Remove WINDMILL_ENABLED from apache start.sh, simplify windmill cert config, add cache invalidation on image update

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/6ba2c0de-f503-4989-9dea-4bc64a51e4f9

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

Containers/apache/start.sh

@@ -60,12 +60,6 @@ if [ -z "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
 fi
 echo "$CADDYFILE" > /tmp/Caddyfile
 
-# Remove windmill route if windmill is not enabled
-if [ "$WINDMILL_ENABLED" != "yes" ]; then
-    CADDYFILE="$(sed '/# Windmill/{N;N;N;N;d}' /tmp/Caddyfile)"
-    echo "$CADDYFILE" > /tmp/Caddyfile
-fi
-
 # Fix the Caddyfile format
 caddy fmt --overwrite /tmp/Caddyfile
 

Containers/windmill/Dockerfile

@@ -62,7 +62,11 @@ RUN set -ex; \
     # Create symlinks so postgres tools are on PATH
     ln -sf /usr/lib/postgresql/17/bin/postgres /usr/local/bin/postgres; \
     ln -sf /usr/lib/postgresql/17/bin/initdb   /usr/local/bin/initdb; \
-    ln -sf /usr/lib/postgresql/17/bin/pg_ctl   /usr/local/bin/pg_ctl
+    ln -sf /usr/lib/postgresql/17/bin/pg_ctl   /usr/local/bin/pg_ctl; \
+    \
+    # Write a build-time marker so start.sh can detect image updates and
+    # clear the cache volume when a new image version is deployed.
+    date -u +%s > /etc/windmill-image-build-epoch
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -79,7 +83,10 @@ COPY --chmod=664 supervisord.conf /supervisord.conf
 ENV UV_TOOL_BIN_DIR=/tmp/windmill/cache/uv/bin \
     UV_TOOL_DIR=/tmp/windmill/cache/uv/tools \
     WINDMILL_DIR=/tmp/windmill/cache \
-    SSL_CERT_FILE=/etc/ssl/ca-bundle.crt
+    SSL_CERT_FILE=/etc/ssl/ca-bundle.crt \
+    CURL_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
+    REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
+    NODE_EXTRA_CA_CERTS=/etc/ssl/ca-bundle.crt
 
 VOLUME ["/var/lib/postgresql/data", "/tmp/windmill/cache"]
 

Containers/windmill/start.sh

@@ -9,22 +9,23 @@ fi
 
 export TZ="${TZ:-Etc/UTC}"
 
-# The Docker daemon injects SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt and
-# SSL_CERT_DIR=/etc/ssl/certs into every container, but /etc/ssl/certs/ is mode 700
-# (root only) in the base Windmill image, so uid=1000 cannot traverse it.
-# Build a combined, world-readable CA bundle in the writable /tmp tmpfs and
-# override all SSL cert env vars so Windmill and its sub-processes use it.
-_COMBINED_BUNDLE="/tmp/ca-bundle.crt"
-cat /etc/ssl/ca-bundle.crt /etc/ssl/cert.pem > "$_COMBINED_BUNDLE" 2>/dev/null || \
-    cat /etc/ssl/ca-bundle.crt > "$_COMBINED_BUNDLE" 2>/dev/null || true
-if [ -s "$_COMBINED_BUNDLE" ]; then
-    export SSL_CERT_FILE="$_COMBINED_BUNDLE"
-    export CURL_CA_BUNDLE="$_COMBINED_BUNDLE"
-    export REQUESTS_CA_BUNDLE="$_COMBINED_BUNDLE"
-    export NODE_EXTRA_CA_CERTS="$_COMBINED_BUNDLE"
-    # Unset SSL_CERT_DIR so rustls-native-certs does not also try to traverse
-    # the inaccessible /etc/ssl/certs/ directory.
-    unset SSL_CERT_DIR
+# Clear the cache volume when the image has been updated.
+# /etc/windmill-image-build-epoch is written at image build time.
+# A copy is stored in the cache volume after first start.
+# If the two differ the image was updated and any stale cached artefacts
+# (uv tools, worker dirs) should be removed so Windmill starts clean.
+IMAGE_EPOCH_FILE="/etc/windmill-image-build-epoch"
+CACHE_EPOCH_FILE="/tmp/windmill/cache/.image-build-epoch"
+if [ -f "$IMAGE_EPOCH_FILE" ]; then
+    IMAGE_EPOCH="$(cat "$IMAGE_EPOCH_FILE")"
+    if [ -f "$CACHE_EPOCH_FILE" ]; then
+        CACHE_EPOCH="$(cat "$CACHE_EPOCH_FILE")"
+        if [ "$IMAGE_EPOCH" != "$CACHE_EPOCH" ]; then
+            echo "Windmill image updated (was $CACHE_EPOCH, now $IMAGE_EPOCH). Clearing cache..."
+            find /tmp/windmill/cache -mindepth 1 -maxdepth 1 ! -name '.image-build-epoch' -exec rm -rf {} +
+        fi
+    fi
+    echo "$IMAGE_EPOCH" > "$CACHE_EPOCH_FILE"
 fi
 
 PGDATA="/var/lib/postgresql/data"