Enhance Shopware role: fix init script permissions, CSP for data: fonts, and unify shell usage

- Added 'font-src data:' to CSP whitelist to allow inline fonts in Admin UI - Refactored init.sh to run as root only for volume permission setup, then drop privileges to www-data - Unified all bash invocations to sh for POSIX compliance - Added missing 'bundles' named volume and mount to Docker Compose - Set init container to run as root (0:0) for permission setup - Added admin user rename step via Ansible task See discussion: https://chatgpt.com/share/69087361-859c-800f-862c-7413350cca3e
2025-11-07 21:58:02 +00:00 · 2025-11-03 10:18:45 +01:00
parent df8390f386
commit 0bf286f62a
8 changed files with 148 additions and 63 deletions
--- a/roles/web-app-shopware/tasks/01_admin.yml
+++ b/roles/web-app-shopware/tasks/01_admin.yml
@@ -1,4 +1,22 @@
-# Ensures that the admin user exists and always has the desired password
+- name: "Rename default Shopware admin user to {{ users.administrator.username }}"
+  shell: |
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
+      set -e
+      cd {{ SHOPWARE_ROOT }}
+      old_user="admin"
+      new_user="{{ users.administrator.username }}"
+      if php bin/console user:list | grep -q "^$old_user "; then
+        echo "[INFO] Renaming Shopware user: $old_user -> $new_user"
+        php bin/console user:update "$old_user" --username="$new_user" || true
+      else
+        echo "[INFO] No user named $old_user found (already renamed or custom setup)"
+      fi
+    '
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  changed_when: false
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
 - name: "Ensure Shopware admin exists and has the desired password"
  shell: |
    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
@@ -17,3 +35,4 @@
    '
  args:
    chdir: "{{ docker_compose.directories.instance }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
--- a/roles/web-app-shopware/tasks/cleanup/ldap.yml
+++ b/roles/web-app-shopware/tasks/cleanup/ldap.yml
@@ -1,6 +1,6 @@
 - name: "Deactivate/uninstall LDAP plugin if present"
  shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
      cd {{ SHOPWARE_ROOT }}
      php bin/console plugin:deactivate INFX_LDAP_PLUGIN || true
      php bin/console plugin:uninstall INFX_LDAP_PLUGIN --keep-user-data || true
--- a/roles/web-app-shopware/tasks/cleanup/oidc.yml
+++ b/roles/web-app-shopware/tasks/cleanup/oidc.yml
@@ -1,6 +1,6 @@
 - name: "Deactivate/uninstall OIDC plugin if present"
  shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
      cd {{ SHOPWARE_ROOT }}
      php bin/console plugin:deactivate INFX_OIDC_PLUGIN || true
      php bin/console plugin:uninstall INFX_OIDC_PLUGIN --keep-user-data || true
--- a/roles/web-app-shopware/tasks/setup/ldap.yml
+++ b/roles/web-app-shopware/tasks/setup/ldap.yml
@@ -1,7 +1,7 @@
 # Replace INFX_LDAP_PLUGIN with the actual plugin name you use
 - name: "Install LDAP admin plugin & activate"
  shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
      set -e
      cd {{ SHOPWARE_ROOT }}
      php bin/console plugin:refresh
@@ -13,7 +13,7 @@

 - name: "Configure LDAP connection"
  shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
      set -e
      cd {{ SHOPWARE_ROOT }}
      php bin/console system:config:set "InfxLdap.config.host"     "{{ LDAP.SERVER.DOMAIN }}"
--- a/roles/web-app-shopware/tasks/setup/oidc.yml
+++ b/roles/web-app-shopware/tasks/setup/oidc.yml
@@ -1,7 +1,7 @@
 # Replace INFX_OIDC_PLUGIN with the actual plugin name (Composer or local)
 - name: "Install OIDC plugin & activate"
  shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
      set -e
      cd {{ SHOPWARE_ROOT }}
      php bin/console plugin:refresh
@@ -13,7 +13,7 @@

 - name: "Configure OIDC via system:config"
  shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
      set -e
      cd {{ SHOPWARE_ROOT }}
      php bin/console system:config:set "InfxOidc.config.clientId"        "{{ OIDC.CLIENT.ID }}"