AlmaLinux · anfimovdm · Jun 27, 2026 · Jun 27, 2026 · Jun 27, 2026 · Jun 27, 2026
diff --git a/inventories/one_vm/group_vars/all.yml b/inventories/one_vm/group_vars/all.yml
@@ -39,8 +39,12 @@ rabbitmq_vhost: "rabbitmq"
 pulp_host: "http://pulp"
 pulp_password: "password"
 pulp_user: "admin"
-pulp_database_url: "postgresql+psycopg2://postgres:{{ pulp_password }}@pulp/pulp"
-async_pulp_database_url: "postgresql+asyncpg://postgres:{{ pulp_password }}@pulp/pulp"
+# Pulp runs as a multi-container stack: the "pulp" host (pulp_web alias) is
+# HTTP-only, and the Pulp DB lives in the separate "postgres" service. The DB
+# user/password here must match pulp-postgres.env in the albs-web-server repo
+# (postgres/password).
+pulp_database_url: "postgresql+psycopg2://postgres:{{ pulp_password }}@postgres:5432/pulp"
+async_pulp_database_url: "postgresql+asyncpg://postgres:{{ pulp_password }}@postgres:5432/pulp"
 
 immudb_username: ""
 immudb_password: ""

diff --git a/roles/dev_deploy/defaults/main/common.yml b/roles/dev_deploy/defaults/main/common.yml
@@ -12,8 +12,6 @@ created_directories:
     mode: "0755"
 #  - path: "{{ volumes_root }}/{{ folder_name_for_result_backend }}"
 #    mode: "0755"
-  - path: "{{ volumes_root }}/pulp/settings"
-    mode: "0755"
   - path: "{{ sources_root }}/albs-sign-node/node-config"
     mode: "0755"
   - path: "{{ sources_root }}/albs-node/node-config/castor"

diff --git a/roles/dev_deploy/defaults/main/configs.yml b/roles/dev_deploy/defaults/main/configs.yml
@@ -8,14 +8,15 @@ generated_configs:
   # in the albs-web-server repo at nginx_configs/albs.conf and is mounted
   # directly into the nginx container. It has no per-deployment values, so
   # there is no reason to duplicate it as a Jinja template here.
-  - sname: alembic.ini.j2
-    dname: alembic.ini
-    dest: "{{ sources_root }}/albs-web-server/alws"
-    mode: "0644"
-  - sname: settings.py.j2
-    dname: settings.py
-    dest: "{{ volumes_root }}/pulp/settings"
-    mode: "0644"
+  # alembic.ini is intentionally NOT templated here — it lives in the
+  # albs-web-server repo at alws/alembic.ini and is used directly. The DB
+  # URL is no longer hardcoded in it; alws/alembic/env.py sets it at runtime
+  # from settings.sync_database_url (SYNC_DATABASE_URL), which is provided
+  # via vars.env. There are no per-deployment values left to template.
+  # Pulp's settings.py is intentionally NOT templated here — it lives in the
+  # albs-web-server repo at assets/pulp/settings.py and is mounted directly into
+  # every Pulp service by docker-compose. The multi-container stack no longer
+  # mounts volumes_root/pulp/settings, and the file has no per-deployment values.
   - sname: albs-gitea-listener-config.yaml.j2
     dname: albs-gitea-listener-config.yaml
     dest: "{{ sources_root }}/albs-web-server/alws/scripts/albs-gitea-listener"

diff --git a/roles/dev_deploy/tasks/misc.yml b/roles/dev_deploy/tasks/misc.yml
@@ -5,45 +5,22 @@
     path: "{{ volumes_root }}/is_clean_installation"
   register: is_clean_installation
 
+# Pulp runs as a multi-container stack: pulpcore-manager lives in the pulp_api
+# service. The init admin password is seeded to "password" by the
+# pulp_set_init_password one-shot in docker-compose; this resets it to the
+# configured pulp_password if a custom one was provided. The separate postgres
+# service already allows external access over the compose network (scram-sha-256
+# via pulp-postgres.env), so no manual pg_hba/postgresql.conf edits are needed.
 - name: Change pulp password
   community.docker.docker_container_exec:
-    container: "{{ container_name_prefix }}_pulp_1"
+    container: "{{ container_name_prefix }}_pulp_api_1"
     command: "bash -c 'pulpcore-manager reset-admin-password -p {{ pulp_password }}'"
   register: result
   until: result is succeeded
   retries: 10
   delay: 30
   when: is_clean_installation.stat.exists == False
 
-- name: Enable pulp database external access
-  community.docker.docker_container_exec:
-    container: "{{ container_name_prefix }}_pulp_1"
-    command: >-
-      bash -c "
-      if ! grep -q 'listen_addresses = \*' /var/lib/pgsql/data/postgresql.conf; then
-        echo \"listen_addresses = '*'\" >> /var/lib/pgsql/data/postgresql.conf;
-      fi &&
-      if ! grep -q 'host all all 0.0.0.0/0 md5' /var/lib/pgsql/data/pg_hba.conf; then
-        echo \"host all all 0.0.0.0/0 md5\" >> /var/lib/pgsql/data/pg_hba.conf;
-      fi &&
-      if ! grep -q 'host all all ::/0 md5' /var/lib/pgsql/data/pg_hba.conf; then
-        echo \"host all all ::/0 md5\" >> /var/lib/pgsql/data/pg_hba.conf;
-      fi &&
-      runuser postgres -c 'echo \"ALTER USER postgres WITH PASSWORD '\''{{ pulp_password }}'\'';\" | /usr/bin/psql'"
-  when: is_clean_installation.stat.exists == False
-
-- name: Stop pulp container
-  community.docker.docker_container:
-    name: "{{ container_name_prefix }}_pulp_1"
-    state: stopped
-  when: is_clean_installation.stat.exists == False
-
-- name: Start pulp container
-  community.docker.docker_container:
-    name: "{{ container_name_prefix }}_pulp_1"
-    state: started
-  when: is_clean_installation.stat.exists == False
-
 - name: Wait for web_server container to be running
   community.docker.docker_container_info:
     name: "{{ container_name_prefix }}_web_server_1"
@@ -120,27 +97,38 @@
     - regenerated_albs_jwt is defined
     - regenerated_albs_jwt.stdout | default('') | length > 0
 
+# Recreate all non-excluded consumer containers in a single compose invocation
+# (parallel, depends_on-ordered) instead of a per-service loop. The filtered list
+# is guarded so an empty arg list never makes 'docker compose up' touch ALL
+# services (including the excluded ones).
 - name: Recreate consumer containers to pick up regenerated JWT
   tags:
     - jwt_tokens
     - albs_jwt_token
     - services
-  shell: "{{ docker_compose }} -p {{ container_name_prefix }} --compatibility up -d --force-recreate {{ item }}"
+  vars:
+    consumer_services: >-
+      {{ services.stdout_lines
+         | difference(excluded_containers)
+         | difference(pre_bootstrap_excluded_containers | default([])) }}
+  shell: >-
+    {{ docker_compose }} -p {{ container_name_prefix }} --compatibility
+    up -d --force-recreate {{ consumer_services | join(' ') }}
   args:
     chdir: "{{ sources_root }}/albs-web-server"
-  loop: "{{ services.stdout_lines }}"
   when:
     - regenerated_albs_jwt is defined
     - regenerated_albs_jwt.stdout | default('') | length > 0
-    - item not in excluded_containers
-    - item not in (pre_bootstrap_excluded_containers | default([]))
     - services is defined
+    - consumer_services | length > 0
 
 - name: Start containers deferred until after bootstrap
-  shell: "{{ docker_compose }} -p {{ container_name_prefix }} --compatibility up -d --build --force-recreate {{ item }}"
+  shell: >-
+    {{ docker_compose }} -p {{ container_name_prefix }} --compatibility
+    up -d --build --force-recreate
+    {{ pre_bootstrap_excluded_containers | default([]) | join(' ') }}
   args:
     chdir: "{{ sources_root }}/albs-web-server"
-  loop: "{{ pre_bootstrap_excluded_containers | default([]) }}"
   when: pre_bootstrap_excluded_containers | default([]) | length > 0
 
 - name: Checking if GPG key exists on web_server

diff --git a/roles/dev_deploy/tasks/services.yml b/roles/dev_deploy/tasks/services.yml
@@ -16,14 +16,24 @@
         chdir: "{{ sources_root }}/albs-web-server"
       register: services
 
-    - name: Create and start each service individually
-      shell: "{{ docker_compose }} -p {{ container_name_prefix }} --compatibility up -d --build --force-recreate {{ item }}"
+    # Start all non-excluded services in a single compose invocation so images
+    # build in parallel (BuildKit) and startup respects depends_on. A per-service
+    # loop would serialize the builds. Excluded containers are filtered out of the
+    # service list rather than skipped via 'docker compose up' (which has no
+    # native "all except X" flag). The filtered list is guarded so an empty arg
+    # list never makes 'docker compose up' start ALL services.
+    - name: Create and start non-excluded services
+      vars:
+        included_services: >-
+          {{ services.stdout_lines
+             | difference(excluded_containers)
+             | difference(pre_bootstrap_excluded_containers | default([])) }}
+      shell: >-
+        {{ docker_compose }} -p {{ container_name_prefix }} --compatibility
+        up -d --build --force-recreate {{ included_services | join(' ') }}
       args:
         chdir: "{{ sources_root }}/albs-web-server"
-      when:
-        - item not in excluded_containers
-        - item not in (pre_bootstrap_excluded_containers | default([]))
-      loop: "{{ services.stdout_lines }}"
+      when: included_services | length > 0
   when:
     - docker_compose != "not found"
     - (excluded_containers | length > 0) or (pre_bootstrap_excluded_containers | default([]) | length > 0)

diff --git a/roles/dev_deploy/templates/alembic.ini.j2 b/roles/dev_deploy/templates/alembic.ini.j2
diff --git a/roles/dev_deploy/templates/settings.py.j2 b/roles/dev_deploy/templates/settings.py.j2