Semi bsr for applications[] to prevent heavy to debug bugs in j2 - part 1

roles/desk-chromium/templates/extensions_policy.json.j2

@@ -1,14 +1,14 @@
 {
   "ExtensionInstallForcelist": [
-    {% for plugin in applications[application_id].chromium.plugins -%}
+    {% for plugin in applications | get_app_conf(application_id, 'chromium.plugins', True) -%}
     "{{ plugin.id }};{{ plugin.update_url }}"{% if not loop.last %},{% endif %}
     {% endfor %}
   ],
   "ExtensionSettings": {
     "*": {
-      "installation_mode": "{{ applications[application_id].default_installation_mode }}"
+      "installation_mode": "{{ applications | get_app_conf(application_id, 'default_installation_mode', True) }}"
     }
-    {% for plugin in applications[application_id].chromium.plugins -%},
+    {% for plugin in applications | get_app_conf(application_id, 'chromium.plugins', True) -%},
     "{{ plugin.id }}": {
       "installation_mode": "{{ plugin.installation_mode }}",
       "update_url": "{{ plugin.update_url }}",
@@ -16,5 +16,5 @@
     }
     {% endfor %}
   },
-  "PasswordManagerEnabled": {{ applications[application_id].password_manager_enabled }}
+  "PasswordManagerEnabled": {{ applications | get_app_conf(application_id, 'password_manager_enabled', True) }}
 }

roles/desk-firefox/templates/policies.json.j2

@@ -2,7 +2,7 @@
     "policies": {
       "Extensions": {
         "Install": [
-          {% for plugin in applications[application_id].plugins -%}
+          {% for plugin in applications | get_app_conf(application_id, 'plugins', True) -%}
             "{{ plugin }}"{% if not loop.last %},{% endif %}
           {% endfor %}
         ]

roles/desk-gnome-extensions/tasks/main.yml

@@ -10,5 +10,5 @@
 
 - name: Execute CLI GNOME Extension manager script
   ansible.builtin.shell: cli-gnome-extension-manager "{{ item[0] }}" "{{ item[1] }}" "{{ item[2] }}"
-  loop: "{{ applications[application_id].plugins }}"
+  loop: "{{ applications | get_app_conf(application_id, 'plugins', True) }}"
   become: false

roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2

@@ -16,7 +16,7 @@ server
   {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
 
   {% if applications | is_feature_enabled('oauth2', application_id) %}
-    {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
+    {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', True) | default({}) %}
 
     {% if acl.blacklist is defined %}
       {# 1. Expose everything by default, then protect blacklisted paths #}

roles/svc-db-openldap/handlers/main.yml

@@ -1,6 +1,6 @@
 - name: Load memberof module from file in OpenLDAP container
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/01_member_of_configuration.ldif
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/01_member_of_configuration.ldif
   listen: 
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -10,7 +10,7 @@
 
 - name: Refint Module Activation for OpenLDAP
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/02_member_of_configuration.ldif
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/02_member_of_configuration.ldif
   listen: 
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -22,7 +22,7 @@
 
 - name: "Import schemas"
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
   failed_when: ldapadd_result.rc not in [0, 80]
@@ -33,7 +33,7 @@
 
 - name: Refint Overlay Configuration for OpenLDAP
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/03_member_of_configuration.ldif
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/03_member_of_configuration.ldif
   listen:
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -45,7 +45,7 @@
 
 - name: "Import users, groups, etc. to LDAP"
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
   failed_when: ldapadd_result.rc not in [0, 20, 68]

roles/svc-db-openldap/tasks/main.yml

@@ -9,17 +9,17 @@
     src:  "nginx.stream.conf.j2" 
     dest: "{{nginx.directories.streams}}{{domains | get_domain(application_id)}}.conf"
   notify: restart nginx
-  when: applications[application_id].network.public | bool
+  when: applications | get_app_conf(application_id, 'network.public', True) | bool
 
 - name: Remove {{domains | get_domain(application_id)}}.conf if LDAP is not exposed to internet
   file:
     path: "{{ nginx.directories.streams }}{{ domains | get_domain(application_id) }}.conf"
     state: absent
-  when: not applications[application_id].network.public | bool
+  when: not applications | get_app_conf(application_id, 'network.public', True) | bool
 
 - name: create docker network for LDAP, so that other applications can access it
   docker_network:
-    name: "{{ applications[application_id].network.name }}"
+    name: "{{ applications | get_app_conf(application_id, 'network', True).name }}"
     state: present
     ipam_config:
       - subnet: "{{ networks.local['svc-db-openldap'].subnet }}"
@@ -36,7 +36,7 @@
 
 - name: "Reset LDAP admin passwords"
   include_tasks: reset_admin_passwords.yml
-  when: applications[application_id].network.local
+  when: applications | get_app_conf(application_id, 'network.local', True)
 
 - name: "create directory {{ldif_host_path}}{{item}}"
   file:

roles/svc-db-openldap/tasks/reset_admin_passwords.yml

@@ -3,7 +3,7 @@
 
 - name: "Query available LDAP databases"
   shell: |
-    docker exec {{ applications[application_id].hostname }} \
+    docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \
       ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "(olcDatabase=*)" dn
   register: ldap_databases
 
@@ -27,13 +27,13 @@
 
 - name: "Generate hash for Database Admin password"
   shell: |
-    docker exec {{ applications[application_id].hostname }} \
+    docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \
       slappasswd -s "{{ ldap.bind_credential }}"
   register: database_admin_pw_hash
 
 - name: "Reset Database Admin password in LDAP (olcRootPW)"
   shell: |
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
     dn: {{ data_backend_dn }}
     changetype: modify
     replace: olcRootPW
@@ -42,13 +42,13 @@
 
 - name: "Generate hash for Configuration Admin password"
   shell: |
-    docker exec {{ applications[application_id].hostname }} \
+    docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \
-      slappasswd -s "{{ applications[application_id].credentials.administrator_password }}"
+      slappasswd -s "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
   register: config_admin_pw_hash
 
 - name: "Reset Configuration Admin password in LDAP (olcRootPW)"
   shell: |
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
     dn: {{ config_backend_dn }}
     changetype: modify
     replace: olcRootPW

roles/svc-db-openldap/templates/docker-compose.yml.j2

@@ -1,10 +1,10 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images.openldap }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.openldap', True) }}"
-    container_name: {{ applications[application_id].hostname }}
+    container_name: {{ applications | get_app_conf(application_id, 'hostname', True) }}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% if applications[application_id].network.public | bool or applications[application_id].network.local | bool %}
+{% if applications | get_app_conf(application_id, 'network.public', True) | bool or applications | get_app_conf(application_id, 'network.local', True) | bool %}
     ports:
       - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{ldap_docker_port}}
 {% endif %}

roles/svc-db-openldap/templates/env.j2

@@ -3,7 +3,7 @@
       
 # GENERAL
 ## Admin (Data)
-LDAP_ADMIN_USERNAME=        {{applications[application_id].users.administrator.username}} # LDAP database admin user.
+LDAP_ADMIN_USERNAME=        {{applications | get_app_conf(application_id, 'users.administrator.username', True)}} # LDAP database admin user.
 LDAP_ADMIN_PASSWORD=        {{ldap.bind_credential}}                                      # LDAP database admin password.
 
 ## Users
@@ -14,8 +14,8 @@ LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or su
 ## Admin (Config)
 LDAP_ADMIN_DN=              {{ldap.dn.administrator.data}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
-LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}}
+LDAP_CONFIG_ADMIN_USERNAME= {{applications | get_app_conf(application_id, 'users.administrator.username', True)}}
-LDAP_CONFIG_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_password}}
+LDAP_CONFIG_ADMIN_PASSWORD= {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}
   
 # Network
 LDAP_PORT_NUMBER=           {{ldap_docker_port}}            # Route to default port

roles/svc-db-openldap/vars/main.yml

@@ -4,9 +4,9 @@ application_id:     "svc-db-openldap"
 ldaps_docker_port:  636
 ldap_docker_port:   389
 ldap_server_uri:    "ldap://127.0.0.1:{{ ports.localhost.ldap['svc-db-openldap'] }}"
-ldap_hostname:      "{{ applications[application_id].hostname }}"
+ldap_hostname:      "{{ applications | get_app_conf(application_id, 'hostname', True) }}"
 ldap_bind_dn:       "{{ ldap.dn.administrator.configuration }}"
-ldap_bind_pw:       "{{ applications[application_id].credentials.administrator_password }}"
+ldap_bind_pw:       "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
 
 # LDIF Variables
 ldif_host_path:     "{{docker_compose.directories.volumes}}ldif/"

roles/svc-db-postgres/tasks/init_database.yml

@@ -13,7 +13,7 @@
     name: "{{ database_name }}"
     state: present
     login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host: 127.0.0.1
     login_port: "{{ database_port }}"
 
@@ -25,7 +25,7 @@
     db:             "{{ database_name }}"
     state:          present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
 
@@ -34,7 +34,7 @@
   postgresql_query:
     db: postgres
     login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host: 127.0.0.1
     login_port: "{{ database_port }}"
     query: |
@@ -52,7 +52,7 @@
     schema: public
     state:  present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
 
@@ -65,7 +65,7 @@
     privs: ALL
     state: present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
 
@@ -74,7 +74,7 @@
   postgresql_query:
     db: "{{ database_name }}"
     login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host: 127.0.0.1
     login_port: "{{ database_port }}"
     query: |
@@ -90,7 +90,7 @@
     ext:        "{{ item }}"
     state:      present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
   loop:

roles/svc-db-postgres/tasks/main.yml

@@ -1,6 +1,6 @@
 - name: Create Docker network for PostgreSQL
   docker_network:
-    name: "{{ applications[application_id].network }}"
+    name: "{{ applications | get_app_conf(application_id, 'network', True) }}"
     state: present
     ipam_config:
       - subnet: "{{ networks.local['svc-db-postgres'].subnet }}"
@@ -8,16 +8,16 @@
 
 - name: Install PostgreSQL
   docker_container:
-    name: "{{ applications[application_id].hostname }}"
+    name: "{{ applications | get_app_conf(application_id, 'hostname', True) }}"
     image: "{{ applications | get_docker_image(application_id) }}"
     detach: yes
     env:
-      POSTGRES_PASSWORD: "{{ applications[application_id].credentials.postgres_password }}"
+      POSTGRES_PASSWORD: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
       POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C" # Necessary for web-app-matrix
     networks:
-      - name: "{{ applications[application_id].network }}"
+      - name: "{{ applications | get_app_conf(application_id, 'network', True) }}"
     published_ports:
-      - "127.0.0.1:{{ applications[application_id].port }}:5432"
+      - "127.0.0.1:{{ applications | get_app_conf(application_id, 'port', True) }}:5432"
     volumes:
       - "{{ applications['svc-db-postgres'].volume }}:/var/lib/postgresql/data"
     restart_policy: "{{ docker_restart_policy }}"
@@ -31,7 +31,7 @@
   when: run_once_docker_postgres is not defined
 
 - name: Wait for Postgres inside the container
-  shell: "docker exec {{ applications[application_id].hostname }} pg_isready -U postgres"
+  shell: "docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} pg_isready -U postgres"
   register: pg_ready
   until: pg_ready.rc == 0
   retries: 30

roles/web-app-akaunting/templates/docker-compose.yml.j2

@@ -3,7 +3,7 @@
 
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 
-    image: "{{ applications[application_id].images[application_id] }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
     build:
       context: .
     ports:

roles/web-app-akaunting/templates/env.j2

@@ -14,9 +14,9 @@ DB_PASSWORD={{database_password}}
 DB_PREFIX=asd_
 
 # These define the first company to exist on this instance. They are only used during setup.
-COMPANY_NAME={{applications[application_id].company_name}}
+COMPANY_NAME={{applications | get_app_conf(application_id, 'company_name', True)}}
-COMPANY_EMAIL={{applications[application_id].company_email}}
+COMPANY_EMAIL={{applications | get_app_conf(application_id, 'company_email', True)}}
 
 # This will be the first administrative user created on setup.
 ADMIN_EMAIL={{applications.akaunting.setup_admin_email}}
-ADMIN_PASSWORD={{applications[application_id].credentials.setup_admin_password}}
+ADMIN_PASSWORD={{applications | get_app_conf(application_id, 'credentials.setup_admin_password', True)}}

roles/web-app-attendize/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   web:
-    image: "{{ applications[application_id].images.web }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.web', True) }}"
     ports:
     - "{{ports.localhost.http[application_id]}}:80"
     volumes:
@@ -15,7 +15,7 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
   worker:
-    image: "{{ applications[application_id].images.worker }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.worker', True) }}"
 {% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
       maildev:
 {% include 'roles/docker-container/templates/networks.yml.j2' %}

roles/web-app-baserow/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].images.baserow }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.baserow', True) }}"
     container_name: baserow-application
     volumes:
       - data:/baserow/data

roles/web-app-bigbluebutton/tasks/main.yml

@@ -5,7 +5,7 @@
     name: docker-compose
   vars:
     database_instance:  "{{ application_id }}"
-    database_password:  "{{ applications[application_id].credentials.postgresql_secret }}"
+    database_password:  "{{ applications | get_app_conf(application_id, 'credentials.postgresql_secret', True) }}"
     database_username:  "postgres"
     database_name:      ""                              # Multiple databases
 
@@ -13,7 +13,7 @@
   include_tasks:        "{{ playbook_dir }}/roles/sys-bkp-docker-to-local/tasks/seed-database-to-backup.yml"
   vars:
     database_instance:  "{{ application_id }}"
-    database_password:  "{{ applications[application_id].credentials.postgresql_secret }}"
+    database_password:  "{{ applications | get_app_conf(application_id, 'credentials.postgresql_secret', True) }}"
     database_username:  "postgres"
     database_name:      ""                              # Multiple databases
 

roles/web-app-bigbluebutton/templates/env.j2

@@ -1,7 +1,7 @@
 ENABLE_COTURN=true
 COTURN_TLS_CERT_PATH={{ certbot_cert_path }}/{{ ssl_cert_folder }}/fullchain.pem
 COTURN_TLS_KEY_PATH={{ certbot_cert_path }}/{{ ssl_cert_folder }}/privkey.pem
-ENABLE_GREENLIGHT={{applications[application_id].enable_greenlight}}
+ENABLE_GREENLIGHT={{applications | get_app_conf(application_id, 'enable_greenlight', True)}}
 
 # Enable Webhooks
 # used by some integrations
@@ -27,11 +27,11 @@ RECORDING_MAX_AGE_DAYS=365
 # SECRETS
 # ====================================
 # important! change these to any random values
-SHARED_SECRET={{applications[application_id].credentials.shared_secret}}
+SHARED_SECRET={{applications | get_app_conf(application_id, 'credentials.shared_secret', True)}}
-ETHERPAD_API_KEY={{applications[application_id].credentials.etherpad_api_key}}
+ETHERPAD_API_KEY={{applications | get_app_conf(application_id, 'credentials.etherpad_api_key', True)}}
-RAILS_SECRET={{applications[application_id].credentials.rails_secret}}
+RAILS_SECRET={{applications | get_app_conf(application_id, 'credentials.rails_secret', True)}}
-POSTGRESQL_SECRET={{applications[application_id].credentials.postgresql_secret}}
+POSTGRESQL_SECRET={{applications | get_app_conf(application_id, 'credentials.postgresql_secret', True)}}
-FSESL_PASSWORD={{applications[application_id].credentials.fsesl_password}}
+FSESL_PASSWORD={{applications | get_app_conf(application_id, 'credentials.fsesl_password', True)}}
 
 # ====================================
 # CONNECTION
@@ -51,7 +51,7 @@ STUN_PORT={{ ports.public.stun[application_id] }}
 # TURN SERVER
 # uncomment and adjust following two lines to add an external TURN server
 TURN_SERVER=turns:{{domains | get_domain(application_id)}}:{{ ports.public.turn[application_id] }}?transport=tcp
-TURN_SECRET={{applications[application_id].credentials.turn_secret}}
+TURN_SECRET={{applications | get_app_conf(application_id, 'credentials.turn_secret', True)}}
 
 # Allowed SIP IPs
 # due to high traffic caused by bots, by default the SIP port is blocked.

roles/web-app-bluesky/templates/docker-compose.yml.j2

@@ -3,7 +3,7 @@
   pds:
 {% set container_port = 3000 %}
 {% set container_healthcheck = 'xrpc/_health' %}
-    image: "{{ applications[application_id].images.pds }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.pds', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
         - pds_data:/opt/pds

roles/web-app-discourse/handlers/main.yml

@@ -1,14 +1,14 @@
 ---
 - name: "stop and remove discourse container if it exist"
   docker_container:
-    name: "{{applications[application_id].container}}"
+    name: "{{applications | get_app_conf(application_id, 'container', True)}}"
     state: absent
   register: container_action
   failed_when: container_action.failed and 'No such container' not in container_action.msg
   listen: recreate discourse
   
 - name: "add central database temporary to {{application_id}}_default"
-  command: docker network connect {{applications[application_id].network}} {{ database_host }}
+  command: docker network connect {{applications | get_app_conf(application_id, 'network', True)}} {{ database_host }}
   failed_when: >
     result.rc != 0 and
     'already exists in network' not in result.stderr
@@ -17,7 +17,7 @@
   listen: recreate discourse
 
 - name: rebuild discourse
-  shell: ./launcher rebuild {{applications[application_id].container}}
+  shell: ./launcher rebuild {{applications | get_app_conf(application_id, 'container', True)}}
   args:
     executable: /bin/bash  
     chdir: "{{docker_repository_directory }}"

roles/web-app-discourse/tasks/main.yml

@@ -43,26 +43,26 @@
   meta: flush_handlers
   when: run_once_docker_discourse is not defined
 
-- name: "Connect {{ applications[application_id].container }} to network {{ applications['svc-db-postgres'].network }}"
+- name: "Connect {{ applications | get_app_conf(application_id, 'container', True) }} to network {{ applications['svc-db-postgres'].network }}"
   command: >
-    docker network connect {{ applications['svc-db-postgres'].network }} {{ applications[application_id].container }}
+    docker network connect {{ applications['svc-db-postgres'].network }} {{ applications | get_app_conf(application_id, 'container', True) }}
   register: network_connect
   failed_when: >
     network_connect.rc != 0 and
-    'Error response from daemon: endpoint with name {{ applications[application_id].container }} already exists in network {{ applications["svc-db-postgres"].network }}'
+    'Error response from daemon: endpoint with name {{ applications | get_app_conf(application_id, 'container', True) }} already exists in network {{ applications["svc-db-postgres"].network }}'
     not in network_connect.stderr
   changed_when: network_connect.rc == 0
   when:
     - applications | is_feature_enabled('central_database', application_id)
     - run_once_docker_discourse is not defined
 
-- name: "Remove {{ applications[application_id].network }} from {{ database_host }}"
+- name: "Remove {{ applications | get_app_conf(application_id, 'network', True) }} from {{ database_host }}"
   command: >
-    docker network disconnect {{ applications[application_id].network }} {{ database_host }}
+    docker network disconnect {{ applications | get_app_conf(application_id, 'network', True) }} {{ database_host }}
   register: network_disconnect
   failed_when: >
     network_disconnect.rc != 0 and
-    'is not connected to network {{ applications[application_id].network }}' not in network_disconnect.stderr
+    'is not connected to network {{ applications | get_app_conf(application_id, 'network', True) }}' not in network_disconnect.stderr
   changed_when: network_disconnect.rc == 0
   when:
     - applications | is_feature_enabled('central_database', application_id)

roles/web-app-discourse/tasks/reset.yml

@@ -3,7 +3,7 @@
 
 - name: "cleanup central database from {{application_id}}_default network"
   command:
-    cmd: "docker network disconnect {{applications[application_id].network}} {{ database_host }}"
+    cmd: "docker network disconnect {{applications | get_app_conf(application_id, 'network', True)}} {{ database_host }}"
   ignore_errors: true
 
 - name: "destroy container discourse_application"

roles/web-app-discourse/templates/discourse_application.yml.j2

@@ -178,4 +178,4 @@ run:
 
 docker_args:
   - --network={{application_id}}_default
-  - --name={{applications[application_id].container}}
+  - --name={{applications | get_app_conf(application_id, 'container', True)}}

roles/web-app-discourse/vars/main.yml

@@ -1,6 +1,6 @@
 application_id:                         "discourse"
-database_password:                      "{{ applications[application_id].credentials.database_password }}"
+database_password:                      "{{ applications | get_app_conf(application_id, 'credentials.database_password', True) }}"
 database_type:                          "postgres"
-docker_repository_directory :           "{{docker_compose.directories.services}}{{applications[application_id].repository}}/"
+docker_repository_directory :           "{{docker_compose.directories.services}}{{applications | get_app_conf(application_id, 'repository', True)}}/"
-discourse_application_yml_destination:  "{{docker_repository_directory }}containers/{{applications[application_id].container}}.yml"
+discourse_application_yml_destination:  "{{docker_repository_directory }}containers/{{applications | get_app_conf(application_id, 'container', True)}}.yml"
 docker_compose_flush_handlers:          false

roles/web-app-espocrm/templates/docker-compose.yml.j2

@@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   web:
-    image: "{{ applications[application_id].images.espocrm }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
     ports:
@@ -11,7 +11,7 @@
       - data:/var/www/html
 
   daemon:
-    image: "{{ applications[application_id].images.espocrm }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}"
     restart: {{docker_restart_policy}}
     logging:
       driver: journald
@@ -21,7 +21,7 @@
       - data:/var/www/html
 
   websocket:
-    image: "{{ applications[application_id].images.espocrm }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}"
     restart: {{docker_restart_policy}}
     logging:
       driver: journald

roles/web-app-espocrm/templates/env.j2

@@ -19,8 +19,8 @@ CRON_DISABLED=true
 # ------------------------------------------------
 # Initial admin account
 # ------------------------------------------------
-ESPOCRM_ADMIN_USERNAME={{ applications[application_id].users.administrator.username }}
+ESPOCRM_ADMIN_USERNAME={{ applications | get_app_conf(application_id, 'users.administrator.username', True) }}
-ESPOCRM_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }}
+ESPOCRM_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}
 
 # Public base URL of the EspoCRM instance
 ESPOCRM_SITE_URL={{ domains | get_url(application_id, web_protocol) }}
@@ -54,7 +54,7 @@ ESPOCRM_CONFIG_SMTP_SECURITY={{ "TLS" if system_email.start_tls else "SSL"}}
 ESPOCRM_CONFIG_SMTP_AUTH=true
 ESPOCRM_CONFIG_SMTP_USERNAME={{ users['contact'].email }}
 ESPOCRM_CONFIG_SMTP_PASSWORD={{ users['contact'].mailu_token }}
-ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications[application_id].email.from_name}}
+ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications | get_app_conf(application_id, 'email.from_name', True)}}
 ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_ADDRESS={{ users['contact'].email }}
 
 # ------------------------------------------------

roles/web-app-friendica/tasks/main.yml

@@ -22,15 +22,15 @@
         + [{
             'name': item.key,
             'enabled': (
-              applications[application_id].features.oidc
+              applications | get_app_conf(application_id, 'features.oidc', True)
                 if item.key == 'keycloakpassword'
-              else applications[application_id].features.ldap
+              else applications | get_app_conf(application_id, 'features.ldap', True)
                 if item.key == 'ldapauth'
               else (item.value.enabled if item.value is mapping and 'enabled' in item.value else False)
             )
           }]
       }}
-  loop: "{{ applications[application_id].addons | dict2items }}"
+  loop: "{{ applications | get_app_conf(application_id, 'addons', True) | dict2items }}"
   loop_control:
     label: "{{ item.key }}"
 

roles/web-app-friendica/templates/docker-compose.yml.j2

@@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   application:
-    image: "{{ applications[application_id].images.friendica }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.friendica', True) }}"
     {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
       - html:{{ friendica_application_base }}

roles/web-app-friendica/vars/main.yml

@@ -1,7 +1,7 @@
 application_id:     "friendica"
 database_type:      "mariadb"
 
-friendica_no_validation:       "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active
+friendica_no_validation:       "{{ applications | get_app_conf(application_id, 'features.oidc', True) }}" # Email validation is not neccessary if OIDC is active
 friendica_application_base:    "/var/www/html"
 friendica_docker_ldap_config:  "{{friendica_application_base}}/config/ldapauth.config.php"
 friendica_host_ldap_config:    "{{ docker_compose.directories.volumes }}ldapauth.config.php"

roles/web-app-funkwhale/templates/docker-compose.yml.j2

@@ -53,7 +53,7 @@
   
   typesense:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].docker.images.typesense }}"
+    image: "{{ applications | get_app_conf(application_id, 'docker.images.typesense', True) }}"
     volumes:
       - ./typesense/data:/data
     command: --data-dir /data --enable-cors

roles/web-app-funkwhale/templates/env.j2

@@ -97,7 +97,7 @@ STATIC_ROOT={{funkwhale_static_root}}
 DJANGO_SETTINGS_MODULE=config.settings.production
 
 # Generate one using `openssl rand -base64 45`, for example
-DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}}
+DJANGO_SECRET_KEY={{applications | get_app_conf(application_id, 'credentials.django_secret', True)}}
 
 {% if applications | is_feature_enabled('ldap',application_id) %}
 # LDAP settings

roles/web-app-fusiondirectory/templates/env.j2

@@ -2,7 +2,7 @@
 # https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env  
       
 # Basic Configuration   
-LAM_PASSWORD=               {{applications[application_id].credentials.administrator_password}}    # LAM configuration master password and password for server profile "lam
+LAM_PASSWORD=               {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}    # LAM configuration master password and password for server profile "lam
      
 # Database
 LAM_CONFIGURATION_DATABASE= files                                               # configuration database (files or mysql) @todo implement mariadb

roles/web-app-gitea/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].images.gitea }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.gitea', True) }}"
     ports:
       - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}"
       - "{{ports.public.ssh[application_id]}}:22"

roles/web-app-gitea/templates/env.j2

@@ -5,7 +5,7 @@
 DOMAIN={{domains | get_domain(application_id)}}
 RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
 ROOT_URL="{{ domains | get_url(application_id, web_protocol) }}/"
-APP_NAME="{{ applications[application_id].title }}"
+APP_NAME="{{ applications | get_app_conf(application_id, 'title', True) }}"
 USER_UID=1000
 USER_GID=1000
 
@@ -38,9 +38,9 @@ GITEA__mailer__PASSWD={{ users['no-reply'].mailu_token }}
 
 # Allow push creation
 # @see https://github.com/go-gitea/gitea/issues/17619
-GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications[application_id].configuration.repository.enable_push_create_user | lower }}
+GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications | get_app_conf(application_id, 'configuration.repository.enable_push_create_user', True) | lower }}
-GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications[application_id].configuration.repository.default_private | lower }}
+GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications | get_app_conf(application_id, 'configuration.repository.default_private', True) | lower }}
-GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].configuration.repository.default_push_create_private | lower }}
+GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications | get_app_conf(application_id, 'configuration.repository.default_push_create_private', True) | lower }}
 
 GITEA__security__INSTALL_LOCK=true # Locks the installation page
 

roles/web-app-gitlab/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   web:
-    image: "{{ applications[application_id].images.gitlab }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.gitlab', True) }}"
     hostname: '{{domains | get_domain(application_id)}}'
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     ports:

roles/web-app-joomla/templates/docker-compose.yml.j2

@@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   application:
-    image: "{{ applications[application_id].images.joomla }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.joomla', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
       - data:/var/www/html

roles/web-app-keycloak/templates/docker-compose.yml.j2

@@ -1,9 +1,9 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images.keycloak }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.keycloak', True) }}"
     container_name: {{container_name}}
-    command: start {% if applications[application_id].import_realm | bool %}--import-realm{% endif %}
+    command: start {% if applications | get_app_conf(application_id, 'import_realm', True) | bool %}--import-realm{% endif %}
     {% include 'roles/docker-container/templates/base.yml.j2' %}
     ports:
       - "{{ keycloak_server_host }}:8080"

roles/web-app-keycloak/templates/env.j2

@@ -11,8 +11,8 @@ KC_HEALTH_ENABLED=              true
 KC_METRICS_ENABLED=             true
 
 # Administrator
-KEYCLOAK_ADMIN=                 "{{applications[application_id].users.administrator.username}}"
+KEYCLOAK_ADMIN=                 "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}"
-KEYCLOAK_ADMIN_PASSWORD=        "{{applications[application_id].credentials.administrator_password}}"
+KEYCLOAK_ADMIN_PASSWORD=        "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}"
 
 # Database
 KC_DB=                          postgres
@@ -21,5 +21,5 @@ KC_DB_USERNAME=                 {{database_username}}
 KC_DB_PASSWORD=                 {{database_password}}
 
 # If the initial administrator already exists and the environment variables are still present at startup, an error message stating the failed creation of the initial administrator is shown in the logs. Keycloak ignores the values and starts up correctly.
-KC_BOOTSTRAP_ADMIN_USERNAME=    "{{applications[application_id].users.administrator.username}}"
+KC_BOOTSTRAP_ADMIN_USERNAME=    "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}"
-KC_BOOTSTRAP_ADMIN_PASSWORD=    "{{applications[application_id].credentials.administrator_password}}"
+KC_BOOTSTRAP_ADMIN_PASSWORD=    "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}"

roles/web-app-keycloak/templates/import/realm.json.j2

@@ -890,8 +890,8 @@
         "organization",
         "offline_access",
         "microprofile-jwt",
-        "{{ applications[application_id].scopes.rbac_roles }}",
+        "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
-        "{{ applications[application_id].scopes.nextcloud }}"
+        "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
 
       ]
     }
@@ -1197,7 +1197,7 @@
     },
     {
       "id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a",
-      "name": "{{ applications[application_id].scopes.nextcloud }}",
+      "name": "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}",
       "description": "Optimized mappers for nextcloud oidc_login with ldap.",
       "protocol": "openid-connect",
       "attributes": {
@@ -1249,7 +1249,7 @@
     },
     {
       "id": "59917c48-a7ef-464a-a8b0-ea24316db18e",
-      "name": "{{ applications[application_id].scopes.rbac_roles }}",
+      "name": "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
       "description": "RBAC Groups",
       "protocol": "openid-connect",
       "attributes": {
@@ -1675,8 +1675,8 @@
     "phone",
     "microprofile-jwt",
     "organization",
-    "{{ applications[application_id].scopes.rbac_roles }}",
+    "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
-    "{{ applications[application_id].scopes.nextcloud }}"
+    "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
   ],
   "browserSecurityHeaders": {
     "contentSecurityPolicyReportOnly": "",
@@ -1994,7 +1994,7 @@
                   "false"
                 ],
                 "groups.path": [
-                  "{{ applications[application_id].rbac_groups }}"
+                  "{{ applications | get_app_conf(application_id, 'rbac_groups', True) }}"
                 ]
               }
             },
@@ -2920,8 +2920,8 @@
         "action": "register",
         "useRecaptchaNet": "false",
         "recaptcha.v3": "true",
-        "secret.key": "{{ applications[application_id].credentials.recaptcha.secret_key }}",
+        "secret.key": "{{ applications | get_app_conf(application_id, 'credentials.recaptcha.secret_key', True) }}",
-        "site.key": "{{ applications[application_id].credentials.recaptcha.website_key }}"
+        "site.key": "{{ applications | get_app_conf(application_id, 'credentials.recaptcha.website_key', True) }}"
       }
     },
 {%- endif %}

roles/web-app-keycloak/vars/main.yml

@@ -4,7 +4,7 @@ container_name:                   "{{application_id}}_application"
 import_directory_host:            "{{docker_compose.directories.volumes}}import/"           # Directory in which keycloack import files are placed on the host
 import_directory_docker:          "/opt/keycloak/data/import/"                              # Directory in which keycloack import files are placed in the running docker container
 keycloak_realm:                   "{{ primary_domain}}"                                     # This is the name of the default realm which is used by the applications
-keycloak_administrator:           "{{ applications[application_id].users.administrator }}"  # Master Administrator
+keycloak_administrator:           "{{ applications | get_app_conf(application_id, 'users.administrator', True) }}"  # Master Administrator
 keycloak_administrator_username:  "{{ keycloak_administrator.username}}"                    # Master Administrator Username
 keycloak_administrator_password:  "{{ keycloak_administrator.password}}"                    # Master Administrator Password
 keycloak_kcadm_path:              "docker exec -i {{ container_name }} /opt/keycloak/bin/kcadm.sh"

roles/web-app-lam/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
     container_name: {{ application_id }}
-    image: "{{ applications[application_id].images.lam }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.lam', True) }}"
     ports:
       - 127.0.0.1:{{ports.localhost.http[application_id]}}:80 
 {% include 'roles/docker-container/templates/base.yml.j2' %}

roles/web-app-lam/templates/env.j2

@@ -2,7 +2,7 @@
 # https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env  
       
 # Basic Configuration   
-LAM_PASSWORD=               {{applications[application_id].credentials.administrator_password}}    # LAM configuration master password and password for server profile "lam
+LAM_PASSWORD=               {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}    # LAM configuration master password and password for server profile "lam
      
 # Database
 LAM_CONFIGURATION_DATABASE= files                                               # configuration database (files or mysql) @todo implement mariadb

roles/web-app-libretranslate/templates/docker-compose.yml.j2

@@ -3,7 +3,7 @@ services:
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images[application_id] }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
     volumes: []
     ports:
       - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"

roles/web-app-listmonk/tasks/main.yml

@@ -1,8 +1,8 @@
 ---
-- name: Set proxy_extra_configuration based on applications[application_id].public_api_activated
+- name: Set proxy_extra_configuration based on applications | get_app_conf(application_id, 'public_api_activated', True)
   set_fact:
     proxy_extra_configuration: >-
-      {% if not applications[application_id].public_api_activated %}
+      {% if not applications | get_app_conf(application_id, 'public_api_activated', True) %}
       {{ lookup('file', '{{ role_path }}/files/deactivate-public-api.conf') }}
       {% else %}
       ""
@@ -50,7 +50,7 @@
       -d {{ database_name }} << 'EOSQL'
     UPDATE users
     SET email = '{{ users.administrator.email }}',
-        password_login = {{ 'false' if applications[application_id].features.oidc else 'true' }}
+        password_login = {{ 'false' if applications | get_app_conf(application_id, 'features.oidc', True) else 'true' }}
     WHERE username = 'administrator';
     EOSQL
   args:

roles/web-app-listmonk/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
   application:
 {% set container_healthcheck = 'health' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].images.listmonk }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.listmonk', True) }}"
     ports:
       - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}"
     volumes:

roles/web-app-listmonk/templates/env.j2

@@ -2,5 +2,5 @@ TZ={{ HOST_TIMEZONE }}
 
 # Administrator setup
 
-LISTMONK_ADMIN_USER={{ applications[application_id].users.administrator.username }}
+LISTMONK_ADMIN_USER={{ applications | get_app_conf(application_id, 'users.administrator.username', True) }}
-LISTMONK_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }}
+LISTMONK_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}

roles/web-app-listmonk/vars/main.yml

@@ -25,10 +25,10 @@ listmonk_settings:
     value: 'true'
 
   - key: "security.captcha_key"
-    value: '"{{ applications[application_id].credentials.hcaptcha_site_key }}"'
+    value: '"{{ applications | get_app_conf(application_id, "credentials.hcaptcha_site_key", True) }}"'
 
   - key: "security.captcha_secret"
-    value: '"{{ applications[application_id].credentials.hcaptcha_secret }}"'
+    value: '"{{ applications | get_app_conf(application_id, "credentials.hcaptcha_secret", True) }}"'
 
   # SMTP servers
   - key: "smtp"

roles/web-app-mailu/tasks/generate-and-read-dkim.yml

@@ -11,7 +11,7 @@
 - name: Generate DKIM key
   command: >
     docker compose exec -T antispam
-    rspamadm dkim_keygen -s dkim -d {{ applications[application_id].domain }} -k {{ mailu_dkim_key_path }}
+    rspamadm dkim_keygen -s dkim -d {{ applications | get_app_conf(application_id, 'domain', True) }} -k {{ mailu_dkim_key_path }}
   register: dkim_keygen_output
   when: dkim_key_file_stat.rc != 0
   args:

roles/web-app-mailu/templates/env.j2

@@ -189,7 +189,7 @@ OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
 # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
 OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
 
-{% if applications[application_id].oidc.email_by_username | bool %}
+{% if applications | get_app_conf(application_id, 'oidc.email_by_username', True) | bool %}
 
 # The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as <OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>. Defaults to email.
 OIDC_USERNAME_CLAIM={{oidc.attributes.username}}
@@ -199,5 +199,5 @@ OIDC_USER_DOMAIN={{primary_domain}}
 {% endif %}
 
 # If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True.
-OIDC_ENABLE_USER_CREATION={{ applications[application_id].oidc.enable_user_creation | string | capitalize }}
+OIDC_ENABLE_USER_CREATION={{ applications | get_app_conf(application_id, 'oidc.enable_user_creation', True) | string | capitalize }}
 {% endif %}

roles/web-app-mailu/vars/mailu-dns.yml

@@ -1,13 +1,13 @@
 # vars/mailu-dns.yml
 
-mailu_dns_zone: "{{ applications[application_id].domain }}"
+mailu_dns_zone: "{{ applications | get_app_conf(application_id, 'domain', True) }}"
 mailu_dns_ip:   "{{ networks.internet.ip4 }}"
 
 cloudflare_record_api_token: "{{ certbot_dns_api_token }}"
 
-mailu_dmarc_ruf:    "{{ applications[application_id].users.administrator.email }}"
+mailu_dmarc_ruf:    "{{ applications | get_app_conf(application_id, 'users.administrator.email', True) }}"
 
-mailu_dkim_key_file: "{{ applications[application_id].domain }}.dkim.key"
+mailu_dkim_key_file: "{{ applications | get_app_conf(application_id, 'domain', True) }}.dkim.key"
 mailu_dkim_key_path: "/dkim/{{ mailu_dkim_key_file }}"
 
 mailu_dns_srv_records:

roles/web-app-mastodon/templates/docker-compose.yml.j2

@@ -3,7 +3,7 @@
   web:
 {% set container_port = 3000 %}
 {% set container_healthcheck = 'health' %}
-    image: "{{ applications[application_id].images[application_id] }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p {{ container_port }}"
 {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %}
@@ -17,7 +17,7 @@
   streaming:
 {% set container_port = 4000 %}
 {% set container_healthcheck = 'api/v1/streaming/health' %}
-    image: "{{ applications[application_id].images.streaming }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.streaming', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     command: node ./streaming
 {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %}
@@ -27,7 +27,7 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
   sidekiq:
-    image: "{{ applications[application_id].images.mastodon }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.mastodon', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     command: bundle exec sidekiq
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}

roles/web-app-matomo/config/main.yml

@@ -1,5 +1,3 @@
-images:
-  matomo:             "matomo:latest"
 features:
   # If you want to use Matomo on the Matomo page, you 
   # have to set it here manual to true. 
@@ -7,7 +5,7 @@ features:
   # itself wouldn't be possible 
   matomo:             false 
   css:                false
-  port-ui-desktop:   true
+  port-ui-desktop:    true
   central_database:   true
   oauth2:             false
 csp:
@@ -34,6 +32,8 @@ excluded_ips: "{{ networks.internet.values() | list }}"
 
 docker:
   services:
+    matomo:
+      image:  "matomo:latest"
     database:
       enabled: true
     redis:

roles/web-app-matomo/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
   application:
 {% set container_port = 80 %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].images['matomo'] }}"
+    image: "{{ applications | get_app_conf(application_id, 'docker.services.matomo.image']', True) }}"
     ports:
       - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}"
     volumes:

roles/web-app-matomo/vars/main.yml

@@ -1,9 +1,9 @@
 ---
 application_id:       "web-app-matomo"
 database_type:        "mariadb"
-matomo_excluded_ips:  "{{ applications[application_id].excluded_ips }}"
+matomo_excluded_ips:  "{{ applications | get_app_conf(application_id, 'excluded_ips', True) }}"
 matomo_index_php_url: "{{ domains | get_url(application_id, web_protocol) }}/index.php"
-matomo_auth_token:    "{{ applications[application_id].credentials.auth_token }}"
+matomo_auth_token:    "{{ applications | get_app_conf(application_id, 'credentials.auth_token', True) }}"
 
 
 # I don't know if this is still necessary

roles/web-app-matrix-deprecated/templates/vars.yml.j2

@@ -18,7 +18,7 @@ matrix_homeserver_implementation: synapse
 
 # A secret used as a base, for generating various other secrets.
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
-matrix_homeserver_generic_secret_key: "{{applications[application_id].credentials.generic_secret_key}}"
+matrix_homeserver_generic_secret_key: "{{applications | get_app_conf(application_id, 'credentials.generic_secret_key', True)}}"
 
 # By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
 # It will retrieve SSL certificates for you on-demand and forward requests to all other components.

roles/web-app-matrix/Administration.md

@@ -3,7 +3,7 @@
 ## Cleanup 
 ```
 # Cleanup Database
-for db in matrix applications[application_id].credentials.mautrix_whatsapp_bridge applications[application_id].credentials.mautrix_telegram_bridge applications[application_id].credentials.mautrix_signal_bridge applications[application_id].credentials.mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done
+for db in matrix applications | get_app_conf(application_id, 'credentials.mautrix_whatsapp_bridge', True) applications | get_app_conf(application_id, 'credentials.mautrix_telegram_bridge', True) applications | get_app_conf(application_id, 'credentials.mautrix_signal_bridge', True) applications | get_app_conf(application_id, 'credentials.mautrix_slack_bridge', True); do python reset-database-in-central-postgres.py $db; done
 # Cleanup Docker and Volumes
 docker compose down -v
 ```

roles/web-app-matrix/Installation.md

@@ -15,7 +15,7 @@ For login with Token checkout [this guide](https://docs.mau.fi/bridges/go/slack/
 
 ### ChatGPT
 - Create API Token: https://platform.openai.com/api-keys
-- Set ``applications[application_id].credentials.chatgpt_bridge_access_token`` 
+- Set ``applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_access_token', True)`` 
 
 ## Debug:
 - https://federationtester.matrix.org/

roles/web-app-matrix/tasks/main.yml

@@ -5,7 +5,7 @@
 
 - name: Filter enabled bridges and register as fact
   set_fact:
-    bridges: "{{ bridges_configuration | filter_enabled_bridges(applications[application_id].plugins) }}"
+    bridges: "{{ bridges_configuration | filter_enabled_bridges(applications | get_app_conf(application_id, 'plugins', True)) }}"
   changed_when: false
 
 - name: "load docker and db for {{application_id}}"
@@ -143,14 +143,14 @@
 
 - name: create admin account
   command:
-    cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications[application_id].users.administrator.username}} -p {{applications[application_id].credentials.administrator_password}} -a -c /data/homeserver.yaml http://localhost:8008
+    cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications | get_app_conf(application_id, 'users.administrator.username', True)}} -p {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}} -a -c /data/homeserver.yaml http://localhost:8008
     chdir: "{{ docker_compose.directories.instance }}"
   ignore_errors: true
-  when: applications[application_id].setup | bool
+  when: applications | get_app_conf(application_id, 'setup', True) | bool
 
 - name: create chatgpt bot
   command:
-    cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications[application_id].credentials.chatgpt_bridge_user_password}} -a -c /data/homeserver.yaml http://localhost:8008
+    cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True)}} -a -c /data/homeserver.yaml http://localhost:8008
     chdir: "{{ docker_compose.directories.instance }}"
   ignore_errors: true
-  when: applications[application_id].setup | bool
+  when: applications | get_app_conf(application_id, 'setup', True) | bool

roles/web-app-matrix/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   synapse:
 {% set container_port = 8008 %}
-    image: "{{ applications[application_id].images.synapse }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.synapse', True) }}"
     container_name: matrix-synapse
     restart: {{docker_restart_policy}}
     logging:
@@ -30,7 +30,7 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
   element:
 {% set container_port = 80 %}
-    image: "{{ applications[application_id].images.element }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.element', True) }}"
     container_name: matrix-element
     restart: {{docker_restart_policy}}
     volumes:
@@ -54,7 +54,7 @@
       retries: 3
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% endfor %}
-{% if applications[application_id].plugins.chatgpt | bool %}
+{% if applications | get_app_conf(application_id, 'plugins', True).chatgpt | bool %}
   matrix-chatgpt-bot:
     restart: {{docker_restart_policy}}
     container_name: matrix-chatgpt
@@ -62,7 +62,7 @@
     volumes:
       - chatgpt_data:/storage
     environment:
-      OPENAI_API_KEY: '{{applications[application_id].credentials.chatgpt_bridge_openai_api_key}}'
+      OPENAI_API_KEY: '{{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_openai_api_key', True)}}'
       # Uncomment the next two lines if you are using Azure OpenAI API
       # OPENAI_AZURE: 'false'
       # CHATGPT_REVERSE_PROXY: 'your-completion-endpoint-here'
@@ -82,13 +82,13 @@
       KEYV_BOT_ENCRYPTION: 'false'
       KEYV_BOT_STORAGE: 'true'
       MATRIX_HOMESERVER_URL: 'https://{{domains.matrix.synapse}}'
-      MATRIX_BOT_USERNAME: '@chatgptbot:{{applications[application_id].server_name}}'
+      MATRIX_BOT_USERNAME: '@chatgptbot:{{applications | get_app_conf(application_id, 'server_name', True)}}'
-      MATRIX_ACCESS_TOKEN: '{{ applications[application_id].credentials.chatgpt_bridge_access_token | default('') }}'
+      MATRIX_ACCESS_TOKEN: '{{ applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_access_token', True) | default('') }}'
-      MATRIX_BOT_PASSWORD: '{{applications[application_id].credentials.chatgpt_bridge_user_password}}'
+      MATRIX_BOT_PASSWORD: '{{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True)}}'
       MATRIX_DEFAULT_PREFIX: '!chatgpt'
       MATRIX_DEFAULT_PREFIX_REPLY: 'false'
       #MATRIX_BLACKLIST: ''
-      MATRIX_WHITELIST: ':{{applications[application_id].server_name}}'
+      MATRIX_WHITELIST: ':{{applications | get_app_conf(application_id, 'server_name', True)}}'
       MATRIX_AUTOJOIN: 'true'
       MATRIX_ENCRYPTION: 'true'
       MATRIX_THREADS: 'true'
@@ -98,7 +98,7 @@
 
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
   synapse_data:
-{% if applications[application_id].plugins.chatgpt | bool %}
+{% if applications | get_app_conf(application_id, 'plugins', True).chatgpt | bool %}
     chatgpt_data:
 {% endif %}
 

roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2

@@ -3,7 +3,7 @@ homeserver:
     # The address that this appservice can use to connect to the homeserver.
     address: http://synapse:8008
     # The domain of the homeserver (for MXIDs, etc).
-    domain: {{applications[application_id].server_name}}
+    domain: {{applications | get_app_conf(application_id, 'server_name', True)}}
     # Whether or not to verify the SSL certificate of the homeserver.
     # Only applies if address starts with https://
     verify_ssl: true
@@ -39,7 +39,7 @@ appservice:
     # Format examples:
     #   SQLite:   sqlite:filename.db
     #   Postgres: postgres://username:password@hostname/dbname
-    database: postgres://mautrix_facebook_bridge:{{applications[application_id].credentials.mautrix_facebook_bridge_database_password}}@{{database_host}}/mautrix_facebook_bridge
+    database: postgres://mautrix_facebook_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_facebook_bridge_database_password', True)}}@{{database_host}}/mautrix_facebook_bridge
     # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
     # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
     # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
@@ -143,7 +143,7 @@ bridge:
     sync_direct_chat_list: false
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications[application_id].server_name}}: {{domains.matrix.synapse}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: {{domains.matrix.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
@@ -154,7 +154,7 @@ bridge:
     # If using this for other servers than the bridge's server,
     # you must also set the URL in the double_puppet_server_map.
     login_shared_secret_map:
-        {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}
     # Should presence from Facebook be bridged? This doesn't use the same API as the Android app,
     # so it might be more suspicious to Facebook.
     presence_from_facebook: false
@@ -380,8 +380,8 @@ bridge:
     #     mxid - Specific user
     permissions:
         "*": relay
-        "{{applications[application_id].server_name}}": user
+        "{{applications | get_app_conf(application_id, 'server_name', True)}}": user
-        "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin
+        "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin
 
     relay:
         # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any

roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2

@@ -10,7 +10,7 @@ homeserver:
     # How often should the websocket be pinged? Pinging will be disabled if this is zero.
     ping_interval_seconds: 0
     # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-    domain: {{applications[application_id].server_name}}
+    domain: {{applications | get_app_conf(application_id, 'server_name', True)}}
 
     # What software is the homeserver running?
     # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.

roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2

@@ -3,7 +3,7 @@ homeserver:
     # The address that this appservice can use to connect to the homeserver.
     address: http://synapse:8008
     # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-    domain: {{applications[application_id].server_name}}
+    domain: {{applications | get_app_conf(application_id, 'server_name', True)}}
     # Whether or not to verify the SSL certificate of the homeserver.
     # Only applies if address starts with https://
     verify_ssl: true
@@ -42,7 +42,7 @@ appservice:
     # Format examples:
     #   SQLite:   sqlite:filename.db
     #   Postgres: postgres://username:password@hostname/dbname
-    database: postgres://mautrix_instagram_bridge:{{applications[application_id].credentials.mautrix_instagram_bridge_database_password}}@{{database_host}}/mautrix_instagram_bridge
+    database: postgres://mautrix_instagram_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_instagram_bridge_database_password', True)}}@{{database_host}}/mautrix_instagram_bridge
     # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
     # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
     # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
@@ -134,7 +134,7 @@ bridge:
     double_puppet_allow_discovery: false
     # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
     double_puppet_server_map:
-        {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}}
     # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
     #
     # If set, custom puppets will be enabled automatically for local users
@@ -143,7 +143,7 @@ bridge:
     # If using this for other servers than the bridge's server,
     # you must also set the URL in the double_puppet_server_map.
     login_shared_secret_map:
-        {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}
     # Whether or not created rooms should have federation enabled.
     # If false, created portal rooms will never be federated.
     federate_rooms: true
@@ -359,8 +359,8 @@ bridge:
     #     mxid - Specific user
     permissions:
         "*": relay
-        "{{applications[application_id].server_name}}": user
+        "{{applications | get_app_conf(application_id, 'server_name', True)}}": user
-        "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin
+        "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin
 
     relay:
         # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any

roles/web-app-matrix/templates/mautrix/signal.config.yml.j2

@@ -3,7 +3,7 @@ homeserver:
     # The address that this appservice can use to connect to the homeserver.
     address: http://synapse:8008
     # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-    domain: {{applications[application_id].server_name}}
+    domain: {{applications | get_app_conf(application_id, 'server_name', True)}}
 
     # What software is the homeserver running?
     # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
@@ -43,7 +43,7 @@ appservice:
         #           https://github.com/mattn/go-sqlite3#connection-string
         #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
         #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: postgres://mautrix_signal_bridge:{{applications[application_id].credentials.mautrix_signal_bridge_database_password}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable
+        uri: postgres://mautrix_signal_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_signal_bridge_database_password', True)}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable
         # Maximum number of connections. Mostly relevant for Postgres.
         max_open_conns: 20
         max_idle_conns: 2
@@ -141,7 +141,7 @@ bridge:
     federate_rooms: true
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
@@ -150,7 +150,7 @@ bridge:
     # instead of users having to find an access token and run `login-matrix`
     # manually.
     login_shared_secret_map:
-        {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}
 
     # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
     # Null means there's no enforced timeout.
@@ -274,8 +274,8 @@ bridge:
     #     mxid - Specific user
     permissions:
         "*": relay
-        "{{applications[application_id].server_name}}": user
+        "{{applications | get_app_conf(application_id, 'server_name', True)}}": user
-        "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin
+        "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin
 
     # Settings for relay mode
     relay:

roles/web-app-matrix/templates/mautrix/slack.config.yml.j2

@@ -3,7 +3,7 @@ homeserver:
     # The address that this appservice can use to connect to the homeserver.
     address: http://synapse:8008
     # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-    domain: {{applications[application_id].server_name}}
+    domain: {{applications | get_app_conf(application_id, 'server_name', True)}}
 
     # What software is the homeserver running?
     # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
@@ -43,7 +43,7 @@ appservice:
         #           https://github.com/mattn/go-sqlite3#connection-string
         #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
         #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: postgres://mautrix_slack_bridge:{{applications[application_id].credentials.mautrix_slack_bridge_database_password}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable
+        uri: postgres://mautrix_slack_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_slack_bridge_database_password', True)}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable
         # Maximum number of connections. Mostly relevant for Postgres.
         max_open_conns: 20
         max_idle_conns: 2
@@ -118,7 +118,7 @@ bridge:
 
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
@@ -127,7 +127,7 @@ bridge:
     # instead of users having to find an access token and run `login-matrix`
     # manually.
     login_shared_secret_map:
-        {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}
 
     message_handling_timeout:
         # Send an error message after this timeout, but keep waiting for the response until the deadline.
@@ -278,8 +278,8 @@ bridge:
     #     mxid - Specific user
     permissions:
         "*": relay
-        "{{applications[application_id].server_name}}": user
+        "{{applications | get_app_conf(application_id, 'server_name', True)}}": user
-        "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin
+        "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin
 
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:

roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2

@@ -3,7 +3,7 @@ homeserver:
     # The address that this appservice can use to connect to the homeserver.
     address: http://synapse:8008
     # The domain of the homeserver (for MXIDs, etc).
-    domain: {{applications[application_id].server_name}}
+    domain: {{applications | get_app_conf(application_id, 'server_name', True)}}
     # Whether or not to verify the SSL certificate of the homeserver.
     # Only applies if address starts with https://
     verify_ssl: true
@@ -42,7 +42,7 @@ appservice:
     # Format examples:
     #   SQLite:   sqlite:filename.db
     #   Postgres: postgres://username:password@hostname/dbname
-    database: postgres://mautrix_telegram_bridge:{{applications[application_id].credentials.mautrix_telegram_bridge_database_password}}@{{database_host}}/mautrix_telegram_bridge
+    database: postgres://mautrix_telegram_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_telegram_bridge_database_password', True)}}@{{database_host}}/mautrix_telegram_bridge
     # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
     # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
     # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
@@ -62,7 +62,7 @@ appservice:
         prefix: /public
         # The base URL where the public-facing endpoints are available. The prefix is not added
         # implicitly.
-        external: https://{{applications[application_id].server_name}}/public
+        external: https://{{applications | get_app_conf(application_id, 'server_name', True)}}/public
 
     # Provisioning API part of the web server for automated portal creation and fetching information.
     # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
@@ -198,7 +198,7 @@ bridge:
     sync_direct_chat_list: false
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
@@ -209,7 +209,7 @@ bridge:
     # If using this for other servers than the bridge's server,
     # you must also set the URL in the double_puppet_server_map.
     login_shared_secret_map:
-        {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}
     # Set to false to disable link previews in messages sent to Telegram.
     telegram_link_preview: true
     # Whether or not the !tg join command should do a HTTP request
@@ -530,9 +530,9 @@ bridge:
     #     mxid - Specific user
     permissions:
         "*": "relaybot"
-        "public.{{applications[application_id].server_name}}": "user"
+        "public.{{applications | get_app_conf(application_id, 'server_name', True)}}": "user"
-        "{{applications[application_id].server_name}}": "full"
+        "{{applications | get_app_conf(application_id, 'server_name', True)}}": "full"
-        "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": "admin"
+        "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": "admin"
 
     # Options related to the message relay Telegram bot.
     relaybot:
@@ -564,8 +564,8 @@ bridge:
 # Telegram config
 telegram:
     # Get your own API keys at https://my.telegram.org/apps
-    api_id: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_id}}
+    api_id: {{applications | get_app_conf(application_id, 'credentials.mautrix_telgegram_bridge_api_id', True)}}
-    api_hash: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_pin}}
+    api_hash: {{applications | get_app_conf(application_id, 'credentials.mautrix_telgegram_bridge_api_pin', True)}}
     # (Optional) Create your own bot at https://t.me/BotFather
     bot_token: disabled
 

roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2

@@ -3,7 +3,7 @@ homeserver:
     # The address that this appservice can use to connect to the homeserver.
     address: http://synapse:8008
     # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-    domain: {{applications[application_id].server_name}}
+    domain: {{applications | get_app_conf(application_id, 'server_name', True)}}
     
     # What software is the homeserver running?
     # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
@@ -42,7 +42,7 @@ appservice:
         #           https://github.com/mattn/go-sqlite3#connection-string
         #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
         #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: postgres://mautrix_whatsapp_bridge:{{applications[application_id].credentials.mautrix_whatsapp_bridge_database_password}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable
+        uri: postgres://mautrix_whatsapp_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_whatsapp_bridge_database_password', True)}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable
         # Maximum number of connections. Mostly relevant for Postgres.
         max_open_conns: 20
         max_idle_conns: 2
@@ -236,7 +236,7 @@ bridge:
     force_active_delivery_receipts: false
     # Servers to always allow double puppeting from
     double_puppet_server_map:
-        {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}}
     # Allow using double puppeting from any server with a valid client .well-known file.
     double_puppet_allow_discovery: false
     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
@@ -245,7 +245,7 @@ bridge:
     # instead of users having to find an access token and run `login-matrix`
     # manually.
     login_shared_secret_map:
-        {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
+        {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}
     # Whether to explicitly set the avatar and room name for private chat portal rooms.
     # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
     # If set to `always`, all DM rooms will have explicit names and avatars set.
@@ -434,8 +434,8 @@ bridge:
     #     mxid - Specific user
     permissions:
         "*": relay
-        "{{applications[application_id].server_name}}": user
+        "{{applications | get_app_conf(application_id, 'server_name', True)}}": user
-        "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin
+        "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin
     
     # Settings for relay mode
     relay:

roles/web-app-matrix/templates/synapse/homeserver.yaml.j2

@@ -1,4 +1,4 @@
-server_name: "{{applications[application_id].server_name}}"
+server_name: "{{applications | get_app_conf(application_id, 'server_name', True)}}"
 pid_file: /data/homeserver.pid
 listeners:
   - port: 8008
@@ -19,10 +19,10 @@ database:
     cp_max: 10
 log_config:                     "/data/{{domains.matrix.synapse}}.log.config"
 media_store_path:               "/data/media_store"
-registration_shared_secret:     "{{applications[application_id].credentials.registration_shared_secret}}"
+registration_shared_secret:     "{{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}"
 report_stats:                   true
-macaroon_secret_key:            "{{applications[application_id].credentials.macaroon_secret_key}}"
+macaroon_secret_key:            "{{applications | get_app_conf(application_id, 'credentials.macaroon_secret_key', True)}}"
-form_secret:                    "{{applications[application_id].credentials.form_secret}}"
+form_secret:                    "{{applications | get_app_conf(application_id, 'credentials.form_secret', True)}}"
 signing_key_path:               "/data/{{domains.matrix.synapse}}.signing.key"
 web_client_location:            "{{ web_protocol }}://{{domains.matrix.element}}"
 public_baseurl:                 "{{ web_protocol }}://{{domains.matrix.synapse}}"

roles/web-app-matrix/vars/bridges.yml

@@ -1,30 +1,30 @@
 bridges_configuration:
-  - database_password: "{{ applications[application_id].credentials.mautrix_whatsapp_bridge_database_password }}"
+  - database_password: "{{ applications | get_app_conf(application_id, 'credentials.mautrix_whatsapp_bridge_database_password', True) }}"
     database_username:  "mautrix_whatsapp_bridge"
     database_name:      "mautrix_whatsapp_bridge"
     bridge_name:        "whatsapp"   
 
-  - database_password:  "{{ applications[application_id].credentials.mautrix_telegram_bridge_database_password }}"
+  - database_password:  "{{ applications | get_app_conf(application_id, 'credentials.mautrix_telegram_bridge_database_password', True) }}"
     database_username:  "mautrix_telegram_bridge"
     database_name:      "mautrix_telegram_bridge"
     bridge_name:        "telegram"
 
-  - database_password:  "{{ applications[application_id].credentials.mautrix_signal_bridge_database_password }}"
+  - database_password:  "{{ applications | get_app_conf(application_id, 'credentials.mautrix_signal_bridge_database_password', True) }}"
     database_username:  "mautrix_signal_bridge"
     database_name:      "mautrix_signal_bridge"
     bridge_name:        "signal"
 
-  - database_password:  "{{ applications[application_id].credentials.mautrix_slack_bridge_database_password }}"
+  - database_password:  "{{ applications | get_app_conf(application_id, 'credentials.mautrix_slack_bridge_database_password', True) }}"
     database_username:  "mautrix_slack_bridge"
     database_name:      "mautrix_slack_bridge"
     bridge_name:        "slack"
 
-  - database_password:  "{{ applications[application_id].credentials.mautrix_facebook_bridge_database_password }}"
+  - database_password:  "{{ applications | get_app_conf(application_id, 'credentials.mautrix_facebook_bridge_database_password', True) }}"
     database_username:  "mautrix_facebook_bridge"
     database_name:      "mautrix_facebook_bridge"
     bridge_name:        "facebook"
 
-  - database_password:  "{{ applications[application_id].credentials.mautrix_instagram_bridge_database_password }}"
+  - database_password:  "{{ applications | get_app_conf(application_id, 'credentials.mautrix_instagram_bridge_database_password', True) }}"
     database_username:  "mautrix_instagram_bridge"
     database_name:      "mautrix_instagram_bridge"
     bridge_name:        "instagram"

roles/web-app-mobilizon/templates/docker-compose.yml.j2

@@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   application:
-    image: "{{ applications[application_id].images[application_id] }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
     volumes:
       - uploads:/var/lib/mobilizon/uploads
       - {{ mobilizon_host_conf_exs_file }}:/etc/mobilizon/config.exs:ro

roles/web-app-mobilizon/templates/env.j2

@@ -6,7 +6,7 @@
 ######################################################
 
 # The name for your instance
-MOBILIZON_INSTANCE_NAME={{ applications[application_id].titel }}
+MOBILIZON_INSTANCE_NAME={{ applications | get_app_conf(application_id, 'titel', True) }}
 
 # Your domain
 MOBILIZON_INSTANCE_HOST={{ domains | get_domain(application_id) }}
@@ -67,12 +67,12 @@ MOBILIZON_DATABASE_PORT={{ database_port }}
 # A secret key used as a base to generate secrets for encrypting and signing data.
 # Make sure it's long enough (~64 characters should be fine)
 # You can run `openssl rand -base64 48` to generate such a secret
-MOBILIZON_INSTANCE_SECRET_KEY_BASE={{ applications[application_id].credentials.secret_key_base }}
+MOBILIZON_INSTANCE_SECRET_KEY_BASE={{ applications | get_app_conf(application_id, 'credentials.secret_key_base', True) }}
 
 # A secret key used as a base to generate JWT tokens
 # Make sure it's long enough (~64 characters should be fine)
 # You can run `openssl rand -base64 48` to generate such a secret
-MOBILIZON_INSTANCE_SECRET_KEY={{ applications[application_id].credentials.secret_key }}
+MOBILIZON_INSTANCE_SECRET_KEY={{ applications | get_app_conf(application_id, 'credentials.secret_key', True) }}
 
 
 ######################################################

roles/web-app-moodle/templates/Dockerfile.j2

@@ -1,10 +1,10 @@
-FROM bitnami/moodle:{{ applications[application_id].version }}
+FROM bitnami/moodle:{{ applications | get_app_conf(application_id, 'version', True) }}
 
 {% if applications | is_feature_enabled('oidc', application_id) %}
 RUN install_packages unzip curl jq \
  && VERSION=$(curl -s https://api.github.com/repos/microsoft/moodle-auth_oidc/tags \
       | jq -r '.[].name' \
-      | grep v{{ applications[application_id].version }} \
+      | grep v{{ applications | get_app_conf(application_id, 'version', True) }} \
       | sort -Vr \
       | head -n1) \
  && echo "Using version $VERSION" \

roles/web-app-moodle/templates/env.j2

@@ -1,12 +1,12 @@
 
 # General 
-MOODLE_SITE_NAME="{{applications[application_id].site_titel}}"
+MOODLE_SITE_NAME="{{applications | get_app_conf(application_id, 'site_titel', True)}}"
 MOODLE_HOST="{{ domains | get_domain(application_id) }}"
 MOODLE_SSLPROXY=yes
 MOODLE_REVERSE_PROXY=yes
-MOODLE_USERNAME={{applications[application_id].users.administrator.username}}
+MOODLE_USERNAME={{applications | get_app_conf(application_id, 'users.administrator.username', True)}}
-MOODLE_PASSWORD={{applications[application_id].credentials.user_password}}
+MOODLE_PASSWORD={{applications | get_app_conf(application_id, 'credentials.user_password', True)}}
-MOODLE_EMAIL={{applications[application_id].users.administrator.email}}
+MOODLE_EMAIL={{applications | get_app_conf(application_id, 'users.administrator.email', True)}}
 BITNAMI_DEBUG={% if enable_debug | bool %}true{% else %}false{% endif %}
 
 # Database

roles/web-app-nextcloud/tasks/main.yml

@@ -43,7 +43,7 @@
 
 - name: Setup Nextcloud Plugins
   include_tasks: plugin.yml
-  loop: "{{applications[application_id].plugins | dict2items }}"
+  loop: "{{applications | get_app_conf(application_id, 'plugins', True) | dict2items }}"
   loop_control:
     loop_var: plugin_item
   vars:

roles/web-app-nextcloud/templates/config/oidc.config.php.j2

@@ -1,7 +1,7 @@
 <?php
 # Implementing OICD configuration
 
-{% if applications[application_id].oidc.flavor == "oidc_login" %}
+{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == "oidc_login" %}
 
 # Check out: https://github.com/pulsejet/nextcloud-oidc-login
 
@@ -33,7 +33,7 @@ return array (
     //
     // NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to
     // zero or -1 or ''.
-    'oidc_login_default_quota' => '{{applications[application_id].default_quota}}',
+    'oidc_login_default_quota' => '{{applications | get_app_conf(application_id, 'default_quota', True)}}',
 
     // Login button text
     'oidc_login_button_text' => '{{oidc.button_text}}',

roles/web-app-nextcloud/templates/env.j2

@@ -8,9 +8,9 @@ MYSQL_PASSWORD=                 "{{database_password}}"
 MYSQL_HOST=                     "{{database_host}}:{{database_port}}"
       
 # PHP
-PHP_MEMORY_LIMIT=               "{{applications[application_id].performance.php.memory_limit}}"
+PHP_MEMORY_LIMIT=               "{{applications | get_app_conf(application_id, 'performance.php.memory_limit', True)}}"
-PHP_UPLOAD_LIMIT=               "{{applications[application_id].performance.php.upload_limit}}"
+PHP_UPLOAD_LIMIT=               "{{applications | get_app_conf(application_id, 'performance.php.upload_limit', True)}}"
-PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications[application_id].performance.php.opcache_memory_consumption}}"
+PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications | get_app_conf(application_id, 'performance.php.opcache_memory_consumption', True)}}"
       
 # Email Configuration
 SMTP_HOST=                      {{system_email.host}}
@@ -24,8 +24,8 @@ MAIL_FROM_ADDRESS=              "{{ users['no-reply'].username }}"
 MAIL_DOMAIN=                    "{{system_email.domain}}"
 
 # Initial Admin Data
-NEXTCLOUD_ADMIN_USER=           "{{applications[application_id].users.administrator.username}}"
+NEXTCLOUD_ADMIN_USER=           "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}"
-NEXTCLOUD_ADMIN_PASSWORD=       "{{applications[application_id].credentials.administrator_password}}"
+NEXTCLOUD_ADMIN_PASSWORD=       "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}"
 
 # Security
 

roles/web-app-nextcloud/vars/plugins/user_ldap.yml

@@ -164,7 +164,7 @@ plugin_configuration:
     appid: "user_ldap"
     configkey: "s01ldap_userlist_filter"
     configvalue: |-
-      {% if applications[application_id].plugins.user_ldap.user_directory.enabled %}
+      {% if applications | get_app_conf(application_id, 'plugins', True).user_ldap.user_directory.enabled %}
       {{ ldap.filters.users.all }}
       {% else %}
       ()

roles/web-app-nextcloud/vars/system.yml

@@ -1,11 +1,11 @@
 nextcloud_system_config:
   - parameter: "hide_login_form"
     type: "boolean"
-    value: "{{ (not applications[application_id].legacy_login_mask.enabled) | lower }}"
+    value: "{{ (not applications | get_app_conf(application_id, 'legacy_login_mask.enabled', True)) | lower }}"
 
   - parameter: "auth.webauthn.enabled"
     type: "boolean"
-    value: "{{ applications[application_id].legacy_login_mask.enabled | lower }}"
+    value: "{{ applications | get_app_conf(application_id, 'legacy_login_mask.enabled', True) | lower }}"
 
   - parameter: "maintenance_window_start"
     type: "integer"

roles/web-app-openproject/tasks/main.yml

@@ -35,4 +35,4 @@
 
 - name: Setup LDAP
   include_tasks: ldap.yml
-  when: applications[application_id].features.ldap | bool
+  when: applications | get_app_conf(application_id, 'features.ldap', True) | bool

roles/web-app-openproject/vars/main.yml

@@ -21,8 +21,8 @@ openproject_rails_settings:
 openproject_filters:
   administrators: >-
     {{ '(memberOf=cn=openproject-admins,' ~ ldap.dn.ou.roles ~ ')' 
-       if applications[application_id].ldap.filters.administrators else '' }}
+       if applications | get_app_conf(application_id, 'ldap.filters.administrators', True) else '' }}
 
   users: >-
     {{ '(memberOf=cn=openproject-users,' ~ ldap.dn.ou.roles ~ ')' 
-       if applications[application_id].ldap.filters.users else '' }}
+       if applications | get_app_conf(application_id, 'ldap.filters.users', True) else '' }}

roles/web-app-peertube/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
 {% set container_port = 9000 %}
-    image: chocobozzz/peertube:production-{{ applications[application_id].version }}
+    image: chocobozzz/peertube:production-{{ applications | get_app_conf(application_id, 'version', True) }}
     container_name: {{ container_name }}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     ports:

roles/web-app-peertube/templates/env.j2

@@ -11,7 +11,7 @@ PEERTUBE_DB_HOSTNAME={{database_host}}
 PEERTUBE_WEBSERVER_HOSTNAME={{domains | get_domain(application_id)}}
 PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback"]
 
-PEERTUBE_SECRET={{applications[application_id].credentials.secret}}
+PEERTUBE_SECRET={{applications | get_app_conf(application_id, 'credentials.secret', True)}}
 
 # E-mail configuration
 PEERTUBE_SMTP_USERNAME={{ users['no-reply'].email }}

roles/web-app-pgadmin/tasks/main.yml

@@ -5,4 +5,4 @@
 
 - name: "configure pgadmin servers"
   include_tasks: configuration.yml
-  when: applications[application_id].server_mode | bool
+  when: applications | get_app_conf(application_id, 'server_mode', True) | bool

roles/web-app-pgadmin/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
 {% set container_port = 80 %}
-    image: dpage/pgadmin4:{{applications[application_id].version}}
+    image: dpage/pgadmin4:{{applications | get_app_conf(application_id, 'version', True)}}
     container_name: pgadmin
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     ports:
@@ -12,7 +12,7 @@
 {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %}
     volumes:
       - "data:/var/lib/pgadmin"
-{% if applications[application_id].server_mode | bool %}
+{% if applications | get_app_conf(application_id, 'server_mode', True) | bool %}
       - "{{ pgadmin_host_server_file }}:{{ pgadmin_docker_server_file }}"
       - "{{ pgadmin_host_password_file }}:{{ pgadmin_docker_password_file }}"
 {% endif %}

roles/web-app-pgadmin/templates/env.j2

@@ -4,12 +4,12 @@
 PGADMIN_DISABLE_POSTFIX=True
 
 # Default login email for server mode
-PGADMIN_DEFAULT_EMAIL={{ applications[application_id].users.administrator.email }}
+PGADMIN_DEFAULT_EMAIL={{ applications | get_app_conf(application_id, 'users.administrator.email', True) }}
 
 # Default login password for server mode
-PGADMIN_DEFAULT_PASSWORD={{ applications[application_id].credentials.administrator_password }}
+PGADMIN_DEFAULT_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}
 
-{% if applications[application_id].server_mode | bool %}
+{% if applications | get_app_conf(application_id, 'server_mode', True) | bool %}
 # Load server connection settings from this JSON file
 PGADMIN_SERVER_JSON_FILE={{ pgadmin_docker_server_file }}
 
@@ -17,5 +17,5 @@ PGADMIN_SERVER_JSON_FILE={{ pgadmin_docker_server_file }}
 PGADMIN_CONFIG_SERVER_MODE=False
 
 # Disable master password prompt for stored credentials
-PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED={{ applications[application_id].master_password_required | capitalize }}
+PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED={{ applications | get_app_conf(application_id, 'master_password_required', True) | capitalize }}
 {% endif %}

roles/web-app-phpldapadmin/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
     container_name: {{ application_id }}
-    image: leenooks/phpldapadmin:{{applications[application_id].version}}
+    image: leenooks/phpldapadmin:{{applications | get_app_conf(application_id, 'version', True)}}
     ports:
       - 127.0.0.1:{{ports.localhost.http[application_id]}}:8080
 {% include 'roles/docker-container/templates/base.yml.j2' %}

roles/web-app-phpmyadmin/templates/env.j2

@@ -1,7 +1,7 @@
 # Configuration @see https://hub.docker.com/_/phpmyadmin
 
 PMA_HOST={{applications['svc-db-mariadb'].hostname}}
-{% if applications[application_id].autologin | bool %}
+{% if applications | get_app_conf(application_id, 'autologin', True) | bool %}
 PMA_USER= root
 PMA_PASSWORD= "{{applications['svc-db-mariadb'].credentials.root_password}}"
 {% endif %}

roles/web-app-pixelfed/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images.pixelfed }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.pixelfed', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
       - "data:/var/www/storage"
@@ -11,7 +11,7 @@
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
   worker:
-    image: "{{ applications[application_id].images.pixelfed }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.pixelfed', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
       - "data:/var/www/storage"

roles/web-app-pixelfed/templates/env.j2

@@ -1,5 +1,5 @@
 ## Crypto
-APP_KEY={{applications[application_id].credentials.app_key}}
+APP_KEY={{applications | get_app_conf(application_id, 'credentials.app_key', True)}}
 
 ## General Settings
 APP_NAME="{{applications.pixelfed.titel}}"

roles/web-app-port-ui/lookup_plugins/docker_cards.py

@@ -22,7 +22,7 @@ class LookupModule(LookupBase):
           - Retrieves the icon class from galaxy_info.logo.class
           - Retrieves the tags from galaxy_info.galaxy_tags
           - Builds the URL using the 'domains' variable
-          - Sets the iframe flag from applications[application_id].features.port-ui-desktop
+          - Sets the iframe flag from applications | get_app_conf(application_id, 'features.port-ui-desktop', True)
 
         Only cards whose application_id is included in the variable group_names are returned.
         """

roles/web-app-pretix/templates/docker-compose.yml.j2

@@ -4,7 +4,7 @@ services:
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images[application_id] }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
     volumes: []
     ports:
       - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"

roles/web-app-snipe-it/tasks/ldap.yml

@@ -17,7 +17,7 @@
     docker-compose exec -T \
       -u www-data \
       -e XDG_CONFIG_HOME=/tmp \
-      -e APP_KEY='{{ applications[application_id].credentials.app_key }}' \
+      -e APP_KEY='{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}' \
       application \
       sh -c 'echo "SHELL sees APP_KEY=$APP_KEY"'
   args:
@@ -27,7 +27,7 @@
   shell: |
     docker-compose exec -T -u www-data \
     -e XDG_CONFIG_HOME=/tmp \
-    -e APP_KEY="{{ applications[application_id].credentials.app_key }}" \
+    -e APP_KEY="{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}" \
     application \
     php artisan tinker --execute="echo 'CONFIG app.key: ' . config('app.key') . PHP_EOL;"
   args:
@@ -36,7 +36,7 @@
 - name: "Set all LDAP settings via Laravel Setting model (inside container as www-data)"
   shell: |
     docker-compose exec -T \
-    -e APP_KEY='{{ applications[application_id].credentials.app_key }}' \ 
+    -e APP_KEY='{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}' \ 
     -e XDG_CONFIG_HOME=/tmp \ 
     -u www-data application \ 
     sh -c 'php artisan tinker << "EOF"
@@ -75,7 +75,7 @@
   shell: |
     docker-compose exec -T \
       -u www-data \
-      -e APP_KEY="{{ applications[application_id].credentials.app_key }}" \
+      -e APP_KEY="{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}" \
       -e XDG_CONFIG_HOME=/tmp \
       application \
       php artisan tinker --execute="

roles/web-app-snipe-it/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
 {% set container_port = 80 %}
-    image: grokability/snipe-it:{{applications[application_id].version}}
+    image: grokability/snipe-it:{{applications | get_app_conf(application_id, 'version', True)}}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
       - data:/var/lib/snipeit

roles/web-app-snipe-it/templates/env.j2

@@ -3,7 +3,7 @@
 # --------------------------------------------
 APP_ENV={{ CYMAIS_ENVIRONMENT | lower }}
 APP_DEBUG={{enable_debug | string | lower }}
-APP_KEY={{ applications[application_id].credentials.app_key}}
+APP_KEY={{ applications | get_app_conf(application_id, 'credentials.app_key', True)}}
 APP_URL={{ snipe_it_url }}
 # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - TZ identifier
 APP_TIMEZONE='{{ HOST_TIMEZONE }}'

roles/web-app-snipe-it/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:     "snipe-it"
-database_password:  "{{ applications[application_id].credentials.database_password }}"
+database_password:  "{{ applications | get_app_conf(application_id, 'credentials.database_password', True) }}"
 database_type:      "mariadb"
 snipe_it_url:       "{{ domains | get_url(application_id, web_protocol) }}"

roles/web-app-syncope/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
    application: 
      depends_on:
        - db
-     image: apache/syncope:{{ applications[application_id].version }}
+     image: apache/syncope:{{ applications | get_app_conf(application_id, 'version', True) }}
      ports:
        - "18080:8080"
      restart: always
@@ -16,7 +16,7 @@
    console: 
      depends_on:
        - syncope
-     image: apache/syncope-console:{{ applications[application_id].version }}
+     image: apache/syncope-console:{{ applications | get_app_conf(application_id, 'version', True) }}
      ports:
        - "28080:8080"
      restart: always
@@ -27,7 +27,7 @@
    enduser: 
      depends_on:
        - syncope
-     image: apache/syncope-enduser:{{ applications[application_id].version }}
+     image: apache/syncope-enduser:{{ applications | get_app_conf(application_id, 'version', True) }}
      ports:
        - "38080:8080"
      restart: always

roles/web-app-taiga/tasks/main.yml

@@ -7,7 +7,7 @@
   template:
     src:  "taiga/{{item}}.py.j2"
     dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py"
-  when:   applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio'
+  when:   applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio'
   notify: docker compose up
   loop:   "{{ settings_files }}"
 

roles/web-app-taiga/templates/docker-compose.yml.j2

@@ -9,7 +9,7 @@
       - media-data:/taiga-back/media
       # - ./config.py:/taiga-back/settings/config.py
 
-{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %}
 
       - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
 
@@ -22,7 +22,7 @@
         condition: service_started
       taiga-async-rabbitmq:
         condition: service_started
-{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %}
     
     command: >
       /bin/sh -c "
@@ -42,7 +42,7 @@
       - media-data:/taiga-back/media
       # - ./config.py:/taiga-back/settings/config.py
 
-{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %}
 
 {% for item in settings_files %}
       - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro
@@ -57,7 +57,7 @@
         condition: service_started
       taiga-async-rabbitmq:
         condition: service_started
-{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %}
     
     command: >
       /bin/sh -c "

roles/web-app-taiga/templates/env.j2

@@ -6,8 +6,8 @@ TAIGA_SUBPATH       =   ""  # it'll be appended to the TAIGA_DOMAIN (use either
 WEBSOCKETS_SCHEME   =   wss # events connection protocol (use either "ws" or "wss")
 
 # Taiga's Secret Key - Variable to provide cryptographic signing
-TAIGA_SECRET_KEY    =   "{{applications[application_id].credentials.secret_key}}"
+TAIGA_SECRET_KEY    =   "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}"
-SECRET_KEY          =   "{{applications[application_id].credentials.secret_key}}"
+SECRET_KEY          =   "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}"
 
 # Taiga's Database settings - Variables to create the Taiga database and connect to it
 POSTGRES_USER       =   "{{database_username}}"       # user to connect to PostgreSQL
@@ -49,7 +49,7 @@ ENABLE_TELEMETRY    =   True
 
 {% if applications | is_feature_enabled('oidc',application_id) %}
 
-{% if applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %}
 
 # OIDC via taigaio official contrib
 # @See https://github.com/taigaio/taiga-contrib-oidc-auth
@@ -65,7 +65,7 @@ OIDC_OP_JWKS_ENDPOINT="{{ oidc.client.certs }}"
 
 {% endif %}
 
-{% if applications[application_id].oidc.flavor == 'robrotheram' %}
+{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' %}
 
 # OIDC via robrotheram
 # @see https://github.com/robrotheram/taiga-contrib-openid-auth

roles/web-app-taiga/vars/main.yml

@@ -4,10 +4,10 @@ docker_repository_address:  "https://github.com/taigaio/taiga-docker"
 email_backend:              "smtp"                                      ## use an SMTP server or display the emails in the console (either "smtp" or "console")
 docker_compose_init:        "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
 taiga_image_backend: >-
-  {{ 'robrotheram/taiga-back-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram'
+  {{ 'robrotheram/taiga-back-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram'
      else 'taigaio/taiga-back' }}
 taiga_image_frontend: >-
-  {{ 'robrotheram/taiga-front-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram'
+  {{ 'robrotheram/taiga-front-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram'
      else 'taigaio/taiga-front' }}
 taiga_frontend_conf_path:   "{{docker_compose.directories.config}}conf.json"
 docker_repository:          true