diff --git a/playbooks/codimd.yml b/playbooks/codimd.yml deleted file mode 100644 index b9bd1f0..0000000 --- a/playbooks/codimd.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2020 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -- name: Install & configure HedgeDoc - hosts: codimd - roles: - - docker - - docker_cleanup - - traefik - - codimd diff --git a/playbooks/hedgedoc.yml b/playbooks/hedgedoc.yml new file mode 100644 index 0000000..9de83b5 --- /dev/null +++ b/playbooks/hedgedoc.yml @@ -0,0 +1,17 @@ +- name: Install Hedgedoc. + + hosts: hedgedoc + + roles: + - role: podman + become: true + tags: + - always + - podman + - role: caddy + become: true + tags: + - always + - caddy + - role: hedgedoc + become: true diff --git a/roles/codimd/README.md b/roles/codimd/README.md deleted file mode 100644 index 910c01c..0000000 --- a/roles/codimd/README.md +++ /dev/null 
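Review bot: The `hedgedoc` role entry at the end of the `roles:` list in `playbooks/hedgedoc.yml` carries no `tags:` while its two siblings are tagged `always` plus their own name, so a run with `--tags hedgedoc` executes only the podman and caddy roles and skips the role the tag names. Giving it the same layout as its siblings, `tags:` / `- hedgedoc`, keeps tagged runs consistent. The deleted playbook also opened with `---` and the GPL header; the new file drops both, which looks unintentional if the rest of the repository keeps them.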
@@ -1,35 +0,0 @@ -HedgeDoc -========= - -This will setup a [HedgeDoc](https://github.com/hedgedoc/hedgedoc) server with their official docker container and traefik. - -Requirements ------------- - -You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles. - -**This role assumes that you have setup traefik with an endpoint called `websecure`.** - -Role Variables --------------- - -**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.** - -**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!** - -### Global variables, that are used: - -- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional) -- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional) - -Dependencies ------------- - -- docker -- docker-compose -- traefik - -License -------- - -GPL-3.0-only diff --git a/roles/codimd/defaults/main.yml b/roles/codimd/defaults/main.yml deleted file mode 100644 index 060ffc8..0000000 --- a/roles/codimd/defaults/main.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -# Default variables for the codimd role - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2020 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# Database access variables: Please change/set the password! -codimd_database_user: codimd -codimd_database_password: codimdpass -codimd_database_name: codimd - -# Adjust specific data locations, usually you would want to only adjust the "codimd_install_location" (the base path): -codimd_install_location: /srv/codimd -codimd_database_location: "{{ codimd_install_location }}/database" -codimd_uploads_location: "{{ codimd_install_location }}/uploads" - -# Should a local uploads directory be created and mounted? -codimd_uploads_local: false - -# Set the certresolver to your desired traefik certresolver. -# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup -codimd_traefik_certresolver: letsencrypt_http - -# The domain under which traefik should make CodiMD reachable -codimd_domain: pad.example.com - -# This is where all application related environment variables are defined except the database connection. -# For all possible environment variables look here: https://github.com/codimd/server/blob/master/docs/configuration.md. -# Note: All variables below will automatically be prefixed with "CMD_", eg. 
"DOMAIN" will automatically become "CMD_DOMAIN". -codimd_options: - ALLOW_FREE_URL: false - DOMAIN: "{{ codimd_domain }}" - EMAIL: false - PROTOCOL_USESSL: true - URL_ADDPORT: false - USECDN: true - -# The version of codimd and its postgres server -# (don't upgrade postgres without a backup etc, as it might have introduced breaking changes!) -# renovate: depName=quay.io/hedgedoc/hedgedoc -codimd_version: 1.10.0 -# renovate: depName=docker.io/library/postgres -codimd_postgres_version: 11.16 - -# The image tags that should be used (templated using the versions provided above) -codimd_image_version: "{{ codimd_version }}" -codimd_postgres_image_version: "{{ codimd_postgres_version }}-alpine" - -# SELinux level for codimd and the database, which are applied to their data folders and the containers. -# (By default these will be omitted and ignored) -codimd_selinux_level: "{{ omit }}" -codimd_database_selinux_level: "{{ omit }}" diff --git a/roles/codimd/meta/main.yml b/roles/codimd/meta/main.yml deleted file mode 100644 index f284298..0000000 --- a/roles/codimd/meta/main.yml +++ /dev/null @@ -1,44 +0,0 @@ -galaxy_info: - author: saibotk - description: "Installs HedgeDoc as a Docker container." - license: GPL-3.0-only - min_ansible_version: "2.9" - standalone: true - - platforms: - - name: EL - versions: - - all - - name: GenericUNIX - versions: - - all - - name: Fedora - versions: - - all - - name: opensuse - versions: - - all - - name: GenericBSD - versions: - - all - - name: FreeBSD - versions: - - all - - name: Ubuntu - versions: - - all - - name: SLES - versions: - - all - - name: GenericLinux - versions: - - all - - name: Debian - versions: - - all - - galaxy_tags: [] - -dependencies: - - role: docker - - role: traefik diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml deleted file mode 100644 index 3ba5e67..0000000 --- a/roles/codimd/tasks/main.yml +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -# Tasks file for the codimd role - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2020 Alexander Wellbrock -# Copyright (C) 2020 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -- name: Update default SELinux contexts - community.general.sefcontext: - target: "{{ item.location }}(/.*)?" - setype: "container_file_t" - selevel: "{{ item.selevel | default(omit) }}" - state: present - when: item.when | default(true) - with_items: - - location: "{{ codimd_database_location }}" - selevel: "{{ codimd_database_selinux_level }}" - - location: "{{ codimd_uploads_location }}" - selevel: "{{ codimd_selinux_level }}" - when: "{{ codimd_uploads_local }}" - tags: - - codimd - become: true - -- name: Create install directory - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: "0700" - owner: "root" - group: "root" - with_items: - - "{{ codimd_install_location }}" - tags: - - codimd - become: true - -- name: Create data directory - ansible.builtin.file: # noqa risky-file-permissions # Container adjusts permissions on its own - path: "{{ item.location }}" - state: directory - setype: "container_file_t" - selevel: "{{ item.selevel | default(omit) }}" - when: item.when | default(true) - with_items: - - location: "{{ codimd_database_location }}" - selevel: "{{ codimd_database_selinux_level }}" - - location: "{{ 
codimd_uploads_location }}" - selevel: "{{ codimd_selinux_level }}" - when: "{{ codimd_uploads_local }}" - tags: - - codimd - become: true - -- name: Deploy docker-compose.yml - ansible.builtin.template: - src: docker-compose.yml - dest: "{{ codimd_install_location }}/docker-compose.yml" - mode: "0600" - owner: "root" - group: "root" - validate: docker compose -f %s config -q - tags: - - docker - - codimd - become: true - -- name: Compose codimd - community.docker.docker_compose_v2: - state: present - project_src: "{{ codimd_install_location }}" - pull: always - remove_orphans: true - tags: - - codimd - become: true diff --git a/roles/codimd/templates/docker-compose.yml b/roles/codimd/templates/docker-compose.yml deleted file mode 100644 index 474e036..0000000 --- a/roles/codimd/templates/docker-compose.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -{{ ansible_managed | comment }} - -# Infrastructure -# Ansible instructions to deploy the infrastructure -# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern -# Copyright (C) 2020 Saibotk -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, version 3 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -version: '2' -services: - database: - image: docker.io/library/postgres:{{ codimd_postgres_image_version }} - mem_limit: 256mb - memswap_limit: 512mb - read_only: true -{% if codimd_database_selinux_level != omit %} - security_opt: - - label=level:{{ codimd_database_selinux_level }} -{% endif %} - - tmpfs: - - /run/postgresql:size=512K - - /tmp:size=128K - stop_grace_period: 2m - stop_signal: SIGINT - environment: - - POSTGRES_USER={{ codimd_database_user }} - - POSTGRES_PASSWORD={{ codimd_database_password }} - - POSTGRES_DB={{ codimd_database_name }} - volumes: - - {{ codimd_database_location }}:/var/lib/postgresql/data - networks: - backend: - restart: always - - codimd: - image: quay.io/hedgedoc/hedgedoc:{{ codimd_image_version }} - mem_limit: 256mb - memswap_limit: 512mb - restart: always - read_only: true -{% if codimd_selinux_level != omit %} - security_opt: - - label=level:{{ codimd_selinux_level }} -{% endif %} - - tmpfs: - - /tmp:size=10M -{% if not codimd_uploads_local %} - - /hedgedoc/public/uploads:size=10M -{% endif %} - environment: - - "CMD_DB_URL=postgres://{{ codimd_database_user }}:{{ codimd_database_password }}@database:5432/{{ codimd_database_name }}" -{% for key, value in 
codimd_options.items() %} - - "CMD_{{ key }}={{ value }}" -{% endfor %} - - labels: - - "traefik.http.routers.codimd.rule=Host(`{{ codimd_domain }}`) && PathPrefix(`/`)" - - "traefik.http.routers.codimd.entrypoints=websecure" - - "traefik.http.routers.codimd.tls=true" - - "traefik.http.routers.codimd.tls.certresolver={{ codimd_traefik_certresolver }}" - - "traefik.http.routers.codimd.middlewares=codimd,compress" - - "traefik.http.routers.codimd.service=codimd" - - "traefik.http.services.codimd.loadbalancer.server.port=3000" - - "traefik.http.middlewares.codimd.headers.sslredirect=true" - - "traefik.http.middlewares.codimd.headers.stsSeconds=63072000" - - "traefik.http.middlewares.codimd.headers.browserXssFilter=true" - - "traefik.http.middlewares.codimd.headers.contentTypeNosniff=true" - - - "traefik.enable=true" -{% if proxy_network is defined %} - - "traefik.docker.network={{ proxy_network }}" -{% endif %} -{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %} - - "traefik.http.middlewares.codimd.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000" -{% endif %} - -{% if codimd_uploads_local %} - volumes: - - {{ codimd_uploads_location }}:/hedgedoc/public/uploads -{% endif %} - networks: - backend: -{% if proxy_network is defined %} - {{ proxy_network }}: -{% endif %} - -networks: - backend: -{% if proxy_network is defined %} - {{ proxy_network }}: - external: true -{% endif %} diff --git a/roles/hedgedoc/defaults/main.yml b/roles/hedgedoc/defaults/main.yml new file mode 100644 index 0000000..dd658ca --- /dev/null +++ b/roles/hedgedoc/defaults/main.yml 
@@ -0,0 +1,46 @@ +hedgedoc_install_dir: "/opt/hedgedoc" + +hedgedoc_domain: hedgedoc.example.com + +hedgedoc_containerimage: quay.io/hedgedoc/hedgedoc +# renovate: depName=quay.io/hedgedoc/hedgedoc +hedgedoc_image_tag: "1.10.0" + +hedgedoc_postgres_containerimage: docker.io/library/postgres +# renovate: depName=docker.io/library/postgres +hedgedoc_postgres_image_tag: "17.2-alpine" + +hedgedoc_selinux_level: "{{ omit }}" +hedgedoc_postgres_selinux_level: "{{ omit }}" + +hedgedoc_memory_low: 128m +hedgedoc_memory_high: 0 +hedgedoc_swap_max: -1 + +hedgedoc_postgres_memory_low: 128m +hedgedoc_postgres_memory_high: 0 +hedgedoc_postgres_swap_max: -1 + +hedgedoc_postgres_database_password: "{{ lookup('passwordstore', 'hedgedoc.example.com/postgres/hedgedoc_password' + ' create=true length=64') }}" + +# These are only needed for the inital run to setup the hedgedoc database and user. On subsequent runs you can remove these. +hedgedoc_postgres_environment_vars: + POSTGRES_DB: "hedgedoc" + POSTGRES_USER: "hedgedoc" + POSTGRES_PASSWORD: "{{ hedgedoc_postgres_database_password }}" + +# This is where all application related environment variables are defined. +# For all possible environment variables look here: https://github.com/hedgedoc/hedgedoc/blob/a110bef68f52c2153eaea9b31bb91ce76cf4822b/docs/content/configuration.md +# Note: All variables below will automatically be prefixed with "CMD_", eg. "DOMAIN" will automatically become "CMD_DOMAIN". +hedgedoc_environment_vars: + DB_DIALECT: postgres + DB_USERNAME: hedgedoc + DB_PASSWORD: "{{ hedgedoc_postgres_database_password }}" + DB_DATABASE: hedgedoc + DB_HOST: /var/run/postgresql + ALLOW_FREE_URL: false + DOMAIN: "{{ hedgedoc_domain }}" + EMAIL: false + PROTOCOL_USESSL: true + URL_ADDPORT: false + USECDN: true diff --git a/roles/hedgedoc/handlers/main.yml b/roles/hedgedoc/handlers/main.yml new file mode 100644 index 0000000..3a7165a --- /dev/null +++ b/roles/hedgedoc/handlers/main.yml 
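Review bot: `hedgedoc_postgres_database_password` hard-codes `hedgedoc.example.com` in the passwordstore path while the domain directly above it is the variable `hedgedoc_domain`, so overriding the domain in inventory still creates and reads the secret under the example path. Build the path from the variable instead: `hedgedoc_postgres_database_password: "{{ lookup('passwordstore', hedgedoc_domain + '/postgres/hedgedoc_password create=true length=64') }}"`. The comment above `hedgedoc_postgres_environment_vars` says the entries can be removed after the initial run, but the same password is still consumed by `hedgedoc_environment_vars` further down, so the comment should say that only the postgres mapping becomes optional, not the password variable itself.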
@@ -0,0 +1,24 @@ +- name: Apply new SELinux file context to filesystem. + ansible.builtin.command: "restorecon -irF {{ hedgedoc_install_dir }}" + become: true + listen: "hedgedoc selinux context changed" + +- name: Restart hedgedoc service. + ansible.builtin.systemd: + state: restarted + name: hedgedoc.service + daemon_reload: true + become: true + listen: + - "hedgedoc service changed" + - "hedgedoc selinux context changed" + +- name: Restart hedgedoc-postgres service. + ansible.builtin.systemd: + state: restarted + name: hedgedoc-postgres.service + daemon_reload: true + become: true + listen: + - "hedgedoc postgres service changed" + - "hedgedoc selinux context changed" diff --git a/roles/hedgedoc/meta/main.yml b/roles/hedgedoc/meta/main.yml new file mode 100644 index 0000000..4259170 --- /dev/null +++ b/roles/hedgedoc/meta/main.yml @@ -0,0 +1,20 @@ +galaxy_info: + author: saibotk + description: Deploy hedgedoc with podman and systemd. + + issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues + + license: GPL-3.0-only + + min_ansible_version: "2.10" + + platforms: + - name: Fedora + versions: + - "41" + + standalone: true + + galaxy_tags: [] + +dependencies: [] diff --git a/roles/hedgedoc/tasks/main.yml b/roles/hedgedoc/tasks/main.yml new file mode 100644 index 0000000..374243c --- /dev/null +++ b/roles/hedgedoc/tasks/main.yml 
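Review bot: The `restorecon` handler interpolates `hedgedoc_install_dir` into a single command string, so a path containing whitespace would be split into several arguments by `ansible.builtin.command`. Passing `argv: ["restorecon", "-irF", "{{ hedgedoc_install_dir }}"]` keeps the path as one argument and avoids the quoting question. The two restart handlers that also listen on `hedgedoc selinux context changed` are defined after this one, which is what makes the relabel run before the restarts; a short comment such as `# Keep this handler first: relabel must happen before the restarts below` would stop a future reorder from breaking that.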
@@ -0,0 +1,140 @@ +- name: Update default SELinux contexts + community.general.sefcontext: + target: "{{ item.target }}" + setype: "container_file_t" + selevel: "{{ item.selevel }}" + state: present + loop: + - target: "{{ hedgedoc_install_dir }}/uploads(/.*)?" + selevel: "{{ hedgedoc_selinux_level }}" + - target: "{{ hedgedoc_install_dir }}/postgres(/.*)?" + selevel: "{{ hedgedoc_postgres_selinux_level }}" + become: true + notify: "hedgedoc selinux context changed" + +- name: Create hedgedoc directories. + ansible.builtin.file: + path: "{{ hedgedoc_install_dir }}" + owner: "root" + group: "root" + mode: "0700" + state: directory + become: true + +- name: Ensure hedgedoc data directories exist. + block: + - name: Stat hedgedoc uploads dir. + ansible.builtin.stat: + path: "{{ hedgedoc_install_dir }}/uploads" + become: true + register: hedgedoc_stat_uploads_dir + + - name: Stat hedgedoc postgres dir. + ansible.builtin.stat: + path: "{{ hedgedoc_install_dir }}/postgres" + become: true + register: hedgedoc_stat_postgres_dir + + - name: Create hedgedoc data directories. + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: "0700" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + loop: + - path: "{{ hedgedoc_install_dir }}/uploads" + owner: "{{ hedgedoc_stat_uploads_dir.stat.uid | default('root') }}" + group: "{{ hedgedoc_stat_uploads_dir.stat.gid | default('root') }}" + - path: "{{ hedgedoc_install_dir }}/postgres" + owner: "{{ hedgedoc_stat_postgres_dir.stat.uid | default('root') }}" + group: "{{ hedgedoc_stat_postgres_dir.stat.gid | default('root') }}" + become: true + +- name: Deploy hedgedoc environment file. + ansible.builtin.template: + src: hedgedoc.env.j2 + dest: "{{ hedgedoc_install_dir }}/hedgedoc.env" + mode: "0600" + owner: "root" + group: "root" + become: true + notify: + - "hedgedoc service changed" + +- name: Deploy postgres environment file. 
+ ansible.builtin.template: + src: hedgedoc-postgres.env.j2 + dest: "{{ hedgedoc_install_dir }}/hedgedoc-postgres.env" + mode: "0600" + owner: "root" + group: "root" + become: true + notify: + - "hedgedoc postgres service changed" + +- name: Add caddy config file. + block: + - name: Check caddy config dir. + ansible.builtin.stat: + path: "{{ caddy_install_dir }}/config" + become: true + register: caddy_stat_config_dir + + - name: Template caddy config for hedgedoc. + ansible.builtin.template: + src: hedgedoc.caddy.j2 + dest: "{{ caddy_install_dir }}/config/hedgedoc.caddy" + mode: "0600" + setype: "container_file_t" + selevel: "{{ caddy_selinux_level }}" + owner: "{{ caddy_stat_config_dir.stat.uid }}" + group: "{{ caddy_stat_config_dir.stat.gid }}" + notify: "caddy config changed" + become: true + +- name: Create hedgedoc postgres socket volume. + ansible.builtin.template: + src: hedgedoc-postgres-socket.volume + dest: /etc/containers/systemd/hedgedoc-postgres-socket.volume + owner: "root" + group: "root" + mode: "0644" + become: true + notify: + - "hedgedoc service changed" + - "hedgedoc postgres service changed" + +- name: Create hedgedoc container file. + ansible.builtin.template: + src: hedgedoc.container.j2 + dest: /etc/containers/systemd/hedgedoc.container + owner: "root" + group: "root" + mode: "0644" + become: true + notify: "hedgedoc service changed" + +- name: Create hedgedoc postgres container file. + ansible.builtin.template: + src: hedgedoc-postgres.container.j2 + dest: /etc/containers/systemd/hedgedoc-postgres.container + owner: "root" + group: "root" + mode: "0644" + become: true + notify: "hedgedoc postgres service changed" + +- name: Flush handlers + ansible.builtin.meta: flush_handlers + +- name: Ensure hedgedoc services are started and enabled. + ansible.builtin.systemd: + state: started + enabled: true + name: "{{ item }}" + daemon_reload: true + loop: + - hedgedoc.service + - hedgedoc-postgres.service + become: true 
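Review bot: In the `Add caddy config file.` block the template task uses `caddy_stat_config_dir.stat.uid` and `.gid` without a `default`, unlike the `| default('root')` guards on the hedgedoc data directories a few tasks earlier, so a missing `{{ caddy_install_dir }}/config` produces an undefined-attribute error instead of a message naming the cause. That block also reads `caddy_install_dir` and `caddy_selinux_level` from the caddy role while the new `meta/main.yml` declares `dependencies: []`, so playbook order is the only thing providing them. An explicit check between the stat and the template makes that contract visible: `- ansible.builtin.assert:` / `that: caddy_stat_config_dir.stat.exists` / `fail_msg: "caddy role must run first: {{ caddy_install_dir }}/config is missing"`.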
diff --git a/roles/hedgedoc/templates/hedgedoc-postgres-socket.volume b/roles/hedgedoc/templates/hedgedoc-postgres-socket.volume new file mode 100644 index 0000000..83661be --- /dev/null +++ b/roles/hedgedoc/templates/hedgedoc-postgres-socket.volume @@ -0,0 +1,5 @@ +{{ ansible_managed | comment }} + +[Volume] + +VolumeName = hedgedoc-postgres-socket diff --git a/roles/hedgedoc/templates/hedgedoc-postgres.container.j2 b/roles/hedgedoc/templates/hedgedoc-postgres.container.j2 new file mode 100644 index 0000000..da25ac2 --- /dev/null +++ b/roles/hedgedoc/templates/hedgedoc-postgres.container.j2 @@ -0,0 +1,39 @@ +{{ ansible_managed | comment }} + +[Unit] +Description = Postgres for hedgedoc + +[Service] +Restart = always +RestartSec = 5s + +[Container] +Image = {{ hedgedoc_postgres_containerimage }}:{{ hedgedoc_postgres_image_tag }} +ContainerName = hedgedoc-postgres + +# AutoUpdate = registry +LogDriver = journald + +# NoNewPrivileges = true +ReadOnly = true +DropCapability = all +AddCapability = CHOWN DAC_OVERRIDE SETUID SETGID +UserNS = auto:size=65535 +{% if hedgedoc_postgres_selinux_level != omit %} +SecurityLabelLevel = {{ hedgedoc_postgres_selinux_level }} +{% endif %} + +EnvironmentFile = {{ hedgedoc_install_dir }}/hedgedoc-postgres.env + +Volume = hedgedoc-postgres-socket:/var/run/postgresql:U,z +Volume = {{ hedgedoc_install_dir }}/postgres:/var/lib/postgresql/data:U +Tmpfs = /tmp:rw,noexec,nosuid,nodev,size=1m + +PodmanArgs = --memory={{ hedgedoc_postgres_memory_high }} +PodmanArgs = --memory-swap={{ hedgedoc_postgres_swap_max }} +PodmanArgs = --memory-reservation={{ hedgedoc_postgres_memory_low }} + +PodmanArgs = --stop-signal=SIGINT + +[Install] +WantedBy = default.target diff --git a/roles/hedgedoc/templates/hedgedoc-postgres.env.j2 b/roles/hedgedoc/templates/hedgedoc-postgres.env.j2 new file mode 100644 index 0000000..0f3fa97 --- /dev/null +++ b/roles/hedgedoc/templates/hedgedoc-postgres.env.j2 
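Review bot: Both container units mount the socket volume by its plain name, `Volume = hedgedoc-postgres-socket:/var/run/postgresql:U,z` in `hedgedoc-postgres.container.j2` and the `:z` variant in `hedgedoc.container.j2`, although the commit also ships `hedgedoc-postgres-socket.volume`; Quadlet only adds `Requires=`/`After=` on `hedgedoc-postgres-socket-volume.service` when the source ends in `.volume`, so with the plain name podman auto-creates an unmanaged volume of that name if a container starts first. Referencing the unit instead, `Volume = hedgedoc-postgres-socket.volume:/var/run/postgresql:U,z` (and the matching line in the hedgedoc unit), ties startup to the volume unit and takes the name from its `VolumeName`. The commented-out `# NoNewPrivileges = true` and `# AutoUpdate = registry` lines give no reason, and the hedgedoc unit does set `NoNewPrivileges`; a comment like `# NoNewPrivileges deliberately off — TODO record why (entrypoint drops privileges itself?)` records the difference. The four `AddCapability` entries likewise deserve a one-line note naming what the image entrypoint needs them for.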
@@ -0,0 +1,7 @@ +{{ ansible_managed | comment}} + +{% if hedgedoc_postgres_environment_vars is mapping %} +{% for key, value in hedgedoc_postgres_environment_vars.items() %} +{{ key }}={{ value }} +{% endfor %} +{% endif %} diff --git a/roles/hedgedoc/templates/hedgedoc.caddy.j2 b/roles/hedgedoc/templates/hedgedoc.caddy.j2 new file mode 100644 index 0000000..d956f33 --- /dev/null +++ b/roles/hedgedoc/templates/hedgedoc.caddy.j2 @@ -0,0 +1,24 @@ +{{ ansible_managed | comment }} + +{{ hedgedoc_domain }} { + encode gzip + + header { + # enable HSTS + Strict-Transport-Security "max-age=31536000; preload;" + + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # clickjacking protection + X-Frame-Options DENY + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + # Server name removing + -Server + } + + reverse_proxy hedgedoc:3000 +} diff --git a/roles/hedgedoc/templates/hedgedoc.container.j2 b/roles/hedgedoc/templates/hedgedoc.container.j2 new file mode 100644 index 0000000..d353fad --- /dev/null +++ b/roles/hedgedoc/templates/hedgedoc.container.j2 
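Review bot: The HSTS value `"max-age=31536000; preload;"` in `hedgedoc.caddy.j2` asks for preload-list inclusion without `includeSubDomains`, which the preload list requires, so the `preload` token has no effect, and the trailing `;` leaves an empty directive. Either drop the token, `Strict-Transport-Security "max-age=31536000"`, or, only if every subdomain of `{{ hedgedoc_domain }}` is served over TLS, use `"max-age=31536000; includeSubDomains; preload"`. The deleted traefik labels used `stsSeconds=63072000`, so halving the max-age is a behaviour change worth a comment in the template. `Referrer-Policy no-referrer-when-downgrade` is laxer than the current browser default `strict-origin-when-cross-origin`; if the weaker value is intended, say why next to it.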
@@ -0,0 +1,44 @@ +{{ ansible_managed | comment }} + +[Unit] +Description = hedgedoc Server +Requires = hedgedoc-postgres.service +After = hedgedoc-postgres.service + +[Service] +Restart = always +RestartSec = 5s + +[Container] +Image = {{ hedgedoc_containerimage }}:{{ hedgedoc_image_tag }} +ContainerName = hedgedoc + +# Required for it to not use root / gosu in entrypoint +User = 10000 + +# AutoUpdate = registry +LogDriver = journald + +ReadOnly = true +NoNewPrivileges = true +DropCapability = all +UserNS = auto:size=65535 +{% if hedgedoc_selinux_level != omit %} +SecurityLabelLevel = {{ hedgedoc_selinux_level }} +{% endif %} + +Network = caddy.network + +Tmpfs = /tmp:rw,noexec,nosuid,nodev,size=10m + +EnvironmentFile = {{ hedgedoc_install_dir }}/hedgedoc.env + +Volume = {{ hedgedoc_install_dir }}/uploads:/hedgedoc/public/uploads:U +Volume = hedgedoc-postgres-socket:/var/run/postgresql:z + +PodmanArgs = --memory={{ hedgedoc_memory_high }} +PodmanArgs = --memory-swap={{ hedgedoc_swap_max }} +PodmanArgs = --memory-reservation={{ hedgedoc_memory_low }} + +[Install] +WantedBy = default.target diff --git a/roles/hedgedoc/templates/hedgedoc.env.j2 b/roles/hedgedoc/templates/hedgedoc.env.j2 new file mode 100644 index 0000000..1f172ef --- /dev/null +++ b/roles/hedgedoc/templates/hedgedoc.env.j2 @@ -0,0 +1,7 @@ +{{ ansible_managed | comment}} + +{% if hedgedoc_environment_vars is mapping %} +{% for key, value in hedgedoc_environment_vars.items() %} +CMD_{{ key }}={{ value }} +{% endfor %} +{% endif %}
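Review bot: `CMD_{{ key }}={{ value }}` in `hedgedoc.env.j2` renders the YAML booleans from `hedgedoc_environment_vars` (`ALLOW_FREE_URL: false`, `PROTOCOL_USESSL: true`, …) through Jinja's Python `str()`, which yields `True`/`False` rather than `true`/`false`; if HedgeDoc compares the string against lowercase `true`, as its config parsing appears to, every `true` here is silently read as false. Lowercasing only booleans keeps `DB_PASSWORD` and `DOMAIN` untouched: `CMD_{{ key }}={{ (value | lower) if value is boolean else value }}`. The same `{{ value }}` form is used in `hedgedoc-postgres.env.j2`, where no booleans are defined today, so applying the same expression there keeps the two templates aligned. Both templates also write `{{ ansible_managed | comment}}` without the space before `}}`, unlike the other new templates.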