Fix Confluence & BookWyrm setup:

- Add docker compose build trigger in docker-compose tasks
- Cleanup svc-prx-openresty vars
- Enable unsafe-inline CSP flags for BookWyrm, Confluence, Jira to allow Atlassian inline scripts
- Generalize CONFLUENCE_HOME usage in vars, env and docker-compose
- Ensure confluence-init.properties written with correct home
- Add JVM_SUPPORT_RECOMMENDED_ARGS to pass atlassian.home
- Update README to reference {{ CONFLUENCE_HOME }}

See: https://chatgpt.com/share/68b7582a-aeb8-800f-a14f-e98c5b4e6c70

roles/docker-compose/tasks/04_files.yml

@@ -5,7 +5,9 @@
   loop:
     - "{{ application_id | abs_role_path_by_application_id }}/templates/Dockerfile.j2"
     - "{{ application_id | abs_role_path_by_application_id }}/files/Dockerfile"
-  notify: docker compose up
+  notify: 
+    - docker compose up
+    - docker compose build
   register: create_dockerfile_result
   failed_when:
     - create_dockerfile_result is failed

roles/svc-prx-openresty/vars/main.yml

@@ -8,4 +8,3 @@ database_type:                  ""
 OPENRESTY_IMAGE:                "openresty/openresty"
 OPENRESTY_VERSION:              "alpine"
 OPENRESTY_CONTAINER:            "{{ applications | get_app_conf(application_id, 'docker.services.openresty.name', True) }}"
-

roles/web-app-bookwyrm/config/main.yml

@@ -24,7 +24,11 @@ features:
 server:
   csp:
     whitelist: {}
-    flags: {}
+    flags:
+      script-src-elem:
+        unsafe-inline:  true
+      script-src:
+        unsafe-inline:  true
   domains:
     canonical:
       - "book.{{ PRIMARY_DOMAIN }}"

roles/web-app-bookwyrm/templates/Dockerfile.j2

@@ -12,7 +12,8 @@ RUN git clone --depth=1 --branch "{{ BOOKWYRM_VERSION }}" https://github.com/boo
 
 # Pre-install Python deps to a wheelhouse for faster final image
 RUN pip install --upgrade pip \
- && pip wheel --wheel-dir /wheels -r requirements.txt
+ && pip wheel --wheel-dir /wheels -r requirements.txt \
+ && pip wheel --wheel-dir /wheels gunicorn
 
 FROM python:3.11-bookworm
 ENV PYTHONUNBUFFERED=1
@@ -28,6 +29,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libjpeg62-turbo zlib1g libxml2 libxslt1.1 libffi8 libmagic1 \
   && rm -rf /var/lib/apt/lists/* \
   && pip install --no-cache-dir --no-index --find-links=/wheels -r /app/requirements.txt \
+  && pip install --no-cache-dir --no-index --find-links=/wheels gunicorn \
   && adduser --disabled-password --gecos '' bookwyrm \
   && mkdir -p /app/data /app/media \
   && chown -R bookwyrm:bookwyrm /app

roles/web-app-bookwyrm/templates/docker-compose.yml.j2

@@ -6,7 +6,8 @@
       bash -lc '
         python manage.py migrate --noinput &&
         python manage.py collectstatic --noinput &&
-        gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:{{ container_port }}
+        (python manage.py initdb || true) &&
+        python -m gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:{{ container_port }}
       '
     build:
       context: .

roles/web-app-bookwyrm/templates/env.j2

@@ -22,17 +22,39 @@ EMAIL_HOST_PASSWORD="{{ EMAIL_HOST_PASSWORD }}"
 DEFAULT_FROM_EMAIL="{{ EMAIL_DEFAULT_FROM }}"
 
 # Database
+POSTGRES_DB="{{ database_name }}"
+POSTGRES_USER="{{ database_username }}"
+POSTGRES_PASSWORD="{{ database_password }}"
+POSTGRES_HOST="{{ database_host }}"
+POSTGRES_PORT="{{ database_port }}"
 DATABASE_URL="postgres://{{ database_username }}:{{ database_password }}@{{ database_host }}:{{ database_port }}/{{ database_name }}"
 
 # Redis / Celery
+REDIS_HOST="{{ BOOKWYRM_REDIS_HOST }}"
+REDIS_PORT="{{ BOOKWYRM_REDIS_PORT }}"
+REDIS_URL="{{ BOOKWYRM_REDIS_CACHE_URL }}"
+REDIS_CACHE_URL="{{ BOOKWYRM_REDIS_CACHE_URL }}"
+CACHE_URL="{{ BOOKWYRM_REDIS_CACHE_URL }}"
+DJANGO_REDIS_URL="{{ BOOKWYRM_REDIS_CACHE_URL }}"
+
+## Broker
+BROKER_URL="{{ BOOKWYRM_BROKER_URL }}"
 REDIS_BROKER_URL="{{ BOOKWYRM_REDIS_BROKER_URL }}"
-REDIS_CACHE_URL="{{ BOOKWYRM_REDIS_BASE_URL }}/1"
+REDIS_BROKER_HOST="{{ BOOKWYRM_REDIS_HOST }}"
+REDIS_BROKER_PORT="{{ BOOKWYRM_REDIS_PORT }}"
+REDIS_BROKER_DB_INDEX="{{ BOOKWYRM_REDIS_BROKER_DB }}"
 CELERY_BROKER_URL="{{ BOOKWYRM_REDIS_BROKER_URL }}"
 
+## Activity
+REDIS_ACTIVITY_HOST="{{ BOOKWYRM_REDIS_HOST }}"
+REDIS_ACTIVITY_PORT="{{ BOOKWYRM_REDIS_PORT }}"
+REDIS_ACTIVITY_DB_INDEX="{{ BOOKWYRM_REDIS_ACTIVITY_DB }}"
+REDIS_ACTIVITY_URL="{{ BOOKWYRM_REDIS_ACTIVITY_URL }}"
+
 # Proxy (if BookWyrm sits behind reverse proxy)
 FORWARDED_ALLOW_IPS="*"
 USE_X_FORWARDED_HOST="true"
-SECURE_PROXY_SSL_HEADER="HTTP_X_FORWARDED_PROTO,{{ WEB_PROTOCOL }}"
+SECURE_PROXY_SSL_HEADER="{{ (WEB_PORT == 443) | string | lower }}"
 
 # OIDC (optional – only if BOOKWYRM_OIDC_ENABLED)
 {% if BOOKWYRM_OIDC_ENABLED %}

roles/web-app-bookwyrm/vars/main.yml

@@ -45,6 +45,12 @@ BOOKWYRM_REDIS_HOST:            "redis"
 BOOKWYRM_REDIS_PORT:            6379
 BOOKWYRM_REDIS_BASE_URL:        "redis://{{ BOOKWYRM_REDIS_HOST }}:{{ BOOKWYRM_REDIS_PORT }}"
 BOOKWYRM_REDIS_BROKER_URL:      "{{ BOOKWYRM_REDIS_BASE_URL }}/0"
+BOOKWYRM_REDIS_CACHE_URL:       "{{ BOOKWYRM_REDIS_BASE_URL }}/1"
+BOOKWYRM_REDIS_BROKER_DB:        0
+BOOKWYRM_REDIS_ACTIVITY_DB:      1
+BOOKWYRM_BROKER_URL:             "{{ BOOKWYRM_REDIS_BROKER_URL }}"
+BOOKWYRM_REDIS_ACTIVITY_URL:     "{{ BOOKWYRM_REDIS_CACHE_URL }}"
+#BOOKWYRM_CACHE_URL:              "{{ BOOKWYRM_REDIS_CACHE_URL }}"
 
 # Email
 EMAIL_HOST:                     "{{ SYSTEM_EMAIL.HOST }}"

roles/web-app-confluence/README.md

@@ -17,7 +17,7 @@ The role builds a minimal custom image on top of the official Confluence image,
 * **JVM Auto-Tuning:** `JVM_MINIMUM_MEMORY` / `JVM_MAXIMUM_MEMORY` computed from host memory with upper bounds.
 * **Health Checks:** Curl-based container healthcheck for early failure detection.
 * **CSP & Canonical Domains:** Hooks into platform CSP/SSL/domain management to keep policies strict and URLs stable.
-* **Backup Friendly:** Data isolated under `/var/atlassian/application-data/confluence`.
+* **Backup Friendly:** Data isolated under `{{ CONFLUENCE_HOME }}`.
 
 ## Further Resources
 

roles/web-app-confluence/config/main.yml

@@ -20,7 +20,11 @@ features:
 server:
   csp:
     whitelist:      {}
-    flags:          {}
+    flags:
+      script-src-elem:
+        unsafe-inline:  true
+      script-src:
+        unsafe-inline:  true
   domains:
     canonical:
       - "confluence.{{ PRIMARY_DOMAIN }}"

roles/web-app-confluence/templates/Dockerfile.j2

@@ -4,5 +4,7 @@ FROM "{{ CONFLUENCE_IMAGE }}:{{ CONFLUENCE_VERSION }}"
 # COPY ./plugins/atlassian-sso-dc-latest.obr /opt/atlassian/confluence/confluence/WEB-INF/atlassian-bundled-plugins/
 
 # Ensure proper permissions for app data
-RUN mkdir -p /var/atlassian/application-data/confluence && \
+RUN mkdir -p {{ CONFLUENCE_HOME }} && \
-    chown -R 2001:2001 /var/atlassian/application-data/confluence
+    chown -R 2001:2001 {{ CONFLUENCE_HOME }}
+RUN printf "confluence.home={{ CONFLUENCE_HOME }}\n" \
+  > /opt/atlassian/confluence/confluence/WEB-INF/classes/confluence-init.properties

roles/web-app-confluence/templates/docker-compose.yml.j2

@@ -9,7 +9,7 @@
     ports:
       - "127.0.0.1:{{ ports.localhost.http[application_id] }}:8090"
     volumes:
-      - 'data:/var/atlassian/application-data/confluence'
+      - 'data:{{ CONFLUENCE_HOME }}'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}

roles/web-app-confluence/templates/env.j2

@@ -1,6 +1,6 @@
 ## Confluence core
 CONFLUENCE_URL="{{ CONFLUENCE_URL }}"
-
+CONFLUENCE_HOME="{{ CONFLUENCE_HOME }}"
 
 ATL_PROXY_NAME={{ CONFLUENCE_HOSTNAME }}
 ATL_PROXY_PORT={{ WEB_PORT }}
@@ -9,15 +9,17 @@ ATL_TOMCAT_SECURE={{ (WEB_PORT == 443) | lower }}
 JVM_MINIMUM_MEMORY={{ CONFLUENCE_JVM_MIN }}
 JVM_MAXIMUM_MEMORY={{ CONFLUENCE_JVM_MAX }}
 
+JVM_SUPPORT_RECOMMENDED_ARGS=-Datlassian.home={{ CONFLUENCE_HOME }}
+
 ## Database
-ATL_DB_TYPE=postgres72
+ATL_DB_TYPE=postgresql
 ATL_DB_DRIVER=org.postgresql.Driver
 ATL_JDBC_URL=jdbc:postgresql://{{ database_host }}:{{ database_port }}/{{ database_name }}
 ATL_JDBC_USER={{ database_username }}
 ATL_JDBC_PASSWORD={{ database_password }}
 
-## OIDC
 {% if CONFLUENCE_OIDC_ENABLED %}
+## OIDC
 CONFLUENCE_OIDC_TITLE="{{ CONFLUENCE_OIDC_LABEL | replace('\"','\\\"') }}"
 CONFLUENCE_OIDC_ISSUER="{{ CONFLUENCE_OIDC_ISSUER }}"
 CONFLUENCE_OIDC_AUTHORIZATION_ENDPOINT="{{ CONFLUENCE_OIDC_AUTH_URL }}"

roles/web-app-confluence/vars/main.yml

@@ -11,6 +11,7 @@ container_hostname:               "{{ domains | get_domain(application_id) }}"
 ## URLs
 CONFLUENCE_URL:                   "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 CONFLUENCE_HOSTNAME:              "{{ container_hostname }}"
+CONFLUENCE_HOME:                  "/var/atlassian/application-data/confluence"
 
 ## OIDC
 CONFLUENCE_OIDC_ENABLED:          "{{ applications | get_app_conf(application_id, 'features.oidc') }}"

roles/web-app-jira/config/main.yml

@@ -21,7 +21,11 @@ features:
 server:
   csp:
     whitelist:      {}
-    flags:          {}
+    flags:
+      script-src-elem:
+        unsafe-inline:  true
+      script-src:
+        unsafe-inline:  true
   domains:
     canonical:
       - "jira.{{ PRIMARY_DOMAIN }}"