Since being diagnosed with ADHD, in September 2024, I have been diagnosed with a myriad of physical and neurodevelopmental health conditions. I did briefly mentioned my autism diagnosis in my post about CIUK 2025. I will probably write a post about all of the ways in which the doctors have concluded my body and mind are broken, at some point (I intend to, it’s just emotionally challenging).

So, back to the point… What is inclusion?

Searching online for a definition, I found that the Government Security website (“This site is the home of security strategies, standards, policies, and guidance for UK government departments and their arm’s length bodies.”) defines inclusion as:

Inclusion

Inclusion refers to the practice or policy of providing equal access to opportunities and resources for people who might otherwise be excluded or marginalised, such as those who have physical or mental disabilities and members of other minority groups.

The Civil Service definition of inclusion highlights three key components:

• Belonging – feeling like you belong in your organisation and team
• Authenticity – feeling like you can be your authentic self at work
• Voice – feeling like you have the opportunity to speak up and are heard

What isn’t inclusion?

I think there is a distinction between “inclusion” and “accommodations” (or “adjustments”, I am using those two words synonymously), or this blog post doesn’t work. Inclusion is being part of the whole; feeling and being a part of the wider community. Accommodations are the changes to practice or environment that happen, hopefully to help people to feel included but are also “box-ticking” to fulfil legal obligations, and end up feeling punishing or alienating if solely approached in that way.

I think that is the theme of this post, accommodations do not naturally lead to inclusion. “Inclusive culture” in the workplace is a thing that gets talked about a lot but I am struggling to think of any disability training I have been through that went beyond “we have a legal obligation to make accommodations so everyone has fair access” to “each person has a moral duty to help people feel included”. Maybe it’s another one of those unwritten rules “everyone knows”, but I don’t and that there is an example of the inclusion problem. (EDIT: This is no longer the case.)

My autistic brain isn’t good at working out these unwritten rules, so I do need to be told them directly in order to be included in the group of people who understand these social norms. In my case, it helps me that I am a people-pleaser so I naturally try to make everyone happy which masks my difficulty, and anxiety about, not understanding how I am supposed to be behaving most of the time (“but not well”, my wife adds). My difficulties expressing myself were identified by an educational psychologist at a young age and I think they are rooted in this uncertainty. I do not cope with uncertainty in any form well, it causes me extreme anxiety. I think that not being sure how to say things appropriately is why I rapidly withdraw and shutdown when I begin to feel overwhelmed, until I can cope no more then I spectacularly meltdown.

Perhaps ironically, in an emergency situation I rarely feel overwhelmed, as my very logical mind can very quickly assess the situation, weigh up all the options, policies & procedures and priorities to find an objectively good¹ course of action towards resolving it. Unless I am the emergency (e.g. injured etc.), in which case I almost always feel overwhelmed and shutdown. But I digress (“tangent alert!” used to be said in meetings at the University of Birmingham - an example of how I now see people were gently accommodating my ADHD, trying to help me stay on-topic even though I was unaware it was not typical to go off on tangents all the time).

This is inclusion!

The workplaces I’ve most enjoyed working, I now look back at and recognise how accommodating people were. Without me having to ask (because I am not someone who naturally asks), without me having to have any labels (because in most of them, I didn’t have any). Inclusion is cultural, not achieved by ticking boxes. They were the places where I felt it was okay to be me. Where I could bring my authentic self to work, without fear of judgement for who I am as a person, and that enabled me to do my best work for my employer. Conversely, the places I’ve least enjoyed working are those where I have felt unable to be myself and split my energy between fitting in and working.

When I first started working at Loughborough University, as part of my induction I met with the heads of each team within the IT Services department. I distinctly remember many of them, but particularly my meeting with the Communications and Training Manager Rob Kirkwood and the part of the conversation that went something like this:

Rob: So, how are you finding working here so far?
Me: I’m really enjoying it. It seems like a certain amount of eccentricity is tolerated here.
Rob: No, I don’t think that’s right at all… it’s positively encouraged!

That, there, is inclusion. Not tolerating, but accommodating and celebrating individuals’ quirks and personalities.

My new workplace, OCF Limited has an inclusive culture. Since starting there, for me inclusion has been:

• My first day starting with my new boss (who was aware I was recently diagnosed autistic and had been through a very difficult time with the upset of that diagnosis, going through compulsory redundancy process and my mum dying at the same time) saying “before we get down to business, just give me a hand to clear this desk in my office” and, once done, “right, if you get overwhelmed in the open plan office and need somewhere quiet to work, you can come and use this desk in my office whether I am here or not”. I have so far not needed to use that desk.
• My new boss then starting with the most important things of where to make a drink and the toilets are, and showing not telling me them.

• Being empowered to set status messages to manage overwhelm:

  

• Adjustments coming as suggestions, not impositions. For example, “since you are known to faint while on the toilet, you can use the accessible toilet because it has an alarm cord if you need help” as opposed to, possibly, saying “you must use the accessible toilet”. (For context, the accessible toilet is also the ground-floor female toilet, so being given permission to use it was helpful.)
• On that topic, adjustments being a two-way conversation - I can make suggestions, but I also get suggestions being made to me - sometimes things I wasn’t aware of impacting on others. And they are always suggestions, there’s been occasions on both sides where we have said “that won’t work but let’s talk about the barrier the adjustment is trying to overcome and see what else we can do”.
• Having my wishes completely respected when I said “I don’t mind you joking with me about my disabilities, but I’m not quite ready for you to make fun of one particular aspect yet”.
• Saying “a cheap visual timer really helps me with my time-blindness” and the next day one appeared on my desk.
• When I pointed out the alarm cord finished mid-air, so isn’t reachable from the floor (if someone has fallen, for example), it just got quietly sorted without needing to make a case about compliance or chasing.
• Working somewhere where the little things, like most of the above, that make a huge difference to my ability to work and be comfortable in the environment, seem to happen informally and naturally.

Where I work today, it feels like everyone tries to be considerate and accommodating of one another. That is inclusion.

Clearly actions are more important than words so, despite having said there’s a distinction between accommodations/adjustments and inclusion, accommodations/adjustments are necessary for inclusion. They just have to be driven by inclusion, not as a box-ticking exercise. Identifying the barriers to productivity, then working out the adjustments is inclusion, trying to do it the other way around (e.g. with a proforma “tick list of adjustments for neurodivergent employees”) I found both upsetting and alienating, when I experienced that approach. It seemed like “here is a list of all the problems we think autism causes the business in the workplace, tick which apply to you” and only catered to (for example) the sensory avoidant, not sensory seeking, neurodivergent employees. Inclusion is about conversations, not forms.

Who cares?

Well, I do for a start. I struggle socially but I desperately want to feel included and part of the team/company/crowd/tribe (pick your own collective noun for “group”).

However it’s good for the business too; over the past few months I’ve spent more than one weekend driving up to the office (>200 mile, 4hrs on a good day, round trip) to help out in an emergency. I feel very pleased to be working again somewhere where I want to go the extra mile. I’ve had several previous jobs where this has been the case and several where my goodwill dissipated and I would not have willingly worked at weekends, when I am not contracted to, for example.

A large part of my goodwill to my employer comes from feeling that I am part of the team, I am included and this starts with feeling welcomed with open arms into the organisation. I might be the weird cousin but I love working somewhere where if feels like we are a family of colleagues, rather than professional drones.

Epilogue

It is now 3 weeks since I drafted this post (typical me, starting and not finishing yet another “project”!). Last week, at a celebration for a retiring former manager and good friend of mine, I bumped into another good friend, Georgina Ellis. Georgina has known me for most of my career, and we had a brief conversation that I presume she started because I was wearing my Sunflower Lanyard (as I often do in public these days) which also epitomises what I think I am trying to say about inclusion:

Georgina: I always thought “that’s just Laurence”. I remember the first time I met you at Loughborough University; this lad who looked 12 years old and was running the entire University’s HPC service. It was amazing.
Me: It’s interesting that you should say that, I’ve just drafted a blog post about inclusion and what you just said, “that’s just Laurence” and he’s okay just being Laurence, sort of sums up the piece. One of the things I’ve been struggling with recently is, I thought I was doing a really good job of acting normal and fitting in. But when I started telling people, some who have known me for a very long time, I had just been diagnosed with autism most of them responded “yes, we know” and seemed really surprised this was a big shock to me.
Georgina: I knew, but you were just always “Laurence”.

Better training

I drafted this blog post on 4th March 2026, it was not posted until 28th March 2026 partly because of my usual “start a project then never finish it” difficulty but I also sought permission from everyone named to attribute/name them before posting. I was recently reminded that during this time between writing the words and posting, I completed my new employer’s “Diversity, Equity and Inclusion in the Workplace” training course.

This course really emphasised the importance of having a diverse workplace, and ensuring a diverse range of people are in meetings to ensure voices are heard and to generate new ideas. One key message I took from it was having the same people in meetings all the time is going to result in a limited pool, and potentially stagnating, ideas. As the, often misquoted and misattributed, idiom goes: “insanity is repeating the same mistakes and expecting different results” (Narcotics Anonymous, 1981).

In the end, this proved to be quite straight-forward. I reused some code (such as choosing wget or curl) from previous plugins I have written:

#!/bin/bash

if which curl &>/dev/null
then
  CURL_CMD="curl -Ls"
elif which wget &>/dev/null
then
  CURL_CMD="wget -q -O-"
else
  echo "ERROR: Unable to locate a webscraper (curl or wget) - cannot continue"
  exit 3  # Usage/internal error
fi

usage() {
    cat - <<EOF
$0 [--help]
Nagios plugin to check Debian stable version status.

--help: display this message and quit
-m mirror: Specify the mirror url (defaults to https://deb.debian.org/debian)

Exits with warning if local Debian version is a minor version different to
the remote repository's stable release, exits with cricital if the major
ersion is different or exits with ok if both versions exactly match.
EOF
}

if [[ $# == 1 ]] && [[ $1 == "--help" ]]
then
  usage
  exit 0
fi

# Default values
URL_BASE=https://deb.debian.org/debian

while getopts hm: option
do
    case $option in
        h) usage; exit 0 ;;
        m) URL_BASE="${OPTARG}" ;;
        ?) usage; exit 3 ;;
    esac
done
shift $(($OPTIND - 1))

# Only stable has a version number in it's Release file, so it does not make
# sense to specify any other path, as this is currently written. In the future
# it might be nice to add support for testing by checking if the version
# codenames match as well.
repository_version="$( ${CURL_CMD} "${URL_BASE}/dists/stable/Release" | grep '^Version: ' | awk '{print $2}' )"

if [[ $? -ne 0 ]] || [[ -z ${repository_version} ]]
then
  echo "ERROR: Unable to fetch Release from repository"
  exit  3 # Internal error
fi

if [ -f /etc/os-release ]
then
  local_version="$( . /etc/os-release && echo ${DEBIAN_VERSION_FULL} )"
fi

# DEBIAN_VERSION_FULL was not present in os-release in Bookworm, it was in
# Trixie
if [[ -z ${local_version} ]]
then
  local_version="$( cat /etc/debian_version )"
fi

if [[ -z ${local_version} ]]
then
  echo "ERROR: Unable to get local version from /etc"
  exit 3  # Internal error
fi

if [[ ${repository_version%.*} == ${local_version%.*} ]]
then
  # Major versions match - check for full version match
  if [[ ${repository_version} == ${local_version} ]]
  then
   echo "OK: Local version (${local_version}) matches current stable version (${repository_version})"
   exit 0  # Ok
  else
    # Minor version mis-match
    echo "WARNING: Local minor version (${local_version}) does not match current stable version (${repository_version})"
    exit 1  # Warning
  fi
else
  echo "CRITICAL: Local major version (${local_version}) does not match current stable version (${repository_version})"
  exit 2  # Critical
fi

Adding it to be monitored on the server side just involved adding the command (which I did in global-templates/commands-debian-version.conf):

object CheckCommand "debian-version" {
	import "plugin-check-command"

	command = [ PluginContribDir + "/check_debian_version" ]

	arguments = {
                "-m" = "$debian_mirror$"
        }
}

and then assigned to all hosts with apt as the package manager, which are all Debian stable hosts, in my network - something more targetted might be required if that is not the case in yours (which I did in global-templates/services-debian.conf along side adding a debsecan check, having noticed the check_descan plugin from the monitoring-plugins-contrib package in /usr/lib/nagios/plugins):

apply Service "debian-version" {
  display_name = "Debian stable version check"
  import "generic-service"

  check_command = "debian-version"
  command_endpoint = host.name // Execute on client

  if (host.vars.debian_mirror) {
    vars.debian_mirror = host.vars.debian_mirror
  }

  assign where host.vars.pkg_system && host.vars.pkg_system == "apt"
}

apply Service "debsecan" {
  display_name = "Debian security scan"
  import "generic-service"

  check_command = "debsecan"
  command_endpoint = host.name // Execute on client

  assign where host.vars.pkg_system && host.vars.pkg_system == "apt"
}

On hosts in the restricted server network, I set the mirror URL to be my reverse proxy that exposes a limited set of URLs to that network.

For context, the -ceph hostnames (for the Ceph private network addresses) are in /etc/hosts on each of the Proxmox hosts. Those network dongles are plugged into a 2.5G unmanaged switch that has no other devices attached (it is dedicated for the internal Ceph private network).

The final configuration I came up with was this, note that I had to split the name on . then remove the first item (as there is no way to select a slice of an array) before rejoining (because there is no way to limit the number of parts split splits into):

// Ping all proxmox hosts 
apply Service "ping-" for (target in get_objects(Host).filter((host) => host.vars.services && "proxmox-ve" in host.vars.services).map((host) => host.name)) {
  import "generic-service"

  check_command = "ping"
  command_endpoint = host.name

  vars.ping_address = target

  assign where host.vars.services && "proxmox-ve" in host.vars.services
}

// Ping all proxmox hosts' ceph private network interfaces
apply Service "ping-ceph-" for (target in get_objects(Host).filter((host) => host.vars.services && "proxmox-ve" in host.vars.services).map((host) => host.name)) {
  import "generic-service"

  check_command = "ping"
  command_endpoint = host.name

  // Extract the domain from the host's FQDN
  var domain_parts = target.split(".")
  domain_parts.remove(0)
  var domain = domain_parts.join(".")

  vars.ping_address = target.split(".")[0] + "-ceph." + domain

  assign where host.vars.services && "proxmox-ve" in host.vars.services
}

The hosts already had a vars.services array listing some of the services on them (e.g. hashicorp-vault to monitor my Hashicorp Vault cluster), so I just added proxmox-ve to them and the all automatically got these checks to start checking all of the hosts with that service.

The revised playbook, in full, is:

---
- hosts: all:!dummy
  tasks:
    - name: Ansible sudo password is retrieved from vault, if known
      delegate_to: localhost
      community.hashi_vault.vault_read:
        # So many things can determine the remote username (
        # ansible_user variable, SSH_DEFAULT_USER environment
        # variable, .ssh/config, etc. etc.) it's safer to use the
        # discovered fact.
        path: kv/hosts/{{ inventory_hostname }}/users/{{ ansible_facts.user_id }}
      register: sudo_pass
      # No password in vault is fine - will just not set it.
      failed_when: false
    - name: sudo password is set for host, if found in the vault
      ansible.builtin.set_fact:
        ansible_become_password: '{{ sudo_pass.data.data.password }}'
      when: "'data' in sudo_pass"
    - name: Updates are installed (apt systems)
      become: yes
      ansible.builtin.apt:
        update_cache: true
        upgrade: true
      when: ansible_facts['os_family'] == 'Debian'
    # Proxmox updates keep installing the unsigned kernels, in my secure-boot enabled
    # environment. Ensure the signed variants are installed.
    - name: Package facts are known
      ansible.builtin.package_facts:
    - name: All non-signed proxmox kernels are replaced with signed variants
      become: true
      ansible.builtin.package:
        name: '{{ item }}-signed'
      loop: "{{ ansible_facts.packages.keys() | select('ansible.builtin.match', '^proxmox-kernel-.*-pve$') }}"

...

Although specific to the Proxmox kernels, I chose to apply the patch to everything in order to avoid having to either have the patch outside of my monitoring role or have to make my monitoring role selectively apply tasks based on what groups the hosts were in.

Firstly, I added patch to the list of packages the role installs so I can use ansible.posix.patch to apply the fix:

- name: Packages are installed (icinga2 itself and nagios plugins)
  become: yes
  ansible.builtin.package:
    name:
      - icinga2  # Same package provides client & server
      - monitoring-plugins
      - monitoring-plugins-contrib
      - xz-utils  # Required for check_running_kernel plugin
      - mokutil  # Required for my check_secure_boot plugin
      - patch  # Required to apply check_running_kernel patch, below
    state: present

Next, I moved my existing custom plugins into a subdirectory (which I called nagios-plugins) in the role’s files directory. Previously, these were the only files so I have put them at the top level. I then added this new prefix to the `ansible.builtin.fileglob lookup that ensures out all of my local plugins are deployed:

- name: Additional (locally created) Icinga plugins are deployed
  become: true
  ansible.builtin.copy:
    owner: root
    group: root
    mode: 0555
    src: "{{ item }}"
    dest: /usr/lib/nagios/plugins/{{ plugin_name }}
  loop: "{{ q('ansible.builtin.fileglob', 'nagios-plugins/check_*') }}"
  vars:
    # Strip extension off plugin name when deployed (just to help
    # distinguish different languages this side).
    plugin_name: "{{ item | ansible.builtin.basename | ansible.builtin.splitext | first }}"

Then I dropped the patch I had created into the files directory (I called it check_running_kernel.proxmox.patch) - please excuse the long line length and comment length, I followed the style of the rest of that script which has very long line:

--- /usr/lib/nagios/plugins/check_running_kernel	2025-04-20 22:08:25.000000000 +0100
+++ /usr/lib/nagios/plugins/check_running_kernel	2026-03-08 11:09:16.315946430 +0000
@@ -204,7 +204,8 @@
 			exit $UNKNOWN
 		fi
 		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
-			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | tail -n1`"
+			# Local patch - Proxmox kernel images seem to have an empty parentheses at the end that is now showing in /proc/version. Added sed to stip this.
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | tail -n1 | sed -e 's/ ()//'`"
 			if [ -x /usr/bin/lsb_release ] ; then
 				vendor=$(lsb_release -i -s)
 				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then

Finally, I added the task to ensure the patch has been applied with Ansible’s patch module:

- name: check_running_kernel is patched to work with Proxmox kernels
  become: true
  ansible.posix.patch:
    dest: /usr/lib/nagios/plugins/check_running_kernel
    src: check_running_kernel.proxmox.patch

My system automatically allocates income to the buckets based on rules, including (optionally) allocating surplus to a different bucket (instead of falling through) if the bucket is “full” (at an upper limit I set). For example, I used to have a hobby bucket (before I consolidated it into my “savings” one) and any surplus from my monthly mobile phone and broadband allocations, once I already had what was required to pay the monthly bill but a little contingency, went into it.

At some point I think I want to re-write this (again) using Django. One thing I have in mind it to add a receipts management component too, currently I just save these in a folder structured by date (e.g. year/month/year-month-day <receipt source> [tags].pdf - they are mostly PDF format) and I would like to then link the receipt to the transaction in my accounts system. I wasn’t sure how to link them, if I created separate Django applications for them, while keeping it optional to enable/disable the applications individually (as I would hope to make this available on GitHub). I think I have found the answer to this, from a Stack Overflow question on referencing models from other applications and Django’s documentation on application registry, which explains how to discover if applications are enabled. So I should be able to make the model and UI references conditional on the other application being enabled. Maybe.

Anyway, back to the change at hand…

Adding notes to transactions

To do this, I just added a notes column to the database then updated the UI elements to support adding, editing, searching and displaying this.

Database/ORM changes

Firstly, I added the notes column to my transactions table definition which was in the files budget/entities.py in my source (everything else here was already there):

class Transaction(Base):
    __tablename__ = 'transactions'

    id = sa.Column(sa.Integer, primary_key=True)
    date = sa.Column(sa.Date, nullable=False)
    description = sa.Column(sa.Text)
    notes = sa.Column(sa.Text)
    ratified = sa.Column(sa.Boolean, nullable=False)
    template = sa.Column(sa.Boolean, nullable=False)

    account_postings = sao.relation(TransactionAccountPosting, backref=sao.backref('transaction'))
    bucket_postings = sao.relation(TransactionBucketPosting, backref=sao.backref('transaction'))

I also updated the search class method to support searching the notes as well as the description:

@classmethod
def search(cls, description=None, search_notes=False, start_date=None, end_date=None, min_value=None, max_value=None, limit=None, offset=None):
    query = Session.query(cls)

    # Going to want to join TAP in all cases - for overall value and also if min/max are provided
    query = query.join(TransactionAccountPosting).distinct()

    logger.info("Searching for %s transactions, offset %d, with description '%s' (%s notes), %s<=date<=%s and %d<=value<=%s", limit or 'all', offset or 0, description, 'including' if search_notes else 'not including', start_date or 'any', end_date or 'any', min_value or 0, max_value or 'infinity')

    if description:
        if search_notes:
            query = query.filter(or_(cls.description.ilike('%{}%'.format(description)), cls.notes.ilike('%{}%'.format(description))))
        else:
            query = query.filter(cls.description.ilike('%{}%'.format(description)))

    if start_date:
        query = query.filter(cls.date >= start_date)

    if end_date:
        query = query.filter(cls.date <= end_date)

    # Take min/max to be any individual account posting between the limits
    if min_value and max_value:
        query = query.filter(or_(and_(TransactionAccountPosting.value>=min_value, TransactionAccountPosting.value<=max_value), and_(TransactionAccountPosting.value<=-1*min_value, TransactionAccountPosting.value>=-1*max_value)))
    elif min_value:
        query = query.filter(or_(TransactionAccountPosting.value>=min_value, TransactionAccountPosting.value<=-1*min_value))
    elif max_value:
        query = query.filter(and_(TransactionAccountPosting.value<=max_value, TransactionAccountPosting.value>=-1*max_value))

    count = query.count()
    total_value = query.with_entities(sa.func.sum(TransactionAccountPosting.value)).scalar()

    query = query.order_by(Transaction.date.desc(), Transaction.id)

    if limit is not None:
        query = query.limit(limit)
    if offset is not None:
        query = query.offset(offset)

    return {
        'count': count,
        'transactions': query.all(),
        'total_value': total_value
    }

Currently I have no mechanism for updating the database - in previous iterations of the system I had migration scripts for doing this. This is another driver for wanting to move to Django. Instead, I manually added the column to my database:

ALTER TABLE transactions ADD COLUMN notes TEXT;

UI changes

The were a number of places I wanted to update for this field - obviously editing and displaying individual transactions, but I also wanted to see which transactions had notes in the transaction list display and to optionally search the notes as well as descriptions from the search form.

Edit transaction form

My original plan was to add <textarea>...</textarea> to the form, to allow the flexibility to have multiline notes. However, my current wizard uses <input type="hidden" .../> to store the values from the previous steps, which won’t work with values that have newlines. So, instead, I just used a single-line <input type="text" .../> for the notes - less flexible but better than the current situation (nothing). This was added to my templates/create.j2 template (which is now a misnomer as the same template is used for editing transactions):

<p><label for="txtNotes">Notes:</label><input type="text" id="txtNotes" name="notes" {{ macros.value_if(transaction, 'notes') or macros.value_if(template, 'notes') }}/></p>

The other templates (allocate_account.j2 and allocate_buckets.j2) just needed a hidden field adding to preserve the value through the rest of the add/edit transaction (same templates for either) wizard:

<input type="hidden" id="hdnNotes" name="notes" value="{{ notes }}" />

Backend code changes

Relatively few code changes were required - in my budget/controller/transaction.py file I passed the notes through to the template for the allocate_account and allocate_buckets functions:

def allocate_account(request, response):
    # [...]
    response.unicode_body = v.render_view('transaction/allocate_account.j2', request,
        type=request.params['type'],
        date=request.params['date'],
        description=request.params['description'],
        notes=request.params['notes'],
        template=request.params.get('template', False),
        base_template=template,
        **data
    )

def allocate_buckets(request, response):
    data = {}
    
    data['transaction'] = _get_transaction(request)

    for key in ('type', 'date', 'description', 'notes', 'ratified', 'template'):
        data[key] = request.params.get(key)
    # [...]

The other changes were in the do_create function (another misnomer, as it also updates edited transactions), to add/update the notes (for new/existing transactions respectively):

def do_create(request, response):
    # [...]
    if transaction is None:
        transaction = entities.Transaction(request.params['date'], request.params['description'], request.params['notes'], ratified)
        logger.debug("New transaction")
    else:
        # [...]
        if transaction.notes != request.params['notes']:
            logger.debug("Transaction %d has new notes (old: %s, new: %s)", transaction.id, transaction.notes, request.params['notes'])
            transaction.notes = request.params['notes']
        # [...]

Finally, I have an function to bulk-create transactions from multiple template transactions, which also needed the notes field adding to the constructor call for a new transaction:

def bulk_add_template(request, response):
    # [...]

    for id in ids:
        # [...]

        new_transaction = entities.Transaction(transaction_date, template_transaction.description, template_transaction.notes)

        # [...]

Textarea version notes

From my initial work to add notes as a textarea, I had a few notes that I want to preserve although I reverted these code changes as they are unnecessary with the plain text input version:

The new CSS class was needed to ensure the label is vertically aligned neatly.

Without the class:

With the class:

The CSS for the class is (I added it to the file htdocs/static/styles/main.css in my source tree - htdocs/static is served up directly by the webserver, rather than passed through to uwsgi and my application, for efficiency):

/*
 * Display label and textarea vertically aligned (otherwise label will sit at the bottom of the text area).
 * Based on: https://stackoverflow.com/a/1839450
 */
.textarea_container {
       display: flex;
       align-items: center;
}

I had an existing macro to output a value= attribute for input elements, however the textarea takes its text as content rather than an attribute. I therefore added a new macro to my templates/macros.j2 file to output just the value (without the surrounding value=" and "). Only text_if is new but I’ve reproduced the existing macro here for reference - note the macro returning nothing if there’s no value is useful for the value_if(...) or value_if(...) logic in the template above:

{% macro value_if(item, value=None) -%}
{%     if item %}value="{% if value %}{% if item[value] and item[value] != None %}{{ item[value] }}{% endif %}{% else %}{{ item }}{% endif %}"{%     endif %}
{%- endmacro %}
{% macro text_if(item, value=None) -%}
{%     if item %}{% if value %}{% if item[value] and item[value] != None %}{{ item[value] }}{% endif %}{% else %}{{ item }}{% endif %}{%     endif %}
{%- endmacro %}

Transaction display

This was a simple one line addition to my templates/transaction/view.j2 template:

<p>Notes: {{ transaction.notes or '' }}</p>

Transaction list

I wanted to display if a transaction had a note in the lists of transactions, so far my application has no images and I did not want to start adding some so I used the UnicodePlus website to search for a suitable Unicode character to use. I chose 🗒, “Spiral Note Pad” as other symbols that sounded more appropriate, like “Note”, “Note Page” were not rendering in Chrome.

In my budget/entities.py ORM code, I added the new notes field to the list of fields retrieved by the transactions method on the Account and Bucket classes:

class Bucket(base):
    # [...]
    def transactions(self, limit=None, offset=None):
		query = Session.object_session(self) \
			.query(Transaction.id, Transaction.date, Transaction.description, Transaction.notes, Transaction.ratified, TransactionBucketPosting.value) \
			.join(TransactionBucketPosting) \
			.filter(TransactionBucketPosting.bucket_id==self.id) \
			.order_by(Transaction.date.desc(), Transaction.id)
		
		if limit is not None:
			query = query.limit(limit)
		if offset is not None:
			query = query.offset(offset)
		
		return query.all()
    # [...]

class Account(base):
    # [...]
	def transactions(self, limit=None, offset=None):
		query = Session.object_session(self) \
			.query(Transaction.id, Transaction.date, Transaction.description, Transaction.notes, Transaction.ratified, TransactionAccountPosting.value) \
			.join(TransactionAccountPosting) \
			.filter(TransactionAccountPosting.account_id==self.id) \
			.order_by(Transaction.date.desc(), Transaction.id)
		
		if limit is not None:
			query = query.limit(limit)
		if offset is not None:
			query = query.offset(offset)
		
		return query.all()

There are a number of templates, where transactions are displayed, to edit, however the change is the same for all of them. The templates are:

• Account display (templates/account.j2)
• Bucket display (templates/bucket.j2)
• Search results (templates/search/form.j2 (another misnomer, it shows both the search form and, if a search has been conducted, the results below it))
• Template transactions management page (templates/manage/template_transactions/list.j2)

I enabled the note to display as a “tooltip”esque popup, using CSS and an attribute on a block element based on a Stack Overflow answer. The CSS just went in my static htdocs/static/styles/main.css file:

[data-tooltip] {
	display: inline-block;
	cursor: pointer;
}

[data-tooltip]:hover::after {
	display: block;
	position: absolute;
	content: attr(data-tooltip);
    color: #000;
	font-weight: normal;
	border: 1px solid black;
	background: #eee;
	padding: .25em;
}

Within the templates, I just added the note icon with the note as data in a div element after the existing display of the description:

<a href="{{ request.script_name }}/transaction/{{ transaction.id }}">{{ transaction.description }}</a>{% if transaction.notes %}<div data-tooltip="{{ transaction.notes }}">&#x1f5d2;</div>{% endif %}

Searching

Although I have already added support for displaying notes in search results and support for searching notes to the ORM layer, I have not added the UI support for searching notes.

This is just a checkbox on the search form, so say whether the description text search should also search the notes (for now, I have decided not to separately search notes). The parenthesis are just aesthetic, it appears in brackets after the description search box:

(
    <input type="checkbox" id="chkIncludeNotes" name="include_notes" {% if params and params.get('include_notes', False) %}checked="checked" {% endif %} />
    <label for="chkIncludeNotes">also search notes</label>
)

Since I had done most of the work, I just needed to adjust the do_search function in my budget/controller/search.py file to pass through the value to the transaction search method and template (so the state of the tickbox is correct on the form after searching) respectively:

def do_search(request, response):
	# [...]

	description = request.params.get('term', None)
	include_notes = request.params.get('include_notes')
	if include_notes == 'on':
		include_notes = True
	else:
		include_notes = False
	start_date = request.params.get('start_date', None)
	end_date = request.params.get('end_date', None)

    # [...]

	logger.debug("Searching for transactions with description '%s' (%s notes), %s<=date<=%s and %d<=value<=%s", description, 'including' if include_notes else 'not including', start_date or 'any', end_date or 'any', min_value or 0, max_value or 'infinity')

	# Result with be a dict with keys 'count', 'transactions' (the individual, paginated, transactions), 'total_value'
	result = entities.Transaction.search(description=description, search_notes=include_notes, start_date=start_date, end_date=end_date, min_value=min_value, max_value=max_value, limit=page_size, offset=((page-1)*page_size))

	# Multiply by 1.0 to give python the hint we want a float to round up
	pages = int(math.ceil(result['count'] * 1.0 / page_size))

	return {
		'page': page,
		'pages': pages,
		'params': {
			'term': description,
			'include_notes': include_notes,
			'start_date': start_date,
			'end_date': end_date,
			'min_pounds': min_pounds,
			'min_pence': min_pence,
			'max_pounds': max_pounds,
			'max_pence': max_pence
		},
		'search_results': result
	}

And that’s all there was to adding support for making arbitrary notes on my transactions.

Linking transactions

Now I can add notes, I also want to be able to link related transactions together. For example, I transfer our mortgage payment to our joint account and then it’s separately collected from there by the bank each month (so it would be helpful to link those), I pay for my wife’s mobile phone and she transfers the payment to me each month (again, they can be linked) and when I have out of pocket work-related expenses, it would be helpful to link the transaction reimbursing me for them to the amount going out. I might even want to go a step further and link all costs related to a particular holiday, for example (although I might want to be able to add a description to the set of links for that one).

One complication is how this works with my template transactions. A “template transaction”, in my system, is just a boolean “template” flag on the transaction which causes it to appear in a list on a “Add Transaction from Template” page - there’s also a “Clone transaction” option on every transaction’s details page and adding a transaction from template just does a “clone” on the template transaction (and any transaction can be cloned). While I’m quite happy with the idea that links to other transactions get cloned, what I’m wrestling with is whether that’s a shallow or deep copy of the links - i.e. do linked transactions also get duplicated (so the clone is a complete set of new transactions) or do the links to the existing related transactions, but not the linked transactions themselves, get duplicated (so the clone is itself a new transaction but linked to the same, existing, transactions as the old one).

Thinking this through, with the idea of labelling sets of links too, I think I need to create an idea of “link sets” and allow for cloning a link set (which clones the entire set, i.e. does a “deep copy” creating a brand new copy of every transaction in the set) separately from cloning a transaction (which clones the links to the existing transactions, i.e. does a “shallow copy” creating one new transaction and new links within the same link set).

Database/ORM changes

So, in my database I need two new tables:

1. link_sets

   This will defines each set of links with a description and whether or not this link set is a template (as with transactions, I am imagining that any link set is able to be cloned, the template flag is just a convenience that controls whether it appears in template lists). I expect there to be many link sets, for example one for each month of my work expenses that I claim (and get reimbursed for) together, so I also added a show_in_list flag (I did call it list but that clashes with the Python builtin function, so I changed the name) to control whether it gets displayed by default in lists to allocate transactions to or has to be searched for.

   Therefore is needs three fields:

   1. id (primary key)
   2. description (which may be null)
   3. template boolean (default false)
   4. show_in_list boolean (default false)

2. transaction_link_sets

   This will link transactions that are linked via a link set to the link set definition. The neatness of this approach is that it captures the non-directional nature of these links (i.e. if a transaction appears in the link set, it is linked to all other transactions in that set and there is no need to specify links between individual transactions directly).

   It therefore needs three fields:

   1. id (primary key - should be unnecessary but is with SQLAlchemy)
   2. transaction_id (links to the transaction)
   3. link_set_id (links to the link set)

   Ideally the primary key will be (transaction_id, link_set_id) to ensure no duplication of any transactions occurs within a single link set, however SQLAlechemy only likes single column primary keys so I have to add an id column. Django does support composite primary keys (since version 5.2) - another reason to rewrite in it…

I added the new classes to my ORM, in budget/entities.py:

class TransactionLinkSet(Base):
	__tablename__ = 'transaction_link_sets'
	
	id = sa.Column(sa.Integer, primary_key=True)
	transaction_id = sa.Column(sa.Integer, sa.ForeignKey('transactions.id'), nullable=False)
	link_set_id = sa.Column(sa.Integer, sa.ForeignKey('link_sets.id'), nullable=False)
	
	def __init__(self, transaction, link_set):
		self.transaction = transaction
		self.link_set = link_set

# [...]

class Transaction(Base):
    # [...]
    linksets = sao.relation(TransactionLinkSet, backref=sao.backref('transaction'))

# [...]

class LinkSet(Base):
	__tablename__ = 'link_sets'
	
	id = sa.Column(sa.Integer, primary_key=True)
	description = sa.Column(sa.Text)
	template = sa.Column(sa.Boolean, nullable=False)
	show_in_list = sa.Column(sa.Boolean, nullable=False)
	
	transactions = sao.relation(TransactionLinkSet, backref=sao.backref('link_set'))

	def __init__(self, description, template=False, show_in_list=False):
		self.description = description
		self.template = template
		self.show_in_list = show_in_list

Although I have no migration capability, as I described earlier, these are new tables and I do have a metadata.create_all(engine) call to SQLAlchemy which will create any missing tables (it just will not modify them if they exist) so I did not need to manually edit my database at all.

Class utility functions

For encapsulation and ease of use, I added a few methods for searching for link sets:

class TransactionLinkSet(Base):
# [...]
	@classmethod
	def find_by_transaction_link_set(cls, transaction, link_set):
		session = Session()
		query = session.query(cls).filter(cls.transaction==transaction, cls.link_set==link_set)
		return query.scalar()

# [...]

class LinkSet(Base):
# [...]
	@classmethod
	def all(cls, only_show_in_list=True):
		logger.debug("Listing all link sets, %s those set to not show in lists", 'not including' if only_show_in_list else 'including')
		session = Session()
		query = session.query(cls)
		if only_show_in_list:
			query = query.filter(cls.show_in_list == True)
		return query.order_by(cls.description).all()

	@classmethod
	def find_by_description(cls, description):
		logger.debug("Find link sets with description '%s'", description)
		session=Session()
		query = session.query(cls).filter(cls.description==description)
		return query.scalar()

	@classmethod
	def search(cls, description, add_only_show_in_list=False):
		logger.debug("Searching for links sets with '%s' in the description, will %s include those set to show in list", description, 'also' if add_only_show_in_list else 'not')

		query = Session.query(cls)

		if add_only_show_in_list:
			query = query.filter(or_(cls.show_in_list == True, cls.description.ilike('%{}%'.format(description))))
		else:
			query = query.filter(cls.description.ilike('%{}%'.format(description)))

		query = query.order_by(cls.description)

		return query.all()

Displaying linked transactions

I decided the most logical, from the user interface, way to do this was to have the option to link transactions on the transaction display page.

Firstly, I added a link to the (as yet unwritten) new controller method that will start the link process to the list of options at the bottom of templates/transaction/view.j2:

<p>
	<a href="{{ request.script_name }}/transaction/{{ transaction.id }}/add_to_link_set">Add to link set</a>
{%     if not transaction.ratified %}
	<a href="{{ request.script_name }}/transaction/{{ transaction.id }}/ratify">Ratify transaction</a>
{%     else %}
	<a href="{{ request.script_name }}/transaction/{{ transaction.id }}/unratify">Unratify transaction</a>
{%     endif %}
	<a href="{{ request.script_name }}/transaction/create?template={{ transaction.id }}">Clone transaction</a>
</p>

Listing link sets

After adding the capability to links transactions, I added the display of them to the bottom of my transaction display page (templates/transaction/view.j2). I also moved (but did not otherwise change) the links for adding to a link set, ratifying and cloning transactions to the top of the page.:

<br />
<table>
	<caption>Transaction Links</caption>
	<tr>
		<th>Date</th>
		<th>Description</th>
		<th>Value</th>
	</tr>
{%     for transaction_link_sets in transaction.link_sets %}
	<tr>
		<th colspan="3">{{ transaction_link_sets.link_set.description }} (<a href="{{ request.script_name }}/transaction/{{ transaction.id }}/remove_from_link_set/{{ transaction_link_sets.link_set.id }}">Remove from link set</a>)</th>
	</tr>
{%         for linked_transaction in transaction_link_sets.link_set.transactions | sort(reverse=True, attribute='transaction.date') %}
{%             if linked_transaction.transaction.id != transaction.id %}
	<tr>
		<td>{{ linked_transaction.transaction.date }}</td>
		<td><a href="{{ request.script_name }}/transaction/{{ linked_transaction.transaction.id }}">{{ linked_transaction.transaction.description }}</a>{% if linked_transaction.transaction.notes %}<div data-tooltip="{{ linked_transaction.transaction.notes }}">&#x1f5d2;</div>{% endif %}</td>
		{{ money.render_cell(linked_transaction.transaction.value) }}
	</tr>
{%             endif %}
{%         endfor %}
{%     endfor %}
</table>

Adding transactions to link sets

In order to avoid creating duplicate link sets, I set up the “add to link set” form to require searching for a link set before showing the option to add a new one.

The template for adding a transaction to a link set is fairly simple:

{% extends 'base.j2' %}
{% import 'macros.j2' as macros %}
{% block title %}Add to link set{% endblock %}
{% block content %}
<form method="get">
    <label for="txtSearch">Search for more link sets:</label> <input type="text" id="txtSearch" name="search_term" {{ macros.value_if(search_term) }} />
    <input type="submit" value="Search"/> <input type="reset" />
</form>
<form method="post" action="{{ request.script_name }}/transaction/{{ transaction.id }}/do_add_to_link_set">

{%     for link_set in link_sets %}
{%         if transaction.id not in link_set.transactions | map(attribute='transaction_id') %}
	<p><input type="checkbox" id="chkLinkSet{{ link_set.id }}" name="link_sets" value="{{ link_set.id }}"/><label for="chkLinkSet{{ link_set.id }}">{{ link_set.description }}</label></p>
{%         endif %}
{%     endfor %}

<p><input type="submit" /> <input type="reset" /></p>
</form>
{%     if search_term %}
<form method="post" action="{{ request.script_name }}/manage/link_sets/add">
    <input type="hidden" name="description" value="{{ search_term }}" />
    <input type="hidden" name="return_url" value="{{ request.script_name }}/transaction/{{ transaction.id }}/add_to_link_set?search_term={{ search_term }}" />
    <input type="submit" value="Add '{{ search_term }}' as new link set" />
</form>
{%     endif %}
{% endblock %}

The controller methods for the form and doing the addition are also straight-forward:

def add_to_link_set(request, response):
	transaction = _get_transaction(request)

	if transaction is None:
		raise Exception("No transaction found.")
	
	if request.params.get('search_term', None) and not request.params['search_term'].isspace():
		search_term = request.params['search_term']
		# Search for the extra ones requested but also always include the link sets set to be listed by default
		link_sets = entities.LinkSet.search(description = search_term, add_only_show_in_list=True)
	else:
		search_term = None
		link_sets = entities.LinkSet.all()
	
	return {
		'transaction': transaction,
		'link_sets': link_sets,
		'search_term': search_term,
	}

def do_add_to_link_set(request, response):
	transaction = _get_transaction(request)

	if transaction is None:
		raise Exception("No transaction found.")

	added_to_link_sets = []
	for link_set_id in request.params.getall('link_sets'):
		link_set = entities.LinkSet.find(link_set_id)
		logger.debug("Adding link set id %d (%s) to transaction id %s", link_set.id, link_set.description, transaction.id)
		new_link_set_link = entities.TransactionLinkSet(transaction, link_set)
		new_link_set_link.save()	
		added_to_link_sets.append(link_set)

	return {
		'transaction': transaction,
		'added_to_link_sets': added_to_link_sets,
	}

Finally, the feedback after adding the transactions to some link sets:

{% extends 'base.j2' %}
{% block content %}
<p>
    Transaction '{{ transaction.description }}' ({{ transaction.id }}) added to link sets:
    <ul>
{%     for link_set in added_to_link_sets %}
        <li>{{ link_set.description }}</li>
{%     endfor %}
    </ul>
</p>
<p>
	<a href="{{ request.script_name }}/transaction/{{ transaction.id }}">Click here to go back to the transaction details</a><br />
	or<br />
	<a href="{{ request.script_name }}/">Click here to get back to account list</a><br />
</p>
{% endblock %}

Adding transactions to link sets at creation

I added the ability to link to sets set to show by default to the templates/transaction/create.j2. There is logic for displaying for existing transactions too, as the same form is used to ratify transactions:

	<p>
		<fieldset>
			<legend>Link sets:</legend>
{%     for link_set in link_sets %}
			<p><input type="checkbox" id="chkLinkSet{{ link_set.id }}" name="link_sets" value="{{ link_set.id }}"{% if transaction and transaction in ( link_set.transactions | map(attribute='transaction') ) %} checked="checked"{% elif template and template in ( link_set.transactions | map(attribute='transaction') ) %} checked="checked"{% endif %} /><label for="chkLinkSet{{ link_set.id }}">{{ link_set.description }}</label></p>
{%     endfor %}
{%     if transaction %}
{%         set additional_link_sets_links = transaction.link_sets %}
{%     elif template %}
{%         set additional_link_sets_links = template.link_sets %}
{%     endif %}
{%     for link_set_link in additional_link_sets_links | default([]) %}
{%         if link_set_link.link_set not in link_sets %}
			<input type="checkbox" id="chkLinkSet{{ link_set_link.link_set.id }}" name="link_sets" value="{{ link_set_link.link_set.id }}" checked="checked" /><label for="chkLinkSet{{ link_set_link.link_set.id }}">{{ link_set_link.link_set.description }}</label>
{%         endif %}
{%     endfor %}
			<p>
				(To link to a link set not displayed here, or create a new link set, create the transaction then use 'add to link set' to search and create all link sets.)
			</p>
		</fieldset>
	</p>

The only change to the create controller was to add the default link sets to the data returned (for the view):

return {
    'transaction': _get_transaction(request),
    'template': template,
    'saved_postings': entities.SavedBucketPosting.all(),
    'link_sets': entities.LinkSet.all(),
}

The subsequent steps of the transaction creation process, needed to pass through the link sets to be linked to the final step (where the transaction is created or updated). This required a change to the controller (budget/controller/transaction.py) to pass the links to the templates:

if 'link_sets' in request.params:
    data['link_set_ids'] = request.params.getall('link_sets')

And a change to the templates (templates/transaction/allocated_accounts.j2 and templates/transaction/allocated_buckets.j2) to pass the values to the next step (allocated_accounts.j2 uses a macro for the hidden field, but the logic is the same):

{%     for link_set_id in link_set_ids %}
	<input type="hidden" id="hdnLinkSet{{ link_set_id }}" name="link_sets" value="{{ link_set_id }}" />
{%     endfor %}

Finally, the logic to set the link sets on a transaction (so it works for adding, or changing them during ratification):

# XXX Also should be in the DAO/model layer
def _set_transation_link_sets(transaction, link_set_ids):
	logger.debug("Setting transaction link_sets on transaction id %d to %s", transaction.id, link_set_ids)

	logger.debug("Existing link sets: %s", transaction.link_sets)
	# Remove link sets that should not be present
	for link_set_link in transaction.link_sets:
		if link_set_link.link_set_id not in link_set_ids:
			logger.debug("Removing link_set %s (%d) from transaction id %d", link_set_link.link_set.description, link_set_link.link_set.id, transaction.id)
			link_set_link.delete()

	existing_link_set_ids = [link_set_link.link_set_id for link_set_link in transaction.link_sets]
	logger.debug("Existing link set ids: %s", existing_link_set_ids)
	for link_set_id in link_set_ids:
		if link_set_id not in existing_link_set_ids:
			link_set_to_add = entities.LinkSet.find(link_set_id)
			logger.debug("Adding link_set %s (%d) to transaction id %d", link_set_to_add.description, link_set_to_add.id, transaction.id)
			new_link_set_link = entities.TransactionLinkSet(transaction, link_set_to_add)
			new_link_set_link.save()

# [...]

def do_create(request, response):
# [...]
	if 'link_sets' in request.params:
		_set_transation_link_sets(transaction, [int(id) for id in request.params.getall('link_sets')])

There was also the process by which I could bulk-add new transactions from template transactions, which also needed a call to the same function to ensure the link sets are also duplicated:

def bulk_add_template(request, response):
	ids = request.params.getall('selected_ids')
	# [...]
	for id in ids:
		transaction_date = request.params['transaction_date_%s' % id]
		template_transaction = entities.Transaction.find(id)
		# [...]

		_set_transation_link_sets(new_transaction, [link_set_link.link_set_id for link_set_link in template_transaction.link_sets])

Removing transactions from link sets

The remove from link set controller was also quite simple:

def remove_from_link_set(request, response):
	transaction = _get_transaction(request)

	if transaction is None:
		raise Exception("No transaction found.")
	
	remove_from_link_set = entities.LinkSet.find(request.url_captures['link_set_id'])

	if remove_from_link_set is None:
		raise Exception("No link set found.")
	
	entities.TransactionLinkSet.find_by_transaction_link_set(transaction, remove_from_link_set).delete()
	
	return {
		'transaction': transaction,
		'link_set': remove_from_link_set,
	}

And the feedback template reports what has happened:

{% extends 'base.j2' %}
{% block content %}
<p>
    Transaction '{{ transaction.description }}' ({{ transaction.id }}) removed from link set '{{ link_set.description }}' ({{ link_set.id }}).
</p>
<p>
	<a href="{{ request.script_name }}/transaction/{{ transaction.id }}">Click here to go back to the transaction details</a><br />
	or<br />
	<a href="{{ request.script_name }}/">Click here to get back to account list</a><br />
</p>
{% endblock %}

Managing link sets

Now that I can add link sets and add/remove transactions from them, I need to be able to manage them - rename and change whether they can be used as templates or are shown by default.

I began by adding link sets to the list of things that can be managed in templates/manage/index.j2:

<li><a href="{{ request.path }}/link_sets">Link Sets</a></li>

Listing all link sets

The start of the new budget/controller/manage/link_sets.py controller is just a method that returns all of the link sets (so they can be displayed):

import logging

import budget.entities as entities

logger = logging.getLogger(__name__)

def list(request, response):
	return { 'link_sets': entities.LinkSet.all(only_show_in_list=False) }

And the template, templates/manage/link_sets/list.j2, that shows the list:

{% extends 'base.j2' %}
{% import 'macros.j2' as macros %}
{% block title %}Manage link sets{% endblock %}
{% block content %}
<ul>
{%     for link_set in link_sets %}
    <li>
        <a href="{{ request.script_name }}/link_set/{{ link_set.id }}/view">{{ link_set.description }}</a>
        {% if link_set.show_in_list %}D{% endif %}
        {% if link_set.template %}T{% endif %}
        <a href="{{ request.path }}/{{ link_set.id }}/edit">edit</a>
    </li>
{%     endfor %}
</ul>
<p><a href="{{ request.path }}/add">Add new</a></p>
<p>(D = show in list by default, T = template link set)</p>
{% endblock %}

Viewing a link set

This went into a new link sets controller, although at the moment it is only accessed via the management interface. The only method in this controller is to view a link set, so this is the new budget/controller/link_set.py in its entirety:

import logging

import budget.entities as entities

def view(request, response):
    link_set = entities.LinkSet.find(request.url_captures['link_set_id'])

    return {
        'link_set': link_set,
    }

The template to display the link set’s transactions, templates/link_set/view.j2, which links to each transaction’s view page:

{% extends 'base.j2' %}
{% import 'macros/money.j2' as money %}
{% block title %}View Link Set{% endblock %}
{% block content %}
<h1>{{ link_set.description }}</h1>
<table>
        <caption>Transactions</caption>
        <tr>
                <th>Date</th>
                <th>Description</th>
                <th>Value</th>
        </tr>
{%     for linked_transaction in link_set.transactions | sort(reverse=True, attribute='transaction.date') %}
        <tr>
                <td>{{ linked_transaction.transaction.date }}</td>
                <td><a href="{{ request.script_name }}/transaction/{{ linked_transaction.transaction.id }}">{{ linked_transaction.transaction.description }}</a>{% if linked_transaction.transaction.notes %}<div data-tooltip="{{ linked_transaction.transaction.notes }}">&#x1f5d2;</div>{% endif %}</td>
                {{ money.render_cell(linked_transaction.transaction.value) }}
        </tr>
{%     endfor %}
</table>

Adding and editing link sets

Like with transactions, the same forms and processes are used for adding new link sets and editing existing ones.

The first controller method, in the new budget/controller/manage/link_set.py controller, retrieves the link set being edited (if any) and sets values from the request for if the add was instigated from the add transaction process:

def add(request, response):
	if 'link_set_id' in request.url_captures:
		link_set = entities.LinkSet.find(request.url_captures['link_set_id'])
	else:
		link_set = None

	return {
		'link_set': link_set,
		'return_url': request.params.get('return_url', None),
		'description': request.params.get('description', None),
	}

The template for adding/editing just allows setting the description and whether this is a default and/or template link set:

{% extends 'base.j2' %}
{% import 'macros.j2' as macros %}
{% block title %}Add new link set{% endblock %}
{% block content %}
<form method="post" action="{{ request.script_name }}/manage/link_sets/do_add">
{%     if return_url %}
    <input type="hidden" id="hdnReturnUrl" name="return_url" value="{{ return_url }}" />
{%    endif %}
{%     if link_set %}
    <input type="hidden" id="hdnLinkeSetId" name="link_set_id" value="{{ link_set.id }}" />
{%     endif %}
    <p><label for="txtDescription">Description: </label><input type="text" id="txtDescription" name="description" {{ macros.value_if(link_set, 'description') or macros.value_if(description) }} /></p>
    <p><input type="checkbox" id="chkShowInlist" name="show_in_list" {% if link_set and link_set.show_in_list %}checked="checked" {% endif %}/><label for="chkShowInlist">Show in lists by default</label></p>
    <p><input type="checkbox" id="chkTemplate" name="template" {% if link_set and link_set.template %}checked="checked" {% endif %}/><label for="chkTemplate">Template list set</label></p>

    <p><input type="submit" /> <input type="reset" /></p>
</form>
{% endblock %}

The do_add method, in the same controller, adds or updates the link set - with logic to ensure that exact duplicates are not created (but it would still be easy to, for example, create a typo’d version of an existing link set):

def do_add(request, response):

	data = {
		'success': False,
		'return_url': request.params.get('return_url', None),
	}

	if 'list_set_id' in request.params:
		data['action'] = 'edit'
	else:
		data['action'] = 'add'
		
	if request.params['description'] == '' or request.params['description'].isspace():
		data['error'] = 'no description'
	else:
		link_set = None
		if 'link_set_id' in request.params:
			link_set = entities.LinkSet.find(request.params['link_set_id'])
			link_set.description = request.params['description']
		elif entities.LinkSet.find_by_description(request.params['description']) is not None:
			data['error'] = 'link set with that name already exists'			
		else:
			link_set = entities.LinkSet(request.params['description'])
		
		if link_set is not None:
			if request.params.get('show_in_list', 'off') == 'on':
				link_set.show_in_list = True
			else:
				link_set.show_in_list = False

			if request.params.get('template', 'off') == 'on':
				link_set.template = True
			else:
				link_set.template = False

			link_set.save()
			data['success'] = True
			data['link_set'] = link_set

	return data

The feedback template just reports if the link set was added or updated, or any errors if not, and links back to the management list or the specified return path (if provided):

{% extends 'base.j2' %}
{% block content %}
{% if success %}
<p>Link set, {{ link_set.description }}, {{ action }} successful (id: {{ link_set.id }}).</p>
{% else %}
<p><b>Error:</b> Unable to {{ action }} link set{% if link_set is defined %}, {{ link_set.description }} (id: {{ link_set.id }}){% endif %}, {{ error }}!</p>
{% endif %}
{% if return_url %}
<p><a href="{{ return_url }}">Click here to return</a></p>
{% else %}
<p><a href="{{ request.script_name }}/manage/link_sets">Click here to get back to manage link sets list</a></p>
{% endif %}
{% endblock %}

Dispatcher configuration

All of these new controllers and views needed hooking up via my budget application’s config.json (I have only listed the new ones, the actual configuration file has more sections a many more urls, in the urls section):

{
    "urls": {
        "/link_set/<int:link_set_id>/view": { "controller": "budget.controller.link_set.view", "view": { "engine": "jinja2", "template": "link_set/view.j2" } },
        "/manage/link_sets": { "controller": "budget.controller.manage.link_sets.list", "view": { "engine": "jinja2", "template": "manage/link_sets/list.j2" } },
        "/manage/link_sets/<int:link_set_id>/edit": { "controller": "budget.controller.manage.link_sets.add", "view": { "engine": "jinja2", "template": "manage/link_sets/add.j2" } },
        "/manage/link_sets/add": { "controller": "budget.controller.manage.link_sets.add", "view": { "engine": "jinja2", "template": "manage/link_sets/add.j2" } },
        "/manage/link_sets/do_add": { "controller": "budget.controller.manage.link_sets.do_add", "view": { "engine": "jinja2", "template": "manage/link_sets/added.j2" } },
        "/transaction/<int:transaction_id>/add_to_link_set": { "controller": "budget.controller.transaction.add_to_link_set", "view": { "engine": "jinja2", "template": "transaction/add_to_link_set.j2" } },
        "/transaction/<int:transaction_id>/remove_from_link_set/<int:link_set_id>": { "controller": "budget.controller.transaction.remove_from_link_set", "view": { "engine": "jinja2", "template": "transaction/remove_from_link_set.j2" } },
        "/transaction/<int:transaction_id>/do_add_to_link_set": { "controller": "budget.controller.transaction.do_add_to_link_set", "view": { "engine": "jinja2", "template": "transaction/added_to_link_set.j2" } },
    }
}

More work to do

The template flag will be used to select which link sets can be cloned, and there is no provision for deleting link sets currently. Having spent over a month on this project so far, due to other pressures meaning I’ve not had time to finish it, I have committed the code for the completed features and am publishing this post at this stage but these pieces still need finishing off.

Linking transactions epilogue

It occurred to me, somewhere after creating the database tables and before adding the ability to create link sets, that “link sets” could also just be “tags” and the “linked transactions” other transactions with the same tag. Other than the entity names (database tables, class names etc.), the code and logic would be exactly the same.

I also considered whether link sets could replace my buckets concept, by (e.g.) linking all transactions that, at present, go to a bucket. However, these links are at the transaction level and I often split transactions between several buckets - for example, my expenses for mileage and specific out of pocket expenses (e.g. food, travel tickets) are paid together but I split the reimbursement between “car fuel”, “car maintenance” and “out of pocket work expenses” buckets (although individual expenses incurred will usually be allocated in full to one of these). Likewise, if a bucket has insufficient funds to cover a cost I may split a transaction between it and, for example, my savings bucket. Aside: I also allow buckets to go negative, if I know I have enough to cover it in other buckets that won’t need to spend from for a while (e.g. for annual bills) and recoup the overspend over the next few months - something the physical envelope method doesn’t readily allow, although I suppose the same effect could be achieved by “borrowing” money from another physical envelope and leaving an “I owe you” from the overspending envelope in there.

The playbook itself is actually really, really simple (so much so, I don’t think it needs any explanation!):

- name: Unseal the vault on all nodes in HA cluster
  hosts: hashicorp_vault_servers
  vars_prompt:
    # Assumes 3 keys needed to unseal - this might not be the case...
    - name: unseal_key_1
      prompt: Enter unseal key 1
      private: true
    - name: unseal_key_2
      prompt: Enter unseal key 2
      private: true
    - name: unseal_key_3
      prompt: Enter unseal key 3
      private: true
  tasks:
    - name: Enter unseal keys
      delegate_to: localhost
      ansible.builtin.uri:
        body:
          key: "{{ item }}"
        body_format: json
        force: true
        method: PUT
        url: "https://{{ ansible_facts.fqdn }}:8200/v1/sys/unseal"
      loop:
       - '{{ unseal_key_1 }}'
       - '{{ unseal_key_2 }}'
       - '{{ unseal_key_3 }}'
      loop_control:
        extended: true
        label: "key {{ ansible_loop.index }}/{{ ansible_loop.length }}"

Only unlocking a subset of hosts, e.g. if one gets rebooted, can be done by passing -l to ansible-playbook to limit the hosts being targetted.

Simple, convenient and so far reliable. I like this playbook and am mildly proud of it!

Fixing reinstall process for dynamic hosts

The Desktop does not have a static IP, so I had to make some changes to the (re)installation process that has previously only been used for hosts with static IP assignments and DNS entries. Thanks to other work to dynamically connect to hosts there were actually only two changes needed to support this, but I’ll explain the full reinstall process to show why only two little changes were needed…

The reinstall process uses three playbooks that are imported in sequence:

1. reinstall.yaml

   This playbook destroys the existing partition table (on all disks with partitions), reboots the system and removes existing keys from the local (as in the host Ansible is running on) user’s SSH known_hosts file (as these will be invalid when the install has generated new ones). It then imports the install.yaml playbook as it’s last item.

   Removing the partitions forces the host to fall-through to the next boot method (as disk boot will fail) with the system’s disks in a state that will be seen as uninitialised, and hence available, by the OS installer.

   The only change to this playbook was to add the existing host discovery playbook (which also gets the SUDO password for the ansible user) that is already used by most other playbooks for finding the address of dynamic hosts with no DNS entry:

    # Get connection information for dynamic hosts
    - name: Host connection information is available
      import_playbook: discover-hosts.yaml
   

   The reinstall playbook uses the existing credentials to login to the host and prepare it for reinstallation, which are valid (as the old OS is still in place) so this all worked fine as-is.

2. install.yaml

   This playbook configures the auto-install.ipxe configuration file for iPXE and sets up a host-specific symlink using the host’s MAC address, which it checks is specified as a variable (e.g. via the inventory) with an assert at the start, to ensure the host boots from it.

   Next, it configures the DHCP server to temporarily ignore the client ID when handing out leases to the host’s MAC address (so the IP doesn’t keep changing between the EFI PXE/iPXE/installer/installed system) and clears out all but the latest existing lease for the host’s MAC. It then waits until SSH is available on the host’s current IP (indicating the install has completed).

   Once SSH is up, it gets the host’s new SSH keys and puts them into the local (as in the host Ansible is being run on) user’s SSH known_hosts before removing the host-specific iPXE configuration symlink. It then imports the bootstrap playbook (bootstrap.yaml, see below) before, finally, removing the DHCP configuration to ignore client ID and the dynamic IP from the known_hosts (which may change after the DHCP configuration is restored).

   The install playbook doesn’t actually login to the host being installed at all (bootstrap.yaml does), it logs into the DHCP and PXE servers, so no changes were needed at all.

3. bootstrap.yaml

   This is the one that does the initial post-install setup on the newly installed host. This one does need to login to the host, so it also needs to include the host discovery playbook. However, the discover playbook uses host facts (specifically, user_id to determine the username Ansible is logging in as) but at this stage of the (re)installation process it cannot gather facts - Python has not yet been installed and even if it had, the default login settings will probably use a username that has not yet been created (which happens later in the bootstrap playbook). It uses the fact as the most reliable way to determine the user, as there are so many ways (within and outside of Ansible’s configuration, e.g. via inventory variables, environment variables, SSH client configuration files etc.) the remote user might be set locally.

   To work around this, I added a new variable to the discover-hosts.yaml playbook (DISCOVER_SUDO_HOSTS) to allow overriding the set of hosts to lookup SUDO passwords for in that play:

    - name: sudo password is set
      # This requires fact gathering, and it's not guaranteed that we can connect
      # in some playbook workflows so allow separate skipping of this step with a
      # different hosts variable.
      hosts: "{{ DISCOVER_SUDO_HOSTS | default(DISCOVER_HOSTS) | default('all') }}:!dummy"
   

   Then, I just needed to set that variable to “not all” hosts (i.e. no hosts) when the discover playbook is imported in bootstrap.yaml:

    - name: Host connection information is available
      import_playbook: discover-hosts.yaml
      vars:
        # Ansible user won't be setup to discover facts yet, which is required
        # for sudo password lookup.
        DISCOVER_SUDO_HOSTS: '!all'
   

Installing the new host

My previous host was setup mostly manually.

I created host_vars/galaxy.yaml, moved existing settings (which consisted of just the interfaces that had the one entry with the MAC address of the network interface), added some desktop profiles (copied from my old laptop’s variables), SSH hostkey and temporarily hardcoded the DHCP IP for backup purposes:

interfaces:
  - mac_address: aa:bb:cc:dd:ee:ff  # Real MAC redacted
# Copied and pasted from defiant
desktop_profiles:
  - administration_tools
  - audio-visual
  - base
  - development
  - office
  - remote-desktop-client
  - virtualisation
  - linux_desktop_environment_awesome
backuppc_host_settings:
  # Hardcoded IP until some sort of DNS arrangement sorted out
  ClientNameAlias: "'192.168.20.158'"

My desktop profile was originally developed to be run directly as my “normal” user, on my Dell XPS 13 laptop in 2022.. As a result it, naïvely, used ansible_facts['env'] to lookup up various environment variables (like HOME and XDG_CONFIG_HOME). The problem is that this reports the environment variable’s value at the time the facts were gathered - if (as is the case now) the facts were gathered as a different user to the one we are setting up a desktop for, then the values will be incorrect - in the case of these examples, the HOME and XDG_CONFIG_HOME of the ansible user. To get around this, I added a command to find the XDG_CONFIG_HOME of each desktop user being configured and populate a fact that holds a dictionary mapping user to their directory in my desktop role’s tasks/Linux_base.yaml task file:

- name: XDG config directory is known
  become: yes
  become_user: '{{ desktop_user }}'
  ansible.builtin.shell: '[ -z "$XDG_CONFIG_HOME" ] && echo $HOME/.config || echo $XDG_CONFIG_HOME'
  register: xdg_config_dir_output
  loop: '{{ desktop_users | default([]) }}'
  loop_control:
    loop_var: desktop_user
  changed_when: false # Read operation
  check_mode: no # Run even when in check mode
- name: Dictionary of XDG config directories is initialised
  ansible.builtin.set_fact:
    desktop_xdg_config_directories: {}
- name: Dictionary of XDG config directories is populated
  ansible.builtin.set_fact:
    desktop_xdg_config_directories: >-
      {{
        desktop_xdg_config_directories
        |
        combine({
          desktop_user: xdg_config_dir_output.results | selectattr('desktop_user', 'eq', desktop_user) | map(attribute='stdout') | first
        })
      }}
  loop: '{{ desktop_users | default([]) }}'
  loop_control:
    loop_var: desktop_user

The remaining changes were all typos, a few URLs that had changed for source packages/repositories and using this new fact. The most complete example is pushing out my awesome window manager configuration files in tasks/linux_desktop_environment_awesome.yaml:

- name: "my awesome configuration files are deployed"
  become: true
  become_user: '{{ desktop_user }}'
  ansible.builtin.copy:
    dest: "{{ desktop_xdg_config_directories[desktop_user] }}/awesome/"
    src: awesome/config/
    force: yes # Overwrite existing files with server copies
  tags: ['awesome-rc']
  loop: '{{ desktop_users | default([]) }}'
  loop_control:
    loop_var: desktop_user

For replacing the lookup of HOME, I did not have anywhere where ~ did not work as an alternative - for example (from tasks/linux_lightweight_desktop_utils.yaml):

- name: Set urxvt configuration options
  become: true
  become_user: '{{ desktop_user }}'
  ansible.builtin.copy:
    dest: "~/.Xresources"
    content: |
      URxvt*font: xft:Terminus (TTF):size=10
      ! See salt-home/states/linux/desktop/utils/urxvt for transparancy options
      URxvt*background: black
      URxvt*foreground: white
      URxvt*fading: 40
      URxvt*faceColor: black
      URxvt*scrollstyle: plain
      URxvt*visualBell: True
      URxvt.saveLines: 2000
      URxvt.loginShell: True
    mode: 0o400
  loop: '{{ desktop_users | default([]) }}'
  loop_control:
    loop_var: desktop_user

I am aware there’s an inconsistency between the capitalisation of linux and Linux (e.g. linux_desktop_environment_awesome.yaml and Linux_base.yaml) - the original task files were all lowercase, then I started using (e.g.) ansible.builtin.include_tasks: '{{ ansible_facts.system }}_base.yaml' to dynamically include Linux_base.yaml and Win32NT_base.yaml on Linux and Windows systems respectively and ansible_facts.system has the first letter capitalised.

Containers

I have a number of Docker containers, which replaced manually building and installing software outside the system’s package manager, particularly for software that updated frequently. My intention was to migrate all of this to Podman, however I encountered some problems passing through DVD drives (I think it’s related to Podman’s more robust security model) so I ended up with a mixed Podman/Docker setup.

Building containers requires a large /var partition, so I added it to the list of logical_volumes overrides in group_vars/desktops.yaml. As the comment notes, I think I should restructure this variable - as the /var override is specific to containers (and so really should be in a specific group for machines expecting to be used to build containers) but the desktops group already has an override to ensure a large /home filesystem:

filesystems_lvm_volume_groups:
  - name: vg_{{ inventory_hostname }}
    logical_volumes:
      # [...]
      # XXX this is specifically for a large /var/tmp for podman builds - should be applied to that group only?
      - name: var
        size: 30G

In order to manage Docker containers, I added community.docker collection to the requirements.yaml (containers.podman was already present):

collections:
  # [...]
  - community.docker
  # [...]

Docker role

My existing Podman role is published on GitHub but my new Docker role involves adding repositories, which creates a dependency on one of my other roles for managing Debian repositories that I have not yet published - so for now, it is not published somewhere publicly.

It is, however, very straight-forward.

Argument specs and defaults

It’s only argument is the mirror to use, as my air-gapped lab requires using a local mirror so this needs to be configurable. So, the meta/argument_specs.yaml is very simple:

---
argument_specs:
  main:
    short_description: Install and setup Docker
    author: Laurence Alexander Hurst
    options:
      docker_mirror_debian_url_base:
        description: Url to use as the base for Docker Debian repositories
        type: str
        default: https://download.docker.com/linux/debian
...

The defaults/main.yaml is trivial:

---
docker_mirror_debian_url_base: https://download.docker.com/linux/debian
...

Dependency - apt-source

Configuring the meta/main.yaml to include my existing Debian repository role (recently updated to use the newer deb822 format), which will configure the repository including fetching and de-armouring the GPG key for validation, worked like this:

---
dependencies:
  - role: apt-source
    vars:
      name: docker
      uri: "{{ docker_mirror_debian_url_base }}"
      gpg_key:
        url: "{{ docker_mirror_debian_url_base }}/gpg"
      suite: '{{ ansible_facts.distribution_release }}'
      components:
        - stable
      src:
        no_src: yes
    when: ansible_facts['os_family'] == 'Debian'
...

Task file

The tasks/main.yaml file is very straight-forward, just installing Docker. Unlike Podman, I have not configured it properly for rootless use (as I’m using it for one rootful container that I am having difficulty getting Podman to run, as root or not). This is very lazy of me, really, since it should be straight-forward to port setting up the subuid/subgid from my Podman role:

---
# Currently only sets up rootful Docker - see podman role for setting up subuid/subgids for rootless access
- name: Handlers are flushed (so any new repos are synced)
  meta: flush_handlers
- name: Docker is installed
  become: true
  ansible.builtin.package:
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io
- name: containers-storage is installed on Debian
  become: true
  ansible.builtin.package:
    name: containers-storage
  when: ansible_facts.distribution == 'Debian'
...

Container building tasks

I created Podman and Docker versions of a tasks file for building images, called build-image.yaml, that pulls the base image if it is missing (unless told not to) and builds the image if the image is missing, tha base image is pulled or the base image is newer than the existing image. These were originally placed in a role that used the generated containers, but I extracted and generalised them so I could place them in the respective roles. The Podman version I added to my existing role on GitHub, the Docker version was added to the new role I just created.

You’ll see Podman tasks file has a copyright and licence header missing from my Docker version, I will add that when I publish it - it is released under the same licence (GPLv3). I also, but have not reproduced here, updated the README.md in my Podman role to document the new entry point and variables.

Argument specs and defaults

The meta/argument_specs.yaml and defaults/main.yaml files were updated for each with the arguments for these entry points. These are almost identical to give me a nice consistent interface to use regardless of which I need to use, despite (as you will see) the tasks being different:

Docker

Extra arguments that needed adding to the defaults file:

docker_image_build_user: root
docker_image_fetch_base: true
docker_image_build_args: []

and the additional section for this new entry-point to argument_specs.yaml:

build-image:
  short_description: Build images for use by docker
  author: Laurence Alexander Hurst
  options:
    docker_image_build_user:
      description: User to build container as
      type: str
      default: root
    docker_image_base_image:
      description: Name of the base image for building from
      type: str
      required: true
    docker_image_fetch_base:
      description: Fetch the base image if it does not exist (set to false if base image should have been previously built locally)
      type: bool
      default: true
    docker_image_name:
      description: Name of the image to build
      type: str
      required: true
    docker_image_container_file:
      description: Dockerfile for building the image
      type: str
      required: true
    docker_image_build_args:
      description: List of build args to pass to the build command with `--build-arg`
      type: list
      elements: dict
      options:
        name:
          description: The argument name
          type: str
          required: true
        value:
          description: The argument value
          type: str
          required: true
      default: []

Podman

Extra arguments that needed adding to the defaults file:

podman_image_fetch_base: true
podman_image_build_args: []

and the additional section for this new entry-point to argument_specs.yaml:

build-image:
  short_description: Build images for use by Podman
  author: Laurence Alexander Hurst
  options:
    podman_image_build_user:
      description: User to build container as
      type: str
      required: true
    podman_image_base_image:
      description: Name of the base image for building from
      type: str
      required: true
    podman_image_fetch_base:
      description: Fetch the base image if it does not exist (set to false if base image should have been previously built locally)
      type: bool
      default: true
    podman_image_name:
      description: Name of the image to build
      type: str
      required: true
    podman_image_container_file:
      description: Container for building the image
      type: str
      required: true
    podman_image_build_args:
      description: List of build args to pass to the build command with `--build-arg`
      type: list
      elements: dict
      options:
        name:
          description: The argument name
          type: str
          required: true
        value:
          description: The argument value
          type: str
          required: true
      default: []

build-image.yaml tasks files

These were different, as the community.docker collection and containers.podman collection have very different interfaces - particularly when it comes to building images.

However, they work the same way:

1. Check if the base image exists
2. If the base image does not exit, fetch it (unless <docker|podman>_image_fetch_base variable is set to false)

3. (re)build the image if any of these are true:

   • It is missing
   • The base image was fetched
   • The base image is newer than the existing image

Docker

The Docker version of tasks/build-image.yaml, to implement the above logic using my interface (variables):

---
- name: Info is gathered on base image {{ docker_image_base_image }}
  become: true
  become_user: '{{ docker_image_build_user }}'
  community.docker.docker_image_info:
    name: '{{ docker_image_base_image }}'
  register: docker_image_base_info
- name: Base image {{ docker_image_base_image }} is fetched if missing
  become: true
  become_user: '{{ docker_image_build_user }}'
  community.docker.docker_image_pull:
    name: '{{ docker_image_base_image }}'
    pull: always
  when: >-
    docker_image_fetch_base
    and
    docker_image_base_info.images | length == 0
  register: docker_image_base_image_updated
- name: Info is gathered on base image {{ docker_image_base_image }} again (in case it was fetched)
  become: true
  become_user: '{{ docker_image_build_user }}'
  community.docker.docker_image_info:
    name: '{{ docker_image_base_image }}'
  register: docker_image_base_info
- name: Base image {{ docker_image_base_image }} exists
  ansible.builtin.assert:
    that: docker_image_base_info.images | length > 0
    fail_msg: Base image must exist to check if we need to build a new one!
- name: Info is gathered on image {{ docker_image_name }}
  become: true
  become_user: '{{ docker_image_build_user }}'
  community.docker.docker_image_info:
    name: '{{ docker_image_name }}'
  register: docker_image_info
- name: Image {{ docker_image_name }} is correct
  block:
    - name: Context folder exists
      become: true
      become_user: '{{ docker_image_build_user }}'
      ansible.builtin.tempfile:
        state: directory
      register: build_context_path
    - name: Dockerfile exists
      become: true
      become_user: '{{ docker_image_build_user }}'
      ansible.builtin.copy:
        dest: '{{ build_context_path.path }}/Dockerfile'
        content: '{{ docker_image_container_file }}'
        mode: '0600'
    - name: New {{ docker_image_name }} image is built
      become: true
      become_user: '{{ docker_image_build_user }}'
      community.docker.docker_image_build:
        name: '{{ docker_image_name }}'
        path: '{{ build_context_path.path }}'
        rebuild: always
        nocache: true
        args: "{{ dict( docker_image_build_args | map(attribute='name') | zip( docker_image_build_args | map(attribute='value') ) ) }}"
      register: docker_image_new_image_built
  always:
    - name: Build context is absent
      become: true
      become_user: '{{ docker_image_build_user }}'
      ansible.builtin.file:
        path: '{{ build_context_path.path }}'
        state: absent
      when: build_context_path is defined
  # In some edge cases (e.g. changing the base image), the base might be
  # changed but older then the previously built custom image.
  when: >-
    docker_image_base_image_updated.changed | default(False)
    or
    docker_image_info.images | length == 0
    or
    base_created_short | ansible.builtin.to_datetime(iso8601format) > image_created_short | ansible.builtin.to_datetime(iso8601format)
  vars:
    # Taken from the example at:
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/to_datetime_filter.html
    iso8601format: '%Y-%m-%dT%H:%M:%S.%fZ'
    # shorten to microseconds, make sure there's a fractional
    # component to match format string.
    base_created_short: >-
      {{
        docker_image_base_info.images[0].Created
        | regex_replace("([^.]+)(\.\d{6})(\d*)(.+)", "\1\2\4")
        | regex_replace("(:[0-9]+)Z$", "\1.0Z")
      }}
    image_created_short: >-
      {{
        docker_image_info.images[0].Created
        | regex_replace("([^.]+)(\.\d{6})(\d*)(.+)", "\1\2\4")
        | regex_replace("(:[0-9]+)Z$", "\1.0Z")
      }}
...

Podman

The Podman version of tasks/build-image.yaml, to implement the above logic using my interface (variables):

---
# Copyright 2025 Laurence Alexander Hurst
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
- name: Info is gathered on base image {{ podman_image_base_image }}
  become: true
  become_user: '{{ podman_image_build_user }}'
  containers.podman.podman_image_info:
    name: '{{ podman_image_base_image }}'
  register: podman_image_base_info
- name: Base image {{ podman_image_base_image }} is fetched if missing
  become: true
  become_user: '{{ podman_image_build_user }}'
  containers.podman.podman_image:
    name: '{{ podman_image_base_image }}'
    force: true
  when: >-
    podman_image_fetch_base
    and
    podman_image_base_info.images | length == 0
  register: podman_image_base_image_updated
- name: Info is gathered on base image {{ podman_image_base_image }} again (in case it was fetched)
  become: true
  become_user: '{{ podman_image_build_user }}'
  containers.podman.podman_image_info:
    name: '{{ podman_image_base_image }}'
  register: podman_image_base_info
- name: Base image {{ podman_image_base_image }} exists
  ansible.builtin.assert:
    that: podman_image_base_info.images | length > 0
    fail_msg: Base image must exist to check if we need to build a new one!
- name: Info is gathered on image {{ podman_image_name }}
  become: true
  become_user: '{{ podman_image_build_user }}'
  containers.podman.podman_image_info:
    name: '{{ podman_image_name }}'
  register: podman_image_info
- name: Image {{ podman_image_name }} is correct
  block:
    - name: Context folder exists
      become: true
      become_user: '{{ podman_image_build_user }}'
      ansible.builtin.tempfile:
        state: directory
      register: build_context_path
    - name: New {{ podman_image_name }} image is built
      become: true
      become_user: '{{ podman_image_build_user }}'
      containers.podman.podman_image:
        name: '{{ podman_image_name }}'
        path: '{{ build_context_path.path }}'
        state: build
        force: true
        build:
          cache: false
          force_rm: true
          container_file: '{{ podman_image_container_file }}'
          extra_args: "{% for item in podman_image_build_args %}\
            --build-arg \
            {{ item.name | ansible.builtin.quote }}\
            =\
            {{ item.value | ansible.builtin.quote }}\
            {% if not loop.last %} {% endif %}\
            {% endfor %}"
      register: podman_image_new_image_built
  always:
    - name: Build context is absent
      become: true
      become_user: '{{ podman_image_build_user }}'
      ansible.builtin.file:
        path: '{{ build_context_path.path }}'
        state: absent
      when: build_context_path is defined
  # In some edge cases (e.g. changing the base image), the base might be
  # changed but older then the previously built custom image.
  when: >-
    podman_image_base_image_updated.changed | default(False)
    or
    podman_image_info.images | length == 0
    or
    base_created_short | ansible.builtin.to_datetime(iso8601format) > image_created_short | ansible.builtin.to_datetime(iso8601format)
  vars:
    # Taken from the example at:
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/to_datetime_filter.html
    iso8601format: '%Y-%m-%dT%H:%M:%S.%fZ'
    # shorten to microseconds, make sure there's a fractional
    # component to match format string.
    base_created_short: >-
      {{
        podman_image_base_info.images[0].Created
        | regex_replace("([^.]+)(\.\d{6})(\d*)(.+)", "\1\2\4")
        | regex_replace("(:[0-9]+)Z$", "\1.0Z")
      }}
    image_created_short: >-
      {{
        podman_image_info.images[0].Created
        | regex_replace("([^.]+)(\.\d{6})(\d*)(.+)", "\1\2\4")
        | regex_replace("(:[0-9]+)Z$", "\1.0Z")
      }}
...

This will be my first time attending as part of the contingent of a vendor, my new employer OCF Limited, exhibiting at the conference. I am organising, or helping organise, several events; the OCF Steel Stack User Forum, OCF Steel Stack is OCF’s HPC management platform which I now lead the development of, and the final on-site challenge for this year’s Student Cluster Challenge which OCF, and specifically my Research and Development team, are setting. The students will undertake our challenge on Friday morning, before the winning team is crowned in the afternoon - not giving us a huge window for marking but I do tend to perform well under pressure so I am not too worried.

Amongst these students is, I hope, the potential next generation of HPC experts and it is a privilege to have a role in trying to inspire them to consider working in this fascinating area of technology. I am immensely proud of my team and the hard work that has gone into OCF Steel Stack and the challenge this year, and I hope that seeing it come to fruition in the next few days is rewarding for them as well. Finally, I am looking forward to seeing friends, old and new, again this year in a community I have been part of for most of my career, now.

I am also getting very anxious in the run-up to travelling to this event. In September, I went to and spoke at The 3rd IBM Fusion EMEA User Group in Amsterdam (with a very unflattering picture taken of me in full flow being shared by the hosts) and I had been intending to write a blog post about that experience. Public speaking I’m generally good at - by the time I have to speak I will have it well scripted and rehearsed and the speaking itself I think went well. I tried to “ad-lib” some additional content I wrote during the earlier talks (which is why I’m holding a digital notebook in the picture, with those additional lines) but I ended up just sticking to my original script.

That trip to Amsterdam was my first time flying since I was diagnosed with autism in January (which upset me greatly, I am still struggling with it which is why I have not written a post about that diagnosis or followed up the post about my ADHD diagnosis as I promised). It was also my first time ever travelling internationally on my own.

Knowing why I find certain things very difficult was helpful to managing my experience on that trip, however despite doing what I could to self-regulate it was extremely stressful and a couple of problems (related to travelling through Birmingham International Airport, navigating around on foot and travelling as a passenger on public transport, particular difficulties of mine) did push me beyond my coping ability. I survived, with my wife and boss remotely helping me, but I think this work trip I am finding particularly hard - despite a venue and event I have attended several times before - because it’s so soon, and the next one, after that experience.

I have a little script, which I wrote a while ago, that finds the existing tag and category names from my published posts to help me avoid duplication of tags via subtle variants (e.g. using the tag networking instead of network). Originally this script used tabs (\t) to separate the names it found, however as the list of tags (in particular) has grown this has become difficult to read. In looking for a solution, I came across the column command which I’d not seen before. In typical “do one thing and do it well” style (which I am huge fan of - simple building blocks that we can use, and reuse, to make complex systems), it does what it says on the tin and formats the list of things it receives on STDIN into columns on STDOUT.

I present the revised find-tags-and-categories.bash in full:

#!/bin/bash

heading() {
        echo "-------------------------------"
        echo $@
        echo "-------------------------------"
}

grep_posts() {
        grep -h "^$1: " _posts/* | sed "s/^$1: //; s/ /\n/g" | sort -u
}

heading tags
grep_posts tags | column
echo

heading categories
grep_posts categories | column
echo