refactor(web-app-espocrm): improve config patching and container vars

- Replace `ESPOCRM_NAME` with `ESPOCRM_CONTAINER` for clarity and consistency. - Drop unused `ESPOCRM_CONFIG_FILE_PUBLIC`, rely only on `config-internal.php`. - Make DB credential patching idempotent using `grep` + `sed` checks. - Replace direct sed edits for maintenance/cron/cache with EspoCRM ConfigWriter. - Add fallback execution as root if www-data user cannot write config. - Clear EspoCRM cache only when config changes and in update mode. - Remove obsolete OIDC scopes inline task (now handled via env/vars). - Fix docker-compose template to use `ESPOCRM_CONTAINER`. This refactor makes the EspoCRM role more robust, idempotent, and aligned with EspoCRM’s official ConfigWriter mechanism. See conversation: https://chatgpt.com/share/68a87820-12f8-800f-90d6-01ba97a1b279
2025-08-26 21:45:20 +02:00 · 2025-08-22 16:01:48 +02:00 · 2025-08-22 16:01:48 +02:00 · 8b2f0ac47b
commit 8b2f0ac47b
parent 9d6d64e11d
4 changed files with 81 additions and 54 deletions
--- a/roles/web-app-espocrm/tasks/01_patch_config.yml
+++ b/roles/web-app-espocrm/tasks/01_patch_config.yml
@ -1,25 +1,37 @@
- name: Update DB host
+- name: Update DB host (idempotent)
  command: >
-    docker exec --user root {{ ESPOCRM_NAME }}
-    sed -i "s/'host' => .*/'host' => '{{ database_host }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
+    docker exec --user root {{ ESPOCRM_CONTAINER }} sh -lc
+    "grep -q \"'host' *=> *'{{ database_host }}',\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} ||
+     { sed -i \"s/'host'\\s*=>\\s*[^,]*,/'host' => '{{ database_host }}',/\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} && echo CHANGED; }"
+  register: db_host_set
+  changed_when: "'CHANGED' in db_host_set.stdout"
  notify: docker compose restart

- name: Update DB name
+- name: Update DB name (idempotent)
  command: >
-    docker exec --user root {{ ESPOCRM_NAME }}
-    sed -i "s/'dbname' => .*/'dbname' => '{{ database_name }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
+    docker exec --user root {{ ESPOCRM_CONTAINER }} sh -lc
+    "grep -q \"'dbname' *=> *'{{ database_name }}',\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} ||
+     { sed -i \"s/'dbname'\\s*=>\\s*[^,]*,/'dbname' => '{{ database_name }}',/\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} && echo CHANGED; }"
+  register: db_name_set
+  changed_when: "'CHANGED' in db_name_set.stdout"
  notify: docker compose restart

- name: Update DB user
+- name: Update DB user (idempotent)
  command: >
-    docker exec --user root {{ ESPOCRM_NAME }}
-    sed -i "s/'user' => .*/'user' => '{{ database_username }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
+    docker exec --user root {{ ESPOCRM_CONTAINER }} sh -lc
+    "grep -q \"'user' *=> *'{{ database_username }}',\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} ||
+     { sed -i \"s/'user'\\s*=>\\s*[^,]*,/'user' => '{{ database_username }}',/\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} && echo CHANGED; }"
+  register: db_user_set
+  changed_when: "'CHANGED' in db_user_set.stdout"
  notify: docker compose restart

- name: Update DB password
+- name: Update DB password (idempotent)
  command: >
-    docker exec --user root {{ ESPOCRM_NAME }}
-    sed -i "s/'password' => .*/'password' => '{{ database_password }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
+    docker exec --user root {{ ESPOCRM_CONTAINER }} sh -lc
+    "grep -q \"'password' *=> *'{{ database_password }}',\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} ||
+     { sed -i \"s/'password'\\s*=>\\s*[^,]*,/'password' => '{{ database_password }}',/\" {{ ESPOCRM_CONFIG_FILE_PRIVATE }} && echo CHANGED; }"
+  register: db_pass_set
+  changed_when: "'CHANGED' in db_pass_set.stdout"
  notify: docker compose restart
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

@ -43,26 +55,56 @@
  register: siteurl_set
  changed_when: "'CHANGED' in siteurl_set.stdout"

- name: Disable EspoCRM maintenance mode
-  ansible.builtin.shell: |
-    docker exec -u root {{ ESPOCRM_NAME }} \
-      sed -i "s/'maintenanceMode' => true/'maintenanceMode' => false/" {{ ESPOCRM_CONFIG_FILE_PUBLIC }}
-  register: disable_maintenance
-  changed_when: disable_maintenance.rc == 0
-  failed_when: disable_maintenance.rc != 0
+- name: Ensure maintenance off, cron on, cache on (idempotent via ConfigWriter)
+  block:
+    - name: Apply config via ConfigWriter as app user
+      command: >
+        docker exec --user {{ ESPOCRM_USER }} {{ ESPOCRM_CONTAINER }}
+        php -r '
+          require "/var/www/html/bootstrap.php";
+          $app = new \Espo\Core\Application();
+          $c = $app->getContainer();
+          $cfg = $c->get("config");
+          $w = $c->get("injectableFactory")->create("\Espo\Core\Utils\Config\ConfigWriter");
+          $pairs = [
+            "maintenanceMode" => false,
+            "cronDisabled"    => false,
+            "useCache"        => true
+          ];
+          $changed = false;
+          foreach ($pairs as $k => $v) {
+            if ($cfg->get($k) !== $v) { $w->set($k, $v); $changed = true; }
+          }
+          if ($changed) { $w->save(); echo "CHANGED"; }
+        '
+      register: cfg_set
+      changed_when: "'CHANGED' in cfg_set.stdout"

- name: Enable EspoCRM cache
-  ansible.builtin.shell: |
-    docker exec -u root {{ ESPOCRM_NAME }} \
-      sed -i "s/'useCache' => false/'useCache' => true/" {{ ESPOCRM_CONFIG_FILE_PUBLIC }}
-  register: enable_cache
-  changed_when: enable_cache.rc == 0
-  failed_when: enable_cache.rc != 0
+  rescue:
+    - name: Apply config via ConfigWriter as root (fallback)
+      command: >
+        docker exec --user root {{ ESPOCRM_CONTAINER }}
+        php -r '
+          require "/var/www/html/bootstrap.php";
+          $app = new \Espo\Core\Application();
+          $c = $app->getContainer();
+          $cfg = $c->get("config");
+          $w = $c->get("injectableFactory")->create("\Espo\Core\Utils\Config\ConfigWriter");
+          $pairs = [
+            "maintenanceMode" => false,
+            "cronDisabled"    => false,
+            "useCache"        => true
+          ];
+          $changed = false;
+          foreach ($pairs as $k => $v) {
+            if ($cfg->get($k) !== $v) { $w->set($k, $v); $changed = true; }
+          }
+          if ($changed) { $w->save(); echo "CHANGED"; }
+        '
+      register: cfg_set
+      changed_when: "'CHANGED' in cfg_set.stdout"

- name: Enable EspoCRM cron
-  ansible.builtin.shell: |
-    docker exec -u root {{ ESPOCRM_NAME }} \
-      sed -i "s/'cronDisabled' => true/'cronDisabled' => false/" {{ ESPOCRM_CONFIG_FILE_PUBLIC }}
-  register: enable_cron
-  changed_when: enable_cron.rc == 0
-  failed_when: enable_cron.rc != 0
+- name: Clear EspoCRM cache (only when config changed and we are updating)
+  command: >
+    docker exec --user {{ ESPOCRM_USER }} {{ ESPOCRM_CONTAINER }} php clear_cache.php
+  when: "'CHANGED' in cfg_set.stdout and MODE_UPDATE | bool"
--- a/roles/web-app-espocrm/tasks/main.yml
+++ b/roles/web-app-espocrm/tasks/main.yml
@ -6,29 +6,14 @@
    docker_compose_flush_handlers:  true

 - name: Check if config.php exists in EspoCRM
-  command: docker exec --user root {{ ESPOCRM_NAME }} test -f {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
+  command: docker exec --user root {{ ESPOCRM_CONTAINER }} test -f {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
  register: config_file_exists
  changed_when: false
  failed_when: false

- name: Patch EspoCRM config.php with updated DB credentials
+- name: Patch EspoCRM config.php
  include_tasks: 01_patch_config.yml
  when: config_file_exists.rc == 0

 - name: Flush handlers to make DB available before password reset
  meta: flush_handlers
-
- name: Set OIDC scopes in EspoCRM config (inside web container)
-  ansible.builtin.shell: |
-    docker compose exec -T web php -r '
-      require "/var/www/html/bootstrap.php";
-      $writer = (new \Espo\Core\Application())
-        ->getContainer()
-        ->get("injectableFactory")
-        ->create("\Espo\Core\Utils\Config\ConfigWriter");
-      $writer->set("oidcScopes", ["openid", "profile", "email"]);
-      $writer->save();
-    '
-  args:
-    chdir: "{{ docker_compose.directories.instance }}"
-  when: ESPOCRM_OIDC_ENABLED | bool
--- a/roles/web-app-espocrm/templates/docker-compose.yml.j2
+++ b/roles/web-app-espocrm/templates/docker-compose.yml.j2
@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
  web:
-    container_name: {{ ESPOCRM_NAME }}
+    container_name: {{ ESPOCRM_CONTAINER }}
    image: "{{ ESPOCRM_IMAGE }}:{{ ESPOCRM_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
--- a/roles/web-app-espocrm/vars/main.yml
+++ b/roles/web-app-espocrm/vars/main.yml
@ -13,9 +13,9 @@ vhost_flavour:                "ws_generic"
 # Espocrm
 ESPOCRM_VERSION:              "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.version', True) }}"
 ESPOCRM_IMAGE:                "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.image', True) }}"
-ESPOCRM_NAME:                 "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.name', True) }}"
+ESPOCRM_CONTAINER:            "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.name', True) }}"
 ESPOCRM_VOLUME:               "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
 ESPOCRM_CONFIG_FILE_PRIVATE:  "/var/www/html/data/config-internal.php"
-ESPOCRM_CONFIG_FILE_PUBLIC:   "/var/www/html/data/config.php"
 ESPOCRM_URL:                  "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
-ESPOCRM_OIDC_ENABLED:         "{{ applications | get_app_conf(application_id, 'features.central_database', False) }}"
+ESPOCRM_OIDC_ENABLED:         "{{ applications | get_app_conf(application_id, 'features.oidc', False) }}"
+ESPOCRM_USER:                 "www-data"