fix(playbook): adjust site playbook to only contain used playbooks

remove!(lvm_self_backup): unused
remove!(docker_cleanup): unused
2025-01-20 00:36:41 +01:00 · 2025-01-20 00:33:55 +01:00 · 2025-01-20 00:32:29 +01:00 · 2025-01-20 00:31:52 +01:00 · 2025-01-20 00:31:10 +01:00 · 2025-01-20 00:30:13 +01:00
318 changed files with 4724 additions and 12122 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,7 +1,4 @@
 [defaults]
 roles_path = ./roles:$HOME/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
 collections_path = ./collections:$HOME/.ansible/collections:/usr/share/ansible/collections:/etc/ansible/collections
 playbook_dir = ./playbooks
 inventory = ./inventory
@ -10,6 +7,7 @@ vault_password_file = .vault_pass
 retry_files_enabled = False
 nocows=True
 use_persistent_connections = True
 interpreter_python = auto_silent
 [connection]
 pipelining = True
--- a/guides/SETUP_FEDORA_41.md
+++ b/guides/SETUP_FEDORA_41.md
@ -0,0 +1,48 @@
 # Fedora 41 ISO install setup GUI
 ## Netcup stuff
 - Setup Network mappings with hostnames / reverse addresses
 - Assign IPv6 address from space
 - Enable UEFI Boot
 - Set VNC keymap to DE
 ## Anaconda Setup (GUI)
 1. Select English US for installation
 2. Change keyboard to de nodeadkeys
 3. Choose Fedora Cloud Server and Guest Agents
 4. Disk
    - Choose Custom config
    - Delete all existing paritions
    - Choose Btrfs + encrypt
    - Click to create automatically
    - Done
    - Enter disk encryption pw generated via pass
 5. Network
    - Set hostname
    - Edit Interface
    - Set IPv6 to Manual
        - Enter address as given by provider
        - Set Gateway to fe80::1
    - Set IPv4 to Automatic (DHCP) addresses only
    - Configure DNS Servers on IPv4 to
        - 1.1.1.1
        - 9.9.9.9
    - Configure DNS Servers on IPv6 to
        - 2606:4700:4700::1111
        - 2620:fe::fe
 6. Date/Time: Set to Berlin
    - NTP Servers: 
        - Remove default pool
        - Add time.cloudflare.com (only NTS ticked, not pool)
        - Add sth1.nts.netnod.se (only NTS ticked, not pool)
 7. User Account
    - Leave root user disabled
    - Add your own user, use temp PW and replace with pass generated when connected via SSH
 ## Ansible prep
 Install python3-libdnf5
 Workaround until Ansible version is released with this fix:
 https://github.com/ansible/ansible/issues/84206
--- a/playbooks/caddy.yml
+++ b/playbooks/caddy.yml
@ -0,0 +1,12 @@
 - name: Install Caddy.
  hosts: caddy
  roles:
    - role: podman
      become: true
      tags:
        - always
        - podman
    - role: caddy
      become: true
--- a/playbooks/camo.yml
+++ b/playbooks/camo.yml
@ -1,25 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure camo
  hosts: camo
  roles:
    - docker
    - docker_cleanup
    - traefik
    - camo
--- a/playbooks/codimd.yml
+++ b/playbooks/codimd.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure HedgeDoc
  hosts: codimd
  roles:
    - docker
    - docker_cleanup
    - traefik
    - codimd
--- a/playbooks/docker_ipv6_nat.yml
+++ b/playbooks/docker_ipv6_nat.yml
@ -1,23 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Docker IPv6 NAT
  hosts: docker_ipv6_nat
  roles:
    - docker
    - docker_cleanup
    - docker_ipv6_nat
--- a/playbooks/elementweb.yml
+++ b/playbooks/elementweb.yml
@ -0,0 +1,17 @@
 - name: Install Element Web.
  hosts: elementweb
  roles:
    - role: podman
      become: true
      tags:
        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: elementweb
      become: true
--- a/playbooks/factorio.yml
+++ b/playbooks/factorio.yml
@ -1,23 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Factorio
  hosts: factorio
  roles:
    - docker
    - docker_cleanup
    - factorio
--- a/playbooks/gitlab.yml
+++ b/playbooks/gitlab.yml
@ -1,25 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure GitLab
  hosts: gitlab
  roles:
    - docker
    - docker_cleanup
    - traefik
    - gitlab
--- a/playbooks/gitlab_runner.yml
+++ b/playbooks/gitlab_runner.yml
@ -1,32 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure GitLab Runner
  hosts: gitlab_runner
  roles:
    - docker
    - docker_cleanup
    - gitlab_runner
  tasks:
    - name: Install docker image prune crontab
      ansible.builtin.cron:
        name: "Prune unused docker images"
        minute: "0"
        hour: "*/4"
        job: "docker image prune -f"
      become: true
--- a/playbooks/hedgedoc.yml
+++ b/playbooks/hedgedoc.yml
@ -0,0 +1,17 @@
 - name: Install Hedgedoc.
  hosts: hedgedoc
  roles:
    - role: podman
      become: true
      tags:
        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: hedgedoc
      become: true
--- a/playbooks/keycloak.yml
+++ b/playbooks/keycloak.yml
@ -1,25 +1,17 @@
---
+- name: Install Keycloak.
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Keycloak
  hosts: keycloak
  roles:
-    - docker
+    - role: podman
-    - docker_cleanup
+      become: true
-    - traefik
+      tags:
-    - keycloak
+        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: keycloak
      become: true
--- a/playbooks/lvm_self_backup.yml
+++ b/playbooks/lvm_self_backup.yml
@ -1,22 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure LVM self backup
  hosts: lvm_self_backup
  roles:
    - docker
    - lvm_self_backup
--- a/playbooks/mailcow.yml
+++ b/playbooks/mailcow.yml
@ -15,7 +15,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Docker & backup cronjob
+- name: Install & prepare Mailcow setup & backup cronjob
  hosts: mailcow
  roles:
    - docker
@ -28,5 +28,45 @@
        # yamllint disable-line rule:line-length
        job: "MAILCOW_BACKUP_LOCATION=/srv/mailcow-backups /srv/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 2 2>&1 | /usr/bin/logger -t mailcow_data_backup"
      become: true
-# Manual steps:
+
-# - Open ports / disable postfix
+    - name: Install git
      ansible.builtin.package:
        name: "git"
        state: "present"
      become: true
    - name: Clone mailcow # noqa latest[git]
      ansible.builtin.git:
        repo: "https://github.com/mailcow/mailcow-dockerized"
        update: false
        dest: "/srv/mailcow-dockerized"
      become: true
    - name: Create backup directory
      ansible.builtin.file:
        path: "/srv/mailcow-backups"
        owner: "root"
        group: "root"
        state: directory
        mode: "0755"
      become: true
    - name: Open ports
      ansible.posix.firewalld:
        state: enabled
        permanent: true
        immediate: true
        zone: public
        port: "{{ item }}"
      loop:
        - "25/tcp"
        - "465/tcp"
        - "587/tcp"
        - "143/tcp"
        - "993/tcp"
        - "110/tcp"
        - "995/tcp"
        - "4190/tcp"
        - "80/tcp"
        - "443/tcp"
      become: true
--- a/playbooks/mastodon.yml
+++ b/playbooks/mastodon.yml
@ -1,25 +1,17 @@
---
+- name: Install Mastodon.
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Mastodon
  hosts: mastodon
  roles:
-    - docker
+    - role: podman
-    - docker_cleanup
+      become: true
-    - traefik
+      tags:
-    - mastodon
+        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: mastodon
      become: true
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Matrix
  hosts: matrix
  roles:
    - docker
    - docker_cleanup
    - traefik
    - matrix
--- a/playbooks/matrix_delegate.yml
+++ b/playbooks/matrix_delegate.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2021       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Matrix Delegate
  hosts: matrix_delegate
  roles:
    - docker
    - docker_cleanup
    - traefik
    - matrix_delegate
--- a/playbooks/matrix_elementweb.yml
+++ b/playbooks/matrix_elementweb.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2021       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Element Web
  hosts: matrix_elementweb
  roles:
    - docker
    - docker_cleanup
    - traefik
    - matrix_elementweb
--- a/playbooks/matrix_maubot.yml
+++ b/playbooks/matrix_maubot.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2021       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Mauboot
  hosts: matrix_maubot
  roles:
    - docker
    - docker_cleanup
    - traefik
    - matrix_maubot
--- a/playbooks/matrix_sliding_sync.yml
+++ b/playbooks/matrix_sliding_sync.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2023       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Matrix Sliding Sync
  hosts: matrix_sliding_sync
  roles:
    - docker
    - docker_cleanup
    - traefik
    - matrix_sliding_sync
--- a/playbooks/matrix_webhooks.yml
+++ b/playbooks/matrix_webhooks.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2021       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Matrix Webhooks
  hosts: matrix_webhooks
  roles:
    - docker
    - docker_cleanup
    - traefik
    - matrix_webhooks
--- a/playbooks/minecraft.yml
+++ b/playbooks/minecraft.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Minecraft
  hosts: minecraft
  roles:
    - docker
    - docker_cleanup
    - minecraft
--- a/playbooks/minecraft_blockmap.yml
+++ b/playbooks/minecraft_blockmap.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure BlockMap
  hosts: minecraft
  roles:
    - docker
    - docker_cleanup
    - traefik
    - minecraft_blockmap
--- a/playbooks/minio.yml
+++ b/playbooks/minio.yml
@ -1,25 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure MinIO
  hosts: minio
  roles:
    - docker
    - docker_cleanup
    - traefik
    - minio
--- a/playbooks/monitoring.yml
+++ b/playbooks/monitoring.yml
@ -1,33 +1,17 @@
---
+- name: Install Monitoring Suite with Grafana, Loki and Prometheus.
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure monitoring servers
  hosts: monitoring
  roles:
    - docker
    - docker_cleanup
    - traefik
    - monitoring
 - name: Install & configure monitoring clients
  hosts: all
  serial: 1
  roles:
-    - docker
+    - role: podman
-    - docker_cleanup
+      become: true
-    - telegraf
+      tags:
        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: monitoring
      become: true
--- a/playbooks/owncast.yml
+++ b/playbooks/owncast.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Owncast
  hosts: owncast
  roles:
    - docker
    - docker_cleanup
    - traefik
    - owncast
--- a/playbooks/penpot.yml
+++ b/playbooks/penpot.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2021       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Penpot
  hosts: penpot
  roles:
    - docker
    - docker_cleanup
    - traefik
    - penpot
--- a/playbooks/podman.yml
+++ b/playbooks/podman.yml
@ -0,0 +1,7 @@
 - name: Install and configure podman.
  hosts: podman
  roles:
    - role: podman
      become: true
--- a/playbooks/roles
+++ b/playbooks/roles
@ -0,0 +1 @@
 ../roles
--- a/playbooks/saiblog.yml
+++ b/playbooks/saiblog.yml
@ -0,0 +1,17 @@
 - name: Install Saiblog.
  hosts: saiblog
  roles:
    - role: podman
      become: true
      tags:
        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: saiblog
      become: true
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@ -1,63 +1,16 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure unattended upgrades
  import_playbook: unattended_upgrades.yml
 - name: Install & configure ipv6 NAT for Docker
  import_playbook: docker_ipv6_nat.yml
 - name: Install & configure backup solution using LVM
  import_playbook: lvm_self_backup.yml
 - name: Install & configure GitLab
  import_playbook: gitlab.yml
 - name: Install & configure GitLab Runner
  import_playbook: gitlab_runner.yml
 - name: Install & configure camo
  import_playbook: camo.yml
 - name: Install & configure Keycloak
  import_playbook: keycloak.yml
 - name: Install & configure monitoring
  import_playbook: monitoring.yml
 - name: Install & configure MinIO
  import_playbook: minio.yml
 - name: Install & configure Mastodon
  import_playbook: mastodon.yml
 - name: Install & configure HedgeDoc
-  import_playbook: codimd.yml
+  import_playbook: hedgedoc.yml
- name: Install & configure Matrix
+- name: Install & configure Synapse
-  import_playbook: matrix.yml
+  import_playbook: synapse.yml
 - name: Install & configure Matrix Delegate
  import_playbook: matrix_delegate.yml
 - name: Install & configure Element Web
-  import_playbook: matrix_elementweb.yml
+  import_playbook: elementweb.yml
- name: Install & configure Matrix Webhooks
+- name: Install & configure Saiblog
-  import_playbook: matrix_webhooks.yml
+  import_playbook: saiblog.yml
 - name: Install & configure Maubot
  import_playbook: matrix_maubot.yml
 - name: Install & configure static websites
  import_playbook: static_websites.yml
 - name: Install & configure Teamspeak
  import_playbook: teamspeak.yml
 - name: Install & configure Owncast
  import_playbook: owncast.yml
 - name: Install & configure Factorio
  import_playbook: factorio.yml
 - name: Install & configure Penpot
  import_playbook: penpot.yml
 - name: Install & configure Vikunja
  import_playbook: vikunja.yml
--- a/playbooks/static_websites.yml
+++ b/playbooks/static_websites.yml
@ -1,26 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure static websites
  hosts: static_websites
  serial: 1
  roles:
    - docker
    - docker_cleanup
    - traefik
    - static_websites
--- a/playbooks/synapse.yml
+++ b/playbooks/synapse.yml
@ -0,0 +1,17 @@
 - name: Install Synapse.
  hosts: synapse
  roles:
    - role: podman
      become: true
      tags:
        - always
        - podman
    - role: caddy
      become: true
      tags:
        - always
        - caddy
    - role: synapse
      become: true
--- a/playbooks/teamspeak.yml
+++ b/playbooks/teamspeak.yml
@ -1,24 +1,12 @@
---
+- name: Install teamspeak3 server.
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Teamspeak
  hosts: teamspeak
  roles:
-    - docker
+    - role: podman
-    - docker_cleanup
+      become: true
-    - traefik
+      tags:
-    - teamspeak
+        - always
        - podman
    - role: teamspeak
      become: true
--- a/playbooks/unattended_upgrades.yml
+++ b/playbooks/unattended_upgrades.yml
@ -1,22 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2021       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Configure unattended upgrades
  hosts: unattended_upgrades
  roles:
    - unattended_upgrades
--- a/playbooks/vikunja.yml
+++ b/playbooks/vikunja.yml
@ -1,24 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2021       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install & configure Vikunja
  hosts: vikunja
  roles:
    - docker
    - docker_cleanup
    - traefik
    - vikunja
--- a/requirements.yml
+++ b/requirements.yml
@ -1,12 +1,16 @@
 ---
 collections:
  - name: devsec.hardening
-    version: 9.0.1
+    version: 10.1.0
  - name: community.general
-    version: 9.0.1
+    version: 10.0.0
  - name: community.docker
-    version: 3.10.3
+    version: 4.0.0
  - name: ansible.posix
-    version: 1.5.4
+    version: 1.6.2
  - name: ansible.utils
-    version: 4.1.0
+    version: 5.1.2
  - name: containers.podman
    version: 1.16.2
  - name: fedora.linux_system_roles
    version: 1.89.1
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@ -0,0 +1,18 @@
 caddy_install_dir: /srv/caddy
 caddy_container_image: docker.io/library/caddy
 # renovate: depName=docker.io/library/caddy
 caddy_image_tag: "2.8.4-alpine"
 caddy_selinux_level: "{{ omit }}"
 caddy_memory_high: 0
 caddy_memory_low: 128m
 caddy_swap_max: -1
 caddy_letsencrypt_email: no-reply@example.com
 # possible values: ed25519|p256|p384|rsa2048|rsa4096
 caddy_letsencrypt_key_type: rsa4096
 caddy_letsencrypt_ca_server: https://acme-staging-v02.api.letsencrypt.org/directory
 caddy_log_level: warn
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@ -0,0 +1,20 @@
 - name: Apply new SELinux file context to filesystem.
  ansible.builtin.command: "restorecon -irF {{ caddy_install_dir }}"
  become: true
  changed_when: true
  listen: "caddy selinux context changed"
 - name: Restart caddy service.
  ansible.builtin.systemd:
    state: restarted
    name: "caddy"
    daemon_reload: true
  become: true
  listen: "caddy service changed"
 - name: Reload caddy service.
  ansible.builtin.systemd:
    state: reloaded
    name: "caddy"
  become: true
  listen: "caddy config changed"
--- a/roles/caddy/meta/main.yml
+++ b/roles/caddy/meta/main.yml
@ -0,0 +1,18 @@
 galaxy_info:
  author: histalek
  description: Deploy Caddy with podman and systemd.
  issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
  license: GPL-3.0-only
  min_ansible_version: "2.14"
  platforms:
    - name: Fedora
      versions:
        - "38"
        - "39"
        - "40"
  standalone: true
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@ -0,0 +1,109 @@
 - name: Update default SELinux contexts.
  community.general.sefcontext:
    target: "{{ item }}(/.*)?"
    setype: "container_file_t"
    selevel: "{{ caddy_selinux_level }}"
    state: present
  loop:
    - "{{ caddy_install_dir }}/config"
    - "{{ caddy_install_dir }}/data"
    - "{{ caddy_install_dir }}/srv"
  become: true
  notify: "caddy selinux context changed"
 - name: Create caddy directories.
  ansible.builtin.file:
    path: "{{ caddy_install_dir }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
  become: true
 - name: Ensure caddy directories and configs exist.
  block:
    - name: Stat caddy config directory.
      ansible.builtin.stat:
        path: "{{ caddy_install_dir }}/config"
      become: true
      register: caddy_stat_config_dir
    - name: Create caddy directories.
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
        group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
        mode: "0700"
      loop:
        - path: "{{ caddy_install_dir }}/config"
        - path: "{{ caddy_install_dir }}/data"
        - path: "{{ caddy_install_dir }}/srv"
      become: true
    - name: Deploy caddy configs.
      ansible.builtin.template:
        src: Caddyfile.j2
        dest: "{{ caddy_install_dir }}/config/Caddyfile"
        mode: "0600"
        owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
        group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
      become: true
      notify: "caddy config changed"
 - name: Ensure container image is present on the host.
  containers.podman.podman_image:
    name: "{{ caddy_container_image }}"
    state: present
    tag: "{{ caddy_image_tag }}"
  become: true
 - name: Allow http and https.
  ansible.posix.firewalld:
    service: "{{ item }}"
    zone: public
    permanent: true
    immediate: true
    state: enabled
  loop:
    - http
    - https
  become: true
 # Ref: https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
 - name: Set maximum udp send/receive buffer size to around 2,5MB for quic.
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: 7500000
    sysctl_set: true
    state: present
    reload: true
  loop:
    - name: net.core.rmem_max
    - name: net.core.wmem_max
  become: true
 - name: Create caddy container / network file.
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "root"
    group: "root"
    mode: "0644"
  loop:
    - src: caddy.container.j2
      dest: /etc/containers/systemd/caddy.container
    - src: caddy.network.j2
      dest: /etc/containers/systemd/caddy.network
  become: true
  notify: "caddy service changed"
 - name: Flush handlers.
  ansible.builtin.meta: flush_handlers
 - name: Start and enable caddy service.
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: "caddy"
  become: true
--- a/roles/caddy/templates/Caddyfile.j2
+++ b/roles/caddy/templates/Caddyfile.j2
@ -0,0 +1,21 @@
 {
    admin
    persist_config off
    log {
        output stdout
        format console
        level warn
    }
    email {{ caddy_letsencrypt_email }}
    skip_install_trust
    acme_ca {{ caddy_letsencrypt_ca_server }}
    key_type {{ caddy_letsencrypt_key_type }}
    servers {
        # metrics
        strict_sni_host
    }
 }
 import /config/*.caddy
--- a/roles/caddy/templates/caddy.container.j2
+++ b/roles/caddy/templates/caddy.container.j2
@ -0,0 +1,50 @@
 {{ ansible_managed | comment }}
 [Unit]
 Description=Caddy reverse proxy
 [Service]
 Restart=always
 RestartSec=5s
 ExecReload=/usr/bin/podman exec \
    -w /config \
    caddy \
    caddy reload
 [Container]
 Image={{ caddy_container_image }}:{{ caddy_image_tag }}
 ContainerName=caddy
 Exec=caddy run \
    --config /config/Caddyfile \
    --adapter caddyfile
 AutoUpdate=registry
 LogDriver=journald
 NoNewPrivileges=true
 ReadOnly=true
 DropCapability=all
 AddCapability=CAP_NET_BIND_SERVICE
 UserNS=auto:size=65535
 {% if caddy_selinux_level != omit %}
 SecurityLabelLevel={{ caddy_selinux_level }}
 {% endif %}
 Network=caddy.network
 PublishPort=80:80/tcp
 PublishPort=443:443/tcp
 PublishPort=443:443/udp
 Volume={{ caddy_install_dir }}/config:/config:ro,U
 Volume={{ caddy_install_dir }}/data:/data:U
 Volume={{ caddy_install_dir }}/srv:/srv:U
 PodmanArgs=--memory={{ caddy_memory_high }}
 PodmanArgs=--memory-swap={{ caddy_swap_max }}
 PodmanArgs=--memory-reservation={{ caddy_memory_low }}
 [Install]
 WantedBy=default.target
--- a/roles/caddy/templates/caddy.network.j2
+++ b/roles/caddy/templates/caddy.network.j2
@ -0,0 +1,6 @@
 {{ ansible_managed | comment }}
 [Network]
 NetworkName=caddy_reverseproxy
 Driver=bridge
 IPv6=true
--- a/roles/camo/README.md
+++ b/roles/camo/README.md
@ -1,35 +0,0 @@
 Camo
 =========
 This will setup a [go-camo](https://github.com/cactus/go-camo) content proxy server with their official docker container and traefik.
 Requirements
 ------------
 You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.  
 **This role assumes that you have setup traefik with an endpoint called `websecure`.**
 Role Variables
 --------------
 **Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
 **Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
 ### Global variables, that are used:
 - `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
 - `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
 Dependencies
 ------------
 - docker
 - docker-compose
 - traefik
 License
 -------
 GPL-3.0-only
--- a/roles/camo/defaults/main.yml
+++ b/roles/camo/defaults/main.yml
@ -1,42 +0,0 @@
 ---
 # Default variables for the camo role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # The install location (where the docker-compose file is stored)
 camo_install_location: "/srv/camo"
 # The camo version that should be used
 # renovate: depName=docker.io/cactus4docker/go-camo
 camo_version: "2.4.13"
 # The domain under which camo should be available using traefik
 camo_domain: camo.example.com
 # The certresolver that is used by traefik for camo's domain
 camo_traefik_certresolver: "letsencrypt_http"
 # The HMAC key to be used
 camo_key: "{{ lookup('passwordstore', camo_domain + '/hmac-key create=true length=128') }}"
 # The maximum allowed response size (in KB). (0 means unlimited)
 camo_max_size: 0
 # Docker image and version
 camo_image: "docker.io/cactus4docker/go-camo"
 camo_image_version: "v{{ camo_version }}"
--- a/roles/camo/meta/main.yml
+++ b/roles/camo/meta/main.yml
@ -1,44 +0,0 @@
 galaxy_info:
  author: saibotk
  description: "Installs a go-camo image proxy server via Docker."
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: GenericUNIX
      versions:
        - all
    - name: Fedora
      versions:
        - all
    - name: opensuse
      versions:
        - all
    - name: GenericBSD
      versions:
        - all
    - name: FreeBSD
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: SLES
      versions:
        - all
    - name: GenericLinux
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags: []
 dependencies:
  - role: docker
  - role: traefik
--- a/roles/camo/tasks/main.yml
+++ b/roles/camo/tasks/main.yml
@ -1,54 +0,0 @@
 ---
 # Tasks file for the camo role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Create install directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
  with_items:
    - "{{ camo_install_location }}"
  become: true
  tags:
    - camo
 - name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml
    dest: "{{ camo_install_location }}/docker-compose.yml"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: docker compose -f %s config -q
  tags:
    - docker
    - camo
  become: true
 - name: Compose camo container
  community.docker.docker_compose_v2:
    state: present
    project_src: "{{ camo_install_location }}"
    pull: always
    remove_orphans: true
  tags:
    - camo
  become: true
--- a/roles/camo/templates/docker-compose.yml
+++ b/roles/camo/templates/docker-compose.yml
@ -1,62 +0,0 @@
 {{ ansible_managed | comment }}
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 version: '2'
 services:
  camo:
    image: "{{ camo_image }}:{{ camo_image_version }}"
    mem_limit: 64mb
    memswap_limit: 128mb
    security_opt:
      - no-new-privileges
    environment:
      - "GOCAMO_HMAC={{ camo_key }}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.camo.rule=Host(`{{ camo_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.camo.entrypoints=websecure"
      - "traefik.http.routers.camo.tls=true"
      - "traefik.http.routers.camo.tls.certresolver={{ camo_traefik_certresolver }}"
      - "traefik.http.routers.camo.middlewares=camo,compress"
      - "traefik.http.middlewares.camo.headers.sslredirect=true"
      - "traefik.http.middlewares.camo.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.camo.headers.referrerPolicy=no-referrer"
 {% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
 {% endif %}
 {% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
      - "traefik.http.middlewares.camo.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
 {% endif %}
    command:
      - "--max-size={{ camo_max_size }}"
      - "--server-name='go-camo v{{ camo_version }}'"
    restart: always
 {% if proxy_network is defined %}
    networks:
      {{ proxy_network }}:
 {% endif %}
 {% if proxy_network is defined %}
 networks:
  {{ proxy_network }}:
    external: true
 {% endif %}
--- a/roles/codimd/README.md
+++ b/roles/codimd/README.md
@ -1,35 +0,0 @@
 HedgeDoc
 =========
 This will setup a [HedgeDoc](https://github.com/hedgedoc/hedgedoc) server with their official docker container and traefik.
 Requirements
 ------------
 You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.  
 **This role assumes that you have setup traefik with an endpoint called `websecure`.**
 Role Variables
 --------------
 **Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
 **Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
 ### Global variables, that are used:
 - `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
 - `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
 Dependencies
 ------------
 - docker
 - docker-compose
 - traefik
 License
 -------
 GPL-3.0-only
--- a/roles/codimd/defaults/main.yml
+++ b/roles/codimd/defaults/main.yml
@ -1,66 +0,0 @@
 ---
 # Default variables for the codimd role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # Database access variables: Please change/set the password!
 codimd_database_user: codimd
 codimd_database_password: codimdpass
 codimd_database_name: codimd
 # Adjust specific data locations, usually you would want to only adjust the "codimd_install_location" (the base path):
 codimd_install_location: /srv/codimd
 codimd_database_location: "{{ codimd_install_location }}/database"
 codimd_uploads_location: "{{ codimd_install_location }}/uploads"
 # Should a local uploads directory be created and mounted?
 codimd_uploads_local: false
 # Set the certresolver to your desired traefik certresolver.
 # Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
 codimd_traefik_certresolver: letsencrypt_http
 # The domain under which traefik should make CodiMD reachable
 codimd_domain: pad.example.com
 # This is where all application related environment variables are defined except the database connection.
 # For all possible environment variables look here: https://github.com/codimd/server/blob/master/docs/configuration.md.
 # Note: All variables below will automatically be prefixed with "CMD_", eg. "DOMAIN" will automatically become "CMD_DOMAIN".
 codimd_options:
  ALLOW_FREE_URL: false
  DOMAIN: "{{ codimd_domain }}"
  EMAIL: false
  PROTOCOL_USESSL: true
  URL_ADDPORT: false
  USECDN: true
 # The version of codimd and its postgres server
 # (don't upgrade postgres without a backup etc, as it might have introduced breaking changes!)
 # renovate: depName=quay.io/hedgedoc/hedgedoc
 codimd_version: 1.9.9
 # renovate: depName=docker.io/library/postgres
 codimd_postgres_version: 11.16
 # The image tags that should be used (templated using the versions provided above)
 codimd_image_version: "{{ codimd_version }}"
 codimd_postgres_image_version: "{{ codimd_postgres_version }}-alpine"
 # SELinux level for codimd and the database, which are applied to their data folders and the containers.
 # (By default these will be omitted and ignored)
 codimd_selinux_level: "{{ omit }}"
 codimd_database_selinux_level: "{{ omit }}"
--- a/roles/codimd/meta/main.yml
+++ b/roles/codimd/meta/main.yml
@ -1,44 +0,0 @@
 galaxy_info:
  author: saibotk
  description: "Installs HedgeDoc as a Docker container."
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: GenericUNIX
      versions:
        - all
    - name: Fedora
      versions:
        - all
    - name: opensuse
      versions:
        - all
    - name: GenericBSD
      versions:
        - all
    - name: FreeBSD
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: SLES
      versions:
        - all
    - name: GenericLinux
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags: []
 dependencies:
  - role: docker
  - role: traefik
--- a/roles/codimd/tasks/main.yml
+++ b/roles/codimd/tasks/main.yml
@ -1,90 +0,0 @@
 ---
 # Tasks file for the codimd role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Alexander Wellbrock
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Update default SELinux contexts
  community.general.sefcontext:
    target: "{{ item.location }}(/.*)?"
    setype: "container_file_t"
    selevel: "{{ item.selevel | default(omit) }}"
    state: present
  when: item.when | default(true)
  with_items:
    - location: "{{ codimd_database_location }}"
      selevel: "{{ codimd_database_selinux_level }}"
    - location: "{{ codimd_uploads_location }}"
      selevel: "{{ codimd_selinux_level }}"
      when: "{{ codimd_uploads_local }}"
  tags:
    - codimd
  become: true
 - name: Create install directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
  with_items:
    - "{{ codimd_install_location }}"
  tags:
    - codimd
  become: true
 - name: Create data directory
  ansible.builtin.file: # noqa risky-file-permissions # Container adjusts permissions on its own
    path: "{{ item.location }}"
    state: directory
    setype: "container_file_t"
    selevel: "{{ item.selevel | default(omit) }}"
  when: item.when | default(true)
  with_items:
    - location: "{{ codimd_database_location }}"
      selevel: "{{ codimd_database_selinux_level }}"
    - location: "{{ codimd_uploads_location }}"
      selevel: "{{ codimd_selinux_level }}"
      when: "{{ codimd_uploads_local }}"
  tags:
    - codimd
  become: true
 - name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml
    dest: "{{ codimd_install_location }}/docker-compose.yml"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: docker compose -f %s config -q
  tags:
    - docker
    - codimd
  become: true
 - name: Compose codimd
  community.docker.docker_compose_v2:
    state: present
    project_src: "{{ codimd_install_location }}"
    pull: always
    remove_orphans: true
  tags:
    - codimd
  become: true
--- a/roles/codimd/templates/docker-compose.yml
+++ b/roles/codimd/templates/docker-compose.yml
@ -1,105 +0,0 @@
 {{ ansible_managed | comment }}
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 version: '2'
 services:
  database:
    image: docker.io/library/postgres:{{ codimd_postgres_image_version }}
    mem_limit: 256mb
    memswap_limit: 512mb
    read_only: true
 {% if codimd_database_selinux_level != omit %}
    security_opt:
      - label=level:{{ codimd_database_selinux_level }}
 {% endif %}
    tmpfs:
      - /run/postgresql:size=512K
      - /tmp:size=128K
    stop_grace_period: 2m
    stop_signal: SIGINT
    environment:
      - POSTGRES_USER={{ codimd_database_user }}
      - POSTGRES_PASSWORD={{ codimd_database_password }}
      - POSTGRES_DB={{ codimd_database_name }}
    volumes:
      - {{ codimd_database_location }}:/var/lib/postgresql/data
    networks:
      backend:
    restart: always
  codimd:
    image:  quay.io/hedgedoc/hedgedoc:{{ codimd_image_version }}
    mem_limit: 256mb
    memswap_limit: 512mb
    restart: always
    read_only: true
 {% if codimd_selinux_level != omit %}
    security_opt:
      - label=level:{{ codimd_selinux_level }}
 {% endif %}
    tmpfs:
      - /tmp:size=10M
 {% if not codimd_uploads_local %}
      - /hedgedoc/public/uploads:size=10M
 {% endif %}
    environment:
      - "CMD_DB_URL=postgres://{{ codimd_database_user }}:{{ codimd_database_password }}@database:5432/{{ codimd_database_name }}"
 {% for key, value in codimd_options.items() %}
      - "CMD_{{ key }}={{ value }}"
 {% endfor %}
    labels:
      - "traefik.http.routers.codimd.rule=Host(`{{ codimd_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.codimd.entrypoints=websecure"
      - "traefik.http.routers.codimd.tls=true"
      - "traefik.http.routers.codimd.tls.certresolver={{ codimd_traefik_certresolver }}"
      - "traefik.http.routers.codimd.middlewares=codimd,compress"
      - "traefik.http.routers.codimd.service=codimd"
      - "traefik.http.services.codimd.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.codimd.headers.sslredirect=true"
      - "traefik.http.middlewares.codimd.headers.stsSeconds=63072000"
      - "traefik.http.middlewares.codimd.headers.browserXssFilter=true"
      - "traefik.http.middlewares.codimd.headers.contentTypeNosniff=true"
      - "traefik.enable=true"
 {% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
 {% endif %}
 {% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
      - "traefik.http.middlewares.codimd.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
 {% endif %}
 {% if codimd_uploads_local %}
    volumes:
      - {{ codimd_uploads_location }}:/hedgedoc/public/uploads
 {% endif %}
    networks:
      backend:
 {% if proxy_network is defined %}
      {{ proxy_network }}:
 {% endif %}
 networks:
  backend:
 {% if proxy_network is defined %}
  {{ proxy_network }}:
    external: true
 {% endif %}
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -42,11 +42,11 @@ docker_install_repository: true
 # The repository settings
 # The repository will be added as a repository to allow downloading/installing the package
-docker_yum_repository_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo
+docker_yum_repository_url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/docker-{{ docker_edition }}.repo
 docker_yum_repository_destination: /etc/yum.repos.d/docker-{{ docker_edition }}.repo
 # Where to fetch the docker repository GPG key from
-docker_yum_repository_gpg_key: https://download.docker.com/linux/centos/gpg
+docker_yum_repository_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
 # The apt repository settings
 docker_apt_key_id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@ -6,9 +6,6 @@ galaxy_info:
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: Fedora
      versions:
        - all
--- a/roles/docker/tasks/Rocky.yml
+++ b/roles/docker/tasks/Rocky.yml
@ -1,55 +0,0 @@
 ---
 # Tasks file for the docker role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 #
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Ensure old versions of Docker are not installed.
  ansible.builtin.package:
    name:
      - docker
      - docker-common
      - docker-engine
    state: absent
  become: true
 - name: Ensure buildah & runc are not installed.
  ansible.builtin.package:
    name:
      - buildah
      - runc
    state: absent
  become: true
 - name: Add Docker GPG key.
  ansible.builtin.rpm_key:
    key: "{{ docker_yum_repository_gpg_key }}"
    state: present
  when:
    - docker_install_repository
  become: true
 - name: Add Docker repository.
  ansible.builtin.get_url:
    url: "{{ docker_yum_repository_url }}"
    dest: "{{ docker_yum_repository_destination }}"
    owner: root
    group: root
    mode: "0644"
  when:
    - docker_install_repository
  become: true
--- a/roles/docker_cleanup/README.md
+++ b/roles/docker_cleanup/README.md
@ -1,24 +0,0 @@
 docker_cleanup
 =========
 This will prune unused docker images older than 3 days, to keep the system clean.
 Requirements
 ------------
 You will need to have docker installed with its python package to use this role.
 Role Variables
 --------------
 None
 Dependencies
 ------------
 - docker
 License
 -------
 GPL-3.0-only
--- a/roles/docker_cleanup/meta/main.yml
+++ b/roles/docker_cleanup/meta/main.yml
@ -1,43 +0,0 @@
 galaxy_info:
  author: Christoph Kern
  description: "Cleans up the exsting Docker install"
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: GenericUNIX
      versions:
        - all
    - name: Fedora
      versions:
        - all
    - name: opensuse
      versions:
        - all
    - name: GenericBSD
      versions:
        - all
    - name: FreeBSD
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: SLES
      versions:
        - all
    - name: GenericLinux
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags: []
 dependencies:
  - role: docker
--- a/roles/docker_cleanup/tasks/main.yml
+++ b/roles/docker_cleanup/tasks/main.yml
@ -1,25 +0,0 @@
 ---
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Prune docker images older than 3 days
  community.docker.docker_prune:
    images: true
    images_filters:
      dangling: false
      until: 72h
  become: true
--- a/roles/docker_ipv6_nat/README.md
+++ b/roles/docker_ipv6_nat/README.md
@ -1,31 +0,0 @@
 docker_ipv6_nat
 ===============
 This will install the [docker-ipv6nat](https://github.com/robbertkl/docker-ipv6nat) container to manage IPv6 with ease on a single IP.
 The container will automatically create ip6table forwarding rules on demand. To use the functionality, make sure that each container, that exposes a port
 also has an `ipv6_enabled: true` user-defined network attached to it, with a ULA IPv6 for the tool to forward to.
 **Note: This will enable the kernel module `ipv6nat` if not enabled!**
 Requirements
 ------------
 You will need to have docker, docker-compose installed or declared as dependencies with their respective roles. 
 Role Variables
 --------------
 **Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
 **Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
 Dependencies
 ------------
 - docker
 - docker-compose
 License
 -------
 GPL-3.0-only
--- a/roles/docker_ipv6_nat/defaults/main.yml
+++ b/roles/docker_ipv6_nat/defaults/main.yml
@ -1,26 +0,0 @@
 ---
 # Default variables for the docker_ipv6_nat role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # The install location (where the docker-compose.yml file will be deployed)
 docker_ipv6_nat_install_location: /srv/docker-ipv6-nat
 # The docker image and version/tag to use
 docker_ipv6_nat_baseimage: docker.io/robbertkl/ipv6nat
 # renovate: depName=docker.io/robbertkl/ipv6nat
 docker_ipv6_nat_version: 0.4.4
--- a/roles/docker_ipv6_nat/meta/main.yml
+++ b/roles/docker_ipv6_nat/meta/main.yml
@ -1,43 +0,0 @@
 galaxy_info:
  author: saibotk
  description: "Deploys a robbertkl/ipv6nat container."
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: GenericUNIX
      versions:
        - all
    - name: Fedora
      versions:
        - all
    - name: opensuse
      versions:
        - all
    - name: GenericBSD
      versions:
        - all
    - name: FreeBSD
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: SLES
      versions:
        - all
    - name: GenericLinux
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags: []
 dependencies:
  - role: docker
--- a/roles/docker_ipv6_nat/tasks/main.yml
+++ b/roles/docker_ipv6_nat/tasks/main.yml
@ -1,55 +0,0 @@
 ---
 # Tasks file for the docker_ipv6_nat role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Create install directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
  with_items:
    - "{{ docker_ipv6_nat_install_location }}"
  tags:
    - docker-ipv6-nat
  become: true
 - name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml
    dest: "{{ docker_ipv6_nat_install_location }}/docker-compose.yml"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: docker compose -f %s config -q
  tags:
    - docker
    - docker-ipv6-nat
  become: true
 - name: Compose docker-ipv6-nat
  community.docker.docker_compose_v2:
    state: present
    project_src: "{{ docker_ipv6_nat_install_location }}"
    pull: always
    remove_orphans: true
  tags:
    - docker
    - docker-ipv6-nat
  become: true
--- a/roles/docker_ipv6_nat/templates/docker-compose.yml
+++ b/roles/docker_ipv6_nat/templates/docker-compose.yml
@ -1,35 +0,0 @@
 {{ ansible_managed | comment }}
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 version: '2'
 services:
  ipv6nat:
    image: {{ docker_ipv6_nat_baseimage }}:{{ docker_ipv6_nat_version }}
    security_opt:
      - label:disable
    restart: always
    network_mode: "host"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/lib/modules:/lib/modules:ro"
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
--- a/roles/elementweb/defaults/main.yml
+++ b/roles/elementweb/defaults/main.yml
@ -0,0 +1,38 @@
 elementweb_install_dir: "/opt/elementweb"
 elementweb_domain: element.example.com
 elementweb_containerimage: docker.io/vectorim/element-web
 # renovate: depName=docker.io/vectorim/element-web
 elementweb_image_tag: "v1.11.90"
 elementweb_selinux_level: "{{ omit }}"
 elementweb_memory_low: 32m
 elementweb_memory_high: 0
 elementweb_swap_max: -1
 # The homeserver URL and display name
 elementweb_base_url: "https://matrix.example.com"
 elementweb_servername: "example.com"
 # Controls whether Element shows the presence feature for all (empty list) or specific servers (key = value list with the key being the server url)
 elementweb_enable_presence_by_hs_url: []
 # Should users only be allowed to use this instance with the given matrix server?
 elementweb_disable_custom_urls: true
 # Should Element-Web disable guests? (without sign-in)
 elementweb_disable_guests: true
 # Should Element-Web disable 3PID login? (Login with Email etc)
 elementweb_disable_3pid_login: false
 # Integration Server URLs to use (see https://github.com/vector-im/element-web/blob/develop/docs/config.md)
 elementweb_integrations_ui_url: "https://scalar.vector.im/"
 elementweb_integrations_rest_url: "https://scalar.vector.im/api"
 elementweb_integrations_widgets_urls: ["https://scalar.vector.im/api"]
 elementweb_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
 # Element Web public room directory server(s)
 elementweb_roomdir_servers: ["matrix.org"]
--- a/roles/elementweb/handlers/main.yml
+++ b/roles/elementweb/handlers/main.yml
@ -0,0 +1,14 @@
 - name: Apply new SELinux file context to filesystem.
  ansible.builtin.command: "restorecon -irF {{ elementweb_install_dir }}"
  become: true
  listen: "elementweb selinux context changed"
 - name: Restart elementweb service.
  ansible.builtin.systemd:
    state: restarted
    name: elementweb.service
    daemon_reload: true
  become: true
  listen:
    - "elementweb service changed"
    - "elementweb selinux context changed"
--- a/roles/elementweb/meta/main.yml
+++ b/roles/elementweb/meta/main.yml
@ -0,0 +1,20 @@
 galaxy_info:
  author: saibotk
  description: Deploy element web with podman and systemd.
  issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
  license: GPL-3.0-only
  min_ansible_version: "2.10"
  platforms:
    - name: Fedora
      versions:
        - "41"
  standalone: true
  galaxy_tags: []
 dependencies: []
--- a/roles/elementweb/tasks/main.yml
+++ b/roles/elementweb/tasks/main.yml
@ -0,0 +1,80 @@
 - name: Update default SELinux contexts
  community.general.sefcontext:
    target: "{{ item.target }}"
    setype: "container_file_t"
    selevel: "{{ item.selevel }}"
    state: present
  loop:
    - target: "{{ elementweb_install_dir }}/config.json"
      selevel: "{{ elementweb_selinux_level }}"
  become: true
  notify: "elementweb selinux context changed"
 - name: Create elementweb directories.
  ansible.builtin.file:
    path: "{{ elementweb_install_dir }}"
    owner: "root"
    group: "root"
    mode: "0700"
    state: directory
  become: true
 - name: Stat elementweb config file.
  ansible.builtin.stat:
    path: "{{ elementweb_install_dir }}/config.json"
  become: true
  register: elementweb_stat_config
 - name: Add caddy config file.
  block:
    - name: Check caddy config dir.
      ansible.builtin.stat:
        path: "{{ caddy_install_dir }}/config"
      become: true
      register: caddy_stat_config_dir
    - name: Template caddy config for elementweb.
      ansible.builtin.template:
        src: elementweb.caddy.j2
        dest: "{{ caddy_install_dir }}/config/elementweb.caddy"
        mode: "0600"
        setype: "container_file_t"
        selevel: "{{ caddy_selinux_level }}"
        owner: "{{ caddy_stat_config_dir.stat.uid }}"
        group: "{{ caddy_stat_config_dir.stat.gid }}"
      notify: "caddy config changed"
      become: true
 - name: Create elementweb container file.
  ansible.builtin.template:
    src: elementweb.container.j2
    dest: /etc/containers/systemd/elementweb.container
    owner: "root"
    group: "root"
    mode: "0644"
  become: true
  notify: "elementweb service changed"
 - name: Create elementweb config file.
  ansible.builtin.template:
    src: config.json.j2
    dest: "{{ elementweb_install_dir }}/config.json"
    setype: "container_file_t"
    selevel: "{{ elementweb_selinux_level }}"
    owner: "{{ elementweb_stat_config.stat.uid | default('root') }}"
    group: "{{ elementweb_stat_config.stat.gid | default('root') }}"
    mode: "0644"
  become: true
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers
 - name: Ensure elementweb services are started and enabled.
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: "{{ item }}"
    daemon_reload: true
  loop:
    - elementweb.service
  become: true
--- a/roles/elementweb/templates/config.json.j2
+++ b/roles/elementweb/templates/config.json.j2
@ -0,0 +1,23 @@
 {
 	"default_server_config": {
 		"m.homeserver": {
 			"base_url": {{ elementweb_base_url | string | to_json }},
 			"server_name": {{ elementweb_servername | string | to_json }}
 		}
 	},
 	"disable_custom_urls": {{ elementweb_disable_custom_urls | to_json }},
    "disable_3pid_login": {{ elementweb_disable_3pid_login | to_json }},
 	"disable_guests": {{ elementweb_disable_guests | to_json }},
 	"integrations_ui_url": {{ elementweb_integrations_ui_url | string | to_json }},
 	"integrations_rest_url": {{ elementweb_integrations_rest_url | string | to_json }},
 	"integrations_widgets_urls": {{ elementweb_integrations_widgets_urls | to_json }},
 	"integrations_jitsi_widget_url": {{ elementweb_integrations_jitsi_widget_url | string | to_json }},
 	"bug_report_endpoint_url": "https://element.io/bugreports/submit",
 	"showLabsSettings": true,
 {% if elementweb_enable_presence_by_hs_url %}
 	"enable_presence_by_hs_url": {{ elementweb_enable_presence_by_hs_url | to_json }},
 {% endif %}
 	"roomDirectory": {
 		"servers": {{ elementweb_roomdir_servers | to_json }}
 	}
 }
--- a/roles/elementweb/templates/elementweb.caddy.j2
+++ b/roles/elementweb/templates/elementweb.caddy.j2
@ -0,0 +1,24 @@
 {{ ansible_managed | comment }}
 {{ elementweb_domain }} {
    encode gzip
    header {
        # enable HSTS
        Strict-Transport-Security "max-age=31536000; preload;"
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade
        # Server name removing
        -Server
    }
    reverse_proxy elementweb:8000
 }
--- a/roles/elementweb/templates/elementweb.container.j2
+++ b/roles/elementweb/templates/elementweb.container.j2
@ -0,0 +1,41 @@
 {{ ansible_managed | comment }}
 [Unit]
 Description = Element Web
 [Service]
 Restart = always
 RestartSec = 5s
 [Container]
 Image = {{ elementweb_containerimage }}:{{ elementweb_image_tag }}
 ContainerName = elementweb
 # AutoUpdate = registry
 LogDriver = journald
 ReadOnly = true
 NoNewPrivileges = true
 DropCapability = all
 AddCapability = DAC_OVERRIDE
 UserNS = auto:size=65535
 {% if elementweb_selinux_level != omit %}
 SecurityLabelLevel = {{ elementweb_selinux_level }}
 {% endif %}
 Network = caddy.network
 Environment = ELEMENT_WEB_PORT=8000
 Volume = {{ elementweb_install_dir }}/config.json:/app/config.json:ro,U
 Tmpfs = /var/cache/nginx:rw,noexec,nosuid,nodev,size=1m
 Tmpfs = /var/run:rw,noexec,nosuid,nodev,size=1m
 Tmpfs = /etc/nginx/conf.d:rw,noexec,nosuid,nodev,size=8m,mode=1770,U
 PodmanArgs = --memory={{ elementweb_memory_high }}
 PodmanArgs = --memory-swap={{ elementweb_swap_max }}
 PodmanArgs = --memory-reservation={{ elementweb_memory_low }}
 [Install]
 WantedBy = default.target
--- a/roles/epel/README.md
+++ b/roles/epel/README.md
@ -1,24 +0,0 @@
 EPEL
 =========
 Installs the `epel-release` package via yum.
 Requirements
 ------------
 None
 Role Variables
 --------------
 None
 Dependencies
 ------------
 None, except for a CentOS 7 system.
 License
 -------
 GPL-3.0-only
--- a/roles/epel/meta/main.yml
+++ b/roles/epel/meta/main.yml
@ -1,15 +0,0 @@
 galaxy_info:
  author: saibotk
  description: Installs the epel-release package.
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - "7"
  galaxy_tags: []
 dependencies: []
--- a/roles/epel/tasks/main.yml
+++ b/roles/epel/tasks/main.yml
@ -1,24 +0,0 @@
 ---
 # Tasks file for the epel role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Install EPEL repository package # noqa fqcn
  ansible.builtin.yum:
    name: epel-release
    state: present
  become: true
--- a/roles/factorio/README.md
+++ b/roles/factorio/README.md
@ -1,27 +0,0 @@
 Factorio
 =========
 This will setup a [Factorio](https://github.com/factoriotools/factorio-docker) gameserver using a docker container.
 Requirements
 ------------
 You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.  
 Role Variables
 --------------
 **Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
 **Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
 Dependencies
 ------------
 - docker
 - docker-compose
 License
 -------
 GPL-3.0-only
--- a/roles/factorio/defaults/main.yml
+++ b/roles/factorio/defaults/main.yml
@ -1,37 +0,0 @@
 ---
 # Default variables for the factorio role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # The install location (where the docker-compose file is stored)
 factorio_install_location: "/srv/factorio"
 factorio_data_location: "{{ factorio_install_location }}/data"
 # The camo version that should be used
 # renovate: depName=docker.io/factoriotools/factorio
 factorio_version: "1.1.108"
 # Docker image
 factorio_image: "docker.io/factoriotools/factorio"
 # The factorio server port that should be exposed
 factorio_server_port: 34197
 # IPv6 ULA config for the bridge network used by docker-ipv6-nat
 factorio_ipv6:
  enabled: false
  subnet: "fd9e:21a7:a92c:2456::/64"
--- a/roles/factorio/meta/main.yml
+++ b/roles/factorio/meta/main.yml
@ -1,43 +0,0 @@
 galaxy_info:
  author: saibotk
  description: "Installs a factorio server via Docker."
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: GenericUNIX
      versions:
        - all
    - name: Fedora
      versions:
        - all
    - name: opensuse
      versions:
        - all
    - name: GenericBSD
      versions:
        - all
    - name: FreeBSD
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: SLES
      versions:
        - all
    - name: GenericLinux
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags: []
 dependencies:
  - role: docker
--- a/roles/factorio/tasks/main.yml
+++ b/roles/factorio/tasks/main.yml
@ -1,79 +0,0 @@
 ---
 # Tasks file for the factorio role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Update default SELinux contexts
  community.general.sefcontext:
    target: "{{ item }}(/.*)?"
    setype: "container_file_t"
    state: present
  with_items:
    - "{{ factorio_data_location }}"
  tags:
    - factorio
  become: true
 - name: Create install directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
  with_items:
    - "{{ factorio_install_location }}"
  become: true
  tags:
    - factorio
 - name: Create data directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0750"
    owner: "845"
    group: "845"
    setype: "container_file_t"
  with_items:
    - "{{ factorio_data_location }}"
  tags:
    - factorio
  become: true
 - name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml
    dest: "{{ factorio_install_location }}/docker-compose.yml"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: docker compose -f %s config -q
  tags:
    - docker
    - factorio
  become: true
 - name: Compose factorio container
  community.docker.docker_compose_v2:
    state: present
    project_src: "{{ factorio_install_location }}"
    pull: always
    remove_orphans: true
  tags:
    - factorio
  become: true
--- a/roles/factorio/templates/docker-compose.yml
+++ b/roles/factorio/templates/docker-compose.yml
@ -1,40 +0,0 @@
 {{ ansible_managed | comment }}
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 version: '2.1'
 services:
  factorio:
    image: "{{ factorio_image }}:{{ factorio_version }}"
    ports:
      - "{{ factorio_server_port }}:34197/udp"
    volumes:
      - "{{ factorio_data_location }}:/factorio"
    restart: always
    networks:
      factorio-backend:
 networks:
  factorio-backend:
    driver: bridge
 {% if factorio_ipv6 is defined and factorio_ipv6.enabled %}
    ipam:
      driver: default
      config:
        - subnet: {{ factorio_ipv6.subnet }}
    enable_ipv6: true
 {% endif %}
--- a/roles/gitlab/README.md
+++ b/roles/gitlab/README.md
@ -1,35 +0,0 @@
 Gitlab
 =========
 This will setup a Gitlab instance using their official docker container and traefik as a reverse proxy.
 Requirements
 ------------
 You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
 **This role assumes that you have setup traefik with an endpoint called `websecure`.**
 Role Variables
 --------------
 **Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
 **Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
 ### Global variables, that are used:
 - `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
 - `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
 Dependencies
 ------------
 - docker
 - docker-compose
 - traefik
 License
 -------
 GPL-3.0-only
--- a/roles/gitlab/defaults/main.yml
+++ b/roles/gitlab/defaults/main.yml
@ -1,167 +0,0 @@
 ---
 # Default variables for the gitlab role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # Install location settings
 gitlab_install_location: /srv/gitlab
 gitlab_data_location: "{{ gitlab_install_location }}/data"
 gitlab_config_location: "{{ gitlab_install_location }}/config"
 gitlab_log_location: "{{ gitlab_install_location }}/log"
 gitlab_telegraf_location: "{{ gitlab_install_location }}/telegraf"
 # Put GitLab's logs in a tempfs instead to save headache with diskspace
 gitlab_log_tmpfs: false
 # Set the certresolver to your desired traefik certresolver.
 # Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
 gitlab_traefik_certresolver: letsencrypt_http
 # The domain under which traefik should make gitlab (and, if enabled, the registry) reachable
 gitlab_domain: gitlab.example.com
 gitlab_registry_domain: registry.gitlab.example.com
 # The Gitlab version, usually you don't need to adjust this for a host.
 # renovate: depName=gitlab/gitlab-ce
 gitlab_version: 16.11.5-ce.0
 # renovate: depName=docker.io/library/telegraf
 gitlab_telegraf_version: "1.26"
 # The port you want Gitlab to listen on for SSH connections
 gitlab_ssh_port: 22
 # The memory limits for the GitLab container
 #
 # Notice the gitlab_memoryswap_limit must be equal
 # or higher than the gitlab_memory_limit
 gitlab_memory_limit: "6096mb"
 gitlab_memoryswap_limit: "6352mb"
 # Enable or disable selinux handling
 gitlab_selinux_enabled: true
 # Email/SMTP settings
 gitlab_smtp_address: smtp.example.com
 gitlab_smtp_port: 465
 gitlab_smtp_user_name: "gitlab@example.com"
 gitlab_smtp_password: "{{ lookup('passwordstore', gitlab_domain + '/' + gitlab_smtp_user_name + ' create=true length=42') }}"
 gitlab_smtp_tls: "{{ gitlab_snmp_tls | default('true') }}" # There was a typo in the config option name, this makes sure it's falling back properly
 gitlab_email_from: "{{ gitlab_smtp_user_name }}"
 gitlab_email_reply_to: "{{ gitlab_smtp_user_name }}"
 gitlab_smtp_starttls_auto: false
 gitlab_smtp_openssl_verify_mode: "peer"
 # Libravatar / Gravatar URLs
 gitlab_libravatar_plain: "cdn.libravatar.org"
 gitlab_libravatar_ssl: "seccdn.libravatar.org"
 # CSP settings
 gitlab_csp:
  enabled: true
  img_src: "https:"
  # yamllint disable-line rule:line-length
  # frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
  # script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
 # SAML settings
 gitlab_saml:
  enabled: false
  label: "SAML"
  groups_attribute: "roles"
  external_groups: "{{ gitlab_domain }}:external"
  idp_cert_fingerprint: "<to be set>"
  idp_sso_target_url: "https://sso.example.com"
  idp_slo_target_url: "https://sso.example.com"
  issuer: "{{ gitlab_domain }}"
  certificate: "<cert without '----BEGIN CERTIFICATE----' (can be omited)>"
  private_key: "<private key without '----BEGIN RSA PRIVATE KEY----' (can be omited)>"
  attribute_statements:
    first_name: "first_name"
    last_name: "last_name"
    name: "name"
    username: "username"
    email: "email"
  name_identifier_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  autologin: false
 # LDAP settings
 gitlab_ldap:
  enabled: false
  label: "LDAP"
  host: "ldap.example.com"
  port: 389
  bind_dn: "_the_full_dn_of_the_user_you_will_bind_with"
  password: "_the_password_of_the_bind_user"
  encryption: "simple_tls"
  verify_certificates: true
  uid: "sAMAccountName"
  active_directory: true
  user_filter: ""
  base: "dc=example,dc=com"
 # IMAP settings (for email replies to comments etc.)
 gitlab_imap:
  enabled: false
  username: "{{ gitlab_smtp_user_name }}"
  password: "{{ gitlab_smtp_password }}"
  server_address: imap.example.com
  email_address: "incoming+%{key}@gitlab.example.com"
 # Gitlab docker registry settings
 gitlab_registry:
  enabled: false
  # Defines the port that is appended to the registry domain used by gitlab.
  # This can be omitted, when no port is needed (eg. registry on its own domain)
  external_port: 5050
  # Defines the entrypoint that traefik should use for the registry.
  # Can be useful to use another port while still using the certificate of the main domain.
  # This can be omitted to use "websecure" by default
  traefik_entrypoint: "websecure"
 # Gitlab telegraf configuration, allows to configure a monitoring setup for Gitlab
 gitlab_telegraf:
  enabled: false
  # Your influxDB hosts
  influxdb_endpoints:
    - "influxdb.example.com"
  influxdb_username: telegraf
  influxdb_password: ""
  influxdb_retention_policy: "gitlab"
  influxdb_retention_policy_tag: ""
  # Token provided by Gitlab on the admin page
  # See https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_metrics.html
  metrics_token: ""
 # Gitlab dependency proxy feature (see https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html)
 gitlab_dependency_proxy:
  enabled: false
 # Enable the packages feature (see https://docs.gitlab.com/ee/administration/packages/index.html)
 gitlab_packages:
  enabled: false
 # IPv6 ULA config for the bridge network used by docker-ipv6-nat
 gitlab_ipv6:
  enabled: false
  subnet: "fd9e:21a7:a92c:2326::/64"
 # Gitlab bundled Mattermost instance settings
 gitlab_mattermost:
  enabled: false
  domain: chat.gitlab.com
--- a/roles/gitlab/meta/main.yml
+++ b/roles/gitlab/meta/main.yml
@ -1,44 +0,0 @@
 galaxy_info:
  author: saibotk
  description: "Installs and configures GitLab via Docker."
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: GenericUNIX
      versions:
        - all
    - name: Fedora
      versions:
        - all
    - name: opensuse
      versions:
        - all
    - name: GenericBSD
      versions:
        - all
    - name: FreeBSD
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: SLES
      versions:
        - all
    - name: GenericLinux
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags: []
 dependencies:
  - role: docker
  - role: traefik
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@ -1,101 +0,0 @@
 ---
 # Tasks file for the gitlab role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Update default SELinux contexts
  community.general.sefcontext:
    target: "{{ item }}(/.*)?"
    setype: "container_file_t"
    state: present
  with_items:
    - "{{ gitlab_data_location }}"
    - "{{ gitlab_config_location }}"
    - "{{ gitlab_log_location }}"
    - "{{ gitlab_telegraf_location }}"
  tags:
    - gitlab
  when:
    - gitlab_selinux_enabled
  become: true
 - name: Create install directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
  with_items:
    - "{{ gitlab_install_location }}"
  tags:
    - gitlab
  become: true
 - name: Create data directory
  ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
    path: "{{ item }}"
    state: directory
    owner: "root"
    group: "root"
    setype: "container_file_t"
  with_items:
    - "{{ gitlab_data_location }}"
    - "{{ gitlab_config_location }}"
    - "{{ gitlab_log_location }}"
    - "{{ gitlab_telegraf_location }}"
  tags:
    - gitlab
  become: true
 - name: Deploy telegraf.conf
  ansible.builtin.template:
    src: telegraf.conf
    dest: "{{ gitlab_telegraf_location }}/telegraf.conf"
    mode: "0600"
    owner: "root"
    group: "root"
  tags:
    - telegraf
    - gitlab
  become: true
  when:
    - gitlab_telegraf.enabled
 - name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml
    dest: "{{ gitlab_install_location }}/docker-compose.yml"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: docker compose -f %s config -q
  tags:
    - docker
    - gitlab
  become: true
 - name: Compose GitLab
  community.docker.docker_compose_v2:
    state: present
    project_src: "{{ gitlab_install_location }}"
    pull: always
    remove_orphans: true
  tags:
    - gitlab
  become: true
--- a/roles/gitlab/templates/docker-compose.yml
+++ b/roles/gitlab/templates/docker-compose.yml
@ -1,321 +0,0 @@
 {{ ansible_managed | comment }}
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 version: '2.1'
 services:
  web:
    image: docker.io/gitlab/gitlab-ce:{{ gitlab_version }}
    hostname: '{{ gitlab_domain }}'
    mem_limit: {{ gitlab_memory_limit }}
    memswap_limit: {{ gitlab_memoryswap_limit }}
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://{{ gitlab_domain }}'
        gitlab_rails['gitlab_shell_ssh_port'] = {{ gitlab_ssh_port }}
        letsencrypt['enable'] = false
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        nginx['real_ip_trusted_addresses'] = [ '172.16.0.0/12' ]
        nginx['gzip_enabled'] = false
        prometheus_monitoring['enable'] = false
        # CSP config
        gitlab_rails['content_security_policy'] = {
            enabled: {{ gitlab_csp.enabled | default(true) | bool | lower }},
            report_only: false,
            directives: {
              default_src: "'self' {{ gitlab_csp.default_src | default("") }}",
              script_src: "'self' {{ gitlab_csp.script_src | default("") }} 'unsafe-eval'",
              frame_ancestor: "'self'",
              frame_src: "'self' {{ gitlab_csp.frame_src | default("") }}",
              img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default("") }} data: blob:",
              style_src: "'self' 'unsafe-inline'",
              worker_src: "'self' blob:",
              object_src: "'none'"
            }
        }
        # Mail settings
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }}
        gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user_name }}"
        gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_domain'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls | bool | lower }}
        gitlab_rails['smtp_enable_starttls_auto'] = {{ gitlab_smtp_starttls_auto | bool | lower }}
        gitlab_rails['smtp_openssl_verify_mode'] = '{{ gitlab_smtp_openssl_verify_mode }}'
        gitlab_rails['gitlab_email_from'] = '{{ gitlab_email_from }}'
        gitlab_rails['gitlab_email_reply_to'] = '{{ gitlab_email_reply_to }}'
        # Use Libravatar
        gitlab_rails['gravatar_enabled'] = true
        gitlab_rails['gravatar_plain_url'] = "http://{{ gitlab_libravatar_plain }}/avatar/%{hash}?s=%{size}&d=identicon"
        gitlab_rails['gravatar_ssl_url'] = "https://{{ gitlab_libravatar_ssl }}/avatar/%{hash}?s=%{size}&d=identicon"
 {% if gitlab_imap.enabled %}
        gitlab_rails['incoming_email_enabled'] = true
        # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
        # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
        #gitlab_rails['incoming_email_address'] = "incoming+%{key}@gitlab.example.com"
        gitlab_rails['incoming_email_address'] = "{{ gitlab_imap.email_address }}"
        # Email account username
        # With third party providers, this is usually the full email address.
        # With self-hosted email servers, this is usually the user part of the email address.
        gitlab_rails['incoming_email_email'] = "{{ gitlab_imap.username }}"
        # Email account password
        gitlab_rails['incoming_email_password'] = "{{ gitlab_imap.password }}"
        # IMAP server host
        gitlab_rails['incoming_email_host'] = "{{ gitlab_imap.server_address }}"
        # IMAP server port
        gitlab_rails['incoming_email_port'] = 993
        # Whether the IMAP server uses SSL
        gitlab_rails['incoming_email_ssl'] = true
        # Whether the IMAP server uses StartTLS
        gitlab_rails['incoming_email_start_tls'] = false
        # The mailbox where incoming mail will end up. Usually "inbox".
        gitlab_rails['incoming_email_mailbox_name'] = "inbox"
        # The IDLE command timeout.
        gitlab_rails['incoming_email_idle_timeout'] = 60
 {% endif %}
 {% if gitlab_packages.enabled %}
        # Gitlab packages
        gitlab_rails['packages_enabled'] = true
 {% endif %}
 {% if gitlab_dependency_proxy.enabled %}
        # Gitlab dependency proxy
        gitlab_rails['dependency_proxy_enabled'] = true
 {% endif %}
 {% if gitlab_registry.enabled %}
        # Gitlab registry
        gitlab_rails['registry_enabled'] = true
        gitlab_rails['registry_host'] = "{{ gitlab_registry_domain }}"
        registry_external_url "https://{{ gitlab_registry_domain }}{% if gitlab_registry.external_port is defined %}:{{ gitlab_registry.external_port }}{% endif %}"
        registry_nginx['listen_port'] = 5040
        registry_nginx['listen_https'] = false
 {% endif %}
 {% if gitlab_mattermost.enabled %}
        # Mattermost
        mattermost_external_url 'https://{{ gitlab_mattermost.domain }}'
        mattermost_nginx['listen_port'] = 8050
        mattermost_nginx['listen_https'] = false
        mattermost['gitlab_auth_endpoint'] = "http://{{ gitlab_domain }}/oauth/authorize"
        mattermost['gitlab_token_endpoint'] = "http://{{ gitlab_domain }}/oauth/token"
        mattermost['gitlab_user_api_endpoint'] = "http://{{ gitlab_domain }}/api/v4/user"
 {% endif %}
 {% if gitlab_ldap.enabled %}
        gitlab_rails['ldap_enabled'] = true
        gitlab_rails['prevent_ldap_sign_in'] = false
        gitlab_rails['ldap_servers'] = {
        'main' => {
          'label' => '{{ gitlab_ldap.label }}',
          'host' =>  '{{ gitlab_ldap.host }}',
          'port' => {{ gitlab_ldap.port }},
          'uid' => '{{ gitlab_ldap.uid }}',
          'encryption' => '{{ gitlab_ldap.encryption }}',
          'verify_certificates' => {{ gitlab_ldap.verify_certificates | bool | lower }},
          'bind_dn' => '{{ gitlab_ldap.bind_dn }}',
          'password' => '{{ gitlab_ldap.password }}',
          'timeout' => 10,
          'active_directory' => {{ gitlab_ldap.active_directory | bool | lower }},
          'allow_username_or_email_login' => false,
          'block_auto_created_users' => false,
          'base' => '{{ gitlab_ldap.base }}',
          'attributes' => {
            'username' => ['uid', 'userid', 'sAMAccountName'],
            'email' => ['mail', 'email', 'userPrincipalName'],
            'name' => 'cn',
            'first_name' => 'givenName',
            'last_name' => 'sn'
          },
          'lowercase_usernames' => false
          }
        }
 {% endif %}
 {% if gitlab_saml.enabled %}
        # SAML settings
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_auto_link_ldap_user'] = false
        gitlab_rails['omniauth_auto_link_saml_user'] = false
        gitlab_rails['omniauth_external_providers'] = []
        gitlab_rails['omniauth_providers'] = [
          {
            name: 'saml',
            label: '{{ gitlab_saml.label }}',
            groups_attribute: '{{ gitlab_saml.groups_attribute }}',
            external_groups: ['{{ gitlab_saml.external_groups }}'],
            args: {
                     assertion_consumer_service_url: 'https://{{ gitlab_domain }}/users/auth/saml/callback',
                     idp_cert_fingerprint: '{{ gitlab_saml.idp_cert_fingerprint }}',
                     idp_sso_target_url: '{{ gitlab_saml.idp_sso_target_url }}',
                     idp_slo_target_url: '{{ gitlab_saml.idp_slo_target_url }}',
 {% if gitlab_saml.certificate is defined and gitlab_saml.private_key is defined %}
                     certificate: '-----BEGIN CERTIFICATE-----
        {{ gitlab_saml.certificate }}
        -----END CERTIFICATE-----',
                     private_key: '-----BEGIN RSA PRIVATE KEY-----
        {{ gitlab_saml.private_key }}
        -----END RSA PRIVATE KEY-----',
                     security: {
                       authn_requests_signed: true,
                       want_assertions_signed: true,
                       embed_sign: true,
                       signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
                       digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
                     },
 {% endif %}
                     issuer: '{{ gitlab_saml.issuer }}',
                     attribute_statements: {
                       first_name: ['{{ gitlab_saml.attribute_statements.first_name }}'],
                       last_name: ['{{ gitlab_saml.attribute_statements.last_name }}'],
                       name: ['{{ gitlab_saml.attribute_statements.name }}'],
                       username: ['{{ gitlab_saml.attribute_statements.username }}'],
                       email: ['{{ gitlab_saml.attribute_statements.email }}'] },
                     name_identifier_format: '{{ gitlab_saml.name_identifier_format }}',
                     upstream_two_factor_authn_contexts:
                       %w(
                         urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
                         urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
                         urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
                       )
                   }
          }
        ]
 {% if gitlab_saml.autologin %}
        gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
 {% endif %}
 {% endif %}
 {% if gitlab_log_tmpfs %}
        # Configure logging to only retain 10 log files, of 10MiB each
        # This should prevent the tmpfs from overflowing
        logging['svlogd_size'] = 10 * 1024 * 1024
        logging['svlogd_num'] = 5
        logging['logrotate_maxsize'] = 10 * 1024 * 1024
        logging['logrotate_rotate'] = 5
 {% endif %}
    labels:
      - "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab.entrypoints=websecure"
      - "traefik.http.routers.gitlab.tls=true"
      - "traefik.http.routers.gitlab.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab.service=gitlab"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
 {% if gitlab_registry.enabled %}
      - "traefik.http.routers.gitlab-registry.rule=Host(`{{ gitlab_registry_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab-registry.entrypoints={{ gitlab_registry.traefik_entrypoint | default('websecure') }}"
      - "traefik.http.routers.gitlab-registry.tls=true"
      - "traefik.http.routers.gitlab-registry.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab-registry.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab-registry.service=gitlab-registry"
      - "traefik.http.services.gitlab-registry.loadbalancer.server.port=5040"
 {% endif %}
 {% if gitlab_mattermost.enabled %}
      - "traefik.http.routers.gitlab-mattermost.rule=Host(`{{ gitlab_mattermost.domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab-mattermost.entrypoints=websecure"
      - "traefik.http.routers.gitlab-mattermost.tls=true"
      - "traefik.http.routers.gitlab-mattermost.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab-mattermost.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab-mattermost.service=gitlab-mattermost"
      - "traefik.http.services.gitlab-mattermost.loadbalancer.server.port=8050"
 {% endif %}
      - "traefik.http.middlewares.gitlab.headers.sslredirect=true"
      - "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"
      - "traefik.enable=true"
 {% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
 {% endif %}
 {% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
      - "traefik.http.middlewares.gitlab.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
 {% endif %}
    volumes:
      - "{{ gitlab_data_location }}:/var/opt/gitlab"
      - "{{ gitlab_config_location }}:/etc/gitlab"
 {% if not gitlab_log_tmpfs %}
      - "{{ gitlab_log_location }}:/var/log/gitlab"
 {% endif %}
 {% if gitlab_log_tmpfs %}
    tmpfs:
      - "/var/log/gitlab:size=256M,noexec,nodev,nosuid,rw"
 {% endif %}
    restart: always
    ports:
      - "{{ gitlab_ssh_port }}:22"
 {% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
    networks:
 {% if proxy_network is defined %}
      {{ proxy_network }}:
 {% endif %}
 {% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
      gitlab-ipv6:
 {% endif %}
 {% endif %}
 {% if gitlab_telegraf.enabled %}
  telegraf:
    image: docker.io/library/telegraf:{{ gitlab_telegraf_version }}
    restart: always
    mem_limit: 256mb
    memswap_limit: 384mb
    read_only: false # TODO: Switch to self-made container
    volumes:
      - {{ gitlab_telegraf_location }}:/etc/telegraf/:ro
 {% endif %}
 {% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
 networks:
 {% if proxy_network is defined %}
  {{ proxy_network }}:
    external: true
 {% endif %}
 {% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
  gitlab-ipv6:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: {{ gitlab_ipv6.subnet }}
    enable_ipv6: true
 {% endif %}
 {% endif %}
--- a/roles/gitlab/templates/telegraf.conf
+++ b/roles/gitlab/templates/telegraf.conf
@ -1,26 +0,0 @@
 {{ ansible_managed | comment }}
 [global_tags]
 [agent]
  interval = "10s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 1000000
  collection_jitter = "5s"
  flush_interval = "10s"
  flush_jitter = "5s"
  precision = ""
  hostname = "{{ ansible_fqdn }}"
  omit_hostname = false
 [[outputs.influxdb]]
  urls = ["https://{{ gitlab_telegraf.influxdb_endpoints | join('","https://') }}"]
  database = "telegraf"
  timeout = "5s"
  retention_policy = "{{ gitlab_telegraf.influxdb_retention_policy }}"
  retention_policy_tag = "{{ gitlab_telegraf.influxdb_retention_policy_tag }}"
  username = "{{ gitlab_telegraf.influxdb_username }}"
  password = "{{ gitlab_telegraf.influxdb_password }}"
 [[inputs.prometheus]]
  urls = ["http://{{ gitlab_domain }}/-/metrics?token={{ gitlab_telegraf.metrics_token }}"]
--- a/roles/gitlab_runner/README.md
+++ b/roles/gitlab_runner/README.md
@ -1,87 +0,0 @@
 gitlab_runner
 =========
 This will set up a [gitlab-runner](https://docs.gitlab.com/runner/) instance via Docker, that is used to run CI jobs from a GitLab instance.  
 Multiple different runners can be created and configured for this runner instance.
 **NOTE: Currently this will only allow to configure a docker, shell & docker+machine runner.**
 **NOTE2: When deploying docker-machines with the privileged flag enabled, only use this in a trusted environment or set max builds to 1 to prevent malicious actions affecting other builds.**
 Requirements
 ------------
 You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
 Role Variables
 --------------
 **Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
 **Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**  
 ### Example autoscaling Hetzner-Runner configuration:
 ```yaml
 # This image has the hetzner plugin pre-installed
 gitlabrunner_image: "quay.io/shivering-isles/gitlab-hetzner-runner"
 gitlabrunner_image_version: 13.6.0
 # Extra paths that should be created (eg. to be mounted in the container)
 gitlabrunner_extra_paths:
  - "{{ gitlabrunner_install_location }}/hetzner_machine"
 gitlabrunner_runners:
    # The URL of the instance that this runner should be associated with
  - gitlab_url: https://gitlab.example.com
    # The token that you received when registering the runner (not the register token!!!)
    # Register a runner first to obtain a token: https://docs.gitlab.com/runner/register/index.html#docker
    # Can be done via the API and the registration token: eg. `curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token=<registration_token>"`
    gitlab_token: "ENTER_YOUR_TOKEN_HERE"
    # Adjust the name of the runner
    name: "hetzner-docker-auto-scale"
    # Set the docker executor
    executor: "docker+machine"
    # Should the docker runner start containers as privileged? (eg. needed for docker in docker / building with docker etc)
    docker_privileged: true
    # Should the docker socket be mounted into the containers? (SECURITY NOTE: This is critical, as it is effectively the same as root!)
    docker_mount_socket: true
    # The docker-machine driver that should be used (the server provider)
    machine_driver: "hetzner"
    # The template for naming new machines
    machine_name: "machine-%s-gitlab-runner"
    # The maximum amount of builds on a machine (VM) before a new one will be used
    machine_max_builds: 20
    # Time (in seconds) for machine to be in Idle state before it is removed.
    machine_idle_time: 1800
    # Number of machines, that need to be created and are waiting in Idle state.
    machine_idle_count: 0
    # The "MachineOptions" field with parameters that depend on the driver (these usually provide the api token, which machine type is used etc...)
    machine_options:
      hetzner-api-token: "REPLACE_WITH_YOUR_API_TOKEN" # The Hetzner specific API token
      hetzner-image: "debian-10" # The image that should be used for new machines
      hetzner-server-type: "cx11" # The server type (the hardware configuration) to use for a new machine
      hetzner-server-location: "fsn1" # The server location to use for a new machine
      engine-install-url: "https://releases.rancher.com/install-docker/19.03.9.sh" # Workaround until 20.10 gets an update https://github.com/JonasProgrammer/docker-machine-driver-hetzner/issues/54
    # Extra volumes that should be added to the gitlab runner container.
    gitlabrunner_extra_volumes:
      - "./hetzner_machine:/root/.docker/machine"
 ```
 Dependencies
 ------------
 - docker
 - docker-compose
 License
 -------
 GPL-3.0-only
--- a/roles/gitlab_runner/defaults/main.yml
+++ b/roles/gitlab_runner/defaults/main.yml
@ -1,109 +0,0 @@
 ---
 # Default variables for the gitlab_runner role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # Install location settings
 gitlab_runner_install_location: "/srv/gitlab-runner"
 gitlab_runner_config_location: "{{ gitlab_runner_install_location }}/config"
 # The runner image & tag/version to be used
 gitlab_runner_image: "docker.io/gitlab/gitlab-runner"
 # renovate: depName=docker.io/gitlab/gitlab-runner
 gitlab_runner_image_version: "v16.11.1"
 gitlab_runner_image_variant: "alpine-{{ gitlab_runner_image_version }}"
 # Extra paths that should be created (eg. to be mounted in the container)
 gitlab_runner_extra_paths: []
 # Enable or disable selinux handling
 gitlab_runner_selinux_enabled: true
 # Should the docker socket be mounted to the gitlab runner (usually needed for the docker executor)
 gitlab_runner_mount_docker_socket: false
 # Extra volumes that should be added to the gitlab runner container.
 gitlab_runner_extra_volumes: []
 # The maximum overall concurrent running jobs. This is the most upper limit of number of jobs using all defined runners, local and autoscale.
 gitlab_runner_concurrent: 1
 # The interval in seconds, to check for available jobs. (0 means default value is used.
 # See https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-check_interval-works)
 gitlab_runner_check_interval: 0
 # This is used to define all the runners, that may be served by this gitlab-runner
 # !! YOU WILL NEED TO ADJUST THIS! BELOW IS A FULL EXAMPLE!
 gitlab_runner_runners:
  # The URL of the instance that this runner should be associated with
  - gitlab_url: https://gitlab.example.com
    # The token that you received when registering the runner (not the register token!!!)
    # Register a runner first to obtain a token: https://docs.gitlab.com/runner/register/index.html#docker
    # Can be done via the API and the registration token:
    # curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token=<registration_token>"
    gitlab_token:
    # The name of the runner
    name: "docker-runner"
    # The limit of machines created by the runner and with that also the limit of jobs that can be handled concurrently by this specific runner.
    limit: 1
    # The executor that is used for this runner.
    # Eg. "docker", "shell", "docker+machine"
    executor: "docker"
    # Should the docker runner start containers as privileged? (eg. needed for docker in docker / building with docker etc)
    docker_privileged: false
    # Should the docker socket be mounted into the containers? (SECURITY NOTE: This is critical, as it is effectively the same as root!)
    docker_mount_socket: false
    # The image that should be used for jobs by default
    docker_image: "docker.io/library/docker:stable"
    # The docker-machine driver that should be used (the server provider)
    machine_driver: "hetzner"
    # The template for naming new machines
    machine_name: "machine-%s-gitlab-runner"
    # The maximum amount of builds on a machine (VM) before a new one will be used
    machine_max_builds: 20
    # Time (in seconds) for machine to be in Idle state before it is removed.
    machine_idle_time: 1800
    # Number of machines, that need to be created and are waiting in Idle state.
    machine_idle_count: 0
    # The "MachineOptions" field with parameters that depend on the driver (these usually provide the api token, which machine type is used etc...)
    # This for example are parameters for the Hetzner driver (but remember, that this will need the hetzner docker-machine plugin)
    # The options can also be omitted if you do not need any.
    machine_options:
      # The Hetzner specific API token
      hetzner-api-token: "TOKENHERE"
      # The image that should be used for new machines
      hetzner-image: "debian-10"
      # The server type (the hardware configuration) to use for a new machine
      hetzner-server-type: "cx11"
      # The server location to use for a new machine
      hetzner-server-location: "fsn1"
    # S3 Runner cache configuration to improve performance between runs
    # (see https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching)
    # The options can also be omitted if you do not want to configure a cache
    cache_s3:
      server: s3.example.com
      access_key: ""
      secret_key: ""
      bucket: "runner"
--- a/roles/gitlab_runner/meta/main.yml
+++ b/roles/gitlab_runner/meta/main.yml
@ -1,43 +0,0 @@
 galaxy_info:
  author: saibotk
  description: "Deploys a gitlab-runner using Docker."
  license: GPL-3.0-only
  min_ansible_version: "2.9"
  standalone: true
  platforms:
    - name: EL
      versions:
        - all
    - name: GenericUNIX
      versions:
        - all
    - name: Fedora
      versions:
        - all
    - name: opensuse
      versions:
        - all
    - name: GenericBSD
      versions:
        - all
    - name: FreeBSD
      versions:
        - all
    - name: Ubuntu
      versions:
        - all
    - name: SLES
      versions:
        - all
    - name: GenericLinux
      versions:
        - all
    - name: Debian
      versions:
        - all
  galaxy_tags: []
 dependencies:
  - role: docker
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@ -1,86 +0,0 @@
 ---
 # Tasks file for the gitlab_runner role
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Alexander Wellbrock
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 - name: Update default SELinux contexts
  community.general.sefcontext:
    target: "{{ item }}(/.*)?"
    setype: "container_file_t"
    state: present
  with_items:
    - "{{ gitlab_runner_config_location }}"
    - "{{ gitlab_runner_extra_paths }}"
  when:
    - gitlab_runner_selinux_enabled
  become: true
 - name: Create install directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
  with_items:
    - "{{ gitlab_runner_install_location }}"
  become: true
 - name: Create config directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
    owner: "root"
    group: "root"
    setype: "container_file_t"
  with_items:
    - "{{ gitlab_runner_config_location }}"
    - "{{ gitlab_runner_extra_paths }}"
  become: true
 - name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml
    dest: "{{ gitlab_runner_install_location }}/docker-compose.yml"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: docker compose -f %s config -q
  tags:
    - docker
  become: true
 - name: Deploy config.toml for gitlab-runner
  ansible.builtin.template:
    src: config.toml
    dest: "{{ gitlab_runner_config_location }}/config.toml"
    mode: "0600"
    owner: "root"
    group: "root"
  become: true
 - name: Compose gitlab-runner
  community.docker.docker_compose_v2:
    state: present
    project_src: "{{ gitlab_runner_install_location }}"
    pull: always
    remove_orphans: true
  tags:
    - gitlab-runner
  become: true
--- a/roles/gitlab_runner/templates/config.toml
+++ b/roles/gitlab_runner/templates/config.toml
@ -1,63 +0,0 @@
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 # Copyright (C) 2020       Saibotk
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 concurrent = {{ gitlab_runner_concurrent }}
 check_interval = {{ gitlab_runner_check_interval }}
 {% for gitlabrunner in gitlab_runner_runners %}
 [[runners]]
  name = "{{ gitlabrunner.name }}"
  limit = {{ gitlabrunner.limit | default(1) }}
  url = "{{ gitlabrunner.gitlab_url }}"
  token = "{{ gitlabrunner.gitlab_token }}"
  executor = "{{ gitlabrunner.executor }}"
 {% if gitlabrunner.executor == "docker" or gitlabrunner.executor == "docker+machine" %}
  [runners.docker]
    image = "{{ gitlabrunner.docker_image | default("docker.io/library/docker:stable") }}"
    privileged = {{ gitlabrunner.docker_privileged | bool | lower }}
    volumes = [
      "/cache",
 {% if gitlabrunner.docker_mount_socket %}
      "/var/run/docker.sock:/var/run/docker.sock"
 {% endif %}
    ]
 {% endif %}
 {% if gitlabrunner.executor == "docker+machine" %}
  [runners.machine]
    IdleCount = {{ gitlabrunner.machine_idle_count }}
    IdleTime = {{ gitlabrunner.machine_idle_time }}
    MaxBuilds = {{ gitlabrunner.machine_max_builds }}
    MachineDriver = "{{ gitlabrunner.machine_driver }}"
    MachineName = "{{ gitlabrunner.machine_name }}"
    MachineOptions = [
 {% for key, value in gitlabrunner.machine_options.items() %}
      "{{ key }}={{ value }}",
 {% endfor %}
    ]
 {% endif %}
  [runners.cache]
 {% if gitlabrunner.cache_s3 is defined %}
    Type = "s3"
    Shared = false
    [runners.cache.s3]
      ServerAddress = "{{ gitlabrunner.cache_s3.server }}"
      AccessKey = "{{ gitlabrunner.cache_s3.access_key }}"
      SecretKey = "{{ gitlabrunner.cache_s3.secret_key }}"
      BucketName = "{{ gitlabrunner.cache_s3.bucket }}"
      Insecure = false
 {% endif %}
 {% endfor %}
--- a/roles/gitlab_runner/templates/docker-compose.yml
+++ b/roles/gitlab_runner/templates/docker-compose.yml
@ -1,33 +0,0 @@
 {{ ansible_managed | comment }}
 # Infrastructure
 # Ansible instructions to deploy the infrastructure
 # Copyright (C) 2019-2020  Christoph (Sheogorath) Kern
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 version: '2'
 services:
  runner:
    image: {{ gitlab_runner_image }}:{{ gitlab_runner_image_variant }}
    mem_limit: 128mb
    memswap_limit: 256mb
    volumes:
      - "{{ gitlab_runner_config_location }}:/etc/gitlab-runner"
 {% if gitlab_runner_mount_docker_socket %}
      - "/var/run/docker.sock:/var/run/docker.sock"
 {% endif %}
 {% for item in gitlab_runner_extra_volumes %}
      - "{{item}}"
 {% endfor %}
    restart: always
--- a/roles/hedgedoc/defaults/main.yml
+++ b/roles/hedgedoc/defaults/main.yml
@ -0,0 +1,46 @@
 hedgedoc_install_dir: "/opt/hedgedoc"
 hedgedoc_domain: hedgedoc.example.com
 hedgedoc_containerimage: quay.io/hedgedoc/hedgedoc
 # renovate: depName=quay.io/hedgedoc/hedgedoc
 hedgedoc_image_tag: "1.10.0"
 hedgedoc_postgres_containerimage: docker.io/library/postgres
 # renovate: depName=docker.io/library/postgres
 hedgedoc_postgres_image_tag: "17.2-alpine"
 hedgedoc_selinux_level: "{{ omit }}"
 hedgedoc_postgres_selinux_level: "{{ omit }}"
 hedgedoc_memory_low: 128m
 hedgedoc_memory_high: 0
 hedgedoc_swap_max: -1
 hedgedoc_postgres_memory_low: 128m
 hedgedoc_postgres_memory_high: 0
 hedgedoc_postgres_swap_max: -1
 hedgedoc_postgres_database_password: "{{ lookup('passwordstore', 'hedgedoc.example.com/postgres/hedgedoc_password' + ' create=true length=64') }}"
 # These are only needed for the inital run to setup the hedgedoc database and user. On subsequent runs you can remove these.
 hedgedoc_postgres_environment_vars:
  POSTGRES_DB: "hedgedoc"
  POSTGRES_USER: "hedgedoc"
  POSTGRES_PASSWORD: "{{ hedgedoc_postgres_database_password }}"
 # This is where all application related environment variables are defined.
 # For all possible environment variables look here: https://github.com/hedgedoc/hedgedoc/blob/a110bef68f52c2153eaea9b31bb91ce76cf4822b/docs/content/configuration.md
 # Note: All variables below will automatically be prefixed with "CMD_", eg. "DOMAIN" will automatically become "CMD_DOMAIN".
 hedgedoc_environment_vars:
  DB_DIALECT: postgres
  DB_USERNAME: hedgedoc
  DB_PASSWORD: "{{ hedgedoc_postgres_database_password }}"
  DB_DATABASE: hedgedoc
  DB_HOST: /var/run/postgresql
  ALLOW_FREE_URL: false
  DOMAIN: "{{ hedgedoc_domain }}"
  EMAIL: false
  PROTOCOL_USESSL: true
  URL_ADDPORT: false
  USECDN: true
--- a/roles/hedgedoc/handlers/main.yml
+++ b/roles/hedgedoc/handlers/main.yml
@ -0,0 +1,24 @@
 - name: Apply new SELinux file context to filesystem.
  ansible.builtin.command: "restorecon -irF {{ hedgedoc_install_dir }}"
  become: true
  listen: "hedgedoc selinux context changed"
 - name: Restart hedgedoc service.
  ansible.builtin.systemd:
    state: restarted
    name: hedgedoc.service
    daemon_reload: true
  become: true
  listen:
    - "hedgedoc service changed"
    - "hedgedoc selinux context changed"
 - name: Restart hedgedoc-postgres service.
  ansible.builtin.systemd:
    state: restarted
    name: hedgedoc-postgres.service
    daemon_reload: true
  become: true
  listen:
    - "hedgedoc postgres service changed"
    - "hedgedoc selinux context changed"
--- a/roles/hedgedoc/meta/main.yml
+++ b/roles/hedgedoc/meta/main.yml
@ -0,0 +1,20 @@
 galaxy_info:
  author: saibotk
  description: Deploy hedgedoc with podman and systemd.
  issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
  license: GPL-3.0-only
  min_ansible_version: "2.10"
  platforms:
    - name: Fedora
      versions:
        - "41"
  standalone: true
  galaxy_tags: []
 dependencies: []
--- a/roles/hedgedoc/tasks/main.yml
+++ b/roles/hedgedoc/tasks/main.yml
@ -0,0 +1,140 @@
 - name: Update default SELinux contexts
  community.general.sefcontext:
    target: "{{ item.target }}"
    setype: "container_file_t"
    selevel: "{{ item.selevel }}"
    state: present
  loop:
    - target: "{{ hedgedoc_install_dir }}/uploads(/.*)?"
      selevel: "{{ hedgedoc_selinux_level }}"
    - target: "{{ hedgedoc_install_dir }}/postgres(/.*)?"
      selevel: "{{ hedgedoc_postgres_selinux_level }}"
  become: true
  notify: "hedgedoc selinux context changed"
 - name: Create hedgedoc directories.
  ansible.builtin.file:
    path: "{{ hedgedoc_install_dir }}"
    owner: "root"
    group: "root"
    mode: "0700"
    state: directory
  become: true
 - name: Ensure hedgedoc data directories exist.
  block:
    - name: Stat hedgedoc uploads dir.
      ansible.builtin.stat:
        path: "{{ hedgedoc_install_dir }}/uploads"
      become: true
      register: hedgedoc_stat_uploads_dir
    - name: Stat hedgedoc postgres dir.
      ansible.builtin.stat:
        path: "{{ hedgedoc_install_dir }}/postgres"
      become: true
      register: hedgedoc_stat_postgres_dir
    - name: Create hedgedoc data directories.
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        mode: "0700"
        owner: "{{ item.owner }}"
        group: "{{ item.group }}"
      loop:
        - path: "{{ hedgedoc_install_dir }}/uploads"
          owner: "{{ hedgedoc_stat_uploads_dir.stat.uid | default('root') }}"
          group: "{{ hedgedoc_stat_uploads_dir.stat.gid | default('root') }}"
        - path: "{{ hedgedoc_install_dir }}/postgres"
          owner: "{{ hedgedoc_stat_postgres_dir.stat.uid | default('root') }}"
          group: "{{ hedgedoc_stat_postgres_dir.stat.gid | default('root') }}"
      become: true
 - name: Deploy hedgedoc environment file.
  ansible.builtin.template:
    src: hedgedoc.env.j2
    dest: "{{ hedgedoc_install_dir }}/hedgedoc.env"
    mode: "0600"
    owner: "root"
    group: "root"
  become: true
  notify:
    - "hedgedoc service changed"
 - name: Deploy postgres environment file.
  ansible.builtin.template:
    src: hedgedoc-postgres.env.j2
    dest: "{{ hedgedoc_install_dir }}/hedgedoc-postgres.env"
    mode: "0600"
    owner: "root"
    group: "root"
  become: true
  notify:
    - "hedgedoc postgres service changed"
 - name: Add caddy config file.
  block:
    - name: Check caddy config dir.
      ansible.builtin.stat:
        path: "{{ caddy_install_dir }}/config"
      become: true
      register: caddy_stat_config_dir
    - name: Template caddy config for hedgedoc.
      ansible.builtin.template:
        src: hedgedoc.caddy.j2
        dest: "{{ caddy_install_dir }}/config/hedgedoc.caddy"
        mode: "0600"
        setype: "container_file_t"
        selevel: "{{ caddy_selinux_level }}"
        owner: "{{ caddy_stat_config_dir.stat.uid }}"
        group: "{{ caddy_stat_config_dir.stat.gid }}"
      notify: "caddy config changed"
      become: true
 - name: Create hedgedoc postgres socket volume.
  ansible.builtin.template:
    src: hedgedoc-postgres-socket.volume
    dest: /etc/containers/systemd/hedgedoc-postgres-socket.volume
    owner: "root"
    group: "root"
    mode: "0644"
  become: true
  notify:
    - "hedgedoc service changed"
    - "hedgedoc postgres service changed"
 - name: Create hedgedoc container file.
  ansible.builtin.template:
    src: hedgedoc.container.j2
    dest: /etc/containers/systemd/hedgedoc.container
    owner: "root"
    group: "root"
    mode: "0644"
  become: true
  notify: "hedgedoc service changed"
 - name: Create hedgedoc postgres container file.
  ansible.builtin.template:
    src: hedgedoc-postgres.container.j2
    dest: /etc/containers/systemd/hedgedoc-postgres.container
    owner: "root"
    group: "root"
    mode: "0644"
  become: true
  notify: "hedgedoc postgres service changed"
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers
 - name: Ensure hedgedoc services are started and enabled.
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: "{{ item }}"
    daemon_reload: true
  loop:
    - hedgedoc.service
    - hedgedoc-postgres.service
  become: true
--- a/roles/hedgedoc/templates/hedgedoc-postgres-socket.volume
+++ b/roles/hedgedoc/templates/hedgedoc-postgres-socket.volume
@ -0,0 +1,5 @@
 {{ ansible_managed | comment }}
 [Volume]
 VolumeName = hedgedoc-postgres-socket
--- a/roles/hedgedoc/templates/hedgedoc-postgres.container.j2
+++ b/roles/hedgedoc/templates/hedgedoc-postgres.container.j2
@ -0,0 +1,39 @@
 {{ ansible_managed | comment }}
 [Unit]
 Description = Postgres for hedgedoc
 [Service]
 Restart = always
 RestartSec = 5s
 [Container]
 Image = {{ hedgedoc_postgres_containerimage }}:{{ hedgedoc_postgres_image_tag }}
 ContainerName = hedgedoc-postgres
 # AutoUpdate = registry
 LogDriver = journald
 # NoNewPrivileges = true
 ReadOnly = true
 DropCapability = all
 AddCapability = CHOWN DAC_OVERRIDE SETUID SETGID
 UserNS = auto:size=65535
 {% if hedgedoc_postgres_selinux_level != omit %}
 SecurityLabelLevel = {{ hedgedoc_postgres_selinux_level }}
 {% endif %}
 EnvironmentFile = {{ hedgedoc_install_dir }}/hedgedoc-postgres.env
 Volume = hedgedoc-postgres-socket:/var/run/postgresql:U,z
 Volume = {{ hedgedoc_install_dir }}/postgres:/var/lib/postgresql/data:U
 Tmpfs = /tmp:rw,noexec,nosuid,nodev,size=1m
 PodmanArgs = --memory={{ hedgedoc_postgres_memory_high }}
 PodmanArgs = --memory-swap={{ hedgedoc_postgres_swap_max }}
 PodmanArgs = --memory-reservation={{ hedgedoc_postgres_memory_low }}
 PodmanArgs = --stop-signal=SIGINT
 [Install]
 WantedBy = default.target
--- a/roles/hedgedoc/templates/hedgedoc-postgres.env.j2
+++ b/roles/hedgedoc/templates/hedgedoc-postgres.env.j2
@ -0,0 +1,7 @@
 {{ ansible_managed | comment}}
 {% if hedgedoc_postgres_environment_vars is mapping %}
 {% for key, value in hedgedoc_postgres_environment_vars.items() %}
 {{ key }}={{ value }}
 {% endfor %}
 {% endif %}
--- a/roles/hedgedoc/templates/hedgedoc.caddy.j2
+++ b/roles/hedgedoc/templates/hedgedoc.caddy.j2
@ -0,0 +1,24 @@
 {{ ansible_managed | comment }}
 {{ hedgedoc_domain }} {
    encode gzip
    header {
        # enable HSTS
        Strict-Transport-Security "max-age=31536000; preload;"
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade
        # Server name removing
        -Server
    }
    reverse_proxy hedgedoc:3000
 }
--- a/Show more
+++ b/Show more