fix: capture exit code instead of std-out

README.md

@@ -5,8 +5,6 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
 
-- [`caddy`](roles/caddy/README.md): configures and runs caddy
-
 - [`git`](roles/git/README.md): configures git on the target system
 
 - [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: base
-version: 0.4.0
+version: 0.3.0
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@@ -8,9 +8,8 @@ description: >-2
   Roles for base services which are core functionality like managing packages
   and ssh or common dependencies other services like databases
 dependencies:
-  "community.docker": "^4.7.0"
+  "community.docker": "^4.2.0"
-  "community.general": "^11.1.2"
+  "community.general": "^10.0.0"
-  "containers.podman": "^1.17.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
@@ -24,7 +23,5 @@ tags:
   - lego
   - minio
   - nginx
-  - caddy
   - restic
   - user_management
-  - openldap

playbooks/caddy.yml

@@ -1,7 +0,0 @@
----
-- name: Install and configure caddy
-  hosts: "{{ caddy_hosts | default('caddy') }}"
-  become: "{{ caddy_become | default(false) }}"
-  gather_facts: "{{ caddy_gather_facts | default(false) }}"
-  roles:
-    - role: finallycoffee.base.caddy

playbooks/caddy_reverse_proxy.yml

@@ -1,24 +0,0 @@
----
-- name: Ensure reverse proxy configuration is created
-  hosts: "{{ target_hosts }}"
-  become: "{{ target_become | default(false) }}"
-  gather_facts: "{{ target_gather_facts | default(false) }}"
-  roles:
-    - role: finallycoffee.base.caddy_site
-  vars:
-    caddy_site_cert_basepath: >-2
-      {{ caddy_site_tls_store | default('/tls') }}/{{ caddy_site_name }}/certificates/{{ caddy_site_name }}
-    caddy_site_config: |+2
-      https://{{ caddy_site_name }} {
-          tls {{ caddy_site_cert_basepath}}.crt {{ caddy_site_cert_basepath }}.key
-          header {
-              Strict-Transport-Security "max-age=31536000"
-          }
-          encode zstd gzip
-          reverse_proxy {{ caddy_reverse_proxy_backend_addr | mandatory }} {
-            {% if caddy_reverse_proxy_import_proxyheaders | default(true, true) -%}
-            import proxyheaders
-            {%- endif +%}
-          }
-      }
-

playbooks/ldap.yml

@@ -1,109 +0,0 @@
----
-- name: Configure LDAP directory information tree
-  hosts: "{{ ldap_hosts | default('ldap') }}"
-  become: "{{ ldap_become | default(false) }}"
-  gather_facts: "{{ ldap_gather_facts | default(false) }}"
-  vars:
-    _state: "{{ ldap_state | default('present') }}"
-    _ldap_bind_info: &ldap_bind_info
-      server_uri: "{{ ldap_server_uri }}"
-      bind_dn: "{{ ldap_bind_dn }}"
-      bind_pw: "{{ ldap_bind_pw }}"
-  roles:
-    # Ensure all defaults from openldap role are in scope
-    - role: finallycoffee.base.openldap
-      when: false
-  tasks:
-    - name: Ensure org units in '{{ ldap_base_dn }}' are {{ _state }}
-      community.general.ldap_entry:
-        <<: *ldap_bind_info
-        dn: "ou={{ org_unit }},{{ ldap_base_dn }}"
-        objectClass: "organizationalUnit"
-        state: "{{ _state }}"
-      loop: "{{ ldap_org_units | default([], true) }}"
-      loop_control:
-        loop_var: org_unit
-
-    - name: Ensure admin user is {{ _state }}
-      community.general.ldap_entry:
-        <<: *ldap_bind_info
-        dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
-        objectClass: "{{ ldap_admin_user_object_classes }}"
-        attributes: "{{ ldap_admin_user_attributes }}"
-        state: "{{ _state }}"
-      vars:
-        ldap_admin_user_base: >-2
-          {{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
-      when: ldap_admin_user_rdn is defined
-
-    - name: Ensure admin user attributes are correct
-      community.general.ldap_attrs:
-        <<: *ldap_bind_info
-        dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
-        attributes: "{{ ldap_admin_user_attributes }}"
-        state: "{{ _state }}"
-      vars:
-        ldap_admin_user_base: >-2
-          {{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
-      when:
-        - ldap_admin_user_rdn is defined
-        - _state == 'present'
-
-    - name: Ensure ldap groups are {{ _state }}
-      community.general.ldap_entry:
-        <<: *ldap_bind_info
-        dn: "{{ _ldap_group_dn }}"
-        objectClass: "{{ _ldap_group_object_classes }}"
-        attributes: "{{ _ldap_group_attributes }}"
-        state: "{{ _state }}"
-      vars:
-        _ldap_group_dn: >-2
-          cn={{ _ldap_group.name }},{{ ldap_group_base_dn }}
-        _ldap_group_object_classes:
-          - "groupOfNames"
-        _ldap_group_attributes:
-          cn: "{{ _ldap_group.name }}"
-          member: >-2
-            {{ _ldap_group.members | default([]) }}
-      loop: "{{ ldap_groups | default([], true) }}"
-      loop_control:
-        loop_var: _ldap_group
-        label: "{{ _ldap_group.name }}"
-      when:
-        - ldap_groups is defined
-        - ldap_group_base_dn is defined
-
-    - name: Ensure service accounts are {{ _state }}
-      community.general.ldap_entry:
-        <<: *ldap_bind_info
-        dn: "{{ _ldap_service_account_dn }}"
-        objectClass: "{{ _ldap_service_account_object_classes }}"
-        attributes: "{{ _ldap_service_account_attributes }}"
-        state: "{{ _state }}"
-      loop: &ldap_service_account_loop "{{ ldap_service_accounts | default([]) }}"
-      loop_control: &ldap_service_account_loop_control
-        loop_var: "_ldap_service_account"
-        label: "{{ _ldap_service_account.name }}"
-      vars: &ldap_service_account_vars
-        _ldap_service_account_dn: >-2
-          uid={{ _ldap_service_account.name }},{{ ldap_service_account_base_dn }}
-        _ldap_service_account_object_classes:
-          - "account"
-          - "simpleSecurityObject"
-        _ldap_service_account_attributes:
-          uid: "{{ _ldap_service_account.name }}"
-          userPassword: "{{ _ldap_service_account.password }}"
-      when: &ldap_service_account_when
-        - ldap_service_accounts is defined
-        - ldap_service_account_base_dn is defined
-
-    - name: Ensure service accounts attributes are correct
-      community.general.ldap_attrs:
-        <<: *ldap_bind_info
-        dn: "{{ _ldap_service_account_dn }}"
-        attributes: "{{ _ldap_service_account_attributes }}"
-        state: exact
-      loop: *ldap_service_account_loop
-      loop_control: *ldap_service_account_loop_control
-      vars: *ldap_service_account_vars
-      when: *ldap_service_account_when

playbooks/lego_certificate.yml

@@ -1,85 +0,0 @@
----
-- name: Populate DNS, acquire TSIG key and obtain certificate
-  hosts: "{{ target_hosts | default('all') }}"
-  become: "{{ target_become | default(true) }}"
-  gather_facts: "{{ target_gather_facts | default(false) }}"
-  pre_tasks:
-    - name: Build target dns records
-      ansible.builtin.set_fact:
-        target_dns_records: "{{ target_dns_records + [ _dns_record ] }}"
-      vars:
-        _dns_record:
-          type: "CNAME"
-          name: "_acme-challenge.{{ _domain }}."
-          content: "{{ target_tsig_key_name }}.{{ target_acme_zone }}."
-      loop: "{{ target_domains }}"
-      loop_control:
-        loop_var: "_domain"
-    - name: Populate dns_server if not given
-      ansible.builtin.set_fact:
-        dns_server: "{{ target_dns_server }}"
-      when: dns_server is not defined
-  roles:
-    - role: finallycoffee.base.dns
-      vars:
-        dns_records: "{{ target_dns_records + target_dns_additional_records }}"
-        dns_tsig_name: "{{ target_dns_tsig_key.name }}"
-        dns_tsig_algo: "{{ target_dns_tsig_key.algorithm }}"
-        dns_tsig_key: "{{target_dns_tsig_key.key }}"
-      delegate_to: localhost
-    - role: finallycoffee.base.powerdns_tsig_key
-      vars:
-        powerdns_tsig_key_algo: "{{ target_powerdns_tsig_key_algo }}"
-        powerdns_tsig_key_name: "{{ target_tsig_key_name }}"
-        powerdns_tsig_key_path: "{{ target_tsig_key_path }}"
-        powerdns_tsig_key_path_owner: "{{ target_acme_user }}"
-        powerdns_tsig_key_path_group: "{{ target_acme_group }}"
-    - role: finallycoffee.base.lego
-      vars:
-        lego_instance: "{{ target_lego_instance }}"
-        lego_instance_base_path: "{{ target_lego_instance_base_path }}"
-        lego_environment: "{{ target_lego_environment }}"
-        lego_cert_domains: "{{ target_lego_domains }}"
-        lego_acme_account_email: "{{ target_acme_account_email }}"
-        lego_acme_challenge_type: "{{ target_lego_acme_challenge_type }}"
-        lego_acme_challenge_provider: "{{ target_lego_acme_challenge_provider }}"
-        lego_acme_server_url: "{{ target_lego_acme_server_url }}"
-  vars:
-    target_domains: []
-    target_acme_zone: ~
-    target_acme_account_email: ~
-    target_dns_server: ~
-    target_dns_additional_records: []
-    target_dns_tsig_key: {}
-    target_lego_instance: "{{ target_domains | first }}"
-    target_lego_instance_base_path: "/opt/acme"
-    target_lego_domains: "{{ target_domains }}"
-    target_lego_acme_challenge_type: "dns"
-    target_lego_acme_challenge_provider: "rfc2136"
-    target_lego_acme_server_url: >-2
-      {{ lego_letsencrypt_server_urls.prod }}
-    target_lego_environment:
-      RFC2136_TSIG_KEY: "{{ target_tsig_key_name }}"
-      RFC2136_TSIG_SECRET_FILE: "{{ target_tsig_key_path }}"
-      RFC2136_TSIG_ALGORITHM: "{{ target_powerdns_tsig_key_algo }}"
-      RFC2136_NAMESERVER: "{{ target_dns_server }}"
-      RFC2136_DNS_TIMEOUT: 15
-      RFC2136_TTL: 60
-      RFC2136_SEQUENCE_INTERVAL: 5
-      RFC2136_POLLING_INTERVAL: 10
-      RFC2136_PROPAGATION_TIMEOUT: >-2
-        {{ (target_lego_domains | length * 120) | int }}
-      LEGO_EXPERIMENTAL_CNAME_SUPPORT: "true"
-    target_tsig_key_name: "{{ target_lego_instance | hash('sha1') }}"
-    target_tsig_key_path: >-2
-      {{ target_lego_instance_base_path }}/{{ target_lego_instance }}/secrets/rfc2136_tsig.key
-    target_tsig_key_path_owner:
-    target_tsig_key_path_group:
-    target_acme_user: "acme-{{ target_lego_instance }}"
-    target_acme_user_id: >-2
-      {{ powerdns_tsig_key_path_owner_info.uid }}
-    target_acme_group: "acme-{{ target_lego_instance }}"
-    target_acme_group_id: >-2
-      {{ powerdns_tsig_key_path_owner_info.gid }}
-    target_powerdns_tsig_key_algo: "hmac-sha256"
-    target_dns_records: []

playbooks/openldap.yml

@@ -1,7 +0,0 @@
----
-- name: Deploy and configure openLDAP
-  hosts: "{{ openldap_hosts | default('openldap', true) }}"
-  become: "{{ openldap_become | default(true) }}"
-  gather_facts: "{{ openldap_playbook_gather_facts | default(false) }}"
-  roles:
-    - role: finallycoffee.base.openldap

roles/caddy/README.md

@@ -1,10 +0,0 @@
-# `finallycoffee.base.caddy` ansible role
-
-Deploy a (pre-)configure [caddy v2](https://caddyserver.com) web
-server / proxy using ansible.
-
-## Configuration
-
-To change the default configuration of reading all files from
-`/etc/caddy/sites.d/` (see `caddy_dynamic_config_dir`), specify
-your desired configuration in `caddy_config`.

roles/caddy/defaults/main/config.yml

@@ -1,23 +0,0 @@
----
-caddy_config: |+2
-  {
-        auto_https disable_redirects
-  }
-
-  (proxyheaders) {
-      header_up X-Forwarded-Ssl on
-      header_up Host {host}
-      header_up X-Real-IP {remote}
-      header_up X-Forwarded-For {remote}
-      # header_up X-Forwarded-Port {port}
-      header_up X-Forwarded-Proto {scheme}
-      header_up X-Url-Scheme {scheme}
-      header_up X-Forwarded-Host {host}
-  }
-  
-  # Import all configurations
-  import {{ caddy_dynamic_configs_dir }}/*/Caddyfile
-  
-  :80 {
-      redir /  https://{host}{uri} 301
-  }

roles/caddy/defaults/main/container.yml

@@ -1,43 +0,0 @@
----
-caddy_container_image_registry: "docker.io"
-caddy_container_image_namespace: "library"
-caddy_container_image_repository: "caddy"
-caddy_container_image_name: >-2
-  {{ [
-    caddy_container_image_registry | default([], true),
-    caddy_container_image_namespace | default([], true),
-    caddy_container_image_repository
-  ] | flatten | join('/') }}
-
-caddy_container_image_tag: ~
-caddy_container_image: >-2
-  {{ [
-    caddy_container_image_name,
-    caddy_container_image_tag | default(caddy_version, true)
-  ] | join(':') }}
-caddy_container_image_source: "pull"
-caddy_container_image_force_source: >-2
-  {{ caddy_container_image_tag | ansible.builtin.type_debug != 'NoneType' }}
-caddy_container_image_state: "{{ caddy_state }}"
-
-caddy_container_name: "caddy"
-caddy_container_env: ~
-caddy_container_ports: ~
-caddy_container_user: ~
-caddy_container_labels: ~
-caddy_container_volumes: ~
-caddy_container_config_dir: "/etc/caddy"
-caddy_container_default_volumes:
-  - "{{ caddy_config_dir }}:{{ caddy_container_config_dir }}:ro"
-  - "{{ caddy_dynamic_configs_dir }}:{{ caddy_dynamic_configs_dir }}:ro"
-  - "{{ caddy_config_internal_dir }}:/config:rw"
-  - "{{ caddy_state_dir }}:/data:rw"
-caddy_container_all_volumes: >-2
-  {{ caddy_container_default_volumes | default([], true)
-  + caddy_container_volumes | default([], true) }}
-caddy_container_state: >-2
-  {{ (caddy_state == 'present') | ternary('started', 'absent') }}
-caddy_container_restart_policy: "on-failure"
-caddy_container_networks: ~
-caddy_container_network_mode: ~
-caddy_container_etc_hosts: ~

roles/caddy/defaults/main/main.yml

@@ -1,11 +0,0 @@
----
-caddy_user: "caddy"
-caddy_version: "2.10.2"
-caddy_config_file: "/etc/caddy/Caddyfile"
-caddy_config_dir: "{{ caddy_config_file | ansible.builtin.dirname }}"
-caddy_config_internal_dir: "{{ caddy_config_dir }}/config"
-caddy_dynamic_configs_dir: "{{ caddy_config_dir }}/sites.d"
-caddy_state_dir: "/var/lib/caddy"
-
-caddy_state: "present"
-caddy_deployment_method: "docker"

roles/caddy/defaults/main/user.yml

@@ -1,7 +0,0 @@
----
-caddy_user_state: "{{ caddy_state }}"
-caddy_user_system: true
-caddy_user_create_home: false
-
-caddy_run_uid: "{{ caddy_user_info.uid | default(caddy_user) }}"
-caddy_run_gid: "{{ caddy_user_info.group | default(caddy_user) }}"

roles/caddy/meta/main.yml

@@ -1,13 +0,0 @@
----
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: caddy
-  description: Deploy caddy, a webserver
-  galaxy_tags:
-    - caddy
-    - zerossl
-    - http
-    - webserver
-    - docker
-    - podman

roles/caddy/tasks/deploy-docker.yml

@@ -1,26 +0,0 @@
----
-- name: Ensure container image '{{ caddy_container_image }}' is {{ caddy_container_image_state }}
-  community.docker.docker_image:
-    name: "{{ caddy_container_image }}"
-    state: "{{ caddy_container_image_state }}"
-    source: "{{ caddy_container_image_source }}"
-    force_source: "{{ caddy_container_image_force_source }}"
-  register: caddy_container_image_info
-  until: caddy_container_image_info is success
-  retries: 10
-  delay: 3
-
-- name: Ensure container '{{ caddy_container_name }}' is {{ caddy_container_state }}
-  community.docker.docker_container:
-    name: "{{ caddy_container_name }}"
-    image: "{{ caddy_container_image }}"
-    state: "{{ caddy_container_state }}"
-    env: "{{ caddy_container_env | default(omit, true) }}"
-    user: "{{ caddy_container_user | default(omit, true) }}"
-    ports: "{{ caddy_container_ports | default(omit, true) }}"
-    labels: "{{ caddy_container_labels | default(omit, true) }}"
-    volumes: "{{ caddy_container_all_volumes }}"
-    networks: "{{ caddy_container_networks | default(omit, true) }}"
-    etc_hosts: "{{ caddy_container_etc_hosts | default(omit, true) }}"
-    network_mode: "{{ caddy_container_network_mode | default(omit, true) }}"
-    restart_policy: "{{ caddy_container_restart_policy }}"

roles/caddy/tasks/main.yml

@@ -1,52 +0,0 @@
----
-- name: Ensure state '{{ caddy_state }}' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported caddy_state '{{ caddy_state }}'.
-      Supported states are {{ caddy_states | join(', ') }}.
-  when: caddy_state not in caddy_states
-
-- name: Ensure deployment method '{{ caddy_deployment_method }}' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported caddy_deployment_method '{{ caddy_deployment_method }}'.
-      Supported deployment methods are {{ caddy_deployment_methods | join(', ') }}.
-  when: caddy_deployment_method not in caddy_deployment_methods
-
-- name: Ensure caddy user '{{ caddy_user }}' is {{ caddy_user_state }}
-  ansible.builtin.user:
-    name: "{{ caddy_user }}"
-    state: "{{ caddy_user_state }}"
-    system: "{{ caddy_user_system }}"
-    create_home: "{{ caddy_user_create_home }}"
-  register: "caddy_user_info"
-
-- name: Ensure base directories are present
-  ansible.builtin.file:
-    path: "{{ dir.name }}"
-    state: "directory"
-    owner: "{{ dir.owner | default(caddy_run_uid) }}"
-    group: "{{ dir.group | default(caddy_run_uid) }}"
-    mode: "{{ dir.mode | default('0750') }}"
-  when: caddy_state == 'present'
-  loop:
-    - name: "{{ caddy_config_dir }}"
-    - name: "{{ caddy_dynamic_configs_dir }}"
-    - name: "{{ caddy_config_internal_dir }}"
-    - name: "{{ caddy_state_dir }}"
-  loop_control:
-    loop_var: "dir"
-    label: "{{ dir.name }}"
-
-- name: Ensure caddy configuration is up to date
-  ansible.builtin.copy:
-    dest: "{{ caddy_config_file }}"
-    content: "{{ caddy_config }}"
-    owner: "{{ caddy_run_uid }}"
-    group: "{{ caddy_run_gid }}"
-    mode: "0640"
-  when: caddy_state == 'present'
-
-- name: Ensure caddy is deployed using {{ caddy_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ caddy_deployment_method }}.yml"

roles/caddy/vars/main.yml

@@ -1,6 +0,0 @@
----
-caddy_states:
-  - "present"
-  - "absent"
-caddy_deployment_methods:
-  - "docker"

roles/caddy_site/README.md

@@ -1,7 +0,0 @@
-# `finallycoffee.base.caddy_site` ansible role
-
-Provision a single site configuration in caddy.
-
-Set `caddy_site_name` as a unique
-site identifier (needs to be a valid filename) and `caddy_site_config`
-to contain the actual `Caddyfile` contents.

roles/caddy_site/defaults/main.yml

@@ -1,13 +0,0 @@
----
-caddy_site_name: ~
-caddy_site_config: ~
-caddy_site_state: "present"
-
-caddy_site_configs: "/etc/caddy/sites.d"
-caddy_site_config_dir: >-2
-  {{ caddy_site_configs }}/{{ caddy_site_name }}
-caddy_site_config_file: >-2
-  {{ caddy_site_config_dir }}/Caddyfile
-
-caddy_site_owner: "caddy"
-caddy_site_group: "caddy"

roles/caddy_site/meta/main.yml

@@ -1,11 +0,0 @@
----
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: caddy_site
-  description: Deploy a sites' configuration in caddy
-  galaxy_tags:
-    - caddy
-    - zerossl
-    - http
-    - webserver

roles/caddy_site/tasks/main.yml

@@ -1,26 +0,0 @@
----
-- name: Fail if required variables are not populated
-  ansible.builtin.fail:
-    msg: "Either `caddy_site_name` or `caddy_site_config` is not provided"
-  when: >-2
-    (caddy_site_name | ansible.builtin.type_debug == 'NoneType')
-    or
-    (caddy_site_config | ansible.builtin.type_debug == 'NoneType')
-
-- name: Ensure directory for caddy site config '{{ caddy_site_name }}' is {{ caddy_site_state }}
-  ansible.builtin.file:
-    path: "{{ caddy_site_config_dir }}"
-    state: >-2
-      {{ (caddy_site_state == 'present') | ternary('directory', 'absent') }}
-    owner: "{{ caddy_site_owner }}"
-    group: "{{ caddy_site_group }}"
-    mode: "0750"
-
-- name: Ensure caddy site configuration is templated
-  ansible.builtin.copy:
-    dest: "{{ caddy_site_config_file }}"
-    content: "{{ caddy_site_config }}"
-    owner: "{{ caddy_site_owner }}"
-    group: "{{ caddy_site_group }}"
-    mode: "0640"
-  when: caddy_site_state == 'present'

roles/lego/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.30.1"
+lego_version: "4.23.0"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"

roles/lego/files/lego_run.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -euo pipefail
+set -xeuo pipefail
 
 LEGO_BINARY=$(/usr/bin/env which lego)
 
@@ -8,8 +8,11 @@ if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
     echo "nc not found (in PATH), exiting"
     exit 1
   fi
+  set +e
   nc -z 127.0.0.1 $LEGO_HTTP_PORT;
-  if [[ $? -eq 0 ]]; then
+  nc_exit_code=$?;
+  set -e
+  if [[ $nc_exit_code -eq 0 ]]; then
       LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
   fi
 fi

roles/minio/defaults/main/container.yml

@@ -1,7 +1,7 @@
 ---
 minio_container_name: minio
 minio_container_image_name: "docker.io/minio/minio"
-minio_container_image_tag: "RELEASE.2025-10-15T17-29-55Z"
+minio_container_image_tag: "RELEASE.2025-04-22T22-12-26Z"
 minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
 minio_container_networks: []
 minio_container_ports: []

roles/nginx/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-nginx_version: "1.29.4"
+nginx_version: "1.28.0"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"

roles/openldap/README.md

@@ -1,3 +0,0 @@
-# `finallycoffee.base.openldap` ansible role
-
-Deploy and configure [OpenLDAP](https://www.openldap.org/).

roles/openldap/defaults/main/container.yml

@@ -1,61 +0,0 @@
----
-openldap_container_name: "openldap"
-openldap_container_image_registry: docker.finally.coffee
-openldap_container_image_namespace: containers
-openldap_container_image_name: "openldap"
-openldap_container_image_tag: ~
-openldap_container_image_source: "pull"
-openldap_container_image_force_source: >-2
-  {{ openldap_container_image_tag | default(false, true) }}
-openldap_container_image_repository: >-2
-  {{
-    [
-      openldap_container_image_registry | default([], true),
-      openldap_container_image_namespace | default([], true),
-      openldap_container_image_name
-    ] | flatten | join('/')
-  }}
-openldap_container_image: >-2
-  {{
-    [
-      openldap_container_image_repository,
-      openldap_container_image_tag
-        | default(openldap_alpine_package_version, true),
-    ] | join(':')
-  }}
-openldap_container_env: ~
-openldap_container_user: ~
-openldap_container_ports: ~
-openldap_container_labels: ~
-openldap_container_volumes: ~
-openldap_container_networks: ~
-openldap_container_network_mode: ~
-openldap_container_dns_servers: ~
-openldap_container_etc_hosts: ~
-openldap_container_ulimits:
-  - "nofile:{{ openldap_fd_soft_limit }}:{{ openldap_fd_hard_limit }}"
-openldap_container_memory: "256M"
-openldap_container_memory_swap: ~
-openldap_container_memory_reservation: "128M"
-openldap_container_restart_policy: "on-failure"
-openldap_container_state: >-2
-  {{ (openldap_state == 'present') | ternary('started', 'absent') }}
-
-openldap_container_data_path: "{{ openldap_data_path }}"
-openldap_container_config_path: "{{ openldap_config_path }}"
-openldap_container_socket_path: "{{ openldap_socket_path }}"
-openldap_container_base_volumes:
-  - "{{ openldap_config_path }}:{{ openldap_container_config_path }}:Z"
-  - "{{ openldap_data_path }}:{{ openldap_container_data_path }}:rw"
-  - "{{ openldap_socket_path }}:{{ openldap_container_socket_path }}:rw"
-openldap_container_all_volumes: >-2
-  {{ openldap_container_base_volumes | default([], true)
-    + openldap_container_volumes | default([], true) }}
-openldap_init_container_volumes:
-  - "{{ [openldap_slapd_path, openldap_slapd_path, 'ro'] | join(':') }}"
-
-openldap_container_healthcheck:
-  test: >-2
-    [[ $(netstat -plnte | grep slapd | wc -l) -ge 1 ]]
-    && [[ $(ps aux | grep slapd | wc -l) -ge 1 ]]
-    || exit 1

roles/openldap/defaults/main/main.yml

@@ -1,24 +0,0 @@
----
-openldap_version: "2.6.8"
-openldap_alpine_revision: "0"
-openldap_alpine_package_version: >-2
-  v{{ openldap_version }}-r{{ openldap_alpine_revision | string }}
-
-openldap_domain: ~
-openldap_organization: ~
-
-openldap_config_path: "/etc/openldap/"
-openldap_olc_path: "{{ openldap_config_path }}/{0}config"
-openldap_slapd_path: "{{ openldap_config_path }}/slapd.ldif"
-openldap_schema_path: "{{ openldap_config_path }}/schema"
-openldap_data_path: "/var/lib/openldap"
-openldap_socket_path: "/run/openldap"
-openldap_socket: "{{ openldap_socket_path }}/slapd.sock"
-openldap_socket_url: >-2
-  ldapi://{{ openldap_socket | urlencode | replace('/', '%2F') }}
-
-openldap_state: "present"
-openldap_deployment_method: "docker"
-
-openldap_slapadd_init_command: >-2
-  slapadd -v -F {{ openldap_olc_path }} -n 0 -l {{ openldap_slapd_path }}

roles/openldap/defaults/main/openldap.yml

@@ -1,65 +0,0 @@
----
-openldap_dn: >-2
-  dc={{ openldap_domain | regex_replace('\.', ',dc=') }}
-openldap_root_username: "admin"
-openldap_root_pw: ~
-openldap_root_node_object_classes:
-  - "top"
-  - "dcObject"
-  - "organization"
-openldap_root_node_dc: "{{ openldap_domain | regex_replace('\\..+', '') }}"
-openldap_root_node_o: "{{ openldap_organization | default('not set!', true) }}"
-
-openldap_fd_soft_limit: "8192"
-openldap_fd_hard_limit: "8192"
-
-openldap_module_path: "/usr/lib/openldap"
-openldap_modules:
-  - "mdb"
-  - "hdb"
-
-openldap_core_schema_path: "{{ openldap_schema_path }}/core.ldif"
-openldap_enabled_schemas:
-  - name: "cosine"
-  - name: "inetorgperson"
-openldap_additional_schemas: []
-openldap_schemas: >-2
-  {{ openldap_enabled_schemas + openldap_additional_schemas }}
-
-openldap_config_dn: "cn=config"
-openldap_config_db_dn: "olcDatabase={0}config,cn=config"
-openldap_config_db_olc_access:
-  - '{0} to *
-      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
-      by * none'
-openldap_config_attributes: {}
-openldap_config_db_attributes:
-  olcAccess: "{{ openldap_config_db_olc_access }}"
-
-openldap_default_indices:
-  - "objectClass eq"
-openldap_indices: []
-
-openldap_default_database_name: "mdb"
-openldap_default_database_object_class: "olcMdbConfig"
-openldap_default_database_suffix: "{{ openldap_dn }}"
-openldap_default_database_root_dn: >-2
-  cn={{ openldap_root_username }},{{ openldap_default_database_suffix }}
-openldap_default_database_root_pw: "{{ openldap_root_pw }}"
-openldap_default_database_directory: >-2
-  {{ openldap_data_path }}/{{ openldap_default_database_name }}
-openldap_default_database_indices: >-2
-  {{ openldap_default_indices + openldap_indices }}
-openldap_default_database_config: >-2
-  olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_dn }}
-openldap_default_database:
-  name: "{{ openldap_default_database_name }}"
-  object_class: "{{ openldap_default_database_object_class }}"
-  suffix: "{{ openldap_default_database_suffix }}"
-  root_dn: "{{ openldap_default_database_root_dn }}"
-  root_pw: "{{ openldap_default_database_root_pw }}"
-  directory: "{{ openldap_default_database_directory }}"
-  indices: "{{ openldap_default_database_indices }}"
-openldap_default_database_olc_access: "{{ openldap_config_db_olc_access }}"
-openldap_databases:
-  - "{{ openldap_default_database }}" 

roles/openldap/tasks/configure.yml

@@ -1,80 +0,0 @@
----
-- name: Ensure config attributes are configured
-  community.general.ldap_attrs:
-    dn: "{{ openldap_config_dn }}"
-    attributes: "{{ { entry.key : entry.value } }}"
-    state: exact
-    server_uri: "{{ openldap_socket_url }}"
-  loop: "{{ openldap_config_attributes | dict2items }}"
-  loop_control:
-    loop_var: "entry"
-    label: "{{ entry.key }}"
-
-- name: Ensure config db attributes are configured
-  community.general.ldap_attrs:
-    dn: "{{ openldap_config_db_dn }}"
-    attributes: "{{ { entry.key : entry.value } }}"
-    state: exact
-    server_uri: "{{ openldap_socket_url }}"
-  loop: "{{ openldap_config_db_attributes | dict2items }}"
-  loop_control:
-    loop_var: "entry"
-    label: "{{ entry.key }}"
-
-- name: Ensure ACLs for default database are configured
-  community.general.ldap_attrs:
-    dn: "{{ openldap_default_database_config }}"
-    attributes:
-      olcAccess: "{{ openldap_default_database_olc_access }}"
-    state: "exact"
-    server_uri: "{{ openldap_socket_url }}"
-  retries: 3
-  delay: 3
-  register: openldap_acl_result
-  until: openldap_acl_result is succeeded
-
-- name: Ensure LDAP DIT is configured
-  when:
-    - openldap_default_database_root_dn is defined
-    - openldap_default_database_root_pw is defined
-  vars:
-    _meta: &openldap_bind_info
-      bind_dn: "{{ openldap_default_database_root_dn }}"
-      bind_pw: "{{ openldap_default_database_root_pw }}"
-      server_uri: "{{ openldap_socket_url }}"
-  block:
-    - name: Ensure rootDN + credentials are correct
-      community.general.ldap_attrs:
-        dn: "{{ openldap_default_database_config }}"
-        attributes: "{{ {entry.key: entry.value} }}"
-        state: "exact"
-        server_uri: "{{ openldap_socket_url }}"
-      no_log: "{{ entry.log is defined and not entry.log }}"
-      loop:
-        - key: "olcRootDN"
-          value: "{{ openldap_default_database_root_dn }}"
-        - key: "olcRootPW"
-          value: "{{ openldap_default_database_root_pw }}"
-          log: false
-      loop_control:
-        loop_var: "entry"
-        label: "{{ entry.key }}"
-
-    - name: Ensure root node is {{ openldap_state }}
-      community.general.ldap_entry:
-        dn: "{{ openldap_dn }}"
-        objectClass: "{{ openldap_root_node_object_classes }}"
-        attributes:
-          dc: "{{ openldap_root_node_dc }}"
-          o: "{{ openldap_root_node_o }}"
-        <<: *openldap_bind_info
-
-    - name: Ensure root node attributes are up to date
-      community.general.ldap_attrs:
-        dn: "{{ openldap_dn }}"
-        attributes:
-          dc: "{{ openldap_root_node_dc }}"
-          o: "{{ openldap_root_node_o }}"
-        state: exact
-        <<: *openldap_bind_info
-      when: openldap_state == 'present'

roles/openldap/tasks/deploy-docker.yml

@@ -1,25 +0,0 @@
----
-- name: Ensure container '{{ openldap_container_name }}' is {{ openldap_container_state }}
-  community.docker.docker_container:
-    name: "{{ openldap_container_name }}"
-    image: "{{ openldap_container_image }}"
-    env: "{{ openldap_container_env | default(omit, true) }}"
-    user: "{{ openldap_container_user | default(omit, true) }}"
-    ports: "{{ openldap_container_ports | default(omit, true) }}"
-    labels: "{{ openldap_container_labels | default(omit, true) }}"
-    volumes: "{{ openldap_container_all_volumes | default(omit, true) }}"
-    networks: "{{ openldap_container_networks | default(omit, true) }}"
-    network_mode: "{{ openldap_container_network_mode | default(omit, true) }}"
-    dns_servers: "{{ openldap_container_dns_servers | default(omit, true) }}"
-    etc_hosts: "{{ openldap_container_etc_hosts | default(omit, true) }}"
-    command: "{{ openldap_container_command | default(omit, true) }}"
-    ulimits: "{{ openldap_container_ulimits | default(omit, true) }}"
-    memory: "{{ openldap_container_memory | default(omit, true) }}"
-    memory_swap: "{{ openldap_container_memory_swap | default(omit, true) }}"
-    memory_reservation: >-2
-      {{ openldap_container_memory_reservation | default(omit, true) }}
-    restart_policy: >-2
-      {{ openldap_container_restart_policy | default(omit, true) }}
-    healthcheck: "{{ openldap_container_healthcheck | default(omit, true) }}"
-    state: "{{ openldap_container_state }}"
-

roles/openldap/tasks/initialize-docker.yml

@@ -1,37 +0,0 @@
----
-- name: Ensure additional schemas are mapped to container
-  ansible.builtin.set_fact:
-    openldap_init_container_volumes: >-2
-      {{ openldap_init_container_volumes + [ schema_mount ] }}
-  vars:
-    schema_file: "{{ openldap_schema_path }}/{{ schema.name }}.ldif"
-    schema_mount: >-2
-      {{ schema_file }}:{{ schema_file }}:ro
-  loop: "{{ openldap_additional_schemas }}"
-  loop_control:
-    loop_var: "schema"
-    label: "{{ schema.name }}"
-
-- name: Ensure ldap container is initialized
-  community.docker.docker_container:
-    name: "{{ openldap_container_name }}"
-    image: "{{ openldap_container_image }}"
-    env: "{{ openldap_container_env | default(omit, true) }}"
-    user: "{{ openldap_container_user | default(omit, true) }}"
-    ports: "{{ openldap_container_ports | default(omit, true) }}"
-    labels: "{{ openldap_container_labels | default(omit, true) }}"
-    volumes: "{{ openldap_container_merged_volumes | default(omit, true) }}"
-    networks: "{{ openldap_container_networks | default(omit, true) }}"
-    network_mode: "{{ openldap_container_network_mode | default(omit, true) }}"
-    dns_servers: "{{ openldap_container_dns_servers | default(omit, true) }}"
-    etc_hosts: "{{ openldap_container_etc_hosts | default(omit, true) }}"
-    memory: "{{ openldap_container_memory | default(omit, true) }}"
-    memory_swap: "{{ openldap_container_memory_swap | default(omit, true) }}"
-    memory_reservation: >-2
-      {{ openldap_container_memory_reservation | default(omit, true) }}
-    command: "{{ openldap_slapadd_init_command }}"
-    detach: false
-    cleanup: true
-  vars:
-    openldap_container_merged_volumes: >-2
-      {{ openldap_container_all_volumes + openldap_init_container_volumes }}

roles/openldap/tasks/initialize.yml

@@ -1,47 +0,0 @@
----
-- name: Determine if persisted OLC config exists
-  ansible.builtin.stat:
-    path: "{{ openldap_olc_path }}/cn=config"
-  register: openldap_olc_stat_info
-
-- name: Ensure openldap databases are initialized
-  when: not openldap_olc_stat_info.stat.exists
-  block:
-    - name: Ensure initial slapd.ldif is templated
-      ansible.builtin.template:
-        src: "slapd.ldif.j2"
-        dest: "{{ openldap_slapd_path }}"
-        mode: "0644"
-    - name: Ensure additional schemas to install are present
-      ansible.builtin.copy:
-        content: "{{ schema.content }}"
-        dest: "{{ openldap_schema_path }}/{{ schema.name }}.ldif"
-        mode: "0644"
-      loop: "{{ openldap_additional_schemas }}"
-      loop_control:
-        loop_var: "schema"
-        label: "{{ schema.name }}"
-    - name: Ensure db data directory exists
-      ansible.builtin.file:
-        path: "{{ openldap_default_database_directory }}"
-        state: directory
-        mode: "0750"
-    - name: Ensure container is initialized using {{ openldap_deployment_method }}
-      ansible.builtin.include_tasks:
-        file: "initialize-{{ openldap_deployment_method }}.yml"
-  rescue:
-    - name: Ensure temporary schema files are absent
-      ansible.builtin.file:
-        path: "{{ openldap_schema_path }}/{{ file.name }}.ldif"
-        state: absent
-      loop: >-2
-        {{ openldap_additional_schemas }}
-      loop_control:
-        loop_var: "file"
-        label: "{{ file.name }}"
-      ignore_errors: true
-    - name: Ensure intial slapd.ldif file is absent
-      ansible.builtin.file:
-        path: "{{ openldap_slapd_path }}"
-        state: absent
-      ignore_errors: true

roles/openldap/tasks/main.yml

@@ -1,26 +0,0 @@
----
-- name: Check if 'openldap_state' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Invalid state '{{ openldap_state }}'!
-      Supported states are {{ openldap_states | join(', ') }}.
-  when: openldap_state not in openldap_states
-
-- name: Check if 'openldap_deployment_method' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Invalid state '{{ openldap_deployment_method }}'!
-      Supported states are {{ openldap_deployment_methods | join(', ') }}.
-  when: openldap_deployment_method not in openldap_deployment_methods
-
-- name: Ensure openldap deployment is prepared
-  ansible.builtin.include_tasks:
-    file: "prepare-{{ openldap_deployment_method }}.yml"
-
-- name: Ensure openldap is deployed using {{ openldap_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ openldap_deployment_method }}.yml"
-
-- name: Ensure openldap is configured
-  ansible.builtin.include_tasks:
-    file: "configure.yml"

roles/openldap/tasks/prepare-docker.yml

@@ -1,7 +0,0 @@
----
-- name: Ensure container image '{{ openldap_container_image }}' is {{ openldap_state }}
-  community.docker.docker_image:
-    name: "{{ openldap_container_image }}"
-    state: "{{ openldap_state }}"
-    source: "{{ openldap_container_image_source }}"
-    force_source: "{{ openldap_container_image_force_source }}"

roles/openldap/templates/slapd.ldif.j2

@@ -1,64 +0,0 @@
-dn: cn=config
-objectClass: olcGlobal
-cn: config
-olcPidFile: /run/openldap/slapd.pid
-olcArgsFile: /run/openldap/slapd.args
-
-
-# Dynamic backend modules
-dn: cn=module,cn=config
-objectClass: olcModuleList
-cn: module
-olcModulepath: {{ openldap_module_path }}
-{% for mod in openldap_modules | default([]) %}
-olcModuleload: back_{{ mod }}.so
-{% endfor %}
-
-# Schema config
-dn: cn=schema,cn=config
-objectClass: olcSchemaConfig
-cn: schema
-
-include: file://{{ openldap_core_schema_path }}
-{% for schema in openldap_schemas %}
-include: file://{{ openldap_schema_path }}/{{ schema.name }}.ldif
-{% endfor %}
-
-# Frontend settings
-dn: olcDatabase=frontend,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcFrontendConfig
-olcDatabase: frontend
-
-
-# Config-DB settings
-dn: olcDatabase=config,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: config
-{% for attr in openldap_config_db_attributes | dict2items %}
-{% if attr is string %}
-{{ attr.key }}: {{ attr.value }}
-{% else %}
-{% for val in attr.value %}
-{{ attr.key }}: {{ val }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-
-
-# database settings
-{% for db in openldap_databases %}
-dn: olcDatabase={{ db.name }},cn=config
-objectClass: olcDatabaseConfig
-objectClass: {{ db.object_class }}
-olcDatabase: {{ db.name }}
-olcSuffix: {{ db.suffix }}
-olcRootDN: {{ db.root_dn }}
-olcRootPW: {{ db.root_pw }}
-olcDbDirectory: {{ db.directory }}
-{% for idx in db.indices %}
-olcDbIndex: {{ idx }}
-{% endfor %}
-
-
-{% endfor %}

roles/openldap/vars/main.yml

@@ -1,6 +0,0 @@
----
-openldap_states:
-  - "present"
-  - "absent"
-openldap_deployment_methods:
-  - "docker"

roles/powerdns_tsig_key/tasks/main.yml

@@ -41,7 +41,7 @@
       community.docker.docker_container_exec:
         container: "{{ powerdns_tsig_key_container_name }}"
         command: "pdnsutil list-tsig-keys"
-      delegate_to: "{{ powerdns_tsig_key_hostname | default(inventory_hostname) }}"
+      delegate_to: "{{ powerdns_tsig_key_hostname }}"
       register: powerdns_tsig_key_powerdns_info
       changed_when: false
       check_mode: false
@@ -54,7 +54,7 @@
       when: >-
         (powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
         not in powerdns_tsig_key_powerdns_info.stdout
-      delegate_to: "{{ powerdns_tsig_key_hostname | default(inventory_hostname) }}"
+      delegate_to: "{{ powerdns_tsig_key_hostname }}"
       register: powerdns_tsig_key_powerdns_generated_tsig_key
       throttle: 1
       become: true
@@ -67,7 +67,7 @@
       when: >-
         (powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
         not in powerdns_tsig_key_powerdns_info.stdout
-      delegate_to: "{{ powerdns_tsig_key_hostname | default(inventory_hostname) }}"
+      delegate_to: "{{ powerdns_tsig_key_hostname }}"
       throttle: 1
       become: true
 

roles/restic/templates/restic.timer.j2

@@ -4,9 +4,6 @@ Description=Run {{ restic_timer_description | default(restic_job_name) }}
 [Timer]
 OnCalendar={{ restic_policy.frequency }}
 Unit={{ restic_systemd_unit_naming_scheme }}.service
-{% if restic_systemd_timer_randomized_delay_sec %}
-RandomizedDelaySec={{ restic_systemd_timer_randomized_delay_sec }}
-{% endif %}
 
 [Install]
 WantedBy=timers.target