testing

dev/host_vars/gitea.yml

@@ -7,7 +7,6 @@ users:
     uid: 1001
     gid: 1001
     home: true
-    system: true
 
 # Import my GPG key for git signature verification
 root_gpgkeys:
@@ -15,7 +14,6 @@ root_gpgkeys:
     id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
 
 # docker
-docker_official: true # docker's apt repos
 docker_users:
   - vagrant
 
@@ -35,9 +33,6 @@ docker_compose_deploy:
   - name: gitea
     url: https://github.com/krislamo/gitea
     version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
-    enabled: true
-    trusted_keys:
-      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
     env:
       USER_UID: "{{ users.git.uid }}"
       USER_GID: "{{ users.git.gid }}"

dev/host_vars/mediaserver.yml

@@ -5,12 +5,7 @@ allow_reboot: false
 manage_network: false
 
 users:
-  jellyfin:
-    uid: 1001
-    gid: 1001
-    shell: /usr/sbin/nologin
-    home: false
-    system: true
+  - name: jellyfin
 
 samba:
   users:

dev/host_vars/proxy.yml

@@ -4,18 +4,6 @@ base_domain: local.krislamo.org
 allow_reboot: false
 manage_network: false
 
-users:
-  git:
-    uid: 1001
-    gid: 1001
-    home: true
-    system: true
-
-# Import my GPG key for git signature verification
-root_gpgkeys:
-  - name: kris@lamoureux.io
-    id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
-
 # proxy
 proxy:
   #production: true
@@ -27,49 +15,14 @@ proxy:
       - "{{ base_domain }}"
   servers:
     - domain: "{{ bitwarden_domain }}"
-      proxy_pass: "http://127.0.0.1"
+      proxy_pass: "http://127.0.0.1:8080"
     - domain: "{{ gitea_domain }}"
-      proxy_pass: "http://127.0.0.1"
+      proxy_pass: "http://127.0.0.1:3000"
 
 # docker
-docker_official: true # docker's apt repos
 docker_users:
   - vagrant
 
-docker_compose_env_nolog: false # dev only setting
-docker_compose_deploy:
-  # Traefik
-  - name: traefik
-    url: https://github.com/krislamo/traefik
-    version: e97db75e2e214582fac5f5e495687ab5cdf855ad
-    path: docker-compose.web.yml
-    enabled: true
-    accept_newhostkey: true
-    trusted_keys:
-      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
-    env:
-      ENABLE: true
-  # Gitea
-  - name: gitea
-    url: https://github.com/krislamo/gitea
-    version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
-    enabled: true
-    trusted_keys:
-      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
-    env:
-      ENTRYPOINT: web
-      ENABLE_TLS: false
-      USER_UID: "{{ users.git.uid }}"
-      USER_GID: "{{ users.git.gid }}"
-      DB_PASSWD: "{{ gitea.DB_PASSWD }}"
-
-# gitea
-gitea_domain: "git.{{ base_domain }}"
-gitea:
-  DB_NAME: gitea
-  DB_USER: gitea
-  DB_PASSWD: password
-
 # bitwarden
 # Get Installation ID & Key at https://bitwarden.com/host/
 bitwarden_domain: "vault.{{ base_domain }}"
@@ -77,3 +30,8 @@ bitwarden_dbpass: password
 bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
 bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
 #bitwarden_prodution: true
+
+# gitea
+gitea_domain: "git.{{ base_domain }}"
+gitea_version: 1
+gitea_dbpass: password

dev/proxy.yml

@@ -5,8 +5,8 @@
     - host_vars/proxy.yml
   roles:
     - base
+    - mariadb
     - proxy
     - docker
-    - mariadb
     - gitea
     - bitwarden

forward-ssh.sh

@@ -1,24 +1,7 @@
 #!/bin/bash
 
 # Finds the SSH private key under ./.vagrant and connects to
-# the Vagrant box, port forwarding localhost ports: 8443, 443, 80, 22
-#
-# Download the latest script:
-# https://git.krislamo.org/kris/homelab/raw/branch/main/forward-ssh.sh
-#
-# Copyright (C) 2023  Kris Lamoureux
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
 
 # Root check
 if [ "$EUID" -ne 0 ]; then
@@ -58,38 +41,21 @@ function ssh_connect {
 }
 
 # Check for valid PRIVATE_KEY location
-PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null | sort)"
-
-# Single vagrant machine or multiple
-if [ "$(echo "$PRIVATE_KEY" | wc -l)" -gt 1 ]; then
-  while IFS= read -r KEYFILE; do
-    if ! ssh-keygen -l -f "$KEYFILE" &>/dev/null; then
-      echo "[ERROR]: The SSH key '$KEYFILE' is not valid. Is your virtual machines running?"
-      exit 1
-    fi
-    echo "[CHECK]: Valid key at $KEYFILE"
-  done < <(echo "$PRIVATE_KEY")
-  PRIVATE_KEY="$(echo "$PRIVATE_KEY" | grep -m1 "${1:-default}")"
-elif ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
+PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null)"
+if ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
   echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
   exit 1
-else
-  echo "[CHECK]: Valid key at $PRIVATE_KEY"
 fi
+echo "[CHECK]: Valid key at $PRIVATE_KEY"
 
 # Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
-HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
-if [ -z "$HOST_IP" ]; then
-  echo "[ERROR]: Failed to find ${1:-default}'s IP"
-  exit 1
-fi
+HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" 2>/dev/null)"
 HOST_IP="${HOST_IP::-1}" # trim
-
 if ! ping -c 1 "$HOST_IP" &>/dev/null; then
   echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
   exit 1
 fi
-echo "[CHECK]: Host at $HOST_IP (${1:-default}) is up"
+echo "[CHECK]: Host at $HOST_IP is up"
 
 # Pattern for matching processes running
 MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"

roles/base/handlers/main.yml

@@ -5,10 +5,6 @@
   listen: reboot_host
   when: allow_reboot
 
-- name: Reconfigure locales
-  ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
-  listen: reconfigure_locales
-
 - name: Restart WireGuard
   ansible.builtin.service:
     name: wg-quick@wg0

roles/base/tasks/ansible.yml

@@ -2,4 +2,4 @@
   ansible.builtin.file:
     path: "~/.ansible/tmp"
     state: directory
-    mode: "700"
+    mode: 0700

roles/base/tasks/ddclient.yml

@@ -7,7 +7,7 @@
   ansible.builtin.template:
     src: ddclient.conf.j2
     dest: /etc/ddclient.conf
-    mode: "600"
+    mode: 0600
   register: ddclient_settings
 
 - name: Start ddclient and enable on boot

roles/base/tasks/firewall.yml

@@ -32,14 +32,14 @@
   ansible.builtin.template:
     src: fail2ban-ssh.conf.j2
     dest: /etc/fail2ban/jail.d/sshd.conf
-    mode: "640"
+    mode: 0640
   notify: restart_fail2ban
 
 - name: Install Fail2ban IP allow list
   ansible.builtin.template:
     src: fail2ban-allowlist.conf.j2
     dest: /etc/fail2ban/jail.d/allowlist.conf
-    mode: "640"
+    mode: 0640
   when: fail2ban_ignoreip is defined
   notify: restart_fail2ban
 

roles/base/tasks/mail.yml

@@ -11,10 +11,10 @@
   ansible.builtin.template:
     src: msmtprc.j2
     dest: /root/.msmtprc
-    mode: "600"
+    mode: 0600
 
 - name: Install /etc/aliases
   ansible.builtin.copy:
     dest: /etc/aliases
     content: "root: {{ mail.rootalias }}"
-    mode: "644"
+    mode: 0644

roles/base/tasks/network.yml

@@ -10,6 +10,6 @@
   ansible.builtin.template:
     src: "interface.j2"
     dest: "/etc/network/interfaces.d/{{ item.name }}"
-    mode: "400"
+    mode: 0400
   loop: "{{ interfaces }}"
   notify: reboot_host

roles/base/tasks/samba.yml

@@ -3,15 +3,23 @@
     name: samba
     state: present
 
+- name: Create nologin shell accounts for Samba
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    state: present
+    shell: /usr/sbin/nologin
+    createhome: false
+    system: yes
+  loop: "{{ samba.users }}"
+  when: item.manage_user is defined and item.manage_user is true
+
 - name: Create Samba users
-  ansible.builtin.command: "smbpasswd -a {{ item.name }}"
+  ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
   args:
     stdin: "{{ item.password }}\n{{ item.password }}"
   loop: "{{ samba.users }}"
-  loop_control:
-    label: "{{ item.name }}"
   register: samba_users
-  changed_when: "'Added user' in samba_users.stdout"
+  changed_when: "'User added' in samba_users.stdout"
 
 - name: Ensure share directories exist
   ansible.builtin.file:
@@ -19,14 +27,13 @@
     owner: "{{ item.owner }}"
     group: "{{ item.group }}"
     state: directory
-    mode: "755"
+    mode: 0755
   loop: "{{ samba.shares }}"
 
 - name: Configure Samba shares
   ansible.builtin.template:
     src: smb.conf.j2
     dest: /etc/samba/smb.conf
-    mode: "700"
   notify: restart_samba
 
 - name: Start smbd and enable on boot

roles/base/tasks/system.yml

@@ -10,7 +10,7 @@
     state: present
 
 - name: Check for existing GPG keys
-  ansible.builtin.command: "gpg --list-keys {{ item.id }} 2>/dev/null"
+  command: "gpg --list-keys {{ item.id }} 2>/dev/null"
   register: gpg_check
   loop: "{{ root_gpgkeys }}"
   failed_when: false
@@ -18,22 +18,20 @@
   when: root_gpgkeys is defined
 
 - name: Import GPG keys
-  ansible.builtin.command:
-    "gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
+  command: "gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
   register: gpg_check_import
   loop: "{{ gpg_check.results }}"
   loop_control:
     label: "{{ item.item }}"
-  changed_when: false
   when: root_gpgkeys is defined and item.rc != 0
 
 - name: Check GPG key imports
-  ansible.builtin.fail:
+  fail:
     msg: "{{ item.stderr }}"
   loop: "{{ gpg_check_import.results }}"
   loop_control:
     label: "{{ item.item.item }}"
-  when: root_gpgkeys is defined and (not item.skipped | default(false)) and ('imported' not in item.stderr)
+  when: (item.skipped | default(false) == false) and ('imported' not in item.stderr)
 
 - name: Install NTPsec
   ansible.builtin.apt:
@@ -49,7 +47,7 @@
   community.general.locale_gen:
     name: "{{ locale_default }}"
     state: present
-  notify: reconfigure_locales
+  register: locale_gen_output
 
 - name: Set the default locale
   ansible.builtin.lineinfile:
@@ -57,11 +55,15 @@
     regexp: "^LANG="
     line: "LANG={{ locale_default }}"
 
+- name: Reconfigure locales
+  ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
+  when: locale_gen_output.changed
+
 - name: Manage root authorized_keys
   ansible.builtin.template:
     src: authorized_keys.j2
     dest: /root/.ssh/authorized_keys
-    mode: "400"
+    mode: 0400
   when: authorized_keys is defined
 
 - name: Create system user groups
@@ -82,7 +84,6 @@
     group: "{{ item.value.gid }}"
     shell: "{{ item.value.shell | default('/bin/bash') }}"
     create_home: "{{ item.value.home | default(false) }}"
-    system: "{{ item.value.system | default(false) }}"
   loop: "{{ users | dict2items }}"
   loop_control:
     label: "{{ item.key }}"

roles/base/tasks/wireguard.yml

@@ -22,7 +22,7 @@
   ansible.builtin.template:
     src: wireguard.j2
     dest: /etc/wireguard/wg0.conf
-    mode: "400"
+    mode: 0400
   notify: restart_wireguard
 
 - name: Start WireGuard interface

roles/bitwarden/handlers/main.yml

@@ -5,12 +5,7 @@
   listen: rebuild_bitwarden
 
 - name: Rebuild Bitwarden
-  ansible.builtin.command: "{{ bitwarden_root }}/bitwarden.sh rebuild"
-  listen: rebuild_bitwarden
-
-- name: Reload systemd manager configuration
-  ansible.builtin.systemd:
-    daemon_reload: true
+  ansible.builtin.shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
   listen: rebuild_bitwarden
 
 - name: Start Bitwarden after rebuild
@@ -19,10 +14,3 @@
     state: started
     enabled: true
   listen: rebuild_bitwarden
-
-- name: Create Bitwarden's initial log file
-  ansible.builtin.file:
-    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
-    state: touch
-    mode: "644"
-  listen: touch_bitwarden

roles/bitwarden/tasks/main.yml

@@ -7,7 +7,6 @@
   ansible.builtin.file:
     path: "{{ bitwarden_root }}"
     state: directory
-    mode: "755"
 
 - name: Download Bitwarden script
   ansible.builtin.get_url:
@@ -23,23 +22,22 @@
     mode: u+x
 
 - name: Run Bitwarden installation script
-  ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
+  ansible.builtin.shell: "{{ bitwarden_root }}/bw_wrapper"
   args:
     creates: "{{ bitwarden_root }}/bwdata/config.yml"
 
-- name: Install compose override
+- name: Install docker-compose override
   ansible.builtin.template:
     src: compose.override.yml.j2
     dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
-    mode: "644"
-  when: bitwarden_override | default(true)
+  when: traefik_version is defined
   notify: rebuild_bitwarden
 
 - name: Disable bitwarden-nginx HTTP on 80
   ansible.builtin.replace:
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     regexp: "^http_port: 80$"
-    replace: "http_port: {{ bitwarden_http_port | default('127.0.0.1:9080') }}"
+    replace: "http_port: 127.0.0.1:8080"
   when: not bitwarden_standalone
   notify: rebuild_bitwarden
 
@@ -47,7 +45,7 @@
   ansible.builtin.replace:
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     regexp: "^https_port: 443$"
-    replace: "https_port: {{ bitwarden_https_port | default('127.0.0.1:9443') }}"
+    replace: "https_port: 127.0.0.1:8443"
   when: not bitwarden_standalone
   notify: rebuild_bitwarden
 
@@ -78,7 +76,6 @@
   ansible.builtin.template:
     src: bitwarden.service.j2
     dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
-    mode: "644"
   register: bitwarden_systemd
   notify: rebuild_bitwarden
 
@@ -86,12 +83,22 @@
   ansible.builtin.file:
     path: "{{ bitwarden_logs_identity }}"
     state: directory
-    mode: "755"
-  notify: touch_bitwarden
+  register: bitwarden_logs
+
+- name: Create Bitwarden's initial log file
+  ansible.builtin.file:
+    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
+    state: touch
+  when: bitwarden_logs.changed
 
 - name: Install Bitwarden's Fail2ban jail
   ansible.builtin.template:
     src: fail2ban-jail.conf.j2
     dest: /etc/fail2ban/jail.d/bitwarden.conf
-    mode: "640"
   notify: restart_fail2ban
+
+- name: Reload systemd manager configuration
+  ansible.builtin.systemd:
+    daemon_reload: true
+  when: bitwarden_systemd.changed
+  notify: rebuild_bitwarden

roles/bitwarden/templates/bw_wrapper.j2

@@ -23,13 +23,10 @@ send "{{ bitwarden_install_id }}\r"
 expect "Enter your installation key:"
 send "{{ bitwarden_install_key }}\r"
 
-expect "Enter your region (US/EU) \\\[US\\\]:"
-send "US\r"
-
-expect "Do you have a SSL certificate to use? (y/N):"
+expect "Do you have a SSL certificate to use? (y/n):"
 send "n\r"
 
-expect "Do you want to generate a self-signed SSL certificate? (y/N):"
+expect "Do you want to generate a self-signed SSL certificate? (y/n):"
 {% if bitwarden_standalone and not bitwarden_production %}
 send "y\r"
 {% else %}

roles/bitwarden/templates/compose.override.yml.j2

@@ -6,11 +6,13 @@ services:
       - traefik
     labels:
       traefik.http.routers.bitwarden.rule: "Host(`{{ bitwarden_domain }}`)"
-      traefik.http.routers.bitwarden.entrypoints: {{ bitwarden_entrypoint | default('web') }}
-      traefik.http.routers.bitwarden.tls: {{ bitwarden_traefik_tls | default('false') }}
+      traefik.http.routers.bitwarden.entrypoints: websecure
+      traefik.http.routers.bitwarden.tls.certresolver: letsencrypt
+      traefik.http.routers.bitwarden.middlewares: "securehttps@file"
       traefik.http.services.bitwarden.loadbalancer.server.port: 8080
       traefik.docker.network: traefik
       traefik.enable: "true"
+
 networks:
   traefik:
     external: true

roles/docker/defaults/main.yml

@@ -1,11 +1,6 @@
-docker_apt_keyring: /etc/apt/keyrings/docker.asc
-docker_apt_keyring_hash: 1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
-docker_apt_keyring_url: https://download.docker.com/linux/debian/gpg
-docker_apt_repo: https://download.docker.com/linux/debian
 docker_compose_root: /var/lib/compose
 docker_compose_service: compose
-docker_compose: "{{ (docker_official | bool) | ternary('/usr/bin/docker compose', '/usr/bin/docker-compose') }}"
-docker_official: false
+docker_compose: /usr/bin/docker-compose
 docker_repos_keys: "{{ docker_repos_path }}/.keys"
 docker_repos_keytype: rsa
-docker_repos_path: /srv/.compose_repos
+docker_repos_path: /srv/.compose_repos

roles/docker/handlers/main.yml

@@ -4,7 +4,7 @@
   listen: compose_systemd
 
 - name: Find which services had a docker-compose.yml updated
-  ansible.builtin.set_fact:
+  set_fact:
     compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
   loop: "{{ compose_update.results }}"
   loop_control:
@@ -13,7 +13,7 @@
   listen: compose_restart
 
 - name: Find which services had their .env updated
-  ansible.builtin.set_fact:
+  set_fact:
     compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
   loop: "{{ compose_env_update.results }}"
   loop_control:
@@ -21,34 +21,10 @@
   when: item.changed
   listen: compose_restart
 
-- name: Restart MariaDB
-  ansible.builtin.service:
-    name: mariadb
-    state: restarted
-  when: not mariadb_restarted
-  listen: restart_mariadb # hijack handler for early restart
-
-- name: Set MariaDB as restarted
-  ansible.builtin.set_fact:
-    mariadb_restarted: true
-  when: not mariadb_restarted
-  listen: restart_mariadb
-
-- name: Restart compose services
+- name: Restart {{ docker_compose_service }} services
   ansible.builtin.systemd:
     state: restarted
     name: "{{ docker_compose_service }}@{{ item }}"
-  loop: "{{ compose_restart_list | default([]) | unique }}"
+  loop: "{{ compose_restart_list | unique }}"
   when: compose_restart_list is defined
   listen: compose_restart
-
-- name: Start compose services and enable on boot
-  ansible.builtin.service:
-    name: "{{ docker_compose_service }}@{{ item.name }}"
-    state: started
-    enabled: true
-  loop: "{{ docker_compose_deploy }}"
-  loop_control:
-    label: "{{ docker_compose_service }}@{{ item.name }}"
-  when: item.enabled is defined and item.enabled is true
-  listen: compose_enable

roles/docker/tasks/main.yml

@@ -1,40 +1,7 @@
-- name: Add official Docker APT key
-  ansible.builtin.get_url:
-    url: "{{ docker_apt_keyring_url }}"
-    dest: "{{ docker_apt_keyring }}"
-    checksum: "sha256:{{ docker_apt_keyring_hash }}"
-    mode: "644"
-    owner: root
-    group: root
-  when: docker_official
-
-- name: Remove official Docker APT key
-  ansible.builtin.file:
-    path: "{{ docker_apt_keyring }}"
-    state: absent
-  when: not docker_official
-
-- name: Add/remove official Docker APT repository
-  ansible.builtin.apt_repository:
-    repo: >
-      deb [arch=amd64 signed-by={{ docker_apt_keyring }}]
-      {{ docker_apt_repo }} {{ ansible_distribution_release }} stable
-    state: "{{ 'present' if docker_official else 'absent' }}"
-    filename: "{{ docker_apt_keyring | regex_replace('^.*/', '') }}"
-
-- name: Install/uninstall Docker from Debian repositories
+- name: Install Docker
   ansible.builtin.apt:
-    name: ['docker.io', 'docker-compose', 'containerd', 'runc']
-    state: "{{ 'absent' if docker_official else 'present' }}"
-    autoremove: true
-    update_cache: true
-
-- name: Install/uninstall Docker from Docker repositories
-  ansible.builtin.apt:
-    name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
-           'docker-buildx-plugin', 'docker-compose-plugin']
-    state: "{{ 'present' if docker_official else 'absent' }}"
-    autoremove: true
+    name: ['docker.io', 'docker-compose']
+    state: present
     update_cache: true
 
 - name: Login to private registry
@@ -48,20 +15,20 @@
   ansible.builtin.file:
     path: "{{ docker_compose_root }}"
     state: directory
-    mode: "500"
+    mode: 0500
 
 - name: Install docker-compose systemd service
   ansible.builtin.template:
     src: docker-compose.service.j2
     dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
-    mode: "400"
+    mode: 0400
   notify: compose_systemd
 
 - name: Create directories to clone docker-compose repositories
   ansible.builtin.file:
     path: "{{ item }}"
     state: directory
-    mode: "400"
+    mode: 0400
   loop:
     - "{{ docker_repos_path }}"
     - "{{ docker_repos_keys }}"
@@ -72,13 +39,7 @@
     path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
     type: "{{ docker_repos_keytype }}"
     comment: "{{ ansible_hostname }}-deploy-key"
-    mode: "400"
-    state: present
-  when: docker_compose_deploy is defined
-
-- name: Check for git installation
-  ansible.builtin.apt:
-    name: git
+    mode: 0400
     state: present
   when: docker_compose_deploy is defined
 
@@ -87,7 +48,7 @@
     repo: "{{ item.url }}"
     dest: "{{ docker_repos_path }}/{{ item.name }}"
     version: "{{ item.version }}"
-    accept_newhostkey: "{{ item.accept_newhostkey | default(false) }}"
+    accept_newhostkey: "{{ item.accept_newhostkey | default('false') }}"
     gpg_whitelist: "{{ item.trusted_keys | default([]) }}"
     verify_commit: "{{ true if (item.trusted_keys is defined and item.trusted_keys) else false }}"
     key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
@@ -100,7 +61,7 @@
   ansible.builtin.file:
     path: "{{ docker_compose_root }}/{{ item.name }}"
     state: directory
-    mode: "400"
+    mode: 0400
   loop: "{{ docker_compose_deploy }}"
   loop_control:
     label: "{{ item.name }}"
@@ -112,9 +73,7 @@
     dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
   delegate_to: "{{ inventory_hostname }}"
   register: compose_update
-  notify:
-    - compose_restart
-    - compose_enable
+  notify: compose_restart
   loop: "{{ docker_compose_deploy | default([]) }}"
   loop_control:
     label: "{{ item.name }}"
@@ -124,12 +83,10 @@
   ansible.builtin.template:
     src: docker-compose-env.j2
     dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
-    mode: "400"
+    mode: 0400
   register: compose_env_update
-  notify:
-    - compose_restart
-    - compose_enable
-  no_log: "{{ docker_compose_env_nolog | default(true) }}"
+  notify: compose_restart
+  no_log: "{{ docker_compose_env_nolog | default('true') }}"
   loop: "{{ docker_compose_deploy }}"
   loop_control:
     label: "{{ item.name }}"
@@ -148,4 +105,13 @@
     name: docker
     state: started
     enabled: true
-  when: docker_managed | default(true)
+
+- name: Start docker-compose services and enable on boot
+  ansible.builtin.service:
+    name: "{{ docker_compose_service }}@{{ item.name }}"
+    state: started
+    enabled: true
+  loop: "{{ docker_compose_deploy }}"
+  loop_control:
+    label: "{{ docker_compose_service }}@{{ item.name }}"
+  when: item.enabled is defined and item.enabled is true

roles/docker/templates/docker-compose.service.j2

@@ -1,5 +1,5 @@
 [Unit]
-Description=%i {{ docker_compose_service }} service
+Description=%i docker-compose service
 PartOf=docker.service
 After=docker.service
 

roles/gitea/tasks/main.yml

@@ -21,7 +21,6 @@
 - name: Create git's .ssh directory
   ansible.builtin.file:
     path: /home/git/.ssh
-    mode: "700"
     state: directory
 
 - name: Generate git's SSH keys
@@ -41,7 +40,6 @@
 - name: Create git's authorized_keys file
   ansible.builtin.file:
     path: /home/git/.ssh/authorized_keys
-    mode: "600"
     state: touch
   when: not git_authkeys.stat.exists
 
@@ -55,24 +53,27 @@
   ansible.builtin.template:
     src: gitea.sh.j2
     dest: /usr/local/bin/gitea
-    mode: "755"
+    mode: 0755
 
 - name: Create Gitea's logging directory
   ansible.builtin.file:
     name: /var/log/gitea
     state: directory
-    mode: "755"
 
 - name: Install Gitea's Fail2ban filter
   ansible.builtin.template:
     src: fail2ban-filter.conf.j2
     dest: /etc/fail2ban/filter.d/gitea.conf
-    mode: "644"
   notify: restart_fail2ban
 
 - name: Install Gitea's Fail2ban jail
   ansible.builtin.template:
     src: fail2ban-jail.conf.j2
     dest: /etc/fail2ban/jail.d/gitea.conf
-    mode: "640"
   notify: restart_fail2ban
+
+- name: Start and enable Gitea service
+  ansible.builtin.service:
+    name: "{{ docker_compose_service }}@{{ gitea_name }}"
+    state: started
+    enabled: true

roles/mariadb/handlers/main.yml

@@ -2,11 +2,4 @@
   ansible.builtin.service:
     name: mariadb
     state: restarted
-  when: not mariadb_restarted
-  listen: restart_mariadb
-
-- name: Set MariaDB as restarted
-  ansible.builtin.set_fact:
-    mariadb_restarted: true
-  when: not mariadb_restarted
   listen: restart_mariadb

roles/mariadb/tasks/main.yml

@@ -3,10 +3,6 @@
     name: mariadb-server
     state: present
 
-- name: Set MariaDB restarted fact
-  ansible.builtin.set_fact:
-    mariadb_restarted: false
-
 - name: Regather facts for the potentially new docker0 interface
   ansible.builtin.setup:
 

roles/proxy/handlers/main.yml

@@ -1,13 +1,3 @@
-- name: Enable nginx sites configuration
-  ansible.builtin.file:
-    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
-    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
-    state: link
-    mode: "400"
-  loop: "{{ nginx_sites.results }}"
-  when: item.changed
-  listen: reload_nginx
-
 - name: Reload nginx
   ansible.builtin.service:
     name: nginx

roles/proxy/tasks/main.yml

@@ -19,18 +19,28 @@
   ansible.builtin.template:
     src: nginx.conf.j2
     dest: /etc/nginx/nginx.conf
-    mode: "644"
+    mode: 0644
   notify: reload_nginx
 
 - name: Install nginx sites configuration
   ansible.builtin.template:
     src: server-nginx.conf.j2
     dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: "400"
+    mode: 0400
   loop: "{{ proxy.servers }}"
   notify: reload_nginx
   register: nginx_sites
 
+- name: Enable nginx sites configuration
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
+    state: link
+    mode: 0400
+  loop: "{{ nginx_sites.results }}"
+  when: item.changed
+  notify: reload_nginx
+
 - name: Generate self-signed certificate
   ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
           -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
@@ -51,14 +61,14 @@
   ansible.builtin.template:
     src: cloudflare.ini.j2
     dest: /root/.cloudflare.ini
-    mode: "400"
+    mode: 0400
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 
 - name: Create nginx post renewal hook directory
   ansible.builtin.file:
     path: /etc/letsencrypt/renewal-hooks/post
     state: directory
-    mode: "500"
+    mode: 0500
   when: proxy.production is defined and proxy.production
 
 - name: Install nginx post renewal hook