sys-ctl: make service file generation deterministic and simplify ignore logic

- Added '| sort' to all service group lists and backup routine lists to ensure
  deterministic ordering and stable checksums across Ansible runs.
- Adjusted systemctl templates to use a single service variable
  ('SYS_SERVICE_BACKUP_RMT_2_LOC') instead of rejecting dynamic list entries,
  making the ignore logic simpler and more predictable.
- Fixed minor whitespace inconsistencies in Jinja templates to avoid
  unnecessary changes.

This change was made to prevent spurious 'changed' states in Ansible caused by
non-deterministic list order and to reduce complexity in service definitions.

See discussion: https://chatgpt.com/share/68a74c20-6300-800f-a44e-da43ae2f3dea

group_vars/all/07_services.yml

@@ -18,32 +18,34 @@ SYS_SERVICE_ON_FAILURE_COMPOSE:       "{{ ('sys-ctl-alm-compose@') | get_service
 ## Groups
 SYS_SERVICE_GROUP_BACKUPS: >
   {{ (('sys-ctl-bkp-' | get_category_entries) + ('svc-bkp-' | get_category_entries))
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_CLEANUP: >
   {{ ('sys-ctl-cln-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_REPAIR: >
   {{ ('sys-ctl-rpr-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_OPTIMIZATION: >
   {{ ('svc-opt-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_MAINTANANCE: >
   {{ ('svc-mtn-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
  
 ## Collection of services to manipulate the system
 SYS_SERVICE_GROUP_MANIPULATION: >
   {{ 
-    SYS_SERVICE_GROUP_BACKUPS + 
-    SYS_SERVICE_GROUP_CLEANUP + 
-    SYS_SERVICE_GROUP_REPAIR + 
-    SYS_SERVICE_GROUP_OPTIMIZATION + 
-    SYS_SERVICE_GROUP_MAINTANANCE +
-    [ SYS_SERVICE_UPDATE_DOCKER ]
+    (
+      SYS_SERVICE_GROUP_BACKUPS + 
+      SYS_SERVICE_GROUP_CLEANUP + 
+      SYS_SERVICE_GROUP_REPAIR + 
+      SYS_SERVICE_GROUP_OPTIMIZATION + 
+      SYS_SERVICE_GROUP_MAINTANANCE +
+      [ SYS_SERVICE_UPDATE_DOCKER ] 
+    ) | sort
   }}
 

roles/sys-ctl-bkp-docker-2-loc/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }} {{ SYS_SERVICE_CLEANUP_BACKUPS_FA
 
 [Service]
 Type=oneshot
-ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_BACKUPS | reject('equalto', role_name ~ '-everything') | join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_BACKUP_RMT_2_LOC }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
 ExecStart=/bin/sh -c '{{ BKP_DOCKER_2_LOC_EXEC }}'

roles/sys-ctl-bkp-docker-2-loc/vars/main.yml

@@ -12,13 +12,13 @@ BKP_DOCKER_2_LOC_DB_ENABLED: "{{ database_type | default('') | bool }}"
 
 # Gather mapped values as lists
 BKP_DOCKER_2_LOC_DB_ROUTINE: >-
-  {{ applications | find_dock_val_by_bkp_entr('database_routine', 'name') | list }}
+  {{ applications | find_dock_val_by_bkp_entr('database_routine', 'name') | list | sort }}
 
 BKP_DOCKER_2_LOC_NO_STOP_REQUIRED: >-
-  {{ applications | find_dock_val_by_bkp_entr('no_stop_required', 'image') | list }}
+  {{ applications | find_dock_val_by_bkp_entr('no_stop_required', 'image') | list | sort }}
 
 BKP_DOCKER_2_LOC_DISABLED: >-
-  {{ applications | find_dock_val_by_bkp_entr('disabled', 'image') | list }}
+  {{ applications | find_dock_val_by_bkp_entr('disabled', 'image') | list | sort }}
 
 # CLI argument strings (only set if list not empty)
 BKP_DOCKER_2_LOC_DB_ROUTINE_CLI: >-
@@ -45,4 +45,4 @@ BKP_DOCKER_2_LOC_CLI_ARGS_LIST:
 BKP_DOCKER_2_LOC_EXEC: >-
   /usr/bin/python {{ backup_docker_to_local_folder }}backup-docker-to-local.py
   --compose-dir {{ PATH_DOCKER_COMPOSE_INSTANCES }}
-  {{ BKP_DOCKER_2_LOC_CLI_ARGS_LIST | select('string') | join(' ') }}
+  {{  BKP_DOCKER_2_LOC_CLI_ARGS_LIST | select('string') | join(' ') }}

roles/sys-ctl-cln-disc-space/templates/systemctl.service.j2

@@ -4,5 +4,5 @@ OnFailure={{ SYS_SERVICE_ON_FAILURE_COMPOSE }}
 
 [Service]
 Type=oneshot
-ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP| join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
+ExecStartPre=/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ SYS_SERVICE_GROUP_MANIPULATION | join(' ')  }} --ignore {{ SYS_SERVICE_GROUP_CLEANUP | join(' ') }} --timeout "{{ SYS_TIMEOUT_BACKUP_SERVICES }}"
 ExecStart={{ system_service_script_exec }} {{ SIZE_PERCENT_CLEANUP_DISC_SPACE }}

roles/sys-service/tasks/05_service.yml

@@ -32,6 +32,9 @@
   template:
     src:  "{{ system_service_template_src }}"
     dest: "{{ [ PATH_SYSTEM_SERVICE_DIR, system_service_id | get_service_name(SOFTWARE_NAME) ] | path_join }}"
+    owner: root
+    group: root
+    mode: '0644'
   notify: "{{ 'reload system daemon' if system_service_uses_at else 'refresh systemctl service' }}"
 
 - name: refresh systemctl service when SYS_SERVICE_ALL_ENABLE

roles/web-app-espocrm/config/main.yml

@@ -38,4 +38,4 @@ docker:
       version:  "latest"
       name:     "espocrm"
   volumes:
-    data: espocrm_data
+    data: ESPOCRM_data

roles/web-app-espocrm/tasks/01_patch_config.yml

@@ -1,25 +1,25 @@
 - name: Update DB host
   command: >
-    docker exec --user root {{ espocrm_name }}
-    sed -i "s/'host' => .*/'host' => '{{ database_host }}',/" {{ espocrm_config_file }}
+    docker exec --user root {{ ESPOCRM_NAME }}
+    sed -i "s/'host' => .*/'host' => '{{ database_host }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
   notify: docker compose restart
 
 - name: Update DB name
   command: >
-    docker exec --user root {{ espocrm_name }}
-    sed -i "s/'dbname' => .*/'dbname' => '{{ database_name }}',/" {{ espocrm_config_file }}
+    docker exec --user root {{ ESPOCRM_NAME }}
+    sed -i "s/'dbname' => .*/'dbname' => '{{ database_name }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
   notify: docker compose restart
 
 - name: Update DB user
   command: >
-    docker exec --user root {{ espocrm_name }}
-    sed -i "s/'user' => .*/'user' => '{{ database_username }}',/" {{ espocrm_config_file }}
+    docker exec --user root {{ ESPOCRM_NAME }}
+    sed -i "s/'user' => .*/'user' => '{{ database_username }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
   notify: docker compose restart
 
 - name: Update DB password
   command: >
-    docker exec --user root {{ espocrm_name }}
-    sed -i "s/'password' => .*/'password' => '{{ database_password }}',/" {{ espocrm_config_file }}
+    docker exec --user root {{ ESPOCRM_NAME }}
+    sed -i "s/'password' => .*/'password' => '{{ database_password }}',/" {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
   notify: docker compose restart
   no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
 
@@ -31,7 +31,7 @@
       $c   = $app->getContainer();
       $cfg = $c->get("config");
       $writer = $c->get("injectableFactory")->create("\Espo\Core\Utils\Config\ConfigWriter");
-      $new = "{{ espocrm_url }}";
+      $new = "{{ ESPOCRM_URL }}";
       if ($cfg->get("siteUrl") !== $new) {
         $writer->set("siteUrl", $new);
         $writer->save();
@@ -41,4 +41,28 @@
   args:
     chdir: "{{ docker_compose.directories.instance }}"
   register: siteurl_set
-  changed_when: "'CHANGED' in siteurl_set.stdout"
+  changed_when: "'CHANGED' in siteurl_set.stdout"
+
+- name: Disable EspoCRM maintenance mode
+  ansible.builtin.shell: |
+    docker exec -u root {{ ESPOCRM_NAME }} \
+      sed -i "s/'maintenanceMode' => true/'maintenanceMode' => false/" {{ ESPOCRM_CONFIG_FILE_PUBLIC }}
+  register: disable_maintenance
+  changed_when: disable_maintenance.rc == 0
+  failed_when: disable_maintenance.rc != 0
+
+- name: Enable EspoCRM cache
+  ansible.builtin.shell: |
+    docker exec -u root {{ ESPOCRM_NAME }} \
+      sed -i "s/'useCache' => false/'useCache' => true/" {{ ESPOCRM_CONFIG_FILE_PUBLIC }}
+  register: enable_cache
+  changed_when: enable_cache.rc == 0
+  failed_when: enable_cache.rc != 0
+
+- name: Enable EspoCRM cron
+  ansible.builtin.shell: |
+    docker exec -u root {{ ESPOCRM_NAME }} \
+      sed -i "s/'cronDisabled' => true/'cronDisabled' => false/" {{ ESPOCRM_CONFIG_FILE_PUBLIC }}
+  register: enable_cron
+  changed_when: enable_cron.rc == 0
+  failed_when: enable_cron.rc != 0

roles/web-app-espocrm/tasks/main.yml

@@ -6,7 +6,7 @@
     docker_compose_flush_handlers:  true
 
 - name: Check if config.php exists in EspoCRM
-  command: docker exec --user root {{ espocrm_name }} test -f {{ espocrm_config_file }}
+  command: docker exec --user root {{ ESPOCRM_NAME }} test -f {{ ESPOCRM_CONFIG_FILE_PRIVATE }}
   register: config_file_exists
   changed_when: false
   failed_when: false
@@ -30,4 +30,5 @@
       $writer->save();
     '
   args:
-    chdir: "{{ docker_compose.directories.instance }}"
+    chdir: "{{ docker_compose.directories.instance }}"
+  when: ESPOCRM_OIDC_ENABLED | bool

roles/web-app-espocrm/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   web:
-    container_name: {{ espocrm_name }}
-    image: "{{ espocrm_image }}:{{ espocrm_version }}"
+    container_name: {{ ESPOCRM_NAME }}
+    image: "{{ ESPOCRM_IMAGE }}:{{ ESPOCRM_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
     ports:
@@ -12,7 +12,7 @@
       - data:/var/www/html
 
   daemon:
-    image: "{{ espocrm_image }}:{{ espocrm_version }}"
+    image: "{{ ESPOCRM_IMAGE }}:{{ ESPOCRM_VERSION }}"
     restart: {{ DOCKER_RESTART_POLICY }}
     logging:
       driver: journald
@@ -22,7 +22,7 @@
       - data:/var/www/html
 
   websocket:
-    image: "{{ espocrm_image }}:{{ espocrm_version }}"
+    image: "{{ ESPOCRM_IMAGE }}:{{ ESPOCRM_VERSION }}"
     restart: {{ DOCKER_RESTART_POLICY }}
     logging:
       driver: journald
@@ -41,6 +41,6 @@
 
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
   data:
-    name: {{ espocrm_volume }}
+    name: {{ ESPOCRM_VOLUME }}
 
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-app-espocrm/templates/env.j2

@@ -23,7 +23,7 @@ ESPOCRM_ADMIN_USERNAME={{ applications | get_app_conf(application_id, 'users.adm
 ESPOCRM_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}
 
 # Public base URL of the EspoCRM instance
-ESPOCRM_SITE_URL={{ espocrm_url }}
+ESPOCRM_SITE_URL={{ ESPOCRM_URL }}
 
 # ------------------------------------------------
 # General UI & locale settings
@@ -77,7 +77,7 @@ ESPOCRM_CONFIG_LDAP_USER_LOGIN_FILTER=(sAMAccountName=%USERNAME%)
 # OpenID Connect settings (optional)
 # Applied only if the feature flag is true
 # ------------------------------------------------
-{% if applications | get_app_conf(application_id, 'features.oidc', False) %}
+{% if ESPOCRM_OIDC_ENABLED | bool %}
 
 # ------------------------------------------------
 # OpenID Connect settings
@@ -94,12 +94,12 @@ ESPOCRM_CONFIG_OIDC_TOKEN_ENDPOINT={{ OIDC.CLIENT.TOKEN_URL }}
 ESPOCRM_CONFIG_OIDC_USER_INFO_ENDPOINT={{ OIDC.CLIENT.USER_INFO_URL }}
 ESPOCRM_CONFIG_OIDC_JWKS_ENDPOINT={{ OIDC.CLIENT.CERTS }}
 
-ESPOCRM_CONFIG_OIDC_AUTHORIZATION_REDIRECT_URI={{ espocrm_url }}/oidc/callback
+ESPOCRM_CONFIG_OIDC_AUTHORIZATION_REDIRECT_URI={{ ESPOCRM_URL }}/oidc/callback
 #ESPOCRM_CONFIG_OIDC_SCOPES=openid,profile,email # Defined in main.yml
 
 ESPOCRM_CONFIG_OIDC_CREATE_USER=true
 ESPOCRM_CONFIG_OIDC_SYNC=true
-ESPOCRM_CONFIG_OIDC_USERNAME_CLAIM={{OIDC.ATTRIBUTES.USERNAME}}
+ESPOCRM_CONFIG_OIDC_USERNAME_CLAIM={{ OIDC.ATTRIBUTES.USERNAME }}
 # ESPOCRM_CONFIG_OIDC_SYNC_TEAMS=true
 # ESPOCRM_CONFIG_OIDC_GROUP_CLAIM=group
 {% endif %}

roles/web-app-espocrm/vars/main.yml

@@ -1,19 +1,21 @@
 # General
-application_id:                 "web-app-espocrm"
+application_id:               "web-app-espocrm"
 
 # Database
-database_type:                  "mariadb"
+database_type:                "mariadb"
 
 # Webserver
-location_ws:                    "/ws"
-ws_port:                        "{{ ports.localhost.websocket[application_id] }}"
-client_max_body_size:           "100m"
-vhost_flavour:                  "ws_generic"
+location_ws:                  "/ws"
+ws_port:                      "{{ ports.localhost.websocket[application_id] }}"
+client_max_body_size:         "100m"
+vhost_flavour:                "ws_generic"
 
 # Espocrm
-espocrm_version:                "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.version', True) }}"
-espocrm_image:                  "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.image', True) }}"
-espocrm_name:                   "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.name', True) }}"
-espocrm_volume:                 "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
-espocrm_config_file:            "/var/www/html/data/config-internal.php"
-espocrm_url:                    "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+ESPOCRM_VERSION:              "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.version', True) }}"
+ESPOCRM_IMAGE:                "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.image', True) }}"
+ESPOCRM_NAME:                 "{{ applications | get_app_conf(application_id, 'docker.services.espocrm.name', True) }}"
+ESPOCRM_VOLUME:               "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
+ESPOCRM_CONFIG_FILE_PRIVATE:  "/var/www/html/data/config-internal.php"
+ESPOCRM_CONFIG_FILE_PUBLIC:   "/var/www/html/data/config.php"
+ESPOCRM_URL:                  "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+ESPOCRM_OIDC_ENABLED:         "{{ applications | get_app_conf(application_id, 'features.central_database', False) }}"

roles/web-app-keycloak/templates/import/realm.json.j2

@@ -1295,7 +1295,7 @@
             "user.attribute": "username",
             "id.token.claim": "true",
             "access.token.claim": "true",
-            "claim.name": "{{OIDC.ATTRIBUTES.USERNAME}}",
+            "claim.name": "{{ OIDC.ATTRIBUTES.USERNAME }}",
             "jsonType.label": "String"
           }
         },

roles/web-app-mastodon/templates/env.j2

@@ -65,7 +65,7 @@ OIDC_ISSUER={{ OIDC.CLIENT.ISSUER_URL }}
 OIDC_DISCOVERY=true
 OIDC_SCOPE="openid,profile,email"
 # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
-OIDC_UID_FIELD={{OIDC.ATTRIBUTES.USERNAME}}
+OIDC_UID_FIELD={{ OIDC.ATTRIBUTES.USERNAME }}
 OIDC_CLIENT_ID={{ OIDC.CLIENT.ID }}
 OIDC_REDIRECT_URI=https://{{ domains | get_domain(application_id) }}/auth/auth/openid_connect/callback
 OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true

roles/web-app-matrix/templates/synapse/homeserver.yaml.j2

@@ -57,7 +57,7 @@ oidc_providers:
     scopes: ["openid", "profile"]
     user_mapping_provider:
       config:
-        localpart_template: "{% raw %}{{ user.{% endraw %}{{OIDC.ATTRIBUTES.USERNAME}}{% raw %}}}{% endraw %}"
+        localpart_template: "{% raw %}{{ user.{% endraw %}{{ OIDC.ATTRIBUTES.USERNAME }}{% raw %}}}{% endraw %}"
         display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
     backchannel_logout_enabled: true
 {% endif %}

roles/web-app-nextcloud/templates/config/oidc.config.php.j2

@@ -102,7 +102,7 @@ return array (
         'mail' => 'email',
         'quota' => '{{ ldap.user.attributes.nextcloud_quota }}',
         # 'home' => 'homeDirectory',    # Not implemented yet
-        'ldap_uid' => '{{OIDC.ATTRIBUTES.USERNAME}}',
+        'ldap_uid' => '{{ OIDC.ATTRIBUTES.USERNAME }}',
         # 'groups' => 'ownCloudGroups', # Not implemented yet
         # 'login_filter' => 'realm_access_roles',
     //    'photoURL' => 'picture',

roles/web-app-pixelfed/templates/env.j2

@@ -145,8 +145,8 @@ PF_OIDC_AUTHORIZE_URL="{{ OIDC.CLIENT.AUTHORIZE_URL }}"
 PF_OIDC_TOKEN_URL="{{OIDC.CLIENT.TOKEN_URL}}"
 PF_OIDC_PROFILE_URL="{{ OIDC.CLIENT.USER_INFO_URL }}"
 PF_OIDC_LOGOUT_URL="{{OIDC.CLIENT.LOGOUT_URL}}"
-PF_OIDC_USERNAME_FIELD="{{OIDC.ATTRIBUTES.USERNAME}}"
-PF_OIDC_FIELD_ID="{{OIDC.ATTRIBUTES.USERNAME}}"
+PF_OIDC_USERNAME_FIELD="{{ OIDC.ATTRIBUTES.USERNAME }}"
+PF_OIDC_FIELD_ID="{{ OIDC.ATTRIBUTES.USERNAME }}"
 PF_OIDC_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
 PF_OIDC_CLIENT_ID={{ OIDC.CLIENT.ID }}
 PF_OIDC_SCOPES="openid profile email"

roles/web-app-taiga/templates/env.j2

@@ -76,7 +76,7 @@ OPENID_TOKEN_URL="{{OIDC.CLIENT.TOKEN_URL}}"
 OPENID_CLIENT_ID="{{ OIDC.CLIENT.ID }}"
 OPENID_CLIENT_SECRET="{{ OIDC.CLIENT.SECRET }}"
 OPENID_NAME="{{ OIDC.BUTTON_TEXT }}"
-OPENID_USERNAME_FIELD="{{OIDC.ATTRIBUTES.USERNAME}}"
+OPENID_USERNAME_FIELD="{{ OIDC.ATTRIBUTES.USERNAME }}"
 # Optional:
 # OPENID_ID_FIELD="sub"
 # OPENID_FULLNAME_FIELD="name"

roles/web-svc-collabora/config/main.yml

@@ -6,6 +6,9 @@ server:
     whitelist:
       frame-ancestors:
         - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
+    flags:
+      style-src:
+        unsafe-inline:  true
 docker:
   services:
     redis:

roles/web-svc-collabora/tasks/01_core.yml

@@ -1,7 +1,14 @@
-- name: "generate {{ domains | get_domain(application_id) }}.conf"
+- name: "load docker, proxy for '{{ application_id }}'"
+  include_role:
+    name: cmp-docker-proxy
+    public: true
+  vars:
+    docker_compose_flush_handlers: true
+    
+- name: "generate {{ domain }}.conf"
   template:
     src: "nginx.conf.j2"
-    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf"
+    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf"
   notify: restart openresty
 
 - name: Update Collabora systemplate to include new fonts

roles/web-svc-collabora/tasks/main.yml

@@ -1,9 +1,4 @@
 - block:
-  - name: "load docker, proxy for '{{ application_id }}'"
-    include_role:
-      name: cmp-docker-proxy
-    vars:
-      docker_compose_flush_handlers: true
   - name: "Load core functions for '{{ application_id }}'"
     include_tasks: 01_core.yml
   - include_tasks: utils/run_once.yml

roles/web-svc-collabora/vars/main.yml

@@ -1,9 +1,14 @@
 ---
 # General 
-application_id:         web-svc-collabora
+application_id:             web-svc-collabora
+
+# @todo in a later step it makes sense to refactor the use of them, but they are used atm in the role
+domain:                     "{{ domains | get_domain(application_id) }}"
+http_port:                  "{{ ports.localhost.http[application_id] }}"
+
 # Container
-container_port:         9980
-container_healthcheck:  "/hosting/discovery"
+container_port:             9980
+container_healthcheck:      "/hosting/discovery"
 
 # Collabora
 COLLABORA_CONTAINER:        "{{ applications | get_app_conf(application_id, 'docker.services.collabora.name') }}"