feat: backup appwrite
fix: CORS error by adding platforms
@@ -0,0 +1,84 @@
# Session Handoff: Appwrite Stack Setup & Infrastructure Hardening

**Date:** 2026-03-14
**Session Duration:** ~4 hours
**Session Focus:** Bring Appwrite stack to production-ready state on bab1.mgmt.toal.ca
**Context Usage at Handoff:** ~70%

---

## Current State

The install playbook is ready to run. All open questions from the session are resolved. The stack on bab1 is running but with an unpatched compose (no proxyProtocol, old entrypoint issue). **One run of the playbook will bring everything current.**

---

## What Was Accomplished This Session

1. Appwrite `.env` Jinja2 template → `playbooks/templates/appwrite.env.j2`
2. Systemd unit template → `playbooks/templates/appwrite.service.j2`
3. Prometheus node exporter playbook → `playbooks/install_node_exporter.yml`
4. Appwrite inventory vars → `~/Dev/inventories/bab-inventory/host_vars/bab1.mgmt.toal.ca/appwrite.yml`
5. Monitoring inventory vars → `~/Dev/inventories/bab-inventory/host_vars/bab1.mgmt.toal.ca/monitoring.yml`
6. HashiCorp Vault secret lookups → `~/Dev/inventories/bab-inventory/host_vars/bab1.mgmt.toal.ca/secrets.yml`
7. `playbooks/install_appwrite.yml` — .env deploy, systemd, tags (`deps`/`image`/`configure`), restart handler, production compose URL (`appwrite.io/install/compose`)
8. `playbooks/tasks/patch_appwrite_compose.yml` — Traefik 2.11.31 pin, image fix (appwrite-dev→official), forwardedHeaders + proxyProtocol trustedIPs for both entrypoints, handler notifications
9. `playbooks/upgrade_appwrite.yml` — docker prune after upgrade
10. `requirements.yml` — added `community.hashi_vault`
11. `~/.ansible-navigator.yml` — pipelining fixed (ANSIBLE_CONFIG file was never mounted into EE; replaced with `environment-variables.set`); SSH multiplexing, fact caching, profile_tasks via CALLBACKS_ENABLED
12. Deleted `secrets.yml.example` — contained plaintext secrets

---

## Key Numbers

- `appwrite_version: "1.8.1"`
- `appwrite_traefik_version: "2.11.31"` — minimum for Docker Engine >= 29
- `appwrite_web_port: 8080`, `appwrite_websecure_port: 8443`
- `appwrite_traefik_trusted_ips: "192.168.0.0/22"` — HAProxy subnet; used for both `forwardedHeaders.trustedIPs` and `proxyProtocol.trustedIPs`
- `node_exporter_version: "1.9.0"`, `node_exporter_port: 9100`
- Vault path: `kv/data/oys/bab-appwrite` (populated 2026-03-14)

---

## Decisions Made

| Decision | Rationale |
|----------|-----------|
| HashiCorp Vault for secrets | AAP + dev both need access; 1Password ansible-vault is local-only |
| `appwrite.io/install/compose` as compose source | GitHub raw URL pointed to dev compose with `image: appwrite-dev` and broken entrypoint override |
| Traefik pinned to 2.11.31 | Floating `traefik:2.11` tag incompatible with Docker Engine >= 29 |
| `proxyProtocol.trustedIPs` on both Traefik entrypoints | HAProxy uses `send-proxy-v2` on both `appwrite` and `babdevapi` backends; without this Traefik returns 503 |
| `_APP_DOMAIN_TARGET` added to .env template | Appwrite 1.8.x `console.php:49` constructs a `Domain` object from this var; null = crash |
| systemd `Type=oneshot RemainAfterExit=yes` | `docker compose up -d` exits after starting containers; oneshot keeps unit active |
| node exporter `security_opts: label=disable` | `:z` on `/` bind-mount would recursively relabel entire filesystem under RHEL 9 SELinux |
| `profile_tasks` via `ANSIBLE_CALLBACKS_ENABLED` | It's an aggregate callback, not a stdout callback; `ANSIBLE_STDOUT_CALLBACK=profile_tasks` causes `'sort_order'` error |

---

## What the NEXT Session Should Do

1. **Run the install playbook** (skipping deps and image pull since stack is already running):
```bash
ansible-navigator run playbooks/install_appwrite.yml --mode stdout --skip-tags deps,image
```
2. **Verify** `curl -v https://appwrite.toal.ca` returns 200 (not 503)
3. **Verify** Appwrite console loads without `Domain::__construct() null` error
4. **Run node exporter**:
```bash
ansible-navigator run playbooks/install_node_exporter.yml --mode stdout
```
5. **Verify** `curl http://bab1.mgmt.toal.ca:9100/metrics` returns Prometheus metrics

---

## Open Questions

None. All issues from the session are resolved.

---

## Files to Load Next Session

- `playbooks/install_appwrite.yml` — if continuing install/configure work
- `playbooks/tasks/patch_appwrite_compose.yml` — if debugging compose patches
- `docs/context/architecture.md` — for Appwrite API or EDA work
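Review bot: item 12 (`Deleted secrets.yml.example — contained plaintext secrets`) removes the file from the working tree but not from the repository history, so anyone with clone access can still recover those values; the credentials now stored under `kv/data/oys/bab-appwrite` should be rotated rather than only relocated, and that rotation (or a history rewrite) belongs under Open Questions instead of the current `None`. Related, `appwrite_traefik_trusted_ips: "192.168.0.0/22"` feeds both `forwardedHeaders.trustedIPs` and `proxyProtocol.trustedIPs`, so any host on that /22, not only HAProxy, can set the client address Appwrite sees; consider narrowing it to the HAProxy addresses and recording the trade-off in the Decisions table.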