test: add test for separate_server option

.env.jinja

@@ -22,6 +22,8 @@ DB_ROOT_PASSWORD="{{ db_root_password }}"
 DB_USE_TLS={{ db_use_tls | int }}
 {% if use_custom_certs -%}
 DB_CERTS=/certs/db-certs.crt
+{%- else -%}
+DB_CERTS=/etc/ssl/certs/ca-certificates.crt
 {%- endif %}
 
 SOURCE_SYSTEM_HOST=

.github/workflows/ci.yaml

@@ -47,7 +47,6 @@ jobs:
           version: "0.9.26"
       - name: Test template using copier-template-tester
         run: |
-          docker container ps
           uv run --with copier --with copier-templates-extensions --with bcrypt --with copier-template-tester ctt
       - name: Show running containers
         run: |

compose.yaml.jinja

@@ -57,7 +57,7 @@ services:
     {% if db_host_type == "container" -%}
     depends_on:
       - db
-    {%- elif db_host_type == "same_server" -%}
+    {%- elif db_host_type == "same_server" or is_test -%}
     extra_hosts:
       - "host.docker.internal:host-gateway"
     {%- endif %}
@@ -98,7 +98,7 @@ services:
     {% if db_host_type == "container" -%}
     depends_on:
       - db
-    {%- elif db_host_type == "same_server" -%}
+    {%- elif db_host_type == "same_server" or is_test -%}
     extra_hosts:
       - "host.docker.internal:host-gateway"
     {%- endif %}
@@ -135,7 +135,7 @@ services:
     {% if db_host_type == "container" -%}
     depends_on:
       - db
-    {%- elif db_host_type == "same_server" -%}
+    {%- elif db_host_type == "same_server" or is_test -%}
     extra_hosts:
       - "host.docker.internal:host-gateway"
     {%- endif %}
@@ -170,7 +170,7 @@ services:
     {% if db_host_type == "container" -%}
     depends_on:
       - db
-    {%- elif db_host_type == "same_server" -%}
+    {%- elif db_host_type == "same_server" or is_test -%}
     extra_hosts:
       - "host.docker.internal:host-gateway"
     {%- endif %}

copier.yaml

@@ -162,7 +162,12 @@ db_use_adminer:
 use_custom_certs:
   type: bool
   help: Do you need to use a custom CA file to verify HTTPS and DB connections?
-  default: false
+  default: |-
+    {% if certificate_type == 'file' or db_use_tls -%}
+      {{ UNSET }}
+    {%- else -%}
+      false
+    {%- endif %}
   when: "{{ certificate_type == 'file' or db_use_tls }}"
 
 use_ofelia:
@@ -257,6 +262,15 @@ _message_after_copy: |
 
 _tasks:
   # validation
+  - "echo Checking that the compose file has no warnings"
+  - command: |
+      if docker compose config --quiet 2>&1 | grep --quiet level=; then
+        echo compose config has errors or warnings
+        docker compose config --quiet 2>&1
+        exit 1
+      else
+          echo compose config has no errors or warnings
+      fi
   - "echo Checking that required files are provided"
   - command: |
       echo Firebase admin key missing at {{ extra_files + '/firebase-admin-key.json' }}
@@ -382,4 +396,5 @@ _exclude:
   - "zizmor.yml"
   # - "README.md"
   - extensions
+  - "{% if not is_test %}scripts/cleanup_db.sh{% endif %}"
   - "{% if not is_test %}tests{% endif %}"

ctt.toml

@@ -45,3 +45,22 @@ db_host_type = "same_server"
 db_port = 3307
 db_root_user = "root"
 db_root_password = "root-password"
+_extra_tasks = [
+  # need to clean up on existing DB server
+  "ENVIRONMENT='{{ environment }}' DB_ROOT_USER='{{ db_root_user }}' DB_ROOT_PASSWORD='{{ db_root_password }}' DB_HOST='{{ db_host }}' DB_PORT='{{ db_port }}' DB_USER='{{ db_user }}' DB_NAME=admin ./scripts/cleanup_db.sh",
+  "docker compose down",
+]
+
+# DB on a different server requires a db_host
+[output.".ctt/db_different_server"]
+db_host_type = "separate_server"
+# use the service container to pretend it is a separate server
+# very tricky to test in CI with a dedicated hostname
+db_host = "host.docker.internal"
+db_port = 3307
+db_root_user = "root"
+db_root_password = "root-password"
+# force no TLS during test, requires certificate otherwise
+# TODO: add test case with TLS enabled
+db_use_tls = 0
+use_custom_certs = false

scripts/cleanup_db.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -euo pipefail
+
+# renovate: datasource=docker depName=alpine
+ALPINE_VERSION="3.23.2"
+
+echo "Running container for mysql-client..."
+docker run --rm --interactive \
+    --env DB_ROOT_USER=${DB_ROOT_USER} \
+    --env DB_ROOT_PASSWORD=${DB_ROOT_PASSWORD} \
+    --env DB_HOST=${DB_HOST} \
+    --env DB_USER=${DB_USER} \
+    --env DB_NAME=${DB_NAME} \
+    --network opal-${ENVIRONMENT} \
+    --add-host "host.docker.internal:host-gateway" \
+    alpine:${ALPINE_VERSION} sh -s << EOF
+set -euo pipefail
+apk add --no-cache mysql-client
+echo "Connecting to DB server on ${DB_HOST}:${DB_PORT}..."
+echo "Dropping databases..."
+MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
+DROP DATABASE IF EXISTS \`$DB_NAME\`;
+DROP DATABASE IF EXISTS \`OpalDB\`;
+DROP DATABASE IF EXISTS \`QuestionnaireDB\`;
+EOIF
+echo "Successfully dropped databases"
+echo "Dropping DB user ${DB_USER}..."
+MYSQL_PWD=${DB_ROOT_PASSWORD} mariadb --protocol tcp --skip-ssl --user ${DB_ROOT_USER} --host ${DB_HOST} --port ${DB_PORT} <<'EOIF'
+DROP USER IF EXISTS '$DB_USER'@'%';
+FLUSH PRIVILEGES;
+EOIF
+echo "Successfully dropped DB user ${DB_USER}"
+EOF
+echo "Done!"