enh(shopware): improve healthchecks and proxy configuration

Removed obsolete EXPOSE/healthcheck from Dockerfile and added robust service-specific healthchecks:

- web: HTTP robots.txt check

- worker/scheduler: php -v runtime check

- opensearch: cluster health API check

Added TRUSTED_PROXIES=* for proxy-aware headers and centralized OPENSEARCH_PORT in vars.

Context: discussed implementation details in ChatGPT conversation on 2025-11-06 — https://chatgpt.com/share/690c9fb3-79f4-800f-bbdf-ea370c8f142c

roles/web-app-desktop/templates/menu/contact.yml.j2

@@ -11,8 +11,8 @@ contact:
       description: Send {{ 'us' if service_provider.type == 'legal' else 'me' }} an email
       icon:
         class: fa-solid fa-envelope
-      url: mailto:{{service_provider.contact.email}}
-      identifier: {{service_provider.contact.email}}
+      url: mailto:{{ service_provider.contact.email }}
+      identifier: {{ service_provider.contact.email }}
 
 {% endif %}
 {% if service_provider.contact.phone is defined %}
@@ -32,6 +32,6 @@ contact:
       description: Chat with {{ 'us' if service_provider.type == 'legal' else 'me' }} on Matrix
       icon:
         class: fa-solid fa-cubes
-      identifier: "{{service_provider.contact.matrix}}"
+      identifier: "{{ service_provider.contact.matrix }}"
 
 {% endif %}

roles/web-app-joomla/tasks/01_install.yml

@@ -30,6 +30,8 @@
     argv:
       - docker
       - exec
+      - --user
+      - "{{ JOOMLA_WEB_USER }}"
       - "{{ JOOMLA_CONTAINER }}"
       - php
       - "{{ JOOMLA_INSTALLER_CLI_FILE }}"

roles/web-app-joomla/vars/main.yml

@@ -21,3 +21,4 @@ JOOMLA_USER_NAME:                 "{{ users.administrator.username }}"
 JOOMLA_USER:                      "{{ JOOMLA_USER_NAME | capitalize }}"     
 JOOMLA_USER_PASSWORD:             "{{ users.administrator.password }}"
 JOOMLA_USER_EMAIL:                "{{ users.administrator.email }}"
+JOOMLA_WEB_USER:                  "www-data"

roles/web-app-peertube/config/main.yml

@@ -30,6 +30,10 @@ docker:
   services:
     redis:
       enabled: true
+      cpus: "0.5"
+      mem_reservation: "256m"
+      mem_limit: "512m"
+      pids_limit: 512
     database: 
       enabled: true
     peertube: 
@@ -38,6 +42,10 @@ docker:
       image:            "chocobozzz/peertube"
       backup:
         no_stop_required: true
+      cpus: 4
+      mem_reservation:  "4g"
+      mem_limit:        "8g"
+      pids_limit:       2048  # ffmpeg spawnt Threads/Prozesse
   volumes:
     data: peertube_data
     config: peertube_config

roles/web-app-peertube/templates/docker-compose.yml.j2

@@ -12,6 +12,17 @@
       - assets:/app/client/dist
       - data:/data
       - config:/config
+    environment:
+      - NODE_OPTIONS=--max-old-space-size={{ PEERTUBE_MAX_OLD_SPACE_SIZE }}
+      - PEERTUBE_TRANSCODING_CONCURRENCY={{ PEERTUBE_TRANSCODING_CONCURRENCY }}
+    shm_size: "512m"
+    tmpfs:
+      - /tmp:size=1g,exec
+    ulimits:
+      nofile:
+        soft: 131072
+        hard: 131072
+      nproc:  8192
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}

roles/web-app-peertube/vars/main.yml

@@ -1,17 +1,47 @@
 # General
-application_id:                 "web-app-peertube"
-database_type:                  "postgres"
+application_id:                   "web-app-peertube"
+database_type:                    "postgres"
 
 # Docker
-docker_compose_flush_handlers:  true
+docker_compose_flush_handlers:    true
 
 # Role variables
-PEERTUBE_VERSION:               "{{ applications | get_app_conf(application_id, 'docker.services.peertube.version') }}"
-PEERTUBE_IMAGE:                 "{{ applications | get_app_conf(application_id, 'docker.services.peertube.image') }}"
-PEERTUBE_CONTAINER:             "{{ applications | get_app_conf(application_id, 'docker.services.peertube.name') }}"
-PEERTUBE_DATA_VOLUME:           "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
-PEERTUBE_CONFIG_VOLUME:         "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
+PEERTUBE_VERSION:                 "{{ applications | get_app_conf(application_id, 'docker.services.peertube.version') }}"
+PEERTUBE_IMAGE:                   "{{ applications | get_app_conf(application_id, 'docker.services.peertube.image') }}"
+PEERTUBE_CONTAINER:               "{{ applications | get_app_conf(application_id, 'docker.services.peertube.name') }}"
+PEERTUBE_DATA_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+PEERTUBE_CONFIG_VOLUME:           "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
 
 # OIDC
-PEERTUBE_OIDC_PLUGIN:           "peertube-plugin-auth-openid-connect"
-PEERTUBE_OIDC_ENABLED:          "{{ applications | get_app_conf(application_id, 'features.oidc', False) }}"
+PEERTUBE_OIDC_PLUGIN:             "peertube-plugin-auth-openid-connect"
+PEERTUBE_OIDC_ENABLED:            "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+
+# === Dynamic performance defaults ==========================================
+
+# Raw Docker configuration values (with sane fallbacks)
+peertube_cpus:          "{{ applications | get_app_conf(application_id, 'docker.services.peertube.cpus') | float }}"
+peertube_mem_limit_raw: "{{ applications | get_app_conf(application_id, 'docker.services.peertube.mem_limit') }}"
+peertube_mem_bytes:     "{{ peertube_mem_limit_raw | human_to_bytes }}"
+peertube_mem_mb:        "{{ ((peertube_mem_bytes | int) // (1024 * 1024)) | int }}"
+
+# ---------------------------------------------------------------------------
+# Node heap size:
+# ~35% of total RAM, but at least 768 MB, at most 3072 MB,
+# and never more than 60% of total memory (safety cap for small containers)
+# ---------------------------------------------------------------------------
+
+_peertube_heap_candidate_mb: "{{ ((peertube_mem_mb | float) * 0.35) | round(0, 'floor') | int }}"
+_peertube_heap_cap_mb:       "{{ ((peertube_mem_mb | float) * 0.60) | round(0, 'floor') | int }}"
+
+# Step 1: enforce minimum (≥768 MB)
+_peertube_heap_min_applied:  "{{ [ (_peertube_heap_candidate_mb | int), 768 ] | max }}"
+
+# Step 2: determine hard cap (min of 3072 MB and 60% of total memory)
+_peertube_heap_hardcap:      "{{ [ 3072, (_peertube_heap_cap_mb | int) ] | min }}"
+
+# Step 3: final heap = min(min-applied, hardcap)
+PEERTUBE_MAX_OLD_SPACE_SIZE: "{{ [ (_peertube_heap_min_applied | int), (_peertube_heap_hardcap | int) ] | min }}"
+
+# Transcoding concurrency: half the vCPUs; min 1, max 8
+_peertube_concurrency_candidate:  "{{ ((peertube_cpus | float) * 0.5) | round(0, 'floor') | int }}"
+PEERTUBE_TRANSCODING_CONCURRENCY: "{{ [ ( [ (_peertube_concurrency_candidate | int), 1 ] | max ), 8 ] | min }}"

roles/web-app-shopware/config/main.yml

@@ -5,12 +5,17 @@ features:
   ldap:                           false # Not implemented yet
   oidc:                           false # Not implemented yet
   logout:                         true
+  desktop:                        true
+  css:                            true
 server:
   csp:
     flags:
       script-src-elem:
         unsafe-inline:  true
-    whitelist: {}
+        unsafe-eval:    true
+    whitelist:
+      font-src:
+        - "data:"
   domains:
     aliases: []
     canonical:

roles/web-app-shopware/files/init.sh

@@ -1,81 +1,140 @@
 #!/bin/sh
+# Shopware initialization script (POSIX sh)
+# - Root phase: fix volumes & permissions, then switch to www-data
+# - First run: perform system:install
+# - Every run: run DB migrations + rebuild cache + compile assets & themes
+# - Verifies admin bundles exist, otherwise exits with error
+
 set -eu
 
-# Paths / constants
 APP_ROOT="/var/www/html"
 MARKER="$APP_ROOT/.infinito/installed"
+LOG_PREFIX="[INIT]"
+PHP_BIN="php"
 
-cd "$APP_ROOT"
-mkdir -p "$APP_ROOT/.infinito"
+log() { printf "%s %s\n" "$LOG_PREFIX" "$1"; }
+fail() { printf "%s [ERROR] %s\n" "$LOG_PREFIX" "$1" >&2; exit 1; }
 
-echo "[INIT] Checking database via PDO..."
-php -r '
+# ---------------------------
+# 0) Root phase (if running as root)
+# ---------------------------
+if [ "$(id -u)" -eq 0 ]; then
+  # Prepare required folders and shared volumes
+  mkdir -p "$APP_ROOT/.infinito" \
+           "$APP_ROOT/public/bundles" \
+           "$APP_ROOT/public/media" \
+           "$APP_ROOT/public/theme" \
+           "$APP_ROOT/public/thumbnail" \
+           "$APP_ROOT/public/sitemap" \
+           "$APP_ROOT/var"
+
+  log "Fixing permissions on shared volumes..."
+  chown -R www-data:www-data "$APP_ROOT/public" "$APP_ROOT/var" || true
+  chmod -R 775 "$APP_ROOT/public" "$APP_ROOT/var" || true
+
+  # Switch to www-data for all subsequent operations
+  exec su -s /bin/sh www-data "$0" "$@"
+fi
+
+# From here on: running as www-data
+cd "$APP_ROOT" || fail "Cannot cd to $APP_ROOT"
+
+# Optional environment hints
+APP_ENV_STR=$($PHP_BIN -r 'echo getenv("APP_ENV") ?: "";' 2>/dev/null || true)
+APP_URL_STR=$($PHP_BIN -r 'echo getenv("APP_URL") ?: "";' 2>/dev/null || true)
+[ -n "$APP_ENV_STR" ] || log "APP_ENV not set (using defaults)"
+[ -n "$APP_URL_STR" ] || log "APP_URL not set (reverse proxy must set headers)"
+
+# ---------------------------
+# 1) Database reachability check (PDO)
+# ---------------------------
+log "Checking database via PDO..."
+$PHP_BIN -r '
 $url = getenv("DATABASE_URL");
 if (!$url) { fwrite(STDERR, "DATABASE_URL not set\n"); exit(1); }
 $p = parse_url($url);
 if (!$p || !isset($p["scheme"])) { fwrite(STDERR, "Invalid DATABASE_URL\n"); exit(1); }
-$scheme = $p["scheme"];
-if ($scheme === "mysql" || $scheme === "mariadb") {
-  $host = $p["host"] ?? "localhost";
-  $port = $p["port"] ?? 3306;
-  $db   = ltrim($p["path"] ?? "", "/");
-  $user = $p["user"] ?? "";
-  $pass = $p["pass"] ?? "";
-  $dsn  = "mysql:host=".$host.";port=".$port.";dbname=".$db.";charset=utf8mb4";
-} else {
-  fwrite(STDERR, "Unsupported DB scheme: ".$scheme."\n"); exit(1);
-}
+$host = $p["host"] ?? "localhost";
+$port = $p["port"] ?? 3306;
+$db   = ltrim($p["path"] ?? "", "/");
+$user = $p["user"] ?? "";
+$pass = $p["pass"] ?? "";
+$dsn  = "mysql:host=".$host.";port=".$port.";dbname=".$db.";charset=utf8mb4";
 $retries = 60;
 while ($retries-- > 0) {
-  try { $pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_TIMEOUT => 3]); exit(0); }
+  try { new PDO($dsn, $user, $pass, [PDO::ATTR_TIMEOUT => 3]); exit(0); }
   catch (Exception $e) { sleep(2); }
 }
 fwrite(STDERR, "DB not reachable\n"); exit(1);
-'
+' || fail "Database not reachable"
 
+# ---------------------------
+# 2) First-time install detection
+# ---------------------------
+FIRST_INSTALL=0
 if [ ! -f "$MARKER" ]; then
-  echo "[INIT] Checking if database is empty..."
-  # PHP exits: 0 = empty, 100 = non-empty, 1 = error
-  if php -r '
+  log "Checking if database is empty..."
+  if $PHP_BIN -r '
     $url = getenv("DATABASE_URL");
     $p   = parse_url($url);
     $db  = ltrim($p["path"] ?? "", "/");
     $dsn = "mysql:host=".($p["host"]??"localhost").";port=".($p["port"]??3306).";dbname=".$db.";charset=utf8mb4";
-    try {
-      $pdo = new PDO($dsn, $p["user"] ?? "", $p["pass"] ?? "");
-      $q = $pdo->query("SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=".$pdo->quote($db));
-      $cnt = (int)$q->fetchColumn();
-      if ($cnt === 0) { exit(0); } else { exit(100); }
-    } catch (Exception $e) { fwrite(STDERR, $e->getMessage()."\n"); exit(1); }
+    $pdo = new PDO($dsn, $p["user"] ?? "", $p["pass"] ?? "");
+    $q = $pdo->query("SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=".$pdo->quote($db));
+    $cnt = (int)$q->fetchColumn();
+    exit($cnt === 0 ? 0 : 100);
   '; then
-    DBCHK=0
+    FIRST_INSTALL=1
   else
-    DBCHK=$?
+    ST=$?
+    if [ "$ST" -eq 100 ]; then
+      log "Database not empty → skipping install"
+    else
+      fail "Database check failed (exit code $ST)"
+    fi
   fi
-
-  if [ "$DBCHK" -eq 0 ]; then
-    echo "[INIT] Installing Shopware (empty DB detected)..."
-    # IMPORTANT: no --force; let Shopware run its internal steps only on empty DB
-    php -d memory_limit=1024M bin/console system:install --basic-setup --create-database
-  elif [ "$DBCHK" -eq 100 ]; then
-    echo "[INIT] Database is not empty -> skipping system:install"
-  else
-    echo "[INIT] Database check failed (code $DBCHK)"; exit 1
-  fi
-
-  # Safe to run (no-ops when up-to-date)
-  php -d memory_limit=1024M bin/console database:migrate --all || true
-  php -d memory_limit=1024M bin/console database:migrate-destructive --all || true
-
-  # Housekeeping
-  php bin/console cache:clear || true
-  php bin/console dal:refresh:index || true
-
-  # Marker + perms
-  touch "$MARKER"
-  chown -R www-data:www-data "$APP_ROOT"
-
-  echo "[INIT] Done."
-else
-  echo "[INIT] Marker found, skipping install."
 fi
+
+if [ "$FIRST_INSTALL" -eq 1 ]; then
+  log "Performing first-time Shopware installation..."
+  $PHP_BIN -d memory_limit=1024M bin/console system:install --basic-setup --create-database
+  mkdir -p "$(dirname "$MARKER")"
+  : > "$MARKER"
+fi
+
+# ---------------------------
+# 3) Always run migrations
+# ---------------------------
+log "Running database migrations..."
+$PHP_BIN -d memory_limit=1024M bin/console database:migrate --all
+$PHP_BIN -d memory_limit=1024M bin/console database:migrate-destructive --all
+
+# ---------------------------
+# 4) Always rebuild caches, bundles, and themes
+# ---------------------------
+log "Rebuilding caches and assets..."
+$PHP_BIN bin/console cache:clear
+$PHP_BIN bin/console bundle:dump
+# Use --copy if symlinks cause issues
+$PHP_BIN bin/console assets:install --no-interaction --force
+$PHP_BIN bin/console theme:refresh
+$PHP_BIN bin/console theme:compile
+# Best-effort: not critical if it fails
+$PHP_BIN bin/console dal:refresh:index || log "dal:refresh:index failed (non-critical)"
+
+# ---------------------------
+# 5) Verify admin bundles
+# ---------------------------
+if [ ! -d "public/bundles/administration" ]; then
+  fail "Missing directory public/bundles/administration (asset build failed)"
+fi
+if ! ls public/bundles/administration/* >/dev/null 2>&1; then
+  fail "No files found in public/bundles/administration (asset build failed)"
+fi
+
+# ---------------------------
+# 6) Show version info
+# ---------------------------
+$PHP_BIN bin/console system:version 2>/dev/null || log "system:version not available"
+
+log "Initialization complete."

roles/web-app-shopware/tasks/01_admin.yml

@@ -1,4 +1,22 @@
-# Ensures that the admin user exists and always has the desired password
+- name: "Rename default Shopware admin user to {{ users.administrator.username }}"
+  shell: |
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
+      set -e
+      cd {{ SHOPWARE_ROOT }}
+      old_user="admin"
+      new_user="{{ users.administrator.username }}"
+      if php bin/console user:list | grep -q "^$old_user "; then
+        echo "[INFO] Renaming Shopware user: $old_user -> $new_user"
+        php bin/console user:update "$old_user" --username="$new_user" || true
+      else
+        echo "[INFO] No user named $old_user found (already renamed or custom setup)"
+      fi
+    '
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  changed_when: false
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
 - name: "Ensure Shopware admin exists and has the desired password"
   shell: |
     docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
@@ -17,3 +35,4 @@
     '
   args:
     chdir: "{{ docker_compose.directories.instance }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

roles/web-app-shopware/tasks/cleanup/ldap.yml

@@ -1,6 +1,6 @@
 - name: "Deactivate/uninstall LDAP plugin if present"
   shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
       cd {{ SHOPWARE_ROOT }}
       php bin/console plugin:deactivate INFX_LDAP_PLUGIN || true
       php bin/console plugin:uninstall INFX_LDAP_PLUGIN --keep-user-data || true

roles/web-app-shopware/tasks/cleanup/oidc.yml

@@ -1,6 +1,6 @@
 - name: "Deactivate/uninstall OIDC plugin if present"
   shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
       cd {{ SHOPWARE_ROOT }}
       php bin/console plugin:deactivate INFX_OIDC_PLUGIN || true
       php bin/console plugin:uninstall INFX_OIDC_PLUGIN --keep-user-data || true

roles/web-app-shopware/tasks/setup/ldap.yml

@@ -1,7 +1,7 @@
 # Replace INFX_LDAP_PLUGIN with the actual plugin name you use
 - name: "Install LDAP admin plugin & activate"
   shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
       set -e
       cd {{ SHOPWARE_ROOT }}
       php bin/console plugin:refresh
@@ -13,7 +13,7 @@
 
 - name: "Configure LDAP connection"
   shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
       set -e
       cd {{ SHOPWARE_ROOT }}
       php bin/console system:config:set "InfxLdap.config.host"     "{{ LDAP.SERVER.DOMAIN }}"

roles/web-app-shopware/tasks/setup/oidc.yml

@@ -1,7 +1,7 @@
 # Replace INFX_OIDC_PLUGIN with the actual plugin name (Composer or local)
 - name: "Install OIDC plugin & activate"
   shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
       set -e
       cd {{ SHOPWARE_ROOT }}
       php bin/console plugin:refresh
@@ -13,7 +13,7 @@
 
 - name: "Configure OIDC via system:config"
   shell: |
-    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} bash -lc '
+    docker exec -i --user {{ SHOPWARE_USER }} {{ SHOPWARE_WEB_CONTAINER }} sh -lc '
       set -e
       cd {{ SHOPWARE_ROOT }}
       php bin/console system:config:set "InfxOidc.config.clientId"        "{{ OIDC.CLIENT.ID }}"

roles/web-app-shopware/templates/Dockerfile.j2

@@ -85,8 +85,3 @@ RUN set -eux; \
 
 # Drop back to the app user
 USER www-data
-
-# Expose internal port & add a lightweight healthcheck
-EXPOSE 8000
-HEALTHCHECK --interval=30s --timeout=5s --retries=5 --start-period=20s \
-  CMD php -r '$s=@fsockopen("127.0.0.1", 8000, $e, $t, 3); if(!$s) exit(1); fclose($s);'

roles/web-app-shopware/templates/docker-compose.yml.j2

@@ -7,6 +7,7 @@ x-environment: &shopware
     - thumbnail:/var/www/html/public/thumbnail
     - sitemap:/var/www/html/public/sitemap
     - "{{ SHOPWARE_INIT_HOST }}:{{ SHOPWARE_INIT_DOCKER }}:ro"
+    - bundles:/var/www/html/public/bundles
   working_dir: {{ SHOPWARE_ROOT }}
 
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
@@ -22,6 +23,7 @@ x-environment: &shopware
     <<: *shopware
     container_name: "{{ SHOPWARE_INIT_CONTAINER }}"
     entrypoint: [ "sh", "{{ SHOPWARE_INIT_DOCKER }}" ]
+    user: "0:0"
 
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
@@ -40,9 +42,13 @@ x-environment: &shopware
     depends_on:
       init:
         condition: service_completed_successfully
-{% filter indent(4) %}
-    {% include 'roles/docker-container/templates/healthcheck/http.yml.j2' %}
-{% endfilter %}
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider http://127.0.0.1:{{ container_port }}/robots.txt || wget -q --spider http://127.0.0.1:{{ container_port }}/ || exit 1"]
+      interval: 30s
+      timeout: 5s
+      retries: 10
+      start_period: 120s
+
 
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
@@ -62,6 +68,12 @@ x-environment: &shopware
 # @todo Activate for swarm deploy
 #    deploy:
 #      replicas: {{ SHOPWARE_WORKER_REPLICAS }}
+    healthcheck:
+      test: ["CMD", "php", "-v"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
 
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
@@ -78,6 +90,13 @@ x-environment: &shopware
     depends_on:
       init:
         condition: service_completed_successfully
+    healthcheck:
+      test: ["CMD", "php", "-v"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
 
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
@@ -97,6 +116,12 @@ x-environment: &shopware
     depends_on:
       init:
         condition: service_completed_successfully
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fsSL http://127.0.0.1:{{ SHOPWARE_OPENSEARCH_PORT }}/_cluster/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% endif %}
 
@@ -113,5 +138,7 @@ x-environment: &shopware
     name: {{ entity_name }}_thumbnail
   sitemap:
     name: {{ entity_name }}_sitemap
+  bundles:
+    name: {{ entity_name }}_bundles
 
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-app-shopware/templates/env.j2

@@ -5,7 +5,7 @@ APP_DEBUG="{{ MODE_DEBUG | ternary(1, 0) }}"
 
 # Shopware
 APP_ENV={{ 'dev' if (ENVIRONMENT | lower) == 'development' else 'prod' }}
-#TRUSTED_PROXIES=127.0.0.1
+TRUSTED_PROXIES=*
 INSTANCE_ID={{ application_id }}
 
 # Database
@@ -22,10 +22,10 @@ CACHE_URL="file://cache"
 
 {% if SHOPWARE_OPENSEARCH_ENABLED %}
 # Search
-ELASTICSEARCH_URL="http://opensearch:9200"
-OPENSEARCH_URL="http://opensearch:9200"
+ELASTICSEARCH_URL="http://opensearch:{{ SHOPWARE_OPENSEARCH_PORT }}"
+OPENSEARCH_URL="http://opensearch:{{ SHOPWARE_OPENSEARCH_PORT }}"
 OPENSEARCH_HOST="opensearch"
-OPENSEARCH_PORT_NUMBER="9200"
+OPENSEARCH_PORT_NUMBER="{{ SHOPWARE_OPENSEARCH_PORT }}"
 OPENSEARCH_INITIAL_ADMIN_PASSWORD="{{ users.administrator.password }}"
 {% endif %}
 

roles/web-app-shopware/vars/main.yml

@@ -28,16 +28,14 @@ SHOPWARE_WORKER_ENTRYPOINT:     "{{ applications | get_app_conf(application_id,
 SHOPWARE_SCHED_ENTRYPOINT:      "{{ applications | get_app_conf(application_id, 'docker.services.scheduler.entrypoint') }}"
 SHOPWARE_WORKER_REPLICAS:       "{{ applications | get_app_conf(application_id, 'docker.services.worker.replicas') }}"
 
-# Search/Cache
+# Redis Cache
 SHOPWARE_REDIS_ENABLED:               "{{ applications | get_app_conf(application_id, 'docker.services.redis.enabled') }}"
 SHOPWARE_REDIS_ADDRESS:               "redis:6379"
+
+# Opensearch
+SHOPWARE_OPENSEARCH_PORT:             "9200"
 SHOPWARE_OPENSEARCH_ENABLED:          "{{ applications | get_app_conf(application_id, 'docker.services.opensearch.enabled') }}"
-SHOPWARE_OPENSEARCH_ENGINE:           "{{ applications | get_app_conf(application_id, 'docker.services.opensearch.engine') }}"
 SHOPWARE_OPENSEARCH_IMAGE:            "{{ applications | get_app_conf(application_id, 'docker.services.opensearch.image') }}"
 SHOPWARE_OPENSEARCH_VERSION:          "{{ applications | get_app_conf(application_id, 'docker.services.opensearch.version') }}"
 SHOPWARE_OPENSEARCH_CONTAINER:        "{{ applications | get_app_conf(application_id, 'docker.services.opensearch.name') }}"
 SHOPWARE_OPENSEARCH_MEM_RESERVATION:  "{{ applications | get_app_conf(application_id, 'docker.services.opensearch.mem_reservation') }}"
-SHOPWARE_OPENSEARCH_MEM_LIMIT:        "{{ applications | get_app_conf(application_id, 'docker.services.opensearch.mem_limit') }}"
-
-# IAM (true if either OIDC or LDAP is enabled)
-SHOPWARE_IAM_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') or applications | get_app_conf(application_id, 'features.ldap') }}"

tests/integration/test_filters_are_defined.py

@@ -37,7 +37,7 @@ BUILTIN_FILTERS: Set[str] = {
     "type_debug", "json_query", "mandatory", "hash", "checksum",
     "lower", "upper", "capitalize", "unique", "dict2items", "items2dict", 
     "password_hash", "path_join", "product", "quote", "split", "ternary", "to_nice_yaml", 
-    "tojson", "to_nice_json",
+    "tojson", "to_nice_json", "human_to_bytes",
 
 
     # Date/time-ish