir.path is defined
 
+- name: Calculate name for configuration.
+  set_fact:
+    _r2: "{{ http_frontend_name }}_\
+         index-\
+         {{ r.stat.checksum }}"
+
+- name: Calculate shorter name for configuration.
+  set_fact:
+    index_name: "{{ _r2 | regex_replace('(.{,64}).*', '\\1') }}"
+
 - name: Copy Dockerfile.
   copy:
     dest: "{{ tmpdir.path }}/Dockerfile"
     src: Dockerfile
     owner: root
     mode: 0644
+  changed_when: false
   when: tmpdir.path is defined
 
 - name: Install python3-jsondiff (Ubuntu).
@@ -49,25 +87,31 @@
 
 - name: Build Docker image.
   docker_image:
-    name: "{{ http_frontend_name }}"
+    name: "{{ http_frontend_name }}:latest"
+    state: present
     source: build
+    force_source: true
     build:
       path: "{{ tmpdir.path }}"
       pull: yes
   when: tmpdir.path is defined
 
+# Note: This won't trigger a redeployment when a new image is built because the
+# new image will have the same tag ("latest") as the currently-running
+# container.
 - name: Deploy stack.
   vars:
     ansible_python_interpreter: python3
   docker_stack:
     name: "{{ http_frontend_name }}"
     state: present
-    resolve_image: never
+    resolve_image: always
+    prune: true
     compose:
       - version: "3.7"
         services:
           frontend:
-            image: "{{ http_frontend_name }}"
+            image: "{{ http_frontend_name }}:latest"
             configs:
               - source: httpd_frontend_config
                 target: /usr/local/apache2/conf/conf.d/frontend.conf
@@ -76,18 +120,21 @@
 
         configs:
           httpd_frontend_config:
+            name: "{{ httpd_frontend_config_name }}"
             file: "{{ tmpdir.path }}/httpd-frontend.conf"
           index:
+            name: "{{ index_name }}"
             file: "{{ tmpdir.path }}/index.html"
 
         networks:
           default:
-            external:
-              name: host
+            external: true
+            name: host
   when: tmpdir.path is defined
 
 - name: Remove temporary directory.
   file:
     path: "{{ tmpdir.path }}"
     state: absent
+  changed_when: false
   when: tmpdir.path is defined