Unify reverse proxy handling across apps via sys-stk-front-proxy and cleanly separate internal docker nginx configs from external vhosts.
Changes:
- docker-compose: use with_first_found for optional env and docker-compose.override files so roles can provide either a template or a static file without noisy 'Could not find or access' failures.
- sys-stk-front-proxy: remove front_proxy_domain_conf_src and switch nginx vhost rendering to with_first_found over app-specific proxy.conf.j2 and the generic roles/sys-svc-proxy vhost flavour; keep health-check and handler logic unchanged.
- web-app-nextcloud: migrate to sys-stk-full-stateful (front proxy + DB + docker), move internal nginx config to docker.conf.j2 under the volume path, and rename host.conf.j2 to proxy.conf.j2 for the external vhost.
- web-app-magento: rename nginx.conf.j2 to docker.conf.j2 and update the runtime template task accordingly to make the intent (internal nginx) explicit.
- web-app-matrix: rename nginx.conf.j2 to synapse.conf.j2 and adjust the webserver task to use the new template name for the synapse vhost.
- web-app-bridgy-fed & web-app-flowise: pass domain and http_port explicitly when including sys-stk-front-proxy so the front stack has all required context.
- web-svc-cdn/file/html: replace direct sys-stk-front-base + sys-util-csp-cert + nginx.conf.j2 handling with sys-stk-front-proxy and proxy.conf.j2, relying on the shared front-stack for TLS/CSP/vHost wiring.
- web-svc-collabora: drop the direct nginx.conf.j2 vhost generation and rename it to proxy.conf.j2 so it is picked up by sys-stk-front-proxy like other services.
- web-opt-rdr-domains: rename redirect.domain.nginx.conf.j2 to redirect-domain.conf.j2 and adjust the task for clearer and more consistent naming.
Context: see ChatGPT refactor discussion on 2025-11-30 (proxy unification, Collabora/Nextcloud/CDN stacks, CSP/header handling): https://chatgpt.com/share/692c64ea-a488-800f-ad42-7f7692a3742f
Replaced default 'item' with explicit loop variable 'minio_proxy' to prevent
conflicts with inner roles (e.g., sys-stk-front-proxy using with_first_found).
This resolves the undefined variable error and removes the Ansible warning
about the loop variable already being in use.
Reference: https://chatgpt.com/share/692c5778-2b24-800f-b203-5b6b2c9b1d4b
Implements automated merging of kc.user.profile.config using the generic _update.yml handler.
Fixes missing safety guard for components without a 'name' attribute and aligns providerId validation logic.
Reference: https://chatgpt.com/share/692b3337-a224-800f-8617-32f47a5af1df
- Add debugMode parameter to initLogoutPatch with structured console logging
- Pass MODE_DEBUG into logout_one_liner init call
- Exclude <form> elements and large text blocks from logout candidates to avoid mapping LAM user list form as logout
Ref: https://chatgpt.com/share/692b325e-37c0-800f-bb5a-129aae4c65f8
Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic.
Changes:
- Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator.
- cli/build/defaults/users.py: propagate flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved.
- Add reserved_users filter plugin with and helpers for Ansible templates and tasks.
- Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator.
- group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks.
- svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning.
- svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict.
- networks: assign dedicated subnet for web-app-roulette-wheel.
- web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames.
- web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field.
- web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging.
- web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED.
- user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names.
- svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter.
- sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper.
- sys-daemon handlers: quote handler name for consistency.
Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9
This update sorts all expectation keys alphabetically to guarantee idempotent
Ansible deployments and stable systemd unit generation. Added two unit tests to
validate proper key ordering for canonical domains, aliases, redirects, and WWW
mappings.
Reference: https://chatgpt.com/share/692ae99b-dd88-800f-8fad-2ff62666e295
- Introduce shared CAPTCHA settings and RECAPTCHA_ENABLED/HCAPTCHA_ENABLED flags in group_vars
- Wire reCAPTCHA/hCaptcha credentials into EspoCRM, Keycloak, Listmonk and Nextcloud
- Replace EspoCRM set_flags.php with generic seed_config.php and hook it into entrypoint/env
- Fix run_once handling in sys-ctl-cln-disc-space and minor CSS Jinja spacing issue
https://chatgpt.com/share/692a1d4f-1154-800f-a4ae-bb068aa24a53
- Activate css feature flag for EspoCRM
- Extend CSP with frame-ancestors for PRIMARY_DOMAIN
- Add style.css mapping EspoCRM UI to the --color-01-** blue palette
See ChatGPT discussion: https://chatgpt.com/share/6929b521-3a90-800f-9ce7-29bfb1faaeb4
- Updated Pixelfed worker and application CPU/RAM limits
- Added Redis memory reservation and limit
- Added pids_limit for worker
- Translated script message from German to English
- Reference: https://chatgpt.com/share/69295cad-0398-800f-9604-953c2f5a833b
This update introduces full JavaScript-based nested submenu handling for the
Apps menu, enabling reliable click-based toggling without interference from
Bootstrap’s native dropdown logic. Submenus now expand to the left via custom
CSS and no longer require dropstart or data-bs-toggle attributes.
Changes include:
- Add javascript feature flag and enable inline eval in CSP
- Add javascript.js implementing custom submenu toggle logic
- Add CSS rules for left-expanding nested dropdown menus
- Replace hardcoded headline with LITTLEJS_HEADLINE variable
- Modernize “Play” → “Start” labels in cards
- Remove unused/legacy examples from examples.yml (commented out, not deleted)
- Cleanup nav_top.html.j2 to remove conflicting Bootstrap attributes
Conversation reference:
https://chatgpt.com/share/6928b4c7-19ec-800f-a087-9af304ef4ed9
- Introduce env-aware php.ini.j2 template
- Mount PHP config into container via docker-compose
- Add SUITECRM_PHP_CONFIG_HOST and SUITECRM_WELL_SOFTWARE_NAME variables
- Refactor LDAP extension path using normalized software name
https://chatgpt.com/share/69284194-cf6c-800f-b138-eb6ddf25592c
