handlers(docker): add once-per-directory docker compose pull with lockfile

- Introduced a new handler 'docker compose pull' that runs only once per {{ docker_compose.directories.instance }} directory by using a lock file under /run/ansible/compose-pull. - Ensures idempotency by marking the task as changed only when a pull was actually executed. - Restricted execution with 'when: MODE_UPDATE | bool'. - Improves update workflow by avoiding redundant docker pulls during the same Ansible run. Reference: ChatGPT discussion https://chatgpt.com/share/68a55151-959c-800f-8b70-160ffe43e776
2025-08-26 13:35:24 +02:00 · 2025-08-20 06:42:49 +02:00 · 2025-08-20 06:42:49 +02:00 · 594d9417d1
commit 594d9417d1
parent dc125e4843
2 changed files with 31 additions and 3 deletions
--- a/roles/docker-compose/handlers/main.yml
+++ b/roles/docker-compose/handlers/main.yml
@ -11,6 +11,30 @@
    - docker compose restart
    - docker compose just up

+- name: docker compose pull
+  shell: |
+    set -euo pipefail
+    lock="/run/ansible/compose-pull/{{ docker_compose.directories.instance | hash('sha1') }}"
+    if [ ! -e "$lock" ]; then
+      mkdir -p "$(dirname "$lock")"
+      docker compose pull
+      : > "$lock"
+      echo "pulled"
+    fi
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+    executable: /bin/bash
+  register: compose_pull
+  changed_when: "'pulled' in compose_pull.stdout"
+  environment:
+    COMPOSE_HTTP_TIMEOUT: 600
+    DOCKER_CLIENT_TIMEOUT: 600
+  when: (MODE_UPDATE | bool
+  listen:
+    - docker compose up
+    - docker compose restart
+    - docker compose just up
+
 - name: Build docker compose 
  shell: |
    set -euo pipefail
--- a/roles/web-svc-collabora/config/main.yml
+++ b/roles/web-svc-collabora/config/main.yml
@ -2,6 +2,10 @@ server:
  domains:
    canonical:
      - "collabora.{{ PRIMARY_DOMAIN }}"
+  csp:
+    whitelist:
+      frame-ancestors:
+        - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    redis:
@ -9,9 +13,9 @@ docker:
    database: 
      enabled: false # May this is wrong. Just set during refactoring
    collabora:
-      image: collabora/code
-      version: latest 
-      name: collabora
+      image:    collabora/code
+      version:  latest 
+      name:     collabora
 features:
  logout:   false 
  desktop:  true # Just set to allow the iframe to load it