feat(vaultwarden): add ansible role

2024-10-18 20:34:26 +02:00
71 changed files with 118 additions and 1585 deletions
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# `finallycoffee.services` ansible collection
+# `finallycoffee.service` ansible collection

 ## Overview

@@ -23,17 +23,9 @@ concise area of concern.
 - [`jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org),
  the free software media system for streaming stored media to any device.

- [`keycloak`](roles/keycloak/README.md): Deploy [keycloak](https://www.keycloak.org/),
-  the open source identity and access management solution.
-
 - [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
  installation using the upstream provided docker-compose setup.

- [`pretix`](roles/pretix/README.md): Deploy [pretix](https://pretix.eu), the open source online ticketing solution.
-
- [`snipe_it`](roles/snipe_it/README.md): Deploys [Snipe-IT](https://snipeitapp.com/),
-  the free and open-source IT asset (and license) management with a powerful REST API
-
 - [`vaultwarden`](roles/vaultwarden/README.md): Deploy [vaultwarden](https://github.com/dani-garcia/vaultwarden/),
  an open-source implementation of the Bitwarden Server (formerly Bitwarden\_RS).

--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,15 +1,13 @@
 namespace: finallycoffee
 name: services
-version: "0.2.1"
+version: 0.1.5
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
 description: Various ansible roles useful for automating infrastructure
 dependencies:
-  "community.general": "^11.0.0"
-  "community.crypto": "^3.0.3"
-  "community.docker": "^4.7.0"
-  "containers.podman": "^1.16.0"
+  "community.crypto": "^2.0.0"
+  "community.docker": "^3.0.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
@@ -21,7 +19,4 @@ tags:
  - hedgedoc
  - jellyfin
  - vaultwarden
-  - snipeit
  - docker
-  - phpldapadmin
-  - pretix
--- a/playbooks/phpldapadmin.yml
+++ b/playbooks/phpldapadmin.yml
@@ -1,7 +0,0 @@
---
- name: Configure and run phpldapadmin
-  hosts: "{{ phpldapadmin_hosts | default('phpldapadmin', true) }}"
-  become: "{{ phpldapadmin_become | default(false) }}"
-  gather_facts: "{{ phpldapadmin_gather_facts | default(false) }}"
-  roles:
-    - role: finallycoffee.services.phpldapadmin
--- a/playbooks/pretix.yml
+++ b/playbooks/pretix.yml
@@ -1,112 +0,0 @@
---
- import_playbook: finallycoffee.databases.postgresql_client
-  when: pretix_configure_postgresql | default(true)
-  vars:
-    postgresql_hosts: "{{ pretix_hosts | default('pretix') }}"
-    postgresql_become: >-2
-      {{ pretix_postgresql_client_become | default(pretix_become | default(true)) }}
-    postgresql_client_database: "{{ pretix_postgresql_database | default('pretix') }}"
-    postgresql_client_username: "{{ pretix_postgresql_user | default('pretix') }}"
-    postgresql_client_password: >-2
-      {{ pretix_postgresql_password | mandatory(msg='pretix postgresql password is required') }}
-
- import_playbook: finallycoffee.base.lego_certificate
-  when: pretix_acquire_lego_certificate | default(false)
-  vars:
-    target_hosts: "pretix"
-    target_domains:
-      - "{{ pretix_domain }}"
-    target_acme_zone: "{{ acme_domain }}"
-    target_acme_account_email: "{{ pretix_lego_acme_account_email }}"
-    target_dns_server: "{{ dns_server }}"
-    target_dns_additional_records: "{{ pretix_dns_records }}"
-    target_dns_tsig_key: "{{ dns_tsig_keydata }}"
-    target_gather_facts: "{{ pretix_gather_facts | default(false) }}"
-
- import_playbook: finallycoffee.databases.valkey
-  when: pretix_configure_valkey | default(true)
-  vars:
-    valkey_hosts: "{{ pretix_hosts | default('pretix') }}"
-    valkey_instance: "pretix"
-    valkey_secret: "{{ pretix_redis_secret | mandatory(msg='pretix valkey secret is required') }}"
-    valkey_config_user:
-      - "default on +@all -DEBUG ~* &* >{{ pretix_redis_secret }}"
-    valkey_container_ports:
-      - "{{ pretix_redis_bind_addr | default('127.0.10.1:6739') }}:{{ valkey_config_port }}"
-    valkey_config_bind:
-      - "0.0.0.0"
-      - "-::"
-
- name: Install and configure pretix
-  hosts: "{{ pretix_hosts | default('pretix') }}"
-  become: "{{ pretix_become | default(true) }}"
-  gather_facts: "{{ pretix_gather_facts | default(false) }}"
-  roles:
-    - role: finallycoffee.services.pretix
-      vars:
-        pretix_config_url: "https://{{ pretix_domain }}"
-        pretix_config_database_name: "{{ pretix_postgresql_database | default('pretix') }}"
-        pretix_config_database_user: "{{ pretix_postgresql_user | default('pretix') }}"
-        pretix_config_database_password: "{{ pretix_postgresql_password }}"
-        pretix_config_redis_location: >-2
-          redis://:{{ pretix_redis_secret }}@{{ pretix_redis_bind_addr }}/0
-        pretix_config_celery_backend: >-2
-          redis://:{{ pretix_redis_secret }}@{{ pretix_redis_bind_addr }}/1
-        pretix_config_celery_broker: >-2
-          redis://:{{ pretix_redis_secret }}@{{ pretix_redis_bind_addr }}/2
-    - role: finallycoffee.base.nginx
-      when: pretix_configure_nginx | default(true)
-      vars:
-        nginx_container_name: "nginx-pretix"
-        nginx_container_labels: "{{ pretix_nginx_container_labels | default({}, true) }}"
-        nginx_config_file: "{{ nginx_base_path }}/nginx-pretix.conf"
-        nginx_config: |+
-          server {
-              listen 80 default_server;
-              server_name {{ pretix_domain }};
-              add_header Referrer-Policy same-origin;
-              add_header X-Content-Type-Options nosniff;
-              location / {
-                  proxy_pass http://{{ pretix_config_wsgi_bind_addr }};
-                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                  proxy_set_header X-Forwarded-Proto https;
-                  proxy_set_header Host $http_host;
-              }
-              location /media/ {
-                  alias {{ pretix_media_dir }}/;
-                  expires 7d;
-                  access_log off;
-              }
-              location ^~ /media/cachedfiles {
-                  deny all;
-                  return 404;
-              }
-              location ^~ /media/invoices {
-                  deny all;
-                  return 404;
-              }
-              location /static/staticfiles.json {
-                  deny all;
-                  return 404;
-              }
-              location /static/CACHE/manifest.json {
-                  deny all;
-                  return 404;
-              }
-              location /static/ {
-                  alias {{ pretix_static_asset_dir }};
-                  access_log off;
-                  expires 365d;
-                  add_header Cache-Control "public";
-              }
-          }
-        pretix_detected_python_version: >-2
-          python{{ ansible_python.version.major }}.{{ ansible_python.version.minor }}
-        pretix_static_asset_dir: >-2
-          {{ pretix_virtualenv_dir }}/lib/{{ pretix_python_version | default(pretix_detected_python_version) }}/site-packages/pretix/static.dist/
-        nginx_container_volumes:
-          - "{{ nginx_config_file }}:/etc/nginx/conf.d/nginx.conf:ro"
-          - "{{ pretix_media_dir }}:{{ pretix_media_dir }}:ro"
-          - "{{ pretix_static_asset_dir }}:{{ pretix_static_asset_dir }}:ro"
-  vars:
-    pretix_redis_bind_addr: "127.0.10.1:6739"
--- a/playbooks/snipe_it.yml
+++ b/playbooks/snipe_it.yml
@@ -1,6 +0,0 @@
---
- name: Install and configure Snipe-IT
-  hosts: "{{ snipe_it_hosts | default('snipe_it') }}"
-  become: "{{ snipe_it_become | default(true, false) }}"
-  roles:
-    - role: finallycoffee.services.snipe_it
--- a/roles/authelia/defaults/main.yml
+++ b/roles/authelia/defaults/main.yml
@@ -1,10 +1,8 @@
 ---
-authelia_version: "4.39.13"
+authelia_version: "4.38.16"
 authelia_user: authelia
 authelia_base_dir: /opt/authelia
 authelia_domain: authelia.example.org
-authelia_state: present
-authelia_deployment_method: docker

 authelia_config_dir: "{{ authelia_base_dir }}/config"
 authelia_config_file: "{{ authelia_config_dir }}/config.yaml"
@@ -15,7 +13,7 @@ authelia_notification_storage_file: "{{ authelia_data_dir }}/notifications.txt"
 authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml"

 authelia_container_name: authelia
-authelia_container_image_server: ghcr.io
+authelia_container_image_server: docker.io
 authelia_container_image_namespace: authelia
 authelia_container_image_name: authelia
 authelia_container_image: >-2
@@ -92,11 +90,7 @@ authelia_config_webauthn_disable: true
 authelia_config_webauthn_timeout: 60s
 authelia_config_webauthn_display_name: "Authelia ({{ authelia_domain }})"
 authelia_config_webauthn_attestation_conveyance_preference: indirect
-authelia_config_webauthn_user_verification: "preferred"
-authelia_config_webauthn_selection_criteria_user_verification: >-2
-  {{ authelia_config_webauthn_user_verification }}
-authelia_config_webauthn_selection_criteria_discoverability: "preferred"
-authelia_config_webauthn_selection_criteria_attachment: ""
+authelia_config_webauthn_user_verification: preferred
 authelia_config_duo_api_hostname: ~
 authelia_config_duo_api_integration_key: ~
 authelia_config_duo_api_secret_key: ~
@@ -111,8 +105,6 @@ authelia_config_authentication_backend_password_reset_disable: false
 authelia_config_authentication_backend_password_reset_custom_url: ~
 authelia_config_authentication_backend_ldap_implementation: custom
 authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389
-authelia_config_authentication_backend_ldap_address: >-2
-  {{ authelia_config_authentication_backend_ldap_url }}
 authelia_config_authentication_backend_ldap_timeout: 5s
 authelia_config_authentication_backend_ldap_start_tls: false
 authelia_config_authentication_backend_ldap_tls_skip_verify: false
@@ -163,19 +155,6 @@ authelia_config_session_inactivity: 5m
 authelia_config_session_remember_me_duration: 1M
 authelia_config_session_remember_me: >-2
  {{ authelia_config_session_remember_me_duration }}
-authelia_config_session_cookies:
-  - "{{ authelia_config_session_cookies_default }}"
-authelia_config_session_cookies_default_domain: >-2
-  {{ authelia_config_session_domain }}
-authelia_config_session_cookies_default_authelia_url: >-2
-  https://{{ authelia_config_session_cookies_default_domain }}
-authelia_config_session_cookies_default_default_redirection_url: >-2
-  {{ authelia_config_default_redirection_url }}
-authelia_config_session_cookies_default:
-  domain: "{{ authelia_config_session_cookies_default_domain }}"
-  authelia_url: "{{ authelia_config_session_cookies_default_authelia_url }}"
-  default_redirection_url: >-2
-    {{ authelia_config_session_cookies_default_default_redirection_url }}
 authelia_config_session_redis_host: "{{ authelia_redis_host }}"
 authelia_config_session_redis_port: "{{ authelia_redis_port }}"
 authelia_config_session_redis_username: "{{ authelia_redis_user }}"
@@ -212,10 +191,7 @@ authelia_config_notifier_smtp_disable_require_tls: false
 authelia_config_notifier_smtp_disable_html_emails: false
 authelia_config_notifier_smtp_tls_skip_verify: false
 authelia_config_notifier_smtp_tls_minimum_version: "{{ authelia_tls_minimum_version }}"
-authelia_config_identity_validation_reset_password_jwt_secret: >-2
-  {{ authelia_config_jwt_secret }}
-authelia_config_identity_validation_reset_password_jwt_lifespan: "5 minutes"
-authelia_config_identity_validation_reset_password_jwt_algorithm: "HS256"
+#authelia_config_identity_provider_

 authelia_database_type: ~
 authelia_database_host: ~
--- a/roles/authelia/handlers/main.yml
+++ b/roles/authelia/handlers/main.yml
@@ -4,7 +4,5 @@
  docker_container:
    name: "{{ authelia_container_name }}"
    state: started
-    restart: true
-    comparisons:
-      '*': ignore
+    restart: yes
  listen: restart-authelia
--- a/roles/authelia/tasks/deploy-docker.yml
+++ b/roles/authelia/tasks/deploy-docker.yml
@@ -1,61 +0,0 @@
---
- name: Ensure container mounts are present
-  when: authelia_state == 'present'
-  block:
-    - name: Ensure sqlite database file exists before mounting it
-      ansible.builtin.file:
-        path: "{{ authelia_sqlite_storage_file }}"
-        state: touch
-        owner: "{{ authelia_run_user }}"
-        group: "{{ authelia_run_group }}"
-        mode: "0640"
-        access_time: preserve
-        modification_time: preserve
-      when: authelia_config_storage_local_path | default(false, true)
-
-    - name: Ensure user database exists before mounting it
-      ansible.builtin.file:
-        path: "{{ authelia_user_storage_file }}"
-        state: touch
-        owner: "{{ authelia_run_user }}"
-        group: "{{ authelia_run_group }}"
-        mode: "0640"
-        access_time: preserve
-        modification_time: preserve
-      when: authelia_config_authentication_backend_file_path | default(false, true)
-
-    - name: Ensure notification reports file exists before mounting it
-      ansible.builtin.file:
-        path: "{{ authelia_notification_storage_file }}"
-        state: touch
-        owner: "{{ authelia_run_user }}"
-        group: "{{ authelia_run_group }}"
-        mode: "0640"
-        access_time: preserve
-        modification_time: preserve
-      when: authelia_config_notifier_filesystem_filename | default(false, true)
-
- name: Ensure authelia container image is {{ authelia_state }}
-  community.docker.docker_image:
-    name: "{{ authelia_container_image_ref }}"
-    state: "{{ authelia_state }}"
-    source: pull
-    force_source: "{{ authelia_container_image_force_pull }}"
-  register: authelia_container_image_info
-
- name: Ensure authelia container is {{ authelia_container_state }}
-  community.docker.docker_container:
-    name: "{{ authelia_container_name }}"
-    image: "{{ authelia_container_image_ref }}"
-    env: "{{ authelia_container_env }}"
-    user: "{{ authelia_run_user }}:{{ authelia_run_group }}"
-    ports: "{{ authelia_container_ports | default(omit, true) }}"
-    labels: "{{ authelia_container_labels }}"
-    volumes: "{{ authelia_container_volumes }}"
-    networks: "{{ authelia_container_networks | default(omit, true) }}"
-    etc_hosts: "{{ authelia_container_etc_hosts | default(omit, true) }}"
-    purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
-    restart_policy: "{{ authelia_container_restart_policy }}"
-    recreate: "{{ authelia_container_recreate | default(omit, true) }}"
-    state: "{{ authelia_container_state }}"
-  register: authelia_container_info
--- a/roles/authelia/tasks/main.yml
+++ b/roles/authelia/tasks/main.yml
@@ -1,30 +1,16 @@
 ---
- name: Check for valid state
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported state '{{ authelia_state }}'.
-      Supported states are {{ authelia_states | join(', ') }}.
-  when: authelia_state not in authelia_states

- name: Check for valid authelia deployment method
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported deployment method '{{ authelia_deployment_method }}'.
-      Supported states are {{ authelia_deployment_methods | join(', ') }}.
-  when: authelia_deployment_method not in authelia_deployment_methods
-
- name: Ensure user {{ authelia_user }} is {{ authelia_state }}
+- name: Ensure user {{ authelia_user }} exists
  ansible.builtin.user:
    name: "{{ authelia_user }}"
-    state: "{{ authelia_state }}"
+    state: present
    system: true
-    create_home: false
  register: authelia_user_info

- name: Ensure host directories are {{ authelia_state }}
+- name: Ensure host directories are created with correct permissions
  ansible.builtin.file:
    path: "{{ item.path }}"
-    state: "{{ (authelia_state == 'present') | ternary('directory', 'absent') }}"
+    state: directory
    owner: "{{ item.owner | default(authelia_user) }}"
    group: "{{ item.group | default(authelia_user) }}"
    mode: "{{ item.mode | default('0750') }}"
@@ -39,7 +25,7 @@
    - path: "{{ authelia_asset_dir }}"
      mode: "0750"

- name: Ensure config file is {{ authelia_state }}
+- name: Ensure config file is generated
  ansible.builtin.copy:
    content: "{{ authelia_config | to_nice_yaml(indent=2, width=10000) }}"
    dest: "{{ authelia_config_file }}"
@@ -47,8 +33,61 @@
    group: "{{ authelia_run_group }}"
    mode: "0640"
  notify: restart-authelia
-  when: authelia_state == 'present'

- name: Deploy authelia using {{ authelia_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ authelia_deployment_method }}.yml"
+- name: Ensure sqlite database file exists before mounting it
+  ansible.builtin.file:
+    path: "{{ authelia_sqlite_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_storage_local_path | default(false, true)
+
+- name: Ensure user database exists before mounting it
+  ansible.builtin.file:
+    path: "{{ authelia_user_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_authentication_backend_file_path | default(false, true)
+
+- name: Ensure notification reports file exists before mounting it
+  ansible.builtin.file:
+    path: "{{ authelia_notification_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_notifier_filesystem_filename | default(false, true)
+
+- name: Ensure authelia container image is present
+  community.docker.docker_image:
+    name: "{{ authelia_container_image_ref }}"
+    state: present
+    source: pull
+    force_source: "{{ authelia_container_image_force_pull }}"
+  register: authelia_container_image_info
+
+- name: Ensure authelia container is running
+  community.docker.docker_container:
+    name: "{{ authelia_container_name }}"
+    image: "{{ authelia_container_image_ref }}"
+    env: "{{ authelia_container_env }}"
+    user: "{{ authelia_run_user }}:{{ authelia_run_group }}"
+    ports: "{{ authelia_container_ports | default(omit, true) }}"
+    labels: "{{ authelia_container_labels }}"
+    volumes: "{{ authelia_container_volumes }}"
+    networks: "{{ authelia_container_networks | default(omit, true) }}"
+    etc_hosts: "{{ authelia_container_etc_hosts | default(omit, true) }}"
+    purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
+    restart_policy: "{{ authelia_container_restart_policy }}"
+    recreate: "{{ authelia_container_recreate | default(omit, true) }}"
+    state: "{{ authelia_container_state }}"
+  register: authelia_container_info
--- a/roles/authelia/vars/main.yml
+++ b/roles/authelia/vars/main.yml
@@ -1,9 +1,4 @@
 ---
-authelia_states:
-  - "present"
-  - "absent"
-authelia_deployment_methods:
-  - "docker"

 authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}"
 authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}"
@@ -25,6 +20,7 @@ authelia_container_base_labels:
 authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}"
 authelia_top_level_config:
  theme: "{{ authelia_config_theme }}"
+  jwt_secret: "{{ authelia_config_jwt_secret }}"
  log: "{{ authelia_config_log }}"
  telemetry: "{{ authelia_config_telemetry }}"
  totp: "{{ authelia_config_totp }}"
@@ -38,11 +34,12 @@ authelia_top_level_config:
  regulation: "{{ authelia_config_regulation }}"
  storage: "{{ authelia_config_storage }}"
  notifier: "{{ authelia_config_notifier }}"
-  identity_validation: "{{ authelia_config_identity_validation }}"

 authelia_base_config: >-2
  {{
    authelia_top_level_config
+    | combine({"default_redirection_url": authelia_config_default_redirection_url}
+      if authelia_config_default_redirection_url | default(false, true) else {})
    | combine(({"server": authelia_config_server })
      | combine({"tls": authelia_config_server_tls}
        if authelia_config_server_tls_key | default(false, true) else {}))
@@ -97,10 +94,7 @@ authelia_config_webauthn:
  timeout: "{{ authelia_config_webauthn_timeout }}"
  display_name: "{{ authelia_config_webauthn_display_name }}"
  attestation_conveyance_preference: "{{ authelia_config_webauthn_attestation_conveyance_preference }}"
-  selection_criteria:
-    attachment: "{{ authelia_config_webauthn_selection_criteria_attachment }}"
-    discoverability: "{{ authelia_config_webauthn_selection_criteria_discoverability }}"
-    user_verification: "{{ authelia_config_webauthn_selection_criteria_user_verification }}"
+  user_verification: "{{ authelia_config_webauthn_user_verification }}"
 authelia_config_duo_api:
  hostname: "{{ authelia_config_duo_api_hostname }}"
  integration_key: "{{ authelia_config_duo_api_integration_key }}"
@@ -129,7 +123,7 @@ authelia_config_authentication_backend_password_reset:
  disable: "{{ authelia_config_authentication_backend_password_reset_disable }}"
 authelia_config_authentication_backend_ldap:
  implementation: "{{ authelia_config_authentication_backend_ldap_implementation }}"
-  address: "{{ authelia_config_authentication_backend_ldap_address }}"
+  url: "{{ authelia_config_authentication_backend_ldap_url }}"
  timeout: "{{ authelia_config_authentication_backend_ldap_timeout }}"
  start_tls: "{{ authelia_config_authentication_backend_ldap_start_tls }}"
  tls:
@@ -176,19 +170,14 @@ authelia_config_access_control:
  default_policy: "{{ authelia_config_access_control_default_policy }}"
  networks: "{{ authelia_config_access_control_networks }}"
  rules: "{{ authelia_config_access_control_rules }}"
-authelia_config_session: >-2
-  {{ authelia_config_session_base
-    | combine(({'redis': authelia_config_session_redis}
-      if authelia_config_session_redis_host else {}), recursive=true)
-  }}
-authelia_config_session_base:
+authelia_config_session:
  name: "{{ authelia_config_session_name }}"
+  domain: "{{ authelia_config_session_domain }}"
  same_site: "{{ authelia_config_session_same_site }}"
  secret: "{{ authelia_config_session_secret }}"
  expiration: "{{ authelia_config_session_expiration }}" 
  inactivity: "{{ authelia_config_session_inactivity }}"
  remember_me: "{{ authelia_config_session_remember_me }}"
-  cookies: "{{ authelia_config_session_cookies }}"
 authelia_config_session_redis: >-2
  {{
    {
@@ -275,9 +264,3 @@ authelia_config_notifier_smtp:
  tls:
    skip_verify: "{{ authelia_config_notifier_smtp_tls_skip_verify }}"
    minimum_version: "{{ authelia_config_notifier_smtp_tls_minimum_version }}"
-authelia_config_identity_validation:
-  reset_password: "{{ authelia_config_identity_validation_reset_password }}"
-authelia_config_identity_validation_reset_password:
-  jwt_secret: "{{ authelia_config_identity_validation_reset_password_jwt_secret }}"
-  jwt_lifespan: "{{ authelia_config_identity_validation_reset_password_jwt_lifespan }}"
-  jwt_algorithm: "{{ authelia_config_identity_validation_reset_password_jwt_algorithm }}"
--- a/roles/ghost/defaults/main.yml
+++ b/roles/ghost/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 ghost_domain: ~
-ghost_version: "6.5.1"
+ghost_version: "5.96.0"
 ghost_user: ghost
 ghost_user_group: ghost
 ghost_base_path: /opt/ghost
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-gitea_version: "1.25.1"
+gitea_version: "1.22.3"
 gitea_user: git
 gitea_run_user: "{{ gitea_user }}"
 gitea_base_path: "/opt/gitea"
@@ -32,7 +32,6 @@ gitea_container_extra_labels: {}
 gitea_container_extra_ports: []
 gitea_container_extra_volumes: []
 gitea_container_state: started
-gitea_container_user: ~

 # container defaults
 gitea_container_base_volumes:
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: Ensure gitea user '{{ gitea_user }}' is present
  ansible.builtin.user:
    name: "{{ gitea_user }}"
@@ -74,7 +75,6 @@
    published_ports: "{{ gitea_container_ports }}"
    restart_policy: "{{ gitea_container_restart_policy }}"
    state: "{{ gitea_container_state }}"
-    user: "{{ gitea_container_user | default(omit, true) }}"

 - name: Ensure given configuration is set in the config file
  ansible.builtin.ini_file:
--- a/roles/hedgedoc/defaults/main/container.yml
+++ b/roles/hedgedoc/defaults/main/container.yml
@@ -53,5 +53,5 @@ hedgedoc_container_all_labels: >-2
  {{ hedgedoc_container_base_labels | default({}, true)
    | combine(hedgedoc_container_labels | default({}, true)) }}
 hedgedoc_container_restart_policy: >-2
-  {{ (hedgedoc_deployment_method == 'docker')
+  {{ (hedgedoc_deployment_method === 'docker')
      | ternary('unless-stopped', 'on-failure') }}
--- a/roles/hedgedoc/defaults/main/main.yml
+++ b/roles/hedgedoc/defaults/main/main.yml
@@ -1,6 +1,6 @@
 ---
 hedgedoc_user: hedgedoc
-hedgedoc_version: "1.10.3"
+hedgedoc_version: "1.10.0"

 hedgedoc_state: present
 hedgedoc_deployment_method: docker
--- a/roles/hedgedoc/tasks/check.yml
+++ b/roles/hedgedoc/tasks/check.yml
@@ -15,7 +15,7 @@
  when: hedgedoc_deployment_method not in hedgedoc_deployment_methods

 - name: Ensure required variables are given
-  ansible.builtin.fail:
+  ansible.builtin.file:
    msg: "Required variable '{{ item }}' is undefined!"
  loop: "{{ hedgedoc_required_arguments }}"
  when: >-2
--- a/roles/hedgedoc/tasks/deploy-podman.yml
+++ b/roles/hedgedoc/tasks/deploy-podman.yml
@@ -1,31 +0,0 @@
---
- name: Ensure container image '{{ hedgedoc_container_image }}' is {{ hedgedoc_state }}
-  containers.podman.podman_image:
-    name: "{{ hedgedoc_container_image }}"
-    state: "{{ hedgedoc_state }}"
-    pull: "{{ (hedgedoc_container_image_source == 'pull') | bool }}"
-    force: >-2
-      {{ hedgedoc_container_force_source | default(
-        hedgedoc_container_image_tag | default(false, true), true) }}
-  register: hedgedoc_container_image_info
-  until: hedgedoc_container_image_info is success
-  retries: 5
-  delay: 3
-
- name: Ensure container '{{ hedgedoc_container_name }}' is {{ hedgedoc_container_state }}
-  containers.podman.podman_container:
-    name: "{{ hedgedoc_container_name }}"
-    image: "{{ hedgedoc_container_image }}"
-    env: "{{ hedgedoc_container_env | default(omit, true) }}"
-    user: "{{ hedgedoc_container_user | default(omit, true) }}"
-    ports: "{{ hedgedoc_container_ports | default(omit, true) }}"
-    labels: "{{ hedgedoc_container_all_labels }}"
-    volumes: "{{ hedgedoc_container_all_volumes }}"
-    etc_hosts: "{{ hedgedoc_container_etc_hosts | default(omit, true) }}"
-    dns_servers: >-2
-      {{ hedgedoc_container_dns_servers | default(omit, true) }}
-    network_mode: >-2
-      {{ hedgedoc_container_network_mode | default(omit, true) }}
-    restart_policy: >-2
-      {{ hedgedoc_container_restart_policy | default(omit, true) }}
-    state: "{{ hedgedoc_container_state }}"
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
@@ -1,8 +1,7 @@
 ---
 jellyfin_user: jellyfin
-jellyfin_version: "10.11.2"
+jellyfin_version: 10.9.11
 jellyfin_state: present
-jellyfin_deployment_method: docker

 jellyfin_base_path: /opt/jellyfin
 jellyfin_config_path: "{{ jellyfin_base_path }}/config"
--- a/roles/jellyfin/tasks/deploy-docker.yml
+++ b/roles/jellyfin/tasks/deploy-docker.yml
@@ -1,26 +0,0 @@
---
- name: Ensure container image '{{ jellyfin_container_image_ref }}' is {{ jellyfin_state }}
-  community.docker.docker_image:
-    name: "{{ jellyfin_container_image_ref }}"
-    state: "{{ jellyfin_state }}"
-    source: "{{ jellyfin_container_image_source }}"
-    force_source: "{{ jellyfin_container_image_tag | default(false, true) }}"
-  register: jellyfin_container_image_pull_result
-  until: jellyfin_container_image_pull_result is succeeded
-  retries: 5
-  delay: 3
-
- name: Ensure container '{{ jellyfin_container_name }}' is {{ jellyfin_container_state }}
-  community.docker.docker_container:
-    name: "{{ jellyfin_container_name }}"
-    image: "{{ jellyfin_container_image_ref }}"
-    env: "{{ jellyfin_container_env | default(omit, true) }}"
-    user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
-    labels: "{{ jellyfin_container_labels }}"
-    volumes: "{{ jellyfin_container_volumes }}"
-    ports: "{{ jellyfin_container_ports | default(omit, true) }}"
-    networks: "{{ jellyfin_container_networks | default(omit, true) }}"
-    network_mode: "{{ jellyfin_container_network_mode }}"
-    etc_hosts: "{{ jellyfin_container_etc_hosts | default(omit, true) }}"
-    restart_policy: "{{ jellyfin_container_restart_policy }}"
-    state: "{{ jellyfin_container_state }}"
--- a/roles/jellyfin/tasks/deploy-podman.yml
+++ b/roles/jellyfin/tasks/deploy-podman.yml
@@ -1,22 +0,0 @@
---
- name: Ensure container image '{{ jellyfin_container_image_ref }}' is {{ jellyfin_state }}
-  containers.podman.podman_image:
-    name: "{{ jellyfin_container_image_ref }}"
-    state: "{{ jellyfin_state }}"
-    pull: "{{ (jellyfin_container_image_source == 'pull') | bool }}"
-    force: "{{ jellyfin_container_image_tag | default(false, true) }}"
-  register: jellyfin_container_image_pull_result
-  until: jellyfin_container_image_pull_result is succeeded
-  retries: 5
-  delay: 3
-
- name: Ensure container '{{ jellyfin_container_name }}' is {{ jellyfin_container_state }}
-  containers.podman.podman_container:
-    name: "{{ jellyfin_container_name }}"
-    image: "{{ jellyfin_container_image_ref }}"
-    user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
-    labels: "{{ jellyfin_container_labels }}"
-    volumes: "{{ jellyfin_container_volumes }}"
-    network: "{{ jellyfin_container_networks | default(omit, True) }}"
-    restart_policy: "{{ jellyfin_container_restart_policy }}"
-    state: "{{ jellyfin_container_state }}"
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@@ -6,13 +6,6 @@
      states are {{ jellyfin_states | join(', ') }}.
  when: jellyfin_state not in jellyfin_states

- name: Check if deployment method is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported state '{{ jellyfin_deployment_method }}'. Supported
-      states are {{ jellyfin_deployment_methods | join(', ') }}.
-  when: jellyfin_deployment_method not in jellyfin_deployment_methods
-
 - name: Ensure jellyfin user '{{ jellyfin_user }}' is {{ jellyfin_state }}
  ansible.builtin.user:
    name: "{{ jellyfin_user }}"
@@ -30,6 +23,25 @@
    mode: "{{ item.mode }}"
  loop: "{{ jellyfin_host_directories }}"

- name: Ensure jellyfin is deployed using {{ jellyfin_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ jellyfin_deployment_method }}.yml"
+- name: Ensure container image '{{ jellyfin_container_image_ref }}' is {{ jellyfin_state }}
+  community.docker.docker_image:
+    name: "{{ jellyfin_container_image_ref }}"
+    state: "{{ jellyfin_state }}"
+    source: "{{ jellyfin_container_image_source }}"
+    force_source: "{{ jellyfin_container_image_tag | default(false, true) }}"
+  register: jellyfin_container_image_pull_result
+  until: jellyfin_container_image_pull_result is succeeded
+  retries: 5
+  delay: 3
+
+- name: Ensure container '{{ jellyfin_container_name }}' is {{ jellyfin_container_state }}
+  community.docker.docker_container:
+    name: "{{ jellyfin_container_name }}"
+    image: "{{ jellyfin_container_image_ref }}"
+    user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
+    labels: "{{ jellyfin_container_labels }}"
+    volumes: "{{ jellyfin_container_volumes }}"
+    networks: "{{ jellyfin_container_networks | default(omit, True) }}"
+    network_mode: "{{ jellyfin_container_network_mode }}"
+    restart_policy: "{{ jellyfin_container_restart_policy }}"
+    state: "{{ jellyfin_container_state }}"
--- a/roles/jellyfin/vars/main.yml
+++ b/roles/jellyfin/vars/main.yml
@@ -2,9 +2,6 @@
 jellyfin_states:
  - present
  - absent
-jellyfin_deployment_methods:
-  - docker
-  - podman

 jellyfin_container_base_volumes:
  - "{{ jellyfin_config_path }}:/config:z"
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -1,16 +0,0 @@
-# `finallycoffee.services.keycloak` ansible role
-
-Ansible role for deploying keycloak, currently only supports docker.
-
-Migrated from `entropia.sso.keycloak`.
-
-## Required variables
-
- `keycloak_database_password` - password for the database user
- `keycloak_config_hostname` - public domain of the keycloak server
-
-## Database configuration
-
- `keycloak_database_hostname` - hostname of the database server, defaults to `localhost`
- `keycloak_database_username` - username to use when connecting to the database server, defaults to `keycloak`
- `keycloak_database_database` - name of the database to use, defaults to `keycloak`
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -1,51 +0,0 @@
---
-keycloak_version: "26.4.2"
-keycloak_container_name: keycloak
-
-keycloak_container_image_upstream_registry: quay.io
-keycloak_container_image_upstream_namespace: keycloak
-keycloak_container_image_upstream_name: keycloak
-keycloak_container_image_upstream: >-2
-  {{
-    ([
-      keycloak_container_image_upstream_registry | default([]),
-      keycloak_container_image_upstream_namespace | default([]),
-      keycloak_container_image_upstream_name,
-    ] | flatten | join('/'))
-  }}
-keycloak_container_image_name: "keycloak:{{ keycloak_version }}-custom"
-
-keycloak_container_database_vendor: postgres
-keycloak_base_path: /opt/keycloak
-keycloak_container_build_directory: "{{ keycloak_base_path }}/build"
-keycloak_container_build_jar_directory: providers
-keycloak_container_build_flags: {}
-keycloak_provider_jars_directory: "{{ keycloak_base_path }}/providers"
-keycloak_build_provider_jars_directory: "{{ keycloak_container_build_directory }}/{{ keycloak_container_build_jar_directory }}"
-
-keycloak_database_hostname: localhost
-keycloak_database_port: 5432
-keycloak_database_username: keycloak
-keycloak_database_password: ~
-keycloak_database_database: keycloak
-
-keycloak_container_env: {}
-keycloak_container_labels: ~
-keycloak_container_volumes: ~
-keycloak_container_restart_policy: unless-stopped
-keycloak_container_command: >-2
-  start
-  --db-username {{ keycloak_database_username }}
-  --db-password {{ keycloak_database_password }}
-  --db-url jdbc:postgresql://{{ keycloak_database_hostname }}{{ keycloak_database_port | ternary(':' ~ keycloak_database_port, '') }}/{{ keycloak_database_database }}
-  {{ keycloak_container_extra_start_flags | default([]) | join(' ') }}
-  --proxy-headers=xforwarded
-  --hostname {{ keycloak_config_hostname }}
-  --optimized
-
-keycloak_config_health_enabled: true
-keycloak_config_metrics_enabled: true
-
-keycloak_config_hostname: localhost
-keycloak_config_admin_username: admin
-keycloak_config_admin_password: ~
--- a/roles/keycloak/meta/main.yml
+++ b/roles/keycloak/meta/main.yml
@@ -1,13 +0,0 @@
---
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: keycloak
-  description: Deploy keycloak, the opensource identity and access management solution
-  galaxy_tags:
-    - keycloak
-    - sso
-    - oidc
-    - oauth2
-    - iam
-    - docker
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -1,72 +0,0 @@
---
-
- name: Ensure build directory exists
-  ansible.builtin.file:
-    name: "{{ keycloak_container_build_directory }}"
-    state: directory
-    recurse: yes
-    mode: 0700
-  tags:
-    - keycloak-build-container
-
- name: Ensure provider jars directory exists
-  ansible.builtin.file:
-    name: "{{ keycloak_provider_jars_directory }}"
-    state: directory
-    mode: 0775
-  tags:
-    - keycloak-build-container
-
- name: Ensure Dockerfile is templated
-  ansible.builtin.template:
-    src: Dockerfile.j2
-    dest: "{{ keycloak_container_build_directory }}/Dockerfile"
-    mode: 0700
-  register: keycloak_buildfile_info
-  tags:
-    - keycloak-container
-    - keycloak-build-container
-
- name: Ensure upstream Keycloak container image '{{ keycloak_container_image_upstream }}:{{ keycloak_version }}' is present
-  community.docker.docker_image:
-    name: "{{ keycloak_container_image_upstream }}:{{ keycloak_version }}"
-    source: pull
-    state: present
-  register: keycloak_container_image_upstream_status
-  tags:
-    - keycloak-container
-    - keycloak-build-container
-
- name: Ensure custom keycloak container image '{{ keycloak_container_image_name }}' is built
-  community.docker.docker_image:
-    name: "{{ keycloak_container_image_name }}"
-    build:
-      args:
-        DB_VENDOR: "{{ keycloak_container_database_vendor }}"
-        KC_ADMIN_PASSWORD: "{{ keycloak_config_admin_password }}"
-      dockerfile: "{{ keycloak_container_build_directory }}/Dockerfile"
-      path: "{{ keycloak_container_build_directory }}"
-    source: build
-    state: present
-    force_source: "{{ keycloak_buildfile_info.changed or keycloak_container_image_upstream_status.changed or (keycloak_force_rebuild_container | default(false))}}"
-  register: keycloak_container_image_status
-  tags:
-    - keycloak-container
-    - keycloak-build-container
-
- name: Ensure keycloak container is running
-  community.docker.docker_container:
-    name: "{{ keycloak_container_name }}"
-    image: "{{ keycloak_container_image_name }}"
-    env: "{{ keycloak_container_env | default(omit, true) }}"
-    ports: "{{ keycloak_container_ports | default(omit, true) }}"
-    hostname: "{{ keycloak_container_hostname | default(omit) }}"
-    labels: "{{ keycloak_container_labels | default(omit, true) }}"
-    volumes: "{{ keycloak_container_volumes | default(omit, true) }}"
-    restart_policy: "{{ keycloak_container_restart_policy }}"
-    recreate: "{{ keycloak_container_force_recreate | default(false) or (keycloak_container_image_status.changed if keycloak_container_image_status is defined else false) }}"
-    etc_hosts: "{{ keycloak_container_etc_hosts | default(omit) }}"
-    state: started
-    command: "{{ keycloak_container_command }}"
-  tags:
-    - keycloak-container
--- a/roles/keycloak/templates/Dockerfile.j2
+++ b/roles/keycloak/templates/Dockerfile.j2
@@ -1,43 +0,0 @@
-FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }} as builder
-
-# Enable health and metrics support
-ENV KC_HEALTH_ENABLED={{ keycloak_config_health_enabled | ternary('true', 'false') }}
-ENV KC_METRICS_ENABLED={{ keycloak_config_metrics_enabled | ternary('true', 'false') }}
-
-# Configure a database vendor
-ARG DB_VENDOR
-ENV KC_DB=$DB_VENDOR
-
-WORKDIR {{ keycloak_container_working_directory }}
-
-{% if keycloak_container_image_add_local_providers | default(true) %}
-ADD ./providers/* providers/
-{% endif %}
-# Workaround to set correct mode on jar files
-USER root
-RUN chmod -R 0770 providers/*
-USER keycloak
-
-RUN {{ keycloak_container_working_directory }}/bin/kc.sh --verbose \
-{% for argument in keycloak_container_build_flags | dict2items(key_name='flag', value_name='value') %}
-  --{{- argument['flag'] -}}{{- argument['value'] | default(false, true) | ternary('=' + argument['value'], '') }} \
-{% endfor%}
-  build{% if keycloak_container_build_features | default([]) | length > 0 %} \
-{% endif %}
-{% if keycloak_container_build_features | default([]) | length > 0 %}
-  --features="{{ keycloak_container_build_features | join(',') }}"
-{% endif %}
-
-
-FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }}
-COPY --from=builder {{ keycloak_container_working_directory }}/ {{ keycloak_container_working_directory }}/
-
-ENV KC_HOSTNAME={{ keycloak_config_hostname }}
-ENV KEYCLOAK_ADMIN={{ keycloak_config_admin_username }}
-ARG KC_ADMIN_PASSWORD
-{% if keycloak_version | split('.') | first | int > 21 %}
-ENV KEYCLOAK_ADMIN_PASSWORD=$KC_ADMIN_PASSWORD
-{% else %}
-ENV KEYCLOAK_PASSWORD=$KC_ADMIN_PASSWORD
-{% endif %}
-ENTRYPOINT ["{{ keycloak_container_working_directory }}/bin/kc.sh"]
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -1,3 +0,0 @@
---
-
-keycloak_container_working_directory: /opt/keycloak
--- a/roles/openproject/defaults/main.yml
+++ b/roles/openproject/defaults/main.yml
@@ -2,9 +2,9 @@
 openproject_base_path: "/opt/openproject"

 openproject_upstream_git_url: "https://github.com/opf/openproject-deploy.git"
-openproject_upstream_git_branch: "stable/14"
+openproject_upstream_git_branch: "stable/13"

-openproject_compose_project_path: "{{ openproject_base_path }}"
+openproject_compose_project_path: "{{ openproject_base_path }}/compose"
 openproject_compose_project_name: "openproject"
 openproject_compose_project_env_file: "{{ openproject_compose_project_path }}/.env"
 openproject_compose_project_override_file: "{{ openproject_compose_project_path }}/docker-compose.override.yml"
--- a/roles/openproject/tasks/main.yml
+++ b/roles/openproject/tasks/main.yml
@@ -26,13 +26,14 @@
    content: "{{ openproject_compose_overrides | default({}) | to_nice_yaml }}"

 - name: Ensure containers are pulled
-  community.docker.docker_compose_v2:
+  community.docker.docker_compose:
    project_src: "{{ openproject_compose_project_path }}"
    project_name: "{{ openproject_compose_project_name }}"
-    pull: "missing"
+    pull: true

 - name: Ensure services are running
-  community.docker.docker_compose_v2:
+  community.docker.docker_compose:
    project_src: "{{ openproject_compose_project_path }}"
    project_name: "{{ openproject_compose_project_name }}"
    state: "present"
+    build: false
--- a/roles/phpldapadmin/README.md
+++ b/roles/phpldapadmin/README.md
@@ -1,3 +0,0 @@
-# `finallycoffee.services.phpldapadmin`
-
-Role to deploy and configure [phpldapadmin](https://github.com/leenooks/phpLDAPadmin).
--- a/roles/phpldapadmin/defaults/main/container.yml
+++ b/roles/phpldapadmin/defaults/main/container.yml
@@ -1,39 +0,0 @@
---
-phpldapadmin_container_name: phpldapadmin
-phpldapadmin_container_image_registry: docker.io
-phpldapadmin_container_image_namespace: phpldapadmin
-phpldapadmin_container_image_name: phpldapadmin
-phpldapadmin_container_image_repository: >-2
-  {{
-    [
-      phpldapadmin_container_image_registry | default([], true),
-      phpldapadmin_container_image_namespace | default([], true),
-      phpldapadmin_container_image_name
-    ] | flatten | join('/')
-  }}
-phpldapadmin_container_image: >-2
-  {{
-    [
-      phpldapadmin_container_image_repository,
-      phpldapadmin_container_image_tag | default(phpldapadmin_version, true)
-    ] | join(':')
-  }}
-phpldapadmin_container_image_tag: ~
-phpldapadmin_container_image_source: pull
-phpldapadmin_container_image_force_source: >-2
-  {{ phpldapadmin_container_image_tag | default(false, true) }}
-phpldapadmin_container_env: ~
-phpldapadmin_container_user: ~
-phpldapadmin_container_ports: ~
-phpldapadmin_container_labels: ~
-phpldapadmin_container_volumes: ~
-phpldapadmin_container_networks: ~
-phpldapadmin_container_network_mode: ~
-phpldapadmin_container_dns_servers: ~
-phpldapadmin_container_etc_hosts: ~
-phpldapadmin_container_memory: ~
-phpldapadmin_container_memory_swap: ~
-phpldapadmin_container_memory_reservation: ~
-phpldapadmin_container_restart_policy: "on-failure"
-phpldapadmin_container_state: >-2
-  {{ (phpldapadmin_state == 'present') | ternary('started', 'absent') }}
--- a/roles/phpldapadmin/defaults/main/main.yml
+++ b/roles/phpldapadmin/defaults/main/main.yml
@@ -1,5 +0,0 @@
---
-phpldapadmin_version: "2.3.4"
-
-phpldapadmin_state: present
-phpldapadmin_deployment_method: docker
--- a/roles/phpldapadmin/tasks/deploy-docker.yml
+++ b/roles/phpldapadmin/tasks/deploy-docker.yml
@@ -1,27 +0,0 @@
---
- name: Ensure phpldapadmin container image '{{ phpldapadmin_container_image }}' is {{ phpldapadmin_state }}
-  community.docker.docker_image:
-    name: "{{ phpldapadmin_container_image }}"
-    state: "{{ phpldapadmin_state }}"
-    source: "{{ phpldapadmin_container_image_source }}"
-    force_source: "{{ phpldapadmin_container_image_force_source }}"
-
- name: Ensure phpldapadmin container '{{ phpldapadmin_container_name }}' is {{ phpldapadmin_container_state }}
-  community.docker.docker_container:
-    name: "{{ phpldapadmin_container_name }}"
-    image: "{{ phpldapadmin_container_image }}"
-    env: "{{ phpldapadmin_container_env | default(omit, true) }}"
-    user: "{{ phpldapadmin_container_user | default(omit, true) }}"
-    ports: "{{ phpldapadmin_container_ports | default(omit, true) }}"
-    labels: "{{ phpldapadmin_container_labels | default(omit, true) }}"
-    volumes: "{{ phpldapadmin_container_volumes | default(omit, true) }}"
-    networks: "{{ phpldapadmin_container_networks | default(omit, true) }}"
-    network_mode: "{{ phpldapadmin_container_network_mode | default(omit, true) }}"
-    dns_servers: "{{ phpldapadmin_container_dns_servers | default(omit, true) }}"
-    etc_hosts: "{{ phpldapadmin_container_etc_hosts | default(omit, true) }}"
-    memory: "{{ phpldapadmin_container_memory | default(omit, true) }}"
-    memory_swap: "{{ phpldapadmin_container_memory_swap | default(omit, true) }}"
-    memory_reservation: >-2
-      {{ phpldapadmin_container_memory_reservation | default(omit, true) }}
-    restart_policy: "{{ phpldapadmin_container_restart_policy | default(omit, true) }}"
-    state: "{{ phpldapadmin_container_state }}"
--- a/roles/phpldapadmin/tasks/main.yml
+++ b/roles/phpldapadmin/tasks/main.yml
@@ -1,18 +0,0 @@
---
- name: Ensure 'phpldapadmin_state' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported state '{{ phpldapadmin_state }}'!
-      Supported states are {{ phpldapadmin_states | join(', ') }}
-  when: phpldapadmin_state not in phpldapadmin_states
-
- name: Ensure 'phpldapadmin_deployment_method' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported deployment method '{{ phpldapadmin_deployment_method }}'!
-      Supported deployment methods are {{ phpldapadmin_deployment_methods | join(', ') }}
-  when: phpldapadmin_deployment_method not in phpldapadmin_deployment_methods
-
- name: Deploy using {{ phpldapadmin_deployment_method }}
-  ansible.builtin.import_tasks:
-    file: "deploy-{{ phpldapadmin_deployment_method }}.yml"
--- a/roles/phpldapadmin/vars/main.yml
+++ b/roles/phpldapadmin/vars/main.yml
@@ -1,6 +0,0 @@
---
-phpldapadmin_states:
-  - "present"
-  - "absent"
-phpldapadmin_deployment_methods:
-  - "docker"
--- a/roles/pretix/README.md
+++ b/roles/pretix/README.md
@@ -1,54 +0,0 @@
-# `finallycoffee.services.pretix` ansible role
-
-Deploy [pretix](https://pretix.eu) using ansible. Note that this
-role does not configure pretix beyond its own configuration file,
-and requires changing a default admin password after a successful
-installation.
-
-## Configuration
-
-For all available configuration options, see [`defaults/main/config.yml`](defaults/main/config.yml)
-and other supporting files in the [`defaults/main/`](defaults/main/) folder.
-
-To add custom configuration to pretix, populate them in `pretix_config`,
-where they will be (recusively) merged into the default configuration.
-
-### Required
-
- `pretix_domain`: domain of the pretix instance
- `pretix_postgresql_password`: password for the (default: postgresql) database
- `pretix_config_redis_location`: connection string for the main pretix redis database
- `pretix_config_celery_backend`: connection string for the celery backend, can be a (different!) redis database
- `pretix_config_celery_broker`: connection string for the celery broker, can be a (yet another different) redis database
-
-For examples on how a redis server (like valkey) can be configured
-for redis, see [`playbooks/pretix.yml`](../../playbooks/pretix.yml).
-
-### Mailing
-
-Set up mails in pretix by populating the following variables:
- `pretix_config_mail_host`: domain/IP and optional port of the SMTP server
- `pretix_config_mail_user`: SMTP user to authenticate
- `pretix_config_mail_password`: password for the SMTP user
-
-### Plugins
-
-To install more plugins, list the wanted `pypi` packages as a list in
-`pretix_plugins`. They will be installed in the created virtualenv, and migrations and an asset rebuild will be automatically started.
-
-If your plugin requires custom configuration (f.ex.: `pretix-oidc`),
-add the configuration into `pretix_config`.
-
-## Troubleshooting
-
-### virtualenv
-
-By default, the virtualenv is located in `/var/lib/pretix/virtualenv`.
-This can be controlled by setting `pretix_virtualenv_dir`.
-
-NOTE: To fix a broken virtualenv, try setting `pretix_virtualenv_state` to `forcereinstall` (see
-[`ansible.builtin.pip` on docs.ansible.com](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/pip_module.html)).
-
-NOTE: To install pip packages or execute migrations in the virtualenv, ansible
-needs to become the unprivilated `pretix_user` (default: `pretix`). This might
-require having the `acl` system package installed.
--- a/roles/pretix/defaults/main/config.yml
+++ b/roles/pretix/defaults/main/config.yml
@@ -1,86 +0,0 @@
---
-pretix_config_instance_name: "My pretix installation"
-pretix_config_url: "https://pretix.example.org"
-pretix_config_currency: "EUR"
-pretix_config_data_dir: "{{ pretix_data_dir }}"
-pretix_config_trust_x_forwarded_for: "on"
-pretix_config_trust_x_forwarded_proto: "on"
-
-pretix_config_wsgi_name: "pretix"
-pretix_config_wsgi_workers: 4
-pretix_config_wsgi_max_requests: 100
-pretix_config_wsgi_log_level: "info"
-pretix_config_wsgi_bind_addr: "127.0.0.1:8345"
-pretix_config_worker_log_level: "{{ pretix_config_wsgi_log_level }}"
-
-pretix_config_database_backend: postgresql
-pretix_config_database_name: pretix
-pretix_config_database_user: pretix
-pretix_config_database_password: ~
-pretix_config_database_host: ""
-
-pretix_config_mail_host: ~
-pretix_config_mail_from: "tickets@example.org"
-pretix_config_mail_user: ~
-pretix_config_mail_password: ~
-pretix_config_mail_tls: true
-pretix_config_mail_ssl: false
-
-pretix_config_redis_location: ~
-pretix_config_redis_sessions: true
-
-pretix_config_celery_backend: ~
-pretix_config_celery_broker: ~
-
-pretix_app_config:
-  url: "{{ pretix_config_url }}"
-  instance_name: "{{ pretix_config_instance_name }}"
-  datadir: "{{ pretix_config_data_dir }}"
-  trust_x_forwarded_for: "{{ pretix_config_trust_x_forwarded_for }}"
-  trust_x_forwarded_proto: "{{ pretix_config_trust_x_forwarded_proto }}"
-  currency: "{{ pretix_config_currency }}"
-
-pretix_database_config:
-  backend: "{{ pretix_config_database_backend }}"
-  name: "{{ pretix_config_database_name }}"
-  user: "{{ pretix_config_database_user }}"
-  password: "{{ pretix_config_database_password }}"
-  host: "{{ pretix_config_database_host }}"
-
-pretix_mail_minimal_config:
-  host: "{{ pretix_config_mail_host }}"
-  from: "{{ pretix_config_mail_from }}"
-pretix_mail_config: >-2
-  {{ pretix_mail_minimal_config
-    | combine({'user': pretix_config_mail_user} if pretix_config_mail_user else {})
-    | combine({'password': pretix_config_mail_password} if pretix_config_mail_password else {})
-    | combine({'ssl': pretix_config_mail_ssl | bool | ternary('on', 'off')} if pretix_config_mail_ssl else {})
-    | combine({'tls': pretix_config_mail_tls | bool | ternary('on', 'off')} if pretix_config_mail_tls else {})
-  }}
-
-pretix_redis_config:
-  location: "{{ pretix_config_redis_location }}"
-  sessions: "{{ pretix_config_redis_sessions | bool | ternary('true', 'false') }}"
-
-pretix_celery_config:
-  backend: "{{ pretix_config_celery_backend }}"
-  broker: "{{ pretix_config_celery_broker }}"
-
-pretix_config: {}
-pretix_default_config:
-  pretix: "{{ pretix_app_config }}"
-  database: "{{ pretix_database_config }}"
-  mail: "{{ pretix_mail_config }}"
-  redis: "{{ pretix_redis_config }}"
-  celery: "{{ pretix_celery_config }}"
-
-pretix_config_merged: >-2
-  {{ pretix_default_config | combine(pretix_config | default({}), recursive=True) }}
-
-pretix_config_file_content: |+2
-  {% for kv in (pretix_config_merged | dict2items) %}
-  [{{ kv.key }}]
-  {% for entry in ((kv.value | default({}, true)) | dict2items) %}
-  {{ entry.key }}={{ entry.value }}
-  {% endfor %}
-  {% endfor %}
--- a/roles/pretix/defaults/main/main.yml
+++ b/roles/pretix/defaults/main/main.yml
@@ -1,16 +0,0 @@
---
-pretix_version: "2025.9.0"
-pretix_state: "present"
-pretix_deployment_method: "systemd"
-
-pretix_config_file: "/etc/pretix/pretix.cfg"
-pretix_config_file_owner: "{{ pretix_user_id }}"
-pretix_config_file_group: "{{ pretix_group_id }}"
-pretix_config_file_mode: "0640"
-pretix_config_dir: "{{ pretix_config_file | dirname }}"
-pretix_install_dir: "/var/lib/pretix"
-pretix_virtualenv_dir: "{{ pretix_install_dir }}/virtualenv"
-pretix_data_dir: "{{ pretix_install_dir }}/data"
-pretix_media_dir: "{{ pretix_data_dir }}/media"
-
-pretix_plugins: []
--- a/roles/pretix/defaults/main/system_packages.yml
+++ b/roles/pretix/defaults/main/system_packages.yml
@@ -1,22 +0,0 @@
---
-pretix_debian_packages:
-  - "git"
-  - "build-essential"
-  - "python3-dev"
-  - "python3-venv"
-  - "python3"
-  - "python3-pip"
-  - "libxml2-dev"
-  - "libxslt1-dev"
-  - "libffi-dev"
-  - "zlib1g-dev"
-  - "libssl-dev"
-  - "gettext"
-  - "libpq-dev"
-  - "libjpeg-dev"
-  - "libopenjp2-7-dev"
-  - "nodejs"
-
-pretix_packages:
-  "debian":
-    "12": "{{ pretix_debian_packages }}"
--- a/roles/pretix/defaults/main/systemd.yml
+++ b/roles/pretix/defaults/main/systemd.yml
@@ -1,50 +0,0 @@
---
-pretix_systemd_unit_description: "pretix web service"
-pretix_systemd_unit_after: "network.target"
-pretix_systemd_unit_file_path: >-2
-  /etc/systemd/system/{{ pretix_systemd_service_name }}
-
-pretix_systemd_service_name: "pretix.service"
-pretix_systemd_service_user: "{{ pretix_user }}"
-pretix_systemd_service_group: "{{ pretix_user }}"
-pretix_systemd_service_environment:
-  VIRTUAL_ENV: "{{ pretix_virtualenv_dir }}"
-  PATH: "{{ pretix_virtualenv_dir }}/bin:/usr/local/bin:/usr/bin:/bin"
-pretix_systemd_service_working_directory: "{{ pretix_install_dir }}"
-pretix_systemd_service_exec_start: >-2
-  {{ pretix_virtualenv_dir }}/bin/gunicorn pretix.wsgi
-  --name {{ pretix_config_wsgi_name }}
-  --workers {{ pretix_config_wsgi_workers }}
-  --max-requests {{ pretix_config_wsgi_max_requests }}
-  --log-level={{ pretix_config_wsgi_log_level }}
-  --bind={{ pretix_config_wsgi_bind_addr }}
-pretix_systemd_service_restart: "on-failure"
-
-pretix_systemd_install_wanted_by: "multi-user.target"
-
-# pretix worker
-pretix_worker_systemd_service_name: "pretix-worker.service"
-pretix_worker_systemd_service_description: "pretix worker service"
-pretix_worker_systemd_unit_file_path: >-2
-  /etc/systemd/system/{{ pretix_worker_systemd_service_name }}
-pretix_worker_systemd_service_exec_start: >-2
-  {{ pretix_virtualenv_dir }}/bin/celery
-  -A pretix.celery_app worker
-  -l  {{ pretix_config_worker_log_level }}
-
-# pretix cron
-pretix_cron_systemd_service_name: "pretix-cron.service"
-pretix_cron_systemd_service_description: "pretix cron service"
-pretix_cron_systemd_unit_file_path: >-2
-  /etc/systemd/system/{{ pretix_cron_systemd_service_name }}
-pretix_cron_systemd_service_exec_start: >-2
-  python3 -m pretix runperiodic
-
-pretix_cron_systemd_timer_name: "pretix-cron.timer"
-pretix_cron_systemd_timer_description: "pretix cron timer"
-pretix_cron_systemd_timer_file_path: >-2
-  /etc/systemd/system/{{ pretix_cron_systemd_timer_name }}
-pretix_cron_systemd_timer_on_active_sec: 1800
-pretix_cron_systemd_timer_on_startup_sec: >-2
-  {{ pretix_cron_systemd_timer_on_active_sec }}
-pretix_cron_systemd_timer_accuracy_sec: 60
--- a/roles/pretix/defaults/main/user.yml
+++ b/roles/pretix/defaults/main/user.yml
@@ -1,7 +0,0 @@
---
-pretix_user: "pretix"
-pretix_user_system: true
-pretix_user_create_home: false
-
-pretix_user_id: "{{ pretix_user_info.uid | default(pretix_user) }}"
-pretix_group_id: "{{ pretix_user_info.group | default(pretix_user) }}"
--- a/roles/pretix/defaults/main/virtualenv.yml
+++ b/roles/pretix/defaults/main/virtualenv.yml
@@ -1,11 +0,0 @@
---
-pretix_virtualenv_state: "{{ pretix_state }}"
-pretix_virtualenv_packages:
-  - "pip"
-  - "setuptools"
-  - "wheel"
-  - "gunicorn"
-  - "pretix=={{ pretix_version }}"
-
-pretix_virtualenv_site_packages: false
-pretix_virtualenv_command: "python3 -m venv"
--- a/roles/pretix/handlers/main.yml
+++ b/roles/pretix/handlers/main.yml
@@ -1,6 +0,0 @@
---
- name: Ensure pretix systemd service is restarted
-  listen: pretix_restart
-  ansible.builtin.systemd_service:
-    name: "{{ pretix_systemd_service_name }}"
-    state: "restarted"
--- a/roles/pretix/meta/main.yml
+++ b/roles/pretix/meta/main.yml
@@ -1,9 +0,0 @@
---
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: pretix
-  description: Ansible role to deploy pretix (https://pretix.eu)
-  galaxy_tags:
-    - pretix
-    - ticketing
--- a/roles/pretix/tasks/check.yml
+++ b/roles/pretix/tasks/check.yml
@@ -1,14 +0,0 @@
---
- name: Ensure 'pretix_state' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported pretix_state '{{ pretix_state }}'.
-      Supported states are {{ pretix_states | join(', ') }}
-  when: pretix_state not in pretix_states
-
- name: Ensure 'pretix_deployment_method' is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported pretix_state '{{ pretix_deployment_method }}'.
-      Supported states are {{ pretix_deployment_methods | join(', ') }}
-  when: pretix_deployment_method not in pretix_deployment_methods
--- a/roles/pretix/tasks/configure.yml
+++ b/roles/pretix/tasks/configure.yml
@@ -1,10 +0,0 @@
---
- name: Ensure configuration file is written
-  ansible.builtin.copy:
-    dest: "{{ pretix_config_file }}"
-    content: "{{ pretix_config_file_content }}"
-    owner: "{{ pretix_config_file_owner }}"
-    group: "{{ pretix_config_file_group }}"
-    mode: "{{ pretix_config_file_mode }}"
-  when: pretix_state == 'present'
-  register: pretix_config_file_info
--- a/roles/pretix/tasks/deploy-systemd.yml
+++ b/roles/pretix/tasks/deploy-systemd.yml
@@ -1,64 +0,0 @@
---
- name: Ensure virtualenv in {{ pretix_virtualenv_dir }} is present
-  ansible.builtin.pip:
-    name: "{{ pretix_virtualenv_packages + pretix_plugins }}"
-    state: "{{ pretix_virtualenv_state }}"
-    chdir: "{{ pretix_install_dir }}"
-    virtualenv: "{{ pretix_virtualenv_dir }}"
-    virtualenv_command: "{{ pretix_virtualenv_command | default(omit, true) }}"
-    virtualenv_site_packages: "{{ pretix_virtualenv_site_packages }}"
-  become: true
-  become_user: "{{ pretix_user }}"
-  register: pretix_virtualenv_info
-
-# TODO: determine to only do this on a) upgrades or b) initial deployis
- name: Ensure pretix database migrations are run
-  ansible.builtin.command:
-    cmd: "{{ pretix_virtualenv_dir }}/bin/python -m pretix migrate"
-    chdir: "{{ pretix_install_dir }}"
-  environment:
-    VIRTUAL_ENV: "{{ pretix_virtualenv_dir }}"
-  become: true
-  become_user: "{{ pretix_user }}"
-  notify: pretix_restart
-  when:
-    - pretix_state == 'present'
-    - pretix_virtualenv_info.changed or pretix_config_file_info.changed
-
-# TODO: determine to only do this on a) upgrades or b) initial deployis
- name: Ensure pretix static assets are built
-  ansible.builtin.command:
-    cmd: "{{ pretix_virtualenv_dir }}/bin/python -m pretix rebuild"
-    chdir: "{{ pretix_install_dir }}"
-  environment:
-    VIRTUAL_ENV: "{{ pretix_virtualenv_dir }}"
-  become: true
-  become_user: "{{ pretix_user }}"
-  notify: pretix_restart
-  when:
-    - pretix_state == 'present'
-    - pretix_virtualenv_info.changed or pretix_config_file_info.changed
-
- name: Ensure pretix systemd service is enabled
-  ansible.builtin.systemd_service:
-    name: "{{ _service }}"
-    enabled: true
-  when: pretix_state == 'present'
-  loop:
-    - "{{ pretix_systemd_service_name }}"
-    - "{{ pretix_worker_systemd_service_name }}"
-    - "{{ pretix_cron_systemd_service_name }}"
-    - "{{ pretix_cron_systemd_timer_name }}"
-  loop_control:
-    loop_var: _service
-
- name: Ensure pretix systemd service is {{ pretix_state }}
-  ansible.builtin.systemd_service:
-    name: "{{ _service }}"
-    state: "{{ (pretix_state == 'present') | ternary('started', 'stopped') }}"
-  loop:
-    - "{{ pretix_systemd_service_name }}"
-    - "{{ pretix_worker_systemd_service_name }}"
-    - "{{ pretix_cron_systemd_timer_name }}"
-  loop_control:
-    loop_var: _service
--- a/roles/pretix/tasks/deploy.yml
+++ b/roles/pretix/tasks/deploy.yml
@@ -1,5 +0,0 @@
---
- name: Ensure pretix is deployed using {{ pretix_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ pretix_deployment_method }}.yml"
-  when: pretix_state == 'present'
--- a/roles/pretix/tasks/main.yml
+++ b/roles/pretix/tasks/main.yml
@@ -1,16 +0,0 @@
---
- name: Ensure preconditions are met
-  ansible.builtin.include_tasks:
-    file: "check.yml"
-
- name: Ensure deployment preparations are done
-  ansible.builtin.include_tasks:
-    file: "prepare.yml"
-
- name: Ensure pretix is configured
-  ansible.builtin.include_tasks:
-    file: "configure.yml"
-
- name: Ensure pretix is deployed
-  ansible.builtin.include_tasks:
-    file: "deploy.yml"
--- a/roles/pretix/tasks/prepare-systemd.yml
+++ b/roles/pretix/tasks/prepare-systemd.yml
@@ -1,61 +0,0 @@
---
- name: Ensure ansible facts are collected
-  ansible.builtin.setup:
-    gather_subset:
-      - "!all"
-      - "pkg_mgr"
-      - "distribution"
-      - "distribution_release"
-      - "distribution_version"
-      - "distribution_major_version"
-
- name: Ensure system packages are present (apt)
-  ansible.builtin.apt:
-    name: "{{ package }}"
-    state: "{{ pretix_state }}"
-  loop: "{{ pretix_packages[ansible_distribution | lower][ansible_distribution_major_version] }}"
-  loop_control:
-    loop_var: "package"
-  when: ansible_facts['pkg_mgr'] == 'apt'
-
-# TODO: add pretix worker and cron
- name: Ensure systemd unit {{ pretix_systemd_unit_name }} is {{ pretix_state }}
-  ansible.builtin.template:
-    src: "pretix.service.j2"
-    dest: "{{ pretix_systemd_unit_file_path }}"
-  register: pretix_systemd_unit_info
-  notify:
-    - pretix_restart
-
- name: Ensure systemd unit {{ pretix_worker_systemd_unit_name }} is {{ pretix_state }}
-  ansible.builtin.template:
-    src: "pretix.service.j2"
-    dest: "{{ pretix_worker_systemd_unit_file_path }}"
-  register: pretix_worker_systemd_unit_info
-  vars:
-    pretix_systemd_service_exec_start: "{{ pretix_worker_systemd_service_exec_start }}"
-    pretix_systemd_service_description: "{{ pretix_worker_systemd_service_description }}"
-
- name: Ensure systemd unit {{ pretix_cron_systemd_service_name }} is {{ pretix_state }}
-  ansible.builtin.template:
-    src: "pretix.service.j2"
-    dest: "{{ pretix_cron_systemd_unit_file_path }}"
-  register: pretix_cron_systemd_unit_info
-  vars:
-    pretix_systemd_service_exec_start: "{{ pretix_cron_systemd_service_exec_start }}"
-    pretix_systemd_service_description: "{{ pretix_cron_systemd_service_description }}"
-
- name: Ensure systemd timer unit {{ pretix_cron_systemd_timer_name }} is {{ pretix_state }}
-  ansible.builtin.template:
-    src: "pretix-cron.timer.j2"
-    dest: "{{ pretix_cron_systemd_timer_file_path }}"
-  register: pretix_cron_systemd_timer_info
-
- name: Ensure systemd is reloaded
-  ansible.builtin.systemd_service:
-    daemon_reload: true
-  when: >-2
-    pretix_systemd_unit_info.changed
-    or pretix_worker_systemd_unit_info.changed
-    or pretix_cron_systemd_unit_info.changed
-    or pretix_cron_systemd_timer_info.changed
--- a/roles/pretix/tasks/prepare.yml
+++ b/roles/pretix/tasks/prepare.yml
@@ -1,29 +0,0 @@
---
- name: Ensure pretix user '{{ pretix_user }}' is {{ pretix_state }}
-  ansible.builtin.user:
-    name: "{{ pretix_user }}"
-    state: "{{ pretix_state }}"
-    system: "{{ pretix_user_system }}"
-    create_home: "{{ pretix_user_create_home }}"
-  register: pretix_user_info
-
- name: Ensure host directories are {{ pretix_state }}
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    owner: "{{ item.owner | default(pretix_user_id) }}"
-    group: "{{ item.group | default(pretix_group_id) }}"
-    mode: "{{ item.mode | default('0750') }}"
-    state: "directory"
-  loop:
-    - path: "{{ pretix_config_dir }}"
-    - path: "{{ pretix_virtualenv_dir }}"
-    - path: "{{ pretix_data_dir }}"
-    - path: "{{ pretix_media_dir }}"
-  when: pretix_state == 'present'
-
- name: Ensure deployment-type specific preparations for '{{ pretix_deployment_method }}' are run
-  ansible.builtin.include_tasks:
-    file: "prepare-{{ pretix_deployment_method }}.yml"
-  when:
-    - pretix_state == 'present'
-    - pretix_deployment_method in ['systemd']
--- a/roles/pretix/templates/pretix-cron.timer.j2
+++ b/roles/pretix/templates/pretix-cron.timer.j2
@@ -1,10 +0,0 @@
-[Unit]
-Description={{ pretix_cron_systemd_timer_description }}
-
-[Timer]
-OnActiveSec={{ pretix_cron_systemd_timer_on_active_sec }}
-OnStartupSec={{ pretix_cron_systemd_timer_on_startup_sec }}
-AccuracySec={{ pretix_cron_systemd_timer_accuracy_sec }}
-
-[Install]
-WantedBy=timers.target
--- a/roles/pretix/templates/pretix.service.j2
+++ b/roles/pretix/templates/pretix.service.j2
@@ -1,16 +0,0 @@
-[Unit]
-Description={{ pretix_systemd_unit_description }}
-After={{ pretix_systemd_unit_after }}
-
-[Service]
-User={{ pretix_systemd_service_user }}
-Group={{ pretix_systemd_service_group }}
-{% for kv in pretix_systemd_service_environment | dict2items %}
-Environment="{{ kv.key }}={{ kv.value }}"
-{% endfor %}
-WorkingDirectory={{ pretix_systemd_service_working_directory }}
-ExecStart={{ pretix_systemd_service_exec_start }}
-Restart={{ pretix_systemd_service_restart }}
-
-[Install]
-WantedBy={{ pretix_systemd_install_wanted_by }}
--- a/roles/pretix/vars/main.yml
+++ b/roles/pretix/vars/main.yml
@@ -1,7 +0,0 @@
---
-pretix_states:
-  - "present"
-  - "absent"
-
-pretix_deployment_methods:
-  - "systemd"
--- a/roles/snipe_it/README.md
+++ b/roles/snipe_it/README.md
@@ -1,46 +0,0 @@
-# `finallycoffee.services.snipe_it` ansible role
-
-[Snipe-IT](https://snipeitapp.com/) is an open-source asset management with
-a powerful JSON-REST API. This ansible role deploys and configures Snipe-IT.
-
-## Requirements
-
-Snipe-IT requires a MySQL-Database like MariaDB and a working email service
-for sending email. For installing and configuring MariaDB, see
-[`finallycoffee.base.mariadb`](https://galaxy.ansible.com/ui/repo/published/finallycoffee/base/content/role/mariadb/).
-
-## Configuration
-
-Required variables to set are:
-
- `snipe_it_domain` - domain name of the snipe-it instance
- `snipe_it_config_app_url` - URL where snipe-it will be reachable including protocol and port
- `snipe_it_config_app_key` - Laravel application key
-
-### Database configuration
-
-All (database) options from the upstream laravel `.env` file are available
-under the `snipe_it_config_db_*` prefix. Configure a database as follows:
-```
-snipe_it_config_db_host: localhost # defaults to localhost
-snipe_it_config_db_port: "3306" # defaults to 3306
-snipe_it_config_db_database: my_snipe_db_name # defaults to 'snipeit'
-snipe_it_config_db_username: my_snipe_db_user # defaults to 'snipeit'
-snipe_it_config_db_password: my_snipe_db_password
-# Set this if the database is shared with
-# other applications. defaults to not set
-snipe_it_config_db_prefix: snipe_
-```
-
-### Email configuration
-
-Configuring an email server is mandatory. An example is provided below:
-```yaml
-snipe_it_config_mail_host: smtp.example.com
-snipe_it_config_mail_username: snipe_user@snipe.example.com
-snipe_it_config_mail_password: i_want_to_be_strong_and_long
-snipe_it_config_mail_from_addr: "noreply@snipe.example.com"
-snipe_it_config_mail_from_name: "Example.com SnipeIT instance"
-```
-
-The default smtp port is `587` and can be set in `snipe_it_config_mail_port`.
--- a/roles/snipe_it/defaults/main/config.yml
+++ b/roles/snipe_it/defaults/main/config.yml
@@ -1,131 +0,0 @@
---
-snipe_it_config_app_version: "v{{ snipe_it_version }}"
-snipe_it_config_app_port: 8000
-snipe_it_config_app_env: "production"
-snipe_it_config_app_debug: false
-snipe_it_config_app_key: ~
-snipe_it_config_app_url: "http://localhost:{{ snipe_it_config_app_port }}"
-snipe_it_config_app_timezone: UTC
-snipe_it_config_app_locale: en-US
-snipe_it_config_app_locked: false
-snipe_it_config_app_cipher: "AES-256-GCM"
-snipe_it_config_app_force_tls: false
-snipe_it_config_app_trusted_proxies:
-  - '192.168.0.0/16'
-  - '172.16.0.0/12'
-  - '10.0.0.0/8'
-
-snipe_it_config_db_connection: mysql
-snipe_it_config_db_host: localhost
-snipe_it_config_db_port: "3306"
-snipe_it_config_db_database: snipeit
-snipe_it_config_db_username: snipeit
-snipe_it_config_db_password: ~
-snipe_it_config_db_prefix: ~
-snipe_it_config_db_dump_path: /usr/bin/
-snipe_it_config_db_charset: utf8mb4
-snipe_it_config_db_collation: utf8mb4_unicode_ci
-snipe_it_config_db_ssl: false
-snipe_it_config_db_ssl_is_paas: false
-snipe_it_config_db_ssl_key_path: ~
-snipe_it_config_db_ssl_cert_path: ~
-snipe_it_config_db_ssl_ca_path: ~
-snipe_it_config_db_ssl_cipher: ~
-snipe_it_config_db_ssl_verify_server: ~
-
-snipe_it_config_mail_mailer: smtp
-snipe_it_config_mail_host: ~
-snipe_it_config_mail_port: 587
-snipe_it_config_mail_username: ~
-snipe_it_config_mail_password: ~
-snipe_it_config_mail_tls_verify_peer: true
-snipe_it_config_mail_from_addr: ~
-snipe_it_config_mail_from_name: ~
-snipe_it_config_mail_replyto_addr: "{{ snipe_it_config_mail_from_addr }}"
-snipe_it_config_mail_replyto_name: "{{ snipe_it_config_mail_from_name }}"
-snipe_it_config_mail_auto_embed_method: attachment
-snipe_it_config_mail_backup_notification_driver: ~
-snipe_it_config_mail_backup_notification_address: ~
-
-snipe_it_config_private_filesystem_disk: "local"
-snipe_it_config_public_filesystem_disk: "local_public"
-snipe_it_config_allow_backup_delete: false
-snipe_it_config_allow_data_purge: false
-snipe_it_config_image_lib: 'gd'
-
-snipe_it_config_log_channel: 'stderr'
-snipe_it_config_log_max_days: 10
-
-snipe_it_config_cookie_name: "_snipe_session"
-snipe_it_config_cookie_domain: "{{ snipe_it_domain }}"
-snipe_it_config_secure_cookies: true
-
-snipe_it_config_session_driver: file
-snipe_it_config_session_lifetime: 12000
-snipe_it_config_cache_driver: file
-snipe_it_config_cache_prefix: snipeit
-snipe_it_config_queue_driver: file
-
-snipe_it_base_config:
-  APP_VERSION: "{{ snipe_it_config_app_version }}"
-  APP_PORT: "{{ snipe_it_config_app_port }}"
-  APP_ENV: "{{ snipe_it_config_app_env }}"
-  APP_DEBUG: "{{ snipe_it_config_app_debug }}"
-  APP_KEY: "{{ snipe_it_config_app_key }}"
-  APP_URL: "{{ snipe_it_config_app_url }}"
-  APP_TIMEZONE: "{{ snipe_it_config_app_timezone }}"
-  APP_LOCALE: "{{ snipe_it_config_app_locale }}"
-  APP_LOCKED: "{{ snipe_it_config_app_locked }}"
-  APP_CIPHER: "{{ snipe_it_config_app_cipher }}"
-  APP_FORCE_TLS: "{{ snipe_it_config_app_force_tls }}"
-  APP_TRUSTED_PROXIES: "{{ snipe_it_config_app_trusted_proxies | join(',') }}"
-  DB_CONNECTION: "{{ snipe_it_config_db_connection }}"
-  DB_HOST: "{{ snipe_it_config_db_host }}"
-  DB_PORT: "{{ snipe_it_config_db_port }}"
-  DB_DATABASE: "{{ snipe_it_config_db_database }}"
-  DB_USERNAME: "{{ snipe_it_config_db_username }}"
-  DB_PASSWORD: "{{ snipe_it_config_db_password }}"
-  DB_PREFIX: "{{ snipe_it_config_db_prefix | default('null', true) }}"
-  DB_DUMP_PATH: "{{ snipe_it_config_db_dump_path }}"
-  DB_CHARSET: "{{ snipe_it_config_db_charset }}"
-  DB_COLLATION: "{{ snipe_it_config_db_collation }}"
-  DB_SSL: "{{ snipe_it_config_db_ssl }}"
-  DB_SSL_IS_PAAS: "{{ snipe_it_config_db_ssl_is_paas }}"
-  DB_SSL_KEY_PATH: "{{ snipe_it_config_db_ssl_key_path | default('null', true) }}"
-  DB_SSL_CERT_PATH: "{{ snipe_it_config_db_ssl_cert_path | default('null', true) }}"
-  DB_SSL_CA_PATH: "{{ snipe_it_config_db_ssl_ca_path | default('null', true) }}"
-  DB_SSL_CIPHER: "{{ snipe_it_config_db_ssl_cipher | default('null', true) }}"
-  DB_SSL_VERIFY_SERVER: "{{ snipe_it_config_db_ssl_verify_server | default('null', true) }}"
-  MAIL_MAILER: "{{ snipe_it_config_mail_mailer }}"
-  MAIL_HOST: "{{ snipe_it_config_mail_host }}"
-  MAIL_PORT: "{{ snipe_it_config_mail_port }}"
-  MAIL_USERNAME: "{{ snipe_it_config_mail_username }}"
-  MAIL_PASSWORD: "{{ snipe_it_config_mail_password }}"
-  MAIL_TLS_VERIFY_PEER: "{{ snipe_it_config_mail_tls_verify_peer }}"
-  MAIL_FROM_ADDR: "{{ snipe_it_config_mail_from_addr | default('null', true) }}"
-  MAIL_FROM_NAME: "{{ snipe_it_config_mail_from_name | default('null', true) }}"
-  MAIL_REPLYTO_ADDR: "{{ snipe_it_config_mail_replyto_addr | default('null', true) }}"
-  MAIL_REPLYTO_NAME: "{{ snipe_it_config_mail_replyto_name | default('null', true) }}"
-  MAIL_AUTO_EMBED_METHOD: "{{ snipe_it_config_mail_auto_embed_method }}"
-  MAIL_BACKUP_NOTIFICATION_DRIVER: "{{ snipe_it_config_mail_backup_notification_driver }}"
-  MAIL_BACKUP_NOTIFICATION_ADDRESS: "{{ snipe_it_config_mail_backup_notification_address }}"
-  SESSION_DRIVER: "{{ snipe_it_config_session_driver }}"
-  SESSION_LIFETIME: "{{ snipe_it_config_session_lifetime }}"
-  CACHE_DRIVER: "{{ snipe_it_config_cache_driver }}"
-  CACHE_PREFIX: "{{ snipe_it_config_cache_prefix }}"
-  QUEUE_DRIVER: "{{ snipe_it_config_queue_driver }}"
-  PRIVATE_FILESYSTEM_DISK: "{{ snipe_it_config_private_filesystem_disk }}"
-  PUBLIC_FILESYSTEM_DISK: "{{ snipe_it_config_public_filesystem_disk }}"
-  ALLOW_BACKUP_DELETE: "{{ snipe_it_config_allow_backup_delete }}"
-  ALLOW_DATA_PURGE: "{{ snipe_it_config_allow_data_purge }}"
-  IMAGE_LIB: "{{ snipe_it_config_image_lib }}"
-  LOG_CHANNEL: "{{ snipe_it_config_log_channel }}"
-  LOG_MAX_DAYS: "{{ snipe_it_config_log_max_days }}"
-  COOKIE_NAME: "{{ snipe_it_config_cookie_name }}"
-  COOKIE_DOMAIN: "{{ snipe_it_config_cookie_domain }}"
-  SECURE_COOKIES: "{{ snipe_it_config_secure_cookies }}"
-
-snipe_it_config: ~
-snipe_it_merged_config: >-2
-  {{ (snipe_it_base_config | default({}, true))
-    | combine((snipe_it_config | default({}, true)), recursive=True) }}
--- a/roles/snipe_it/defaults/main/container.yml
+++ b/roles/snipe_it/defaults/main/container.yml
@@ -1,48 +0,0 @@
---
-snipe_it_container_image_registry: docker.io
-snipe_it_container_image_namespace: 'snipe'
-snipe_it_container_image_name: 'snipe-it'
-snipe_it_container_image_tag: ~
-snipe_it_container_image_flavour: alpine
-snipe_it_container_image_source: pull
-snipe_it_container_image_force_source: >-2
-  {{ snipe_it_container_image_tag | default(false, true) | bool }}
-snipe_it_container_image: >-2
-  {{
-    ([
-      snipe_it_container_image_registry | default([], true),
-      snipe_it_container_image_namespace | default([], true),
-      snipe_it_container_image_name,
-    ] | flatten | join('/'))
-    + ':'
-    + (snipe_it_container_image_tag | default(
-        'v' + snipe_it_version + (
-          ((snipe_it_container_image_flavour is string)
-            and (snipe_it_container_image_flavour | length > 0))
-          | ternary(
-            '-' + snipe_it_container_image_flavour | default('', true),
-            ''
-          )
-        ),
-        true
-    ))
-  }}
-
-snipe_it_container_env_file: "/var/www/html/.env"
-snipe_it_container_data_directory: "/var/lib/snipeit/"
-snipe_it_container_volumes:
-  - "{{ snipe_it_data_directory }}:{{ snipe_it_container_data_directory }}:z"
-
-snipe_it_container_name: 'snipe-it'
-snipe_it_container_state: >-2
-  {{ (snipe_it_state == 'present') | ternary('started', 'absent') }}
-snipe_it_container_env: ~
-snipe_it_container_user: ~
-snipe_it_container_ports: ~
-snipe_it_container_labels: ~
-snipe_it_container_recreate: ~
-snipe_it_container_networks: ~
-snipe_it_container_etc_hosts: ~
-snipe_it_container_dns_servers: ~
-snipe_it_container_network_mode: ~
-snipe_it_container_restart_policy: 'unless-stopped'
--- a/roles/snipe_it/defaults/main/main.yml
+++ b/roles/snipe_it/defaults/main/main.yml
@@ -1,9 +0,0 @@
---
-snipe_it_user: snipeit
-snipe_it_version: "8.3.4"
-snipe_it_domain: ~
-snipe_it_state: present
-snipe_it_deployment_method: docker
-
-snipe_it_env_file: /etc/snipeit/env
-snipe_it_data_directory: /var/lib/snipeit
--- a/roles/snipe_it/defaults/main/user.yml
+++ b/roles/snipe_it/defaults/main/user.yml
@@ -1,5 +0,0 @@
---
-snipe_it_run_user_id: >-2
-  {{ snipe_it_user_info.uid | default(snipe_it_user) }}
-snipe_it_run_group_id: >-2
-  {{ snipe_it_user_info.group | default(snipe_it_user) }}
--- a/roles/snipe_it/meta/main.yml
+++ b/roles/snipe_it/meta/main.yml
@@ -1,12 +0,0 @@
---
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: snipe_it
-  description: >-2
-    Deploy Snipe-IT, an open-source asset / license management system with
-    powerful JSON REST API
-  galaxy_tags:
-    - snipeit
-    - asset-management
-    - docker
--- a/roles/snipe_it/tasks/check.yml
+++ b/roles/snipe_it/tasks/check.yml
@@ -1,14 +0,0 @@
---
- name: Ensure state is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported state '{{ snipe_it_state }}'!
-      Supported states are {{ snipe_it_states | join(', ') }}.
-  when: snipe_it_state is not in snipe_it_states
-
- name: Ensure deployment method is valid
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported deployment_method '{{ snipe_it_deployment_method }}'!
-      Supported values are {{ snipe_it_deployment_methods | join(', ') }}.
-  when: snipe_it_deployment_method is not in snipe_it_deployment_methods
--- a/roles/snipe_it/tasks/deploy-docker.yml
+++ b/roles/snipe_it/tasks/deploy-docker.yml
@@ -1,30 +0,0 @@
---
- name: Ensure container image '{{ snipe_it_container_image }}' is {{ snipe_it_state }}
-  community.docker.docker_image:
-    name: "{{ snipe_it_container_image }}"
-    state: "{{ snipe_it_state }}"
-    source: "{{ snipe_it_container_image_source }}"
-    force_source: "{{ snipe_it_container_image_force_source }}"
-  register: snipe_it_container_image_info
-  until: snipe_it_container_image_info is success
-  retries: 5
-  delay: 3
-
- name: Ensure container '{{ snipe_it_container_name }}' is {{ snipe_it_container_state }}
-  community.docker.docker_container:
-    name: "{{ snipe_it_container_name }}"
-    image: "{{ snipe_it_container_image }}"
-    env_file: "{{ snipe_it_env_file }}"
-    env: "{{ snipe_it_container_env | default(omit, true) }}"
-    user: "{{ snipe_it_container_user | default(omit, true) }}"
-    ports: "{{ snipe_it_container_ports | default(omit, true) }}"
-    labels: "{{ snipe_it_container_labels | default(omit, true) }}"
-    volumes: "{{ snipe_it_container_volumes | default(omit, true) }}"
-    networks: "{{ snipe_it_container_networks | default(omit, true) }}"
-    etc_hosts: "{{ snipe_it_container_etc_hosts | default(omit, true) }}"
-    dns_servers: "{{ snipe_it_container_dns_servers | default(omit, true) }}"
-    network_mode: "{{ snipe_it_container_network_mode | default(omit, true) }}"
-    restart_policy: >-2
-      {{ snipe_it_container_restart_policy | default(omit, true) }}
-    recreate: "{{ snipe_it_container_recreate | default(omit, true) }}"
-    state: "{{ snipe_it_container_state }}"
--- a/roles/snipe_it/tasks/main.yml
+++ b/roles/snipe_it/tasks/main.yml
@@ -1,59 +0,0 @@
---
- name: Check preconditions
-  ansible.builtin.include_tasks:
-    file: "check.yml"
-
- name: Ensure snipe-it user '{{ snipe_it_user }}' is {{ snipe_it_state }}
-  ansible.builtin.user:
-    name: "{{ snipe_it_user }}"
-    state: "{{ snipe_it_state }}"
-    system: "{{ snipe_it_user_system | default(true, true) }}"
-    create_home: "{{ snipe_it_user_create_home | default(false, true) }}"
-    groups: "{{ snipe_it_user_groups | default(omit, true) }}"
-    append: >-2
-      {{
-        snipe_it_user_groups_append | default(
-            snipe_it_user_groups | default([], true) | length > 0,
-            true,
-        )
-      }}
-  register: snipe_it_user_info
-
- name: Ensure snipe-it environment file is {{ snipe_it_state }}
-  ansible.builtin.file:
-    path: "{{ snipe_it_env_file }}"
-    state: "{{ snipe_it_state }}"
-  when: snipe_it_state == 'absent'
-
- name: Ensure snipe-it config directory is {{ snipe_it_state }}
-  ansible.builtin.file:
-    path: "{{ snipe_it_env_file | dirname }}"
-    state: "{{ (snipe_it_state == 'present') | ternary('directory', 'absent') }}"
-    owner: "{{ snipe_it_run_user_id }}"
-    group: "{{ snipe_it_run_group_id }}"
-    mode: "0755"
-  when: snipe_it_state == 'present'
-
- name: Ensure snipe-it data directory '{{ snipe_it_data_directory }}' is {{ snipe_it_state }}
-  ansible.builtin.file:
-    path: "{{ snipe_it_data_directory }}"
-    state: "{{ (snipe_it_state == 'present') | ternary('directory', 'absent') }}"
-    owner: "{{ snipe_it_run_user_id }}"
-    group: "{{ snipe_it_run_group_id }}"
-    mode: "0755"
-
- name: Ensure snipe-it environment file is templated
-  ansible.builtin.copy:
-    content: |+2
-      {% for entry in snipe_it_merged_config | dict2items %}
-      {{ entry.key }}={{ entry.value }}
-      {% endfor %}
-    dest: "{{ snipe_it_env_file }}"
-    owner: "{{ snipe_it_run_user_id }}"
-    group: "{{ snipe_it_run_group_id }}"
-    mode: "0640"
-  when: snipe_it_state == 'present'
-
- name: Deploy using {{ snipe_it_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ snipe_it_deployment_method }}.yml"
--- a/roles/snipe_it/vars/main.yml
+++ b/roles/snipe_it/vars/main.yml
@@ -1,6 +0,0 @@
---
-snipe_it_states:
-  - present
-  - absent
-snipe_it_deployment_methods:
-  - docker
--- a/roles/vaultwarden/README.md
+++ b/roles/vaultwarden/README.md
@@ -1,12 +1,5 @@
 # `finallycoffee.services.vaultwarden` ansible role

-Vaultwarden is an unofficial (not associated with Bitwarden) bitwarden API compatible
-server backend, formally called `bitwarden_rs`, written in rust.
-
-This ansible role can deploy and configure `vaultwarden`, and supports removing
-itself using `vaultwarden_state: absent` (Warning: It does not ask for confirmation,
-and will remove all user data when instructed to remove it).
-
 ## Configuration

 To use this role, the following variables need to be populated:
@@ -14,14 +7,9 @@ To use this role, the following variables need to be populated:
 - `vaultwarden_config_domain` - always. Changing this will lead to two-factor not working for two-factor methods registered in the past.
 - `vaultwarden_config_admin_token` - if `vaultwarden_config_disable_admin_token` is `false`.

-Setting other configuration values for vaultwarden can be done using role-provided flattened keys in the
-`vaultwarden_config_*` namespace (see [`defaults/main/config.yml`](defaults/main/config.yml) for available variables),
-or by setting the configuration directly in the same structure as the `config.json` would be in `vaultwarden_config`.
-
 ### Email

-Configure mailing by first enabling SMTP using `vaultwarden_config_enable_smtp: true`,
-then configure your email server like this:
+Configure mailing by first enabling SMTP using `vaultwarden_config_enable_smtp: true`, then configure your email server like this:
 ```yaml
 vaultwarden_config:
  smtp_host: "mail.example.com"
@@ -36,8 +24,7 @@ vaultwarden_config:

 ### 2FA via email

-To enable email-based two-factor-authentication, set `vaultwarden_config_enable_email_2fa: true`
-and optionally set the following configuration:
+To enable email-based two-factor-authentication, set `vaultwarden_config_enable_email_2fa: true` and optionally set the following configuration:
 ```yaml
 vaultwarden_config:
  email_token_size: 8
@@ -45,10 +32,3 @@ vaultwarden_config:
  email_attempts_limit: 3
 ```

-### Feature flags
-
-To enable more authentication methods, toggles are provided in
-[`vaultwarden_config_enable_*`](defaults/main/config.yml#L18).
-It is genereally recommended to simply keep unused methods off.
-
-Per default, 'Sends' are allowed.
--- a/roles/vaultwarden/defaults/main/main.yml
+++ b/roles/vaultwarden/defaults/main/main.yml
@@ -1,6 +1,6 @@
 ---
 vaultwarden_user: vaultwarden
-vaultwarden_version: "1.34.3"
+vaultwarden_version: "1.32.2"

 vaultwarden_config_file: "/etc/vaultwarden/config.json"
 vaultwarden_config_directory: "{{ vaultwarden_config_file | dirname }}"
--- a/roles/vaultwarden/tasks/deploy-docker.yml
+++ b/roles/vaultwarden/tasks/deploy-docker.yml
@@ -20,5 +20,3 @@
    dns_servers: "{{ vaultwarden_container_dns_servers | default(omit, true) }}"
    restart_policy: "{{ vaultwarden_container_restart_policy | default(omit, true) }}"
    state: "{{ vaultwarden_container_state | default(omit, true) }}"
-    comparisons:
-      'env': 'strict'
--- a/roles/vaultwarden/tasks/deploy-podman.yml
+++ b/roles/vaultwarden/tasks/deploy-podman.yml
@@ -1,22 +0,0 @@
---
- name: Ensure container image '{{ vaultwarden_container_image }}' is {{ vaultwarden_state }}
-  containers.podman.podman_image:
-    name: "{{ vaultwarden_container_image }}"
-    state: "{{ vaultwarden_state }}"
-    pull: "{{ (vaultwarden_container_image_source == 'pull') | bool }}"
-    force: "{{ vaultwarden_container_image_force_source }}"
-
- name: Ensure container '{{ vaultwarden_container_name }}' is {{ vaultwarden_container_state }}
-  containers.podman.podman_container:
-    name: "{{ vaultwarden_container_name }}"
-    image: "{{ vaultwarden_container_image }}"
-    env: "{{ vaultwarden_container_env | default(omit, true) }}"
-    user: "{{ vaultwarden_container_user | default(omit, true) }}"
-    ports: "{{ vaultwarden_container_ports | default(omit, true) }}"
-    labels: "{{ vaultwarden_container_labels | default(omit, true) }}"
-    volumes: "{{ vaultwarden_container_volumes }}"
-    network: "{{ vaultwarden_container_networks | default(omit, true) }}"
-    etc_hosts: "{{ vaultwarden_container_etc_hosts | default(omit, true) }}"
-    dns_servers: "{{ vaultwarden_container_dns_servers | default(omit, true) }}"
-    restart_policy: "{{ vaultwarden_container_restart_policy | default(omit, true) }}"
-    state: "{{ vaultwarden_container_state | default(omit, true) }}"
--- a/roles/vaultwarden/vars/main.yml
+++ b/roles/vaultwarden/vars/main.yml
@@ -4,7 +4,6 @@ vaultwarden_states:
  - absent
 vaultwarden_deployment_methods:
  - docker
-  - podman
 vaultwarden_required_variables:
  - vaultwarden_config_domain
 vaultwarden_conditionally_required_variables:
--- a/roles/vouch_proxy/defaults/main.yml
+++ b/roles/vouch_proxy/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
+
 vouch_proxy_user: vouch-proxy
-vouch_proxy_version: "0.45.1"
+vouch_proxy_version: 0.40.0
 vouch_proxy_base_path: /opt/vouch-proxy
 vouch_proxy_config_path: "{{ vouch_proxy_base_path }}/config"
 vouch_proxy_config_file: "{{ vouch_proxy_config_path }}/config.yaml"