Got things working. Added CLAUDE instructions

playbooks/tasks/patch_appwrite_compose.yml

@@ -7,18 +7,72 @@
 #   appwrite_socket       - host path to the container socket
 #   appwrite_web_port     - host port to map to container port 80  (default 8080)
 #   appwrite_websecure_port - host port to map to container port 443 (default 8443)
+#   appwrite_traefik_trusted_ips - CIDRs Traefik trusts for X-Forwarded-For (default 0.0.0.0/0)
+#
+# Notifies: "Restart appwrite service" — must be defined in the calling play.
+
+- name: Pin Traefik image to minimum compatible version
+  # traefik:2.11 (without patch) is incompatible with Docker Engine >= 29.
+  ansible.builtin.replace:
+    path: "{{ appwrite_dir }}/docker-compose.yml"
+    regexp: 'image: traefik:.*'
+    replace: "image: traefik:{{ appwrite_traefik_version | default('2.11.31') }}"
+  notify: Restart appwrite service
+
+- name: Replace dev build image with official appwrite image
+  # The downloaded compose may contain image: appwrite-dev with a build: stanza
+  # for local source builds. Replace with the pinned official image.
+  ansible.builtin.replace:
+    path: "{{ appwrite_dir }}/docker-compose.yml"
+    regexp: 'image: appwrite-dev'
+    replace: "image: appwrite/appwrite:{{ appwrite_version }}"
+  notify: Restart appwrite service
 
 - name: Remap traefik HTTP port
   ansible.builtin.replace:
     path: "{{ appwrite_dir }}/docker-compose.yml"
     regexp: '- "?80:80"?'
     replace: "- {{ appwrite_web_port }}:80"
+  notify: Restart appwrite service
 
 - name: Remap traefik HTTPS port
   ansible.builtin.replace:
     path: "{{ appwrite_dir }}/docker-compose.yml"
     regexp: '- "?443:443"?'
     replace: "- {{ appwrite_websecure_port }}:443"
+  notify: Restart appwrite service
+
+- name: Trust X-Forwarded-For from HAProxy on appwrite_web entrypoint
+  ansible.builtin.lineinfile:
+    path: "{{ appwrite_dir }}/docker-compose.yml"
+    line: "      - --entrypoints.appwrite_web.forwardedHeaders.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
+    insertafter: '.*entrypoints\.appwrite_web\.address.*'
+    state: present
+  notify: Restart appwrite service
+
+- name: Accept PROXY protocol v2 from HAProxy on appwrite_web entrypoint
+  ansible.builtin.lineinfile:
+    path: "{{ appwrite_dir }}/docker-compose.yml"
+    line: "      - --entrypoints.appwrite_web.proxyProtocol.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
+    insertafter: '.*entrypoints\.appwrite_web\.address.*'
+    state: present
+  notify: Restart appwrite service
+
+- name: Trust X-Forwarded-For from HAProxy on appwrite_websecure entrypoint
+  ansible.builtin.lineinfile:
+    path: "{{ appwrite_dir }}/docker-compose.yml"
+    line: "      - --entrypoints.appwrite_websecure.forwardedHeaders.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
+    insertafter: '.*entrypoints\.appwrite_websecure\.address.*'
+    state: present
+  notify: Restart appwrite service
+
+- name: Accept PROXY protocol v2 from HAProxy on appwrite_websecure entrypoint
+  ansible.builtin.lineinfile:
+    path: "{{ appwrite_dir }}/docker-compose.yml"
+    line: "      - --entrypoints.appwrite_websecure.proxyProtocol.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
+    insertafter: '.*entrypoints\.appwrite_websecure\.address.*'
+    state: present
+  notify: Restart appwrite service
 
 - name: Add host tmp mount to openruntimes-executor for docker file sharing
   # Inserts after the last occurrence of appwrite-builds:/storage/builds:rw,
@@ -28,3 +82,4 @@
     line: "      - {{ appwrite_dir }}/tmp:/tmp:z"
     insertafter: "appwrite-builds:/storage/builds:rw"
     state: present
+  notify: Restart appwrite service