Introduced new variable HEALTH_CSP_IGNORE_NETWORK_BLOCKS_FROM (list, default [])
to suppress network block reports (e.g., ORB) from specific external domains.
Updated script.py to accept and forward the flag, extended systemd exec command
in tasks, added defaults, and documented usage in README.
Ref: https://chatgpt.com/share/68dfc69b-7c94-800f-871b-3525deb8e374
Replaced the previous shell-based /dev/tcp healthcheck with a PHP fsockopen() test to ensure compatibility with minimal base images. This avoids dependency on missing tools like nc or curl and provides a reliable onboard check.
Conversation: https://chatgpt.com/share/68deb8ec-d920-800f-bd35-2869544fe30f
- Added MODE_BACKUP to trigger backup before the rest of the deployment
- sys-ctl-bkp-docker-2-loc: force linear sync and force flush when MODE_BACKUP is true
- Unified name resolution via system_service_name across handlers and tasks
- Introduced system_service_force_linear_sync and system_service_force_flush (rename from system_force_flush)
- Drive async/poll via system_service_async/system_service_poll using omit when disabled
- Propagated per-role overrides (cleanup, repair, cert tasks) for clarity and safety
- Minor formatting and consistency cleanups
Why: Ensure the backup runs before the deployment routine to safeguard data integrity.
Refs: Conversation https://chatgpt.com/share/68de4c41-b6e4-800f-85cd-ce6949097b5e
Signed-off-by: Kevin Veen-Birkenbach <kevin@veen.world>
- Changed default Docker image version from 'latest' to '17-3.5' in config
- Introduced entity_name var for consistent lookups
- Added POSTGRES_VERSION and POSTGRES_VERSION_MAJOR extraction
- Updated Dockerfile to install postgresql-server-dev-<major> with default fallback to 'all'
- Minor YAML formatting improvements
Ref: https://chatgpt.com/share/68de40b4-2eb8-800f-ab5b-11cc873c3604
Stop forcing Access-Control-Allow-Origin to $scheme://$host. This default broke Element (element.infinito.nexus) -> Synapse (matrix.infinito.nexus) CORS and blocked login. Now ACAO is only set when 'aca_origin' is provided; otherwise we defer to the upstream app (e.g., Synapse) to emit correct CORS headers. Also convert top comments to Jinja block comment.
Discussion & debugging details: https://chatgpt.com/share/68de2236-4aec-800f-adc5-d025922c8753
- Store oidc_settings as proper YAML dict with correct keys
- Ensure plugin is installed only if missing
- Update DB settings as jsonb and enforce enabled/uninstalled state
- Add CLI enforcement for plugin activation
- Correct task conditions (enable/disable logic) with boolean filters
Ref: https://chatgpt.com/share/68dd1d16-9b34-800f-b2bf-a3fe058f25b1
• Build a custom image and replace upstream entrypoint with docker-entrypoint-custom.sh (strict fail on flag script).
• Introduce set_flags.php and wire via ESPOCRM_SET_FLAGS_SCRIPT; apply flags at container start; clear cache afterwards.
• Keep exactly one Docker volume (data:/var/www/html/); drop separate custom/extensions mounts.
• Compose: use custom image, add healthchecks & depends_on for daemon/websocket; keep service healthy gating.
• Ansible: deploy scripts, build & up via handlers; patch siteUrl as www-data; run upgrade non-fatal; always run flag setter.
• Vars/Env: add ESPO_INIT_* toggles and ESPOCRM_SET_FLAGS_SCRIPT; refactor variables for scripts & custom image paths.
Conversation context: https://chatgpt.com/share/68dd1992-020c-800f-bcf5-2db60cb4aab2
Conditionally include the generic WebSocket proxy block for NEXTCLOUD_TALK_SIGNALING_ENABLED. Set location_ws to '^~ <location>' and ws_port to NEXTCLOUD_PORT, then include roles/sys-svc-proxy/templates/location/ws.conf.j2. This enables proper Upgrade/Connection headers and disables buffering for the signaling path.
Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
CSP: add cloud.<PRIMARY_DOMAIN> to connect-src and frame-src (both HTTP and WS) and allow worker-src 'blob:' for web workers used by Talk/Collabora.
Apps: disable keeporsweep (installation no longer possible) and document reason.
Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
Add CPU/memory/pids limits for taiga, async, front, gateway, events, async-rabbitmq, events-rabbitmq, manager, and protected. Align manager service usage (was taiga-manage) in admin tasks and inits compose. Switch to variable-driven service names (TAIGA_* vars), add container_name patterns, normalize volume mappings via TAIGA_VOLUME_STATIC/MEDIA, fix depends_on to use TAIGA_* vars, and set RabbitMQ hostnames from vars. Remove obsolete Development.md.
Conversation reference: https://chatgpt.com/share/68da83b7-0cb4-800f-9702-d8a2d4ebea71 (replace with this chat’s share link)
- Add reusable Nginx include: roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
(dynamic ACAO/credentials/methods/headers via role vars)
- Set global 'Vary: Origin' in nginx.conf.j2 to prevent cache poisoning
- CSP: allow Simple Icons via connect-src when feature is enabled
- Front proxy: rename vars to lowercase + flush handlers after config deploy
- Desktop: gate & load Simple Icons role; inject brand logos when enabled
- Bluesky + Logout: replace inline CORS with centralized include
- Simpleicons: public CORS (ACAO='*', no credentials), keep GET/OPTIONS, allow headers
- Taiga: adjust canonical domain to taiga.kanban.{{ PRIMARY_DOMAIN }}
- LibreTranslate: remove unused images/versions keys
Fixes: https://open.project.infinito.nexus/projects/cymais/work_packages/342/activity
Discussion: https://chatgpt.com/share/68da5e27-ffd4-800f-91a3-0ef103058d44
- Added CPU, memory and PID limits for espocrm, daemon and websocket services
- Enabled init process and graceful stop (SIGTERM, 30s) in docker-compose
- Adjusted env template (removed forced True/default flags)
- Introduced entity_name/ESPOCRM_SERVICE in vars for service naming
- Minor cleanup of get_app_conf defaults
Ref: https://chatgpt.com/share/68d937ce-9c34-800f-9136-54baed9c91c7
- Removed ?transport=udp from Nextcloud Talk TURN server definitions
- Dropped --no-tcp-relay to allow TCP fallback
- Removed invalid UDP mapping on TLS port
- Introduced switch between REST secret auth and lt-cred-mech via COTURN_USER_AUTH_ENABLED
- Added user_auth_enabled flag in coturn config for flexibility
See: https://chatgpt.com/share/68d7d601-3558-800f-bc84-00d7e8fc3243
- Replace inline get_app_conf secrets in env.j2 with dedicated vars (TURN, signaling, internal)
- Correctly model signaling_servers as object {servers, secret} in spreed.yml
- Use UDP stun_turn port instead of TLS for transport=udp
- Add fallback logic for standalone Coturn role in main.yml
- Remove obsolete Greenlight section from BBB override
Ref: https://chatgpt.com/share/68d74e25-c068-800f-ae20-d0e34ac8ee12
- Switch to custom BBB Docker repository
- Externalize Coturn and Collabora by default
- Add dedicated 03_dependencies.yml for dependency handling
- Improve env templating with lowercased feature flags
- Add conditional healthcheck for Greenlight
- Refactor TURN/STUN/relay handling with role variable _BBB_COTURN_ROLE
- Extend Collabora/Greenlight dependency wiring in override file
- Nextcloud Talk: refine vars and enable/disable logic with separate plugin/service flags, add network_mode support and conditional nginx proxy block
Ref: https://chatgpt.com/share/68d741ff-a544-800f-9e81-a565e0bab0eb
- Introduced `COTURN_NETWORK_MODE` to support both host and bridge modes
- Updated docker-compose template to skip port publishing in host mode
- Changed user_password credential algorithm to random_hex for stronger randomness
- Set default network_mode: host in config
Ref: https://chatgpt.com/share/68d72a50-c36c-800f-9367-32c4ae520000
- Set CPU, memory reservation/limit, and PID limit for coturn
- Ensure docker_compose_file_creation_enabled and disable git repo pulling
- Move certificate mounts to volumes and fix env var interpolation in command
- Correct realm and user formatting
See: https://chatgpt.com/share/66f65f18-799c-800a-95f4-b6b26511e9cb
- Split internal/external Coturn for BBB and Nextcloud
- Added dedicated relay port ranges per app
- Updated env and compose overrides for coturn
- Ensure coturn role is loaded conditionally
- Standardize credential/env passing for coturn
@Seehttps://chatgpt.com/share/68d6f376-4878-800f-b4f7-62822caa49ea
- Extract common HTTPS + Cloudflare + handler bootstrap into new role sys-stk-front-base
- Update sys-stk-front-proxy, web-svc-cdn, web-svc-file, web-svc-html to depend on sys-stk-front-base
- Add new sys-stk-semi-stateless role combining front-base + back-stateless
- Update web-svc-coturn to use sys-stk-semi-stateless and rewrite README/meta with detailed Coturn description
- Unify sys-util-csp-cert README heading
Ref: ChatGPT conversation https://chatgpt.com/share/68d6cea2-3570-800f-acb3-c3277317f17b
