Refactor OpenProject role:

- Add CPU, memory and PID limits to all services in config/main.yml to prevent OOM - Replace old LDAP admin bootstrap with new 02_admin.yml using OPENPROJECT_ADMINISTRATOR_* vars - Standardize variable names (uppercase convention) - Fix HTTPS/HSTS port check (443 instead of 433) - Allow docker_restart_policy override in base.yml.j2 - Cleanup redundant LDAP admin runner in 01_ldap.yml See: https://chatgpt.com/share/68d40c6e-ab9c-800f-a4a0-d9338d8c1b32
2025-10-10 18:58:10 +02:00 · 2025-09-24 17:22:47 +02:00
parent 4f59e8e48b
commit ca52dcda43
10 changed files with 134 additions and 88 deletions
--- a/roles/web-app-openproject/tasks/01_ldap.yml
+++ b/roles/web-app-openproject/tasks/01_ldap.yml
@@ -77,25 +77,3 @@
  when: ldap_check.query_result | length == 0
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-
-# This works just after the first admin login
-# @todo Remove and replace trough LDAP RBAC group
- name: Set LDAP user as admin via OpenProject Rails runner
-  shell: >
-    docker compose exec web bash -c "
-      cd /app &&
-      RAILS_ENV={{ ENVIRONMENT | lower }} bundle exec rails runner \"
-        user = User.find_by(mail: '{{ users.administrator.email }}');
-        if user.nil?;
-          puts 'User with email {{ users.administrator.email }} not found.';
-        else;
-          user.admin = true;
-          user.save!;
-          puts 'User \#{user.login} is now an admin.';
-        end
-      \"
-    "
-  args:
-    chdir: "{{ docker_compose.directories.instance }}"
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
--- a/roles/web-app-openproject/tasks/02_admin.yml
+++ b/roles/web-app-openproject/tasks/02_admin.yml
@@ -0,0 +1,30 @@
+- name: Ensure administrator user exists and is admin
+  shell: >
+    docker compose exec web bash -c "
+      cd /app &&
+      RAILS_ENV={{ ENVIRONMENT | lower }} bundle exec rails runner \"
+        u = User.find_by(login: '{{ OPENPROJECT_ADMINISTRATOR_USERNAME }}')
+        if u.nil?
+          u = User.new(
+            login: '{{ OPENPROJECT_ADMINISTRATOR_USERNAME }}',
+            mail: '{{ OPENPROJECT_ADMINISTRATOR_EMAIL }}',
+            firstname: 'Admin',
+            lastname: 'User',
+            password: '{{ OPENPROJECT_ADMINISTRATOR_PASSWORD }}',
+            password_confirmation: '{{ OPENPROJECT_ADMINISTRATOR_PASSWORD }}'
+          )
+          u.admin = true
+          u.save!
+          puts 'Administrator {{ OPENPROJECT_ADMINISTRATOR_USERNAME }} created and set as admin.'
+        else
+          u.admin = true
+          u.save!
+          puts 'User {{ OPENPROJECT_ADMINISTRATOR_USERNAME }} updated to admin.'
+        end
+      \"
+    "
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
--- a/roles/web-app-openproject/tasks/main.yml
+++ b/roles/web-app-openproject/tasks/main.yml
@@ -3,23 +3,23 @@
  include_role:
    name: sys-stk-full-stateful

- name: "Create {{ openproject_plugins_folder }}"
+- name: "Create {{ OPENPROJECT_PLUGINS_FOLDER }}"
  file:
-    path: "{{ openproject_plugins_folder }}"
+    path: "{{ OPENPROJECT_PLUGINS_FOLDER }}"
    state: directory
    mode: '0755'

- name: "Transfering Gemfile.plugins to {{ openproject_plugins_folder }}"
+- name: "Transfering Gemfile.plugins to {{ OPENPROJECT_PLUGINS_FOLDER }}"
  copy:
    src: Gemfile.plugins
-    dest: "{{ openproject_plugins_folder }}Gemfile.plugins"
+    dest: "{{ OPENPROJECT_PLUGINS_FOLDER }}Gemfile.plugins"
  notify:
    - docker compose up
    - docker compose build

- name: "create {{ openproject_dummy_volume }}"
+- name: "create {{ OPENPROJECT_DUMMY_VOLUME }}"
  file:
-    path: "{{ openproject_dummy_volume }}"
+    path: "{{ OPENPROJECT_DUMMY_VOLUME }}"
    state: directory
    mode: "0755"

@@ -32,11 +32,14 @@
    RAILS_ENV={{ ENVIRONMENT | lower }} bundle exec rails runner \"Setting[:{{ item.key }}] = '{{ item.value }}'\""
  args:
    chdir: "{{ docker_compose.directories.instance }}"
-  loop:   "{{ openproject_rails_settings | dict2items }}"
+  loop:   "{{ OPENPROJECT_RAILS_SETTINGS | dict2items }}"
  async:  "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:   "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

 - name: Setup LDAP
  include_tasks: 01_ldap.yml
-  when: applications | get_app_conf(application_id, 'features.ldap', True) | bool
+  when: OPENPROJECT_LDAP_ENABLED | bool
+
+- name: Create OpenProject Administrator
+  include_tasks: 02_admin.yml