Refactor Akaunting role and CSP handling

- Improved CSP filter to properly include web-svc-cdn and use protocol-aware domains
- Added Todo.md with redis and OIDC notes
- Enhanced Akaunting role config with CSP flags and redis option
- Updated schema to include app_key validation
- Reworked tasks to handle first-run marker logic cleanly
- Fixed docker-compose template (marker, healthcheck, setup flag)
- Expanded env.j2 with cache, email, proxy, and redis options
- Added javascript.js.j2 template for SSO warning
- Introduced structured vars for Akaunting role
- Removed deprecated update-repository-with-files.yml task

See conversation: https://chatgpt.com/share/68af00df-2c74-800f-90b6-6ac5b29acdcb

roles/web-app-akaunting/templates/docker-compose.yml.j2

@@ -2,22 +2,26 @@
   application:
 
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    container_name: {{ akaunting_name }}
-    image: "{{ akaunting_image }}:{{ akaunting_version }}"
+{% set container_port = 80 %}
+    container_name: {{ AKAUNTING_CONTAINER }}
+    image: "{{ AKAUNTING_IMAGE }}:{{ AKAUNTING_VERSION }}"
     build:
-      context: .
+      context:    {{ docker_repository_path }}
+      dockerfile: Dockerfile
     ports:
-      - 127.0.0.1:{{ ports.localhost.http[application_id] }}:80
+      - 127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}
     volumes:
       - data:/var/www/html
+{% if akaunting_setup_enabled | bool %}
     environment:
-      - AKAUNTING_SETUP
+      - AKAUNTING_SETUP=true
+{% endif %}
+{% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
 
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
   data:
-    name: {{ akaunting_volume }}
-
+    name: {{ AKAUNTING_VOLUME }}
 
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-app-akaunting/templates/env.j2

@@ -1,22 +1,55 @@
-# You should change this to match your reverse proxy DNS name and protocol
-APP_URL={{ domains | get_url(application_id, WEB_PROTOCOL) }}
+# https://github.com/akaunting/akaunting/blob/master/.env.example
+APP_URL={{ AKAUNTING_URL }}
+
+# Locales
 LOCALE={{ HOST_LL }}
+TIMEZONE={{ HOST_TIMEZONE }}
+
+# Environment
+APP_DEBUG={{ MODE_DEBUG | lower }}
+APP_ENV={{ ENVIRONMENT }}
 
 # Don't change this unless you rename your database container or use rootless podman, in case of using rootless podman you should set it to 127.0.0.1 (NOT localhost)
 DB_HOST={{ database_host }}
-
-# Change these to match env/db.env
 DB_DATABASE={{ database_name }}
 DB_USERNAME={{ database_username }}
 DB_PASSWORD={{ database_password }}
-
-# You should change this to a random string of three numbers or letters followed by an underscore
+DB_PORT={{ database_port }}
+DB_CONNECTION=mysql
 DB_PREFIX=asd_
 
+# Proxy
+TRUSTED_PROXIES=*
+TRUSTED_HEADERS=X_FORWARDED_FOR,X_FORWARDED_HOST,X_FORWARDED_PORT,X_FORWARDED_PROTO
+
 # These define the first company to exist on this instance. They are only used during setup.
-COMPANY_NAME={{applications | get_app_conf(application_id, 'company.name', True)}}
-COMPANY_EMAIL={{applications | get_app_conf(application_id, 'company.email', True)}}
+COMPANY_NAME={{ AKAUNTING_COMPANY_NAME }}
+COMPANY_EMAIL={{ AKAUNTING_COMPANY_EMAIL }}
+
+# Credentials
+APP_KEY={{ AKAUNTING_APP_KEY }}
 
 # This will be the first administrative user created on setup.
-ADMIN_EMAIL={{applications.akaunting.setup_admin_email}}
-ADMIN_PASSWORD={{applications | get_app_conf(application_id, 'credentials.setup_admin_password', True)}}
+ADMIN_EMAIL={{ AKAUNTING_ADMIN_EMAIL }}
+ADMIN_PASSWORD={{ AKAUNTING_ADMIN_PASSWORD }}
+
+# Cache
+CACHE_DRIVER={{ AKAUNTING_CACHE_DRIVER }}
+SESSION_DRIVER={{ AKAUNTING_CACHE_DRIVER }}
+QUEUE_CONNECTION={{ 'sync' if AKAUNTING_CACHE_DRIVER == 'file' else AKAUNTING_CACHE_DRIVER }}
+{% if AKAUNTING_CACHE_DRIVER == 'redis' %}
+REDIS_CLIENT=phpredis
+REDIS_HOST=redis
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+{% endif %}
+
+# Email
+MAIL_MAILER={{ 'smtp' if SYSTEM_EMAIL.SMTP else 'sendmail' }}
+MAIL_HOST={{ SYSTEM_EMAIL.HOST }}
+MAIL_PORT={{ SYSTEM_EMAIL.PORT }}
+MAIL_USERNAME={{ users['no-reply'].email }}
+MAIL_PASSWORD={{ users['no-reply'].mailu_token }}
+MAIL_ENCRYPTION={{ SYSTEM_EMAIL.TLS | ternary("tls","null") }}
+MAIL_FROM_ADDRESS={{ AKAUNTING_COMPANY_EMAIL }}
+MAIL_FROM_NAME={{ AKAUNTING_COMPANY_NAME }}

roles/web-app-akaunting/templates/javascript.js.j2

@@ -0,0 +1 @@
+{% include 'templates/roles/web-app/templates/javascripts/sso_warning.js.j2' %}