update(lego): bump version to 4.20.4

README.md

@@ -5,18 +5,21 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
 
-- [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
+- DEPRECATED: [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
   a popular (distributed) search and analytics engine, mostly known by it's
   letter "E" in the ELK-stack.
+  This role has been moved to the `finallycoffee.databases.elasticsearch` ansible collection.
 
 - [`git`](roles/git/README.md): configures git on the target system
 
 - [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
 
-- [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go]](https://github.com/go-acme/lego),
+- [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go)](https://github.com/go-acme/lego),
   a ACME client written in go, using systemd (timers). Multi-instance capable.
 
-- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
+- DEPRECATED: [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/),
+  one of the world's most popular open source relational database.
+  Moved to `finallycoffee.databases.mariadb`.
 
 - [`minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
   s3-compatible object storage server, using docker containers.

galaxy.yml

@@ -1,14 +1,20 @@
 namespace: finallycoffee
 name: base
-version: 0.1.1
+version: 0.1.3
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
 description: Roles for base services which are common dependencies other services like databases
 dependencies:
-  "community.docker": "^1.10.0"
+  "community.docker": "^3.0.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/base
-issues: https://git.finally.coffee/finallycoffee/base/issues
+issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
+tags:
+  - docker
+  - lego
+  - minio
+  - nginx
+  - restic

roles/elasticsearch/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Warn about deprecation and move of role
+  ansible.builtin.debug:
+    msg: >-2
+      This ansible role has been moved to the finallycoffee.databases
+      ansible collection and will no longer be maintained here!
 
 - name: Ensure host directories are present
   file:

roles/lego/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.18.0"
+lego_version: "4.20.4"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"
@@ -58,7 +58,7 @@ lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
 lego_systemd_timer_template: lego.timer.j2
 lego_systemd_timer_calendar: "*-*-* *:00/15:00"
 
-lego_architecture: "amd64"
+lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
 lego_os: "linux"
 lego_binary_allow_net_bind_service: false
 

roles/mariadb/defaults/main.yml

@@ -1,8 +1,9 @@
 ---
-
 mariadb_version: "10.11.9"
 mariadb_base_path: /var/lib/mariadb
-mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
+mariadb_data_path: >-2
+  {{ mariadb_base_path }}/{{ mariadb_version | split('.') | first }}
+mariadb_state: present
 
 mariadb_root_password: ~
 mariadb_database: ~
@@ -13,10 +14,24 @@ mariadb_container_base_environment:
   MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
 mariadb_container_extra_environment: {}
 
-mariadb_container_name: mariadb
+mariadb_container_image_registry: docker.io
-mariadb_container_image_name: docker.io/mariadb
+mariadb_container_image_namespace: ~
+mariadb_container_image_name: mariadb
 mariadb_container_image_tag: ~
-mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
+mariadb_container_image: >-2
+  {{
+    ([
+      mariadb_container_image_registry | default([], true),
+      mariadb_container_image_namespace | default([], true),
+      mariadb_container_image_name,
+    ] | flatten | join('/'))
+    + ':' + mariadb_container_image_tag | default(mariadb_version, true)
+  }}
+mariadb_container_image_source: pull
+mariadb_container_image_force_source: >-2
+  {{ mariadb_container_image_tag | default(false, true) | bool }}
+
+mariadb_container_name: mariadb
 mariadb_container_base_volumes:
   - "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
 mariadb_container_extra_volumes: []
@@ -30,3 +45,5 @@ mariadb_container_environment: >-2
       if (mariadb_database and mariadb_username and mariadb_password)
       else {}, recursive=True)
   | combine(mariadb_container_extra_environment) }}
+mariadb_container_state: >-2
+  {{ (mariadb_state == 'present') | ternary('started', 'absent') }}

roles/mariadb/tasks/main.yml

@@ -1,20 +1,27 @@
 ---
-- name: Ensure mariaDB container image is present on host
+- name: Warn about deprecation
+  ansible.builtin.debug:
+    msg: >-2
+      This ansible role is moved to the finallycoffee.databases collection
+      and will be removed soon!
+
+- name: Ensure mariadb container image '{{ mariadb_container_image }}' is {{ mariadb_state }}
   community.docker.docker_image:
     name: "{{ mariadb_container_image }}"
-    state: present
+    state: "{{ mariadb_state }}"
-    source: pull
+    source: "{{ mariadb_container_image_source }}"
+    force_source: "{{ mariadb_container_image_force_source }}"
 
-- name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
+- name: Ensure mariadb container '{{ mariadb_container_name }}' is {{ mariadb_container_state }}
   community.docker.docker_container:
     name: "{{ mariadb_container_name }}"
     image: "{{ mariadb_container_image }}"
     env: "{{ mariadb_container_environment }}"
-    ports: "{{ mariadb_container_ports }}"
+    ports: "{{ mariadb_container_ports | default(omit, true) }}"
-    labels: "{{ mariadb_container_labels }}"
+    labels: "{{ mariadb_container_labels | default(omit, true) }}"
     volumes: "{{ mariadb_container_volumes }}"
     networks: "{{ mariadb_container_networks | default(omit, true) }}"
     etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
     purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
     restart_policy: "{{ mariadb_container_restart_policy }}"
-    state: started
+    state: "{{ mariadb_container_state }}"

roles/nginx/README.md

@@ -26,3 +26,8 @@ For exposing this server to the host and/or internet, the `nginx_container_ports
 from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
 (for label-based routing discovery like traefik) can be used. The options correspond to the arguments
 of the `community.docker.docker_container` module.
+
+## Deployment methods
+
+Set `nginx_deployment_method` to either `docker` or `podman` to use the respective ansible modules for
+creating and managing the container and its image. See all supported methods in `nginx_deployment_methods`.

roles/nginx/defaults/main.yml

@@ -1,9 +1,10 @@
 ---
-
+nginx_version: "1.27.2"
-nginx_version: "1.26.2"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
+nginx_state: present
+nginx_deployment_method: docker
 
 nginx_container_name: nginx
 nginx_container_image_reference: >-
@@ -26,6 +27,9 @@ nginx_container_image_repository: >-
 nginx_container_image_registry: "docker.io"
 nginx_container_image_name: "nginx"
 nginx_container_image_tag: ~
+nginx_container_image_source: pull
+nginx_container_state: >-2
+  {{ (nginx_state == 'present') | ternary('started', 'absent') }}
 
 nginx_container_restart_policy: "unless-stopped"
 nginx_container_volumes:

roles/nginx/meta/main.yml

@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: nginx
+  description: Deploy nginx, a webserver
+  galaxy_tags:
+    - nginx
+    - http
+    - webserver
+    - docker
+    - podman

roles/nginx/tasks/deploy-docker.yml

@@ -0,0 +1,28 @@
+---
+- name: Ensure docker container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
+  community.docker.docker_image:
+    name: "{{ nginx_container_image_reference }}"
+    state: "{{ nginx_state }}"
+    source: "{{ nginx_container_image_source }}"
+    force_source: >-2
+      {{ nginx_container_image_force_source
+        | default(nginx_container_image_tag | default(false, true)) }}
+  register: nginx_container_image_info
+  until: nginx_container_image_info is success
+  retries: 5
+  delay: 3
+
+- name: Ensure docker container '{{ nginx_container_name }}' is {{ nginx_container_state }}
+  community.docker.docker_container:
+    name: "{{ nginx_container_name }}"
+    image: "{{ nginx_container_image_reference }}"
+    env: "{{ nginx_container_env | default(omit, true) }}"
+    user: "{{ nginx_container_user | default(omit, true) }}"
+    ports: "{{ nginx_container_ports | default(omit, true) }}"
+    labels: "{{ nginx_container_labels | default(omit, true) }}"
+    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
+    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
+    networks: "{{ nginx_container_networks | default(omit, true) }}"
+    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
+    restart_policy: "{{ nginx_container_restart_policy }}"
+    state: "{{ nginx_container_state }}"

roles/nginx/tasks/deploy-podman.yml

@@ -0,0 +1,27 @@
+---
+- name: Ensure container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
+  containers.podman.podman_image:
+    name: "{{ nginx_container_image_reference }}"
+    state: "{{ nginx_state }}"
+    pull: "{{ nginx_container_image_source == 'pull' }}"
+    force: >-2
+      {{ nginx_container_image_force_source
+        | default(nginx_container_image_tag | default(false, true)) }}
+  register: nginx_container_image_info
+  until: nginx_container_image_info is success
+  retries: 5
+  delay: 3
+
+- name: Ensure container '{{ nginx_container_name }}' is {{ nginx_container_state }}
+  containers.podman.podman_container:
+    name: "{{ nginx_container_name }}"
+    image: "{{ nginx_container_image_reference }}"
+    env: "{{ nginx_container_env | default(omit, true) }}"
+    user: "{{ nginx_container_user | default(omit, true) }}"
+    ports: "{{ nginx_container_ports | default(omit, true) }}"
+    labels: "{{ nginx_container_labels | default(omit, true) }}"
+    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
+    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
+    network: "{{ nginx_container_networks | default(omit, true) }}"
+    restart_policy: "{{ nginx_container_restart_policy }}"
+    state: "{{ nginx_container_state }}"

roles/nginx/tasks/main.yml

@@ -1,10 +1,30 @@
 ---
+- name: Check if state is supported
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported state '{{ nginx_state }}'. Supported
+      states are {{ nginx_states | join(', ') }}.
+  when: nginx_state not in nginx_states
 
-- name: Ensure base path '{{ nginx_base_path }}' exists
+- name: Check if deployment_method is supported
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported state '{{ nginx_deployment_method }}'. Supported
+      states are {{ nginx_deployment_methods | join(', ') }}.
+  when: nginx_deployment_method not in nginx_deployment_methods
+
+- name: Ensure nginx config file is {{ nginx_state }}
+  ansible.builtin.file:
+    path: "{{ nginx_config_file }}"
+    state: "{{ nginx_state }}"
+  when: nginx_state == 'absent'
+
+- name: Ensure base path '{{ nginx_base_path }}' is {{ nginx_state }}
   ansible.builtin.file:
     path: "{{ nginx_base_path }}"
-    state: directory
+    mode: "0755"
-    mode: 0755
+    state: >-2
+      {{ (nginx_state == 'present') | ternary('directory', 'absent') }}
 
 - name: Ensure nginx config file is templated
   ansible.builtin.copy:
@@ -13,25 +33,8 @@
     mode: 0640
   notify:
     - restart-nginx
+  when: nginx_state == 'present'
 
-- name: Ensure docker container image is present
+- name: Deploy using {{ nginx_deployment_method }}
-  community.docker.docker_image:
+  ansible.builtin.include_tasks:
-    name: "{{ nginx_container_image_reference }}"
+    file: "deploy-{{ nginx_deployment_method }}.yml"
-    state: present
-    source: pull
-    force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
-
-- name: Ensure docker container '{{ nginx_container_name }}' is running
-  community.docker.docker_container:
-    name: "{{ nginx_container_name }}"
-    image: "{{ nginx_container_image_reference }}"
-    env: "{{ nginx_container_env | default(omit, true) }}"
-    user: "{{ nginx_container_user | default(omit, true) }}"
-    ports: "{{ nginx_container_ports | default(omit, true) }}"
-    labels: "{{ nginx_container_labels | default(omit, true) }}"
-    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
-    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
-    networks: "{{ nginx_container_networks | default(omit, true) }}"
-    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
-    restart_policy: "{{ nginx_container_restart_policy }}"
-    state: started

roles/nginx/vars/main.yml

@@ -0,0 +1,7 @@
+---
+nginx_states:
+  - present
+  - absent
+nginx_deployment_methods:
+  - docker
+  - podman

roles/powerdns_tsig_key/README.md

@@ -21,5 +21,5 @@ The usage example below assumes `powerdns` is running in a container named `powe
         powerdns_tsig_key_container_name: 'powerdns'
 ```
 
-> [!INFO]
+> [!NOTE]
 > Support for non-docker deployments is pending.