From 594d9417d19c69ca5bb7b7c8e20ee5421e1010f9 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 20 Aug 2025 06:42:49 +0200
Subject: [PATCH] handlers(docker): add once-per-directory docker compose pull with lockfile

- Introduced a new handler 'docker compose pull' that runs only once per {{ docker_compose.directories.instance }} directory by using a lock file under /run/ansible/compose-pull.
- Ensures idempotency by marking the task as changed only when a pull was actually executed.
- Restricted execution with 'when: MODE_UPDATE | bool'.
- Improves update workflow by avoiding redundant docker pulls during the same Ansible run.

Reference: ChatGPT discussion https://chatgpt.com/share/68a55151-959c-800f-8b70-160ffe43e776
---
 roles/docker-compose/handlers/main.yml | 24 ++++++++++++++++++++++++
 roles/web-svc-collabora/config/main.yml | 10 +++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/roles/docker-compose/handlers/main.yml b/roles/docker-compose/handlers/main.yml
index 06a9dc0e..aed3ca74 100644
--- a/roles/docker-compose/handlers/main.yml
+++ b/roles/docker-compose/handlers/main.yml
@@ -11,6 +11,30 @@
 - docker compose restart
 - docker compose just up
 
+- name: docker compose pull
+ shell: |
+ set -euo pipefail
+ lock="/run/ansible/compose-pull/{{ docker_compose.directories.instance | hash('sha1') }}"
+ if [ ! -e "$lock" ]; then
+ mkdir -p "$(dirname "$lock")"
+ docker compose pull
+ : > "$lock"
+ echo "pulled"
+ fi
+ args:
+ chdir: "{{ docker_compose.directories.instance }}"
+ executable: /bin/bash
+ register: compose_pull
+ changed_when: "'pulled' in compose_pull.stdout"
+ environment:
+ COMPOSE_HTTP_TIMEOUT: 600
+ DOCKER_CLIENT_TIMEOUT: 600
+ when: (MODE_UPDATE | bool
+ listen:
+ - docker compose up
+ - docker compose restart
+ - docker compose just up
+
 - name: Build docker compose
 shell: |
 set -euo pipefail
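Review bot: The `when:` line of the new `docker compose pull` handler has an unbalanced parenthesis, `when: (MODE_UPDATE | bool`; YAML accepts it as a plain string, but Jinja rejects it when the handler is notified, so any run that triggers `docker compose up`, `docker compose restart` or `docker compose just up` would fail with a template syntax error, and it should read `when: MODE_UPDATE | bool`. The lock file written under /run/ansible/compose-pull is never removed, and /run is normally a tmpfs that persists until the next reboot, so the pull is skipped on every later update run against the same directory rather than only within one Ansible run as the commit message states. Keying the lock name on a per-run value (for example the `ansible_date_time.iso8601` fact) or removing the lock directory in a final handler would give the intended once-per-run behaviour; creating the lock only after a successful pull, as the hunk does, is fine and keeps a failed pull retryable. The `listen:` items at the top of the hunk belong to a handler defined above it, and `Build docker compose` continues below the hunk.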
diff --git a/roles/web-svc-collabora/config/main.yml b/roles/web-svc-collabora/config/main.yml
index 6450c2d9..84f8f2a0 100644
--- a/roles/web-svc-collabora/config/main.yml
+++ b/roles/web-svc-collabora/config/main.yml
@@ -2,6 +2,10 @@ server:
 domains:
 canonical:
 - "collabora.{{ PRIMARY_DOMAIN }}"
+ csp:
+ whitelist:
+ frame-ancestors:
+ - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
 docker:
 services:
 redis:
@@ -9,9 +13,9 @@ docker:
 database:
 enabled: false # May this is wrong. Just set during refactoring
 collabora:
- image: collabora/code
- version: latest
- name: collabora
+ image: collabora/code
+ version: latest
+ name: collabora
 features:
 logout: false
 desktop: true # Just set to allow the iframe to load it
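Review bot: The new `frame-ancestors` entry `"{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"` permits every subdomain of PRIMARY_DOMAIN to embed Collabora, which is wider than the single iframe consumer the existing `desktop: true` comment hints at; if only one application is meant to load the editor in a frame, listing that host's domain instead keeps the allow-list minimal. A wildcard also means any subdomain added later inherits the right to frame the editor without this file changing. If the broad scope is deliberate, a short comment above `frame-ancestors:` naming the hosts expected to embed it would make that reviewable; the second hunk in this file only re-indents the `collabora:` block and needs no change.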