From d830c88275f893bc04c884e249f5c3e07ceeab04 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <slavi@devture.com>
Date: Fri, 1 May 2026 00:14:27 +0300
Subject: [PATCH] Fix Draupnir conditional restart not triggering on
 force-pulled image updates

matrix-bot-draupnir and matrix-appservice-draupnir-for-all share the same
upstream container image. When both are enabled and force-pull is on
(e.g. when pinning to a rolling tag like `latest` or `main`), the second
role to run during a single playbook invocation sees the image as already
up-to-date locally because the first role just pulled it. The
community.docker.docker_image module reports `changed: false` in that
case, so the second role's restart_necessary stays false and the
conditional restart logic skips it. Result: the first service picks up
the new image on restart, while the second keeps running the old one.

For other versions which don't get force-pulled (other than `latest`),
systemd service files also get updated by the playbook and these updates
done by each role properly flip the "requires restarting" variable
regardless of pulling. So it's just force-pulling that causes the problem.

Treating force-pull itself as a restart trigger sidesteps the lossy
"did this specific pull task fetch new bytes" heuristic. The downside
is that both Draupnir services now restart on every run when force-pull
is enabled, even when the upstream image has not moved. That is a small
amount of waste compared to silently running an outdated container.

Localized to these two roles via a comment that documents the
constraint, rather than applied playbook-wide, since this is the only
known image-sharing pair and other roles do not need the extra
restarts.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5186

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../tasks/setup_install.yml                           | 11 +++++++++++
 .../matrix-bot-draupnir/tasks/setup_install.yml       | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
index cb5b457cd..21a1e6f4e 100644
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
@@ -100,6 +100,16 @@
     mode: '0644'
   register: matrix_appservice_draupnir_for_all_systemd_service_result
 
+# matrix-appservice-draupnir-for-all and matrix-bot-draupnir share the
+# same upstream container image. When both are enabled and force-pull is
+# on, the second role to run sees the image as already up-to-date (the
+# first role just pulled it), so its pull_result.changed is false and
+# conditional restart would skip it. To avoid that, we also treat
+# force-pull itself as a restart trigger for this role. The downside is
+# that both Draupnir services restart on every run when force-pull is
+# enabled (e.g. with rolling tags like `latest` or `main`), even when the
+# upstream image has not moved. That is wasteful but acceptable.
+# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5186
 - name: Determine whether Draupnir for All needs a restart
   ansible.builtin.set_fact:
     matrix_appservice_draupnir_for_all_restart_necessary: >-
@@ -110,6 +120,7 @@
         or matrix_appservice_draupnir_for_all_registration_config_result.changed | default(false)
         or matrix_appservice_draupnir_for_all_systemd_service_result.changed | default(false)
         or matrix_appservice_draupnir_for_all_container_image_pull_result.changed | default(false)
+        or matrix_appservice_draupnir_for_all_container_image_force_pull | bool
       }}
 
 - name: Ensure matrix-appservice-draupnir-for-all.service restarted, if necessary
diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
index 630d8ec88..3936521ae 100644
--- a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
@@ -94,6 +94,16 @@
     mode: '0644'
   register: matrix_bot_draupnir_systemd_service_result
 
+# matrix-bot-draupnir and matrix-appservice-draupnir-for-all share the
+# same upstream container image. When both are enabled and force-pull is
+# on, the second role to run sees the image as already up-to-date (the
+# first role just pulled it), so its pull_result.changed is false and
+# conditional restart would skip it. To avoid that, we also treat
+# force-pull itself as a restart trigger for this role. The downside is
+# that both Draupnir services restart on every run when force-pull is
+# enabled (e.g. with rolling tags like `latest` or `main`), even when the
+# upstream image has not moved. That is wasteful but acceptable.
+# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5186
 - name: Determine whether Draupnir needs a restart
   ansible.builtin.set_fact:
     matrix_bot_draupnir_restart_necessary: >-
@@ -103,6 +113,7 @@
         or matrix_bot_draupnir_config_result.changed | default(false)
         or matrix_bot_draupnir_systemd_service_result.changed | default(false)
         or matrix_bot_draupnir_container_image_pull_result.changed | default(false)
+        or matrix_bot_draupnir_container_image_force_pull | bool
       }}
 
 - name: Ensure matrix-bot-draupnir.service restarted, if necessary