- Replace `ESPOCRM_NAME` with `ESPOCRM_CONTAINER` for clarity and consistency.
- Drop unused `ESPOCRM_CONFIG_FILE_PUBLIC`, rely only on `config-internal.php`.
- Make DB credential patching idempotent using `grep` + `sed` checks.
- Replace direct sed edits for maintenance/cron/cache with EspoCRM ConfigWriter.
- Add fallback execution as root if www-data user cannot write config.
- Clear EspoCRM cache only when config changes and in update mode.
- Remove obsolete OIDC scopes inline task (now handled via env/vars).
- Fix docker-compose template to use `ESPOCRM_CONTAINER`.
This refactor makes the EspoCRM role more robust, idempotent, and aligned
with EspoCRM’s official ConfigWriter mechanism.
See conversation: https://chatgpt.com/share/68a87820-12f8-800f-90d6-01ba97a1b279
- Removed unused soft restart function and switched to argparse-based CLI.
- Added --only argument to selectively restart subdirectories.
- Updated systemctl service template to pass PATH_DOCKER_COMPOSE_INSTANCES as argument.
- Ensures service unit correctly invokes the Python script with target path.
See conversation: https://chatgpt.com/share/68a771d9-5fd8-800f-a410-08132699cc3a
- Added '| sort' to all service group lists and backup routine lists to ensure
deterministic ordering and stable checksums across Ansible runs.
- Adjusted systemctl templates to use a single service variable
('SYS_SERVICE_BACKUP_RMT_2_LOC') instead of rejecting dynamic list entries,
making the ignore logic simpler and more predictable.
- Fixed minor whitespace inconsistencies in Jinja templates to avoid
unnecessary changes.
This change was made to prevent spurious 'changed' states in Ansible caused by
non-deterministic list order and to reduce complexity in service definitions.
See discussion: https://chatgpt.com/share/68a74c20-6300-800f-a44e-da43ae2f3dea
- sys-service:
- Set explicit ownership and permissions for generated unit files:
owner=root, group=root, mode=0644. Prevents drift and makes idempotence
predictable when handlers reload/refresh systemd.
- web-svc-collabora:
- Move cmp-docker-proxy include into tasks/01_core.yml and run it
before Nginx config generation. Use public: true only to initialize the
proxy/compose context and docker_compose_flush_handlers: true to ensure
timely handler execution.
- Define role-local variables domain and http_port in vars/main.yml
and use {{ domain }} for the Nginx server file path. These values MUST
be defined locally because they cannot be reliably imported via
public: true — other roles may override them later in the play, leading
to leakage and nondeterministic behavior. Localizing avoids precedence
conflicts without resorting to host-wide set_fact.
- CSP adjusted: add server.security.flags.style-src.unsafe-inline: true
to accommodate Collabora’s inline styles (requested as “csr” in notes).
- Minor variable alignment/cleanup and TODO note for future refactor.
- Housekeeping:
- Rename task title to reflect {{ domain }} usage.
Refs:
- Discussion and rationale in this chat https://chatgpt.com/share/68a731aa-d394-800f-9eb4-2499f45ed54b (2025-08-21, Europe/Berlin).
Introduced custom filter plugin to render optional systemd directives, refactored template to loop over directives, and adjusted default vars (TimeoutStartSec, RuntimeMaxSec handling).
Details: see ChatGPT conversation
https://chatgpt.com/share/68a5a730-6344-800f-b9a3-dc62d5902e9b
- Introduced a new handler 'docker compose pull' that runs only once per
{{ docker_compose.directories.instance }} directory by using a lock
file under /run/ansible/compose-pull.
- Ensures idempotency by marking the task as changed only when a pull
was actually executed.
- Restricted execution with 'when: MODE_UPDATE | bool'.
- Improves update workflow by avoiding redundant docker pulls during
the same Ansible run.
Reference: ChatGPT discussion
https://chatgpt.com/share/68a55151-959c-800f-8b70-160ffe43e776
This test scans all roles for tasks including:
- include_role:
name: sys-service
If present, the role must define a non-empty 'system_service_id' in vars/main.yml.
Helps enforce consistency and prevent misconfiguration.
Ref: https://chatgpt.com/share/68a536e5-c384-800f-937a-f9d91249950c
- Introduced module_utils/role_dependency_resolver.py with full support for include_role, import_role, meta dependencies, and run_after.
- Refactored cli/build/tree.py to use RoleDependencyResolver (added toggles for include/import/dependencies/run_after).
- Extended filter_plugins/canonical_domains_map.py with optional 'recursive' mode (ignores run_after by design).
- Updated roles/web-app-nextcloud to properly include Collabora dependency.
- Added comprehensive unittests under tests/unit/module_utils for RoleDependencyResolver.
Ref: https://chatgpt.com/share/68a519c8-8e54-800f-83c0-be38546620d9
Use `systemd-escape --unescape` to restore human-readable unit identifiers in
Telegram and Email alerts. Also ensure Telegram messages are URL-encoded and
Email status checks try both raw and escaped forms for robustness.
Fixes issue where slashes were shown as dashes in notifications.
Context: see ChatGPT conversation
https://chatgpt.com/share/68a4c171-db08-800f-8399-7e07f237a441
- Improved get_service_name filter plugin (clearer suffix handling, consistent var names).
- Added MODE_ASSERT flag to optionally execute validation/assertion tasks.
- Fixed systemd unit handling: consistent use of %I instead of %i, correct escaping of instance names.
- Unified on_failure behavior and alarm composer scripts.
- Cleaned up redundant logging, handlers, and debug config.
- Strengthened sys-service template resolution with assert (only active when MODE_ASSERT).
- Simplified timer and suffix handling with get_service_name filter.
- Hardened sensitive tasks with no_log.
- Added conditional asserts across roles (Keycloak, DNS, Mailu, Discourse, etc.).
These changes improve consistency, safety, and validation across the automation stack.
Conversation: https://chatgpt.com/share/68a4ae28-483c-800f-b2f7-f64c7124c274
