---
name: Appwrite domain target fix and idempotency
description: Corrections to previous session's diagnosis and compose download idempotency
type: decision
date: 2026-03-14
---

## Decisions / Corrections

### _APP_DOMAIN_TARGET_CNAME (CORRECTS previous handoff)

Previous session recorded: `_APP_DOMAIN_TARGET` added to fix null Domain crash.

**That was wrong.** `_APP_DOMAIN_TARGET` is deprecated since Appwrite 1.7.0.
The compose file's `environment:` blocks pass only:
- `_APP_DOMAIN_TARGET_CNAME`
- `_APP_DOMAIN_TARGET_A`
- `_APP_DOMAIN_TARGET_AAAA`
- `_APP_DOMAIN_TARGET_CAA`

`_APP_DOMAIN_TARGET` is never injected into containers. It was silently ignored.

**Fix:** Replaced `_APP_DOMAIN_TARGET` with `_APP_DOMAIN_TARGET_CNAME` in
`playbooks/templates/appwrite.env.j2`. Added `_APP_DOMAIN_TARGET_CAA` (default: '').
`_APP_DOMAIN_TARGET_CNAME` defaults to `appwrite_domain` (appwrite.toal.ca).

**Why:** PHP `console.php:49` constructs a Domain object from `_APP_DOMAIN_TARGET_CNAME`.
Null → TypeError crash on every `/v1/console/variables` request.

### get_url force: true removed (idempotency)

`force: true` on the compose download caused the task to always report `changed`,
triggering a service restart on every playbook run.

**Fix:** Removed `force: true` from `playbooks/install_appwrite.yml` get_url task.
File is now only downloaded if absent. Upgrade playbook handles re-downloads.

## State After This Session

- Appwrite console loads without error ✅
- Stack running on bab1.mgmt.toal.ca ✅
- install_appwrite.yml is idempotent ✅
- node_exporter install: complete, metrics confirmed ✅
- bootstrap_appwrite.yml: project + API key creation working ✅
  - API key stored at kv/oys/bab-appwrite-api-key

## bootstrap_appwrite.yml — Key Decisions

| Decision | Rationale |
|----------|-----------|
| No account creation task | Appwrite only grants console owner role via web UI signup, not REST API |
| JWT required for console API | Session cookie alone gives `role: users`; JWT carries team membership claims including `projects.write` |
| teamId fetched dynamically | Appwrite 1.8.x requires teamId in POST /v1/projects; use teams[0]['$id'] from GET /v1/teams |
| `$id` via bracket notation | Jinja2 treats `$` as special; dot notation fails |
| vault_kv2_write (not vault_kv2_put) | No put module in community.hashi_vault; no patch operation — dedicated path avoids clobbering other secrets |
| Dedicated Vault path kv/oys/bab-appwrite-api-key | Separate from env config secrets to avoid full-overwrite on re-run |