Removed false -

fix(web-svc-collabora): add required Docker capabilities and resource limits for Collabora Jails
- Added security_opt (seccomp=unconfined, apparmor=unconfined) and cap_add (MKNOD, SYS_CHROOT, SETUID, SETGID, FOWNER) to allow Collabora's sandbox (coolmount/systemplate) to mount and chroot properly - Increased resource limits (2 CPUs, 2 GB RAM, 2048 PIDs) to prevent document timeout and OOM issues - Resolves 'coolmount: Operation not permitted' and systemplate performance warnings Refs: https://chatgpt.com/share/68ed03cd-1afc-800f-904e-d1c1cb133914
2025-11-21 04:26:39 +00:00 · 2025-10-13 19:03:23 +02:00 · 2025-10-13 15:52:50 +02:00 · 2025-10-13 15:48:26 +02:00 · 2025-10-13 15:12:23 +02:00
21 changed files with 97 additions and 97 deletions
--- a/roles/sys-front-inj-all/tasks/main.yml
+++ b/roles/sys-front-inj-all/tasks/main.yml
@@ -1,22 +1,53 @@
 - block:
    - name: Include dependency 'sys-svc-webserver-core'
      include_role:
        name: sys-svc-webserver-core
      when: run_once_sys_svc_webserver_core is not defined
    - include_tasks: utils/run_once.yml
  when: run_once_sys_front_inj_all is not defined
 - name: Build inj_enabled
  set_fact:
    inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}"
- name: "Load CDN Service for '{{ domain }}'"
+- name: "Load CDN for '{{ domain }}'"
  include_role:
-    name: sys-svc-cdn
+    name: web-svc-cdn
-    public: true # Expose variables so that they can be used in all injection roles
+    public: false
  when:
    - application_id != 'web-svc-cdn'
    - run_once_web_svc_cdn is not defined
- name: Reinitialize 'inj_enabled' for '{{ domain }}', after modification by CDN
+- name: Load Logout for '{{ domain }}'
  include_role:
    name: web-svc-logout
    public: false
  when: 
    - run_once_web_svc_logout is not defined
    - application_id != 'web-svc-logout'
    - inj_enabled.logout
 - name: Reinitialize 'inj_enabled' for '{{ domain }}', after loading the required webservices
  set_fact:
    inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}"
    inj_head_features: "{{ SRV_WEB_INJ_COMP_FEATURES_ALL | inj_features('head') }}"
    inj_body_features: "{{ SRV_WEB_INJ_COMP_FEATURES_ALL | inj_features('body') }}"
 - name: "Load CDN Service for '{{ domain }}'"
  include_role:
    name: sys-svc-cdn
    public: true
 - name: "Activate logout proxy for '{{ domain }}'"
  include_role:
    name: sys-front-inj-logout
    public: true
  when: inj_enabled.logout
 - name: "Activate Desktop iFrame notifier for '{{ domain }}'"
  include_role:
    name:   sys-front-inj-desktop
-    public: true # Vars used in templates
+    public: true
  when: inj_enabled.desktop
 - name: "Activate Corporate CSS for '{{ domain }}'"
@@ -33,17 +64,3 @@
  include_role:
    name: sys-front-inj-javascript
  when: inj_enabled.javascript
 - name: "Activate logout proxy for '{{ domain }}'"
  include_role:
    name: sys-front-inj-logout
    public: true # Vars used in templates
  when: inj_enabled.logout
 - block:
  - name: Include dependency 'sys-svc-webserver-core'
    include_role:
      name: sys-svc-webserver-core
    when: run_once_sys_svc_webserver_core is not defined
  - include_tasks: utils/run_once.yml
  when: run_once_sys_front_inj_all is not defined
--- a/roles/sys-front-inj-css/tasks/01_core.yml
+++ b/roles/sys-front-inj-css/tasks/01_core.yml
@@ -1,8 +1,3 @@
 - name: Include dependency 'sys-svc-webserver-core'
  include_role:
    name: sys-svc-webserver-core
  when: run_once_sys_svc_webserver_core is not defined
 - name: Generate color palette with colorscheme-generator
  set_fact:
    color_palette: "{{ lookup('colorscheme', CSS_BASE_COLOR, count=CSS_COUNT, shades=CSS_SHADES) }}"
@@ -19,3 +14,5 @@
    group:  "{{ NGINX.USER }}"
    mode:   '0644'
  loop: "{{ CSS_FILES }}"
 - include_tasks: utils/run_once.yml
--- a/roles/sys-front-inj-css/tasks/main.yml
+++ b/roles/sys-front-inj-css/tasks/main.yml
@@ -1,6 +1,4 @@
- block:
+- include_tasks: 01_core.yml
    - include_tasks: 01_core.yml
    - include_tasks: utils/run_once.yml
  when: run_once_sys_front_inj_css is not defined
 - name: "Resolve optional app style.css source for '{{ application_id }}'"
--- a/roles/sys-front-inj-css/templates/head_sub.j2
+++ b/roles/sys-front-inj-css/templates/head_sub.j2
@@ -3,6 +3,6 @@
 {% for css_file in ['default.css','bootstrap.css'] %}
 <link rel="stylesheet" href="{{ [ cdn_urls.shared.css, css_file, lookup('local_mtime_qs', [__css_tpl_dir, css_file ~ '.j2'] | path_join)] | url_join }}">
 {% endfor %}
-{% if app_style_present | bool %}
+{% if app_style_present | default(false) | bool %}
 <link rel="stylesheet" href="{{ [ cdn_urls.role.release.css, 'style.css', lookup('local_mtime_qs', app_style_src)] | url_join }}">
 {% endif %}
--- a/roles/sys-front-inj-desktop/tasks/main.yml
+++ b/roles/sys-front-inj-desktop/tasks/main.yml
@@ -1,8 +1,4 @@
 - block:
  - name: Include dependency 'sys-svc-webserver-core'
    include_role:
      name: sys-svc-webserver-core
    when: run_once_sys_svc_webserver_core is not defined
  - include_tasks: 01_deploy.yml
  - include_tasks: utils/run_once.yml
  when: run_once_sys_front_inj_desktop is not defined
--- a/roles/sys-front-inj-javascript/tasks/main.yml
+++ b/roles/sys-front-inj-javascript/tasks/main.yml
@@ -1,11 +1,4 @@
- block:
+# run_once_sys_front_inj_javascript: deactivated
  - name: Include dependency 'sys-svc-webserver-core'
    include_role:
      name: sys-svc-webserver-core
    when: run_once_sys_svc_webserver_core is not defined
  - include_tasks: utils/run_once.yml
  when: run_once_sys_front_inj_javascript is not defined
 - name: "Load JavaScript code for '{{ application_id }}'"
  set_fact:
--- a/roles/sys-front-inj-logout/templates/logout.js.j2
+++ b/roles/sys-front-inj-logout/templates/logout.js.j2
--- a/roles/sys-front-inj-logout/tasks/01_core.yml
+++ b/roles/sys-front-inj-logout/tasks/01_core.yml
@@ -1,9 +1,3 @@
 - name: Include dependency 'web-svc-logout'
  include_role:
    name: web-svc-logout
  when: 
    - run_once_web_svc_logout is not defined
 - name: "deploy the logout.js"
  include_tasks: "02_deploy.yml"
--- a/roles/sys-front-inj-logout/tasks/02_deploy.yml
+++ b/roles/sys-front-inj-logout/tasks/02_deploy.yml
@@ -1,10 +1,10 @@
 - name: Deploy logout.js
-  template:
+  copy:
-    src: logout.js.j2
+    src:    logout.js
-    dest: "{{ INJ_LOGOUT_JS_DESTINATION }}"
+    dest:   "{{ INJ_LOGOUT_JS_DESTINATION }}"
-    owner: "{{ NGINX.USER }}"
+    owner:  "{{ NGINX.USER }}"
-    group: "{{ NGINX.USER }}"
+    group:  "{{ NGINX.USER }}"
-    mode: '0644'
+    mode:   '0644'
 - name: Get stat for logout.js
  stat:
--- a/roles/sys-front-inj-logout/tasks/main.yml
+++ b/roles/sys-front-inj-logout/tasks/main.yml
@@ -5,10 +5,12 @@
 - name: "Load logout code for '{{ application_id }}'"
  set_fact:
    logout_code: "{{ lookup('template', 'logout_one_liner.js.j2') }}"
  changed_when: false
 - name: "Collapse logout code into one-liner for '{{ application_id }}'"
  set_fact:
    logout_code_one_liner: "{{ logout_code | to_one_liner }}"
  changed_when: false
 - name: "Append logout CSP hash for '{{ application_id }}'"
  set_fact:
--- a/roles/sys-front-inj-logout/templates/head_sub.j2
+++ b/roles/sys-front-inj-logout/templates/head_sub.j2
@@ -1 +1 @@
-<script src="{{ cdn_urls.shared.js }}/{{ INJ_LOGOUT_JS_FILE_NAME }}{{ lookup('local_mtime_qs', [playbook_dir, 'roles', 'sys-front-inj-logout', 'templates', INJ_LOGOUT_JS_FILE_NAME ~ '.j2'] | path_join) }}"></script>
+<script src="{{ cdn_urls.shared.js }}/{{ INJ_LOGOUT_JS_FILE_NAME }}{{ lookup('local_mtime_qs', [playbook_dir, 'roles', 'sys-front-inj-logout', 'files', INJ_LOGOUT_JS_FILE_NAME] | path_join) }}"></script>
--- a/roles/sys-front-inj-matomo/tasks/main.yml
+++ b/roles/sys-front-inj-matomo/tasks/main.yml
@@ -1,10 +1,4 @@
- block:
+# run_once_sys_front_inj_matomo: deactivated
  - name: Include dependency 'sys-svc-webserver-core'
    include_role:
      name: sys-svc-webserver-core
    when: run_once_sys_svc_webserver_core is not defined
  - include_tasks: utils/run_once.yml
  when: run_once_sys_front_inj_matomo is not defined
 - name: "Relevant variables for role: {{ role_path | basename }}"
  debug:
--- a/roles/sys-svc-cdn/tasks/01_core.yml
+++ b/roles/sys-svc-cdn/tasks/01_core.yml
@@ -1,21 +0,0 @@
 - name: "Load CDN for '{{ domain }}'"
  include_role:
    name: web-svc-cdn
    public: false
  when:
  - application_id != 'web-svc-cdn'
  - run_once_web_svc_cdn is not defined
 # ------------------------------------------------------------------
 # Only-once creations (shared root and vendor)
 # ------------------------------------------------------------------
 - name: Ensure shared root and vendor exist (run once)
  ansible.builtin.file:
    path:  "{{ item }}"
    state: directory
    owner: "{{ NGINX.USER }}"
    group: "{{ NGINX.USER }}"
    mode:  "0755"
  loop: "{{ CDN_DIRS_GLOBAL }}"
 - include_tasks: utils/run_once.yml
--- a/roles/sys-svc-cdn/tasks/main.yml
+++ b/roles/sys-svc-cdn/tasks/main.yml
@@ -1,6 +1,14 @@
 ---
 - block:
-    - include_tasks: 01_core.yml
+    - name: Ensure shared root and vendor exist (run once)
      ansible.builtin.file:
        path:  "{{ item }}"
        state: directory
        owner: "{{ NGINX.USER }}"
        group: "{{ NGINX.USER }}"
        mode:  "0755"
      loop: "{{ CDN_DIRS_GLOBAL }}"
    - include_tasks: utils/run_once.yml
  when:
    - run_once_sys_svc_cdn is not defined
--- a/roles/web-app-desktop/tasks/01_core.yml
+++ b/roles/web-app-desktop/tasks/01_core.yml
@@ -17,6 +17,8 @@
 - name: "load docker, proxy for '{{ application_id }}'"
  include_role:
    name: sys-stk-full-stateless
  vars:
    docker_compose_flush_handlers: false
 - name: "Check if host-specific config.yaml exists in {{ DESKTOP_CONFIG_INV_PATH }}"
  stat:
@@ -57,8 +59,16 @@
  notify: docker compose up
  when: not config_file.stat.exists
- name: add docker-compose.yml
+- name: "Flush docker compose handlers"
-  template:
+  meta: flush_handlers
-    src:  docker-compose.yml.j2 
+
-    dest: "{{ docker_compose.directories.instance }}docker-compose.yml"
+- name: Wait for Desktop HTTP endpoint (required so all logos can be downloaded during initialization)
-  notify: docker compose up
+  uri:
    url: "http://127.0.0.1:{{ http_port }}/"
    status_code: 200
  register: desktop_http
  retries: 60
  delay: 5
  until: desktop_http.status == 200
 - include_tasks: utils/run_once.yml
--- a/roles/web-app-desktop/tasks/main.yml
+++ b/roles/web-app-desktop/tasks/main.yml
@@ -1,5 +1,3 @@
 ---
- block:
+- include_tasks: 01_core.yml  
    - include_tasks: 01_core.yml
    - include_tasks: utils/run_once.yml
  when: run_once_web_app_desktop is not defined
--- a/roles/web-app-desktop/vars/main.yml
+++ b/roles/web-app-desktop/vars/main.yml
@@ -1,5 +1,6 @@
 # General
 application_id:                   "web-app-desktop"
 http_port:                        "{{ ports.localhost.http[application_id] }}"
 ## Webserver
 proxy_extra_configuration:        "{{ lookup('template', 'nginx/sso.html.conf.j2') }}"
--- a/roles/web-app-discourse/tasks/01_core.yml
+++ b/roles/web-app-discourse/tasks/01_core.yml
@@ -7,3 +7,5 @@
 - name: "Setup '{{ application_id }}' network"
  include_tasks: 04_network.yml
 - include_tasks: utils/run_once.yml
--- a/roles/web-app-discourse/tasks/main.yml
+++ b/roles/web-app-discourse/tasks/main.yml
@@ -1,6 +1,4 @@
 ---
 - name: "Setup {{ application_id }}"
  include_tasks: 01_core.yml
  when: run_once_web_app_discourse is not defined
  block:
  - include_tasks: 01_core.yml
  - include_tasks: utils/run_once.yml
--- a/roles/web-svc-collabora/config/main.yml
+++ b/roles/web-svc-collabora/config/main.yml
@@ -17,9 +17,13 @@ docker:
    database: 
      enabled: false
    collabora:
-      image:    collabora/code
+      image:            collabora/code
-      version:  latest 
+      version:          latest
-      name:     collabora
+      name:             collabora
      cpus:             2
      mem_reservation:  1g
      mem_limit:        2g
      pids_limit:       2048
 features:
  logout:   false 
  desktop:  true # Just set to allow the iframe to load it
--- a/roles/web-svc-collabora/templates/docker-compose.yml.j2
+++ b/roles/web-svc-collabora/templates/docker-compose.yml.j2
@@ -4,6 +4,15 @@
    {% include 'roles/docker-container/templates/base.yml.j2' %}
    image: "{{ COLLABORA_IMAGE }}:{{ COLLABORA_VERSION }}"
    container_name: {{ COLLABORA_CONTAINER }}
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    cap_add:
      - MKNOD
      - SYS_CHROOT
      - SETUID
      - SETGID
      - FOWNER
    ports:
      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	6abf2629e0	Removed false -	2025-10-13 19:03:23 +02:00
Kevin Veen-Birkenbach	6a8e0f38d8	fix(web-svc-collabora): add required Docker capabilities and resource limits for Collabora Jails - Added security_opt (seccomp=unconfined, apparmor=unconfined) and cap_add (MKNOD, SYS_CHROOT, SETUID, SETGID, FOWNER) to allow Collabora's sandbox (coolmount/systemplate) to mount and chroot properly - Increased resource limits (2 CPUs, 2 GB RAM, 2048 PIDs) to prevent document timeout and OOM issues - Resolves 'coolmount: Operation not permitted' and systemplate performance warnings Refs: https://chatgpt.com/share/68ed03cd-1afc-800f-904e-d1c1cb133914	2025-10-13 15:52:50 +02:00
Kevin Veen-Birkenbach	ae618cbf19	refactor(web-app-desktop, web-app-discourse): improve initialization handling and HTTP readiness check - Added HTTP readiness check for Desktop application to ensure all logos can be downloaded during initialization - Introduced 'http_port' variable for better readability - Simplified role execution structure by moving run_once inclusion into core task file - Adjusted docker compose handler flushing behavior - Applied consistent structure to Discourse role See: https://chatgpt.com/share/68ed02aa-b44c-800f-a125-de8600b102d4	2025-10-13 15:48:26 +02:00
Kevin Veen-Birkenbach	c835ca8f2c	refactor(front-injection): stabilize run_once flow and explicit web-service loading - sys-front-inj-all: load web-svc-cdn and web-svc-logout once; reinitialize inj_enabled after services; move run_once block to top; reorder injections. - sys-front-inj-css: move run_once call into 01_core; fix app_style_present default; simplify main. - sys-front-inj-desktop/js/matomo: deactivate per-role run_once blocks; keep utils/run_once where appropriate. - sys-front-inj-logout: switch to files/logout.js + copy; update head_sub mtime lookup; mark set_fact tasks unchanged. - sys-svc-cdn: inline former 01_core tasks into main; ensure shared/vendor dirs and set run_once in guarded block; remove 01_core.yml. Rationale: prevent cascading 'false_condition: run_once_sys_svc_cdn is not defined' skips by setting run-once facts only after the necessary tasks and avoiding parent-scope guards; improves determinism and handler flushing. Conversation: https://chatgpt.com/share/68ecfaa5-94a0-800f-b1b6-2b969074651f	2025-10-13 15:12:23 +02:00
`@@ -1 +1 @@`
	`<script src="{{ cdn_urls.shared.js }}/{{ INJ_LOGOUT_JS_FILE_NAME }}{{ lookup('local_mtime_qs', [playbook_dir, 'roles', 'sys-front-inj-logout', 'templates', INJ_LOGOUT_JS_FILE_NAME ~ '.j2'] \| path_join) }}"></script>`	`<script src="{{ cdn_urls.shared.js }}/{{ INJ_LOGOUT_JS_FILE_NAME }}{{ lookup('local_mtime_qs', [playbook_dir, 'roles', 'sys-front-inj-logout', 'files', INJ_LOGOUT_JS_FILE_NAME] \| path_join) }}"></script>`