meta: update collection version to 0.1.5, add galaxy tags

README.md

@@ -8,11 +8,26 @@ concise area of concern.
 
 ## Roles
 
-- [`roles/restic-s3`](roles/restic-s3/README.md): Manage backups using restic
-  and persist them to an s3-compatible backend.
+- [`authelia`](roles/authelia/README.md): Deploys an [authelia.com](https://www.authelia.com)
+  instance, an authentication provider with beta OIDC provider support.
 
-- [`roles/minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
-  s3-compatible object storage server, using docker containers.
+- [`ghost`](roles/ghost/README.md): Deploys [ghost.org](https://ghost.org/), a simple to use
+  blogging and publishing platform.
+
+- [`gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a
+  lightweight, self-hosted git service.
+
+- [`hedgedoc`](roles/hedgedoc/README.md): Deploy [hedgedoc](https://hedgedoc.org/),
+  a collaborative real-time markdown editor using websockts
+
+- [`jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org),
+  the free software media system for streaming stored media to any device.
+
+- [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
+  installation using the upstream provided docker-compose setup.
+
+- [`vouch_proxy`](roles/vouch_proxy/README.md): Deploys [vouch-proxy](https://github.com/vouch/vouch-proxy),
+  an authorization proxy for arbitrary webapps working with `nginx`s' `auth_request` module.
 
 ## License
 

galaxy.yml

@@ -1,15 +1,21 @@
 namespace: finallycoffee
 name: services
-version: 0.0.1
+version: 0.1.5
 readme: README.md
 authors:
-- Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu>
+- transcaffeine <transcaffeine@finally.coffee>
 description: Various ansible roles useful for automating infrastructure
 dependencies:
-  "community.docker": "^1.10.0"
-license:
-- CNPLv7+
+  "community.crypto": "^2.0.0"
+  "community.docker": "^3.0.0"
+license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
-repository: https://git.finallycoffee.eu/finallycoffee.eu/services
-issues: https://git.finallycoffee.eu/finallycoffee.eu/services/issues
+repository: https://git.finally.coffee/finallycoffee/services
+issues: https://codeberg.org/finallycoffee/ansible-collection-services/issues
+tags:
+  - authelia
+  - gitea
+  - hedgedoc
+  - jellyfin
+  - docker

meta/runtime.yml

@@ -0,0 +1,3 @@
+---
+
+requires_ansible: ">=2.15"

playbooks/hedgedoc.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and configure hedgedoc
+  hosts: "{{ hedgedoc_hosts | default('hedgedoc') }}"
+  become: "{{ hedgedoc_become | default(true, false) }}"
+  roles:
+    - role: finallycoffee.services.hedgedoc

playbooks/jellyfin.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and configure jellyfin
+  hosts: "{{ jellyfin_hosts | default('jellyfin') }}"
+  become: "{{ jellyfin_become | default(true, false) }}"
+  roles:
+    - role: finallycoffee.services.jellyfin

playbooks/openproject.yml

@@ -0,0 +1,6 @@
+---
+- name: Install openproject
+  hosts: "{{ openproject_hosts | default('openproject') }}"
+  become: "{{ openproject_become | default(true, false) }}"
+  roles:
+    - role: finallycoffee.services.openproject

roles/authelia/README.md

@@ -0,0 +1,74 @@
+# `finallycoffee.services.authelia` ansible role
+
+Deploys [authelia](https://www.authelia.com), an open-source full-featured
+authentication server with OIDC beta support.
+
+## Configuration
+
+Most configurations options are exposed to be overrideable by setting
+`authelia_config_{flat_config_key}`, which means `totp.digits: 8`
+would become `authelia_config_totp_digits: 8`.
+
+If configuration is not exposed in [`defaults/main.yml`](defaults/main.yml),
+it can be overridden in `authelia_extra_config`, which is merged recursively
+to the default config. Entire blocks can currently not be easily overridden,
+it's best to rely on the `authelia_extra_config` here.
+
+Below are some configuration hints towards enabling 2nd factor
+providers like TOTP, WebAuthN etc.
+
+### TOTP
+
+See [the authelia docs on TOTP](https://www.authelia.com/docs/configuration/one-time-password.html#algorithm)
+before adjusting some of the fine-grained configuration, as many
+TOTP clients do not properly support all by-spec supported values.
+
+```yaml
+authelia_config_totp_disable: false
+authelia_config_totp_issuer: "your.authelia.domain"
+# Best to stick to authelias guide here
+authelia_config_totp_algorithm: [...]
+authelia_config_totp_digits: [...]
+authelia_config_totp_period: [...]
+```
+
+### WebAuthN
+
+```yaml
+authelia_config_webauthn_disable: false
+authelia_config_webauthn_timeout: 30s
+# Force user to touch the security key's confirmation button
+authelia_config_webauthn_user_verification: required
+```
+
+For more information about possible WebAuthN configuration, see
+[the authelia docs on WebAuthN](https://www.authelia.com/docs/configuration/webauthn.html).
+
+### Database & Redis
+
+While Authelia can use a sqlite DB with in memory store by setting
+`authelia_sqlite_storage_file_path`, it is recommended to use a proper
+database and a redis instance:
+```yaml
+authelia_database_type: postgres
+authelia_database_host: /var/run/postgres/
+authelia_database_user: authelia
+authelia_database_pass: authelia
+
+# Redis
+authelia_redis_host: /var/run/redis/
+authelia_redis_pass: very_long_static_secret
+
+```
+
+### Notifications
+
+For a test setup, notifications can be written into a config file, this behaviour
+is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world
+use, an SMTP server is strongly recommended, its config is as follows:
+```
+authelia_smtp_host: mail.domain.com
+authelia_smtp_port: 587 # for StartTLS
+authelia_smtp_user: authelia@domain.com
+authelia_smtp_pass: authelia_user_pass
+```

roles/authelia/defaults/main.yml

@@ -0,0 +1,219 @@
+---
+authelia_version: "4.38.16"
+authelia_user: authelia
+authelia_base_dir: /opt/authelia
+authelia_domain: authelia.example.org
+
+authelia_config_dir: "{{ authelia_base_dir }}/config"
+authelia_config_file: "{{ authelia_config_dir }}/config.yaml"
+authelia_data_dir: "{{ authelia_base_dir }}/data"
+authelia_asset_dir: "{{ authelia_base_dir }}/assets"
+authelia_sqlite_storage_file: "{{ authelia_data_dir }}/authelia.sqlite3"
+authelia_notification_storage_file: "{{ authelia_data_dir }}/notifications.txt"
+authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml"
+
+authelia_container_name: authelia
+authelia_container_image_server: docker.io
+authelia_container_image_namespace: authelia
+authelia_container_image_name: authelia
+authelia_container_image: >-2
+  {{
+    [
+      authelia_container_image_server,
+      authelia_container_image_namespace,
+      authelia_container_image_name
+    ] | join('/')
+  }}
+authelia_container_image_tag: ~
+authelia_container_image_ref: >-2
+  {{ authelia_container_image }}:{{ authelia_container_image_tag | default(authelia_version, true) }}
+authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}"
+authelia_container_env:
+  PUID: "{{ authelia_run_user }}"
+  PGID: "{{ authelia_run_group }}"
+authelia_container_labels: >-2
+  {{ authelia_container_base_labels | combine(authelia_container_extra_labels) }}
+authelia_container_extra_labels: {}
+authelia_container_extra_volumes: []
+authelia_container_volumes: >-2
+  {{ authelia_container_base_volumes
+    + authelia_container_extra_volumes }}
+authelia_container_ports: ~
+authelia_container_networks: ~
+authelia_container_purge_networks: ~
+authelia_container_restart_policy: unless-stopped
+authelia_container_state: started
+
+authelia_container_listen_port: 9091
+authelia_tls_minimum_version: TLS1.2
+
+authelia_config_theme: auto
+authelia_config_jwt_secret: ~
+authelia_config_default_redirection_url: ~
+authelia_config_server_host: 0.0.0.0
+authelia_config_server_port: "{{ authelia_container_listen_port }}"
+authelia_config_server_address: >-2
+  {{ authelia_config_server_host }}:{{ authelia_config_server_port }}
+authelia_config_server_path: ""
+authelia_config_server_asset_path: "/config/assets/"
+authelia_config_server_buffers_read: 4096
+authelia_config_server_read_buffer_size: >-2
+  {{ authelia_config_server_buffers_read }}
+authelia_config_server_buffers_write: 4096
+authelia_config_server_write_buffer_size: >-2
+  {{ authelia_config_server_buffers_write }}
+authelia_config_server_endpoints_enable_pprof: true
+authelia_config_server_enable_pprof: >-2
+  {{ authelia_config_server_endpoints_enable_pprof }}
+authelia_config_server_endpoints_enable_expvars: true
+authelia_config_server_enable_expvars: >-2
+  {{ authelia_config_server_endpoints_enable_expvars }}
+authelia_config_server_disable_healthcheck:
+authelia_config_server_tls_key: ~
+authelia_config_server_tls_certificate: ~
+authelia_config_server_tls_client_certificates: []
+authelia_config_server_headers_csp_template: ~
+authelia_config_log_level: info
+authelia_config_log_format: json
+authelia_config_log_file_path: ~
+authelia_config_log_keep_stdout: false
+authelia_config_telemetry_metrics_enabled: false
+authelia_config_telemetry_metrics_address: '0.0.0.0:9959'
+authelia_config_totp_disable: true
+authelia_config_totp_issuer: "{{ authelia_domain }}"
+authelia_config_totp_algorithm: sha1
+authelia_config_totp_digits: 6
+authelia_config_totp_period: 30
+authelia_config_totp_skew: 1
+authelia_config_totp_secret_size: 32
+authelia_config_webauthn_disable: true
+authelia_config_webauthn_timeout: 60s
+authelia_config_webauthn_display_name: "Authelia ({{ authelia_domain }})"
+authelia_config_webauthn_attestation_conveyance_preference: indirect
+authelia_config_webauthn_user_verification: preferred
+authelia_config_duo_api_hostname: ~
+authelia_config_duo_api_integration_key: ~
+authelia_config_duo_api_secret_key: ~
+authelia_config_duo_api_enable_self_enrollment: false
+authelia_config_ntp_address: "time.cloudflare.com:123"
+authelia_config_ntp_version: 4
+authelia_config_ntp_max_desync: 3s
+authelia_config_ntp_disable_startup_check: false
+authelia_config_ntp_disable_failure: false
+authelia_config_authentication_backend_refresh_interval: 5m
+authelia_config_authentication_backend_password_reset_disable: false
+authelia_config_authentication_backend_password_reset_custom_url: ~
+authelia_config_authentication_backend_ldap_implementation: custom
+authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389
+authelia_config_authentication_backend_ldap_timeout: 5s
+authelia_config_authentication_backend_ldap_start_tls: false
+authelia_config_authentication_backend_ldap_tls_skip_verify: false
+authelia_config_authentication_backend_ldap_minimum_version: "{{ authelia_tls_minimum_version }}"
+authelia_config_authentication_backend_ldap_base_dn: ~
+authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users"
+authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))"
+authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups"
+authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})"
+authelia_config_authentication_backend_ldap_attributes_username: uid
+authelia_config_authentication_backend_ldap_username_attribute: >-2
+  {{ authelia_config_authentication_backend_ldap_attributes_username }}
+authelia_config_authentication_backend_ldap_attributes_mail: mail
+authelia_config_authentication_backend_ldap_mail_attribute: >-2
+  {{ authelia_config_authentication_backend_ldap_attributes_mail }}
+authelia_config_authentication_backend_ldap_attributes_display_name: displayName
+authelia_config_authentication_backend_ldap_display_name_attribute: >-2
+  {{ authelia_config_authentication_backend_ldap_attributes_display_name }}
+authelia_config_authentication_backend_ldap_group_name_attribute: cn
+authelia_config_authentication_backend_ldap_attributes_group_name: >-2
+  {{ authelia_config_authentication_backend_ldap_group_name_attribute }}
+authelia_config_authentication_backend_ldap_user: ~
+authelia_config_authentication_backend_ldap_password: ~
+authelia_config_authentication_backend_file_path: ~
+authelia_config_authentication_backend_file_password_algorithm: argon2id
+authelia_config_authentication_backend_file_password_iterations: 5
+authelia_config_authentication_backend_file_password_key_length: 32
+authelia_config_authentication_backend_file_password_salt_length: 16
+authelia_config_authentication_backend_file_password_memory: 1024
+authelia_config_authentication_backend_file_password_parallelism: 8
+authelia_config_password_policy_standard_enabled: false
+authelia_config_password_policy_standard_min_length: 12
+authelia_config_password_policy_standard_max_length: 0
+authelia_config_password_policy_standard_require_uppercase: true
+authelia_config_password_policy_standard_require_lowercase: true
+authelia_config_password_policy_standard_require_number: true
+authelia_config_password_policy_standard_require_special: false
+authelia_config_password_policy_zxcvbn_enabled: true
+authelia_config_access_control_default_policy: deny
+authelia_config_access_control_networks: []
+authelia_config_access_control_rules: []
+authelia_config_session_name: authelia_session
+authelia_config_session_domain: example.org
+authelia_config_session_same_site: lax
+authelia_config_session_secret: ~
+authelia_config_session_expiration: 1h
+authelia_config_session_inactivity: 5m
+authelia_config_session_remember_me_duration: 1M
+authelia_config_session_remember_me: >-2
+  {{ authelia_config_session_remember_me_duration }}
+authelia_config_session_redis_host: "{{ authelia_redis_host }}"
+authelia_config_session_redis_port: "{{ authelia_redis_port }}"
+authelia_config_session_redis_username: "{{ authelia_redis_user }}"
+authelia_config_session_redis_password: "{{ authelia_redis_pass }}"
+authelia_config_session_redis_database_index: 0
+authelia_config_session_redis_maximum_active_connections: 8
+authelia_config_session_redis_minimum_idle_connections: 0
+authelia_config_session_redis_enable_tls: false
+authelia_config_session_redis_tls_server_name: ~
+authelia_config_session_redis_tls_skip_verify: false
+authelia_config_session_redis_tls_minimum_version: "{{ authelia_tls_minimum_version }}"
+authelia_config_regulation_max_retries: 3
+authelia_config_regulation_find_time: 2m
+authelia_config_regulation_ban_time: 5m
+authelia_config_storage_encryption_key: ~
+authelia_config_storage_local_path: ~
+authelia_config_storage_mysql_port: 3306
+authelia_config_storage_postgres_port: 5432
+authelia_config_storage_postgres_ssl_mode: disable
+authelia_config_storage_postgres_ssl_root_certificate: disable
+authelia_config_storage_postgres_ssl_certificate: disable
+authelia_config_storage_postgres_ssl_key: disable
+authelia_config_notifier_disable_startup_check: false
+authelia_config_notifier_filesystem_filename: ~
+authelia_config_notifier_smtp_address: "{{ authelia_smtp_host }}:{{ authelia_stmp_port }}"
+authelia_config_notifier_smtp_username: "{{ authelia_smtp_user }}"
+authelia_config_notifier_smtp_password: "{{ authelia_smtp_pass }}"
+authelia_config_notifier_smtp_timeout: 5s
+authelia_config_notifier_smtp_sender: "Authelia on {{ authelia_domain }} <admin@{{ authelia_domain }}>"
+authelia_config_notifier_smtp_identifier: "{{ authelia_domain }}"
+authelia_config_notifier_smtp_subject: "[Authelia @ {{ authelia_domain }}] {title}"
+authelia_config_notifier_smtp_startup_check_address: "authelia-test@{{ authelia_domain }}"
+authelia_config_notifier_smtp_disable_require_tls: false
+authelia_config_notifier_smtp_disable_html_emails: false
+authelia_config_notifier_smtp_tls_skip_verify: false
+authelia_config_notifier_smtp_tls_minimum_version: "{{ authelia_tls_minimum_version }}"
+#authelia_config_identity_provider_
+
+authelia_database_type: ~
+authelia_database_host: ~
+authelia_database_port: ~
+authelia_database_address: >-2
+  {{ authelia_database_host }}{{
+    (authelia_database_port | default(false, true) | bool)
+    | ternary(':' + authelia_database_port, '')
+  }}
+authelia_database_user: authelia
+authelia_database_pass: ~
+authelia_database_name: authelia
+authelia_database_timeout: 5s
+
+authelia_smtp_host: ~
+authelia_stmp_port: 465
+authelia_stmp_user: authelia
+authelia_stmp_pass: ~
+
+authelia_redis_host: ~
+authelia_redis_port: 6379
+authelia_redis_user: ~
+authelia_redis_pass: ~
+
+authelia_extra_config: {}

roles/authelia/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Restart authelia container
+  docker_container:
+    name: "{{ authelia_container_name }}"
+    state: started
+    restart: yes
+  listen: restart-authelia

roles/authelia/meta/main.yml

@@ -0,0 +1,9 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: authelia
+  description: Ansible role to deploy authelia using docker
+  galaxy_tags:
+    - authelia
+    - docker

roles/authelia/tasks/main.yml

@@ -0,0 +1,93 @@
+---
+
+- name: Ensure user {{ authelia_user }} exists
+  ansible.builtin.user:
+    name: "{{ authelia_user }}"
+    state: present
+    system: true
+  register: authelia_user_info
+
+- name: Ensure host directories are created with correct permissions
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner | default(authelia_user) }}"
+    group: "{{ item.group | default(authelia_user) }}"
+    mode: "{{ item.mode | default('0750') }}"
+  when: item.path | default(false, true) | bool
+  loop:
+    - path: "{{ authelia_base_dir }}"
+      mode: "0755"
+    - path: "{{ authelia_config_dir }}"
+      mode: "0750"
+    - path: "{{ authelia_data_dir }}"
+      mode: "0750"
+    - path: "{{ authelia_asset_dir }}"
+      mode: "0750"
+
+- name: Ensure config file is generated
+  ansible.builtin.copy:
+    content: "{{ authelia_config | to_nice_yaml(indent=2, width=10000) }}"
+    dest: "{{ authelia_config_file }}"
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+  notify: restart-authelia
+
+- name: Ensure sqlite database file exists before mounting it
+  ansible.builtin.file:
+    path: "{{ authelia_sqlite_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_storage_local_path | default(false, true)
+
+- name: Ensure user database exists before mounting it
+  ansible.builtin.file:
+    path: "{{ authelia_user_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_authentication_backend_file_path | default(false, true)
+
+- name: Ensure notification reports file exists before mounting it
+  ansible.builtin.file:
+    path: "{{ authelia_notification_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_notifier_filesystem_filename | default(false, true)
+
+- name: Ensure authelia container image is present
+  community.docker.docker_image:
+    name: "{{ authelia_container_image_ref }}"
+    state: present
+    source: pull
+    force_source: "{{ authelia_container_image_force_pull }}"
+  register: authelia_container_image_info
+
+- name: Ensure authelia container is running
+  community.docker.docker_container:
+    name: "{{ authelia_container_name }}"
+    image: "{{ authelia_container_image_ref }}"
+    env: "{{ authelia_container_env }}"
+    user: "{{ authelia_run_user }}:{{ authelia_run_group }}"
+    ports: "{{ authelia_container_ports | default(omit, true) }}"
+    labels: "{{ authelia_container_labels }}"
+    volumes: "{{ authelia_container_volumes }}"
+    networks: "{{ authelia_container_networks | default(omit, true) }}"
+    etc_hosts: "{{ authelia_container_etc_hosts | default(omit, true) }}"
+    purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
+    restart_policy: "{{ authelia_container_restart_policy }}"
+    recreate: "{{ authelia_container_recreate | default(omit, true) }}"
+    state: "{{ authelia_container_state }}"
+  register: authelia_container_info

roles/authelia/vars/main.yml

@@ -0,0 +1,266 @@
+---
+
+authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}"
+authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}"
+
+authelia_container_base_volumes: >-2
+  {{ [ authelia_config_file + ":/config/configuration.yml:ro"]
+    + ([authelia_asset_dir + '/:' + authelia_config_server_asset_path + ':ro'] if authelia_asset_dir | default(false, true) else [])
+    + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ]
+      if authelia_config_storage_local_path | default(false, true) else [])
+    + ([ authelia_notification_storage_file + ":" + authelia_config_notifier_filesystem_filename + ":z" ]
+      if authelia_config_notifier_filesystem_filename | default(false, true) else [])
+    + ( [authelia_user_storage_file + ":" + authelia_config_authentication_backend_file_path + ":z"]
+      if authelia_config_authentication_backend_file_path | default(false, true) else [])
+  }}
+
+authelia_container_base_labels:
+  version: "{{ authelia_version }}"
+
+authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}"
+authelia_top_level_config:
+  theme: "{{ authelia_config_theme }}"
+  jwt_secret: "{{ authelia_config_jwt_secret }}"
+  log: "{{ authelia_config_log }}"
+  telemetry: "{{ authelia_config_telemetry }}"
+  totp: "{{ authelia_config_totp }}"
+  webauthn: "{{ authelia_config_webauthn }}"
+  duo_api: "{{ authelia_config_duo_api }}"
+  ntp: "{{ authelia_config_ntp }}"
+  authentication_backend: "{{ authelia_config_authentication_backend }}"
+#  password_policy: "{{ authelia_config_password_policy }}"
+  access_control: "{{ authelia_config_access_control }}"
+  session: "{{ authelia_config_session }}"
+  regulation: "{{ authelia_config_regulation }}"
+  storage: "{{ authelia_config_storage }}"
+  notifier: "{{ authelia_config_notifier }}"
+
+authelia_base_config: >-2
+  {{
+    authelia_top_level_config
+    | combine({"default_redirection_url": authelia_config_default_redirection_url}
+      if authelia_config_default_redirection_url | default(false, true) else {})
+    | combine(({"server": authelia_config_server })
+      | combine({"tls": authelia_config_server_tls}
+        if authelia_config_server_tls_key | default(false, true) else {}))
+   }}
+
+authelia_config_server: >-2
+  {{
+    {
+      "address": authelia_config_server_address,
+      "asset_path": authelia_config_server_asset_path,
+      "disable_healthcheck": authelia_config_server_disable_healthcheck,
+      "endpoints": authelia_config_server_endpoints,
+      "buffers": authelia_config_server_buffers,
+    } | combine({"headers": {"csp_template": authelia_config_server_headers_csp_template}}
+        if authelia_config_server_headers_csp_template | default(false, true) else {})
+  }}
+authelia_config_server_endpoints:
+  enable_expvars: "{{ authelia_config_server_endpoints_enable_expvars }}"
+  enable_pprof: "{{ authelia_config_server_endpoints_enable_pprof }}"
+authelia_config_server_buffers:
+  read: "{{ authelia_config_server_buffers_read }}"
+  write: "{{ authelia_config_server_buffers_write }}"
+authelia_config_server_tls:
+  key: "{{ authelia_config_server_tls_key }}"
+  certificate: "{{ authelia_config_server_tls_certificate }}"
+  client_certificates: "{{ authelia_config_server_tls_client_certificates }}"
+authelia_config_log: >-2
+  {{
+    {
+      "level": authelia_config_log_level,
+      "format": authelia_config_log_format
+    }
+    | combine({"file_path": authelia_config_log_file_path}
+      if authelia_config_log_file_path | default(false, true) else {})
+    | combine({"keep_stdout": authelia_config_log_keep_stdout}
+      if authelia_config_log_file_path | default(false, true) else {})
+  }}
+authelia_config_telemetry:
+  metrics:
+    enabled: "{{ authelia_config_telemetry_metrics_enabled }}"
+    address: "{{ authelia_config_telemetry_metrics_address }}"
+authelia_config_totp:
+  disable: "{{ authelia_config_totp_disable }}"
+  issuer: "{{ authelia_config_totp_issuer }}"
+  algorithm: "{{ authelia_config_totp_algorithm }}"
+  digits: "{{ authelia_config_totp_digits }}"
+  period: "{{ authelia_config_totp_period }}"
+  skew: "{{ authelia_config_totp_skew }}"
+#  secret_size: "{{ authelia_config_totp_secret_size }}"
+authelia_config_webauthn:
+  disable: "{{ authelia_config_webauthn_disable }}"
+  timeout: "{{ authelia_config_webauthn_timeout }}"
+  display_name: "{{ authelia_config_webauthn_display_name }}"
+  attestation_conveyance_preference: "{{ authelia_config_webauthn_attestation_conveyance_preference }}"
+  user_verification: "{{ authelia_config_webauthn_user_verification }}"
+authelia_config_duo_api:
+  hostname: "{{ authelia_config_duo_api_hostname }}"
+  integration_key: "{{ authelia_config_duo_api_integration_key }}"
+  secret_key: "{{ authelia_config_duo_api_secret_key }}"
+  enable_self_enrollment: "{{ authelia_config_duo_api_enable_self_enrollment }}"
+authelia_config_ntp:
+  address: "{{ authelia_config_ntp_address }}"
+  version: "{{ authelia_config_ntp_version }}"
+  max_desync: "{{ authelia_config_ntp_max_desync }}"
+  disable_startup_check: "{{ authelia_config_ntp_disable_startup_check }}"
+  disable_failure: "{{ authelia_config_ntp_disable_failure }}"
+
+authelia_config_authentication_backend: >-2
+  {{
+    {
+      "refresh_interval": authelia_config_authentication_backend_refresh_interval,
+    }
+    | combine({"password_reset": authelia_config_authentication_backend_password_reset}
+      if authelia_config_authentication_backend_password_reset_custom_url | default(false, true) else {})
+    | combine({"file": authelia_config_authentication_backend_file}
+      if authelia_config_authentication_backend_file_path | default(false, true)
+      else {"ldap": authelia_config_authentication_backend_ldap})
+  }}
+authelia_config_authentication_backend_password_reset:
+  custom_url: "{{ authelia_config_authentication_backend_password_reset_custom_url }}"
+  disable: "{{ authelia_config_authentication_backend_password_reset_disable }}"
+authelia_config_authentication_backend_ldap:
+  implementation: "{{ authelia_config_authentication_backend_ldap_implementation }}"
+  url: "{{ authelia_config_authentication_backend_ldap_url }}"
+  timeout: "{{ authelia_config_authentication_backend_ldap_timeout }}"
+  start_tls: "{{ authelia_config_authentication_backend_ldap_start_tls }}"
+  tls:
+    skip_verify: "{{ authelia_config_authentication_backend_ldap_tls_skip_verify }}"
+    minimum_version: "{{ authelia_config_authentication_backend_ldap_minimum_version }}"
+  base_dn: "{{ authelia_config_authentication_backend_ldap_base_dn }}"
+  additional_users_dn: "{{ authelia_config_authentication_backend_ldap_additional_users_dn }}"
+  additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}" 
+  users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}" 
+  groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}"
+  attributes:
+    username: "{{ authelia_config_authentication_backend_ldap_attributes_username }}"
+    mail: "{{ authelia_config_authentication_backend_ldap_attributes_mail }}"
+    display_name: "{{ authelia_config_authentication_backend_ldap_attributes_display_name }}"
+    group_name: "{{ authelia_config_authentication_backend_ldap_attributes_group_name }}"
+  user: "{{ authelia_config_authentication_backend_ldap_user }}"
+  password: "{{ authelia_config_authentication_backend_ldap_password }}"
+authelia_config_authentication_backend_file:
+  path: "{{ authelia_config_authentication_backend_file_path }}"
+  password:
+    algorithm: "{{ authelia_config_authentication_backend_file_password_algorithm }}"
+    iterations: "{{ authelia_config_authentication_backend_file_password_iterations }}"
+    key_length: "{{ authelia_config_authentication_backend_file_password_key_length }}"
+    salt_lenght: "{{ authelia_config_authentication_backend_file_password_salt_length }}"
+    memory: "{{ authelia_config_authentication_backend_file_password_memory }}"
+    parallelism: "{{ authelia_config_authentication_backend_file_password_parallelism }}"
+authelia_config_password_policy: >-2
+  {{
+    {"standard": authelia_config_password_policy_standard}
+    if authelia_config_password_policy_standard_enabled
+    else {"zxcvbn": authelia_config_password_policy_zxcvbn}
+  }}
+authelia_config_password_policy_standard:
+  enabled: "{{ authelia_config_password_policy_standard_enabled }}"
+  min_length: "{{ authelia_config_password_policy_standard_min_length }}"
+  max_length: "{{ authelia_config_password_policy_standard_max_length }}"
+  require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
+  require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
+  require_number: "{{ authelia_config_password_policy_standard_require_number }}"
+  require_special: "{{ authelia_config_password_policy_standard_require_special }}"
+authelia_config_password_policy_zxcvbn:
+  enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
+authelia_config_access_control:
+  default_policy: "{{ authelia_config_access_control_default_policy }}"
+  networks: "{{ authelia_config_access_control_networks }}"
+  rules: "{{ authelia_config_access_control_rules }}"
+authelia_config_session:
+  name: "{{ authelia_config_session_name }}"
+  domain: "{{ authelia_config_session_domain }}"
+  same_site: "{{ authelia_config_session_same_site }}"
+  secret: "{{ authelia_config_session_secret }}"
+  expiration: "{{ authelia_config_session_expiration }}" 
+  inactivity: "{{ authelia_config_session_inactivity }}"
+  remember_me: "{{ authelia_config_session_remember_me }}"
+authelia_config_session_redis: >-2
+  {{
+    {
+      "host": authelia_config_session_redis_host,
+      "database_index": authelia_config_session_redis_database_index,
+      "maximum_active_connections": authelia_config_session_redis_maximum_active_connections,
+      "minimum_idle_connections": authelia_config_session_redis_minimum_idle_connections
+    }
+    | combine({"password": authelia_config_session_redis_password}
+      if authelia_config_session_redis_password | default(false, true) else {})
+    | combine({"username": authelia_config_session_redis_username}
+      if authelia_config_session_redis_username | default(false, true) else {})
+    | combine({"port": authelia_config_session_redis_port}
+      if '/' not in authelia_config_session_redis_host else {})
+    | combine({"tls": authelia_config_session_redis_tls}
+      if authelia_config_session_redis_enable_tls | default(false, true) else {})
+  }}
+authelia_config_session_redis_tls: >-2
+  {{
+    {
+      "skip_verify": authelia_config_session_redis_tls_skip_verify,
+      "minimum_version": authelia_config_session_redis_tls_minimum_version,
+    }
+    | combine({"server_name": authelia_config_session_redis_tls_server_name}
+      if authelia_config_session_redis_tls_server_name | default(false, true) else {})
+  }}
+authelia_config_regulation:
+  max_retries: "{{ authelia_config_regulation_max_retries }}"
+  find_time: "{{ authelia_config_regulation_find_time }}"
+  ban_time: "{{ authelia_config_regulation_ban_time }}"
+authelia_config_storage: >-2
+  {{
+    { "encryption_key": authelia_config_storage_encryption_key }
+    | combine({"local": authelia_config_storage_local}
+      if authelia_database_type in ['local', 'sqlite'] else {})
+    | combine({"mysql": authelia_config_storage_mysql}
+      if authelia_database_type == 'mysql' else {})
+    | combine({"postgres": authelia_config_storage_postgres}
+      if authelia_database_type in ['postgres', 'postgresql'] else {})
+  }}
+authelia_config_storage_local:
+  path: "{{ authelia_config_storage_local_path }}"
+authelia_config_storage_mysql:
+  host: "{{ authelia_database_address }}"
+  database: "{{ authelia_database_name }}"
+  username: "{{ authelia_database_user }}"
+  password: "{{ authelia_database_pass }}"
+  timeout: "{{ authelia_database_timeout }}"
+authelia_config_storage_postgres:
+  address: "{{ authelia_database_address }}"
+  database: "{{ authelia_database_name }}"
+  schema: public
+  username: "{{ authelia_database_user }}"
+  password: "{{ authelia_database_pass }}"
+  timeout: "{{ authelia_database_timeout }}"
+authelia_config_storage_postgres_ssl:
+  mode: "{{ authelia_config_storage_postgres_ssl_mode }}"
+  root_certificate: "{{ authelia_config_storage_postgres_ssl_root_certificate }}"
+  certificate: "{{ authelia_config_storage_postgres_ssl_certificate }}"
+  key: "{{ authelia_config_storage_postgres_ssl_key }}"
+authelia_config_notifier: >-2
+  {{
+    {
+      "disable_startup_check": authelia_config_notifier_disable_startup_check
+    }
+    | combine({"filesystem": authelia_config_notifier_filesystem}
+      if authelia_config_notifier_filesystem_filename else {})
+    | combine({"smtp": authelia_config_notifier_smtp}
+      if not authelia_config_notifier_filesystem_filename else {})
+  }}
+authelia_config_notifier_filesystem:
+  filename: "{{ authelia_config_notifier_filesystem_filename }}"
+authelia_config_notifier_smtp:
+  address: "{{ authelia_config_notifier_smtp_address }}"
+  timeout: "{{ authelia_config_notifier_smtp_timeout }}"
+  username: "{{ authelia_config_notifier_smtp_username }}"
+  password: "{{ authelia_config_notifier_smtp_password }}"
+  sender: "{{ authelia_config_notifier_smtp_sender }}"
+  identifier: "{{ authelia_config_notifier_smtp_identifier }}"
+  subject: "{{ authelia_config_notifier_smtp_subject }}"
+  startup_check_address: "{{ authelia_config_notifier_smtp_startup_check_address }}"
+  disable_require_tls: "{{ authelia_config_notifier_smtp_disable_require_tls }}"
+  disable_html_emails: "{{ authelia_config_notifier_smtp_disable_html_emails }}"
+  tls:
+    skip_verify: "{{ authelia_config_notifier_smtp_tls_skip_verify }}"
+    minimum_version: "{{ authelia_config_notifier_smtp_tls_minimum_version }}"

roles/ghost/README.md

@@ -0,0 +1,18 @@
+# `finallycoffee.services.ghost` ansible role
+
+[Ghost](https://ghost.org/) is a self-hosted blog with rich media capabilities,
+which this role deploys in a docker container.
+
+## Requirements
+
+Ghost requires a MySQL-database (like mariadb) for storing it's data, which
+can be configured using the `ghost_database_(host|username|password|database)` variables.
+
+Setting `ghost_domain` to a fully-qualified domain on which ghost should be reachable
+is also required.
+
+Ghosts configuration can be changed using the `ghost_config` variable.
+
+Container arguments which are equivalent to `community.docker.docker_container` can be
+provided in the `ghost_container_[...]` syntax (e.g. `ghost_container_ports` to expose
+ghosts port to the host).

roles/ghost/defaults/main.yml

@@ -0,0 +1,38 @@
+---
+ghost_domain: ~
+ghost_version: "5.96.0"
+ghost_user: ghost
+ghost_user_group: ghost
+ghost_base_path: /opt/ghost
+ghost_data_path: "{{ ghost_base_path }}/data"
+ghost_config_path: "{{ ghost_base_path }}/config"
+ghost_config_file: "{{ ghost_config_path }}/ghost.env"
+ghost_database_username: ghost
+ghost_database_password: ~
+ghost_database_database: ghost
+ghost_database_host: ~
+ghost_base_config:
+  url: "https://{{ ghost_domain }}"
+  database__client: mysql
+  database__connection__host: "{{ ghost_database_host }}"
+  database__connection__user: "{{ ghost_database_username }}"
+  database__connection__password: "{{ ghost_database_password }}"
+  database__connection__database: "{{ ghost_database_database }}"
+ghost_config: {}
+
+ghost_container_name: ghost
+ghost_container_image_name: docker.io/ghost
+ghost_container_image_tag: ~
+ghost_container_base_volumes:
+  - "{{ ghost_data_path }}:{{ ghost_container_data_directory }}:rw"
+ghost_container_extra_volumes: []
+ghost_container_volumes:
+  "{{ ghost_container_base_volumes + ghost_container_extra_volumes }}"
+ghost_container_base_labels:
+  version: "{{ ghost_version }}"
+ghost_container_extra_labels: {}
+ghost_container_restart_policy: "unless-stopped"
+ghost_container_networks: ~
+ghost_container_purge_networks: ~
+ghost_container_etc_hosts: ~
+ghost_container_state: started

roles/ghost/meta/main.yml

@@ -0,0 +1,10 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: ghost
+  description: Ansible role to deploy ghost (https://ghost.org) using docker
+  galaxy_tags:
+    - ghost
+    - blog
+    - docker

roles/ghost/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Ensure ghost group is created
+  ansible.builtin.group:
+    name: "{{ ghost_user_group }}"
+    state: present
+    system: true
+
+- name: Ensure ghost user is created
+  ansible.builtin.user:
+    name: "{{ ghost_user }}"
+    groups:
+      - "{{ ghost_user_group }}"
+    append: true
+    state: present
+    system: true
+
+- name: Ensure host paths for docker volumes exist for ghost
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: "0750"
+    owner: "{{ item.owner | default(ghost_user) }}"
+    group: "{{ item.group | default(ghost_user_group) }}"
+  loop:
+    - path: "{{ ghost_base_path }}"
+    - path: "{{ ghost_data_path }}"
+      owner: "1000"
+    - path: "{{ ghost_config_path }}"
+
+- name: Ensure ghost configuration file is templated
+  ansible.builtin.template:
+    src: "ghost.env.j2"
+    dest: "{{ ghost_config_file }}"
+    owner: "{{ ghost_user }}"
+    group: "{{ ghost_user_group }}"
+    mode: "0644"
+
+- name: Ensure ghost container image is present on host
+  community.docker.docker_image:
+    name: "{{ ghost_container_image }}"
+    state: present
+    source: pull
+    force_source: "{{ ghost_container_image_tag is defined }}"
+
+- name: Ensure ghost container '{{ ghost_container_name }}' is {{ ghost_container_state }}
+  community.docker.docker_container:
+    name: "{{ ghost_container_name }}"
+    image: "{{ ghost_container_image }}"
+    ports: "{{ ghost_container_ports | default(omit, true) }}"
+    labels: "{{ ghost_container_labels }}"
+    volumes: "{{ ghost_container_volumes }}"
+    env_file: "{{ ghost_config_file }}"
+    etc_hosts: "{{ ghost_container_etc_hosts | default(omit, true) }}"
+    networks: "{{ ghost_container_networks | default(omit, true) }}"
+    purge_networks: "{{ ghost_container_purge_networks | default(omit, true) }}"
+    restart_policy: "{{ ghost_container_restart_policy }}"
+    state: "{{ ghost_container_state }}"

roles/ghost/templates/ghost.env.j2

@@ -0,0 +1,3 @@
+{% for key, value in ghost_config_complete.items() %}
+{{ key }}={{ value }}
+{% endfor %}

roles/ghost/vars/main.yml

@@ -0,0 +1,10 @@
+---
+
+ghost_container_image: "{{ ghost_container_image_name}}:{{ ghost_container_image_tag | default(ghost_version, true) }}"
+ghost_container_labels: >-2
+  {{ ghost_container_base_labels
+  | combine(ghost_container_extra_labels) }}
+
+ghost_container_data_directory: "/var/lib/ghost/content"
+ghost_config_complete: >-2
+  {{ ghost_base_config | combine(ghost_config, recursive=True) }}

roles/gitea/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
-
-gitea_version: "1.15.6"
+gitea_version: "1.22.3"
 gitea_user: git
+gitea_run_user: "{{ gitea_user }}"
 gitea_base_path: "/opt/gitea"
 gitea_data_path: "{{ gitea_base_path }}/data"
 
@@ -9,17 +9,29 @@ gitea_data_path: "{{ gitea_base_path }}/data"
 gitea_domain: ~
 
 # container config
-gitea_container_name: "git"
-gitea_container_image_name: "docker.io/gitea/gitea"
+gitea_container_name: "{{ gitea_user }}"
+gitea_container_image_server: "docker.io"
+gitea_container_image_name: "gitea"
+gitea_container_image_namespace: gitea
+gitea_container_image_fq_name: >-
+  {{
+    [
+      gitea_container_image_server,
+      gitea_container_image_namespace,
+      gitea_container_image_name
+    ] | join('/')
+  }}
 gitea_container_image_tag: "{{ gitea_version }}"
-gitea_container_image: "{{ gitea_container_image_name }}:{{ gitea_container_image_tag }}"
+gitea_container_image: >-2
+  {{ gitea_container_image_fq_name }}:{{ gitea_container_image_tag }}
 gitea_container_networks: []
 gitea_container_purge_networks: ~
 gitea_container_restart_policy: "unless-stopped"
 gitea_container_extra_env: {}
-gitea_contianer_extra_labels: {}
+gitea_container_extra_labels: {}
 gitea_container_extra_ports: []
 gitea_container_extra_volumes: []
+gitea_container_state: started
 
 # container defaults
 gitea_container_base_volumes:
@@ -40,10 +52,10 @@ gitea_container_base_labels:
 gitea_config_mailer_enabled: false
 gitea_config_mailer_type: ~
 gitea_config_mailer_from_addr: ~
-gitea_config_mailer_host: ~
+gitea_config_mailer_smtp_addr: ~
 gitea_config_mailer_user: ~
 gitea_config_mailer_passwd: ~
-gitea_config_mailer_tls: ~
+gitea_config_mailer_protocol: ~
 gitea_config_mailer_sendmail_path: ~
 gitea_config_metrics_enabled: false
 

roles/gitea/meta/main.yml

@@ -0,0 +1,10 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: gitea
+  description: Ansible role to deploy gitea using docker
+  galaxy_tags:
+    - gitea
+    - git
+    - docker

roles/gitea/tasks/main.yml

@@ -1,14 +1,15 @@
 ---
 
-- name: Create gitea user
-  user:
+- name: Ensure gitea user '{{ gitea_user }}' is present
+  ansible.builtin.user:
     name: "{{ gitea_user }}"
-    state: present
-    system: no
+    state: "present"
+    system: false
+    create_home: true
   register: gitea_user_res
 
 - name: Ensure host directories exist
-  file:
+  ansible.builtin.file:
     path: "{{ item }}"
     owner: "{{ gitea_user_res.uid }}"
     group: "{{ gitea_user_res.group }}"
@@ -18,7 +19,7 @@
     - "{{ gitea_data_path }}"
 
 - name: Ensure .ssh folder for gitea user exists
-  file:
+  ansible.builtin.file:
     path: "/home/{{ gitea_user }}/.ssh"
     state: directory
     owner: "{{ gitea_user_res.uid }}"
@@ -36,25 +37,17 @@
     mode: 0600
   register: gitea_user_ssh_key
 
-- name: Create directory to place forwarding script into
-  file:
-    path: "/app/gitea"
-    state: directory
-    mode: 0770
-    owner: "{{ gitea_user_res.uid }}"
-    group: "{{ gitea_user_res.group }}"
-
 - name: Create forwarding script
-  copy:
-    dest: "/app/gitea/gitea"
+  ansible.builtin.copy:
+    dest: "/usr/local/bin/gitea"
     owner: "{{ gitea_user_res.uid }}"
     group: "{{ gitea_user_res.group }}"
     mode: 0700
     content: |
-      ssh -p {{ gitea_public_ssh_server_port }} -o StrictHostKeyChecking=no {{ gitea_user }}@127.0.0.1 -i /home/{{ gitea_user }}/.ssh/id_ssh_ed25519 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
+      ssh -p {{ gitea_public_ssh_server_port }} -o StrictHostKeyChecking=no {{ gitea_run_user }}@127.0.0.1 -i /home/{{ gitea_user }}/.ssh/id_ssh_ed25519 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
 
 - name: Add host pubkey to git users authorized_keys file
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "/home/{{ gitea_user }}/.ssh/authorized_keys"
     line: "{{ gitea_user_ssh_key.public_key }} Gitea:Host2Container"
     state: present
@@ -64,26 +57,27 @@
     mode: 0600
 
 - name: Ensure gitea container image is present
-  docker_image:
+  community.docker.docker_image:
     name: "{{ gitea_container_image }}"
     state: present
     source: pull
     force_source: "{{ gitea_container_image.endswith(':latest') }}"
 
-- name: Ensure container '{{ gitea_container_name }}' with gitea is running
-  docker_container:
+- name: Ensure container '{{ gitea_container_name }}' with gitea is {{ gitea_container_state }}
+  community.docker.docker_container:
     name: "{{ gitea_container_name }}"
     image: "{{ gitea_container_image }}"
     env: "{{ gitea_container_env }}"
+    labels: "{{ gitea_container_labels }}"
     volumes: "{{ gitea_container_volumes }}"
     networks: "{{ gitea_container_networks | default(omit, True) }}"
     purge_networks: "{{ gitea_container_purge_networks | default(omit, True) }}"
     published_ports: "{{ gitea_container_ports }}"
     restart_policy: "{{ gitea_container_restart_policy }}"
-    state: started
+    state: "{{ gitea_container_state }}"
 
 - name: Ensure given configuration is set in the config file
-  ini_file:
+  ansible.builtin.ini_file:
     path: "{{ gitea_data_path }}/gitea/conf/app.ini"
     section: "{{ section }}"
     option: "{{ option }}"

roles/gitea/vars/main.yml

@@ -14,7 +14,7 @@ gitea_container_port_ssh: 22
 
 gitea_config_base:
   RUN_MODE: prod
-  RUN_USER: "{{ gitea_user }}"
+  RUN_USER: "{{ gitea_run_user }}"
   server:
     SSH_DOMAIN: "{{ gitea_domain }}"
     DOMAIN: "{{ gitea_domain }}"
@@ -24,11 +24,11 @@ gitea_config_base:
   mailer:
     ENABLED: "{{ gitea_config_mailer_enabled }}"
     MAILER_TYP: "{{ gitea_config_mailer_type }}"
-    HOST: "{{ gitea_config_mailer_host }}"
+    SMTP_ADDR: "{{ gitea_config_mailer_smtp_addr }}"
     USER: "{{ gitea_config_mailer_user }}"
     PASSWD: "{{ gitea_config_mailer_passwd }}"
-    IS_TLS_ENABLED: "{{ gitea_config_mailer_tls }}"
-    FROM: "{{ gitea_config_mailer_from_addr }}"
+    PROTOCOL: "{{ gitea_config_mailer_protocol }}"
+    FROM: "{{ gitea_config_mailer_from }}"
     SENDMAIL_PATH: "{{ gitea_config_mailer_sendmail_path }}"
   metrics:
     ENABLED: "{{ gitea_config_metrics_enabled }}"

roles/hedgedoc/README.md

@@ -0,0 +1,21 @@
+# `finallycoffee.services.hedgedoc` ansible role
+
+Role to deploy and configure hedgedoc using `docker` or `podman`.
+To configure hedgedoc, set either the config as complex data
+directly in `hedgedoc_config` or use the flattened variables
+from the `hedgedoc_config_*` prefix (see
+[defaults/main/config.yml](defaults/main/config.yml)).
+
+To remove hedgedoc, set `hedgedoc_state: absent`. Note that this
+will delete all data directories aswell, removing any traces this
+role created on the target (except database contents).
+
+# Required configuration
+
+- `hedgedoc_config_domain` - Domain of the hedgedoc instance
+- `hedgedoc_config_session_secret` - session secret for hedgedoc
+
+## Deployment methods
+
+To set the desired deployment method, set `hedgedoc_deployment_method` to a
+supported deployment methods (see [vars/main.yml](vars/main.yml#5)).

roles/hedgedoc/defaults/main/config.yml

@@ -0,0 +1,52 @@
+---
+hedgedoc_config_domain: ~
+hedgedoc_config_log_level: "info"
+hedgedoc_config_session_secret: ~
+hedgedoc_config_protocol_use_ssl: true
+hedgedoc_config_hsts_enable: true
+hedgedoc_config_csp_enable: true
+hedgedoc_config_cookie_policy: 'lax'
+hedgedoc_config_allow_free_url: true
+hedgedoc_config_allow_email_register: false
+hedgedoc_config_allow_anonymous: true
+hedgedoc_config_allow_gravatar: true
+hedgedoc_config_require_free_url_authentication: true
+hedgedoc_config_default_permission: 'full'
+
+hedgedoc_config_db_username: hedgedoc
+hedgedoc_config_db_password: ~
+hedgedoc_config_db_database: hedgedoc
+hedgedoc_config_db_host: localhost
+hedgedoc_config_db_port: 5432
+hedgedoc_config_db_dialect: postgres
+
+hedgedoc_config_database:
+  username: "{{ hedgedoc_config_db_username }}"
+  password: "{{ hedgedoc_config_db_password }}"
+  database: "{{ hedgedoc_config_db_database }}"
+  host: "{{ hedgedoc_config_db_host }}"
+  port: "{{ hedgedoc_config_db_port | int }}"
+  dialect: "{{ hedgedoc_config_db_dialect }}"
+hedgedoc_config_base:
+  production:
+    domain: "{{ hedgedoc_config_domain }}"
+    loglevel: "{{ hedgedoc_config_log_level }}"
+    sessionSecret: "{{ hedgedoc_config_session_secret }}"
+    protocolUseSSL: "{{ hedgedoc_config_protocol_use_ssl }}"
+    cookiePolicy: "{{ hedgedoc_config_cookie_policy }}"
+    allowFreeURL: "{{ hedgedoc_config_allow_free_url }}"
+    allowAnonymous: "{{ hedgedoc_config_allow_anonymous }}"
+    allowEmailRegister: "{{ hedgedoc_config_allow_email_register }}"
+    allowGravatar: "{{ hedgedoc_config_allow_gravatar }}"
+    requireFreeURLAuthentication: >-2
+      {{ hedgedoc_config_require_free_url_authentication }}
+    defaultPermission: "{{ hedgedoc_config_default_permission }}"
+    hsts:
+      enable: "{{ hedgedoc_config_hsts_enable }}"
+    csp:
+      enable: "{{ hedgedoc_config_csp_enable }}"
+    db: "{{ hedgedoc_config_database }}"
+hedgedoc_config: ~
+hedgedoc_full_config: >-2
+  {{ hedgedoc_config_base | default({}, true)
+    | combine(hedgedoc_config | default({}, true), recursive=True) }}

roles/hedgedoc/defaults/main/container.yml

@@ -0,0 +1,57 @@
+---
+hedgedoc_container_image_registry: quay.io
+hedgedoc_container_image_namespace: hedgedoc
+hedgedoc_container_image_name: hedgedoc
+hedgedoc_container_image_flavour: alpine
+hedgedoc_container_image_tag: ~
+hedgedoc_container_image: >-2
+  {{
+    ([
+      hedgedoc_container_image_registry,
+      hedgedoc_container_image_namespace | default([], true),
+      hedgedoc_container_image_name,
+    ] | flatten | join('/'))
+    + ':'
+    + hedgedoc_container_image_tag | default(
+      hedgedoc_version + (
+        ((hedgedoc_container_image_flavour is string)
+          and (hedgedoc_container_image_flavour | length > 0))
+        | ternary('-' +
+          hedgedoc_container_image_flavour | default('', true),
+          ''
+        )
+      ),
+      true
+    )
+  }}
+hedgedoc_container_image_source: pull
+hedgedoc_container_name: hedgedoc
+hedgedoc_container_state: >-2
+  {{ (hedgedoc_state == 'present') | ternary('started', 'absent') }}
+
+hedgedoc_container_config_file: "/hedgedoc/config.json"
+hedgedoc_container_upload_path: "/hedgedoc/public/uploads"
+
+hedgedoc_container_env: ~
+hedgedoc_container_user: >-2
+  {{ hedgedoc_run_user_id }}:{{ hedgedoc_run_group_id }}
+hedgedoc_container_ports: ~
+hedgedoc_container_networks: ~
+hedgedoc_container_etc_hosts: ~
+hedgedoc_container_base_volumes:
+  - "{{ hedgedoc_config_file }}:{{ hedgedoc_container_config_file }}:ro"
+  - "{{ hedgedoc_uploads_path }}:{{ hedgedoc_container_upload_path }}:rw"
+hedgedoc_container_volumes: ~
+hedgedoc_container_all_volumes: >-2
+  {{ hedgedoc_container_base_volumes | default([], true)
+    + hedgedoc_container_volumes | default([], true) }}
+hedgedoc_container_base_labels:
+  version: "{{ hedgedoc_container_tag | default(hedgedoc_version, true) }}"
+hedgedoc_container_labels: ~
+hedgedoc_container_network_mode: ~
+hedgedoc_container_all_labels: >-2
+  {{ hedgedoc_container_base_labels | default({}, true)
+    | combine(hedgedoc_container_labels | default({}, true)) }}
+hedgedoc_container_restart_policy: >-2
+  {{ (hedgedoc_deployment_method === 'docker')
+      | ternary('unless-stopped', 'on-failure') }}

roles/hedgedoc/defaults/main/main.yml

@@ -0,0 +1,9 @@
+---
+hedgedoc_user: hedgedoc
+hedgedoc_version: "1.10.0"
+
+hedgedoc_state: present
+hedgedoc_deployment_method: docker
+
+hedgedoc_config_file: "/etc/hedgedoc/config.json"
+hedgedoc_uploads_path: "/var/lib/hedgedoc-uploads"

roles/hedgedoc/defaults/main/user.yml

@@ -0,0 +1,5 @@
+---
+hedgedoc_run_user_id: >-2
+  {{ hedgedoc_user_info.uid | default(hedgedoc_user) }}
+hedgedoc_run_group_id: >-2
+  {{ hedgedoc_user_info.group | default(hedgedoc_user) }}

roles/hedgedoc/meta/main.yml

@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: hedgedoc
+  description: >-2
+    Deploy hedgedoc, a collaborative markdown editor, using docker
+  galaxy_tags:
+    - hedgedoc
+    - markdown
+    - collaboration
+    - docker

roles/hedgedoc/tasks/check.yml

@@ -0,0 +1,23 @@
+---
+- name: Check for valid state
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported state '{{ hedgedoc_state }}'. Supported
+      states are {{ hedgedoc_states | join(', ') }}.
+  when: hedgedoc_state not in hedgedoc_states
+
+- name: Check for valid deployment method
+  ansible.builtin.fail:
+    msg: >-2
+      Deployment method '{{ hedgedoc_deployment_method }}'
+      is not supported. Supported are:
+      {{ hedgedoc_deployment_methods | join(', ') }}
+  when: hedgedoc_deployment_method not in hedgedoc_deployment_methods
+
+- name: Ensure required variables are given
+  ansible.builtin.file:
+    msg: "Required variable '{{ item }}' is undefined!"
+  loop: "{{ hedgedoc_required_arguments }}"
+  when: >-2
+    item not in hostvars[inventory_hostname]
+    or hostvars[inventory_hostname][item] | length == 0

roles/hedgedoc/tasks/deploy-docker.yml

@@ -0,0 +1,31 @@
+---
+- name: Ensure container image '{{ hedgedoc_container_image }}' is {{ hedgedoc_state }}
+  community.docker.docker_image:
+    name: "{{ hedgedoc_container_image }}"
+    state: "{{ hedgedoc_state }}"
+    source: "{{ hedgedoc_container_image_source }}"
+    force_source: >-2
+      {{ hedgedoc_container_force_source | default(
+        hedgedoc_container_image_tag | default(false, true), true) }}
+  register: hedgedoc_container_image_info
+  until: hedgedoc_container_image_info is success
+  retries: 5
+  delay: 3
+
+- name: Ensure container '{{ hedgedoc_container_name }}' is {{ hedgedoc_container_state }}
+  community.docker.docker_container:
+    name: "{{ hedgedoc_container_name }}"
+    image: "{{ hedgedoc_container_image }}"
+    env: "{{ hedgedoc_container_env | default(omit, true) }}"
+    user: "{{ hedgedoc_container_user | default(omit, true) }}"
+    ports: "{{ hedgedoc_container_ports | default(omit, true) }}"
+    labels: "{{ hedgedoc_container_all_labels }}"
+    volumes: "{{ hedgedoc_container_all_volumes }}"
+    etc_hosts: "{{ hedgedoc_container_etc_hosts | default(omit, true) }}"
+    dns_servers: >-2
+      {{ hedgedoc_container_dns_servers | default(omit, true) }}
+    network_mode: >-2
+      {{ hedgedoc_container_network_mode | default(omit, true) }}
+    restart_policy: >-2
+      {{ hedgedoc_container_restart_policy | default(omit, true) }}
+    state: "{{ hedgedoc_container_state }}"

roles/hedgedoc/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Check preconditions
+  ansible.builtin.include_tasks:
+    file: "check.yml"
+
+- name: Ensure user '{{ hedgedoc_user }}' is {{ hedgedoc_state }}
+  ansible.builtin.user:
+    name: "{{ hedgedoc_user }}"
+    state: "{{ hedgedoc_state }}"
+    system: "{{ hedgedoc_user_system | default(true, false) }}"
+  register: hedgedoc_user_info
+
+- name: Ensure configuration file '{{ hedgedoc_config_file }}' is {{ hedgedoc_state }}
+  ansible.builtin.copy:
+    dest: "{{ hedgedoc_config_file }}"
+    content: "{{ hedgedoc_full_config | to_nice_json }}"
+  when: hedgedoc_state == 'present'
+
+- name: Ensure hedgedoc is deployed using {{ hedgedoc_deployment_method }}
+  ansible.builtin.include_tasks:
+    file: "deploy-{{ hedgedoc_deployment_method }}.yml"

roles/hedgedoc/vars/main.yml

@@ -0,0 +1,11 @@
+---
+hedgedoc_states:
+  - present
+  - absent
+hedgedoc_deployment_methods:
+  - docker
+  - podman
+
+hedgedoc_required_arguments:
+  - hedgedoc_config_domain
+  - hedgedoc_config_session_secret

roles/jellyfin/README.md

@@ -0,0 +1,15 @@
+# `finallycoffee.services.jellyfin` ansible role
+
+This role runs [Jellyfin](https://jellyfin.org/), a free software media system,
+in a docker container.
+
+## Usage
+
+`jellyfin_domain` contains the FQDN which jellyfin should listen to. Most configuration
+is done in the software itself.
+
+Jellyfin runs in host networking mode by default, as that is needed for some features like
+network discovery with chromecasts and similar.
+
+Media can be mounted into jellyfin using `jellyfin_media_volumes`, taking a list of strings
+akin to `community.docker.docker_container`'s `volumes` key.

roles/jellyfin/defaults/main.yml

@@ -0,0 +1,36 @@
+---
+jellyfin_user: jellyfin
+jellyfin_version: 10.9.11
+jellyfin_state: present
+
+jellyfin_base_path: /opt/jellyfin
+jellyfin_config_path: "{{ jellyfin_base_path }}/config"
+jellyfin_cache_path: "{{ jellyfin_base_path }}/cache"
+
+jellyfin_media_volumes: []
+
+jellyfin_container_name: jellyfin
+jellyfin_container_image_name: "docker.io/jellyfin/jellyfin"
+jellyfin_container_image_tag: ~
+jellyfin_container_image_ref: >-2
+  {{ jellyfin_container_image_name }}:{{ jellyfin_container_image_tag | default(jellyfin_version, true) }}
+jellyfin_container_image_source: pull
+jellyfin_container_state: >-2
+  {{ (jellyfin_state == 'present') | ternary('started', 'absent') }}
+jellyfin_container_network_mode: host
+jellyfin_container_networks: ~
+jellyfin_container_volumes: "{{ jellyfin_container_base_volumes + jellyfin_media_volumes }}"
+jellyfin_container_labels: "{{ jellyfin_container_base_labels | combine(jellyfin_container_extra_labels) }}"
+jellyfin_container_extra_labels: {}
+jellyfin_container_restart_policy: "unless-stopped"
+
+jellyfin_host_directories:
+  - path: "{{ jellyfin_base_path }}"
+    mode: "0750"
+  - path: "{{ jellyfin_config_path }}"
+    mode: "0750"
+  - path: "{{ jellyfin_cache_path }}"
+    mode: "0750"
+
+jellyfin_uid: "{{ jellyfin_user_info.uid | default(jellyfin_user) }}"
+jellyfin_gid: "{{ jellyfin_user_info.group | default(jellyfin_user) }}"

roles/jellyfin/meta/main.yml

@@ -0,0 +1,10 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: jellyfin
+  description: Ansible role to deploy jellyfin using docker
+  galaxy_tags:
+    - jellyfin
+    - streaming
+    - docker

roles/jellyfin/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+- name: Check if state is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported state '{{ jellyfin_state }}'. Supported
+      states are {{ jellyfin_states | join(', ') }}.
+  when: jellyfin_state not in jellyfin_states
+
+- name: Ensure jellyfin user '{{ jellyfin_user }}' is {{ jellyfin_state }}
+  ansible.builtin.user:
+    name: "{{ jellyfin_user }}"
+    state: "{{ jellyfin_state }}"
+    system: "{{ jellyfin_user_system | default(true, true) }}"
+  register: jellyfin_user_info
+
+- name: Ensure host directories for jellyfin are {{ jellyfin_state }}
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: >-2
+      {{ (jellyfin_state == 'present') | ternary('directory', 'absent') }}
+    owner: "{{ item.owner  | default(jellyfin_uid) }}"
+    group: "{{ item.group | default(jellyfin_gid) }}"
+    mode: "{{ item.mode }}"
+  loop: "{{ jellyfin_host_directories }}"
+
+- name: Ensure container image '{{ jellyfin_container_image_ref }}' is {{ jellyfin_state }}
+  community.docker.docker_image:
+    name: "{{ jellyfin_container_image_ref }}"
+    state: "{{ jellyfin_state }}"
+    source: "{{ jellyfin_container_image_source }}"
+    force_source: "{{ jellyfin_container_image_tag | default(false, true) }}"
+  register: jellyfin_container_image_pull_result
+  until: jellyfin_container_image_pull_result is succeeded
+  retries: 5
+  delay: 3
+
+- name: Ensure container '{{ jellyfin_container_name }}' is {{ jellyfin_container_state }}
+  community.docker.docker_container:
+    name: "{{ jellyfin_container_name }}"
+    image: "{{ jellyfin_container_image_ref }}"
+    user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
+    labels: "{{ jellyfin_container_labels }}"
+    volumes: "{{ jellyfin_container_volumes }}"
+    networks: "{{ jellyfin_container_networks | default(omit, True) }}"
+    network_mode: "{{ jellyfin_container_network_mode }}"
+    restart_policy: "{{ jellyfin_container_restart_policy }}"
+    state: "{{ jellyfin_container_state }}"

roles/jellyfin/vars/main.yml

@@ -0,0 +1,11 @@
+---
+jellyfin_states:
+  - present
+  - absent
+
+jellyfin_container_base_volumes:
+  - "{{ jellyfin_config_path }}:/config:z"
+  - "{{ jellyfin_cache_path }}:/cache:z"
+
+jellyfin_container_base_labels:
+  version: "{{ jellyfin_version }}"

roles/minio/README.md

@@ -1,29 +0,0 @@
-# `finallycoffee.services.minio` ansible role
-
-## Overview
-
-This role deploys a [min.io](https://min.io) server (s3-compatible object storage server)
-using the official docker container image.
-
-## Configuration
-
-The role requires setting the password for the `root` user (name can be changed by
-setting `minio_root_username`) in `minio_root_password`. That user has full control
-over the minio-server instance.
-
-### Useful config hints
-
-Most configuration is done by setting environment variables in
-`minio_container_extra_env`, for example:
-
-```yaml
-minio_container_extra_env:
-  # disable the "console" web browser UI
-  MINIO_BROWSER: off
-  # enable public prometheus metrics on `/minio/v2/metrics/cluster`
-  MINIO_PROMETHEUS_AUTH_TYPE: public
-```
-
-When serving minio (or any s3-compatible server) on a "subfolder",
-see https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTRedirect.html
-and https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html

roles/minio/defaults/main.yml

@@ -1,40 +0,0 @@
----
-
-minio_user: ~
-minio_data_path: /opt/minio
-
-minio_create_user: false
-minio_manage_host_filesystem: false
-
-minio_root_username: root
-minio_root_password: ~
-
-minio_container_name: minio
-minio_container_image_name: docker.io/minio/minio
-minio_container_image_tag: latest
-minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
-minio_container_networks: []
-minio_container_ports: []
-
-minio_container_base_volumes:
-  - "{{ minio_data_path }}:{{ minio_container_data_path }}:z"
-minio_container_extra_volumes: []
-
-minio_container_base_env:
-  MINIO_ROOT_USER: "{{ minio_root_username }}"
-  MINIO_ROOT_PASSWORD: "{{ minio_root_password }}"
-minio_container_extra_env: {}
-
-minio_container_labels: {}
-
-minio_container_command:
-  - "server"
-  - "{{ minio_container_data_path }}"
-  - "--console-address \":{{ minio_container_listen_port_console }}\""
-minio_container_restart_policy: "unless-stopped"
-minio_container_image_force_source: "{{ (minio_container_image_tag == 'latest')|bool }}"
-
-minio_container_listen_port_api: 9000
-minio_container_listen_port_console: 8900
-
-minio_container_data_path: /storage

roles/minio/tasks/main.yml

@@ -1,37 +0,0 @@
----
-
-- name: Ensure minio run user is present
-  user:
-    name: "{{ minio_user }}"
-    state: present
-    system: yes
-  when: minio_create_user
-
-- name: Ensure filesystem mounts ({{ minio_data_path }}) for container volumes are present
-  file:
-    path: "{{ minio_data_path }}"
-    state: directory
-    user: "{{ minio_user|default(omit, True) }}"
-    group: "{{ minio_user|default(omit, True) }}"
-  when: minio_manage_host_filesystem
-
-- name: Ensure container image for minio is present
-  community.docker.docker_image:
-    name: "{{ minio_container_image }}"
-    state: present
-    source: pull
-    force_source: "{{ minio_container_image_force_source }}"
-
-- name: Ensure container {{ minio_container_name }} is running
-  docker_container:
-    name: "{{ minio_container_name }}"
-    image: "{{ minio_container_image }}"
-    volumes: "{{ minio_container_volumes }}"
-    env: "{{ minio_container_env }}"
-    labels: "{{ minio_container_labels }}"
-    networks: "{{ minio_container_networks }}"
-    ports: "{{ minio_container_ports }}"
-    user: "{{ minio_user|default(omit, True) }}"
-    command: "{{ minio_container_command }}"
-    restart_policy: "{{ minio_container_restart_policy }}"
-    state: started

roles/minio/vars/main.yml

@@ -1,5 +0,0 @@
----
-
-minio_container_volumes: "{{ minio_container_base_volumes + minio_container_extra_volumes }}"
-
-minio_container_env: "{{ minio_container_base_env | combine(minio_container_extra_env) }}"

roles/openproject/README.md

@@ -0,0 +1,21 @@
+# `finallycoffee.services.openproject` ansible role
+
+Deploys [openproject](https://www.openproject.org/) using docker-compose.
+
+## Configuration
+
+To set configuration variables for OpenProject, set them in `openproject_compose_overrides`:
+```yaml
+openproject_compose_overrides:
+  version: "3.7"
+  services:
+    proxy:
+       [...]
+  volumes:
+    pgdata:
+      driver: local
+      driver_opts:
+        o: bind
+        type: none
+        device: /var/lib/postgresql
+```

roles/openproject/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+openproject_base_path: "/opt/openproject"
+
+openproject_upstream_git_url: "https://github.com/opf/openproject-deploy.git"
+openproject_upstream_git_branch: "stable/13"
+
+openproject_compose_project_path: "{{ openproject_base_path }}/compose"
+openproject_compose_project_name: "openproject"
+openproject_compose_project_env_file: "{{ openproject_compose_project_path }}/.env"
+openproject_compose_project_override_file: "{{ openproject_compose_project_path }}/docker-compose.override.yml"
+openproject_compose_project_env: {}

roles/openproject/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Ensure base directory '{{ openproject_base_path }}' is present
+  ansible.builtin.file:
+    path: "{{ openproject_base_path }}"
+    state: directory
+
+- name: Ensure upstream repository is cloned
+  ansible.builtin.git:
+    dest: "{{ openproject_base_path }}"
+    repo: "{{ openproject_upstream_git_url }}"
+    version: "{{ openproject_upstream_git_branch }}"
+    clone: true
+    depth: 1
+
+- name: Ensure environment is configured
+  ansible.builtin.lineinfile:
+    line: "{{ item.key}}={{ item.value}}"
+    path: "{{ openproject_compose_project_env_file }}"
+    state: present
+    create: true
+  loop: "{{ openproject_compose_project_env | dict2items(key_name='key', value_name='value') }}"
+
+- name: Ensure docker compose overrides are set
+  ansible.builtin.copy:
+    dest: "{{ openproject_compose_project_override_file }}"
+    content: "{{ openproject_compose_overrides | default({}) | to_nice_yaml }}"
+
+- name: Ensure containers are pulled
+  community.docker.docker_compose:
+    project_src: "{{ openproject_compose_project_path }}"
+    project_name: "{{ openproject_compose_project_name }}"
+    pull: true
+
+- name: Ensure services are running
+  community.docker.docker_compose:
+    project_src: "{{ openproject_compose_project_path }}"
+    project_name: "{{ openproject_compose_project_name }}"
+    state: "present"
+    build: false

roles/restic-s3/README.md

@@ -1,63 +0,0 @@
-# `finallycoffee.services.restic-s3`
-
-Ansible role for backup up data using `restic` to an `s3`-compatible backend,
-utilizing `systemd` timers for scheduling
-
-## Overview
-
-The s3 repository and the credentials for it are specified in `restic_repo_url`,
-`restic_s3_key_id` and `restic_s3_access_key`. As restic encrypts the data before
-storing it, the `restic_repo_password` needs to be populated with a strong key,
-and saved accordingly as only this key can be used to decrypt the data for a restore!
-
-### Backing up data
-
-A job name like `$service-postgres` or similar needs to be set in `restic_job_name`,
-which is used for naming the `systemd` units, their syslog identifiers etc.
-
-If backing up filesystem locations, the paths need to be specified in
-`restic_backup_paths` as lists of strings representing absolute filesystem
-locations.
-
-If backing up f.ex. database or other data which is generating backups using
-a command like `pg_dump`, use `restic_backup_stdin_command` (which needs to output
-to `stdout`) in conjunction with `restic_backup_stdin_command_filename` to name
-the resulting output (required).
-
-### Policy
-
-The backup policy can be adjusted by overriding the `restic_policy_keep_*`
-variables, with the defaults being:
-
-```yaml
-restic_policy_keep_all_within: 1d
-restic_policy_keep_hourly: 6
-restic_policy_keep_daily: 2
-restic_policy_keep_weekly: 7
-restic_policy_keep_monthly: 4
-restic_policy_backup_frequency: hourly
-```
-
-**Note:** `restic_policy_backup_frequency` must conform to `systemd`s
-`OnCalendar` syntax, which can be checked using `systemd-analyze calender $x`.
-
-## Role behaviour
-
-Per default, when the systemd unit for a job changes, the job is not immediately
-started. This can be overridden using `restic_start_job_on_unit_change: true`,
-which will immediately start the backup job if it's configuration changed.
-
-The systemd unit runs with `restic_user`, which is root by default, guaranteeing
-that filesystem paths are always readable. The `restic_user` can be overridden,
-but care needs to be taken to ensure the user has permission to read all the
-provided filesystem paths / the backup command may be executed by the user.
-
-If ansible should create the user, set `restic_create_user` to `true`, which
-will attempt to create the `restic_user` as a system user.
-
-### Installing
-
-For Debian and RedHat, the role attempts to install restic using the default
-package manager's ansible module (apt/dnf). For other distributions, the generic
-`package` module tries to install `restic_package_name` (default: `restic`),
-which can be overridden if needed.

roles/restic-s3/defaults/main.yml

@@ -1,37 +0,0 @@
----
-
-restic_repo_url: ~
-restic_repo_password: ~
-restic_s3_key_id: ~
-restic_s3_access_key: ~
-
-restic_backup_paths: []
-restic_backup_stdin_command: ~
-restic_backup_stdin_command_filename: ~
-
-restic_policy_keep_all_within: 1d
-restic_policy_keep_hourly: 6
-restic_policy_keep_daily: 2
-restic_policy_keep_weekly: 7
-restic_policy_keep_monthly: 4
-restic_policy_backup_frequency: hourly
-
-restic_policy:
-  keep_within: "{{ restic_policy_keep_all_within }}"
-  hourly: "{{ restic_policy_keep_hourly }}"
-  daily: "{{ restic_policy_keep_daily }}"
-  weekly: "{{ restic_policy_keep_weekly }}"
-  monthly: "{{ restic_policy_keep_monthly }}"
-  frequency: "{{ restic_policy_backup_frequency }}"
-
-restic_user: root
-restic_create_user: false
-restic_start_job_on_unit_change: false
-
-restic_job_name: ~
-restic_job_description: "Restic backup job for {{ restic_job_name }}"
-restic_systemd_unit_naming_scheme: "restic.{{ restic_job_name }}"
-restic_systemd_working_directory: /tmp
-restic_systemd_syslog_identifier: "restic-{{ restic_job_name }}"
-
-restic_package_name: restic

roles/restic-s3/handlers/main.yml

@@ -1,13 +0,0 @@
----
-
-- name: Ensure system daemon is reloaded
-  listen: reload-systemd
-  systemd:
-    daemon_reload: true
-
-- name: Ensure systemd service for '{{ restic_job_name }}' is started immediately
-  listen: trigger-restic
-  systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.service"
-    state: started
-  when: restic_start_job_on_unit_change

roles/restic-s3/tasks/main.yml

@@ -1,77 +0,0 @@
----
-
-- name: Ensure {{ restic_user }} system user exists
-  user:
-    name: "{{ restic_user }}"
-    state: present
-    system: true
-  when: restic_create_user
-
-- name: Ensure either backup_paths or backup_stdin_command is populated
-  when: restic_backup_paths|length > 0 and restic_backup_stdin_command
-  fail:
-    msg: "Setting both `restic_backup_paths` and `restic_backup_stdin_command` is not supported"
-
-- name: Ensure a filename for stdin_command backup is given
-  when: restic_backup_stdin_command and not restic_backup_stdin_command_filename
-  fail:
-    msg: "`restic_backup_stdin_command` was set but no filename for the resulting output was supplied in `restic_backup_stdin_command_filename`"
-
-- name: Ensure backup frequency adheres to systemd's OnCalender syntax
-  command:
-    cmd: "systemd-analyze calendar {{ restic_policy.frequency }}"
-  register: systemd_calender_parse_res
-  failed_when: systemd_calender_parse_res.rc != 0
-  changed_when: false
-
-- name: Ensure restic is installed
-  block:
-    - name: Ensure restic is installed via apt
-      apt:
-        package: restic
-        state: latest
-      when: ansible_os_family == 'Debian'
-    - name: Ensure restic is installed via dnf
-      dnf:
-        name: restic
-        state: latest
-      when: ansible_os_family == 'RedHat'
-    - name: Ensure restic is installed using the auto-detected package-manager
-      package:
-        name: "{{ restic_package_name }}"
-        state: present
-      when: ansible_os_family not in ['RedHat', 'Debian']
-
-- name: Ensure systemd service file for '{{ restic_job_name }}' is templated
-  template:
-    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
-    src: restic.service.j2
-    owner: root
-    group: root
-    mode: 0640
-  notify:
-    - reload-systemd
-    - trigger-restic
-
-- name: Ensure systemd service file for '{{ restic_job_name }}' is templated
-  template:
-    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.timer"
-    src: restic.timer.j2
-    owner: root
-    group: root
-    mode: 0640
-  notify:
-    - reload-systemd
-
-- name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
-  meta: flush_handlers
-
-- name: Ensure systemd timer for '{{ restic_job_name }}' is activated
-  systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.timer"
-    enabled: true
-
-- name: Ensure systemd timer for '{{ restic_job_name }}' is started
-  systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.timer"
-    state: started

roles/restic-s3/templates/restic.service.j2

@@ -1,26 +0,0 @@
-[Unit]
-Description={{ restic_job_description }}
-
-[Service]
-Type=oneshot
-User={{ restic_user }}
-WorkingDirectory={{ restic_systemd_working_directory }}
-SyslogIdentifier={{ restic_systemd_syslog_identifier }}
-
-Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
-Environment=RESTIC_PASSWORD={{ restic_repo_password }}
-Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
-Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
-
-ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
-{% if restic_backup_stdin_command %}
-ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
-{% else %}
-ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
-{% endif %}
-ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
-ExecStartPost=-/usr/bin/restic snapshots
-ExecStartPost=/usr/bin/restic check
-
-[Install]
-WantedBy=multi-user.target

roles/restic-s3/templates/restic.timer.j2

@@ -1,10 +0,0 @@
-[Unit]
-Description=Run {{ restic_job_name }}
-
-[Timer]
-OnCalendar={{ restic_policy.frequency }}
-Persistent=True
-Unit={{ restic_systemd_unit_naming_scheme }}.service
-
-[Install]
-WantedBy=timers.target

roles/vouch_proxy/README.md

@@ -0,0 +1,16 @@
+# `finallycoffee.services.vouch-proxy`
+
+[Vouch-Proxy](https://github.com/vouch/vouch-proxy) can be used in combination with
+nginx' `auth_request` module to secure web services with OIDC/OAuth. This role runs
+vouch-proxys' official docker container.
+
+## Usage
+
+The `oauth` config section must be supplied in `vouch_proxy_oauth_config`, and the
+`vouch` config section can be overridden in `vouch_proxy_vouch_config`. For possible
+configuration values, see https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example.
+
+For an example nginx config, see https://github.com/vouch/vouch-proxy#installation-and-configuration.
+
+Passing container arguments in the same way as `community.docker.docker_container` is supported
+using the `vouch_proxy_container_[...]` prefix (e.g. `vouch_proxy_container_ports`).

roles/vouch_proxy/defaults/main.yml

@@ -0,0 +1,51 @@
+---
+
+vouch_proxy_user: vouch-proxy
+vouch_proxy_version: 0.40.0
+vouch_proxy_base_path: /opt/vouch-proxy
+vouch_proxy_config_path: "{{ vouch_proxy_base_path }}/config"
+vouch_proxy_config_file: "{{ vouch_proxy_config_path }}/config.yaml"
+
+vouch_proxy_container_name: vouch-proxy
+vouch_proxy_container_image_name: vouch-proxy
+vouch_proxy_container_image_namespace: vouch/
+vouch_proxy_container_image_registry: quay.io
+
+vouch_proxy_container_image_repository: >-
+  {{
+    (container_registries[vouch_proxy_container_image_registry] | default(vouch_proxy_container_image_registry))
+    + '/' + (vouch_proxy_container_image_namespace | default(''))
+    + vouch_proxy_container_image_name
+  }}
+vouch_proxy_container_image_reference: >-
+  {{
+    vouch_proxy_container_image_repository + ':'
+    + (vouch_proxy_container_image_tag | default(vouch_proxy_version))
+  }}
+
+vouch_proxy_container_image_force_pull: "{{ vouch_proxy_container_image_tag is defined }}"
+
+vouch_proxy_container_default_volumes:
+  - "{{ vouch_proxy_config_file }}:/config/config.yaml:ro"
+vouch_proxy_container_volumes: >-
+  {{ vouch_proxy_container_default_volumes
+     + vouch_proxy_container_extra_volumes | default([]) }}
+vouch_proxy_container_restart_policy: "unless-stopped"
+
+vouch_proxy_config_vouch_log_level: info
+vouch_proxy_config_vouch_listen: 0.0.0.0
+vouch_proxy_config_vouch_port: 9090
+vouch_proxy_config_vouch_domains: []
+vouch_proxy_config_vouch_document_root: ~
+
+vouch_proxy_oauth_config: {}
+vouch_proxy_vouch_config:
+  logLevel: "{{ vouch_proxy_config_vouch_log_level }}"
+  listen: "{{ vouch_proxy_config_vouch_listen }}"
+  port: "{{ vouch_proxy_config_vouch_port }}"
+  domains: "{{ vouch_proxy_config_vouch_domains }}"
+  document_root: "{{ vouch_proxy_config_vouch_document_root }}"
+
+vouch_proxy_config:
+  vouch: "{{ vouch_proxy_vouch_config }}"
+  oauth: "{{ vouch_proxy_oauth_config }}"

roles/vouch_proxy/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Ensure vouch-proxy was restarted
+  community.docker.docker_container:
+    name: "{{ vouch_proxy_container_name }}"
+    state: started
+    restart: yes
+  listen: restart-vouch-proxy

roles/vouch_proxy/meta/main.yml

@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: vouch_proxy
+  description: Ansible role to deploy vouch_proxy using docker
+  galaxy_tags:
+    - vouch_proxy
+    - oidc
+    - authentication
+    - authorization
+    - docker

roles/vouch_proxy/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+
+- name: Ensure vouch-proxy user '{{ vouch_proxy_user }}' exists
+  ansible.builtin.user:
+    name: "{{ vouch_proxy_user }}"
+    state: present
+    system: true
+  register: vouch_proxy_user_info
+
+- name: Ensure mounts are created
+  ansible.builtin.file:
+    dest: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner | default(vouch_proxy_user_info.uid | default(vouch_proxy_user)) }}"
+    group: "{{ item.owner | default(vouch_proxy_user_info.group | default(vouch_proxy_user)) }}"
+    mode: "{{ item.mode | default('0755') }}"
+  loop:
+    - path: "{{ vouch_proxy_base_path }}"
+    - path: "{{ vouch_proxy_config_path }}"
+
+- name: Ensure config file is templated
+  ansible.builtin.copy:
+    dest: "{{ vouch_proxy_config_file }}"
+    content: "{{ vouch_proxy_config | to_nice_yaml }}"
+    owner: "{{ vouch_proxy_user_info.uid | default(vouch_proxy_user) }}"
+    group: "{{ vouch_proxy_user_info.group | default(vouch_proxy_user) }}"
+    mode: "0640"
+  notify:
+    - restart-vouch-proxy
+
+- name: Ensure container image is present on host
+  community.docker.docker_image:
+    name: "{{ vouch_proxy_container_image_reference }}"
+    state: present
+    source: pull
+    force_source: "{{ vouch_proxy_container_image_force_pull | bool }}"
+
+- name: Ensure container '{{ vouch_proxy_container_name }}' is running
+  community.docker.docker_container:
+    name: "{{ vouch_proxy_container_name }}"
+    image: "{{ vouch_proxy_container_image_reference }}"
+    env: "{{ vouch_proxy_container_env | default(omit) }}"
+    user: "{{ vouch_proxy_user_info.uid | default(vouch_proxy_user) }}"
+    ports: "{{ vouch_proxy_container_ports | default(omit) }}"
+    volumes: "{{ vouch_proxy_container_volumes | default(omit) }}"
+    networks: "{{ vouch_proxy_container_networks | default(omit) }}"
+    purge_networks: "{{ vouch_proxy_container_purge_networks | default(omit) }}"
+    etc_hosts: "{{ vouch_proxy_container_etc_hosts | default(omit) }}"
+    restart_policy: "{{ vouch_proxy_container_restart_policy }}"
+    state: started