From b9d30f3e60a60c332d17c126833842b978d31490 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:04:36 -0500 Subject: [PATCH 01/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 11ac1c9..350c6cc 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -48,6 +48,8 @@ jobs: - name: Test template using copier-template-tester run: | docker container ps + ping -c 4 external-db + docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers run: | From 31fbfb18c741a4fea87e6d62284c0137cdf6e9a1 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:08:48 -0500 Subject: [PATCH 02/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 350c6cc..2c65714 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -48,8 +48,8 @@ jobs: - name: Test template using copier-template-tester run: | docker container ps - ping -c 4 external-db docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" + ping -c 4 external-db uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers run: | From c07c728ab3b05f116f04cc6f09ed857ec7d0404d Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:12:24 -0500 Subject: [PATCH 03/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2c65714..69c2bb7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -36,6 +36,8 @@ jobs: - 3307:3306 env: MARIADB_ROOT_PASSWORD: root-password + # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container + container: alpine steps: - uses: actions/checkout@v6.0.1 with: From e3b6c309039436a4ca50588430ea1573b8c53421 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:15:53 -0500 Subject: [PATCH 04/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 69c2bb7..61b0943 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -37,7 +37,7 @@ jobs: env: MARIADB_ROOT_PASSWORD: root-password # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container - container: alpine + container: docker steps: - uses: actions/checkout@v6.0.1 with: From b87d948362d65124407795029226a0a476a6e803 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:17:38 -0500 Subject: [PATCH 05/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 61b0943..ef12918 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -50,8 +50,8 @@ jobs: - name: Test template using copier-template-tester run: | docker container ps - docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" ping -c 4 external-db + docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers run: | From e785d0958f290402f55fb84b74dd7987efa955cb Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:18:59 -0500 Subject: [PATCH 06/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ef12918..5e21b26 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -37,7 +37,7 @@ jobs: env: MARIADB_ROOT_PASSWORD: root-password # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container - container: docker + container: docker:dind steps: - uses: actions/checkout@v6.0.1 with: From fa2be5d80253c793472b3b1df9449b906285357c Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:23:31 -0500 Subject: [PATCH 07/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 5e21b26..0a0a937 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -37,7 +37,10 @@ jobs: env: MARIADB_ROOT_PASSWORD: root-password # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container - container: docker:dind + container: + image: docker:29 + volumes: + - /var/run/docker.sock:/var/run/docker.sock steps: - uses: actions/checkout@v6.0.1 with: From 83e4f5d378b96c8ba5ac8a9aa9a825d5d38ce504 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:28:58 -0500 Subject: [PATCH 08/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0a0a937..5d6b280 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -53,6 +53,7 @@ jobs: - name: Test template using copier-template-tester run: | docker container ps + docker network ls ping -c 4 external-db docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt From a3cadddcc97081494c359d3d6f5885eb8eead2a1 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:33:27 -0500 Subject: [PATCH 09/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 5d6b280..b8016dd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -39,8 +39,9 @@ jobs: # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container container: image: docker:29 - volumes: - - /var/run/docker.sock:/var/run/docker.sock + # volumes: + # - /var/run/docker.sock:/var/run/docker.sock + options: "--add-host external-db:host-gateway" steps: - uses: actions/checkout@v6.0.1 with: 
@@ -52,6 +53,7 @@ jobs: version: "0.9.26" - name: Test template using copier-template-tester run: | + cat /etc/hosts docker container ps docker network ls ping -c 4 external-db From 1d4bed76717b44c79ecca60b637b4df45366633c Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:35:25 -0500 Subject: [PATCH 10/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b8016dd..ea2ee98 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -41,7 +41,7 @@ jobs: image: docker:29 # volumes: # - /var/run/docker.sock:/var/run/docker.sock - options: "--add-host external-db:host-gateway" + # options: "--add-host external-db:host-gateway" steps: - uses: actions/checkout@v6.0.1 with: From 3317c215d34802acda95b8e0e5c783ba3e453533 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:39:33 -0500 Subject: [PATCH 11/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ea2ee98..f23b06a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -53,6 +53,9 @@ jobs: version: "0.9.26" - name: Test template using copier-template-tester run: | + cat /etc/hosts + DB_IP=$(dig +short external-db) + echo "$DB_IP external-db" >> /etc/hosts cat /etc/hosts docker container ps docker network ls From ccc3ca6aa1baffc338a53bf299ddb519313e741d Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:41:56 -0500 Subject: [PATCH 12/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f23b06a..f88713d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -53,6 +53,7 @@ jobs: version: "0.9.26" - name: Test template using copier-template-tester run: | + apk add --no-cache bind-tools cat /etc/hosts DB_IP=$(dig +short external-db) echo "$DB_IP external-db" >> /etc/hosts From 274dfa2e7e8a541bd97bc4c59385c1a18faf2fd9 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:43:57 -0500 Subject: [PATCH 13/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f88713d..0fe3a37 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -61,7 +61,7 @@ jobs: docker container ps docker network ls ping -c 4 external-db - docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" + docker run --rm --interactive --add-host "external-db:$DB_IP" alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers run: | From 47810cd9f2d41f41de4a3147958e1cdb0e49cebb Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:46:34 -0500 Subject: [PATCH 14/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0fe3a37..a38e3d6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -41,7 +41,7 @@ jobs: image: docker:29 # volumes: # - /var/run/docker.sock:/var/run/docker.sock - # options: "--add-host external-db:host-gateway" + options: "--add-host external-db:external-db" steps: - uses: actions/checkout@v6.0.1 with: From beaf2f3e08cbeec7949e5a83b0bb2b756d5faa49 Mon Sep 17 00:00:00 2001 
From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:49:09 -0500 Subject: [PATCH 15/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a38e3d6..5d97b6c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -41,7 +41,7 @@ jobs: image: docker:29 # volumes: # - /var/run/docker.sock:/var/run/docker.sock - options: "--add-host external-db:external-db" + options: "--add-host external-db:$(dig +short external-db)" steps: - uses: actions/checkout@v6.0.1 with: From 32c12c4fcc9f6190bb379bd7d65a526ca15fa009 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:51:01 -0500 Subject: [PATCH 16/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 5d97b6c..6f44c27 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -39,9 +39,7 @@ jobs: # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container container: image: docker:29 - # volumes: - # - /var/run/docker.sock:/var/run/docker.sock - options: "--add-host external-db:$(dig +short external-db)" + options: "--add-host external-db:172.18.0.3" steps: - uses: actions/checkout@v6.0.1 with: @@ -61,7 +59,7 @@ jobs: docker container ps docker network ls ping -c 4 external-db - docker run --rm --interactive --add-host "external-db:$DB_IP" alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" + docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers run: | 
From 8aa71a59a0ab3dc71340ec623bbda1d8448cd3d4 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 16:57:10 -0500 Subject: [PATCH 17/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 10 +------ ctt.toml | 57 ++++++++++++++++++++++----------------- 2 files changed, 33 insertions(+), 34 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6f44c27..8dcde6b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -39,7 +39,6 @@ jobs: # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container container: image: docker:29 - options: "--add-host external-db:172.18.0.3" steps: - uses: actions/checkout@v6.0.1 with: @@ -52,14 +51,7 @@ jobs: - name: Test template using copier-template-tester run: | apk add --no-cache bind-tools - cat /etc/hosts - DB_IP=$(dig +short external-db) - echo "$DB_IP external-db" >> /etc/hosts - cat /etc/hosts - docker container ps - docker network ls - ping -c 4 external-db - docker run --rm --interactive alpine sh -c "apk add --no-cache iputils-ping && ping -c 4 external-db && exit 1" + # DB_IP=$(dig +short external-db) uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers run: | diff --git a/ctt.toml b/ctt.toml index 7dba317..536b35b 100644 --- a/ctt.toml +++ b/ctt.toml 
@@ -15,33 +15,40 @@ _extra_tasks = [ "docker compose down", ] -[output.".ctt/defaults"] -_extra_tasks = [ - "uv run tests/admin_login.py '{{ admin_password }}'", - "uv run tests/system_user_login.py '{{ labs_password }}'", - "uv run tests/labs_basic_auth.py '{{ labs_password }}'", - "uv run tests/validate_token.py admin_token {{ admin_token }}", - "uv run tests/validate_token.py listener_token {{ listener_token }}", - "uv run tests/validate_token.py listener_registration_token {{ listener_registration_token }}", - "uv run tests/validate_token.py interface_engine_token {{ interface_engine_token }}", - # need to set legacy DBs to test mode so that refresh_data script can run - "docker compose run --rm db-management python -m db_management.run_sql_scripts OpalDB db_management/opaldb/data/test/testmode/", - "docker compose run --rm db-management python -m db_management.run_sql_scripts QuestionnaireDB db_management/questionnairedb/data/test/testmode/", - "scripts/refresh_data.sh OMI", - "docker compose down", -] +# [output.".ctt/defaults"] +# _extra_tasks = [ +# "uv run tests/admin_login.py '{{ admin_password }}'", +# "uv run tests/system_user_login.py '{{ labs_password }}'", +# "uv run tests/labs_basic_auth.py '{{ labs_password }}'", +# "uv run tests/validate_token.py admin_token {{ admin_token }}", +# "uv run tests/validate_token.py listener_token {{ listener_token }}", +# "uv run tests/validate_token.py listener_registration_token {{ listener_registration_token }}", +# "uv run tests/validate_token.py interface_engine_token {{ interface_engine_token }}", +# # need to set legacy DBs to test mode so that refresh_data script can run +# "docker compose run --rm db-management python -m db_management.run_sql_scripts OpalDB db_management/opaldb/data/test/testmode/", +# "docker compose run --rm db-management python -m db_management.run_sql_scripts QuestionnaireDB db_management/questionnairedb/data/test/testmode/", +# "scripts/refresh_data.sh OMI", +# "docker compose down", +# 
] -# the tests are excluded -[output.".ctt/no_test"] -is_test = false -_extra_tasks = [ - "! ls tests", - "docker compose down", -] +# # the tests are excluded +# [output.".ctt/no_test"] +# is_test = false +# _extra_tasks = [ +# "! ls tests", +# "docker compose down", +# ] + +# # DB on same host +# [output.".ctt/db_same_host"] +# db_host_type = "same_server" +# db_port = 3307 +# db_root_user = "root" +# db_root_password = "root-password" -# DB on same host -[output.".ctt/db_same_host"] -db_host_type = "same_server" +# DB on a different server requires a db_host +[output.".ctt/db_different_server"] +db_host_type = "separate_server" db_port = 3307 db_root_user = "root" db_root_password = "root-password" From 7fdac54d57d6b80c5122d640169399e96d06cfb7 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Mon, 26 Jan 2026 17:04:28 -0500 Subject: [PATCH 18/31] test: add test for separate_server option --- .github/workflows/ci.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8dcde6b..4aed18d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -37,8 +37,8 @@ jobs: env: MARIADB_ROOT_PASSWORD: root-password # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container - container: - image: docker:29 + # container: + # image: docker:29 steps: - uses: actions/checkout@v6.0.1 with: @@ -50,7 +50,7 @@ jobs: version: "0.9.26" - name: Test template using copier-template-tester run: | - apk add --no-cache bind-tools + # apk add --no-cache bind-tools # DB_IP=$(dig +short external-db) uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers From b22419e8ceaaee20e8031623d33d8a49aa19be3c Mon Sep 17 00:00:00 2001 
From: Matthias Schoettle Date: Mon, 26 Jan 2026 17:08:02 -0500 Subject: [PATCH 19/31] test: add test for separate_server option --- ctt.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ctt.toml b/ctt.toml index 536b35b..439750f 100644 --- a/ctt.toml +++ b/ctt.toml @@ -49,6 +49,9 @@ _extra_tasks = [ # DB on a different server requires a db_host [output.".ctt/db_different_server"] db_host_type = "separate_server" +# use the service container to pretend it is a separate server +# very tricky to test in CI with a dedicated hostname +db_host = "host.docker.internal" db_port = 3307 db_root_user = "root" db_root_password = "root-password" From c83089cf478c3c91e55355b72a6648724e4b20bb Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 14:21:22 -0500 Subject: [PATCH 20/31] add host.docker.internal during test --- compose.yaml.jinja | 8 ++++---- copier.yaml | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/compose.yaml.jinja b/compose.yaml.jinja index 9a54336..3514c74 100644 --- a/compose.yaml.jinja +++ b/compose.yaml.jinja @@ -57,7 +57,7 @@ services: {% if db_host_type == "container" -%} depends_on: - db - {%- elif db_host_type == "same_server" -%} + {%- elif db_host_type == "same_server" or is_test -%} extra_hosts: - "host.docker.internal:host-gateway" {%- endif %} @@ -98,7 +98,7 @@ services: {% if db_host_type == "container" -%} depends_on: - db - {%- elif db_host_type == "same_server" -%} + {%- elif db_host_type == "same_server" or is_test -%} extra_hosts: - "host.docker.internal:host-gateway" {%- endif %} @@ -135,7 +135,7 @@ services: {% if db_host_type == "container" -%} depends_on: - db - {%- elif db_host_type == "same_server" -%} + {%- elif db_host_type == "same_server" or is_test -%} extra_hosts: - "host.docker.internal:host-gateway" {%- endif %} 
@@ -170,7 +170,7 @@ services: {% if db_host_type == "container" -%} depends_on: - db - {%- elif db_host_type == "same_server" -%} + {%- elif db_host_type == "same_server" or is_test -%} extra_hosts: - "host.docker.internal:host-gateway" {%- endif %} diff --git a/copier.yaml b/copier.yaml index db2c1a8..34115c0 100644 --- a/copier.yaml +++ b/copier.yaml @@ -257,6 +257,9 @@ _message_after_copy: | _tasks: # validation + - "echo Checking that the compose file has no warnings" + # - command: | + # docker compose config --quiet 2>&1 | grep --invert warning - "echo Checking that required files are provided" - command: | echo Firebase admin key missing at {{ extra_files + '/firebase-admin-key.json' }} From 60e0fb6b8eebaf7ae0831cf74682b339caaa13fa Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 14:28:54 -0500 Subject: [PATCH 21/31] unset default value of use_custom_certs when the user should decide --- copier.yaml | 11 ++++++++--- ctt.toml | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/copier.yaml b/copier.yaml index 34115c0..1f15a24 100644 --- a/copier.yaml +++ b/copier.yaml @@ -162,7 +162,12 @@ db_use_adminer: use_custom_certs: type: bool help: Do you need to use a custom CA file to verify HTTPS and DB connections? - default: false + default: |- + {% if certificate_type == 'file' or db_use_tls -%} + {{ UNSET }} + {%- else -%} + false + {%- endif %} when: "{{ certificate_type == 'file' or db_use_tls }}" use_ofelia: @@ -258,8 +263,8 @@ _message_after_copy: | _tasks: # validation - "echo Checking that the compose file has no warnings" - # - command: | - # docker compose config --quiet 2>&1 | grep --invert warning + - command: | + docker compose config --quiet 2>&1 | grep --invert warning - "echo Checking that required files are provided" - command: | echo Firebase admin key missing at {{ extra_files + '/firebase-admin-key.json' }} diff --git a/ctt.toml b/ctt.toml index 439750f..e4afc9a 100644 --- a/ctt.toml +++ b/ctt.toml 
@@ -55,3 +55,4 @@ db_host = "host.docker.internal" db_port = 3307 db_root_user = "root" db_root_password = "root-password" +use_custom_certs = false From 5330f7e85c889d5090f6dce820e2b300b4c56a24 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 14:32:48 -0500 Subject: [PATCH 22/31] ensure that warnings show up --- copier.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/copier.yaml b/copier.yaml index 1f15a24..e38d4b3 100644 --- a/copier.yaml +++ b/copier.yaml @@ -264,6 +264,7 @@ _tasks: # validation - "echo Checking that the compose file has no warnings" - command: | + docker compose config --quiet docker compose config --quiet 2>&1 | grep --invert warning - "echo Checking that required files are provided" - command: | From 5c61e4bd3bdf5abf5075b92ea9d5c86f01ddb7ed Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 14:55:26 -0500 Subject: [PATCH 23/31] add check to ensure that compose config shows no errors or warnings --- .env.jinja | 2 ++ copier.yaml | 9 +++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.env.jinja b/.env.jinja index 99f25f4..4c11fe6 100644 --- a/.env.jinja +++ b/.env.jinja @@ -22,6 +22,8 @@ DB_ROOT_PASSWORD="{{ db_root_password }}" DB_USE_TLS={{ db_use_tls | int }} {% if use_custom_certs -%} DB_CERTS=/certs/db-certs.crt +{%- else -%} +DB_CERTS=/etc/ssl/certs/ca-certificates.crt {%- endif %} SOURCE_SYSTEM_HOST= diff --git a/copier.yaml b/copier.yaml index e38d4b3..a0dd39e 100644 --- a/copier.yaml +++ b/copier.yaml 
@@ -264,8 +264,13 @@ _tasks: # validation - "echo Checking that the compose file has no warnings" - command: | - docker compose config --quiet - docker compose config --quiet 2>&1 | grep --invert warning + if docker compose config --quiet 2>&1 | grep --quiet level=; then + echo compose config has errors or warnings + docker compose config --quiet 2>&1 + exit 1 + else + echo compose config has no errors or warnings + fi - "echo Checking that required files are provided" - command: | echo Firebase admin key missing at {{ extra_files + '/firebase-admin-key.json' }} From 5813780e3faa40f4ddd839c8ce224220cd0d8f28 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 14:59:10 -0500 Subject: [PATCH 24/31] disable DB TLS for test --- ctt.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ctt.toml b/ctt.toml index e4afc9a..ffcdd01 100644 --- a/ctt.toml +++ b/ctt.toml @@ -55,4 +55,7 @@ db_host = "host.docker.internal" db_port = 3307 db_root_user = "root" db_root_password = "root-password" +# force no TLS during test, requires certificate otherwise +# TODO: add test case with TLS enabled +db_use_tls = false use_custom_certs = false From 997ab5d65c9b5a1c8eebbc40212a5a431103b38e Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 15:36:57 -0500 Subject: [PATCH 25/31] remove test code --- .github/workflows/ci.yaml | 5 ---- ctt.toml | 56 +++++++++++++++++++-------------------- 2 files changed, 28 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4aed18d..3465c06 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -36,9 +36,6 @@ jobs: - 3307:3306 env: MARIADB_ROOT_PASSWORD: root-password - # https://docs.github.com/en/actions/tutorials/use-containerized-services/use-docker-service-containers#running-jobs-in-a-container - # container: - # image: docker:29 steps: - uses: actions/checkout@v6.0.1 with: 
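Review bot: In the `_tasks` validation command of copier.yaml, pass or fail is decided only by `grep --quiet level=`, so the exit status of `docker compose config` is discarded; an error whose message lacks `level=` would print "compose config has no errors or warnings". The command is also run a second time just to show its output. Running it once, keeping both the output and the status, and failing on either a non-zero exit or a `level=` match closes the gap. The `_tasks` list starts and continues outside the hunk.

```yaml
  - command: |
      # run once; keep both the exit status and the combined output
      if ! output=$(docker compose config --quiet 2>&1) || printf '%s\n' "$output" | grep --quiet level=; then
        echo compose config has errors or warnings
        printf '%s\n' "$output"
        exit 1
      fi
      echo compose config has no errors or warnings
```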
@@ -50,8 +47,6 @@ jobs: version: "0.9.26" - name: Test template using copier-template-tester run: | - # apk add --no-cache bind-tools - # DB_IP=$(dig +short external-db) uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt - name: Show running containers run: | diff --git a/ctt.toml b/ctt.toml index ffcdd01..be148e2 100644 --- a/ctt.toml +++ b/ctt.toml 
@@ -15,36 +15,36 @@ _extra_tasks = [ "docker compose down", ] -# [output.".ctt/defaults"] -# _extra_tasks = [ -# "uv run tests/admin_login.py '{{ admin_password }}'", -# "uv run tests/system_user_login.py '{{ labs_password }}'", -# "uv run tests/labs_basic_auth.py '{{ labs_password }}'", -# "uv run tests/validate_token.py admin_token {{ admin_token }}", -# "uv run tests/validate_token.py listener_token {{ listener_token }}", -# "uv run tests/validate_token.py listener_registration_token {{ listener_registration_token }}", -# "uv run tests/validate_token.py interface_engine_token {{ interface_engine_token }}", -# # need to set legacy DBs to test mode so that refresh_data script can run -# "docker compose run --rm db-management python -m db_management.run_sql_scripts OpalDB db_management/opaldb/data/test/testmode/", -# "docker compose run --rm db-management python -m db_management.run_sql_scripts QuestionnaireDB db_management/questionnairedb/data/test/testmode/", -# "scripts/refresh_data.sh OMI", -# "docker compose down", -# ] +[output.".ctt/defaults"] +_extra_tasks = [ + "uv run tests/admin_login.py '{{ admin_password }}'", + "uv run tests/system_user_login.py '{{ labs_password }}'", + "uv run tests/labs_basic_auth.py '{{ labs_password }}'", + "uv run tests/validate_token.py admin_token {{ admin_token }}", + "uv run tests/validate_token.py listener_token {{ listener_token }}", + "uv run tests/validate_token.py listener_registration_token {{ listener_registration_token }}", + "uv run tests/validate_token.py interface_engine_token {{ interface_engine_token }}", + # need to set legacy DBs to test mode so that refresh_data script can run + "docker compose run --rm db-management python -m db_management.run_sql_scripts OpalDB db_management/opaldb/data/test/testmode/", + "docker compose run --rm db-management python -m db_management.run_sql_scripts QuestionnaireDB db_management/questionnairedb/data/test/testmode/", + "scripts/refresh_data.sh OMI", + "docker compose down", 
+] -# # the tests are excluded -# [output.".ctt/no_test"] -# is_test = false -# _extra_tasks = [ -# "! ls tests", -# "docker compose down", -# ] +# the tests are excluded +[output.".ctt/no_test"] +is_test = false +_extra_tasks = [ + "! ls tests", + "docker compose down", +] -# # DB on same host -# [output.".ctt/db_same_host"] -# db_host_type = "same_server" -# db_port = 3307 -# db_root_user = "root" -# db_root_password = "root-password" +# DB on same host +[output.".ctt/db_same_host"] +db_host_type = "same_server" +db_port = 3307 +db_root_user = "root" +db_root_password = "root-password" # DB on a different server requires a db_host [output.".ctt/db_different_server"] From c806a664ee4a3b0013881ea2474f722d3d23b3af Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 16:04:30 -0500 Subject: [PATCH 26/31] replace false with 0 --- ctt.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ctt.toml b/ctt.toml index be148e2..f4c1456 100644 --- a/ctt.toml +++ b/ctt.toml @@ -57,5 +57,5 @@ db_root_user = "root" db_root_password = "root-password" # force no TLS during test, requires certificate otherwise # TODO: add test case with TLS enabled -db_use_tls = false +db_use_tls = 0 use_custom_certs = false From aac022f67b1eb0e5af156c125ca7b7c4894e6349 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 16:15:20 -0500 Subject: [PATCH 27/31] add clean up DB script --- copier.yaml | 1 + ctt.toml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/copier.yaml b/copier.yaml index a0dd39e..bddeb0d 100644 --- a/copier.yaml +++ b/copier.yaml @@ -396,4 +396,5 @@ _exclude: - "zizmor.yml" # - "README.md" - extensions + - "{% if not is_test %}.ctt{% endif %}" - "{% if not is_test %}tests{% endif %}" diff --git a/ctt.toml b/ctt.toml index f4c1456..3ac46f9 100644 --- a/ctt.toml +++ b/ctt.toml 
@@ -45,6 +45,11 @@ db_host_type = "same_server" db_port = 3307 db_root_user = "root" db_root_password = "root-password" +_extra_tasks = [ + # need to clean up on existing DB server + "DB_ROOT_USER='{{ db_root_user }}' DB_ROOT_PASSWORD='{{ db_root_password }}' DB_HOST='{{ db_host }}' DB_PORT='{{ db_port }}' DB_USER='{{ db_user }}' DB_NAME=admin .ctt/scripts/cleanup_db.sh", + "docker compose down", +] # DB on a different server requires a db_host [output.".ctt/db_different_server"] From fa9c0d5fb1d27cc3bdb1fae200eb9a5248e6af82 Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 16:29:45 -0500 Subject: [PATCH 28/31] move cleanup script to scripts directory --- copier.yaml | 2 +- ctt.toml | 2 +- scripts/cleanup_db.sh | 18 ++++++++++++++++++ 3 files changed, 20 insertions(+), 2 deletions(-) create mode 100755 scripts/cleanup_db.sh diff --git a/copier.yaml b/copier.yaml index bddeb0d..b98b419 100644 --- a/copier.yaml +++ b/copier.yaml @@ -396,5 +396,5 @@ _exclude: - "zizmor.yml" # - "README.md" - extensions - - "{% if not is_test %}.ctt{% endif %}" + - "{% if not is_test %}scripts/cleanup_db.sh{% endif %}" - "{% if not is_test %}tests{% endif %}" diff --git a/ctt.toml b/ctt.toml index 3ac46f9..f0e651d 100644 --- a/ctt.toml +++ b/ctt.toml @@ -47,7 +47,7 @@ db_root_user = "root" db_root_password = "root-password" _extra_tasks = [ # need to clean up on existing DB server - "DB_ROOT_USER='{{ db_root_user }}' DB_ROOT_PASSWORD='{{ db_root_password }}' DB_HOST='{{ db_host }}' DB_PORT='{{ db_port }}' DB_USER='{{ db_user }}' DB_NAME=admin .ctt/scripts/cleanup_db.sh", + "DB_ROOT_USER='{{ db_root_user }}' DB_ROOT_PASSWORD='{{ db_root_password }}' DB_HOST='{{ db_host }}' DB_PORT='{{ db_port }}' DB_USER='{{ db_user }}' DB_NAME=admin ./scripts/cleanup_db.sh", "docker compose down", ] diff --git a/scripts/cleanup_db.sh b/scripts/cleanup_db.sh new file mode 100755 index 0000000..7fa4fe5 --- /dev/null +++ b/scripts/cleanup_db.sh 
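Review bot: The cleanup entry added to `_extra_tasks` under `[output.".ctt/db_same_host"]` renders `{{ db_root_password }}`, `{{ db_user }}` and the other answers into single-quoted shell assignments without escaping, so a value containing `'` would end the quoting and the remainder would be interpreted by the shell. The root password also becomes part of the task's command string, which may be echoed in CI output. The fixed values in this table make that harmless today; a comment such as `# answers are rendered into this shell command unescaped: keep test values free of quotes and never use real credentials here` would record the constraint. The PATCH 28 hunk for ctt.toml on this same line carries the same command with only the script path changed.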
@@ -0,0 +1,18 @@ +#!/bin/bash +set -euo pipefail + +echo "Connecting to DB server on ${DB_HOST}:${DB_PORT}..." +echo "Dropping databases..." +MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF' +DROP DATABASE IF EXISTS \`$DB_NAME\`; +DROP DATABASE IF EXISTS \`OpalDB\`; +DROP DATABASE IF EXISTS \`QuestionnaireDB\`; +EOIF +echo "Successfully dropped databases" +echo "Dropping DB user "${DB_USER}"..." +MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF' +DROP USER IF EXISTS '$DB_USER'@'%'; +FLUSH PRIVILEGES; +EOIF +echo "Successfully dropped DB user ${DB_USER}" +echo "Done!" From 9a4bc1c4e360a5aa6c71e1d7f60241ddcd0d9e2d Mon Sep 17 00:00:00 2001 From: Matthias Schoettle Date: Tue, 27 Jan 2026 16:35:43 -0500 Subject: [PATCH 29/31] switch to mysql command --- scripts/cleanup_db.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/cleanup_db.sh b/scripts/cleanup_db.sh index 7fa4fe5..167cf06 100755 --- a/scripts/cleanup_db.sh +++ b/scripts/cleanup_db.sh 
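Review bot: Both here-documents in the new scripts/cleanup_db.sh use the quoted delimiter `<<'EOIF'`, so `$DB_NAME` and `$DB_USER` reach the server literally and the `\`` sequences keep their backslashes; the template database and user are not the ones targeted, and the statements would likely be rejected. Using `<<EOIF` on both client calls lets the shell expand them. The `${DB_ROOT_PASSWORD}`, `${DB_ROOT_USER}`, `${DB_HOST}` and `${DB_PORT}` expansions are unquoted and should be wrapped in double quotes, and in `echo "Dropping DB user "${DB_USER}"..."` the inner quotes close the string around the variable. `--skip-ssl` leaves the root session unencrypted, which is presumably acceptable only against the CI service container. The PATCH 29 hunk keeps the same lines with only the client name changed.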
@@ -3,14 +3,14 @@ set -euo pipefail
 echo "Connecting to DB server on ${DB_HOST}:${DB_PORT}..."
 echo "Dropping databases..."
-MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
+MYSQL_PWD=${DB_ROOT_PASSWORD} mysql --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
 DROP DATABASE IF EXISTS \`$DB_NAME\`;
 DROP DATABASE IF EXISTS \`OpalDB\`;
 DROP DATABASE IF EXISTS \`QuestionnaireDB\`;
 EOIF
 echo "Successfully dropped databases"
 echo "Dropping DB user "${DB_USER}"..."
-MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
+MYSQL_PWD=${DB_ROOT_PASSWORD} mysql --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
 DROP USER IF EXISTS '$DB_USER'@'%';
 FLUSH PRIVILEGES;
 EOIF
From cf163e1e746f4fd1df93c6e6b36b7b94f4a27366 Mon Sep 17 00:00:00 2001
From: Matthias Schoettle
Date: Tue, 27 Jan 2026 16:49:17 -0500
Subject: [PATCH 30/31] run cleanup script in a container
---
 scripts/cleanup_db.sh | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/scripts/cleanup_db.sh b/scripts/cleanup_db.sh
index 167cf06..649fb5c 100755
--- a/scripts/cleanup_db.sh
+++ b/scripts/cleanup_db.sh
@@ -1,18 +1,34 @@
 #!/bin/bash
 set -euo pipefail
+# renovate: datasource=docker depName=alpine
+ALPINE_VERSION="3.23.2"
+
+echo "Running container for mysql-client..."
+docker run --rm --interactive \
+ --env DB_ROOT_USER=${DB_ROOT_USER} \
+ --env DB_ROOT_PASSWORD=${DB_ROOT_PASSWORD} \
+ --env DB_HOST=${DB_HOST} \
+ --env DB_USER=${DB_USER} \
+ --env DB_NAME=${DB_NAME} \
+ --network opal-${ENVIRONMENT} \
+ --add-host "host.docker.internal:host-gateway" \
+ alpine:${ALPINE_VERSION} sh -s << EOF
+set -euo pipefail
+apk add --no-cache mysql-client
 echo "Connecting to DB server on ${DB_HOST}:${DB_PORT}..."
 echo "Dropping databases..."
-MYSQL_PWD=${DB_ROOT_PASSWORD} mysql --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
+MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
 DROP DATABASE IF EXISTS \`$DB_NAME\`;
 DROP DATABASE IF EXISTS \`OpalDB\`;
 DROP DATABASE IF EXISTS \`QuestionnaireDB\`;
 EOIF
 echo "Successfully dropped databases"
-echo "Dropping DB user "${DB_USER}"..."
-MYSQL_PWD=${DB_ROOT_PASSWORD} mysql --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
+echo "Dropping DB user ${DB_USER}..."
+MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
 DROP USER IF EXISTS '$DB_USER'@'%';
 FLUSH PRIVILEGES;
 EOIF
 echo "Successfully dropped DB user ${DB_USER}"
+EOF
 echo "Done!"
From f050362dca250a10cea98e343faac1ccd691ac01 Mon Sep 17 00:00:00 2001
From: Matthias Schoettle
Date: Tue, 27 Jan 2026 16:54:11 -0500
Subject: [PATCH 31/31] add missing environment env variable
---
 ctt.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctt.toml b/ctt.toml
index f0e651d..10cceed 100644
--- a/ctt.toml
+++ b/ctt.toml
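Review bot: The outer here-document `<< EOF` is unquoted, so the host shell substitutes `${DB_ROOT_PASSWORD}`, `${DB_HOST}` and every other reference into the script text before `sh -s` reads it; the values become shell source inside the container, and one containing a quote, a space or a command substitution changes what runs there. That also leaves the `--env NAME=${NAME}` flags unused, while they put the root password into the `docker run` argument list, where other local users can read it from the process table, and `DB_PORT` is not forwarded at all. Quoting the outer delimiter and forwarding the variables by name keeps the values out of both the script text and the argument list; the inner delimiter then has to be unquoted so the container shell fills in the SQL. `apk add --no-cache mysql-client` installs an unpinned package on every run, which is worth a comment next to the Renovate pin.

```shell
# forwarded by name: the values stay out of docker's argument list
docker run --rm --interactive \
    --env DB_ROOT_USER \
    --env DB_ROOT_PASSWORD \
    --env DB_HOST \
    --env DB_PORT \
    --env DB_USER \
    --env DB_NAME \
    --network "opal-${ENVIRONMENT}" \
    --add-host "host.docker.internal:host-gateway" \
    "alpine:${ALPINE_VERSION}" sh -s << 'EOF'
# … unchanged: set -euo pipefail, apk add, echo lines …
MYSQL_PWD="${DB_ROOT_PASSWORD}" mariadb --protocol tcp --skip-ssl --user "${DB_ROOT_USER}" --host "${DB_HOST}" --port "${DB_PORT}" <<EOIF
# … unchanged: DROP DATABASE statements, EOIF; same change on the DROP USER invocation …
```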
@@ -47,7 +47,7 @@ db_root_user = "root"
 db_root_password = "root-password"
 _extra_tasks = [
 # need to clean up on existing DB server
- "DB_ROOT_USER='{{ db_root_user }}' DB_ROOT_PASSWORD='{{ db_root_password }}' DB_HOST='{{ db_host }}' DB_PORT='{{ db_port }}' DB_USER='{{ db_user }}' DB_NAME=admin ./scripts/cleanup_db.sh",
+ "ENVIRONMENT='{{ environment }}' DB_ROOT_USER='{{ db_root_user }}' DB_ROOT_PASSWORD='{{ db_root_password }}' DB_HOST='{{ db_host }}' DB_PORT='{{ db_port }}' DB_USER='{{ db_user }}' DB_NAME=admin ./scripts/cleanup_db.sh",
 "docker compose down",
 ]