From a9097a3ec39176db6e87ada39f501cbcdd04c14e Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Sun, 28 Sep 2025 15:50:28 +0200
Subject: [PATCH] web-app-espocrm: add resource limits, init/stop settings and
 cleanups

- Added CPU, memory and PID limits for espocrm, daemon and websocket services
- Enabled init process and graceful stop (SIGTERM, 30s) in docker-compose
- Adjusted env template (removed forced True/default flags)
- Introduced entity_name/ESPOCRM_SERVICE in vars for service naming
- Minor cleanup of get_app_conf defaults

Ref: https://chatgpt.com/share/68d937ce-9c34-800f-9136-54baed9c91c7
---
 roles/web-app-espocrm/config/main.yml         | 20 +++++++++++--
 .../templates/docker-compose.yml.j2           | 29 +++++++++++++------
 roles/web-app-espocrm/templates/env.j2        |  6 ++--
 roles/web-app-espocrm/vars/main.yml           | 13 +++++----
 4 files changed, 48 insertions(+), 20 deletions(-)

diff --git a/roles/web-app-espocrm/config/main.yml b/roles/web-app-espocrm/config/main.yml
index 31d5813e..04c6043b 100644
--- a/roles/web-app-espocrm/config/main.yml
+++ b/roles/web-app-espocrm/config/main.yml
@@ -33,8 +33,22 @@ docker:
     database:
       enabled: true              
     espocrm:
-      image:    "espocrm/espocrm"
-      version:  "latest"
-      name:     "espocrm"
+      image:            "espocrm/espocrm"
+      version:          "latest"
+      name:             "espocrm"
+      cpus:             1.5
+      mem_reservation:  1.2g
+      mem_limit:        2g
+      pids_limit:       768
+    daemon:
+      cpus:             0.5
+      mem_reservation:  0.25g
+      mem_limit:        0.5g
+      pids_limit:       384
+    websocket:
+      cpus:             0.5
+      mem_reservation:  0.25g
+      mem_limit:        0.5g
+      pids_limit:       384
   volumes:
     data: espocrm_data
diff --git a/roles/web-app-espocrm/templates/docker-compose.yml.j2 b/roles/web-app-espocrm/templates/docker-compose.yml.j2
index dde2e765..9628074e 100644
--- a/roles/web-app-espocrm/templates/docker-compose.yml.j2
+++ b/roles/web-app-espocrm/templates/docker-compose.yml.j2
@@ -1,7 +1,12 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
-  web:
+
+{% set service_name = ESPOCRM_SERVICE %}
+  {{ service_name }}:
     container_name: {{ ESPOCRM_CONTAINER }}
     image: "{{ ESPOCRM_IMAGE }}:{{ ESPOCRM_VERSION }}"
+    init: true
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
     ports:
@@ -11,21 +16,27 @@
     volumes:
       - data:/var/www/html
 
-  daemon:
+{% set service_name = 'daemon' %}
+  {{ service_name }}:
     image: "{{ ESPOCRM_IMAGE }}:{{ ESPOCRM_VERSION }}"
-    restart: {{ DOCKER_RESTART_POLICY }}
-    logging:
-      driver: journald
+    container_name: {{ ESPOCRM_CONTAINER }}_{{ service_name }}
+    init: true
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+{% include 'roles/docker-container/templates/base.yml.j2' %}
     entrypoint: docker-daemon.sh
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
     volumes:
       - data:/var/www/html
 
-  websocket:
+{% set service_name = 'websocket' %}
+  {{ service_name }}:
     image: "{{ ESPOCRM_IMAGE }}:{{ ESPOCRM_VERSION }}"
-    restart: {{ DOCKER_RESTART_POLICY }}
-    logging:
-      driver: journald
+    container_name: {{ ESPOCRM_CONTAINER }}_{{ service_name }}
+    init: true
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+{% include 'roles/docker-container/templates/base.yml.j2' %}
     environment:
       - ESPOCRM_CONFIG_USE_WEB_SOCKET=true
       - ESPOCRM_CONFIG_WEB_SOCKET_URL={{ WEBSOCKET_PROTOCOL }}://{{ domains | get_domain(application_id) }}/ws
diff --git a/roles/web-app-espocrm/templates/env.j2 b/roles/web-app-espocrm/templates/env.j2
index 1112d266..ee6f9000 100644
--- a/roles/web-app-espocrm/templates/env.j2
+++ b/roles/web-app-espocrm/templates/env.j2
@@ -20,7 +20,7 @@ CRON_DISABLED=true
 # Initial admin account
 # ------------------------------------------------
 ESPOCRM_ADMIN_USERNAME={{ applications | get_app_conf(application_id, 'users.administrator.username') }}
-ESPOCRM_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}
+ESPOCRM_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}
 
 # Public base URL of the EspoCRM instance
 ESPOCRM_SITE_URL={{ ESPOCRM_URL }}
@@ -54,14 +54,14 @@ ESPOCRM_CONFIG_SMTP_SECURITY={{ "TLS" if SYSTEM_EMAIL.START_TLS else "SSL"}}
 ESPOCRM_CONFIG_SMTP_AUTH=true
 ESPOCRM_CONFIG_SMTP_USERNAME={{ users['contact'].email }}
 ESPOCRM_CONFIG_SMTP_PASSWORD={{ users['contact'].mailu_token }}
-ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications | get_app_conf(application_id, 'email.from_name', True)}}
+ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications | get_app_conf(application_id, 'email.from_name')}}
 ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_ADDRESS={{ users['contact'].email }}
 
 # ------------------------------------------------
 # LDAP settings (optional)
 # Applied only if the feature flag is true
 # ------------------------------------------------
-{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
+{% if applications | get_app_conf(application_id, 'features.ldap') %}
 ESPOCRM_CONFIG_AUTHENTICATION_METHOD=Ldap
 ESPOCRM_CONFIG_LDAP_HOST={{ LDAP.SERVER.DOMAIN }}
 ESPOCRM_CONFIG_LDAP_PORT={{ LDAP.SERVER.PORT }}
diff --git a/roles/web-app-espocrm/vars/main.yml b/roles/web-app-espocrm/vars/main.yml
index 56f72168..387d4eaf 100644
--- a/roles/web-app-espocrm/vars/main.yml
+++ b/roles/web-app-espocrm/vars/main.yml
@@ -1,5 +1,6 @@
 # General
 application_id:               "web-app-espocrm"
+entity_name:                  "{{ application_id | get_entity_name }}"
 
 # Database
 database_type:                "mariadb"
@@ -11,11 +12,13 @@ client_max_body_size:         "100m"
 vhost_flavour:                "ws_generic"
 
 # Espocrm
-ESPOCRM_VERSION:              "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.version', True) }}"
-ESPOCRM_IMAGE:                "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.image', True) }}"
-ESPOCRM_CONTAINER:            "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.name', True) }}"
-ESPOCRM_VOLUME:               "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
+ESPOCRM_VERSION:              "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.version') }}"
+ESPOCRM_IMAGE:                "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.image') }}"
+ESPOCRM_CONTAINER:            "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.name') }}"
+ESPOCRM_VOLUME:               "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+ESPOCRM_SERVICE:              "{{ entity_name }}"
+
 ESPOCRM_CONFIG_FILE_PRIVATE:  "/var/www/html/data/config-internal.php"
 ESPOCRM_URL:                  "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
-ESPOCRM_OIDC_ENABLED:         "{{ applications | get_app_conf(application_id, 'features.oidc', False) }}"
+ESPOCRM_OIDC_ENABLED:         "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
 ESPOCRM_USER:                 "www-data"