56 lines
2.5 KiB
Markdown
56 lines
2.5 KiB
Markdown
---
|
|
name: Appwrite domain target fix and idempotency
|
|
description: Corrections to previous session's diagnosis and compose download idempotency
|
|
type: decision
|
|
date: 2026-03-14
|
|
---
|
|
|
|
## Decisions / Corrections
|
|
|
|
### _APP_DOMAIN_TARGET_CNAME (CORRECTS previous handoff)
|
|
|
|
Previous session recorded: `_APP_DOMAIN_TARGET` added to fix null Domain crash.
|
|
|
|
**That was wrong.** `_APP_DOMAIN_TARGET` is deprecated since Appwrite 1.7.0.
|
|
The compose file's `environment:` blocks pass only:
|
|
- `_APP_DOMAIN_TARGET_CNAME`
|
|
- `_APP_DOMAIN_TARGET_A`
|
|
- `_APP_DOMAIN_TARGET_AAAA`
|
|
- `_APP_DOMAIN_TARGET_CAA`
|
|
|
|
`_APP_DOMAIN_TARGET` is never injected into containers. It was silently ignored.
|
|
|
|
**Fix:** Replaced `_APP_DOMAIN_TARGET` with `_APP_DOMAIN_TARGET_CNAME` in
|
|
`playbooks/templates/appwrite.env.j2`. Added `_APP_DOMAIN_TARGET_CAA` (default: '').
|
|
`_APP_DOMAIN_TARGET_CNAME` defaults to `appwrite_domain` (appwrite.toal.ca).
|
|
|
|
**Why:** PHP `console.php:49` constructs a Domain object from `_APP_DOMAIN_TARGET_CNAME`.
|
|
Null → TypeError crash on every `/v1/console/variables` request.
|
|
|
|
### get_url force: true removed (idempotency)
|
|
|
|
`force: true` on the compose download caused the task to always report `changed`,
|
|
triggering a service restart on every playbook run.
|
|
|
|
**Fix:** Removed `force: true` from `playbooks/install_appwrite.yml` get_url task.
|
|
File is now only downloaded if absent. Upgrade playbook handles re-downloads.
|
|
|
|
## State After This Session
|
|
|
|
- Appwrite console loads without error ✅
|
|
- Stack running on bab1.mgmt.toal.ca ✅
|
|
- install_appwrite.yml is idempotent ✅
|
|
- node_exporter install: complete, metrics confirmed ✅
|
|
- bootstrap_appwrite.yml: project + API key creation working ✅
|
|
- API key stored at kv/oys/bab-appwrite-api-key
|
|
|
|
## bootstrap_appwrite.yml — Key Decisions
|
|
|
|
| Decision | Rationale |
|
|
|----------|-----------|
|
|
| No account creation task | Appwrite only grants console owner role via web UI signup, not REST API |
|
|
| JWT required for console API | Session cookie alone gives `role: users`; JWT carries team membership claims including `projects.write` |
|
|
| teamId fetched dynamically | Appwrite 1.8.x requires teamId in POST /v1/projects; use teams[0]['$id'] from GET /v1/teams |
|
|
| `$id` via bracket notation | Jinja2 treats `$` as special; dot notation fails |
|
|
| vault_kv2_write (not vault_kv2_put) | No put module in community.hashi_vault; no patch operation — dedicated path avoids clobbering other secrets |
|
|
| Dedicated Vault path kv/oys/bab-appwrite-api-key | Separate from env config secrets to avoid full-overwrite on re-run | |