- extended generic systemctl template to support ExecStartPost
- health-docker-volumes: run main script with whitelist, trigger both compose alarm and cleanup on failure
- repair-docker-hard: added ExecStartPre lock, ExecStart, and ExecStartPost to trigger compose alarm always, plus cleanup on failure
- removed obsolete role-specific systemctl.service.j2 templates
- improved consistency across vars and defaults
See: https://chatgpt.com/share/68ad6cb8-c164-800f-96b6-a45c6c7779b3
- Render userObjectClasses via `tojson` (and trim) to avoid invalid control
characters and ensure valid realm import parsing.
- Introduce KEYCLOAK_LDAP_USER_OBJECT_CLASSES in vars; exclude `posixAccount`
for Keycloak’s LDAP config while keeping it for Ansible-managed UNIX users.
- Update UserStorageProvider template to use the new variable.
Rationale:
Keycloak must not require `posixAccount` on every LDAP user. We keep
`posixAccount` structural for Ansible provisioning, but filter it out for
Keycloak to prevent sync/import errors on entries without POSIX attributes.
Touched:
- roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
- roles/web-app-keycloak/vars/main.yml
Refs: conversation https://chatgpt.com/share/68aa1ef0-3658-800f-bdf4-5b57131d03b4
- Replace `ESPOCRM_NAME` with `ESPOCRM_CONTAINER` for clarity and consistency.
- Drop unused `ESPOCRM_CONFIG_FILE_PUBLIC`, rely only on `config-internal.php`.
- Make DB credential patching idempotent using `grep` + `sed` checks.
- Replace direct sed edits for maintenance/cron/cache with EspoCRM ConfigWriter.
- Add fallback execution as root if www-data user cannot write config.
- Clear EspoCRM cache only when config changes and in update mode.
- Remove obsolete OIDC scopes inline task (now handled via env/vars).
- Fix docker-compose template to use `ESPOCRM_CONTAINER`.
This refactor makes the EspoCRM role more robust, idempotent, and aligned
with EspoCRM’s official ConfigWriter mechanism.
See conversation: https://chatgpt.com/share/68a87820-12f8-800f-90d6-01ba97a1b279
- Removed unused soft restart function and switched to argparse-based CLI.
- Added --only argument to selectively restart subdirectories.
- Updated systemctl service template to pass PATH_DOCKER_COMPOSE_INSTANCES as argument.
- Ensures service unit correctly invokes the Python script with target path.
See conversation: https://chatgpt.com/share/68a771d9-5fd8-800f-a410-08132699cc3a
- Added '| sort' to all service group lists and backup routine lists to ensure
deterministic ordering and stable checksums across Ansible runs.
- Adjusted systemctl templates to use a single service variable
('SYS_SERVICE_BACKUP_RMT_2_LOC') instead of rejecting dynamic list entries,
making the ignore logic simpler and more predictable.
- Fixed minor whitespace inconsistencies in Jinja templates to avoid
unnecessary changes.
This change was made to prevent spurious 'changed' states in Ansible caused by
non-deterministic list order and to reduce complexity in service definitions.
See discussion: https://chatgpt.com/share/68a74c20-6300-800f-a44e-da43ae2f3dea
- sys-service:
- Set explicit ownership and permissions for generated unit files:
owner=root, group=root, mode=0644. Prevents drift and makes idempotence
predictable when handlers reload/refresh systemd.
- web-svc-collabora:
- Move cmp-docker-proxy include into tasks/01_core.yml and run it
before Nginx config generation. Use public: true only to initialize the
proxy/compose context and docker_compose_flush_handlers: true to ensure
timely handler execution.
- Define role-local variables domain and http_port in vars/main.yml
and use {{ domain }} for the Nginx server file path. These values MUST
be defined locally because they cannot be reliably imported via
public: true — other roles may override them later in the play, leading
to leakage and nondeterministic behavior. Localizing avoids precedence
conflicts without resorting to host-wide set_fact.
- CSP adjusted: add server.security.flags.style-src.unsafe-inline: true
to accommodate Collabora’s inline styles (requested as “csr” in notes).
- Minor variable alignment/cleanup and TODO note for future refactor.
- Housekeeping:
- Rename task title to reflect {{ domain }} usage.
Refs:
- Discussion and rationale in this chat https://chatgpt.com/share/68a731aa-d394-800f-9eb4-2499f45ed54b (2025-08-21, Europe/Berlin).
Introduced custom filter plugin to render optional systemd directives, refactored template to loop over directives, and adjusted default vars (TimeoutStartSec, RuntimeMaxSec handling).
Details: see ChatGPT conversation
https://chatgpt.com/share/68a5a730-6344-800f-b9a3-dc62d5902e9b
- Introduced a new handler 'docker compose pull' that runs only once per
{{ docker_compose.directories.instance }} directory by using a lock
file under /run/ansible/compose-pull.
- Ensures idempotency by marking the task as changed only when a pull
was actually executed.
- Restricted execution with 'when: MODE_UPDATE | bool'.
- Improves update workflow by avoiding redundant docker pulls during
the same Ansible run.
Reference: ChatGPT discussion
https://chatgpt.com/share/68a55151-959c-800f-8b70-160ffe43e776
This test scans all roles for tasks including:
- include_role:
name: sys-service
If present, the role must define a non-empty 'system_service_id' in vars/main.yml.
Helps enforce consistency and prevent misconfiguration.
Ref: https://chatgpt.com/share/68a536e5-c384-800f-937a-f9d91249950c
- Introduced module_utils/role_dependency_resolver.py with full support for include_role, import_role, meta dependencies, and run_after.
- Refactored cli/build/tree.py to use RoleDependencyResolver (added toggles for include/import/dependencies/run_after).
- Extended filter_plugins/canonical_domains_map.py with optional 'recursive' mode (ignores run_after by design).
- Updated roles/web-app-nextcloud to properly include Collabora dependency.
- Added comprehensive unittests under tests/unit/module_utils for RoleDependencyResolver.
Ref: https://chatgpt.com/share/68a519c8-8e54-800f-83c0-be38546620d9
Use `systemd-escape --unescape` to restore human-readable unit identifiers in
Telegram and Email alerts. Also ensure Telegram messages are URL-encoded and
Email status checks try both raw and escaped forms for robustness.
Fixes issue where slashes were shown as dashes in notifications.
Context: see ChatGPT conversation
https://chatgpt.com/share/68a4c171-db08-800f-8399-7e07f237a441
