Confluence/Jira roles: add READMEs, switch to custom images, proxy/JVM envs, and integer-safe heap sizing

Confluence: README added; demo disables OIDC/LDAP; Dockerfile overlay; docker-compose now uses CONFLUENCE_CUSTOM_IMAGE and DB depends include; env.j2 adds ATL_* and JVM_*; vars use integer math (//) for Xmx/Xms and expose CUSTOM_IMAGE. Jira: initial role skeleton with README, config/meta/tasks; Dockerfile overlay; docker-compose using JIRA_CUSTOM_IMAGE and DB depends include; env.j2 with proxy + JVM envs; vars with integer-safe memory sizing. Context: https://chatgpt.com/share/68b6b592-2250-800f-b68e-b37ae98dbe70
2025-09-09 11:47:14 +02:00 · 2025-09-02 12:07:34 +02:00
parent bc56940e55
commit 188b098503
15 changed files with 265 additions and 29 deletions
--- a/roles/web-app-jira/README.md
+++ b/roles/web-app-jira/README.md
@@ -0,0 +1,25 @@
+# Jira
+
+## Description
+
+Jira Software is Atlassian’s issue and project-tracking platform. This role deploys Jira via Docker Compose, connects it to PostgreSQL, and adds proxy awareness, optional OIDC SSO, health checks, and production-oriented defaults for Infinito.Nexus.
+
+## Overview
+
+The role builds a lean custom image on top of the official Jira Software image, provisions persistent volumes, and exposes the app behind your reverse proxy. Variables control image/version/volumes/domains/SSO. JVM heap sizing is auto-derived from host RAM with safe caps to prevent `Xms > Xmx`.
+
+## Features
+
+* **Fully Dockerized:** Compose stack with a dedicated data volume (`jira_data`) and a minimal overlay image to enable future plugins/config.
+* **Reverse-Proxy/HTTPS Ready:** Preconfigured Atlassian Tomcat proxy envs so Jira respects external scheme/host/port.
+* **OIDC SSO (Optional):** Pre-templated vars for issuer, client, endpoints, scopes; compatible with Atlassian DC SSO/OIDC marketplace apps.
+* **Central Database:** PostgreSQL integration (local or central) with credentials sourced from role configuration.
+* **JVM Auto-Tuning:** Safe calculation of `JVM_MINIMUM_MEMORY` / `JVM_MAXIMUM_MEMORY` with caps to avoid VM init errors.
+* **Health Checks:** Container healthcheck for quicker failure detection and stable automation.
+* **CSP & Canonical Domains:** Integrates with platform CSP and domain management.
+* **Backup Ready:** Persistent data under `/var/atlassian/application-data/jira`.
+
+## Further Resources
+
+* Product page: [Atlassian Jira Software](https://www.atlassian.com/software/jira)
+* Docker Hub (official image): [atlassian/jira-software](https://hub.docker.com/r/atlassian/jira-software)
--- a/roles/web-app-jira/config/main.yml
+++ b/roles/web-app-jira/config/main.yml
@@ -0,0 +1,29 @@
+
+credentials: {}
+docker:
+  services:
+    database:
+      enabled:  true
+    application:
+      image:    atlassian/jira-software
+      version:  latest
+      name:     jira
+  volumes:
+    data:       "jira_data"
+features:
+  matomo:           true
+  css:              true
+  desktop:          true
+  central_database: true
+  logout:           true
+  oidc:             false  # Not enabled for demo version
+  ldap:             false  # Not enabled for demo version
+server:
+  csp:
+    whitelist:      {}
+    flags:          {}
+  domains:
+    canonical:
+      - "jira.{{ PRIMARY_DOMAIN }}"
+rbac:
+  roles: {}
--- a/roles/web-app-jira/meta/main.yml
+++ b/roles/web-app-jira/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Jira Software is Atlassian’s issue & project tracking platform. This role deploys Jira in Docker, adds optional OIDC support, and integrates with the Infinito.Nexus ecosystem."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: | 
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags: []
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/"
+  logo:
+    class: "fas fa-diagram-project"
+  run_after:
+    - web-app-matomo
+    - web-app-keycloak
+    - web-app-mailu
+dependencies: []
--- a/roles/web-app-jira/schema/main.yml
+++ b/roles/web-app-jira/schema/main.yml
--- a/roles/web-app-jira/tasks/main.yml
+++ b/roles/web-app-jira/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- block:
+  - name: "load docker, db and proxy for {{ application_id }}"
+    include_role:
+      name: sys-stk-full-stateful
+  - include_tasks: utils/run_once.yml
+  when: run_once_web_app_jira is not defined
--- a/roles/web-app-jira/templates/Dockerfile.j2
+++ b/roles/web-app-jira/templates/Dockerfile.j2
@@ -0,0 +1,8 @@
+FROM "{{ JIRA_IMAGE }}:{{ JIRA_VERSION }}"
+
+# Optional: install OIDC SSO app (example path/name)
+# COPY ./plugins/atlassian-sso-dc-latest.obr /opt/atlassian/jira/atlassian-bundled-plugins/
+
+# Ensure proper permissions for app data
+RUN mkdir -p /var/atlassian/application-data/jira && \
+    chown -R 2001:2001 /var/atlassian/application-data/jira
--- a/roles/web-app-jira/templates/docker-compose.yml.j2
+++ b/roles/web-app-jira/templates/docker-compose.yml.j2
@@ -0,0 +1,23 @@
+
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+  application:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: "{{ JIRA_CUSTOM_IMAGE }}"
+    container_name: "{{ JIRA_CONTAINER }}"
+    hostname: '{{ JIRA_HOSTNAME }}'
+    ports:
+      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:8080"
+    volumes:
+      - 'data:/var/atlassian/application-data/jira'
+{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  data:
+    name: {{ JIRA_DATA_VOLUME }}
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/web-app-jira/templates/env.j2
+++ b/roles/web-app-jira/templates/env.j2
@@ -0,0 +1,31 @@
+## Jira core
+JIRA_URL="{{ JIRA_URL }}"
+
+## Database
+JIRA_DATABASE_NAME="{{ database_name }}"
+JIRA_DATABASE_USER="{{ database_username }}"
+JIRA_DATABASE_PASSWORD="{{ database_password }}"
+JIRA_DATABASE_HOST="{{ database_host }}"
+JIRA_DATABASE_PORT="{{ database_port }}"
+
+ATL_PROXY_NAME={{ JIRA_HOSTNAME }}
+ATL_PROXY_PORT={{ WEB_PORT }}
+ATL_TOMCAT_SCHEME={{ WEB_PROTOCOL }}
+ATL_TOMCAT_SECURE={{ (WEB_PORT == 443) | lower }}
+JVM_MINIMUM_MEMORY={{ JIRA_JVM_MIN }}
+JVM_MAXIMUM_MEMORY={{ JIRA_JVM_MAX }}
+
+## OIDC
+{% if JIRA_OIDC_ENABLED %}
+JIRA_OIDC_TITLE="{{ JIRA_OIDC_LABEL | replace('\"','\\\"') }}"
+JIRA_OIDC_ISSUER="{{ JIRA_OIDC_ISSUER }}"
+JIRA_OIDC_AUTHORIZATION_ENDPOINT="{{ JIRA_OIDC_AUTH_URL }}"
+JIRA_OIDC_TOKEN_ENDPOINT="{{ JIRA_OIDC_TOKEN_URL }}"
+JIRA_OIDC_USERINFO_ENDPOINT="{{ JIRA_OIDC_USERINFO_URL }}"
+JIRA_OIDC_END_SESSION_ENDPOINT="{{ JIRA_OIDC_LOGOUT_URL }}"
+JIRA_OIDC_JWKS_URI="{{ JIRA_OIDC_JWKS_URL }}"
+JIRA_OIDC_CLIENT_ID="{{ JIRA_OIDC_CLIENT_ID }}"
+JIRA_OIDC_CLIENT_SECRET="{{ JIRA_OIDC_CLIENT_SECRET }}"
+JIRA_OIDC_SCOPES="{{ JIRA_OIDC_SCOPES }}"
+JIRA_OIDC_UNIQUE_ATTRIBUTE="{{ JIRA_OIDC_UNIQUE_ATTRIBUTE }}"
+{% endif %}
--- a/roles/web-app-jira/vars/main.yml
+++ b/roles/web-app-jira/vars/main.yml
@@ -0,0 +1,41 @@
+# General
+application_id:               "web-app-jira"
+database_type:                "postgres"
+
+# Container
+container_port:               8080   # Standardport Jira
+container_hostname:           "{{ domains | get_domain(application_id) }}"
+
+# Jira
+
+## URLs
+JIRA_URL:                     "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+JIRA_HOSTNAME:                "{{ container_hostname }}"
+
+## OIDC
+JIRA_OIDC_ENABLED:            "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+JIRA_OIDC_LABEL:              "{{ OIDC.BUTTON_TEXT }}"
+JIRA_OIDC_CLIENT_ID:          "{{ OIDC.CLIENT.ID }}"
+JIRA_OIDC_CLIENT_SECRET:      "{{ OIDC.CLIENT.SECRET }}"
+JIRA_OIDC_ISSUER:             "{{ OIDC.CLIENT.ISSUER_URL }}"
+JIRA_OIDC_AUTH_URL:           "{{ OIDC.CLIENT.AUTHORIZE_URL }}"
+JIRA_OIDC_TOKEN_URL:          "{{ OIDC.CLIENT.TOKEN_URL }}"
+JIRA_OIDC_USERINFO_URL:       "{{ OIDC.CLIENT.USER_INFO_URL }}"
+JIRA_OIDC_LOGOUT_URL:         "{{ OIDC.CLIENT.LOGOUT_URL }}"
+JIRA_OIDC_JWKS_URL:           "{{ OIDC.CLIENT.CERTS }}"
+JIRA_OIDC_SCOPES:             "openid,email,profile"
+JIRA_OIDC_UNIQUE_ATTRIBUTE:   "{{ OIDC.ATTRIBUTES.USERNAME }}"
+
+## Docker
+JIRA_VERSION:                 "{{ applications | get_app_conf(application_id, 'docker.services.application.version') }}"
+JIRA_IMAGE:                   "{{ applications | get_app_conf(application_id, 'docker.services.application.image') }}"
+JIRA_CONTAINER:               "{{ applications | get_app_conf(application_id, 'docker.services.application.name') }}"
+JIRA_DATA_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+JIRA_CUSTOM_IMAGE:            "{{ JIRA_IMAGE }}_custom"
+
+## Performance (auto-derive from host memory)
+JIRA_TOTAL_MB:                "{{ ansible_memtotal_mb | int }}"
+JIRA_JVM_MAX_MB:              "{{ [ (JIRA_TOTAL_MB // 2), 12288 ] | min }}"
+JIRA_JVM_MIN_MB:              "{{ [ (JIRA_TOTAL_MB // 4), JIRA_JVM_MAX_MB ] | min }}"
+JIRA_JVM_MIN:                 "{{ JIRA_JVM_MIN_MB }}m"
+JIRA_JVM_MAX:                 "{{ JIRA_JVM_MAX_MB }}m"