Change nginx role to staticweb

Update Vagrantfile to use external settings
No deploy keys without compose deploy variable
2023-08-24 23:18:42 -04:00 · 2023-08-21 18:46:47 -04:00 · 2023-07-21 23:52:18 -04:00 · 2023-07-20 03:51:44 -04:00 · 2023-07-20 00:33:42 -04:00 · 2023-07-08 23:43:52 -04:00
98 changed files with 1413 additions and 521 deletions
--- a/.github/workflows/vagrant.yml
+++ b/.github/workflows/vagrant.yml
@@ -0,0 +1,39 @@
 name: homelab-ci
 on:
  push:
    branches:
      - main
      - testing
 jobs:
  homelab-ci:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v3
      - name: Cache Vagrant boxes
        uses: actions/cache@v3
        with:
          path: ~/.vagrant.d/boxes
          key: ${{ runner.os }}-vagrant-${{ hashFiles('Vagrantfile') }}
          restore-keys: |
            ${{ runner.os }}-vagrant-
      - name: Install Ansible
        run: brew install ansible@7
      - name: Software Versions
        run: |
          printf "VirtualBox "
          vboxmanage --version
          vagrant --version
          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
          ansible --version
      - name: Vagrant Up with Dockerbox Playbook
        run: |
          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
          PLAYBOOK=dockerbox vagrant up
          vagrant ssh -c "docker ps"
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,4 @@
 .vagrant
 .playbook
-/*.yml
+.vagrant*
-/*.yaml
+.vscode
-!backup.yml
+/environments/
 !moxie.yml
 !docker.yml
 !dockerbox.yml
 !hypervisor.yml
 !minecraft.yml
 !unifi.yml
 /environments/
--- a/46
+++ b/46
@@ -1,42 +1,45 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-SSH_FORWARD=ENV["SSH_FORWARD"]
+require 'yaml'
-if !(SSH_FORWARD == "true")
+settings_path = '.vagrant.yml'
-  SSH_FORWARD = false
+settings = {}
 if File.exist?(settings_path)
  settings = YAML.load_file(settings_path)
 end
 VAGRANT_BOX  = settings['VAGRANT_BOX']  || 'debian/bookworm64'
 VAGRANT_CPUS = settings['VAGRANT_CPUS'] || 2
 VAGRANT_MEM  = settings['VAGRANT_MEM']  || 2048
 SSH_FORWARD  = settings['SSH_FORWARD']  || false
 # Default to shell environment variable: PLAYBOOK (priority #1)
 PLAYBOOK=ENV["PLAYBOOK"]
 if !PLAYBOOK
-  if File.exist?('.playbook')
+  # PLAYBOOK setting in .vagrant.yml (priority #2)
-    PLAYBOOK = IO.read('.playbook').split("\n")[0]
+  PLAYBOOK = settings['PLAYBOOK'] || false
  end
  if !PLAYBOOK || PLAYBOOK.empty?
-    PLAYBOOK = "\nERROR: Set env PLAYBOOK"
+    puts "[VAGRANTFILE ERROR]: Set PLAYBOOK setting in .vagrant.yml"
    abort
  end
 else
  File.write(".playbook", PLAYBOOK)
 end
 Vagrant.configure("2") do |config|
-  config.vm.box = "debian/bullseye64"
+  config.vm.box = VAGRANT_BOX
  config.vm.network "private_network", type: "dhcp"
  config.vm.synced_folder ".", "/vagrant", disabled: true
  config.vm.synced_folder "./scratch", "/vagrant/scratch"
  config.ssh.forward_agent = SSH_FORWARD
-  # Machine Name
+  # Libvrit provider
  config.vm.define :moxie do |moxie| #
  end
  # Disable Machine Name Prefix
  config.vm.provider :libvirt do |libvirt|
-    libvirt.default_prefix = ""
+    libvirt.cpus   = VAGRANT_CPUS
    libvirt.memory = VAGRANT_MEM
  end
-  config.vm.provider "virtualbox" do |vbox|
+  # Virtualbox provider
-    vbox.memory = 4096
+  config.vm.provider :virtualbox do |vbox|
    vbox.cpus   = VAGRANT_CPUS
    vbox.memory = VAGRANT_MEM
  end
  # Provision with Ansible
@@ -45,5 +48,4 @@ Vagrant.configure("2") do |config|
    ansible.compatibility_mode = "2.0"
    ansible.playbook = "dev/" + PLAYBOOK + ".yml"
  end
 end
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,3 +1,6 @@
 [defaults]
 inventory = ./environments/development
 interpreter_python = /usr/bin/python3
 [connection]
 pipelining = true
--- a/dev/dockerbox.yml
+++ b/dev/dockerbox.yml
@@ -8,7 +8,6 @@
    - docker
    - traefik
    - nextcloud
    - gitea
    - jenkins
    - prometheus
    - nginx
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@@ -13,6 +13,7 @@ traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
 traefik_http_only: true # if behind reverse-proxy
 # nextcloud
 nextcloud_version: stable
--- a/dev/host_vars/jekyll.yml
+++ b/dev/host_vars/jekyll.yml
@@ -1,27 +0,0 @@
 # base
 allow_reboot: false
 manage_network: false
 # docker
 docker_users:
  - vagrant
 # traefik
 traefik_version: latest
 traefik_dashboard: true
 traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
 # jekyll
 jekyll_project: example
 jekyll_repo_url: https://git.krislamo.org/kris/example-jekyll/
 jekyll_repo_branch: master
 # nginx
 nginx_domain: nginx.vm.krislamo.org
 nginx_name: staticsite
 nginx_repo_url: https://git.krislamo.org/kris/example-website/
 nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 nginx_version: latest
--- a/dev/host_vars/mediaserver.yml
+++ b/dev/host_vars/mediaserver.yml
@@ -0,0 +1,56 @@
 base_domain: vm.krislamo.org
 # base
 allow_reboot: false
 manage_network: false
 users:
  - name: jellyfin
 samba:
  users:
    - name: jellyfin
      password: jellyfin
  shares:
    - name: jellyfin
      path: /srv/jellyfin
      owner: jellyfin
      group: jellyfin
      valid_users: jellyfin
  firewall:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
 # proxy
 proxy:
  #production: true
  dns_cloudflare:
    opts: --test-cert
    #email: realemail@example.com
    #api_token: CLOUDFLARE_DNS01_API_TOKEN
    wildcard_domains:
      - "{{ base_domain }}"
  servers:
    - domain: "{{ traefik_domain }}"
      proxy_pass: "http://127.0.0.1:8000"
    - domain: "{{ jellyfin_domain }}"
      proxy_pass: "http://127.0.0.1:8000"
 # docker
 docker_users:
  - vagrant
 # traefik
 traefik_version: latest
 traefik_dashboard: true
 traefik_domain: "traefik.{{ base_domain }}"
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
 traefik_http_only: true # if behind reverse-proxy
 # jellyfin
 jellyfin_domain: "jellyfin.{{ base_domain }}"
 jellyfin_version: latest
 jellyfin_media: /srv/jellyfin
--- a/dev/host_vars/proxy.yml
+++ b/dev/host_vars/proxy.yml
@@ -0,0 +1,37 @@
 base_domain: vm.krislamo.org
 # base
 allow_reboot: false
 manage_network: false
 # proxy
 proxy:
  #production: true
  dns_cloudflare:
    opts: --test-cert
    #email: realemail@example.com
    #api_token: CLOUDFLARE_DNS01_API_TOKEN
    wildcard_domains:
      - "{{ base_domain }}"
  servers:
    - domain: "{{ bitwarden_domain }}"
      proxy_pass: "http://127.0.0.1:8080"
    - domain: "{{ gitea_domain }}"
      proxy_pass: "http://127.0.0.1:3000"
 # docker
 docker_users:
  - vagrant
 # bitwarden
 # Get Installation ID & Key at https://bitwarden.com/host/
 bitwarden_domain: "vault.{{ base_domain }}"
 bitwarden_dbpass: password
 bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
 bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
 #bitwarden_prodution: true
 # gitea
 gitea_domain: "git.{{ base_domain }}"
 gitea_version: 1
 gitea_dbpass: password
--- a/dev/host_vars/staticweb.yml
+++ b/dev/host_vars/staticweb.yml
@@ -14,7 +14,7 @@ traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
-# nginx
+# staticweb
 nginx_domain: nginx.vm.krislamo.org
 nginx_name: staticsite
 nginx_repo_url: https://git.krislamo.org/kris/example-website/
--- a/dev/jekyll.yml
+++ b/dev/jekyll.yml
@@ -1,11 +0,0 @@
 - name: Install Jekyll server
  hosts: all
  become: true
  vars_files:
    - host_vars/jekyll.yml
  roles:
    - base
    - docker
    #- traefik
    - jekyll
    #- nginx
--- a/dev/mediaserver.yml
+++ b/dev/mediaserver.yml
@@ -0,0 +1,11 @@
 - name: Install Media Server
  hosts: all
  become: true
  vars_files:
    - host_vars/mediaserver.yml
  roles:
    - base
    - proxy
    - docker
    - traefik
    - jellyfin
--- a/dev/proxy.yml
+++ b/dev/proxy.yml
@@ -0,0 +1,12 @@
 - name: Install Proxy Server
  hosts: all
  become: true
  vars_files:
    - host_vars/proxy.yml
  roles:
    - base
    - mariadb
    - proxy
    - docker
    - gitea
    - bitwarden
--- a/dev/staticweb.yml
+++ b/dev/staticweb.yml
@@ -1,10 +1,10 @@
- name: Install nginx server (docker)
+- name: Install a static web container
  hosts: all
  become: true
  vars_files:
-    - host_vars/nginx.yml
+    - host_vars/staticweb.yml
  roles:
    - base
    - docker
    - traefik
-    - nginx
+    - staticweb
--- a/docker.yml
+++ b/docker.yml
@@ -1,21 +1,7 @@
 # Copyright (C) 2020  Kris Lamoureux
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 - name: Install Docker Server
-  hosts: dockerhosts
+  hosts: "{{ PLAYBOOK_HOST | default('none') }}"
  become: true
  roles:
    - base
    - docker
    - jenkins
    - docker
--- a/dockerbox.yml
+++ b/dockerbox.yml
@@ -20,7 +20,6 @@
    - docker
    - traefik
    - nextcloud
    - gitea
    - jenkins
    - prometheus
    - nginx
--- a/mediaserver.yml
+++ b/mediaserver.yml
@@ -0,0 +1,10 @@
 - name: Install Media Server
  hosts: "{{ PLAYBOOK_HOST | default('none') }}"
  become: true
  roles:
    - base
    - jenkins
    - proxy
    - docker
    - traefik
    - jellyfin
--- a/proxy.yml
+++ b/proxy.yml
@@ -0,0 +1,11 @@
 - name: Install Proxy Server
  hosts: proxyhosts
  become: true
  roles:
    - base
    - jenkins
    - mariadb
    - proxy
    - docker
    - gitea
    - bitwarden
--- a/roles/.gitignore
+++ b/roles/.gitignore
@@ -1,17 +0,0 @@
 /*
 !.gitignore
 !requirements.yml
 !base*/
 !bitwarden*/
 !docker*/
 !gitea*/
 !jenkins*/
 !libvirt*/
 !minecraft*/
 !nextcloud*/
 !nginx*/
 !prometheus*/
 !rsnapshot*/
 !traefik*/
 !unifi*/
 !wordpress*/
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -1,8 +1,10 @@
 allow_reboot: true
 manage_firewall: true
 manage_network: false
 network_type: static
 allow_reboot: true
 packages:
  - apache2-utils
  - cryptsetup
  - curl
  - dnsutils
--- a/roles/base/files/buster-backports.list
+++ b/roles/base/files/buster-backports.list
@@ -1 +0,0 @@
 deb http://deb.debian.org/debian buster-backports main
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -1,12 +1,30 @@
 - name: Reboot host
-  reboot:
+  ansible.builtin.reboot:
    msg: "Reboot initiated by Ansible"
    connect_timeout: 5
  listen: reboot_host
  when: allow_reboot
 - name: Restart WireGuard
-  service:
+  ansible.builtin.service:
    name: wg-quick@wg0
    state: restarted
  listen: restart_wireguard
 - name: Restart Fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
  listen: restart_fail2ban
 - name: Restart ddclient
  ansible.builtin.service:
    name: ddclient
    state: restarted
  listen: restart_ddclient
 - name: Restart Samba
  ansible.builtin.service:
    name: smbd
    state: restarted
  listen: restart_samba
--- a/roles/base/tasks/ansible.yml
+++ b/roles/base/tasks/ansible.yml
@@ -1,15 +1,5 @@
- name: 'Install Ansible dependency: python3-apt'
+- name: Create Ansible's temporary remote directory
-  shell: 'apt-get update && apt-get install python3-apt -y'
+  ansible.builtin.file:
-  args:
+    path: "~/.ansible/tmp"
-    creates: /usr/lib/python3/dist-packages/apt
+    state: directory
-    warn: false
+    mode: 0700
 - name: Install additional Ansible dependencies
  apt:
    name: "{{ item }}"
    state: present
    force_apt_get: true
    update_cache: true
  loop:
    - aptitude
    - python3-docker
--- a/roles/base/tasks/ddclient.yml
+++ b/roles/base/tasks/ddclient.yml
@@ -1,22 +1,17 @@
 - name: Install ddclient
-  apt:
+  ansible.builtin.apt:
    name: ddclient
    state: present
 - name: Install ddclient settings
-  template:
+  ansible.builtin.template:
    src: ddclient.conf.j2
    dest: /etc/ddclient.conf
    mode: 0600
  register: ddclient_settings
 - name: Start ddclient and enable on boot
-  service:
+  ansible.builtin.service:
    name: ddclient
    state: started
    enabled: true
 - name: Restart ddclient
  service:
    name: ddclient
    state: restarted
  when: ddclient_settings.changed
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -0,0 +1,48 @@
 - name: Install the Uncomplicated Firewall
  ansible.builtin.apt:
    name: ufw
    state: present
 - name: Install Fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: present
 - name: Deny incoming traffic by default
  community.general.ufw:
    default: deny
    direction: incoming
 - name: Allow outgoing traffic by default
  community.general.ufw:
    default: allow
    direction: outgoing
 - name: Allow OpenSSH with rate limiting
  community.general.ufw:
    name: ssh
    rule: limit
 - name: Remove Fail2ban defaults-debian.conf
  ansible.builtin.file:
    path: /etc/fail2ban/jail.d/defaults-debian.conf
    state: absent
 - name: Install OpenSSH's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-ssh.conf.j2
    dest: /etc/fail2ban/jail.d/sshd.conf
    mode: 0640
  notify: restart_fail2ban
 - name: Install Fail2ban IP allow list
  ansible.builtin.template:
    src: fail2ban-allowlist.conf.j2
    dest: /etc/fail2ban/jail.d/allowlist.conf
    mode: 0640
  when: fail2ban_ignoreip is defined
  notify: restart_fail2ban
 - name: Enable firewall
  community.general.ufw:
    state: enabled
--- a/roles/base/tasks/mail.yml
+++ b/roles/base/tasks/mail.yml
@@ -1,5 +1,5 @@
 - name: Install msmtp
-  apt:
+  ansible.builtin.apt:
    name: "{{ item }}"
    state: present
  loop:
@@ -8,12 +8,13 @@
    - mailutils
 - name: Install msmtp configuration
-  template:
+  ansible.builtin.template:
    src: msmtprc.j2
    dest: /root/.msmtprc
-    mode: 0700
+    mode: 0600
 - name: Install /etc/aliases
-  copy:
+  ansible.builtin.copy:
    dest: /etc/aliases
    content: "root: {{ mail.rootalias }}"
    mode: 0644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -1,21 +1,37 @@
- import_tasks: ansible.yml
+- name: Import Ansible tasks
  ansible.builtin.import_tasks: ansible.yml
  tags: ansible
- import_tasks: system.yml
+- name: Import System tasks
  ansible.builtin.import_tasks: system.yml
  tags: system
- import_tasks: network.yml
+- name: Import Firewall tasks
  ansible.builtin.import_tasks: firewall.yml
  tags: firewall
  when: manage_firewall
 - name: Import Network tasks
  ansible.builtin.import_tasks: network.yml
  tags: network
  when: manage_network
- import_tasks: mail.yml
+- name: Import Mail tasks
  ansible.builtin.import_tasks: mail.yml
  tags: mail
  when: mail is defined
- import_tasks: ddclient.yml
+- name: Import ddclient tasks
  ansible.builtin.import_tasks: ddclient.yml
  tags: ddclient
  when: ddclient is defined
- import_tasks: wireguard.yml
+- name: Import WireGuard tasks
  ansible.builtin.import_tasks: wireguard.yml
  tags: wireguard
  when: wireguard is defined
 - name: Import Samba tasks
  ansible.builtin.import_tasks: samba.yml
  tags: samba
  when: samba is defined
--- a/roles/base/tasks/network.yml
+++ b/roles/base/tasks/network.yml
@@ -1,5 +1,5 @@
 - name: Install network interfaces file
-  copy:
+  ansible.builtin.copy:
    src: network-interfaces.cfg
    dest: /etc/network/interfaces
    owner: root
@@ -7,13 +7,9 @@
    mode: '0644'
 - name: Install network interfaces
-  template:
+  ansible.builtin.template:
    src: "interface.j2"
    dest: "/etc/network/interfaces.d/{{ item.name }}"
    mode: 0400
  loop: "{{ interfaces }}"
  notify: reboot_host
 - name: Install bridge utilities
  apt:
    name: bridge-utils
    state: present
--- a/roles/base/tasks/samba.yml
+++ b/roles/base/tasks/samba.yml
@@ -0,0 +1,53 @@
 - name: Install Samba
  ansible.builtin.apt:
    name: samba
    state: present
 - name: Create nologin shell accounts for Samba
  ansible.builtin.user:
    name: "{{ item.name }}"
    state: present
    shell: /usr/sbin/nologin
    createhome: false
    system: yes
  loop: "{{ samba.users }}"
  when: item.manage_user is defined and item.manage_user is true
 - name: Create Samba users
  ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
  args:
    stdin: "{{ item.password }}\n{{ item.password }}"
  loop: "{{ samba.users }}"
  register: samba_users
  changed_when: "'User added' in samba_users.stdout"
 - name: Ensure share directories exist
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    state: directory
    mode: 0755
  loop: "{{ samba.shares }}"
 - name: Configure Samba shares
  ansible.builtin.template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
  notify: restart_samba
 - name: Start smbd and enable on boot
  ansible.builtin.service:
    name: smbd
    state: started
    enabled: true
 - name: Allow SMB connections
  community.general.ufw:
    rule: allow
    port: 445
    proto: tcp
    from: "{{ item }}"
    state: enabled
  loop: "{{ samba.firewall }}"
  when: manage_firewall
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -1,23 +1,35 @@
 - name: Install useful software
-  apt:
+  ansible.builtin.apt:
    name: "{{ packages }}"
    state: present
    update_cache: true
 - name: Manage root authorized_keys
-  template:
+  ansible.builtin.template:
    src: authorized_keys.j2
    dest: /root/.ssh/authorized_keys
    mode: 0400
  when: authorized_keys is defined
- name: Install btrfs-tools
+- name: Create system users
-  apt:
+  ansible.builtin.user:
-    name: btrfs-tools
+    name: "{{ item.name }}"
    state: present
-  when: btrfs_support is defined and btrfs_support | bool == true
+    shell: "{{ item.shell | default('/bin/bash') }}"
    create_home: "{{ item.home | default(false) }}"
  loop: "{{ users }}"
  when: users is defined
 - name: Set authorized_keys for system users
  ansible.posix.authorized_key:
    user: "{{ item.key }}"
    key: "{{ item.value.key }}"
    state: present
  loop: "{{ users }}"
  when: users is defined and item.value.key is defined
 - name: Manage filesystem mounts
-  mount:
+  ansible.posix.mount:
    path: "{{ item.path }}"
    src: "UUID={{ item.uuid }}"
    fstype: "{{ item.fstype }}"
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -1,51 +1,39 @@
 # Copyright (C) 2021  Kris Lamoureux
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 - name: Add Debian Buster backports
  copy:
    src: buster-backports.list
    dest: /etc/apt/sources.list.d/buster-backports.list
    owner: root
    group: root
    mode: '0644'
 - name: Install WireGuard
-  apt:
+  ansible.builtin.apt:
    name: wireguard
    state: present
    update_cache: true
 - name: Generate WireGuard keys
-  shell: wg genkey | tee privatekey | wg pubkey > publickey
+  ansible.builtin.shell: |
    set -o pipefail
    wg genkey | tee privatekey | wg pubkey > publickey
  args:
    chdir: /etc/wireguard/
    creates: /etc/wireguard/privatekey
    executable: /usr/bin/bash
 - name: Grab WireGuard private key for configuration
-  slurp:
+  ansible.builtin.slurp:
    src: /etc/wireguard/privatekey
  register: wgkey
 - name: Install WireGuard configuration
-  template:
+  ansible.builtin.template:
    src: wireguard.j2
    dest: /etc/wireguard/wg0.conf
-  notify:
+    mode: 0400
-    - restart_wireguard
+  notify: restart_wireguard
 - name: Start WireGuard interface
-  service:
+  ansible.builtin.service:
    name: wg-quick@wg0
    state: started
    enabled: true
 - name: Add WireGuard firewall rule
  community.general.ufw:
    rule: allow
    port: "{{ wireguard.listenport }}"
    proto: udp
  when: wireguard.listenport is defined
--- a/roles/base/templates/fail2ban-allowlist.conf.j2
+++ b/roles/base/templates/fail2ban-allowlist.conf.j2
@@ -0,0 +1,2 @@
 [DEFAULT]
 ignoreip = {% for host in fail2ban_ignoreip %}{{ host }}{% if not loop.last %} {% endif %}{% endfor %}
--- a/roles/base/templates/fail2ban-ssh.conf.j2
+++ b/roles/base/templates/fail2ban-ssh.conf.j2
@@ -0,0 +1,3 @@
 [sshd]
 mode = aggressive
 enabled = true
--- a/roles/base/templates/smb.conf.j2
+++ b/roles/base/templates/smb.conf.j2
@@ -0,0 +1,28 @@
 [global]
   workgroup = WORKGROUP
   server string = Samba Server %v
   netbios name = {{ ansible_hostname }}
   security = user
   map to guest = bad user
   dns proxy = no
 {% for user in samba.users %}
   smb encrypt = {{ 'mandatory' if user.encrypt | default(false) else 'disabled' }}
 {% endfor %}
 {% for share in samba.shares %}
 [{{ share.name }}]
   path = {{ share.path }}
   browsable = yes
 {% if share.guest_allow is defined and share.guest_allow %}
   guest ok = yes
 {% else %}
   guest ok = no
 {% endif %}
   read only = {{ 'yes' if share.read_only | default(false) else 'no' }}
 {% if share.valid_users is defined %}
   valid users = {{ share.valid_users }}
 {% endif %}
 {% if share.force_user is defined %}
   force user = {{ share.force_user }}
 {% endif %}
 {% endfor %}
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@@ -1,4 +1,8 @@
 bitwarden_name: bitwarden
-bitwarden_root: "/opt/{{ bitwarden_name }}"
+bitwarden_root: "/var/lib/{{ bitwarden_name }}"
 bitwarden_logs_identity: "{{ bitwarden_root }}/bwdata/logs/identity/Identity"
 bitwarden_logs_identity_date: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
 bitwarden_database: "{{ bitwarden_name }}"
 bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false
 bitwarden_production: false
--- a/roles/bitwarden/handlers/main.yml
+++ b/roles/bitwarden/handlers/main.yml
@@ -1,7 +1,16 @@
- name: Rebuild Bitwarden
+- name: Stop Bitwarden for rebuild
-  shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
+  ansible.builtin.service:
    name: "{{ bitwarden_name }}"
    state: stopped
  listen: rebuild_bitwarden
- name: Start Bitwarden
+- name: Rebuild Bitwarden
-  shell: "{{ bitwarden_root }}/bitwarden.sh start"
+  ansible.builtin.shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
-  listen: start_bitwarden
+  listen: rebuild_bitwarden
 - name: Start Bitwarden after rebuild
  ansible.builtin.service:
    name: "{{ bitwarden_name }}"
    state: started
    enabled: true
  listen: rebuild_bitwarden
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -1,76 +1,104 @@
 - name: Install expect
-  apt:
+  ansible.builtin.apt:
    name: expect
    state: present
 - name: Create Bitwarden directory
-  file:
+  ansible.builtin.file:
    path: "{{ bitwarden_root }}"
    state: directory
 - name: Download Bitwarden script
-  get_url:
+  ansible.builtin.get_url:
    url: "https://raw.githubusercontent.com/\
-          bitwarden/server/master/scripts/bitwarden.sh"
+          bitwarden/self-host/master/bitwarden.sh"
    dest: "{{ bitwarden_root }}"
    mode: u+x
 - name: Install Bitwarden script wrapper
-  template:
+  ansible.builtin.template:
    src: bw_wrapper.j2
    dest: "{{ bitwarden_root }}/bw_wrapper"
    mode: u+x
 - name: Run Bitwarden installation script
-  shell: "{{ bitwarden_root }}/bw_wrapper"
+  ansible.builtin.shell: "{{ bitwarden_root }}/bw_wrapper"
  args:
    creates: "{{ bitwarden_root }}/bwdata/config.yml"
  notify: start_bitwarden
 - name: Install docker-compose override
-  template:
+  ansible.builtin.template:
    src: compose.override.yml.j2
    dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
-  notify:
+  when: traefik_version is defined
-    - rebuild_bitwarden
+  notify: rebuild_bitwarden
    - start_bitwarden
 - name: Disable bitwarden-nginx HTTP on 80
-  replace:
+  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^http_port: 80$"
-    replace: "http_port: 8080"
+    replace: "http_port: 127.0.0.1:8080"
  when: not bitwarden_standalone
-  notify:
+  notify: rebuild_bitwarden
    - rebuild_bitwarden
    - start_bitwarden
 - name: Disable bitwarden-nginx HTTPS on 443
-  replace:
+  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^https_port: 443$"
-    replace: "https_port: 8443"
+    replace: "https_port: 127.0.0.1:8443"
  when: not bitwarden_standalone
-  notify:
+  notify: rebuild_bitwarden
    - rebuild_bitwarden
    - start_bitwarden
 - name: Disable Bitwarden managed Lets Encrypt
-  replace:
+  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^ssl_managed_lets_encrypt: true$"
    replace: "ssl_managed_lets_encrypt: false"
  when: not bitwarden_standalone or not bitwarden_production
-  notify:
+  notify: rebuild_bitwarden
    - rebuild_bitwarden
    - start_bitwarden
 - name: Disable Bitwarden managed SSL
-  replace:
+  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^ssl: true$"
    replace: "ssl: false"
  when: not bitwarden_standalone
-  notify:
+  notify: rebuild_bitwarden
-    - rebuild_bitwarden
+
-    - start_bitwarden
+- name: Define reverse proxy servers
  ansible.builtin.lineinfile:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    line: "- {{ bitwarden_realips }}"
    insertafter: "^real_ips"
  notify: rebuild_bitwarden
 - name: Install Bitwarden systemd service
  ansible.builtin.template:
    src: bitwarden.service.j2
    dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
  register: bitwarden_systemd
  notify: rebuild_bitwarden
 - name: Create Bitwarden's initial logging directory
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}"
    state: directory
  register: bitwarden_logs
 - name: Create Bitwarden's initial log file
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
    state: touch
  when: bitwarden_logs.changed
 - name: Install Bitwarden's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/bitwarden.conf
  notify: restart_fail2ban
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
    daemon_reload: true
  when: bitwarden_systemd.changed
  notify: rebuild_bitwarden
--- a/roles/bitwarden/templates/bitwarden.service.j2
+++ b/roles/bitwarden/templates/bitwarden.service.j2
@@ -0,0 +1,13 @@
 [Unit]
 Description=Bitwarden Password Manager Server
 PartOf=docker.service
 After=docker.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
 ExecStart={{ bitwarden_root }}/bitwarden.sh start
 ExecStop={{ bitwarden_root }}/bitwarden.sh stop
 [Install]
 WantedBy=multi-user.target
--- a/roles/bitwarden/templates/bw_wrapper.j2
+++ b/roles/bitwarden/templates/bw_wrapper.j2
@@ -14,6 +14,9 @@ send "y\r"
 send "n\r"
 {% endif %}
 expect "Enter the database name for your Bitwarden instance (ex. vault):"
 send "{{ bitwarden_database }}\r"
 expect "Enter your installation id (get at https://bitwarden.com/host):"
 send "{{ bitwarden_install_id }}\r"
--- a/roles/bitwarden/templates/compose.override.yml.j2
+++ b/roles/bitwarden/templates/compose.override.yml.j2
@@ -1,3 +1,5 @@
 version: '3'
 services:
  nginx:
    networks:
--- a/roles/bitwarden/templates/fail2ban-jail.conf.j2
+++ b/roles/bitwarden/templates/fail2ban-jail.conf.j2
@@ -0,0 +1,9 @@
 # {{ ansible_managed }}
 [bitwarden]
 enabled = true
 filter = bitwarden
 logpath = {{ bitwarden_root }}/bwdata/logs/identity/Identity/*
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -0,0 +1,6 @@
 docker_compose_root: /var/lib/compose
 docker_compose_service: compose
 docker_compose: /usr/bin/docker-compose
 docker_repos_keys: "{{ docker_repos_path }}/.keys"
 docker_repos_keytype: rsa
 docker_repos_path: /srv/compose_repos
--- a/roles/docker/docker-ce.list
+++ b/roles/docker/docker-ce.list
@@ -1 +0,0 @@
 deb [arch=amd64] https://download.docker.com/linux/debian buster stable
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,4 @@
 - name: Reload systemd manager configuration
  ansible.builtin.systemd:
    daemon_reload: true
  listen: compose_systemd
--- a/roles/docker/install-compose.sh
+++ b/roles/docker/install-compose.sh
@@ -1,38 +0,0 @@
 #!/bin/bash
 # Github username and repo name
 user="docker"
 repo="compose"
 # Retrieve the latest version number
 addr="https://github.com/$user/$repo/releases/latest"
 page=$(curl -s $addr | grep -o releases/tag/*.*\")
 version=$(echo $page | awk '{print substr($1, 14, length($1) - 14)}')
 # Download prep
 url="https://github.com/$user/$repo/releases/download/$version"
 file="docker-compose-$(uname -s)-$(uname -m)"
 # Download latest Docker Compose if that version hasn't been downloaded
 if [ ! -f /tmp/docker_compose_$version ]; then
  curl -L $url/$file -o /tmp/docker-compose_$version
 fi
 # Is it already installed?
 if installed=$(which docker-compose); then
  new_chksum=$(sha256sum /tmp/docker-compose_$version)
  old_chksum=$(sha256sum /usr/local/bin/docker-compose)
  # If checksums are different, delete and install new version
  if [ ! "$new_chksum" = "$old_chksum" ]; then
    rm /usr/local/bin/docker-compose
    mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose
  fi
 else
  # It's not installed, so no need to remove
  mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
  chmod +x /usr/local/bin/docker-compose
 fi
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,61 +1,92 @@
-# Copyright (C) 2019  Kris Lamoureux
+- name: Install Docker
-#
+  ansible.builtin.apt:
-# This program is free software: you can redistribute it and/or modify
+    name: ['docker.io', 'docker-compose']
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 - name: Remove old versions of Docker
  apt:
    name: ['docker', 'docker-engine', 'docker.io', 'containerd', 'runc']
    state: absent
    update_cache: true
 - name: Install HTTPS capability for apt
  apt:
    name: ['apt-transport-https', 'ca-certificates',
           'curl', 'gnupg2', 'software-properties-common']
    state: present
 - name: Install Docker's signing key
  apt_key:
    url: https://download.docker.com/linux/debian/gpg
    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
    state: present
 - name: Install Docker's stable repository
  template:
    src: docker-ce.list
    dest: /etc/apt/sources.list.d/docker-ce.list
 - name: Install Docker CE
  apt:
    name: ['docker-ce', 'docker-ce-cli', 'containerd.io']
    state: present
    update_cache: true
 - name: Create docker-compose root
  ansible.builtin.file:
    path: "{{ docker_compose_root }}"
    state: directory
    mode: 0500
 - name: Install docker-compose systemd service
  ansible.builtin.template:
    src: docker-compose.service.j2
    dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
    mode: 0400
  notify: compose_systemd
 - name: Create directories to clone docker-compose repositories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: 0400
  loop:
    - "{{ docker_repos_path }}"
    - "{{ docker_repos_keys }}"
  when: docker_compose_deploy is defined
 - name: Generate OpenSSH deploy keys for docker-compose clones
  community.crypto.openssh_keypair:
    path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
    type: "{{ docker_repos_keytype }}"
    mode: 0400
    state: present
  when: docker_compose_deploy is defined
 - name: Clone external docker-compose projects
  ansible.builtin.git:
    repo: "{{ item.url }}"
    dest: "{{ docker_repos_path }}/{{ item.name }}"
    version: "{{ item.version | default('main') }}"
    force: true
    key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
  when: docker_compose_deploy is defined
  loop: "{{ docker_compose_deploy }}"
 - name: Create directories for docker-compose projects using the systemd service
  ansible.builtin.file:
    path: "{{ docker_compose_root }}/{{ item.name }}"
    state: directory
    mode: 0400
  loop: "{{ docker_compose_deploy }}"
  when: docker_compose_deploy is defined
 - name: Copy docker-compose.yml files to their service directories
  ansible.builtin.copy:
    src: "{{ docker_repos_path }}/{{ item.name }}/{{ item.path | default('docker-compose.yml') }}"
    dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
    remote_src: yes
  loop: "{{ docker_compose_deploy }}"
  when: docker_compose_deploy is defined
 - name: Set environment variables for docker-compose projects
  ansible.builtin.template:
    src: docker-compose-env.j2
    dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
    mode: 0400
  loop: "{{ docker_compose_deploy }}"
  when: docker_compose_deploy is defined and item.env is defined
 - name: Add users to docker group
-  user:
+  ansible.builtin.user:
    name: "{{ item }}"
    groups: docker
    append: true
  loop: "{{ docker_users }}"
  when: docker_users is defined
 - name: Install docker-compose
  script: install-compose.sh
  args:
    creates: /usr/local/bin/docker-compose
 - name: Start Docker and enable on boot
-  service:
+  ansible.builtin.service:
    name: docker
    state: started
    enabled: true
 - name: Start docker-compose services and enable on boot
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ item.name }}"
    state: started
    enabled: true
  loop: "{{ docker_compose_deploy }}"
  when: item.enabled is defined and item.enabled is true
--- a/roles/docker/templates/docker-compose-env.j2
+++ b/roles/docker/templates/docker-compose-env.j2
@@ -0,0 +1,7 @@
 # {{ ansible_managed }}
 {% if item.env is defined %}
 {% for kvpair in item.env.items() %}
 {{ kvpair.0 }}={{ kvpair.1 }}
 {% endfor %}
 {% endif %}
--- a/roles/docker/templates/docker-compose.service.j2
+++ b/roles/docker/templates/docker-compose.service.j2
@@ -0,0 +1,14 @@
 [Unit]
 Description=%i docker-compose service
 PartOf=docker.service
 After=docker.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ docker_compose_root }}/%i
 ExecStart={{ docker_compose }} up -d --remove-orphans
 ExecStop={{ docker_compose }} down
 [Install]
 WantedBy=multi-user.target
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,11 +1,22 @@
 # container settings
 gitea_name: gitea
-gitea_dbname: "{{ gitea_name }}-db"
+gitea_sshport: "222"
-gitea_ports: "222:22"
+gitea_webport: "3000"
 gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
 gitea_web: "127.0.0.1:{{ gitea_webport }}"
 gitea_volume: "{{ gitea_name }}"
 gitea_rooturl: "https://{{ gitea_domain }}"
 gitea_signup: true
 # database settings
-gitea_dbuser: "{{ gitea_dbname }}"
+gitea_dbtype: mysql
 gitea_dbhost: host.docker.internal
 gitea_dbname: "{{ gitea_name }}"
 gitea_dbuser: "{{ gitea_name }}"
 # proxy settings
 gitea_proxy_limit: "1"
 gitea_trusted_proxies: "172.16.0.0/12"
 # host
-gitea_root: "/opt/{{ gitea_name }}/data"
+gitea_root: "{{ docker_compose_root }}/{{ gitea_name }}"
 gitea_dbroot: "/opt/{{ gitea_name }}/database"
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,5 @@
 - name: Restart Gitea
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ gitea_name }}"
    state: restarted
  listen: restart_gitea
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -1,54 +1,111 @@
- name: Create Gitea Network
+- name: Create Gitea directory
-  docker_network:
+  ansible.builtin.file:
-    name: "{{ gitea_name }}"
+    path: "{{ gitea_root }}"
    state: directory
- name: Start Gitea's database container
+- name: Create Gitea database
-  docker_container:
+  community.mysql.mysql_db:
    name: "{{ gitea_dbname }}"
-    image: mariadb:{{ gitea_dbversion }}
+    state: present
-    state: started
+    login_unix_socket: /var/run/mysqld/mysqld.sock
    restart_policy: always
    volumes: "{{ gitea_dbroot }}:/var/lib/mysql"
    networks_cli_compatible: true
    networks:
      - name: "{{ gitea_name }}"
    env:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "{{ gitea_dbname }}"
      MYSQL_USER: "{{ gitea_dbuser }}"
      MYSQL_PASSWORD: "{{ gitea_dbpass }}"
- name: Start Gitea container
+- name: Create Gitea database user
-  docker_container:
+  community.mysql.mysql_user:
-    name: "{{ gitea_name }}"
+    name: "{{ gitea_dbuser }}"
-    image: gitea/gitea:{{ gitea_version }}
+    password: "{{ gitea_dbpass }}"
    host: '%'
    state: present
    priv: "{{ gitea_dbname }}.*:ALL"
    login_unix_socket: /var/run/mysqld/mysqld.sock
 - name: Create git user
  ansible.builtin.user:
    name: git
    state: present
 - name: Git user uid
  ansible.builtin.getent:
    database: passwd
    key: git
 - name: Git user gid
  ansible.builtin.getent:
    database: group
    key: git
 - name: Create git's .ssh directory
  ansible.builtin.file:
    path: /home/git/.ssh
    state: directory
 - name: Generate git's SSH keys
  community.crypto.openssh_keypair:
    path: /home/git/.ssh/id_rsa
 - name: Find git's public SSH key
  ansible.builtin.slurp:
    src: /home/git/.ssh/id_rsa.pub
  register: git_rsapub
 - name: Get stats on git's authorized_keys file
  ansible.builtin.stat:
    path: /home/git/.ssh/authorized_keys
  register: git_authkeys
 - name: Create git's authorized_keys file
  ansible.builtin.file:
    path: /home/git/.ssh/authorized_keys
    state: touch
  when: not git_authkeys.stat.exists
 - name: Add git's public SSH key to authorized_keys
  ansible.builtin.lineinfile:
    path: /home/git/.ssh/authorized_keys
    regex: "^ssh-rsa"
    line: "{{ git_rsapub['content'] | b64decode }}"
 - name: Create Gitea host script for SSH
  ansible.builtin.template:
    src: gitea.sh.j2
    dest: /usr/local/bin/gitea
    mode: 0755
 - name: Install Gitea's docker-compose file
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ gitea_root }}/docker-compose.yml"
  notify: restart_gitea
 - name: Install Gitea's docker-compose variables
  ansible.builtin.template:
    src: compose-env.j2
    dest: "{{ gitea_root }}/.env"
  notify: restart_gitea
 - name: Create Gitea's logging directory
  ansible.builtin.file:
    name: /var/log/gitea
    state: directory
 - name: Create Gitea's initial log file
  ansible.builtin.file:
    name: /var/log/gitea/gitea.log
    state: touch
 - name: Install Gitea's Fail2ban filter
  ansible.builtin.template:
    src: fail2ban-filter.conf.j2
    dest: /etc/fail2ban/filter.d/gitea.conf
  notify: restart_fail2ban
 - name: Install Gitea's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/gitea.conf
  notify: restart_fail2ban
 - name: Start and enable Gitea service
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ gitea_name }}"
    state: started
-    restart_policy: always
+    enabled: true
    networks_cli_compatible: true
    ports: "{{ gitea_ports }}"
    networks:
      - name: "{{ gitea_name }}"
      - name: traefik
    volumes:
      - "{{ gitea_root }}:/data"
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    env:
      USER_UID: "1000"
      USER_GID: "1000"
      DB_TYPE: mysql
      DB_HOST: "{{ gitea_dbname }}"
      DB_NAME: "{{ gitea_dbname }}"
      DB_USER: "{{ gitea_dbuser }}"
      DB_PASSWD: "{{ gitea_dbpass }}"
      ROOT_URL: "https://{{ gitea_domain }}/"
      SSH_DOMAIN: "{{ gitea_domain }}"
      DOMAIN: "{{ gitea_domain }}"
    labels:
      traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)"
      traefik.http.routers.gitea.entrypoints: websecure
      traefik.http.routers.gitea.tls.certresolver: letsencrypt
      traefik.http.routers.gitea.middlewares: "securehttps@file"
      traefik.http.services.gitea.loadbalancer.server.port: "3000"
      traefik.docker.network: traefik
      traefik.enable: "true"
--- a/roles/gitea/templates/compose-env.j2
+++ b/roles/gitea/templates/compose-env.j2
@@ -0,0 +1,19 @@
 # {{ ansible_managed }}
 gitea_version={{ gitea_version }}
 gitea_name={{ gitea_name }}
 gitea_domain={{ gitea_domain }}
 gitea_rooturl={{ gitea_rooturl }}
 gitea_web={{ gitea_web }}
 gitea_ssh={{ gitea_ssh }}
 gitea_dbtype={{ gitea_dbtype }}
 gitea_dbhost={{ gitea_dbhost }}
 gitea_dbname={{ gitea_dbname }}
 gitea_dbuser={{ gitea_dbuser }}
 gitea_dbpass={{ gitea_dbpass }}
 gitea_proxy_limit={{ gitea_proxy_limit }}
 gitea_trusted_proxies={{ gitea_trusted_proxies }}
 {% if not gitea_signup %}
 gitea_disable_registration=true
 {% else %}
 gitea_disable_registration=false
 {% endif %}
--- a/roles/gitea/templates/docker-compose.yml.j2
+++ b/roles/gitea/templates/docker-compose.yml.j2
@@ -0,0 +1,36 @@
 version: '3.7'
 services:
  gitea:
    image: "gitea/gitea:${gitea_version}"
    container_name: "${gitea_name}"
    ports:
      - "${gitea_ssh}:22"
      - "${gitea_web}:3000"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    environment:
      - USER_UID={{ getent_passwd.git[1] }}
      - USER_GID={{ getent_group.git[1] }}
      - GITEA__log__MODE=file
      - GITEA__server__ROOT_URL=${gitea_rooturl}
      - GITEA__server__DOMAIN=${gitea_domain}
      - GITEA__server__SSH_DOMAIN=${gitea_domain}
      - GITEA__database__DB_TYPE=${gitea_dbtype}
      - GITEA__database__HOST=${gitea_dbhost}
      - GITEA__database__NAME=${gitea_dbname}
      - GITEA__database__USER=${gitea_dbuser}
      - GITEA__database__PASSWD=${gitea_dbpass}
      - GITEA__security__INSTALL_LOCK=true
      - GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
      - GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
      - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
    volumes:
      - {{ gitea_volume }}:/data
      - /home/git/.ssh:/data/git/.ssh
      - /var/log/gitea:/data/gitea/log
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
 volumes:
  {{ gitea_volume }}:
--- a/roles/gitea/templates/fail2ban-filter.conf.j2
+++ b/roles/gitea/templates/fail2ban-filter.conf.j2
@@ -0,0 +1,4 @@
 # {{ ansible_managed }}
 [Definition]
 failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
 ignoreregex =
--- a/roles/gitea/templates/fail2ban-jail.conf.j2
+++ b/roles/gitea/templates/fail2ban-jail.conf.j2
@@ -0,0 +1,18 @@
 # {{ ansible_managed }}
 [gitea]
 enabled = true
 filter = gitea
 logpath = /var/log/gitea/gitea.log
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports
 [gitea-docker]
 enabled = true
 filter = gitea
 logpath = /var/log/gitea/gitea.log
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports[chain="FORWARD"]
--- a/roles/gitea/templates/gitea.sh.j2
+++ b/roles/gitea/templates/gitea.sh.j2
@@ -0,0 +1,2 @@
 #!/bin/sh
 ssh -p {{ gitea_sshport }} -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
@@ -0,0 +1,4 @@
 jellyfin_name: jellyfin
 jellyfin_router: "{{ jellyfin_name }}"
 jellyfin_rooturl: "https://{{ jellyfin_domain }}"
 jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
--- a/roles/jellyfin/handlers/main.yml
+++ b/roles/jellyfin/handlers/main.yml
@@ -0,0 +1,5 @@
 - name: Restart Jellyfin
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ jellyfin_name }}"
    state: restarted
  listen: restart_jellyfin
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@@ -0,0 +1,35 @@
 - name: Create Jellyfin directory
  ansible.builtin.file:
    path: "{{ jellyfin_root }}"
    state: directory
    mode: 0500
 - name: Get user jellyfin uid
  ansible.builtin.getent:
    database: passwd
    key: jellyfin
 - name: Get user jellyfin gid
  ansible.builtin.getent:
    database: group
    key: jellyfin
 - name: Install Jellyfin's docker-compose file
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ jellyfin_root }}/docker-compose.yml"
    mode: 0400
  notify: restart_jellyfin
 - name: Install Jellyfin's docker-compose variables
  ansible.builtin.template:
    src: compose-env.j2
    dest: "{{ jellyfin_root }}/.env"
    mode: 0400
  notify: restart_jellyfin
 - name: Start and enable Jellyfin service
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ jellyfin_name }}"
    state: started
    enabled: true
--- a/roles/jellyfin/templates/compose-env.j2
+++ b/roles/jellyfin/templates/compose-env.j2
@@ -0,0 +1,5 @@
 # {{ ansible_managed }}
 jellyfin_version={{ jellyfin_version }}
 jellyfin_name={{ jellyfin_name }}
 jellyfin_domain={{ jellyfin_domain }}
 jellyfin_rooturl={{ jellyfin_rooturl }}
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@@ -0,0 +1,30 @@
 version: '3.7'
 volumes:
  config:
  cache:
 networks:
  traefik:
    external: true
 services:
  jellyfin:
    image: "jellyfin/jellyfin:${jellyfin_version}"
    container_name: "${jellyfin_name}"
    networks:
      - traefik
    labels:
      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
 {% if traefik_http_only %}
      - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
 {% else %}
      - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=websecure"
 {% endif %}
      - "traefik.http.services.{{ jellyfin_router }}.loadbalancer.server.port=8096"
      - "traefik.docker.network=traefik"
      - "traefik.enable=true"
    volumes:
      - config:/config
      - cache:/cache
      - {{ jellyfin_media }}:/media
--- a/roles/jenkins/files/ansible.list
+++ b/roles/jenkins/files/ansible.list
@@ -1 +0,0 @@
 deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main
--- a/roles/jenkins/tasks/agent.yml
+++ b/roles/jenkins/tasks/agent.yml
@@ -1,10 +1,5 @@
 - name: Install GnuPG
  apt:
    name: gnupg
    state: present
 - name: Create Jenkins user
-  user:
+  ansible.builtin.user:
    name: "{{ jenkins_user }}"
    state: present
    shell: /bin/bash
@@ -12,35 +7,25 @@
    generate_ssh_key: true
 - name: Set Jenkins authorized key
-  authorized_key:
+  ansible.posix.authorized_key:
    user: jenkins
    state: present
    exclusive: true
    key: "{{ jenkins_sshkey }}"
 - name: Give Jenkins user passwordless sudo
-  template:
+  ansible.builtin.template:
    src: jenkins_sudoers.j2
    dest: /etc/sudoers.d/{{ jenkins_user }}
    validate: "visudo -cf %s"
    mode: 0440
 - name: Install Ansible source
  copy:
    src: ansible.list
    dest: /etc/apt/sources.list.d/ansible.list
 - name: Add Ansible source key
  apt_key:
    keyserver: keyserver.ubuntu.com
    id: 93C4A3FD7BB9C367
 - name: Install Ansible
-  apt:
+  ansible.builtin.apt:
    name: ansible
    state: present
 - name: Install Java
-  apt:
+  ansible.builtin.apt:
    name: default-jre
    state: present
--- a/roles/jenkins/tasks/main.yml
+++ b/roles/jenkins/tasks/main.yml
@@ -1,5 +1,5 @@
- import_tasks: agent.yml
+- ansible.builtin.import_tasks: agent.yml
  when: jenkins_sshkey is defined
- import_tasks: server.yml
+- ansible.builtin.import_tasks: server.yml
  when: jenkins_domain is defined
--- a/roles/jenkins/tasks/server.yml
+++ b/roles/jenkins/tasks/server.yml
@@ -1,12 +1,12 @@
 - name: Create Jenkin's directory
-  file:
+  ansible.builtin.file:
    path: "{{ jenkins_root }}"
    state: directory
    owner: "1000"
    group: "1000"
 - name: Start Jenkins Container
-  docker_container:
+  community.general.docker_container:
    name: "{{ jenkins_name }}"
    image: jenkins/jenkins:{{ jenkins_version }}
    state: started
--- a/roles/libvirt/tasks/main.yml
+++ b/roles/libvirt/tasks/main.yml
@@ -1,15 +1,15 @@
 - name: Install QEMU/KVM
-  apt:
+  ansible.builtin.apt:
    name: qemu-kvm
    state: present
 - name: Install Libvirt
-  apt:
+  ansible.builtin.apt:
    name: ["libvirt-clients", "libvirt-daemon-system"]
    state: present
 - name: Add users to libvirt group
-  user:
+  ansible.builtin.user:
    name: "{{ item }}"
    groups: libvirt
    append: yes
@@ -17,12 +17,12 @@
  when: libvirt_users is defined
 - name: Check for NODOWNLOAD file
-  stat:
+  ansible.builtin.stat:
    path: /var/lib/libvirt/images/NODOWNLOAD
  register: NODOWNLOAD
 - name: Download GNU/Linux ISOs
-  get_url:
+  ansible.builtin.get_url:
    url: "{{ item.url }}"
    dest: /var/lib/libvirt/images
    checksum: "{{ item.hash }}"
@@ -34,7 +34,7 @@
 # Prevent downloaded ISOs from being rehashed every run
 - name: Create NODOWNLOAD file
-  file:
+  ansible.builtin.file:
    path: /var/lib/libvirt/images/NODOWNLOAD
    state: touch
  when: download_isos.changed
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@@ -0,0 +1,3 @@
 mariadb_trust:
  - "172.16.0.0/12"
  - "192.168.0.0/16"
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -0,0 +1,25 @@
 - name: Install MariaDB
  ansible.builtin.apt:
    name: mariadb-server
    state: present
 - name: Change the bind-address to allow Docker
  ansible.builtin.lineinfile:
    path: /etc/mysql/mariadb.conf.d/50-server.cnf
    regex: "^bind-address"
    line: "bind-address            = 0.0.0.0"
  register: mariadb_conf
 - name: Restart MariaDB
  ansible.builtin.service:
    name: mariadb
    state: restarted
  when: mariadb_conf.changed
 - name: Allow database connections
  community.general.ufw:
    rule: allow
    port: "3306"
    proto: tcp
    src: "{{ item }}"
  loop: "{{ mariadb_trust }}"
--- a/roles/minecraft/tasks/java.yml
+++ b/roles/minecraft/tasks/java.yml
@@ -1,28 +1,28 @@
 - name: Install GPG
-  apt:
+  ansible.builtin.apt:
    name: gpg
    state: present
 - name: Add AdoptOpenJDK's signing key
-  apt_key:
+  ansible.builtin.apt_key:
    id: 8ED17AF5D7E675EB3EE3BCE98AC3B29174885C03
    url: https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
 - name: Install AdoptOpenJDK repository
-  apt_repository:
+  ansible.builtin.apt_repository:
    repo: deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
    mode: 0644
    state: present
 - name: Install Java
-  apt:
+  ansible.builtin.apt:
    name: "adoptopenjdk-{{ item.java.version }}-hotspot"
    state: present
  when: item.java.version is defined
  loop: "{{ minecraft }}"
 - name: "Install default Java, version {{ minecraft_java }}"
-  apt:
+  ansible.builtin.apt:
    name: "{{ minecraft_java_pkg }}"
    state: present
  when: item.java.version is not defined
@@ -30,7 +30,7 @@
  register: minecraft_java_default
 - name: "Activate default Java, version {{ minecraft_java }}"
-  alternatives:
+  community.general.alternatives:
    name: java
    path: "/usr/lib/jvm/{{ minecraft_java_pkg }}-amd64/bin/java"
  when: minecraft_java_default.changed
--- a/roles/minecraft/tasks/main.yml
+++ b/roles/minecraft/tasks/main.yml
@@ -1,14 +1,14 @@
- import_tasks: system.yml
+- ansible.builtin.import_tasks: system.yml
  when: minecraft_eula
- import_tasks: java.yml
+- ansible.builtin.import_tasks: java.yml
  when: minecraft_eula
- import_tasks: vanilla.yml
+- ansible.builtin.import_tasks: vanilla.yml
  when: minecraft_eula
- import_tasks: modpacks.yml
+- ansible.builtin.import_tasks: modpacks.yml
  when: minecraft_eula
- import_tasks: service.yml
+- ansible.builtin.import_tasks: service.yml
  when: minecraft_eula
--- a/roles/minecraft/tasks/modpacks.yml
+++ b/roles/minecraft/tasks/modpacks.yml
@@ -1,5 +1,5 @@
 - name: Download Minecraft modpack installer
-  get_url:
+  ansible.builtin.get_url:
    url: "{{ minecraft_modpack_url }}"
    dest: "{{ minecraft_home }}/{{ item.name }}/serverinstall_{{ item.modpack | replace ('/', '_') }}"
    owner: "{{ minecraft_user }}"
@@ -9,7 +9,7 @@
  when: item.modpack is defined and item.sha1 is not defined
 - name: Run Minecraft modpack installer
-  command: "sudo -u {{ minecraft_user }} ./serverinstall_{{ item.modpack | replace ('/', '_') }} --auto"
+  ansible.builtin.command: "sudo -u {{ minecraft_user }} ./serverinstall_{{ item.modpack | replace ('/', '_') }} --auto"
  args:
    creates: "{{ minecraft_home }}/{{ item.name }}/mods"
    chdir: "{{ minecraft_home }}/{{ item.name }}"
@@ -17,7 +17,7 @@
  when: item.modpack is defined and item.sha1 is not defined
 - name: Find Minecraft Forge
-  find:
+  ansible.builtin.find:
    paths: "{{ minecraft_home }}/{{ item.name }}"
    patterns: "forge*.jar"
  register: minecraft_forge
@@ -25,7 +25,7 @@
  when: item.modpack is defined and item.sha1 is not defined
 - name: Link to Minecraft Forge
-  file:
+  ansible.builtin.file:
    src: "{{ item.files[0].path }}"
    dest: "{{ minecraft_home }}/{{ item.item.name }}/minecraft_server.jar"
    owner: "{{ minecraft_user }}"
--- a/roles/minecraft/tasks/service.yml
+++ b/roles/minecraft/tasks/service.yml
@@ -1,11 +1,11 @@
 - name: Deploy Minecraft systemd service
-  template:
+  ansible.builtin.template:
    src: minecraft.service.j2
    dest: "/etc/systemd/system/minecraft@.service"
  register: minecraft_systemd
 - name: Deploy service environmental variables
-  template:
+  ansible.builtin.template:
    src: environment.conf.j2
    dest: "{{ minecraft_home }}/{{ item.name }}/environment.conf"
    owner: "{{ minecraft_user }}"
@@ -13,25 +13,25 @@
  loop: "{{ minecraft }}"
 - name: Reload systemd manager configuration
-  systemd:
+  ansible.builtin.systemd:
    daemon_reload: true
  when: minecraft_systemd.changed
 - name: Disable non-default service instances
-  service:
+  ansible.builtin.service:
    name: "minecraft@{{ item.name }}"
    enabled: false
  loop: "{{ minecraft }}"
  when: item.name != minecraft_onboot
 - name: Enable default service instance
-  service:
+  ansible.builtin.service:
    name: "minecraft@{{ minecraft_onboot }}"
    enabled: true
  when: minecraft_eula and minecraft_onboot is defined
 - name: Run default service instance
-  service:
+  ansible.builtin.service:
    name: "minecraft@{{ minecraft_onboot }}"
    state: started
  when: minecraft_eula and minecraft_onboot is defined and minecraft_onboot_run
--- a/roles/minecraft/tasks/system.yml
+++ b/roles/minecraft/tasks/system.yml
@@ -1,16 +1,16 @@
 - name: Install Screen
-  apt:
+  ansible.builtin.apt:
    name: screen
    state: present
 - name: Create Minecraft user
-  user:
+  ansible.builtin.user:
    name: "{{ minecraft_user }}"
    state: present
-    shell: /bin/bash
+    ansible.builtin.shell: /bin/bash
 - name: Create Minecraft directory
-  file:
+  ansible.builtin.file:
    path: "{{ minecraft_home }}/{{ item.name }}"
    state: directory
    owner: "{{ minecraft_user }}"
@@ -18,7 +18,7 @@
  loop: "{{ minecraft }}"
 - name: Answer to Mojang's EULA
-  template:
+  ansible.builtin.template:
    src: eula.txt.j2
    dest: "{{ minecraft_home }}/{{ item.name }}/eula.txt"
    owner: "{{ minecraft_user }}"
--- a/roles/minecraft/tasks/vanilla.yml
+++ b/roles/minecraft/tasks/vanilla.yml
@@ -1,5 +1,5 @@
 - name: Download Minecraft
-  get_url:
+  ansible.builtin.get_url:
    url: "{{ minecraft_url }}"
    dest: "{{ minecraft_home }}/{{ item.name }}/minecraft_server.jar"
    checksum: "sha1:{{ item.sha1 }}"
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -1,9 +1,9 @@
 - name: Create Nextcloud network
-  docker_network:
+  community.general.docker_network:
    name: "{{ nextcloud_container }}"
 - name: Start Nextcloud's database container
-  docker_container:
+  community.general.docker_container:
    name: "{{ nextcloud_dbcontainer }}"
    image: mariadb:{{ nextcloud_dbversion }}
    state: started
@@ -19,7 +19,7 @@
      MYSQL_PASSWORD: "{{ nextcloud_dbpass }}"
 - name: Start Nextcloud container
-  docker_container:
+  community.general.docker_container:
    name: "{{ nextcloud_container }}"
    image: nextcloud:{{ nextcloud_version }}
    state: started
@@ -29,6 +29,8 @@
    networks:
      - name: "{{ nextcloud_container }}"
      - name: traefik
    env:
      PHP_MEMORY_LIMIT: 1024M
    labels:
      traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
      traefik.http.routers.nextcloud.entrypoints: websecure
@@ -41,34 +43,34 @@
      traefik.enable: "true"
 - name: Grab Nextcloud database container information
-  docker_container_info:
+  community.general.docker_container_info:
    name: "{{ nextcloud_dbcontainer }}"
  register: nextcloud_dbinfo
 - name: Grab Nextcloud container information
-  docker_container_info:
+  community.general.docker_container_info:
    name: "{{ nextcloud_container }}"
  register: nextcloud_info
 - name: Wait for Nextcloud to become available
-  wait_for:
+  ansible.builtin.wait_for:
    host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
    port: 80
 - name: Check Nextcloud status
-  command: "docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }}
            php occ status"
  register: nextcloud_status
  args:
    removes: "{{ nextcloud_root }}/config/CAN_INSTALL"
 - name: Wait for Nextcloud database to become available
-  wait_for:
+  ansible.builtin.wait_for:
    host: "{{ nextcloud_dbinfo.container.NetworkSettings.Networks.nextcloud.IPAddress }}"
    port: 3306
 - name: Install Nextcloud
-  command: 'docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ maintenance:install
              --database "mysql"
              --database-host "{{ nextcloud_dbcontainer }}"
@@ -83,19 +85,19 @@
    - nextcloud_domain is defined
 - name: Set Nextcloud's Trusted Proxy
-  command: 'docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ config:system:set trusted_proxies 0
              --value="{{ traefik_name }}"'
  when: nextcloud_install.changed
 - name: Set Nextcloud's Trusted Domain
-  command: 'docker exec --user www-data {{ nextcloud_container }}
+  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ config:system:set trusted_domains 0
              --value="{{ nextcloud_domain }}"'
  when: nextcloud_install.changed
 - name: Preform Nextcloud database maintenance
-  command: "docker exec --user www-data {{ nextcloud_container }} {{ item }}"
+  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }} {{ item }}"
  loop:
    - "php occ maintenance:mode --on"
    - "php occ db:add-missing-indices"
@@ -103,7 +105,14 @@
    - "php occ maintenance:mode --off"
  when: nextcloud_install.changed
 - name: Install Nextcloud background jobs cron
  ansible.builtin.cron:
    name: Nextcloud background job
    minute: "*/5"
    job: "/usr/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"
    user: root
 - name: Remove Nextcloud's CAN_INSTALL file
-  file:
+  ansible.builtin.file:
    path: "{{ nextcloud_root }}/config/CAN_INSTALL"
    state: absent
--- a/roles/postgresql/defaults/main.yml
+++ b/roles/postgresql/defaults/main.yml
@@ -0,0 +1,5 @@
 postgresql_config: /etc/postgresql/13/main/pg_hba.conf
 postgresql_listen: "*"
 postgresql_trust:
  - "172.16.0.0/12"
  - "192.168.0.0/16"
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -0,0 +1,43 @@
 - name: Install PostgreSQL
  ansible.builtin.apt:
    name: postgresql
    state: present
 - name: Trust connections to PostgreSQL
  community.general.postgresql_pg_hba:
    dest: "{{ postgresql_config }}"
    contype: host
    databases: all
    users: all
    address: "{{ item }}"
    method: trust
  register: postgresql_hba
  loop: "{{ postgresql_trust }}"
 - name: Change PostgreSQL listen addresses
  community.general.postgresql_set:
    name: listen_addresses
    value: "{{ postgresql_listen }}"
  become: true
  become_user: postgres
  register: postgresql_config
 - name: Reload PostgreSQL
  ansible.builtin.service:
    name: postgresql
    state: reloaded
  when: postgresql_hba.changed and not postgresql_config.changed
 - name: Restart PostgreSQL
  ansible.builtin.service:
    name: postgresql
    state: restarted
  when: postgresql_config.changed
 - name: Allow database connections
  community.general.ufw:
    rule: allow
    port: "5432"
    proto: tcp
    src: "{{ item }}"
  loop: "{{ postgresql_trust }}"
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -1,35 +1,35 @@
 - name: Install Prometheus node exporter
-  apt:
+  ansible.builtin.apt:
    name: prometheus-node-exporter
    state: present
 - name: Run Prometheus node exporter
-  service:
+  ansible.builtin.service:
    name: prometheus-node-exporter
    state: started
 - name: Create Prometheus data directory
-  file:
+  ansible.builtin.file:
    path: "{{ prom_root }}/prometheus"
    state: directory
    owner: nobody
 - name: Create Prometheus config directory
-  file:
+  ansible.builtin.file:
    path: "{{ prom_root }}/config"
    state: directory
 - name: Install Prometheus configuration
-  template:
+  ansible.builtin.template:
    src: prometheus.yml.j2
    dest: "{{ prom_root }}/config/prometheus.yml"
 - name: Create Prometheus network
-  docker_network:
+  community.general.docker_network:
    name: "{{ prom_name }}"
 - name: Start Prometheus container
-  docker_container:
+  community.general.docker_container:
    name: "{{ prom_name }}"
    image: prom/prometheus:{{ prom_version }}
    state: started
@@ -51,7 +51,7 @@
      traefik.enable: "true"
 - name: Start Grafana container
-  docker_container:
+  community.general.docker_container:
    name: "{{ grafana_name }}"
    image: grafana/grafana:{{ grafana_version }}
    state: started
--- a/roles/proxy/files/reload-nginx.sh
+++ b/roles/proxy/files/reload-nginx.sh
@@ -0,0 +1,2 @@
 #!/bin/bash
 systemctl reload nginx
--- a/roles/proxy/handlers/main.yml
+++ b/roles/proxy/handlers/main.yml
@@ -0,0 +1,5 @@
 - name: Reload nginx
  ansible.builtin.service:
    name: nginx
    state: reloaded
  listen: reload_nginx
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -0,0 +1,104 @@
 - name: Install nginx
  ansible.builtin.apt:
    name: nginx
    state: present
    update_cache: true
 - name: Start nginx and enable on boot
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true
 - name: Generate DH Parameters
  community.crypto.openssl_dhparam:
    path: /etc/ssl/dhparams.pem
    size: 4096
 - name: Install nginx base configuration
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    mode: 0644
  notify: reload_nginx
 - name: Install nginx sites configuration
  ansible.builtin.template:
    src: server-nginx.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
    mode: 0400
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
  register: nginx_sites
 - name: Enable nginx sites configuration
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
    state: link
    mode: 0400
  loop: "{{ nginx_sites.results }}"
  when: item.changed
  notify: reload_nginx
 - name: Generate self-signed certificate
  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
          -keyout /etc/ssl/private/nginx-selfsigned.key \
          -out    /etc/ssl/certs/nginx-selfsigned.crt'
  args:
    creates: /etc/ssl/certs/nginx-selfsigned.crt
  when: proxy.production is not defined or not proxy.production
  notify: reload_nginx
 - name: Install LE's certbot
  ansible.builtin.apt:
    name: ['certbot', 'python3-certbot-dns-cloudflare']
    state: present
  when: proxy.production is defined and proxy.production
 - name: Install Cloudflare API token
  ansible.builtin.template:
    src: cloudflare.ini.j2
    dest: /root/.cloudflare.ini
    mode: 0400
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 - name: Create nginx post renewal hook directory
  ansible.builtin.file:
    path: /etc/letsencrypt/renewal-hooks/post
    state: directory
    mode: 0500
  when: proxy.production is defined and proxy.production
 - name: Install nginx post renewal hook
  ansible.builtin.copy:
    src: reload-nginx.sh
    dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
    mode: '0755'
  when: proxy.production is defined and proxy.production
 - name: Run Cloudflare DNS-01 challenges on wildcard domains
  ansible.builtin.shell: '/usr/bin/certbot certonly \
            --non-interactive \
            --agree-tos \
            --email "{{ proxy.dns_cloudflare.email }}" \
            --dns-cloudflare \
            --dns-cloudflare-credentials /root/.cloudflare.ini \
            -d "*.{{ item }}" \
            -d "{{ item }}" \
            {{ proxy.dns_cloudflare.opts | default("") }}'
  args:
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
  notify: reload_nginx
 - name: Add HTTP and HTTPS firewall rule
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop:
    - "80"
    - "443"
--- a/roles/proxy/templates/cloudflare.ini.j2
+++ b/roles/proxy/templates/cloudflare.ini.j2
@@ -0,0 +1,2 @@
 # Cloudflare API token used by Certbot
 dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@@ -0,0 +1,34 @@
 user www-data;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 events {
  worker_connections 1024;
 }
 http {
  include           /etc/nginx/mime.types;
  default_type      application/octet-stream;
  log_format        main '$remote_addr - $remote_user [$time_local]  $status '
                         '"$request" $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
  access_log        /var/log/nginx/access.log  main;
  server_tokens     off;
  sendfile          on;
  tcp_nopush        on;
  keepalive_timeout 65;
  server_names_hash_bucket_size 128;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
  ssl_dhparam /etc/ssl/dhparams.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
  include           /etc/nginx/conf.d/*.conf;
  include           /etc/nginx/sites-enabled/*;
 }
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -0,0 +1,57 @@
 server {
  listen 80;
  listen [::]:80;
  server_name {{ item.domain }};
  return 301 https://{{ item.domain }}$request_uri;
 }
 server {
  listen              443      ssl http2;
  listen              [::]:443 ssl http2;
  server_name         {{ item.domain }};
  access_log          /var/log/nginx/{{ item.domain }}.log main;
 {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
 {% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
 {% set domain_regex = '^\*\.' + wildcard + '$' %}
 {% if item.domain | regex_search(wildcard) %}
  ssl_certificate     /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;
 {% endif %}
 {% endfor %}
 {% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
  ssl_certificate     /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
 {% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}
  ssl_certificate     {{ item.tls.cert }};
  ssl_certificate_key {{ item.tls.key }};
 {% else %}
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
 {% if item.hsts is defined %}
  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
 {% endif %}
 {% if item.client_max_body_size is defined %}
  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
  location / {
 {% if item.restrict is defined and item.restrict  %}
    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
    proxy_set_header Authorization "";
 {% endif %}
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass {{ item.proxy_pass }};
 {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
    proxy_ssl_verify off;
 {% endif %}
 {% if item.websockets is defined and item.websockets %}
    proxy_http_version 1.1;
    proxy_set_header Connection $http_connection;
    proxy_set_header Origin http://$host;
    proxy_set_header Upgrade $http_upgrade;
 {% endif %}
  }
 }
--- a/roles/rsnapshot/tasks/main.yml
+++ b/roles/rsnapshot/tasks/main.yml
@@ -13,12 +13,12 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 - name: Install rsnapshot
-  apt:
+  ansible.builtin.apt:
    name: rsnapshot
    state: present
 - name: Create rsnapshot system directories
-  file:
+  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
  loop:
@@ -26,19 +26,19 @@
    - "{{ rsnapshot_logdir }}"
 - name: Create snapshot_root directories
-  file:
+  ansible.builtin.file:
    path: "{{ item.root | default(rsnapshot_root) }}"
    state: directory
  loop: "{{ rsnapshot }}"
 - name: Install rsnapshot configuration
-  template:
+  ansible.builtin.template:
    src: rsnapshot.conf.j2
    dest: "{{ rsnapshot_confdir }}/{{ item.name }}.conf"
  loop: "{{ rsnapshot }}"
 - name: Install rsnapshot crons
-  cron:
+  ansible.builtin.cron:
    name: "{{ item.1.interval }} rsnapshot of {{ item.0.name }}"
    job: "/usr/bin/rsnapshot -c {{ rsnapshot_confdir }}/{{ item.0.name }}.conf {{ item.1.interval }} >/dev/null"
    user: "root"
@@ -53,13 +53,13 @@
    - cron
 - name: Install rsnapshot report script
-  template:
+  ansible.builtin.template:
    src: rsnapshot-report.sh.j2
    dest: /usr/local/bin/rsnapshot-report
    mode: '0750'
 - name: Install rsnapshot report crons
-  cron:
+  ansible.builtin.cron:
    name: "{{ item.name }} rsnapshot report email"
    job: "/usr/local/bin/rsnapshot-report {{ rsnapshot_reportlog }}
          | mail -s '{{ item.report.subject | default('Backup Report') }}' {{ item.report.to }}"
--- a/roles/staticweb/defaults/main.yml
+++ b/roles/staticweb/defaults/main.yml
--- a/roles/staticweb/tasks/main.yml
+++ b/roles/staticweb/tasks/main.yml
@@ -1,15 +1,15 @@
 - name: Create nginx root
-  file:
+  ansible.builtin.file:
    path: "{{ nginx_root }}"
    state: directory
 - name: Generate deploy keys
-  openssh_keypair:
+  community.crypto.openssh_keypair:
    path: "{{ nginx_repo_key }}"
    state: present
 - name: Clone static website files
-  git:
+  ansible.builtin.git:
    repo: "{{ nginx_repo_url }}"
    dest: "{{ nginx_html }}"
    version: "{{ nginx_repo_branch }}"
@@ -17,7 +17,7 @@
    separate_git_dir: "{{ nginx_repo_dest }}"
 - name: Start nginx container
-  docker_container:
+  community.general.docker_container:
    name: "{{ nginx_name }}"
    image: nginx:{{ nginx_version }}
    state: started
@@ -29,9 +29,9 @@
      - "{{ nginx_html }}:/usr/share/nginx/html:ro"
    labels:
      traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
-      traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
+      #traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
      traefik.http.routers.nginx.entrypoints: websecure
-      traefik.http.routers.nginx.tls.certresolver: letsencrypt
+      #traefik.http.routers.nginx.tls.certresolver: letsencrypt
-      traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
+      #traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
      traefik.docker.network: traefik
      traefik.enable: "true"
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -1,10 +1,18 @@
 # Container settings
 traefik_name: traefik
-traefik_dashboard: false
+traefik_standalone: true
-traefik_root: "/opt/{{ traefik_name }}"
+traefik_http_only: false
 traefik_debug: false
 traefik_web_entry: "127.0.0.1:8000"
 traefik_websecure_entry: "127.0.0.1:8443"
 traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
 # HTTPS settings
 traefik_production: false
 traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
-traefik_ports:
+traefik_http_redirect: true
-  - "80:80"
+
-  - "443:443"
+# Host settings
 traefik_root: "{{ docker_compose_root }}/{{ traefik_name }}"
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -1,13 +1,12 @@
 - name: Reload Traefik container
-  file:
+  ansible.builtin.file:
    path: "{{ traefik_root }}/config/dynamic"
    state: touch
    mode: 0500
  listen: reload_traefik
- name: Restart Traefik container
+- name: Restart Traefik
-  docker_container:
+  ansible.builtin.service:
-    name: "{{ traefik_name }}"
+    name: "{{ docker_compose_service }}@{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
+    state: restarted
    state: started
    restart: yes
  listen: restart_traefik
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -1,55 +1,49 @@
- name: Create Traefik configuration directories
+- name: Create Traefik directories
-  file:
+  ansible.builtin.file:
    path: "{{ traefik_root }}/config/dynamic"
    mode: 0500
    state: directory
 - name: Install static Traefik configuration
  template:
    src: traefik.yml.j2
    dest: "{{ traefik_root }}/config/traefik.yml"
  notify: restart_traefik
 - name: Install dynamic security configuration
-  template:
+  ansible.builtin.template:
    src: security.yml.j2
    dest: "{{ traefik_root }}/config/dynamic/security.yml"
    owner: root
    group: root
-    mode: 0600
+    mode: 0400
  notify: reload_traefik
 - name: Install dynamic non-docker configuration
-  template:
+  ansible.builtin.template:
    src: "external.yml.j2"
    dest: "{{ traefik_root }}/config/dynamic/{{ item.name }}.yml"
    mode: 0400
  loop: "{{ traefik_external }}"
  when: traefik_external is defined
- name: Create Traefik network
+- name: Install Traefik's docker-compose file
-  docker_network:
+  ansible.builtin.template:
-    name: traefik
+    src: docker-compose.yml.j2
    dest: "{{ traefik_root }}/docker-compose.yml"
    mode: 0400
  notify: restart_traefik
- name: Start Traefik container
+- name: Install Traefik's docker-compose variables
-  docker_container:
+  ansible.builtin.template:
-    name: "{{ traefik_name }}"
+    src: compose-env.j2
-    image: traefik:{{ traefik_version }}
+    dest: "{{ traefik_root }}/.env"
    mode: 0400
  notify: restart_traefik
 - name: Install static Traefik configuration
  ansible.builtin.template:
    src: traefik.yml.j2
    dest: "{{ traefik_root }}/config/traefik.yml"
    mode: 0400
  notify: restart_traefik
 - name: Start and enable Traefik service
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ traefik_name }}"
    state: started
-    restart_policy: always
+    enabled: true
    ports: "{{ traefik_ports }}"
    networks_cli_compatible: "false"
    networks:
      - name: traefik
    labels:
      traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
      traefik.http.routers.traefik.tls.certresolver: letsencrypt
      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
      traefik.http.routers.traefik.service: "api@internal"
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls: "true"
      traefik.docker.network: traefik
      traefik.enable: "{{ traefik_dashboard | string }}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "{{ traefik_root }}/config:/etc/traefik"
--- a/roles/traefik/templates/compose-env.j2
+++ b/roles/traefik/templates/compose-env.j2
@@ -0,0 +1,8 @@
 # {{ ansible_managed }}
 traefik_version={{ traefik_version }}
 traefik_name={{ traefik_name }}
 traefik_domain={{ traefik_domain }}
 traefik_dashboard={{ traefik_dashboard | string | lower }}
 traefik_debug={{ traefik_debug | string | lower }}
 traefik_web_entry={{ traefik_web_entry }}
 traefik_websecure_entry={{ traefik_websecure_entry }}
--- a/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -0,0 +1,25 @@
 version: '3.7'
 networks:
  traefik:
    name: traefik
 services:
  traefik:
    image: "traefik:${traefik_version}"
    container_name: "${traefik_name}"
    ports:
      - "${traefik_web_entry}:80"
 {% if traefik_standalone and not traefik_http_only %}
      - "${traefik_websecure_entry}:443"
 {% endif %}
    networks:
      - traefik
    labels:
      - "traefik.http.routers.traefik.rule=Host(`{{ traefik_domain }}`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.docker.network=traefik"
      - "traefik.enable=${traefik_dashboard}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "{{ traefik_root }}/config:/etc/traefik"
--- a/roles/traefik/templates/external.yml.j2
+++ b/roles/traefik/templates/external.yml.j2
@@ -10,10 +10,12 @@ http:
 {% elif item.middlewares is defined %}
      middlewares: "{{ item.middlewares }}"
 {% endif %}
 {% if traefik_acme_email is defined %}
      tls:
        certResolver: letsencrypt
        domains:
          - main: "{{ item.domain }}"
 {% endif %}
      entryPoints:
        - "websecure"
  services:
--- a/roles/traefik/templates/security.yml.j2
+++ b/roles/traefik/templates/security.yml.j2
@@ -11,6 +11,8 @@ http:
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
 {% if traefik_hsts_enable is defined and traefik_hsts_enable %}
        stsPreload: {{ traefik_hsts_preload }}
        stsSeconds: {{ traefik_hsts_seconds }}
 {% endif %}
        customFrameOptionsValue: SAMEORIGIN
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@@ -10,16 +10,20 @@ providers:
 entrypoints:
  web:
    address: ':80'
 {% if traefik_http_redirect is defined and traefik_http_redirect and not traefik_http_only %}
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
          permanent: true
 {% endif %}
 {% if not traefik_http_only is defined or not traefik_http_only %}
  websecure:
    address: ':443'
    http:
      tls: {}
 {% endif %}
 {% if traefik_acme_email is defined %}
 certificatesResolvers:
--- a/roles/unifi/tasks/main.yml
+++ b/roles/unifi/tasks/main.yml
@@ -1,52 +1,52 @@
 - name: Install GnuPG
-  apt:
+  ansible.builtin.apt:
    name: gnupg
    state: present
 - name: Add AdoptOpenJDK's signing key
-  apt_key:
+  ansible.builtin.apt_key:
    id: 8ED17AF5D7E675EB3EE3BCE98AC3B29174885C03
    url: https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
 - name: Add MongoDB 3.6's signing key
-  apt_key:
+  ansible.builtin.apt_key:
    id: 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
    url: https://www.mongodb.org/static/pgp/server-3.6.asc
 - name: Add UniFi's signing key
-  apt_key:
+  ansible.builtin.apt_key:
    id: 4A228B2D358A5094178285BE06E85760C0A52C50
    keyserver: keyserver.ubuntu.com
 - name: Install AdoptOpenJDK repository
-  apt_repository:
+  ansible.builtin.apt_repository:
    repo: deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
    mode: 0644
    state: present
 - name: Install MongoDB 3.6 repository
-  apt_repository:
+  ansible.builtin.apt_repository:
    repo: deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main
    mode: 0644
    state: present
 - name: Install UniFi repository
-  apt_repository:
+  ansible.builtin.apt_repository:
    repo: deb https://www.ui.com/downloads/unifi/debian stable ubiquiti
    mode: 0644
    state: present
 - name: Install MongoDB 3.6
-  apt:
+  ansible.builtin.apt:
    name: mongodb-org
    state: present
 - name: Install OpenJDK 8 LTS
-  apt:
+  ansible.builtin.apt:
    name: adoptopenjdk-8-hotspot
    state: present
 - name: Install UniFi
-  apt:
+  ansible.builtin.apt:
    name: unifi
    state: present
--- a/roles/wordpress/tasks/main.yml
+++ b/roles/wordpress/tasks/main.yml
@@ -1,5 +1,5 @@
 - name: Start WordPress database container
-  docker_container:
+  community.general.docker_container:
    name: "{{ wordpress_dbcontainer }}"
    image: mariadb:{{ wordpress_dbversion }}
    restart_policy: always
@@ -11,7 +11,7 @@
      MYSQL_PASSWORD: "{{ wordpress_dbpass }}"
 - name: Start WordPress container
-  docker_container:
+  community.general.docker_container:
    name: "{{ wordpress_container }}"
    image: wordpress:{{ wordpress_version }}
    restart_policy: always
--- a/update-hosts.sh
+++ b/update-hosts.sh
@@ -14,6 +14,7 @@ HOST[8]="wordpress.${DOMAIN}"
 HOST[9]="site1.wordpress.${DOMAIN}"
 HOST[10]="site2.wordpress.${DOMAIN}"
 HOST[11]="unifi.${DOMAIN}"
 HOST[12]="jellyfin.${DOMAIN}"
 # Get Vagrantbox guest IP
 VAGRANT_OUTPUT=$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)
Author	SHA1	Message	Date
Kris Lamoureux	f4f5b10395	Change nginx role to staticweb	2023-08-24 23:18:42 -04:00
Kris Lamoureux	9b5be29a1a	Update Vagrantfile to use external settings	2023-08-21 18:46:47 -04:00
Kris Lamoureux	ef5aacdbbd	No deploy keys without compose deploy variable	2023-07-21 23:52:18 -04:00
Kris Lamoureux	a635c7aa48	Add option to deploy external docker-compose stack	2023-07-20 03:51:44 -04:00
Kris Lamoureux	56aee460ad	Limit Github actions to specific branches	2023-07-20 00:33:42 -04:00
Kris Lamoureux	027ba46f6b	Add Github actions and remove old ansible stuff	2023-07-08 23:43:52 -04:00
Kris Lamoureux	48216db8f9	Updated Nextcloud settings and added cron job	2023-06-18 23:52:10 -04:00
Kris Lamoureux	fa1dc4acb7	Fix WireGuard firewall rule	2023-06-15 03:09:13 -04:00
Kris Lamoureux	228cd5795b	Config adjustments for Jellyfin/Samba deployment - Ignored .vscode - Added firewall exclusion option - Allowed guest access in Samba	2023-06-09 22:26:47 -04:00
Kris Lamoureux	74a559f1f6	Update mediaserver playbook and fix Wireguard task	2023-06-08 03:47:54 -04:00
Kris Lamoureux	4c2a1550c4	Adding samba and general user management	2023-06-07 02:12:17 -04:00
Kris Lamoureux	f02cf7b0cc	Refactor docker playbook - Removed copyright notice - Variablize 'hosts' value in the playbook - Install Jenkins agent before running Docker role	2023-05-08 16:26:16 -04:00
Kris Lamoureux	9142254a57	Improvements for ansible-linting	2023-05-04 01:44:18 -04:00
Kris Lamoureux	dfd93dd5f8	Updated Ansible tasks to FQCN format	2023-05-03 23:42:55 -04:00
Kris Lamoureux	81d2ea447a	Add mediaserver, rm .gitignore, FQCN, Jellyfin - Added development "mediaserver" playbook for testing - rm .gitignore in roles dir since no external ansible roles are used - Update a part of the base role to use FQCN for linting - Added "jellyfin" role to install Jellyfin with docker-compose - Updated Traefik to use the loopback for default web entry points - Simplified Traefik docker-compose vars, Ansible sets defaults	2023-04-26 02:26:50 -04:00
Kris Lamoureux	9512212b84	Refactor Traefik deploy: docker-compose + systemd - Replace docker_container ansible with new setup - Add option to disable HTTPS for alternate reverse proxy use	2023-04-21 03:04:53 -04:00
Kris Lamoureux	c67a39982e	Option to enable websockets for the noVNC console	2022-12-06 00:15:10 -05:00
Kris Lamoureux	f68f57d0cf	ROOT_URL should have HTTPS for the clone URL	2022-09-18 15:21:16 -04:00
Kris Lamoureux	b9f9b0bf3c	Update TLS settings in nginx proxy	2022-08-27 18:56:12 -04:00
Kris Lamoureux	4f4a341b05	Add client_max_body_size for Nextcloud	2022-08-19 01:27:55 -04:00
Kris Lamoureux	cab6ab2d8e	Strip auth header and update external config	2022-08-19 00:51:05 -04:00
Kris Lamoureux	95f54b7f0a	Add Traefik toggles	2022-08-18 23:32:37 -04:00
Kris Lamoureux	7522c333da	Disable Traefik LE resolver and HSTS	2022-08-18 21:53:38 -04:00
Kris Lamoureux	344b79e97f	Add base domain to the wildcard certificate	2022-08-17 02:17:36 -04:00
Kris Lamoureux	e4fed78193	Remove basic auth on static nginx sites	2022-08-17 01:40:11 -04:00
Kris Lamoureux	85a6c3894a	Add basic auth and ignore backend SSL errors	2022-08-17 01:15:15 -04:00
Kris Lamoureux	7677bc25fa	Add WireGuard firewall rule	2022-08-13 00:19:24 -04:00
Kris Lamoureux	b255680a7a	Use host MariaDB in Gitea container	2022-08-11 21:04:07 -04:00
Kris Lamoureux	9eefad0e87	Install Fail2ban IP allow list	2022-06-28 23:43:58 -04:00
Kris Lamoureux	8362230eb4	Add nginx proxy server	2022-06-27 20:21:25 -04:00
Kris Lamoureux	82df91305a	Install aggressive Fail2ban jail for SSH	2022-06-18 19:47:02 -04:00
Kris Lamoureux	dd9f84d498	Create initial log files for fail2ban	2022-06-07 00:25:47 -04:00
Kris Lamoureux	b52ccabd22	Add Fail2ban to Gitea and Bitwarden	2022-05-28 02:31:41 -04:00
Kris Lamoureux	eccd6b7874	Add reverse proxy settings for Gitea and Bitwarden	2022-05-28 00:18:15 -04:00
Kris Lamoureux	3a92921932	Minor cleanup	2022-05-27 23:14:06 -04:00
Kris Lamoureux	330f2b5a91	Add X-Forwarded-For proxy header	2022-05-27 22:33:35 -04:00
Kris Lamoureux	45465ad26b	Add the ufw firewall	2022-05-27 16:29:27 -04:00
Kris Lamoureux	d7838563a1	Gitea SSH container passthrough	2022-05-27 02:28:51 -04:00
Kris Lamoureux	03a57d2531	Only create LE directory if production is true	2022-05-27 00:06:09 -04:00
Kris Lamoureux	e346180b13	Add Bitwarden systemd service	2022-05-27 00:03:49 -04:00
Kris Lamoureux	be6e1596c5	Rehaul Gitea role for compose and PostgreSQL	2022-05-27 00:02:45 -04:00
Kris Lamoureux	dc520a09e9	Add generic docker-compose systemd service	2022-05-26 23:50:14 -04:00
Kris Lamoureux	c0be314268	Add PostgreSQL server role	2022-05-26 23:49:06 -04:00
Kris Lamoureux	9aca035f2d	Redirect HTTP to HTTPS	2022-05-26 23:32:25 -04:00
Kris Lamoureux	209ff57a4a	Determine wildcard cert paths and tidy nginx role	2022-05-23 22:33:17 -04:00
Kris Lamoureux	9a4aece442	Use DNS-01 on Cloudflare for wildcard LE certs	2022-05-23 03:32:56 -04:00
Kris Lamoureux	acd2cefb1e	Setup nginx reverse proxy	2022-05-22 00:19:56 -04:00
Kris Lamoureux	cd11567164	Fix broken Bitwarden provision	2022-05-19 23:19:09 -04:00
Kris Lamoureux	1c321f6ef7	Use Debian repositories for Docker	2022-05-19 21:06:34 -04:00
		`@@ -1 +0,0 @@`
			`deb http://deb.debian.org/debian buster-backports main`
		`@@ -0,0 +1,2 @@`
							`[DEFAULT]`
							`ignoreip = {% for host in fail2ban_ignoreip %}{{ host }}{% if not loop.last %} {% endif %}{% endfor %}`
		`@@ -1 +0,0 @@`
			`deb [arch=amd64] https://download.docker.com/linux/debian buster stable`
		`@@ -0,0 +1,2 @@`
							`#!/bin/sh`
							`ssh -p {{ gitea_sshport }} -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"`
		`@@ -1 +0,0 @@`
			`deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main`
		`@@ -0,0 +1,2 @@`
							`# Cloudflare API token used by Certbot`
							`dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}`