feat(proxy,bigbluebutton): use parameterized HTML location template & add build retry

- proxy(html.conf.j2):
  * Make proxy_pass more robust (strip '=', '^~' prefixes; ignore @/~ match locations)
  * Switch WS header to $connection_upgrade
  * Unify timeouts (proxy_connect_timeout 5s)
  * Lua optional: include only when proxy_lua_enabled=true; unset Accept-Encoding only then
  * Buffering via flag: proxy_buffering/proxy_request_buffering 'on' with Lua, otherwise 'off'
- proxy(media.conf.j2): minor formatting/spacing fix
- inj-css(head_sub.j2): consistent spacing for global_css_version
- bigbluebutton(tasks/main.yml):
  * Render HTML location block once before include_role (location='^~ /html5client', OAuth2/Lua disabled)
  * Pass rendered snippet via proxy_extra_configuration to the vHost
  * Cleanup afterwards: proxy_extra_configuration = undef()
- docker-compose(handlers):
  * Build with retry: if 'docker compose build' fails -> retry with '--no-cache --pull'
  * Enable BuildKit (DOCKER_BUILDKIT=1, COMPOSE_DOCKER_CLI_BUILD=1)
- vars: trailing newline / minor formatting

Motivation:
- BBB HTML5 client (^~ /html5client) needs a separate location without Lua/buffering.
- More resilient CI/CD builds via automatic no-cache retry.
- Cleaner headers/proxy defaults and fewer side effects.

Files:
- roles/docker-compose/handlers/main.yml
- roles/srv-proxy-7-4-core/templates/location/html.conf.j2
- roles/srv-proxy-7-4-core/templates/location/media.conf.j2
- roles/srv-web-7-7-inj-css/templates/head_sub.j2
- roles/web-app-bigbluebutton/tasks/main.yml
- roles/web-app-bigbluebutton/vars/main.yml

roles/docker-compose/handlers/main.yml

@@ -11,13 +11,22 @@
     - docker compose restart
     - docker compose just up
 
-- name: Build docker 
-  command:
-    cmd:   docker compose build
+- name: Build docker compose 
+  shell: |
+    set -euo pipefail
+    docker compose build || { 
+      echo "Retrying without cache and pulling bases...";
+      docker compose build --no-cache --pull; 
+    }
+  args:
     chdir: "{{ docker_compose.directories.instance }}"
+    executable: /bin/bash
   environment:
     COMPOSE_HTTP_TIMEOUT: 600
     DOCKER_CLIENT_TIMEOUT: 600
+    # Faster build
+    DOCKER_BUILDKIT: "1"
+    COMPOSE_DOCKER_CLI_BUILD: "1"
   listen:
     - docker compose build
 

roles/srv-proxy-7-4-core/templates/location/html.conf.j2

@@ -6,7 +6,8 @@ location {{location}}
     {% include 'roles/web-app-oauth2-proxy/templates/following_directives.conf.j2'%}
   {% endif %}
 
-  proxy_pass http://127.0.0.1:{{ http_port }}{{ location if not location.startswith('@') else '' }};
+  {% set _loc = location|trim %}
+  proxy_pass http://127.0.0.1:{{ http_port }}{{ (_loc|regex_replace('^(?:=|\\^~)\\s*','')) if not (_loc is match('^(@|~)')) else '' }};
 
   # headers
   proxy_set_header Host $host;
@@ -14,25 +15,27 @@ location {{location}}
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header X-Forwarded-Port {{ WEB_PORT }};
-  proxy_set_header Accept-Encoding "";
 
   {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
 
   # WebSocket specific header
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "upgrade";
-
-  # Activate buffering
-  # Needs to be enabled, so that lua can do str replaces
-  proxy_buffering         on; 
-  proxy_request_buffering on;
+  proxy_set_header Connection $connection_upgrade;
 
   # timeouts
-  proxy_connect_timeout       1s;
+  proxy_connect_timeout     5s;
   proxy_send_timeout        900s;
   proxy_read_timeout        900s;
   send_timeout              900s;
   
+  {% set proxy_lua_enabled = proxy_lua_enabled | default(true) | bool %}
+  # Buffering needs to be activ, so that lua can do str replaces
+  proxy_buffering           {{ 'on' if proxy_lua_enabled else 'off' }}; 
+  proxy_request_buffering   {{ 'on' if proxy_lua_enabled else 'off' }};
+
+  {% if proxy_lua_enabled %}
+  proxy_set_header Accept-Encoding "";
   {% include 'roles/srv-web-7-7-inj-compose/templates/location.lua.j2'%}
+  {% endif %}
 }

roles/srv-proxy-7-4-core/templates/location/media.conf.j2

@@ -4,7 +4,7 @@ location ~* \.(jpg|jpeg|png|gif|webp|ico|svg)$ {
     add_header Cache-Control "public, max-age=2592000, immutable";
 
     # Cache on reverse proxy side
-    proxy_pass http://127.0.0.1:{{http_port}};
+    proxy_pass http://127.0.0.1:{{ http_port }};
     proxy_cache imgcache;
     proxy_cache_valid 200 302 60m;
     proxy_cache_valid 404 1m;

roles/srv-web-7-7-inj-css/templates/head_sub.j2

@@ -1 +1 @@
-<link rel="stylesheet" type="text/css" href="/global.css?version={{global_css_version}}">
+<link rel="stylesheet" type="text/css" href="/global.css?version={{ global_css_version }}">

roles/web-app-bigbluebutton/tasks/main.yml

@@ -1,4 +1,14 @@
 ---
+- name: Render HTML-Location-Block in Variable
+  set_fact:
+    proxy_extra_configuration: >-
+      {{ lookup('ansible.builtin.template',
+                playbook_dir ~ '/roles/srv-proxy-7-4-core/templates/location/html.conf.j2') | trim }}
+  vars:
+    location: '^~ /html5client'
+    oauth2_proxy_enabled: false
+    proxy_lua_enabled: false
+
 - name: "load docker, proxy for '{{application_id}}'"
   include_role:
     name: cmp-docker-proxy
@@ -7,6 +17,10 @@
 - name: "include 04_seed-database-to-backup.yml"
   include_tasks: "{{ playbook_dir }}/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml"
 
+- name: "Unset 'proxy_extra_configuration'"
+  set_fact:
+    proxy_extra_configuration: "{{ undef() }}"
+
 - name: configure websocket_upgrade.conf
   copy: 
     src:  "websocket_upgrade.conf"