- Added CPU, memory and PID limits for espocrm, daemon and websocket services
- Enabled init process and graceful stop (SIGTERM, 30s) in docker-compose
- Adjusted env template (removed forced True/default flags)
- Introduced entity_name/ESPOCRM_SERVICE in vars for service naming
- Minor cleanup of get_app_conf defaults
Ref: https://chatgpt.com/share/68d937ce-9c34-800f-9136-54baed9c91c7
- Removed ?transport=udp from Nextcloud Talk TURN server definitions
- Dropped --no-tcp-relay to allow TCP fallback
- Removed invalid UDP mapping on TLS port
- Introduced switch between REST secret auth and lt-cred-mech via COTURN_USER_AUTH_ENABLED
- Added user_auth_enabled flag in coturn config for flexibility
See: https://chatgpt.com/share/68d7d601-3558-800f-bc84-00d7e8fc3243
- Replace inline get_app_conf secrets in env.j2 with dedicated vars (TURN, signaling, internal)
- Correctly model signaling_servers as object {servers, secret} in spreed.yml
- Use UDP stun_turn port instead of TLS for transport=udp
- Add fallback logic for standalone Coturn role in main.yml
- Remove obsolete Greenlight section from BBB override
Ref: https://chatgpt.com/share/68d74e25-c068-800f-ae20-d0e34ac8ee12
- Switch to custom BBB Docker repository
- Externalize Coturn and Collabora by default
- Add dedicated 03_dependencies.yml for dependency handling
- Improve env templating with lowercased feature flags
- Add conditional healthcheck for Greenlight
- Refactor TURN/STUN/relay handling with role variable _BBB_COTURN_ROLE
- Extend Collabora/Greenlight dependency wiring in override file
- Nextcloud Talk: refine vars and enable/disable logic with separate plugin/service flags, add network_mode support and conditional nginx proxy block
Ref: https://chatgpt.com/share/68d741ff-a544-800f-9e81-a565e0bab0eb
- Introduced `COTURN_NETWORK_MODE` to support both host and bridge modes
- Updated docker-compose template to skip port publishing in host mode
- Changed user_password credential algorithm to random_hex for stronger randomness
- Set default network_mode: host in config
Ref: https://chatgpt.com/share/68d72a50-c36c-800f-9367-32c4ae520000
- Set CPU, memory reservation/limit, and PID limit for coturn
- Ensure docker_compose_file_creation_enabled and disable git repo pulling
- Move certificate mounts to volumes and fix env var interpolation in command
- Correct realm and user formatting
See: https://chatgpt.com/share/66f65f18-799c-800a-95f4-b6b26511e9cb
- Split internal/external Coturn for BBB and Nextcloud
- Added dedicated relay port ranges per app
- Updated env and compose overrides for coturn
- Ensure coturn role is loaded conditionally
- Standardize credential/env passing for coturn
@Seehttps://chatgpt.com/share/68d6f376-4878-800f-b4f7-62822caa49ea
- Extract common HTTPS + Cloudflare + handler bootstrap into new role sys-stk-front-base
- Update sys-stk-front-proxy, web-svc-cdn, web-svc-file, web-svc-html to depend on sys-stk-front-base
- Add new sys-stk-semi-stateless role combining front-base + back-stateless
- Update web-svc-coturn to use sys-stk-semi-stateless and rewrite README/meta with detailed Coturn description
- Unify sys-util-csp-cert README heading
Ref: ChatGPT conversation https://chatgpt.com/share/68d6cea2-3570-800f-acb3-c3277317f17b
- added entity_name to vars for consistent docker.service lookup
- switched docker_repository_* vars to use entity_name dynamically
- introduced BBB_TURN_DOMAIN, BBB_TURN_PORT, and BBB_STUN_PORT
→ fallback to web-svc-coturn when BBB_COTURN_ENABLED is false
- updated env.j2 to use new BBB_TURN_* vars instead of hardcoded domain/ports
- cleaned up obsolete comments and spacing
Conversation: https://chatgpt.com/share/68d6c4a8-d524-800f-9592-e8a3407cd721
- registered subnet 192.168.104.48/28 for coturn in group_vars/all/09_networks.yml
- defined public ports for stun/turn and relay port range in group_vars/all/10_ports.yml
- removed obsolete TODO.md and env.j2 from role
- added schema/main.yml with credentials validation (user_password, auth_secret)
- refactored tasks to load sys-stk-back-stateless instead of sys-stk-full-stateful
- implemented docker-compose.yml.j2 with auth-secret + lt-cred-mech and TLS config
- restructured vars/main.yml with docker, ports, credentials, and certificates
- updated config/main.yml.j2 with canonical domain and service definitions
Conversation: https://chatgpt.com/share/68d6c4a8-d524-800f-9592-e8a3407cd721
- Aligned schema/main.yml credential definitions with consistent spacing
- Changed PostgreSQL secret to use random_hex_32 instead of bcrypt
- Improved administrator creation logic in tasks/02_administrator.yml:
* First try with primary password
* Retry with starred password if OIDC is enabled
* Fallback to user:set_admin_role if both fail
See: https://chatgpt.com/share/68d6aa34-19cc-800f-828a-a5121fda589f
feat(bbb/schema): auto-generate etherpad_api_key; set fsesl_password to alphanumeric_32
test(unit): add InventoryManager tests (Option B) expecting feature-generated creds as plain strings
docs: full autocreation of credentials for BigBlueButton now enabled
See: https://chatgpt.com/share/68d69ee8-3fd4-800f-9209-60026b338934
Set MS_WORKERS=1, MS_ENABLE_IPV6=false, and MS_WEBRTC_LISTEN_IPS to announce only EXTERNAL_IPv4 for webrtc-sfu. Helps avoid mediasoup router init issues seen when IPv6 is present.
Context/conversation: https://chatgpt.com/share/68d69a0e-22b0-800f-890b-13721a35f51b
Context: debugging mediasoup/WebRTC failures caused by empty/interpolated vars (EXTERNAL_IPv4, etc.).
- Normalize config/main.yml (ip6_enabled flag, enable greenlight/coturn) and tidy formatting.
- Extend vars/main.yml with BBB_* switches (IPv6, Greenlight, Coturn), TURN/Coturn cert paths.
- env.j2: wire secrets & toggles, guard IPv6 via BBB_IP6_ENABLED, switch LDAP/OIDC to role flags, add TURN/STUN, and general cleanup.
- tasks/main.yml: use BBB_* fact names, robust path joins, write docker-compose.override.yml, and notify compose on env/override changes.
- tasks/01_docker-compose.yml: reference new BBB_DOCKER_COMPOSE_* facts.
- Add templates/docker-compose.override.yml.j2 (placeholder for SFU overrides to avoid bad defaults during runs).
Rationale: make Compose brings deterministic (no empty ), paving the way to set MS_WEBRTC_LISTEN_IPS in override without risk.
Chat reference: debugging thread with GPT-5 Thinking on 2025-09-26 https://chatgpt.com/share/68d59d98-4388-800f-a627-07b6a603d0b2.
- updated base image from openproject/community:13 to openproject/openproject:14
- added dedicated migration task (db:migrate + schema cache clear)
- moved settings, ldap, and admin tasks to separate files
- adjusted docker-compose template to use OPENPROJECT_WEB_SERVICE / OPENPROJECT_SEEDER_SERVICE variables
- replaced postinstall.sh with precompile-assets.sh
- ensured depends_on uses variable-based service names
Ref: https://chatgpt.com/share/68d57770-2430-800f-ae53-e7eda6993a8d
- Added _normalize_codes to support lists of valid HTTP status codes
- Updated web_health_expectations to handle multiple codes, deduplication, and fallback logic
- Extended unit tests with coverage for list/default combinations, invalid values, and alias behavior
- Fixed Flowise CSP flags and whitelist entries
- Adjusted Flowise, MinIO, and Pretix docker service resource limits
- Updated docker-compose templates with explicit service_name
- Corrected MinIO status_codes to 301 redirects
✅ All CSP errors fixed
See details: https://chatgpt.com/share/68d557ad-fc10-800f-b68b-0411d20ea6eb
- Raised web service to 3 CPUs, 3–4 GB RAM, 2048 pids
- Raised worker service to 2 CPUs, 2–3 GB RAM, 2048 pids
- Increased cache mem_reservation to 512m
- Adjusted formatting for proxy service
Ref: https://chatgpt.com/share/68d513c1-8c10-800f-bf57-351754e3f5c2
- Add CPU, memory and PID limits to all services in config/main.yml to prevent OOM
- Replace old LDAP admin bootstrap with new 02_admin.yml using OPENPROJECT_ADMINISTRATOR_* vars
- Standardize variable names (uppercase convention)
- Fix HTTPS/HSTS port check (443 instead of 433)
- Allow docker_restart_policy override in base.yml.j2
- Cleanup redundant LDAP admin runner in 01_ldap.yml
See: https://chatgpt.com/share/68d40c6e-ab9c-800f-a4a0-d9338d8c1b32
