playbooks/camo.yml

@@ -0,0 +1,25 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure camo
+  hosts: camo
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - camo

playbooks/docker_ipv6_nat.yml

@@ -0,0 +1,23 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure Docker IPv6 NAT
+  hosts: docker_ipv6_nat
+  roles:
+    - docker
+    - docker_cleanup
+    - docker_ipv6_nat

playbooks/factorio.yml

@@ -0,0 +1,23 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure Factorio
+  hosts: factorio
+  roles:
+    - docker
+    - docker_cleanup
+    - factorio

playbooks/gitlab.yml

@@ -0,0 +1,25 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure GitLab
+  hosts: gitlab
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - gitlab

playbooks/gitlab_runner.yml

@@ -0,0 +1,32 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure GitLab Runner
+  hosts: gitlab_runner
+  roles:
+    - docker
+    - docker_cleanup
+    - gitlab_runner
+  tasks:
+    - name: Install docker image prune crontab
+      ansible.builtin.cron:
+        name: "Prune unused docker images"
+        minute: "0"
+        hour: "*/4"
+        job: "docker image prune -f"
+      become: true

playbooks/lvm_self_backup.yml

@@ -0,0 +1,22 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure LVM self backup
+  hosts: lvm_self_backup
+  roles:
+    - docker
+    - lvm_self_backup

playbooks/minecraft.yml

@@ -0,0 +1,24 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure Minecraft
+  hosts: minecraft
+  roles:
+    - docker
+    - docker_cleanup
+    - minecraft

playbooks/minecraft_blockmap.yml

@@ -0,0 +1,24 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure BlockMap
+  hosts: minecraft
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - minecraft_blockmap

playbooks/minio.yml

@@ -0,0 +1,25 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure MinIO
+  hosts: minio
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - minio

playbooks/owncast.yml

@@ -0,0 +1,24 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure Owncast
+  hosts: owncast
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - owncast

playbooks/penpot.yml

@@ -0,0 +1,24 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure Penpot
+  hosts: penpot
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - penpot

playbooks/saiblog.yml

@@ -1,17 +0,0 @@
-- name: Install Saiblog.
-
-  hosts: saiblog
-
-  roles:
-    - role: podman
-      become: true
-      tags:
-        - always
-        - podman
-    - role: caddy
-      become: true
-      tags:
-        - always
-        - caddy
-    - role: saiblog
-      become: true

playbooks/site.yml

@@ -1,16 +1,63 @@
+---
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure unattended upgrades
+  import_playbook: unattended_upgrades.yml
+- name: Install & configure ipv6 NAT for Docker
+  import_playbook: docker_ipv6_nat.yml
+- name: Install & configure backup solution using LVM
+  import_playbook: lvm_self_backup.yml
+- name: Install & configure GitLab
+  import_playbook: gitlab.yml
+- name: Install & configure GitLab Runner
+  import_playbook: gitlab_runner.yml
+- name: Install & configure camo
+  import_playbook: camo.yml
 - name: Install & configure Keycloak
   import_playbook: keycloak.yml
 - name: Install & configure monitoring
   import_playbook: monitoring.yml
+- name: Install & configure MinIO
+  import_playbook: minio.yml
 - name: Install & configure Mastodon
   import_playbook: mastodon.yml
 - name: Install & configure HedgeDoc
-  import_playbook: hedgedoc.yml
+  import_playbook: codimd.yml
-- name: Install & configure Synapse
+- name: Install & configure Matrix
-  import_playbook: synapse.yml
+  import_playbook: matrix.yml
+- name: Install & configure Matrix Delegate
+  import_playbook: matrix_delegate.yml
 - name: Install & configure Element Web
-  import_playbook: elementweb.yml
+  import_playbook: matrix_elementweb.yml
-- name: Install & configure Saiblog
+- name: Install & configure Matrix Webhooks
-  import_playbook: saiblog.yml
+  import_playbook: matrix_webhooks.yml
+- name: Install & configure Maubot
+  import_playbook: matrix_maubot.yml
+- name: Install & configure static websites
+  import_playbook: static_websites.yml
 - name: Install & configure Teamspeak
   import_playbook: teamspeak.yml
+- name: Install & configure Owncast
+  import_playbook: owncast.yml
+- name: Install & configure Factorio
+  import_playbook: factorio.yml
+- name: Install & configure Penpot
+  import_playbook: penpot.yml
+- name: Install & configure Vikunja
+  import_playbook: vikunja.yml

playbooks/static_websites.yml

@@ -0,0 +1,26 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure static websites
+  hosts: static_websites
+  serial: 1
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - static_websites

playbooks/unattended_upgrades.yml

@@ -0,0 +1,22 @@
+---
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Configure unattended upgrades
+  hosts: unattended_upgrades
+  roles:
+    - unattended_upgrades

playbooks/vikunja.yml

@@ -0,0 +1,24 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install & configure Vikunja
+  hosts: vikunja
+  roles:
+    - docker
+    - docker_cleanup
+    - traefik
+    - vikunja

roles/camo/README.md

@@ -0,0 +1,35 @@
+Camo
+=========
+
+This will setup a [go-camo](https://github.com/cactus/go-camo) content proxy server with their official docker container and traefik.
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.  
+
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
+
+### Global variables, that are used:
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+- traefik
+
+License
+-------
+
+GPL-3.0-only

roles/camo/defaults/main.yml

@@ -0,0 +1,42 @@
+---
+# Default variables for the camo role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install location (where the docker-compose file is stored)
+camo_install_location: "/srv/camo"
+
+# The camo version that should be used
+# renovate: depName=docker.io/cactus4docker/go-camo
+camo_version: "2.6.0"
+
+# The domain under which camo should be available using traefik
+camo_domain: camo.example.com
+
+# The certresolver that is used by traefik for camo's domain
+camo_traefik_certresolver: "letsencrypt_http"
+
+# The HMAC key to be used
+camo_key: "{{ lookup('passwordstore', camo_domain + '/hmac-key create=true length=128') }}"
+
+# The maximum allowed response size (in KB). (0 means unlimited)
+camo_max_size: 0
+
+# Docker image and version
+camo_image: "docker.io/cactus4docker/go-camo"
+camo_image_version: "v{{ camo_version }}"

roles/camo/meta/main.yml

@@ -0,0 +1,44 @@
+galaxy_info:
+  author: saibotk
+  description: "Installs a go-camo image proxy server via Docker."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker
+  - role: traefik

roles/camo/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+# Tasks file for the camo role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ camo_install_location }}"
+  become: true
+  tags:
+    - camo
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ camo_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - camo
+  become: true
+
+- name: Compose camo container
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ camo_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - camo
+  become: true

roles/camo/templates/docker-compose.yml

@@ -0,0 +1,62 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2'
+services:
+  camo:
+    image: "{{ camo_image }}:{{ camo_image_version }}"
+    mem_limit: 64mb
+    memswap_limit: 128mb
+    security_opt:
+      - no-new-privileges
+    environment:
+      - "GOCAMO_HMAC={{ camo_key }}"
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.camo.rule=Host(`{{ camo_domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.camo.entrypoints=websecure"
+      - "traefik.http.routers.camo.tls=true"
+      - "traefik.http.routers.camo.tls.certresolver={{ camo_traefik_certresolver }}"
+      - "traefik.http.routers.camo.middlewares=camo,compress"
+      - "traefik.http.middlewares.camo.headers.sslredirect=true"
+      - "traefik.http.middlewares.camo.headers.stsSeconds=63072000"
+      - "traefik.http.middlewares.camo.headers.referrerPolicy=no-referrer"
+
+{% if proxy_network is defined %}
+      - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
+      - "traefik.http.middlewares.camo.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
+{% endif %}
+
+    command:
+      - "--max-size={{ camo_max_size }}"
+      - "--server-name='go-camo v{{ camo_version }}'"
+    restart: always
+{% if proxy_network is defined %}
+    networks:
+      {{ proxy_network }}:
+{% endif %}
+
+{% if proxy_network is defined %}
+networks:
+  {{ proxy_network }}:
+    external: true
+{% endif %}

roles/docker_cleanup/README.md

@@ -0,0 +1,24 @@
+docker_cleanup
+=========
+
+This will prune unused docker images older than 3 days, to keep the system clean.
+
+Requirements
+------------
+
+You will need to have docker installed with its python package to use this role.
+
+Role Variables
+--------------
+
+None
+
+Dependencies
+------------
+
+- docker
+
+License
+-------
+
+GPL-3.0-only

roles/docker_cleanup/meta/main.yml

@@ -0,0 +1,43 @@
+galaxy_info:
+  author: Christoph Kern
+  description: "Cleans up the exsting Docker install"
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker

roles/docker_cleanup/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Prune docker images older than 3 days
+  community.docker.docker_prune:
+    images: true
+    images_filters:
+      dangling: false
+      until: 72h
+  become: true

roles/docker_ipv6_nat/README.md

@@ -0,0 +1,31 @@
+docker_ipv6_nat
+===============
+
+This will install the [docker-ipv6nat](https://github.com/robbertkl/docker-ipv6nat) container to manage IPv6 with ease on a single IP.
+The container will automatically create ip6table forwarding rules on demand. To use the functionality, make sure that each container, that exposes a port
+also has an `ipv6_enabled: true` user-defined network attached to it, with a ULA IPv6 for the tool to forward to.
+
+**Note: This will enable the kernel module `ipv6nat` if not enabled!**
+
+Requirements
+------------
+
+You will need to have docker, docker-compose installed or declared as dependencies with their respective roles. 
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+
+License
+-------
+
+GPL-3.0-only

roles/docker_ipv6_nat/defaults/main.yml

@@ -0,0 +1,26 @@
+---
+# Default variables for the docker_ipv6_nat role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install location (where the docker-compose.yml file will be deployed)
+docker_ipv6_nat_install_location: /srv/docker-ipv6-nat
+
+# The docker image and version/tag to use
+docker_ipv6_nat_baseimage: docker.io/robbertkl/ipv6nat
+# renovate: depName=docker.io/robbertkl/ipv6nat
+docker_ipv6_nat_version: 0.4.4

roles/docker_ipv6_nat/meta/main.yml

@@ -0,0 +1,43 @@
+galaxy_info:
+  author: saibotk
+  description: "Deploys a robbertkl/ipv6nat container."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker

roles/docker_ipv6_nat/tasks/main.yml

@@ -0,0 +1,55 @@
+---
+# Tasks file for the docker_ipv6_nat role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ docker_ipv6_nat_install_location }}"
+  tags:
+    - docker-ipv6-nat
+  become: true
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ docker_ipv6_nat_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - docker-ipv6-nat
+  become: true
+
+- name: Compose docker-ipv6-nat
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ docker_ipv6_nat_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - docker
+    - docker-ipv6-nat
+  become: true

roles/docker_ipv6_nat/templates/docker-compose.yml

@@ -0,0 +1,35 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2'
+services:
+  ipv6nat:
+    image: {{ docker_ipv6_nat_baseimage }}:{{ docker_ipv6_nat_version }}
+    security_opt:
+      - label:disable
+    restart: always
+    network_mode: "host"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "/lib/modules:/lib/modules:ro"
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+      - SYS_MODULE

roles/epel/README.md

@@ -0,0 +1,24 @@
+EPEL
+=========
+
+Installs the `epel-release` package via yum.
+
+Requirements
+------------
+
+None
+
+Role Variables
+--------------
+
+None
+
+Dependencies
+------------
+
+None, except for a CentOS 7 system.
+
+License
+-------
+
+GPL-3.0-only

roles/epel/meta/main.yml

@@ -0,0 +1,15 @@
+galaxy_info:
+  author: saibotk
+  description: Installs the epel-release package.
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - "7"
+
+  galaxy_tags: []
+
+dependencies: []

roles/epel/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+# Tasks file for the epel role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install EPEL repository package # noqa fqcn
+  ansible.builtin.yum:
+    name: epel-release
+    state: present
+  become: true

roles/factorio/README.md

@@ -0,0 +1,27 @@
+Factorio
+=========
+
+This will setup a [Factorio](https://github.com/factoriotools/factorio-docker) gameserver using a docker container.
+
+Requirements
+------------
+
+You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.  
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+
+License
+-------
+
+GPL-3.0-only

roles/factorio/defaults/main.yml

@@ -0,0 +1,37 @@
+---
+# Default variables for the factorio role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install location (where the docker-compose file is stored)
+factorio_install_location: "/srv/factorio"
+factorio_data_location: "{{ factorio_install_location }}/data"
+
+# The camo version that should be used
+# renovate: depName=docker.io/factoriotools/factorio
+factorio_version: "2.0.16"
+
+# Docker image
+factorio_image: "docker.io/factoriotools/factorio"
+
+# The factorio server port that should be exposed
+factorio_server_port: 34197
+
+# IPv6 ULA config for the bridge network used by docker-ipv6-nat
+factorio_ipv6:
+  enabled: false
+  subnet: "fd9e:21a7:a92c:2456::/64"

roles/factorio/meta/main.yml

@@ -0,0 +1,43 @@
+galaxy_info:
+  author: saibotk
+  description: "Installs a factorio server via Docker."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker

roles/factorio/tasks/main.yml

@@ -0,0 +1,79 @@
+---
+# Tasks file for the factorio role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ factorio_data_location }}"
+  tags:
+    - factorio
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ factorio_install_location }}"
+  become: true
+  tags:
+    - factorio
+
+- name: Create data directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0750"
+    owner: "845"
+    group: "845"
+    setype: "container_file_t"
+  with_items:
+    - "{{ factorio_data_location }}"
+  tags:
+    - factorio
+  become: true
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ factorio_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - factorio
+  become: true
+
+- name: Compose factorio container
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ factorio_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - factorio
+  become: true

roles/factorio/templates/docker-compose.yml

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2.1'
+services:
+  factorio:
+    image: "{{ factorio_image }}:{{ factorio_version }}"
+    ports:
+      - "{{ factorio_server_port }}:34197/udp"
+    volumes:
+      - "{{ factorio_data_location }}:/factorio"
+    restart: always
+    networks:
+      factorio-backend:
+
+networks:
+  factorio-backend:
+    driver: bridge
+{% if factorio_ipv6 is defined and factorio_ipv6.enabled %}
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ factorio_ipv6.subnet }}
+    enable_ipv6: true
+{% endif %}

roles/gitlab/README.md

@@ -0,0 +1,35 @@
+Gitlab
+=========
+
+This will setup a Gitlab instance using their official docker container and traefik as a reverse proxy.
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
+
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+### Global variables, that are used:
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+- traefik
+
+License
+-------
+
+GPL-3.0-only

roles/gitlab/defaults/main.yml

@@ -0,0 +1,167 @@
+---
+# Default variables for the gitlab role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Install location settings
+gitlab_install_location: /srv/gitlab
+gitlab_data_location: "{{ gitlab_install_location }}/data"
+gitlab_config_location: "{{ gitlab_install_location }}/config"
+gitlab_log_location: "{{ gitlab_install_location }}/log"
+gitlab_telegraf_location: "{{ gitlab_install_location }}/telegraf"
+
+# Put GitLab's logs in a tempfs instead to save headache with diskspace
+gitlab_log_tmpfs: false
+
+# Set the certresolver to your desired traefik certresolver.
+# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
+gitlab_traefik_certresolver: letsencrypt_http
+
+# The domain under which traefik should make gitlab (and, if enabled, the registry) reachable
+gitlab_domain: gitlab.example.com
+gitlab_registry_domain: registry.gitlab.example.com
+
+# The Gitlab version, usually you don't need to adjust this for a host.
+# renovate: depName=gitlab/gitlab-ce
+gitlab_version: 17.5.1-ce.0
+
+# renovate: depName=docker.io/library/telegraf
+gitlab_telegraf_version: "1.26"
+
+# The port you want Gitlab to listen on for SSH connections
+gitlab_ssh_port: 22
+
+# The memory limits for the GitLab container
+#
+# Notice the gitlab_memoryswap_limit must be equal
+# or higher than the gitlab_memory_limit
+gitlab_memory_limit: "6096mb"
+gitlab_memoryswap_limit: "6352mb"
+
+# Enable or disable selinux handling
+gitlab_selinux_enabled: true
+
+# Email/SMTP settings
+gitlab_smtp_address: smtp.example.com
+gitlab_smtp_port: 465
+gitlab_smtp_user_name: "gitlab@example.com"
+gitlab_smtp_password: "{{ lookup('passwordstore', gitlab_domain + '/' + gitlab_smtp_user_name + ' create=true length=42') }}"
+gitlab_smtp_tls: "{{ gitlab_snmp_tls | default('true') }}" # There was a typo in the config option name, this makes sure it's falling back properly
+gitlab_email_from: "{{ gitlab_smtp_user_name }}"
+gitlab_email_reply_to: "{{ gitlab_smtp_user_name }}"
+gitlab_smtp_starttls_auto: false
+gitlab_smtp_openssl_verify_mode: "peer"
+
+# Libravatar / Gravatar URLs
+gitlab_libravatar_plain: "cdn.libravatar.org"
+gitlab_libravatar_ssl: "seccdn.libravatar.org"
+
+# CSP settings
+gitlab_csp:
+  enabled: true
+  img_src: "https:"
+  # yamllint disable-line rule:line-length
+  # frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+  # script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+
+# SAML settings
+gitlab_saml:
+  enabled: false
+  label: "SAML"
+  groups_attribute: "roles"
+  external_groups: "{{ gitlab_domain }}:external"
+  idp_cert_fingerprint: "<to be set>"
+  idp_sso_target_url: "https://sso.example.com"
+  idp_slo_target_url: "https://sso.example.com"
+  issuer: "{{ gitlab_domain }}"
+  certificate: "<cert without '----BEGIN CERTIFICATE----' (can be omited)>"
+  private_key: "<private key without '----BEGIN RSA PRIVATE KEY----' (can be omited)>"
+  attribute_statements:
+    first_name: "first_name"
+    last_name: "last_name"
+    name: "name"
+    username: "username"
+    email: "email"
+  name_identifier_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+  autologin: false
+
+# LDAP settings
+gitlab_ldap:
+  enabled: false
+  label: "LDAP"
+  host: "ldap.example.com"
+  port: 389
+  bind_dn: "_the_full_dn_of_the_user_you_will_bind_with"
+  password: "_the_password_of_the_bind_user"
+  encryption: "simple_tls"
+  verify_certificates: true
+  uid: "sAMAccountName"
+  active_directory: true
+  user_filter: ""
+  base: "dc=example,dc=com"
+
+# IMAP settings (for email replies to comments etc.)
+gitlab_imap:
+  enabled: false
+  username: "{{ gitlab_smtp_user_name }}"
+  password: "{{ gitlab_smtp_password }}"
+  server_address: imap.example.com
+  email_address: "incoming+%{key}@gitlab.example.com"
+
+# Gitlab docker registry settings
+gitlab_registry:
+  enabled: false
+  # Defines the port that is appended to the registry domain used by gitlab.
+  # This can be omitted, when no port is needed (eg. registry on its own domain)
+  external_port: 5050
+  # Defines the entrypoint that traefik should use for the registry.
+  # Can be useful to use another port while still using the certificate of the main domain.
+  # This can be omitted to use "websecure" by default
+  traefik_entrypoint: "websecure"
+
+# Gitlab telegraf configuration, allows to configure a monitoring setup for Gitlab
+gitlab_telegraf:
+  enabled: false
+  # Your influxDB hosts
+  influxdb_endpoints:
+    - "influxdb.example.com"
+  influxdb_username: telegraf
+  influxdb_password: ""
+  influxdb_retention_policy: "gitlab"
+  influxdb_retention_policy_tag: ""
+  # Token provided by Gitlab on the admin page
+  # See https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_metrics.html
+  metrics_token: ""
+
+# Gitlab dependency proxy feature (see https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html)
+gitlab_dependency_proxy:
+  enabled: false
+
+# Enable the packages feature (see https://docs.gitlab.com/ee/administration/packages/index.html)
+gitlab_packages:
+  enabled: false
+
+# IPv6 ULA config for the bridge network used by docker-ipv6-nat
+gitlab_ipv6:
+  enabled: false
+  subnet: "fd9e:21a7:a92c:2326::/64"
+
+# Gitlab bundled Mattermost instance settings
+gitlab_mattermost:
+  enabled: false
+  domain: chat.gitlab.com

roles/gitlab/meta/main.yml

@@ -0,0 +1,44 @@
+galaxy_info:
+  author: saibotk
+  description: "Installs and configures GitLab via Docker."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker
+  - role: traefik

roles/gitlab/tasks/main.yml

@@ -0,0 +1,101 @@
+---
+# Tasks file for the gitlab role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ gitlab_data_location }}"
+    - "{{ gitlab_config_location }}"
+    - "{{ gitlab_log_location }}"
+    - "{{ gitlab_telegraf_location }}"
+  tags:
+    - gitlab
+  when:
+    - gitlab_selinux_enabled
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ gitlab_install_location }}"
+  tags:
+    - gitlab
+  become: true
+
+- name: Create data directory
+  ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
+    path: "{{ item }}"
+    state: directory
+    owner: "root"
+    group: "root"
+    setype: "container_file_t"
+  with_items:
+    - "{{ gitlab_data_location }}"
+    - "{{ gitlab_config_location }}"
+    - "{{ gitlab_log_location }}"
+    - "{{ gitlab_telegraf_location }}"
+  tags:
+    - gitlab
+  become: true
+
+- name: Deploy telegraf.conf
+  ansible.builtin.template:
+    src: telegraf.conf
+    dest: "{{ gitlab_telegraf_location }}/telegraf.conf"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+  tags:
+    - telegraf
+    - gitlab
+  become: true
+  when:
+    - gitlab_telegraf.enabled
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ gitlab_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - gitlab
+  become: true
+
+- name: Compose GitLab
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ gitlab_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - gitlab
+  become: true

roles/gitlab/templates/docker-compose.yml

@@ -0,0 +1,321 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2.1'
+services:
+  web:
+    image: docker.io/gitlab/gitlab-ce:{{ gitlab_version }}
+    hostname: '{{ gitlab_domain }}'
+    mem_limit: {{ gitlab_memory_limit }}
+    memswap_limit: {{ gitlab_memoryswap_limit }}
+    environment:
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url 'https://{{ gitlab_domain }}'
+        gitlab_rails['gitlab_shell_ssh_port'] = {{ gitlab_ssh_port }}
+        letsencrypt['enable'] = false
+        nginx['listen_https'] = false
+        nginx['listen_port'] = 80
+        nginx['real_ip_trusted_addresses'] = [ '172.16.0.0/12' ]
+        nginx['gzip_enabled'] = false
+
+        prometheus_monitoring['enable'] = false
+
+        # CSP config
+        gitlab_rails['content_security_policy'] = {
+            enabled: {{ gitlab_csp.enabled | default(true) | bool | lower }},
+            report_only: false,
+            directives: {
+              default_src: "'self' {{ gitlab_csp.default_src | default("") }}",
+              script_src: "'self' {{ gitlab_csp.script_src | default("") }} 'unsafe-eval'",
+              frame_ancestor: "'self'",
+              frame_src: "'self' {{ gitlab_csp.frame_src | default("") }}",
+              img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default("") }} data: blob:",
+              style_src: "'self' 'unsafe-inline'",
+              worker_src: "'self' blob:",
+              object_src: "'none'"
+            }
+        }
+
+        # Mail settings
+        gitlab_rails['smtp_enable'] = true
+        gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
+        gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }}
+        gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user_name }}"
+        gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
+        gitlab_rails['smtp_authentication'] = "login"
+        gitlab_rails['smtp_domain'] = "{{ gitlab_smtp_address }}"
+        gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls | bool | lower }}
+        gitlab_rails['smtp_enable_starttls_auto'] = {{ gitlab_smtp_starttls_auto | bool | lower }}
+        gitlab_rails['smtp_openssl_verify_mode'] = '{{ gitlab_smtp_openssl_verify_mode }}'
+
+        gitlab_rails['gitlab_email_from'] = '{{ gitlab_email_from }}'
+        gitlab_rails['gitlab_email_reply_to'] = '{{ gitlab_email_reply_to }}'
+
+        # Use Libravatar
+        gitlab_rails['gravatar_enabled'] = true
+        gitlab_rails['gravatar_plain_url'] = "http://{{ gitlab_libravatar_plain }}/avatar/%{hash}?s=%{size}&d=identicon"
+        gitlab_rails['gravatar_ssl_url'] = "https://{{ gitlab_libravatar_ssl }}/avatar/%{hash}?s=%{size}&d=identicon"
+
+{% if gitlab_imap.enabled %}
+        gitlab_rails['incoming_email_enabled'] = true
+
+        # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
+        # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
+        #gitlab_rails['incoming_email_address'] = "incoming+%{key}@gitlab.example.com"
+        gitlab_rails['incoming_email_address'] = "{{ gitlab_imap.email_address }}"
+
+        # Email account username
+        # With third party providers, this is usually the full email address.
+        # With self-hosted email servers, this is usually the user part of the email address.
+        gitlab_rails['incoming_email_email'] = "{{ gitlab_imap.username }}"
+        # Email account password
+        gitlab_rails['incoming_email_password'] = "{{ gitlab_imap.password }}"
+
+        # IMAP server host
+        gitlab_rails['incoming_email_host'] = "{{ gitlab_imap.server_address }}"
+        # IMAP server port
+        gitlab_rails['incoming_email_port'] = 993
+        # Whether the IMAP server uses SSL
+        gitlab_rails['incoming_email_ssl'] = true
+        # Whether the IMAP server uses StartTLS
+        gitlab_rails['incoming_email_start_tls'] = false
+
+        # The mailbox where incoming mail will end up. Usually "inbox".
+        gitlab_rails['incoming_email_mailbox_name'] = "inbox"
+        # The IDLE command timeout.
+        gitlab_rails['incoming_email_idle_timeout'] = 60
+{% endif %}
+
+{% if gitlab_packages.enabled %}
+        # Gitlab packages
+        gitlab_rails['packages_enabled'] = true
+{% endif %}
+
+{% if gitlab_dependency_proxy.enabled %}
+        # Gitlab dependency proxy
+        gitlab_rails['dependency_proxy_enabled'] = true
+{% endif %}
+
+{% if gitlab_registry.enabled %}
+        # Gitlab registry
+        gitlab_rails['registry_enabled'] = true
+        gitlab_rails['registry_host'] = "{{ gitlab_registry_domain }}"
+        registry_external_url "https://{{ gitlab_registry_domain }}{% if gitlab_registry.external_port is defined %}:{{ gitlab_registry.external_port }}{% endif %}"
+        registry_nginx['listen_port'] = 5040
+        registry_nginx['listen_https'] = false
+{% endif %}
+
+{% if gitlab_mattermost.enabled %}
+        # Mattermost
+        mattermost_external_url 'https://{{ gitlab_mattermost.domain }}'
+        mattermost_nginx['listen_port'] = 8050
+        mattermost_nginx['listen_https'] = false
+        mattermost['gitlab_auth_endpoint'] = "http://{{ gitlab_domain }}/oauth/authorize"
+        mattermost['gitlab_token_endpoint'] = "http://{{ gitlab_domain }}/oauth/token"
+        mattermost['gitlab_user_api_endpoint'] = "http://{{ gitlab_domain }}/api/v4/user"
+{% endif %}
+
+{% if gitlab_ldap.enabled %}
+        gitlab_rails['ldap_enabled'] = true
+        gitlab_rails['prevent_ldap_sign_in'] = false
+        gitlab_rails['ldap_servers'] = {
+        'main' => {
+          'label' => '{{ gitlab_ldap.label }}',
+          'host' =>  '{{ gitlab_ldap.host }}',
+          'port' => {{ gitlab_ldap.port }},
+          'uid' => '{{ gitlab_ldap.uid }}',
+          'encryption' => '{{ gitlab_ldap.encryption }}',
+          'verify_certificates' => {{ gitlab_ldap.verify_certificates | bool | lower }},
+          'bind_dn' => '{{ gitlab_ldap.bind_dn }}',
+          'password' => '{{ gitlab_ldap.password }}',
+          'timeout' => 10,
+          'active_directory' => {{ gitlab_ldap.active_directory | bool | lower }},
+          'allow_username_or_email_login' => false,
+          'block_auto_created_users' => false,
+          'base' => '{{ gitlab_ldap.base }}',
+          'attributes' => {
+            'username' => ['uid', 'userid', 'sAMAccountName'],
+            'email' => ['mail', 'email', 'userPrincipalName'],
+            'name' => 'cn',
+            'first_name' => 'givenName',
+            'last_name' => 'sn'
+          },
+          'lowercase_usernames' => false
+          }
+        }
+{% endif %}
+
+{% if gitlab_saml.enabled %}
+        # SAML settings
+        gitlab_rails['omniauth_enabled'] = true
+        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
+        gitlab_rails['omniauth_block_auto_created_users'] = false
+        gitlab_rails['omniauth_auto_link_ldap_user'] = false
+        gitlab_rails['omniauth_auto_link_saml_user'] = false
+        gitlab_rails['omniauth_external_providers'] = []
+        gitlab_rails['omniauth_providers'] = [
+          {
+            name: 'saml',
+            label: '{{ gitlab_saml.label }}',
+            groups_attribute: '{{ gitlab_saml.groups_attribute }}',
+            external_groups: ['{{ gitlab_saml.external_groups }}'],
+            args: {
+                     assertion_consumer_service_url: 'https://{{ gitlab_domain }}/users/auth/saml/callback',
+                     idp_cert_fingerprint: '{{ gitlab_saml.idp_cert_fingerprint }}',
+                     idp_sso_target_url: '{{ gitlab_saml.idp_sso_target_url }}',
+                     idp_slo_target_url: '{{ gitlab_saml.idp_slo_target_url }}',
+{% if gitlab_saml.certificate is defined and gitlab_saml.private_key is defined %}
+                     certificate: '-----BEGIN CERTIFICATE-----
+        {{ gitlab_saml.certificate }}
+        -----END CERTIFICATE-----',
+                     private_key: '-----BEGIN RSA PRIVATE KEY-----
+        {{ gitlab_saml.private_key }}
+        -----END RSA PRIVATE KEY-----',
+                     security: {
+                       authn_requests_signed: true,
+                       want_assertions_signed: true,
+                       embed_sign: true,
+                       signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+                       digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
+                     },
+{% endif %}
+                     issuer: '{{ gitlab_saml.issuer }}',
+                     attribute_statements: {
+                       first_name: ['{{ gitlab_saml.attribute_statements.first_name }}'],
+                       last_name: ['{{ gitlab_saml.attribute_statements.last_name }}'],
+                       name: ['{{ gitlab_saml.attribute_statements.name }}'],
+                       username: ['{{ gitlab_saml.attribute_statements.username }}'],
+                       email: ['{{ gitlab_saml.attribute_statements.email }}'] },
+                     name_identifier_format: '{{ gitlab_saml.name_identifier_format }}',
+                     upstream_two_factor_authn_contexts:
+                       %w(
+                         urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
+                         urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
+                         urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
+                       )
+                   }
+          }
+        ]
+{% if gitlab_saml.autologin %}
+        gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
+{% endif %}
+{% endif %}
+
+{% if gitlab_log_tmpfs %}
+        # Configure logging to only retain 10 log files, of 10MiB each
+        # This should prevent the tmpfs from overflowing
+        logging['svlogd_size'] = 10 * 1024 * 1024
+        logging['svlogd_num'] = 5
+        logging['logrotate_maxsize'] = 10 * 1024 * 1024
+        logging['logrotate_rotate'] = 5
+{% endif %}
+
+    labels:
+      - "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.gitlab.entrypoints=websecure"
+      - "traefik.http.routers.gitlab.tls=true"
+      - "traefik.http.routers.gitlab.tls.certresolver={{ gitlab_traefik_certresolver }}"
+      - "traefik.http.routers.gitlab.middlewares=gitlab,compress"
+      - "traefik.http.routers.gitlab.service=gitlab"
+      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
+
+{% if gitlab_registry.enabled %}
+      - "traefik.http.routers.gitlab-registry.rule=Host(`{{ gitlab_registry_domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.gitlab-registry.entrypoints={{ gitlab_registry.traefik_entrypoint | default('websecure') }}"
+      - "traefik.http.routers.gitlab-registry.tls=true"
+      - "traefik.http.routers.gitlab-registry.tls.certresolver={{ gitlab_traefik_certresolver }}"
+      - "traefik.http.routers.gitlab-registry.middlewares=gitlab,compress"
+      - "traefik.http.routers.gitlab-registry.service=gitlab-registry"
+      - "traefik.http.services.gitlab-registry.loadbalancer.server.port=5040"
+{% endif %}
+
+{% if gitlab_mattermost.enabled %}
+      - "traefik.http.routers.gitlab-mattermost.rule=Host(`{{ gitlab_mattermost.domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.gitlab-mattermost.entrypoints=websecure"
+      - "traefik.http.routers.gitlab-mattermost.tls=true"
+      - "traefik.http.routers.gitlab-mattermost.tls.certresolver={{ gitlab_traefik_certresolver }}"
+      - "traefik.http.routers.gitlab-mattermost.middlewares=gitlab,compress"
+      - "traefik.http.routers.gitlab-mattermost.service=gitlab-mattermost"
+      - "traefik.http.services.gitlab-mattermost.loadbalancer.server.port=8050"
+{% endif %}
+
+      - "traefik.http.middlewares.gitlab.headers.sslredirect=true"
+      - "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"
+
+      - "traefik.enable=true"
+{% if proxy_network is defined %}
+      - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
+      - "traefik.http.middlewares.gitlab.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
+{% endif %}
+    volumes:
+      - "{{ gitlab_data_location }}:/var/opt/gitlab"
+      - "{{ gitlab_config_location }}:/etc/gitlab"
+{% if not gitlab_log_tmpfs %}
+      - "{{ gitlab_log_location }}:/var/log/gitlab"
+{% endif %}
+
+
+{% if gitlab_log_tmpfs %}
+    tmpfs:
+      - "/var/log/gitlab:size=256M,noexec,nodev,nosuid,rw"
+{% endif %}
+
+    restart: always
+    ports:
+      - "{{ gitlab_ssh_port }}:22"
+{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
+    networks:
+{% if proxy_network is defined %}
+      {{ proxy_network }}:
+{% endif %}
+{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
+      gitlab-ipv6:
+{% endif %}
+{% endif %}
+
+
+{% if gitlab_telegraf.enabled %}
+  telegraf:
+    image: docker.io/library/telegraf:{{ gitlab_telegraf_version }}
+    restart: always
+    mem_limit: 256mb
+    memswap_limit: 384mb
+    read_only: false # TODO: Switch to self-made container
+    volumes:
+      - {{ gitlab_telegraf_location }}:/etc/telegraf/:ro
+{% endif %}
+
+{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
+networks:
+{% if proxy_network is defined %}
+  {{ proxy_network }}:
+    external: true
+{% endif %}
+{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
+  gitlab-ipv6:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ gitlab_ipv6.subnet }}
+    enable_ipv6: true
+{% endif %}
+{% endif %}

roles/gitlab/templates/telegraf.conf

@@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+[global_tags]
+
+[agent]
+  interval = "10s"
+  round_interval = true
+  metric_batch_size = 1000
+  metric_buffer_limit = 1000000
+  collection_jitter = "5s"
+  flush_interval = "10s"
+  flush_jitter = "5s"
+  precision = ""
+  hostname = "{{ ansible_fqdn }}"
+  omit_hostname = false
+
+[[outputs.influxdb]]
+  urls = ["https://{{ gitlab_telegraf.influxdb_endpoints | join('","https://') }}"]
+  database = "telegraf"
+  timeout = "5s"
+  retention_policy = "{{ gitlab_telegraf.influxdb_retention_policy }}"
+  retention_policy_tag = "{{ gitlab_telegraf.influxdb_retention_policy_tag }}"
+  username = "{{ gitlab_telegraf.influxdb_username }}"
+  password = "{{ gitlab_telegraf.influxdb_password }}"
+
+[[inputs.prometheus]]
+  urls = ["http://{{ gitlab_domain }}/-/metrics?token={{ gitlab_telegraf.metrics_token }}"]

roles/gitlab_runner/README.md

@@ -0,0 +1,87 @@
+gitlab_runner
+=========
+
+This will set up a [gitlab-runner](https://docs.gitlab.com/runner/) instance via Docker, that is used to run CI jobs from a GitLab instance.  
+Multiple different runners can be created and configured for this runner instance.
+
+**NOTE: Currently this will only allow to configure a docker, shell & docker+machine runner.**
+
+**NOTE2: When deploying docker-machines with the privileged flag enabled, only use this in a trusted environment or set max builds to 1 to prevent malicious actions affecting other builds.**
+
+Requirements
+------------
+
+You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+### Example autoscaling Hetzner-Runner configuration:
+```yaml
+# This image has the hetzner plugin pre-installed
+gitlabrunner_image: "quay.io/shivering-isles/gitlab-hetzner-runner"
+gitlabrunner_image_version: 13.6.0
+
+# Extra paths that should be created (eg. to be mounted in the container)
+gitlabrunner_extra_paths:
+  - "{{ gitlabrunner_install_location }}/hetzner_machine"
+
+gitlabrunner_runners:
+    # The URL of the instance that this runner should be associated with
+  - gitlab_url: https://gitlab.example.com
+
+    # The token that you received when registering the runner (not the register token!!!)
+    # Register a runner first to obtain a token: https://docs.gitlab.com/runner/register/index.html#docker
+    # Can be done via the API and the registration token: eg. `curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token=<registration_token>"`
+    gitlab_token: "ENTER_YOUR_TOKEN_HERE"
+    
+    # Adjust the name of the runner
+    name: "hetzner-docker-auto-scale"
+
+    # Set the docker executor
+    executor: "docker+machine"
+
+    # Should the docker runner start containers as privileged? (eg. needed for docker in docker / building with docker etc)
+    docker_privileged: true
+    # Should the docker socket be mounted into the containers? (SECURITY NOTE: This is critical, as it is effectively the same as root!)
+    docker_mount_socket: true
+
+    # The docker-machine driver that should be used (the server provider)
+    machine_driver: "hetzner"
+    # The template for naming new machines
+    machine_name: "machine-%s-gitlab-runner"
+    # The maximum amount of builds on a machine (VM) before a new one will be used
+    machine_max_builds: 20
+    # Time (in seconds) for machine to be in Idle state before it is removed.
+    machine_idle_time: 1800
+    # Number of machines, that need to be created and are waiting in Idle state.
+    machine_idle_count: 0
+
+    # The "MachineOptions" field with parameters that depend on the driver (these usually provide the api token, which machine type is used etc...)
+    machine_options:
+      hetzner-api-token: "REPLACE_WITH_YOUR_API_TOKEN" # The Hetzner specific API token
+      hetzner-image: "debian-10" # The image that should be used for new machines
+      hetzner-server-type: "cx11" # The server type (the hardware configuration) to use for a new machine
+      hetzner-server-location: "fsn1" # The server location to use for a new machine
+      engine-install-url: "https://releases.rancher.com/install-docker/19.03.9.sh" # Workaround until 20.10 gets an update https://github.com/JonasProgrammer/docker-machine-driver-hetzner/issues/54
+
+    # Extra volumes that should be added to the gitlab runner container.
+    gitlabrunner_extra_volumes:
+      - "./hetzner_machine:/root/.docker/machine"
+
+```
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+
+License
+-------
+
+GPL-3.0-only

roles/gitlab_runner/defaults/main.yml

@@ -0,0 +1,109 @@
+---
+# Default variables for the gitlab_runner role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Install location settings
+gitlab_runner_install_location: "/srv/gitlab-runner"
+gitlab_runner_config_location: "{{ gitlab_runner_install_location }}/config"
+
+# The runner image & tag/version to be used
+gitlab_runner_image: "docker.io/gitlab/gitlab-runner"
+# renovate: depName=docker.io/gitlab/gitlab-runner
+gitlab_runner_image_version: "v17.5.3"
+gitlab_runner_image_variant: "alpine-{{ gitlab_runner_image_version }}"
+
+# Extra paths that should be created (eg. to be mounted in the container)
+gitlab_runner_extra_paths: []
+
+# Enable or disable selinux handling
+gitlab_runner_selinux_enabled: true
+
+# Should the docker socket be mounted to the gitlab runner (usually needed for the docker executor)
+gitlab_runner_mount_docker_socket: false
+
+# Extra volumes that should be added to the gitlab runner container.
+gitlab_runner_extra_volumes: []
+
+# The maximum overall concurrent running jobs. This is the most upper limit of number of jobs using all defined runners, local and autoscale.
+gitlab_runner_concurrent: 1
+
+# The interval in seconds, to check for available jobs. (0 means default value is used.
+# See https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-check_interval-works)
+gitlab_runner_check_interval: 0
+
+# This is used to define all the runners, that may be served by this gitlab-runner
+# !! YOU WILL NEED TO ADJUST THIS! BELOW IS A FULL EXAMPLE!
+gitlab_runner_runners:
+  # The URL of the instance that this runner should be associated with
+  - gitlab_url: https://gitlab.example.com
+
+    # The token that you received when registering the runner (not the register token!!!)
+    # Register a runner first to obtain a token: https://docs.gitlab.com/runner/register/index.html#docker
+    # Can be done via the API and the registration token:
+    # curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token=<registration_token>"
+    gitlab_token:
+
+    # The name of the runner
+    name: "docker-runner"
+
+    # The limit of machines created by the runner and with that also the limit of jobs that can be handled concurrently by this specific runner.
+    limit: 1
+
+    # The executor that is used for this runner.
+    # Eg. "docker", "shell", "docker+machine"
+    executor: "docker"
+
+    # Should the docker runner start containers as privileged? (eg. needed for docker in docker / building with docker etc)
+    docker_privileged: false
+    # Should the docker socket be mounted into the containers? (SECURITY NOTE: This is critical, as it is effectively the same as root!)
+    docker_mount_socket: false
+    # The image that should be used for jobs by default
+    docker_image: "docker.io/library/docker:stable"
+
+    # The docker-machine driver that should be used (the server provider)
+    machine_driver: "hetzner"
+    # The template for naming new machines
+    machine_name: "machine-%s-gitlab-runner"
+    # The maximum amount of builds on a machine (VM) before a new one will be used
+    machine_max_builds: 20
+    # Time (in seconds) for machine to be in Idle state before it is removed.
+    machine_idle_time: 1800
+    # Number of machines, that need to be created and are waiting in Idle state.
+    machine_idle_count: 0
+
+    # The "MachineOptions" field with parameters that depend on the driver (these usually provide the api token, which machine type is used etc...)
+    # This for example are parameters for the Hetzner driver (but remember, that this will need the hetzner docker-machine plugin)
+    # The options can also be omitted if you do not need any.
+    machine_options:
+      # The Hetzner specific API token
+      hetzner-api-token: "TOKENHERE"
+      # The image that should be used for new machines
+      hetzner-image: "debian-10"
+      # The server type (the hardware configuration) to use for a new machine
+      hetzner-server-type: "cx11"
+      # The server location to use for a new machine
+      hetzner-server-location: "fsn1"
+
+    # S3 Runner cache configuration to improve performance between runs
+    # (see https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching)
+    # The options can also be omitted if you do not want to configure a cache
+    cache_s3:
+      server: s3.example.com
+      access_key: ""
+      secret_key: ""
+      bucket: "runner"

roles/gitlab_runner/meta/main.yml

@@ -0,0 +1,43 @@
+galaxy_info:
+  author: saibotk
+  description: "Deploys a gitlab-runner using Docker."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker

roles/gitlab_runner/tasks/main.yml

@@ -0,0 +1,86 @@
+---
+# Tasks file for the gitlab_runner role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Alexander Wellbrock
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ gitlab_runner_config_location }}"
+    - "{{ gitlab_runner_extra_paths }}"
+  when:
+    - gitlab_runner_selinux_enabled
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ gitlab_runner_install_location }}"
+  become: true
+
+- name: Create config directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+    setype: "container_file_t"
+  with_items:
+    - "{{ gitlab_runner_config_location }}"
+    - "{{ gitlab_runner_extra_paths }}"
+  become: true
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ gitlab_runner_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+  become: true
+
+- name: Deploy config.toml for gitlab-runner
+  ansible.builtin.template:
+    src: config.toml
+    dest: "{{ gitlab_runner_config_location }}/config.toml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+  become: true
+
+- name: Compose gitlab-runner
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ gitlab_runner_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - gitlab-runner
+  become: true

roles/gitlab_runner/templates/config.toml

@@ -0,0 +1,63 @@
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+concurrent = {{ gitlab_runner_concurrent }}
+check_interval = {{ gitlab_runner_check_interval }}
+
+{% for gitlabrunner in gitlab_runner_runners %}
+[[runners]]
+  name = "{{ gitlabrunner.name }}"
+  limit = {{ gitlabrunner.limit | default(1) }}
+  url = "{{ gitlabrunner.gitlab_url }}"
+  token = "{{ gitlabrunner.gitlab_token }}"
+  executor = "{{ gitlabrunner.executor }}"
+{% if gitlabrunner.executor == "docker" or gitlabrunner.executor == "docker+machine" %}
+  [runners.docker]
+    image = "{{ gitlabrunner.docker_image | default("docker.io/library/docker:stable") }}"
+    privileged = {{ gitlabrunner.docker_privileged | bool | lower }}
+    volumes = [
+      "/cache",
+{% if gitlabrunner.docker_mount_socket %}
+      "/var/run/docker.sock:/var/run/docker.sock"
+{% endif %}
+    ]
+{% endif %}
+{% if gitlabrunner.executor == "docker+machine" %}
+  [runners.machine]
+    IdleCount = {{ gitlabrunner.machine_idle_count }}
+    IdleTime = {{ gitlabrunner.machine_idle_time }}
+    MaxBuilds = {{ gitlabrunner.machine_max_builds }}
+    MachineDriver = "{{ gitlabrunner.machine_driver }}"
+    MachineName = "{{ gitlabrunner.machine_name }}"
+    MachineOptions = [
+{% for key, value in gitlabrunner.machine_options.items() %}
+      "{{ key }}={{ value }}",
+{% endfor %}
+    ]
+{% endif %}
+  [runners.cache]
+{% if gitlabrunner.cache_s3 is defined %}
+    Type = "s3"
+    Shared = false
+    [runners.cache.s3]
+      ServerAddress = "{{ gitlabrunner.cache_s3.server }}"
+      AccessKey = "{{ gitlabrunner.cache_s3.access_key }}"
+      SecretKey = "{{ gitlabrunner.cache_s3.secret_key }}"
+      BucketName = "{{ gitlabrunner.cache_s3.bucket }}"
+      Insecure = false
+{% endif %}
+{% endfor %}

roles/gitlab_runner/templates/docker-compose.yml

@@ -0,0 +1,33 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2'
+services:
+  runner:
+    image: {{ gitlab_runner_image }}:{{ gitlab_runner_image_variant }}
+    mem_limit: 128mb
+    memswap_limit: 256mb
+    volumes:
+      - "{{ gitlab_runner_config_location }}:/etc/gitlab-runner"
+{% if gitlab_runner_mount_docker_socket %}
+      - "/var/run/docker.sock:/var/run/docker.sock"
+{% endif %}
+{% for item in gitlab_runner_extra_volumes %}
+      - "{{item}}"
+{% endfor %}
+    restart: always

roles/lvm_self_backup/README.md

@@ -0,0 +1,26 @@
+lvm_self_backup
+=========
+
+This will deploy a `backup-lvm` and `backup-lvm-ls` script to backup configured LVM volumes encrypted with GPG using duplicity and list the remote content for verification. A systemd timer is also deployed to schedule automatic backups daily at 4 AM.
+
+Requirements
+------------
+
+You will need to have docker installed or declared as a dependency with the respective role.
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+Dependencies
+------------
+
+- docker
+
+License
+-------
+
+GPL-3.0-only

roles/lvm_self_backup/defaults/main.yml

@@ -0,0 +1,72 @@
+---
+# Default variables for the lvm_self_backup role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The directory to put the status flag in
+lvm_self_backup_status_directory: "/monitoring"
+
+# Status directory user & group id
+# This can be used for example to give telegraf access to the status files.
+lvm_self_backup_status_directory_uid: 100
+lvm_self_backup_status_directory_gid: 101
+
+# The LVM volumes to backup
+# Available fields:
+#  vg_name - The volume group that the volume resides in
+#  lv_name - The logical volume name that should be backed up
+#  fstype - Optional. Set to "xfs" to mount the snapshots with the `nouuid` flag when the XFS filesystem is used.
+#
+lvm_self_backup_vols: []
+
+# The backup target (see duplicity for valid inputs)
+lvm_self_backup_target: ""
+
+# The duplicity image & version
+lvm_self_backup_duplicity_image: "quay.io/sheogorath/duplicity"
+# renovate: depName=quay.io/sheogorath/duplicity
+lvm_self_backup_duplicity_version: "1.2.3"
+lvm_self_backup_duplicity_image_version: "{{ lvm_self_backup_duplicity_version }}"
+
+# The GPG options to be used when backing up
+# Generate a GPG key as the root user before using this role and enter the details here!
+lvm_self_backup_gpg:
+  id: ""
+  passphrase: "PASSWORD"
+  sign_key: "{{ lvm_self_backup_gpg.id }}"
+  encryption_keys:
+    - "{{ lvm_self_backup_gpg.id }}"
+
+# Should the systemd timer be enabled to automatically backup every day?
+lvm_self_backup_timer_enabled: true
+lvm_self_backup_timer_state: "started"
+
+# Management for backup retention if enabled, backups will be dropped.
+lvm_self_backup_retention:
+  # Number of incremental backups to keep.
+  # Incremental backups require a full backup as base.
+  # Therefore the incremental count must be lower
+  # then under full backup if both are enabled.
+  incremental:
+    enabled: true
+    count: 3
+  # Number of full backups to keep. All additional will be deleted.
+  # Starting from the oldest.
+  full:
+    enabled: true
+    count: 6

roles/lvm_self_backup/handlers/main.yml

@@ -0,0 +1,23 @@
+---
+# Handlers for lvm_self_backup
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Reload systemd config
+  ansible.builtin.systemd:
+    daemon_reload: true
+  become: true

roles/lvm_self_backup/meta/main.yml

@@ -0,0 +1,43 @@
+galaxy_info:
+  author: saibotk
+  description: "Deploys a self backup solution using lvm and duplicity."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker

roles/lvm_self_backup/tasks/main.yml

@@ -0,0 +1,78 @@
+---
+# Tasks file for the lvm_self_backup role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Create backup mount directories
+  ansible.builtin.file:
+    path: "/lvm_self_backup_snapshots/{{ item.vg_name }}-{{ item.lv_name }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+    recurse: true
+  with_items:
+    - "{{ lvm_self_backup_vols }}"
+  become: true
+
+- name: Create backup status directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "{{ lvm_self_backup_status_directory_uid }}"
+    group: "{{ lvm_self_backup_status_directory_gid }}"
+    recurse: true
+  with_items:
+    - "{{ lvm_self_backup_status_directory }}"
+  become: true
+
+- name: Install backup scripts.
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - src: "backup-lvm.sh"
+      dest: "/usr/local/bin/backup-lvm"
+    - src: "backup-lvm-ls.sh"
+      dest: "/usr/local/bin/backup-lvm-ls"
+  become: true
+
+- name: Install backup services & timer.
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/
+    mode: "0600"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "backup-error.service"
+    - "backup-lvm.service"
+    - "backup-lvm.timer"
+  notify: Reload systemd config
+  become: true
+
+- name: Start & enable backup service timer.
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: backup-lvm.timer
+    enabled: "{{ lvm_self_backup_timer_enabled | bool }}"
+    state: "{{ lvm_self_backup_timer_state }}"
+  become: true

roles/lvm_self_backup/templates/backup-error.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Writes the error for the monitoring to pick the failure up.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bash -c 'echo 1337 > {{ lvm_self_backup_status_directory }}/backup.status && chown {{ lvm_self_backup_status_directory_uid }}:{{ lvm_self_backup_status_directory_gid }} {{ lvm_self_backup_status_directory }}/backup.status'

roles/lvm_self_backup/templates/backup-lvm-ls.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+echo "Listing backed up data:"
+docker run --name="duplicity-backup-lvm" \
+           --security-opt "label=disable" \
+           --security-opt "no-new-privileges" \
+           --cap-drop=ALL \
+           --cap-add=DAC_OVERRIDE \
+           --rm \
+           -v "$HOME/.cache/duplicity/:/archive" \
+           -v "/root/.gnupg/:/root/.gnupg/" \
+           -v "/lvm_self_backup_snapshots/:/backup/:ro" \
+           -e "PASSPHRASE={{ lvm_self_backup_gpg.passphrase }}" \
+           --hostname {{ ansible_fqdn }} \
+           {{ lvm_self_backup_duplicity_image }}:{{ lvm_self_backup_duplicity_image_version }} \
+           list-current-files \
+           --sign-key "{{ lvm_self_backup_gpg.sign_key | default(lvm_self_backup_gpg.id) }}" \
+{% for encryption_key in lvm_self_backup_gpg.encryption_keys | default([lvm_self_backup_gpg.id]) %}
+           --encrypt-key "{{ encryption_key }}" \
+{% endfor %}
+           "{{ lvm_self_backup_target }}"

roles/lvm_self_backup/templates/backup-lvm.service

@@ -0,0 +1,33 @@
+[Unit]
+Description=Start lvm backup using duplicity.
+
+[Service]
+Type=oneshot
+
+TimeoutSec=20h
+
+# Creating snapshots
+{% for item in lvm_self_backup_vols %}
+ExecStartPre=/usr/sbin/lvcreate -L 1G -n {{ item.lv_name }}_snap -s {{ item.vg_name }}/{{ item.lv_name }}
+{% endfor %}
+
+# Mounting snapshots
+{% for item in lvm_self_backup_vols %}
+ExecStartPre=/usr/bin/mount -o ro,nosuid,noexec{% if item.fstype is defined and item.fstype == "xfs" %},nouuid{% endif %} -t {{ item.fstype | default("ext4") }} /dev/{{ item.vg_name }}/{{ item.lv_name }}_snap /lvm_self_backup_snapshots/{{ item.vg_name }}-{{ item.lv_name }}
+{% endfor %}
+
+ExecStart=/usr/local/bin/backup-lvm
+
+# Make sure duplicity container is gone
+ExecStopPost=/usr/bin/docker rm --force duplicity-backup-lvm
+
+# Unmount snapshots
+{% for item in lvm_self_backup_vols %}
+ExecStopPost=/usr/bin/umount /dev/{{ item.vg_name }}/{{ item.lv_name }}_snap
+{% endfor %}
+
+# Remove snapshots
+{% for item in lvm_self_backup_vols %}
+ExecStopPost=/usr/sbin/lvremove -f {{ item.vg_name }}/{{ item.lv_name }}_snap
+{% endfor %}
+

roles/lvm_self_backup/templates/backup-lvm.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function backup () {(
+    set -e
+
+    echo "Starting data backup:"
+
+    docker run --name="duplicity-backup-lvm" \
+            --security-opt "label=disable" \
+            --security-opt "no-new-privileges" \
+            --cap-drop=ALL \
+            --cap-add=DAC_OVERRIDE \
+            --rm \
+            -v "$HOME/.cache/duplicity/:/archive" \
+            -v "/root/.gnupg/:/root/.gnupg/" \
+            -v "/lvm_self_backup_snapshots/:/backup/:ro" \
+            -e "PASSPHRASE={{ lvm_self_backup_gpg.passphrase }}" \
+            --hostname {{ ansible_fqdn }} \
+            {{ lvm_self_backup_duplicity_image }}:{{ lvm_self_backup_duplicity_image_version }} \
+            --full-if-older-than 1M \
+            --progress \
+            --progress-rate 60 \
+            --sign-key "{{ lvm_self_backup_gpg.sign_key | default(lvm_self_backup_gpg.id) }}" \
+{% for encryption_key in lvm_self_backup_gpg.encryption_keys | default([lvm_self_backup_gpg.id]) %}
+            --encrypt-key "{{ encryption_key }}" \
+{% endfor %}
+            /backup/ \
+            "{{ lvm_self_backup_target }}"
+
+{% if lvm_self_backup_retention.incremental.enabled %}
+    echo "Remove old incremental backups"
+    docker run --name="duplicity-backup-lvm" \
+            --security-opt "label=disable" \
+            --security-opt "no-new-privileges" \
+            --cap-drop=ALL \
+            --cap-add=DAC_OVERRIDE \
+            --rm \
+            -v "$HOME/.cache/duplicity/:/archive" \
+            --hostname {{ ansible_fqdn }} \
+            {{ lvm_self_backup_duplicity_image }}:{{ lvm_self_backup_duplicity_image_version }} \
+            remove-all-inc-of-but-n-full {{ lvm_self_backup_retention.incremental.count }} --force \
+            "{{ lvm_self_backup_target }}"
+{% endif %}
+
+{% if lvm_self_backup_retention.full.enabled %}
+    echo "Remove old full backups"
+    docker run --name="duplicity-backup-lvm" \
+            --security-opt "label=disable" \
+            --security-opt "no-new-privileges" \
+            --cap-drop=ALL \
+            --cap-add=DAC_OVERRIDE \
+            --rm \
+            -v "$HOME/.cache/duplicity/:/archive" \
+            --hostname {{ ansible_fqdn }} \
+            {{ lvm_self_backup_duplicity_image }}:{{ lvm_self_backup_duplicity_image_version }} \
+            remove-all-but-n-full {{ lvm_self_backup_retention.full.count }} --force \
+            "{{ lvm_self_backup_target }}"
+{% endif %}
+)}
+
+echo "LVM backup started:"
+
+backup
+success=$?
+if [ $success -gt 0 ]; then
+  echo "ERROR: An error occured during backup! $success"
+fi
+
+echo $success > {{ lvm_self_backup_status_directory }}/backup.status
+
+chown {{ lvm_self_backup_status_directory_uid }}:{{ lvm_self_backup_status_directory_gid }} {{ lvm_self_backup_status_directory }}/backup.status
+
+exit $success

roles/lvm_self_backup/templates/backup-lvm.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Schedule regular lvm backups.
+
+[Timer]
+OnCalendar=*-*-* 4:00:00
+
+[Install]
+WantedBy=multi-user.target

roles/minecraft/README.md

@@ -0,0 +1,37 @@
+Minecraft
+=========
+
+Setup a Minecraft server container (https://github.com/itzg/docker-minecraft-server) with an optional RCON interface.
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and optionally traefik installed or declared as dependencies with their respective roles.
+
+**This role assumes that (if your are using the RCON webinterface) you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+### Global variables, that are used:
+
+**Only when the webinterface is enabled:**  
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+- traefik (optional, only when enabling the webinterface)
+
+License
+-------
+
+GPL-3.0-only

roles/minecraft/defaults/main.yml

@@ -0,0 +1,89 @@
+---
+# Default variables for the minecraft role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install locations
+minecraft_install_location: "/srv/minecraft"
+minecraft_data_location: "{{ minecraft_install_location }}/data"
+minecraft_rcon_location: "{{ minecraft_install_location }}/rcon"
+minecraft_backup_location: "{{ minecraft_install_location }}/worlds"
+minecraft_telegraf_location: "{{ minecraft_install_location }}/telegraf"
+
+# renovate: depName=docker.io/itzg/minecraft-server
+minecraft_image_version: "2024.10.2"
+
+# Container versions
+minecraft_image_tag: "{{ minecraft_image_version }}"
+
+# renovate: depName=docker.io/library/telegraf
+minecraft_telegraf_version: "1.26.1"
+
+# Changing this image may also require changing the UID / GID below,
+# to set the correct permissions
+minecraft_telegraf_image_version: "{{ minecraft_telegraf_version }}-alpine"
+
+# Telegraf config user & group id
+# This is used for the config folder that is mounted to the container
+minecraft_telegraf_config_uid: 100
+minecraft_telegraf_config_gid: 101
+
+# The minecraft server port that should be exposed
+minecraft_server_port: 25565
+
+# The certresolver traefik should use for the domain
+minecraft_rcon_certresolver: letsencrypt_http
+
+# The domain under which the rcon web console/websocket is reachable (used by traefik)
+minecraft_rcon_domain: minecraft.example.com
+
+# Should RCON be enabled on the minecraft server?
+minecraft_enable_rcon: true
+
+# Should the RCON webinterface be deployed?
+minecraft_enable_rcon_web: false
+
+# The RCON password
+minecraft_rcon_password: "CHANGEME"
+
+# The minecraft container configuration as environment variables (see https://github.com/itzg/docker-minecraft-server)
+minecraft_config: []
+
+# This config allows to add new portbindings to the minecraft server, eg. for voicechat.
+#
+# Example entry:
+# - 24454:24454/udp
+minecraft_additional_ports: []
+
+# IPv6 ULA config for the bridge network used by docker-ipv6-nat
+minecraft_ipv6:
+  enabled: false
+  subnet: "fd9e:21a7:a92c:2325::/64"
+
+# Minecraft telegraf configuration, allows to configure a monitoring setup for the minecraft server
+minecraft_telegraf:
+  enabled: false
+  influxdb_database: "telegraf"
+  # Your influxDB hosts
+  influxdb_endpoints:
+    - "influxdb.example.com"
+  influxdb_username: telegraf
+  influxdb_password: ""
+  influxdb_retention_policy: "minecraft"
+  influxdb_retention_policy_tag: ""
+  plugins: []

roles/minecraft/handlers/main.yml

@@ -0,0 +1,25 @@
+---
+# Handlers for the minecraft role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021  Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Restart telegraf
+  community.docker.docker_compose_v2:
+    services: "telegraf"
+    project_src: "{{ minecraft_install_location }}"
+    state: restarted
+  become: true

roles/minecraft/meta/main.yml

@@ -0,0 +1,43 @@
+galaxy_info:
+  author: saibotk
+  description: "Deploys a minecraft server with docker and an optional RCON webinterface."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker

roles/minecraft/tasks/main.yml

@@ -0,0 +1,118 @@
+---
+# Tasks file for the minecraft role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ minecraft_data_location }}"
+    - "{{ minecraft_backup_location }}"
+    - "{{ minecraft_rcon_location }}"
+    - "{{ minecraft_telegraf_location }}"
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ minecraft_install_location }}"
+  become: true
+  tags:
+    - minecraft
+
+- name: Create data directories
+  ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
+    path: "{{ item }}"
+    state: directory
+    setype: "container_file_t"
+  with_items:
+    - "{{ minecraft_data_location }}"
+    - "{{ minecraft_backup_location }}"
+    - "{{ minecraft_rcon_location }}"
+  become: true
+  tags:
+    - minecraft
+
+- name: Create telegraf config directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    mode: "0700"
+    owner: "{{ minecraft_telegraf_config_uid }}"
+    group: "{{ minecraft_telegraf_config_gid }}"
+    state: directory
+    setype: "container_file_t"
+  with_items:
+    - "{{ minecraft_telegraf_location }}"
+  become: true
+
+- name: Deploy telegraf.conf
+  ansible.builtin.template:
+    src: telegraf.conf
+    dest: "{{ minecraft_telegraf_location }}/telegraf.conf"
+    mode: "0600"
+    owner: "{{ minecraft_telegraf_config_uid }}"
+    group: "{{ minecraft_telegraf_config_gid }}"
+  notify: "Restart telegraf"
+  tags:
+    - telegraf
+    - minecraft
+  become: true
+  when:
+    - minecraft_telegraf.enabled
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ minecraft_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - minecraft
+  become: true
+
+- name: Install minecraftctl CLI
+  ansible.builtin.template:
+    src: minecraftctl.sh
+    dest: "/usr/local/bin/minecraftctl"
+    mode: "0755"
+    owner: "root"
+    group: "root"
+  tags:
+    - minecraft
+  become: true
+
+- name: Compose minecraft
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ minecraft_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - minecraft
+  become: true

roles/minecraft/templates/docker-compose.yml

@@ -0,0 +1,119 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2.1'
+
+services:
+  minecraft:
+    image: docker.io/itzg/minecraft-server:{{ minecraft_image_tag }}
+    ports:
+      - "{{ minecraft_server_port }}:25565"
+{% for item in minecraft_additional_ports %}
+      - "{{ item }}"
+{% endfor %}
+    volumes:
+      - "{{ minecraft_data_location }}:/data"
+    security_opt:
+      - no-new-privileges
+    environment:
+      EULA: "TRUE"
+      ENABLE_RCON: "{{ minecraft_enable_rcon | bool | lower }}"
+      RCON_PASSWORD: "{{ minecraft_rcon_password }}"
+      RCON_PORT: 28016
+      # enable env variable replacement
+      REPLACE_ENV_VARIABLES: "TRUE"
+      # define an optional prefix for your env variables you want to replace
+      ENV_VARIABLE_PREFIX: "CFG_"
+
+{% for key, value in minecraft_config.items() %}
+      {{ key | upper }}: "{{ value }}"
+{% endfor %}
+
+    networks:
+      minecraft-backend:
+
+    restart: always
+
+{% if minecraft_enable_rcon_web %}
+  rcon:
+    image: docker.io/itzg/rcon
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.minecraft-websocket.rule=Host(`{{ minecraft_rcon_domain }}`) && PathPrefix(`/rcon-websocket`)"
+      - "traefik.http.routers.minecraft-websocket.entrypoints=websecure"
+      - "traefik.http.routers.minecraft-websocket.tls.certresolver={{ minecraft_rcon_certresolver }}"
+      - "traefik.http.routers.minecraft-websocket.middlewares=minecraft,compress,minecraft-websocket-stripprefix"
+      - "traefik.http.routers.minecraft-websocket.service=minecraft-websocket"
+      - "traefik.http.services.minecraft-websocket.loadbalancer.server.port=4327"
+      - "traefik.http.middlewares.minecraft-websocket-stripprefix.stripprefix.prefixes=/rcon-websocket"
+
+      - "traefik.http.routers.minecraft.rule=Host(`{{ minecraft_rcon_domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.minecraft.entrypoints=websecure"
+      - "traefik.http.routers.minecraft.tls.certresolver={{ minecraft_rcon_certresolver }}"
+      - "traefik.http.routers.minecraft.middlewares=minecraft,compress"
+      - "traefik.http.routers.minecraft.service=minecraft"
+      - "traefik.http.services.minecraft.loadbalancer.server.port=4326"
+      - "traefik.http.middlewares.minecraft.headers.sslredirect=true"
+      - "traefik.http.middlewares.minecraft.headers.stsSeconds=63072000"
+      - "traefik.http.middlewares.minecraft.headers.referrerPolicy=no-referrer"
+
+{% if proxy_network is defined %}
+      - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+
+    volumes:
+      - "{{ minecraft_rcon_location }}:/opt/rcon-web-admin/db"
+    networks:
+      minecraft-backend:
+{% if proxy_network is defined %}
+      {{ proxy_network }}:
+{% endif %}
+
+    restart: always
+
+{% endif %}
+
+{% if minecraft_telegraf.enabled %}
+  telegraf:
+    image: docker.io/library/telegraf:{{ minecraft_telegraf_image_version }}
+    restart: always
+    mem_limit: 256mb
+    memswap_limit: 384mb
+    read_only: false # TODO: Switch to self-made container
+    networks:
+      minecraft-backend:
+    volumes:
+      - {{ minecraft_telegraf_location }}:/etc/telegraf/:ro
+{% endif %}
+
+networks:
+  minecraft-backend:
+    driver: bridge
+{% if minecraft_ipv6 is defined and minecraft_ipv6.enabled %}
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ minecraft_ipv6.subnet }}
+    enable_ipv6: true
+{% endif %}
+{% if proxy_network is defined and minecraft_enable_rcon_web %}
+  {{ proxy_network }}:
+    external: true
+{% endif %}

roles/minecraft/templates/minecraftctl.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+MINECRAFT_PATH="{{ minecraft_data_location }}"
+
+COMMAND=${1:-help}
+
+cd "$MINECRAFT_PATH"
+
+usage() {
+cat <<EOF
+  $0 up
+     Starts the minecraft server
+  $0 restart
+     Restarts the minecraft server
+  $0 down
+     Stops the minecraft server
+  $0 logs
+     Show the logs of the minecraft server
+  $0 status
+     Show the status of all minecraft containers
+  $0 mod-ls
+     Lists all installed mod packages in the mods directory of the minecraft server
+  $0 mod-cp <some mod jar file>
+     Copies a mod package to the mods directory of the mincraft server
+  $0 mod-rm <file name from mod-ls output>
+     Removes a mod package from the mods directory of the minecraft server
+  $0 world-ls
+     Lists backed up worlds
+  $0 world-rm <time reference>
+     Removes a world backup
+  $0 world-backup
+     Creates a backup of the current world
+  $0 world-restore <time reference>
+     Restores a world from the backup
+  $0 world-destroy
+     Destroys the current world of the server.
+     Warning: Stop the server before using this.
+EOF
+}
+
+case "$COMMAND" in
+    "restart")
+      docker-compose restart
+      ;;
+    "up")
+      docker-compose up -d
+      ;;
+    "down")
+      docker-compose down
+      ;;
+    "logs")
+      docker-compose logs minecraft
+      ;;
+    "status")
+      docker-compose ps
+      ;;
+    "mod-cp")
+      if [ ! -e "$OLDPWD/$2" ]; then
+        echo "file \"$OLDPWD/$2\" not found"
+	      exit 1
+      fi
+      cp "$OLDPWD/$2" "$MINECRAFT_PATH/data/mods/"
+      chown -R root:root "$MINECRAFT_PATH/data/mods/"
+      ;;
+    "mod-rm")
+      if ls "$MINECRAFT_PATH/data/mods/" | grep "$2"; then
+        rm "$MINECRAFT_PATH/data/mods/$2"
+      fi
+      ;;
+    "mod-ls")
+      ls "$MINECRAFT_PATH/data/mods/"
+      ;;
+    "world-ls")
+      ls "$MINECRAFT_PATH/worlds/"
+      ;;
+    "world-rm")
+      if ls "$MINECRAFT_PATH/worlds/" | grep "$2"; then
+        rm -Ir "$MINECRAFT_PATH/worlds/$2"
+      fi
+      ;;
+    "world-backup")
+      mkdir "$MINECRAFT_PATH/worlds/$(date +%Y-%m-%dT%H:%M)"
+      cp -r "$MINECRAFT_PATH/data/"{world,world_the_end,world_nether} "$MINECRAFT_PATH/worlds/$(date +%Y-%m-%dT%H:%M)/"
+      ;;
+    "world-restore")
+      if [ -e "$MINECRAFT_PATH/data/world" ]; then
+	      echo "Please destroy the world before restoring"
+        exit 1
+      fi
+      if ls "$MINECRAFT_PATH/worlds/" | grep "$2"; then
+        cp -Ir "$MINECRAFT_PATH/worlds/$2/*" "$MINECRAFT_PATH/data/"
+      fi
+      ;;
+    "world-destroy")
+      rm -Ir "$MINECRAFT_PATH/data/"{world,world_the_end,world_nether}
+      ;;
+    *)
+      usage
+      ;;
+esac

roles/minecraft/templates/telegraf.conf

@@ -0,0 +1,55 @@
+{{ ansible_managed | comment }}
+[global_tags]
+
+[agent]
+  interval = "10s"
+  round_interval = true
+  metric_batch_size = 1000
+  metric_buffer_limit = 1000000
+  collection_jitter = "5s"
+  flush_interval = "10s"
+  flush_jitter = "5s"
+  precision = ""
+  hostname = "{{ ansible_fqdn }}"
+  omit_hostname = false
+
+[[outputs.influxdb]]
+  urls = ["https://{{ minecraft_telegraf.influxdb_endpoints | join('","https://') }}"]
+  database = "{{ minecraft_telegraf.influxdb_database }}"
+  timeout = "5s"
+  retention_policy = "{{ minecraft_telegraf.influxdb_retention_policy }}"
+  retention_policy_tag = "{{ minecraft_telegraf.influxdb_retention_policy_tag }}"
+  username = "{{ minecraft_telegraf.influxdb_username }}"
+  password = "{{ minecraft_telegraf.influxdb_password }}"
+
+{% if minecraft_telegraf.plugins is defined and minecraft_telegraf.plugins is iterable %}
+{% for item in minecraft_telegraf.plugins %}
+[[inputs.{{ item.plugin }}]]
+{% if item.interval is defined %}
+    interval = "{{ item.interval }}s"
+{% endif %}
+{% if item.config is defined and item.config is iterable %}
+{% for items in item.config %}
+    {{ items }}
+{% endfor %}
+{% endif %}
+{% if item.tags is defined and item.tags is iterable %}
+    [inputs.{{ item.plugin }}.tags]
+{% for items in item.tags %}
+        {{ items }}
+{% endfor %}
+{% endif %}
+{% if item.tagpass is defined and item.tagpass is iterable %}
+    [inputs.{{ item.plugin }}.tagpass]
+{% for items in item.tagpass %}
+        {{ items }}
+{% endfor %}
+{% endif %}
+{% if item.tagdrop is defined and item.tagdrop is iterable %}
+    [inputs.{{ item.plugin }}.tagdrop]
+{% for items in item.tagdrop %}
+        {{ items }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}

roles/minecraft_blockmap/README.md

@@ -0,0 +1,37 @@
+Minecraft-Blockmap
+=========
+
+This will setup a Blockmap render job using the Blockmap container and automatically render the provided Minecraft world. The render result then is made available with an nginx container and traefik.
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
+
+Also currently the container expects you to use LVM with enough space for a snapshot.
+
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+### Global variables, that are used:
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+- traefik
+
+License
+-------
+
+GPL-3.0-only

roles/minecraft_blockmap/defaults/main.yml

@@ -0,0 +1,59 @@
+---
+# Default variables for the minecraft_blockmap role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020-2021      Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install locations
+minecraft_blockmap_install_location: "/srv/minecraft-blockmap"
+minecraft_blockmap_config_location: "{{ minecraft_blockmap_install_location }}/config"
+minecraft_blockmap_output_location: "{{ minecraft_blockmap_install_location }}/output"
+minecraft_blockmap_archive_location: "{{ minecraft_blockmap_install_location }}/archive"
+
+# The certresolver for traefik to use on this domain
+minecraft_blockmap_certresolver: letsencrypt_http
+
+# The domain under which the render result is made available using nginx and traefik
+minecraft_blockmap_domain: minecraft.example.com
+
+# The blockmap container image and version to use
+minecraft_blockmap_image: registry.git.saibotk.de/saibotk/blockmap-docker
+# renovate: depName=registry.git.saibotk.de/saibotk/blockmap-docker
+minecraft_blockmap_image_version: 2.4.0
+
+# The LVM information, which volume needs to be snapshotted, to render the world.
+# This is the volume in which the minecraft server/world folder is in.
+minecraft_blockmap_vg_name:
+minecraft_blockmap_lv_name:
+
+# Enable the systemd timer? This will enable automatic rendering every 20 minutes
+minecraft_blockmap_timer_enabled: true
+minecraft_blockmap_timer_state: "started"
+
+# The input location, where the world resides in, that should be rendered.
+# ! NOTE: This is relative to the lvm volume root
+# (eg. a volume covering `/srv` will result in an input path `/minecraft/data/WORLDNAME` if a minecraft server is installed under /srv/minecraft)
+minecraft_blockmap_input_location:
+
+# Additional parameters, that should be passed to the blockmap-cli
+minecraft_blockmap_parameters: ""
+
+# The blockmap render config
+minecraft_blockmap_config_server:
+  name: "Minecraft"
+  description: "Flauschparadies"
+  address: "localhost"
+  max_players: 5

roles/minecraft_blockmap/handlers/main.yml

@@ -0,0 +1,23 @@
+---
+# Handlers for minecraft_blockmap
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Reload systemd config
+  ansible.builtin.systemd:
+    daemon_reload: true
+  become: true

roles/minecraft_blockmap/meta/main.yml

@@ -0,0 +1,44 @@
+galaxy_info:
+  author: saibotk
+  description: "Deploys a minecraft-blockmap renderer and makes the result available using nginx and traefik."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker
+  - role: traefik

roles/minecraft_blockmap/tasks/main.yml

@@ -0,0 +1,154 @@
+---
+# Tasks file for the minecraft_blockmap roles
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ minecraft_blockmap_output_location }}"
+    - "{{ minecraft_blockmap_config_location }}"
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ minecraft_blockmap_install_location }}"
+  become: true
+  tags:
+    - blockmap
+
+- name: Create data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: "root"
+    group: "root"
+    setype: "container_file_t"
+  with_items:
+    - "{{ minecraft_blockmap_output_location }}"
+    - "{{ minecraft_blockmap_config_location }}"
+  become: true
+  tags:
+    - blockmap
+
+- name: Create archive directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ minecraft_blockmap_archive_location }}"
+  become: true
+  tags:
+    - blockmap
+
+- name: Deploy nginx config file
+  ansible.builtin.template:
+    src: "default.conf"
+    dest: "{{ minecraft_blockmap_install_location }}/default.conf"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+  become: true
+
+- name: Deploy blockmap config
+  ansible.builtin.template:
+    src: "blockmap.json"
+    dest: "{{ minecraft_blockmap_config_location }}/blockmap.json"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    setype: "container_file_t"
+  become: true
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ minecraft_blockmap_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - blockmap
+  become: true
+
+- name: Create lvm mount directories
+  ansible.builtin.file:
+    path: "/blockmap_snapshot"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+    recurse: true
+  become: true
+
+- name: Install render script
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "0700"
+    owner: root
+    group: root
+  with_items:
+    - src: "render.sh"
+      dest: "{{ minecraft_blockmap_install_location }}/render.sh"
+  become: true
+
+- name: Install render service & timer
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/
+    mode: "0755"
+    owner: root
+    group: root
+  with_items:
+    - "blockmap-render.service"
+    - "blockmap-render.timer"
+  notify: Reload systemd config
+  become: true
+
+- name: Start & enable render service timer
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: blockmap-render.timer
+    enabled: "{{ minecraft_blockmap_timer_enabled | bool }}"
+    state: "{{ minecraft_blockmap_timer_state }}"
+  become: true
+
+- name: Compose minecraft-blockmap
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ minecraft_blockmap_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - blockmap
+  become: true

roles/minecraft_blockmap/templates/blockmap-render.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Start a blockmap render.
+
+[Service]
+Type=oneshot
+ExecStart={{ minecraft_blockmap_install_location }}/render.sh

roles/minecraft_blockmap/templates/blockmap-render.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Schedule regular blockmap renderings.
+
+[Timer]
+OnCalendar=*-*-* *:10:00
+OnCalendar=*-*-* *:30:00
+OnCalendar=*-*-* *:50:00
+
+[Install]
+WantedBy=multi-user.target

roles/minecraft_blockmap/templates/blockmap.json

@@ -0,0 +1,34 @@
+{
+    "output dir": "/output",
+    "server": {
+        "server name": "{{ minecraft_blockmap_config_server.name }}",
+        "server description": "{{ minecraft_blockmap_config_server.description }}",
+        "server address": "{{ minecraft_blockmap_config_server.address }}",
+        "max players": {{ minecraft_blockmap_config_server.max_players }}
+    },
+    "worlds": [
+        {
+            "name": "Overworld",
+            "input dir": "/input",
+            "dimension": "OVERWORLD",
+            "force": false
+        },
+        {
+            "name": "Nether",
+            "input dir": "/input",
+            "dimension": "NETHER",
+            "render settings": {
+                "block colors": "CAVES",
+                "shader": "RELIEF",
+                "maxY": "80"
+            },
+            "force": false
+        },
+        {
+            "name": "End",
+            "input dir": "/input",
+            "dimension": "END",
+            "force": false
+        }
+    ]
+}

roles/minecraft_blockmap/templates/default.conf

@@ -0,0 +1,38 @@
+server {
+
+    root /usr/share/nginx/html;
+    listen 80;
+
+    access_log off;
+
+    charset UTF-8;
+
+    set_real_ip_from 172.16.0.0/12;
+    set_real_ip_from 10.0.0.0/8;
+
+    add_header X-Frame-Options "DENY";
+    add_header Referrer-Policy "no-referrer";
+    add_header Access-Control-Allow-Origin "*";
+    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'; manifest-src 'self'";
+    add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';";
+    add_header Allow "GET, HEAD" always;
+
+    if ( $request_method !~ ^(GET|HEAD)$ ) {
+      return 405;
+    }
+
+    location / {
+      root   /usr/share/nginx/html;
+      index  index.json;
+      try_files  $uri $uri/index.json $uri.html =404;
+    }
+
+    error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}

roles/minecraft_blockmap/templates/docker-compose.yml

@@ -0,0 +1,64 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2'
+
+services:
+  blockmap-nginx:
+    image: docker.io/library/nginx:alpine
+    mem_limit: 32mb
+    memswap_limit: 64mb
+    read_only: true
+    tmpfs:
+      - /run/:size=32K
+      - /var/cache/nginx:size=10M
+    security_opt:
+      - no-new-privileges
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.blockmap.rule=Host(`{{ minecraft_blockmap_domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.blockmap.entrypoints=websecure"
+      - "traefik.http.routers.blockmap.tls.certresolver={{ minecraft_blockmap_certresolver }}"
+      - "traefik.http.routers.blockmap.middlewares=blockmap,compress"
+      - "traefik.http.routers.blockmap.service=blockmap"
+      - "traefik.http.services.blockmap.loadbalancer.server.port=80"
+      - "traefik.http.middlewares.blockmap.headers.sslredirect=true"
+      - "traefik.http.middlewares.blockmap.headers.stsSeconds=63072000"
+      - "traefik.http.middlewares.blockmap.headers.referrerPolicy=no-referrer"
+
+{% if proxy_network is defined %}
+      - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+
+    volumes:
+      - "{{ minecraft_blockmap_install_location }}/default.conf:/etc/nginx/conf.d/default.conf:ro"
+      - "{{ minecraft_blockmap_output_location }}:/usr/share/nginx/html:ro"
+
+    networks:
+{% if proxy_network is defined %}
+      {{ proxy_network }}:
+{% endif %}
+
+    restart: always
+
+networks:
+{% if proxy_network is defined %}
+  {{ proxy_network }}:
+    external: true
+{% endif %}

roles/minecraft_blockmap/templates/render.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+echo "Creating snapshot:"
+lvcreate -L 1G -n {{ minecraft_blockmap_lv_name }}_mc_snap -s {{ minecraft_blockmap_vg_name }}/{{ minecraft_blockmap_lv_name }}
+
+echo "Mount snapshots:"
+mount -o ro,nosuid,noexec{% if minecraft_blockmap_fstype is defined and minecraft_blockmap_fstype == "xfs" %},nouuid{% endif %} -t {{ minecraft_blockmap_fstype | default("ext4") }} /dev/{{ minecraft_blockmap_vg_name }}/{{ minecraft_blockmap_lv_name }}_mc_snap /blockmap_snapshot
+
+echo "Start blockmap container:"
+docker pull {{ minecraft_blockmap_image }}:{{ minecraft_blockmap_image_version }}
+docker run --name=blockmap-renderer \
+           --security-opt "label=disable" \
+           --security-opt "no-new-privileges" \
+           --cap-drop=ALL \
+           --cap-add=DAC_OVERRIDE \
+           --rm \
+           -v "/blockmap_snapshot/{{ minecraft_blockmap_input_location }}:/input:ro" \
+           -v "{{ minecraft_blockmap_config_location }}/blockmap.json:/config.json:ro" \
+           -v "{{ minecraft_blockmap_output_location }}:/output" \
+           {{ minecraft_blockmap_image }}:{{ minecraft_blockmap_image_version }} {{ minecraft_blockmap_parameters }}
+
+echo "Archive render output..."
+cp -rf {{ minecraft_blockmap_output_location }} "{{ minecraft_blockmap_archive_location }}/$(date +"%d-%m-%Y")"
+
+echo "Unmount snapshot:"
+umount /dev/{{ minecraft_blockmap_vg_name }}/{{ minecraft_blockmap_lv_name }}_mc_snap
+
+echo "Remove snapshot:"
+lvremove -f {{ minecraft_blockmap_vg_name }}/{{ minecraft_blockmap_lv_name }}_mc_snap
+
+echo "Finished"

roles/minio/README.md

@@ -0,0 +1,57 @@
+Minio
+=========
+
+This role provides an easy to use and extend automated setup of S3 compatible object storage.
+
+Since minio only support single-tenant per instance, providing one instance per use-case is the way to go.
+
+It also helps to scale minio in the future. Simply move from group_vars to host vars and distribute your data this way.
+
+Details about multi-tenant support in minio:
+https://docs.minio.io/docs/multi-tenant-minio-deployment-guide.html
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
+
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+### Global variables, that are used:
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+### Example config:
+
+`group_vars/minio`:
+
+```yaml
+---
+minio_domain: minio.example.com
+minio_users:
+  codimd:
+    access_key: EXAMPLEgVfvsmjz4KG5tEXAMPLE
+    secret_key: EXAMPLEPlTMWneuixqzJDjqTAQSjJgLw92CCgTUf2Hkq9QFq6vMVsHel7EXAMPLE
+    browser: "on"
+```
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+- traefik
+
+License
+-------
+
+GPL-3.0-only
+

roles/minio/defaults/main.yml

@@ -0,0 +1,41 @@
+---
+# Default variables for the minio role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install/data volume location
+minio_install_location: "/srv/minio"
+minio_data_location: "{{ minio_install_location }}/data"
+
+# The container version/tag
+# renovate: depName=docker.io/minio/minio
+minio_version: "latest"
+
+# The domain, under which traefik should serve the minio instances as subdomains
+minio_domain: s3.example.com
+
+# The certresolver traefik should use for the domains
+minio_traefik_certresolver: "letsencrypt_http"
+
+# The minio instances that should be deployed
+# Available fields:
+#   NAME - The instance name eg. mastodon -> will result in the domain `mastodon.s3.example.com`
+#     access_key - The access key
+#     secret_key - The secret key
+#     browser - Optional: Enable/Disable the minio browser
+minio_users: []

roles/minio/meta/main.yml

@@ -0,0 +1,44 @@
+galaxy_info:
+  author: saibotk
+  description: "Installs and manages minio instances for S3 compatible storage."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker
+  - role: traefik

roles/minio/tasks/main.yml

@@ -0,0 +1,98 @@
+---
+# Tasks file for the minio role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+# Copyright (C) 2020       Alexander Wellbrock
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ minio_data_location }}"
+  tags:
+    - minio
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ minio_install_location }}"
+  become: true
+  tags:
+    - minio
+
+- name: Create data directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+    setype: "container_file_t"
+  with_items:
+    - "{{ minio_data_location }}"
+  become: true
+  tags:
+    - minio
+
+- name: Create minio user directory
+  ansible.builtin.file:
+    path: "{{ minio_data_location }}/{{ item.key }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_dict:
+    - "{{ minio_users }}"
+  tags:
+    - minio
+  become: true
+  no_log: true
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ minio_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - minio
+  become: true
+  when:
+    - minio_users | length > 0
+
+- name: Compose minio
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ minio_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - minio
+  become: true
+  when:
+    - minio_users | length > 0

roles/minio/templates/docker-compose.yml

@@ -0,0 +1,72 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2'
+services:
+{% for key, value in minio_users.items() %}
+
+  {{ key }}:
+    image:  docker.io/minio/minio:{{ minio_version }}
+    mem_limit: 256mb
+    memswap_limit: 512mb
+    read_only: true
+    tmpfs:
+      - /root/.minio:size=128K
+    environment:
+      - "MINIO_ROOT_USER={{ value.access_key }}"
+      - "MINIO_ROOT_PASSWORD={{ value.secret_key }}"
+      - "MINIO_BROWSER={{ value.browser | default("off") }}"
+      - "MINIO_DOMAIN={{ key }}.{{ minio_domain }}"
+    volumes:
+      - "{{ minio_data_location }}/{{ key }}:/data"
+    command: ["server", "/data"]
+    restart: always
+    labels:
+      - "traefik.http.routers.minio_{{ key }}.rule=Host(`{{ key }}.{{ minio_domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.minio_{{ key }}.entrypoints=websecure"
+      - "traefik.http.routers.minio_{{ key }}.tls=true"
+      - "traefik.http.routers.minio_{{ key }}.tls.certresolver={{ minio_traefik_certresolver }}"
+      - "traefik.http.routers.minio_{{ key }}.middlewares=minio_{{ key }},compress"
+      - "traefik.http.routers.minio_{{ key }}.service=minio_{{ key }}"
+      - "traefik.http.services.minio_{{ key }}.loadbalancer.server.port=9000"
+      - "traefik.http.middlewares.minio_{{ key }}.headers.sslredirect=true"
+      - "traefik.http.middlewares.minio_{{ key }}.headers.stsSeconds=63072000"
+      - "traefik.http.middlewares.minio_{{ key }}.headers.referrerPolicy=no-referrer"
+      - "traefik.http.middlewares.minio_{{ key }}.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.minio_{{ key }}.headers.browserXssFilter=true"
+
+      - "traefik.enable=true"
+{% if proxy_network is defined %}
+      - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
+      - "traefik.http.middlewares.minio_{{ key }}.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
+{% endif %}
+
+{% if proxy_network is defined %}
+    networks:
+      {{ proxy_network }}:
+{% endif %}
+
+{% endfor %}
+
+{% if proxy_network is defined %}
+networks:
+  {{ proxy_network }}:
+    external: true
+{% endif %}

roles/moby_engine/README.md

@@ -0,0 +1,26 @@
+moby-engine
+=========
+
+This will install the `moby-engine` package.
+
+Requirements
+------------
+
+Currently only Fedora-32 is supported.
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+Dependencies
+------------
+
+None
+
+License
+-------
+
+GPL-3.0-only

roles/moby_engine/defaults/main.yml

@@ -0,0 +1,23 @@
+---
+# Default variables for the moby_engine role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Service options.
+moby_engine_docker_service_state: started
+moby_engine_docker_service_enabled: true
+moby_engine_docker_restart_handler_state: restarted

roles/moby_engine/handlers/main.yml

@@ -0,0 +1,38 @@
+---
+# Handlers file for the moby_engine role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Restart docker service
+  ansible.builtin.service:
+    name: "docker"
+    state: "{{ moby_engine_docker_restart_handler_state }}"
+  become: true
+
+- name: Regenerate grub config BIOS
+  ansible.builtin.command: grub2-mkconfig -o  /etc/grub2.cfg
+  listen: Regenerate grub config
+  register: grub_output
+  changed_when: grub_output.rc != 0
+  become: true
+
+- name: Regenerate grub config EFI
+  ansible.builtin.command: grub2-mkconfig -o  /etc/grub2-efi.cfg
+  listen: Regenerate grub config
+  register: grub_efi_output
+  changed_when: grub_efi_output.rc != 0
+  become: true

roles/moby_engine/meta/main.yml

@@ -0,0 +1,15 @@
+galaxy_info:
+  author: saibotk
+  description: "Installs moby-engine."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: Fedora
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies: []

roles/moby_engine/tasks/Fedora-32.yml

@@ -0,0 +1,57 @@
+---
+# Tasks for the moby_engine role on Fedora 32
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Install moby-engine.
+  ansible.builtin.package:
+    name: 'moby-engine'
+    state: 'present'
+  become: true
+  notify: Restart docker service
+
+- name: Ensure Docker is started and enabled at boot.
+  ansible.builtin.service:
+    name: docker
+    state: "{{ moby_engine_docker_service_state }}"
+    enabled: "{{ moby_engine_docker_service_enabled }}"
+  become: true
+
+- name: Check if line is present
+  ansible.builtin.shell: cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT
+  changed_when: false
+  ignore_errors: true
+  register: moby_engine_grub_default
+
+- name: Ensure that GRUB_CMDLINE_LINUX_DEFAULT is present
+  ansible.builtin.lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT=""'
+  become: true
+  notify: Regenerate grub config
+  when: moby_engine_grub_default.rc != 0
+
+# This method will only add the parameter if it was not already added
+# NOTICE: If the parameter was manually added, it will not be altered!
+- name: Enable legacy cgroup v1 support (to allow CPU/RAM limits etc)
+  ansible.builtin.replace:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=\"((?:(?!systemd\.unified_cgroup_hierarchy=).)*?)"$'
+    replace: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 systemd.unified_cgroup_hierarchy=0"'
+  become: true
+  notify: Regenerate grub config

roles/moby_engine/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+# Tasks file for the moby_engine role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}" # noqa name[template]
+  ansible.builtin.include_tasks: "{{ distro_file }}"
+  with_first_found:
+    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ ansible_distribution }}.yml"
+    - "{{ ansible_os_family }}.yml"
+  loop_control:
+    loop_var: distro_file

roles/owncast/README.md

@@ -0,0 +1,35 @@
+Owncast
+=========
+
+This will setup an [Owncast](https://owncast.online) container using their official image and traefik.
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
+
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
+
+### Global variables, that are used:
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+Dependencies
+------------
+
+- docker
+- docker-compose
+- traefik
+
+License
+-------
+
+GPL-3.0-only

roles/owncast/defaults/main.yml

@@ -0,0 +1,81 @@
+---
+# Default variables for the owncast role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install locations
+owncast_install_location: "/srv/owncast"
+owncast_config_location: "{{ owncast_install_location }}/config"
+
+# The certresolver for traefik to use on this domain
+owncast_certresolver: letsencrypt_http
+
+# The domain under which the server is made available using traefik
+owncast_domain: stream.example.com
+
+# The owncast container image and version to use
+owncast_image: docker.io/gabekangas/owncast
+# renovate: depName=docker.io/gabekangas/owncast
+owncast_image_version: "0.1.3"
+
+# The RTMP port
+owncast_stream_port: 1935
+
+# IPv6 ULA config for the bridge network used by docker-ipv6-nat
+owncast_ipv6:
+  enabled: false
+  subnet: "fd9e:21a7:a92c:1225::/64"
+
+# Application config below
+# See https://owncast.online/docs/configuration/ for more information and a full reference
+# Put the whole config into this object and it will be put into the file
+owncast_config:
+  instanceDetails:
+    name: Owncast
+    title: Owncast
+    summary: "This is brief summary of whom you are or what your stream is. You can edit this description in your config file."
+
+    logo: /img/logo.svg
+
+    tags:
+      - music
+      - software
+      - streaming
+
+    # https://owncast.online/docs/configuration/#external-links
+    # for full list of supported social links.  All optional.
+    socialHandles:
+      - platform: github
+        url: http://github.com/owncast/owncast
+
+  videoSettings:
+    # Change this value and keep it secure. Treat it like a password to your live stream.
+    streamingKey:
+
+    streamQualities:
+      - medium:
+        videoBitrate: 1200
+        encoderPreset: veryfast
+
+  # Set to true if you don't want the service checking for future releases.
+  disableUpgradeChecks: false
+
+  # Off by default.  You can optionally list yourself in the Owncast directory.
+  # Make sure your instanceURL is the public URL to your Owncast instance.
+  yp:
+    enabled: false
+    instanceURL: https://stream.myserver.org

roles/owncast/handlers/main.yml

@@ -0,0 +1,30 @@
+---
+# Handlers file for the owncast role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020  saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+- name: Restart owncast
+  community.docker.docker_compose_v2:
+    services:
+      - owncast
+    state: restarted
+    project_src: "{{ owncast_install_location }}"
+  tags:
+    - docker
+    - owncast
+  become: true

roles/owncast/meta/main.yml

@@ -0,0 +1,44 @@
+galaxy_info:
+  author: saibotk
+  description: "Deploys an owncast server."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker
+  - role: traefik

roles/owncast/tasks/main.yml

@@ -0,0 +1,88 @@
+---
+# Tasks file for the owncast roles
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ owncast_config_location }}"
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ owncast_install_location }}"
+  become: true
+  tags:
+    - owncast
+
+- name: Create data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0750"
+    owner: "root"
+    group: "root"
+    setype: "container_file_t"
+  with_items:
+    - "{{ owncast_config_location }}"
+  become: true
+  tags:
+    - owncast
+
+- name: Deploy owncast config
+  ansible.builtin.template:
+    src: "config.yaml"
+    dest: "{{ owncast_config_location }}/config.yaml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    setype: "container_file_t"
+  notify: Restart owncast
+  become: true
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml
+    dest: "{{ owncast_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - docker
+    - owncast
+  become: true
+
+- name: Compose owncast
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ owncast_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - owncast
+  become: true

roles/owncast/templates/config.yaml

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+# Dynamic configuration
+
+{{ owncast_config | to_nice_yaml(indent=2) }}

roles/owncast/templates/docker-compose.yml

@@ -0,0 +1,72 @@
+{{ ansible_managed | comment }}
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+version: '2.1'
+
+services:
+  owncast:
+    image: {{ owncast_image }}:{{ owncast_image_version }}
+    mem_limit: 1gb
+    memswap_limit: 1280mb
+    security_opt:
+      - no-new-privileges
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.owncast.rule=Host(`{{ owncast_domain }}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.owncast.entrypoints=websecure"
+      - "traefik.http.routers.owncast.tls.certresolver={{ owncast_certresolver }}"
+      - "traefik.http.routers.owncast.middlewares=owncast,compress"
+      - "traefik.http.routers.owncast.service=owncast"
+      - "traefik.http.services.owncast.loadbalancer.server.port=8080"
+      - "traefik.http.middlewares.owncast.headers.sslredirect=true"
+      - "traefik.http.middlewares.owncast.headers.stsSeconds=63072000"
+      - "traefik.http.middlewares.owncast.headers.referrerPolicy=no-referrer"
+
+{% if proxy_network is defined %}
+      - "traefik.docker.network={{ proxy_network }}"
+{% endif %}
+
+    volumes:
+      - "{{ owncast_config_location }}/config.yaml:/app/config.yaml:ro"
+
+    ports:
+      - "{{ owncast_stream_port }}:1935"
+
+    networks:
+      owncast-backend:
+{% if proxy_network is defined %}
+      {{ proxy_network }}:
+{% endif %}
+
+    restart: always
+
+networks:
+  owncast-backend:
+    driver: bridge
+{% if owncast_ipv6 is defined and owncast_ipv6.enabled %}
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ owncast_ipv6.subnet }}
+    enable_ipv6: true
+{% endif %}
+{% if proxy_network is defined %}
+  {{ proxy_network }}:
+    external: true
+{% endif %}

roles/penpot/README.md

@@ -0,0 +1,35 @@
+Penpot
+=========
+
+This will set up a [Penpot](https://penpot.app) server using docker and traefik.
+
+Requirements
+------------
+
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.  
+
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+
+Role Variables
+--------------
+
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
+
+### Global variables, that are used:
+
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+
+Dependencies
+------------
+
+- Docker
+- Docker-Compose
+- Traefik
+
+License
+-------
+
+GPL-3.0-only

roles/penpot/defaults/main.yml

@@ -0,0 +1,68 @@
+---
+# Default variables for the penpot role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021       Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The install locations
+penpot_install_location: /srv/penpot
+penpot_database_location: "{{ penpot_install_location }}/database"
+penpot_redis_location: "{{ penpot_install_location }}/redis"
+penpot_asset_location: "{{ penpot_install_location }}/assets"
+
+# The docker image/version
+# renovate: depName=docker.io/penpotapp/frontend
+penpot_frontend_image_version: "2.3.1"
+# renovate: depName=docker.io/penpotapp/backend
+penpot_backend_image_version: "2.3.1"
+# renovate: depName=docker.io/penpotapp/exporter
+penpot_exporter_image_version: "2.3.1"
+
+# The redis/database image versions/tags
+# renovate: depName=docker.io/library/redis
+penpot_redis_image_version: "7"
+# renovate: depName=docker.io/library/postgres
+penpot_database_image_version: "17"
+
+# The domain for traefik to serve this on
+penpot_domain: design.example.com
+
+# The certresolver for traefik to use on this domain
+penpot_traefik_certresolver: letsencrypt_http
+
+# The database credentials
+penpot_database_password: "{{ lookup('passwordstore', penpot_domain + '/db create=true length=42') }}"
+
+# Should the registration be enabled?
+penpot_registration_enabled: false
+
+# Gitlab OAuth settings
+penpot_gitlab:
+  base_uri: "https://gitlab.com"
+  client_id: ""
+  client_secret: ""
+
+# SMTP settings for the application
+penpot_smtp:
+  enabled: false
+  host: ""
+  port: ""
+  username: ""
+  password: ""
+  tls: true
+  ssl: false
+  from: "no-reply@example.com"
+  reply_to: "no-reply@example.com"

roles/penpot/meta/main.yml

@@ -0,0 +1,44 @@
+galaxy_info:
+  author: saibotk
+  description: "Setup a penpot docker container with traefik."
+  license: GPL-3.0-only
+  min_ansible_version: "2.9"
+  standalone: true
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: GenericUNIX
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+    - name: GenericBSD
+      versions:
+        - all
+    - name: FreeBSD
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: SLES
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags: []
+
+dependencies:
+  - role: docker
+  - role: traefik

roles/penpot/tasks/main.yml

@@ -0,0 +1,85 @@
+---
+# Tasks file for the penpot role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021  Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+- name: Update default SELinux contexts
+  community.general.sefcontext:
+    target: "{{ item }}(/.*)?"
+    setype: "container_file_t"
+    state: present
+  with_items:
+    - "{{ penpot_database_location }}"
+    - "{{ penpot_asset_location }}"
+    - "{{ penpot_redis_location }}"
+  become: true
+
+- name: Create install directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ penpot_install_location }}"
+  become: true
+
+- name: Create data directories
+  ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
+    path: "{{ item }}"
+    state: directory
+    setype: "container_file_t"
+  with_items:
+    - "{{ penpot_database_location }}"
+    - "{{ penpot_redis_location }}"
+  become: true
+
+- name: Create asset directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    setype: "container_file_t"
+    mode: "0755"
+    owner: "1001"
+    group: "root"
+  with_items:
+    - "{{ penpot_asset_location }}"
+  become: true
+
+- name: Deploy docker-compose.yml
+  ansible.builtin.template:
+    src: "docker-compose.yml"
+    dest: "{{ penpot_install_location }}/docker-compose.yml"
+    mode: "0600"
+    owner: "root"
+    group: "root"
+    validate: docker compose -f %s config -q
+  tags:
+    - penpot
+  become: true
+
+- name: Compose penpot
+  community.docker.docker_compose_v2:
+    state: present
+    project_src: "{{ penpot_install_location }}"
+    pull: always
+    remove_orphans: true
+  tags:
+    - docker
+    - penpot
+  become: true