bab-backend-ansible/playbooks/tasks/patch_appwrite_compose.yml

---
# Applies site-specific customizations to docker-compose.yml after it has been
# written by the Appwrite upgrade container or downloaded fresh during install.
#
# Required variables (define in calling play):
#   appwrite_dir          - absolute path to the appwrite directory on the host
#   appwrite_socket       - host path to the container socket
#   appwrite_web_port     - host port to map to container port 80  (default 8080)
#   appwrite_websecure_port - host port to map to container port 443 (default 8443)
#   appwrite_traefik_trusted_ips - CIDRs Traefik trusts for X-Forwarded-For (default 0.0.0.0/0)
#
# Notifies: "Restart appwrite service" — must be defined in the calling play.

- name: Pin Traefik image to minimum compatible version
  # traefik:2.11 (without patch) is incompatible with Docker Engine >= 29.
  ansible.builtin.replace:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    regexp: 'image: traefik:.*'
    replace: "image: traefik:{{ appwrite_traefik_version | default('2.11.31') }}"
  notify: Restart appwrite service

- name: Replace dev build image with official appwrite image
  # The downloaded compose may contain image: appwrite-dev with a build: stanza
  # for local source builds. Replace with the pinned official image.
  ansible.builtin.replace:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    regexp: 'image: appwrite-dev'
    replace: "image: appwrite/appwrite:{{ appwrite_version }}"
  notify: Restart appwrite service

- name: Remap traefik HTTP port
  ansible.builtin.replace:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    regexp: '- "?80:80"?'
    replace: "- {{ appwrite_web_port }}:80"
  notify: Restart appwrite service

- name: Remap traefik HTTPS port
  ansible.builtin.replace:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    regexp: '- "?443:443"?'
    replace: "- {{ appwrite_websecure_port }}:443"
  notify: Restart appwrite service

- name: Trust X-Forwarded-For from HAProxy on appwrite_web entrypoint
  ansible.builtin.lineinfile:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    line: "      - --entrypoints.appwrite_web.forwardedHeaders.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
    insertafter: '.*entrypoints\.appwrite_web\.address.*'
    state: present
  notify: Restart appwrite service

- name: Accept PROXY protocol v2 from HAProxy on appwrite_web entrypoint
  ansible.builtin.lineinfile:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    line: "      - --entrypoints.appwrite_web.proxyProtocol.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
    insertafter: '.*entrypoints\.appwrite_web\.address.*'
    state: present
  notify: Restart appwrite service

- name: Trust X-Forwarded-For from HAProxy on appwrite_websecure entrypoint
  ansible.builtin.lineinfile:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    line: "      - --entrypoints.appwrite_websecure.forwardedHeaders.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
    insertafter: '.*entrypoints\.appwrite_websecure\.address.*'
    state: present
  notify: Restart appwrite service

- name: Accept PROXY protocol v2 from HAProxy on appwrite_websecure entrypoint
  ansible.builtin.lineinfile:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    line: "      - --entrypoints.appwrite_websecure.proxyProtocol.trustedIPs={{ appwrite_traefik_trusted_ips | default('0.0.0.0/0') }}"
    insertafter: '.*entrypoints\.appwrite_websecure\.address.*'
    state: present
  notify: Restart appwrite service

- name: Add host tmp mount to openruntimes-executor for docker file sharing
  # Inserts after the last occurrence of appwrite-builds:/storage/builds:rw,
  # which is in the openruntimes-executor volumes section.
  ansible.builtin.lineinfile:
    path: "{{ appwrite_dir }}/docker-compose.yml"
    line: "      - {{ appwrite_dir }}/tmp:/tmp:z"
    insertafter: "appwrite-builds:/storage/builds:rw"
    state: present
  notify: Restart appwrite service