web-app-chess: build/runtime hardening & feature enablement

Build: use Yarn 4 via Corepack; immutable install with inline builds.

Runtime: enable Corepack as user 'node', use project-local cache (/app/.yarn/cache), add curl; fix ownership.

Entrypoint: generate keys in correct dir; run 'yarn install --immutable --inline-builds' before migrations; wait for Postgres.

Config: enable matomo/css/desktop; notify 'docker compose build' on entrypoint changes.

Docs: rename README title to 'Chess'.

Ref: ChatGPT conversation (2025-09-03) — https://chatgpt.com/share/68b88126-7a6c-800f-acae-ae61ed577f46

roles/web-app-chess/README.md

@@ -1,4 +1,4 @@
-# web-app-chess
+# Chess
 
 ## Description
 

roles/web-app-chess/config/main.yml

@@ -12,9 +12,9 @@ docker:
   volumes:
     data:           "chess_data"
 features:
-  matomo:           false
+  matomo:           true
-  css:              false
+  css:              true
-  desktop:          false
+  desktop:          true
   central_database: true
   logout:           false
   oidc:             false

roles/web-app-chess/files/docker-entrypoint.sh

@@ -7,9 +7,16 @@ APP_KEY_PUB="${APP_KEY_FILE}.pub"
 # 1) Generate signing key pair if missing
 if [[ ! -f "${APP_KEY_FILE}" || ! -f "${APP_KEY_PUB}" ]]; then
   echo "[chess] generating RSA signing key pair at ${APP_KEY_FILE}"
-  /app/tools/gen-signing-key.sh "${APP_KEY_FILE}"
+  key_dir="$(dirname "${APP_KEY_FILE}")"
+  key_base="$(basename "${APP_KEY_FILE}")"
+  ( cd "${key_dir}" && bash /app/tools/gen-signing-key.sh "${key_base}" )
 fi
 
+  # 1.5) Ensure Yarn is ready and deps are installed (PnP, immutable)
+echo "[chess] preparing yarn & installing deps (immutable)"
+corepack enable || true
+yarn install --immutable --inline-builds
+
 # 2) Wait for PostgreSQL if env is provided
 if [[ -n "${PGHOST:-}" ]]; then
   echo "[chess] waiting for PostgreSQL at ${PGHOST}:${PGPORT}..."

roles/web-app-chess/tasks/01_core.yml

@@ -6,5 +6,7 @@
   copy:
     src:    "{{ CHESS_ENTRYPOINT_FILE }}"
     dest:   "{{ CHESS_ENTRYPOINT_ABS }}"
+  notify: 
+    - docker compose build
 
 - include_tasks: utils/run_once.yml

roles/web-app-chess/templates/Dockerfile.j2

@@ -12,34 +12,41 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 WORKDIR /src
 RUN git clone --depth 1 --branch "${CHESS_REPO_REF}" "${CHESS_REPO_URL}" ./
 
-# Yarn is preinstalled in Node images via corepack; enable it.
+# Use Yarn 4 for the build
-RUN corepack enable
+RUN corepack enable && corepack prepare yarn@4.9.1 --activate && yarn -v
-
+RUN yarn install --immutable --inline-builds
-# Install deps and build TS
+RUN yarn build
-RUN yarn install --frozen-lockfile && yarn build
 
 # Stage 2: runtime
 FROM node:{{ CHESS_VERSION }}
 
 WORKDIR /app
 
-# Minimal runtime packages + dumb-init
+# Minimal runtime packages + dumb-init (+ curl for healthcheck)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    openssl dumb-init postgresql-client \
+    bash openssl dumb-init postgresql-client ca-certificates curl \
  && rm -rf /var/lib/apt/lists/*
 
-# Copy built app
+# Copy built app from builder
 COPY --from=build /src /app
 
-# Create data dir for signing keys & cache
+# Entrypoint script (root so chmod works in /usr/local/bin)
-RUN mkdir -p {{ CHESS_APP_DATA_DIR }} && chown -R node:node /app
-VOLUME ["{{ CHESS_APP_DATA_DIR }}"]
-
-# Entrypoint script
 COPY {{ CHESS_ENTRYPOINT_REL }} {{ CHESS_ENTRYPOINT_INT }}
 RUN chmod +x {{ CHESS_ENTRYPOINT_INT }}
 
+# Create data dir for signing keys and Yarn cache; fix ownership
+RUN mkdir -p {{ CHESS_APP_DATA_DIR }} /app/.yarn/cache /home/node \
+ && chown -R node:node /app /home/node
+
+# Use project-local yarn cache (avoid /root/.yarn)
+ENV YARN_ENABLE_GLOBAL_CACHE=false
+ENV YARN_CACHE_FOLDER=/app/.yarn/cache
+
+# Switch to non-root and prep yarn 4
 USER node
+ENV HOME=/home/node
+RUN corepack enable && corepack prepare yarn@4.9.1 --activate && yarn -v
+
 EXPOSE {{ container_port }}
 ENTRYPOINT ["dumb-init", "--"]
 CMD ["{{ CHESS_ENTRYPOINT_INT }}"]