bab-backend-ansible/docs/summaries/decisions-2026-03-14-domain-target-fix.md


| name | description | type | date |
| --- | --- | --- | --- |
| Appwrite domain target fix and idempotency | Corrections to previous session's diagnosis and compose download idempotency | decision | 2026-03-14 |

Decisions / Corrections

_APP_DOMAIN_TARGET_CNAME (CORRECTS previous handoff)

Previous session recorded: _APP_DOMAIN_TARGET added to fix null Domain crash.

That was wrong. _APP_DOMAIN_TARGET is deprecated since Appwrite 1.7.0. The compose file's environment: blocks pass only:

  • _APP_DOMAIN_TARGET_CNAME
  • _APP_DOMAIN_TARGET_A
  • _APP_DOMAIN_TARGET_AAAA
  • _APP_DOMAIN_TARGET_CAA

_APP_DOMAIN_TARGET is never injected into containers. It was silently ignored.

Fix: Replaced _APP_DOMAIN_TARGET with _APP_DOMAIN_TARGET_CNAME in playbooks/templates/appwrite.env.j2. Added _APP_DOMAIN_TARGET_CAA (default: ''). _APP_DOMAIN_TARGET_CNAME defaults to appwrite_domain (appwrite.toal.ca).

Why: PHP console.php:49 constructs a Domain object from _APP_DOMAIN_TARGET_CNAME. Null → TypeError crash on every /v1/console/variables request.
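A check for this class of mistake, as an added example that is not part of the original repository: it compares the keys a rendered env file defines against the names the compose file's environment: blocks pass through, and reports keys that are set but never injected as well as names that are injected but never set. The sample compose text, the sample env file, and the function names are constructed for illustration, and the parser assumes environment entries are indented deeper than their key.

```python
import re

# Constructed samples, not the project's real compose file or rendered .env.
COMPOSE = """\
services:
  appwrite:
    environment:
      - _APP_DOMAIN
      - _APP_DOMAIN_TARGET_CNAME
      - _APP_DOMAIN_TARGET_A
      - _APP_DOMAIN_TARGET_AAAA
      - _APP_DOMAIN_TARGET_CAA
    volumes:
      - appwrite-config:/storage/config
"""
ENV_FILE = """\
_APP_DOMAIN=appwrite.example.test
_APP_DOMAIN_TARGET=appwrite.example.test
_APP_DOMAIN_TARGET_CAA=
"""

ENTRY = re.compile(r"\s*(?:-\s*)?([A-Za-z_][A-Za-z0-9_]*)\s*(?:[=:].*)?$")

def compose_env_names(text):
    """Names listed under any `environment:` key (list or mapping form)."""
    names, block = set(), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "environment:":
            block = indent
        elif block is not None and indent <= block:
            block = None                      # dedent: the block has ended
        elif block is not None and (m := ENTRY.match(line)):
            names.add(m.group(1))
    return names

def env_file_keys(text):
    """Keys defined in a KEY=VALUE env file (empty values count as defined)."""
    lines = (l.strip() for l in text.splitlines())
    return {l.split("=", 1)[0].strip() for l in lines if "=" in l and not l.startswith("#")}

def audit(compose_text, env_text):
    """Return (ignored, missing): keys set but never passed, and passed but never set."""
    passed, defined = compose_env_names(compose_text), env_file_keys(env_text)
    return sorted(defined - passed), sorted(passed - defined)

if __name__ == "__main__":
    print(audit(COMPOSE, ENV_FILE))
```

Run against the real compose file and rendered env file before a deploy; a non-empty first list is the situation described above, where a variable is set but silently ignored.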

get_url force: true removed (idempotency)

force: true on the compose download caused the task to always report changed, triggering a service restart on every playbook run.

Fix: Removed force: true from playbooks/install_appwrite.yml get_url task. File is now only downloaded if absent. Upgrade playbook handles re-downloads.

State After This Session

  • Appwrite console loads without error
  • Stack running on bab1.mgmt.toal.ca
  • install_appwrite.yml is idempotent
  • node_exporter install: complete, metrics confirmed
  • bootstrap_appwrite.yml: project + API key creation working
    • API key stored at kv/oys/bab-appwrite-api-key

bootstrap_appwrite.yml — Key Decisions

| Decision | Rationale |
| --- | --- |
| No account creation task | Appwrite only grants console owner role via web UI signup, not REST API |
| JWT required for console API | Session cookie alone gives role: users; JWT carries team membership claims including projects.write |
| teamId fetched dynamically | Appwrite 1.8.x requires teamId in POST /v1/projects; use teams[0]['$id'] from GET /v1/teams |
| $id via bracket notation | Jinja2 treats $ as special; dot notation fails |
| vault_kv2_write (not vault_kv2_put) | No put module in community.hashi_vault; no patch operation — dedicated path avoids clobbering other secrets |
| Dedicated Vault path kv/oys/bab-appwrite-api-key | Separate from env config secrets to avoid full-overwrite on re-run |