From db0e030900afee1a61b9fbf81bc4e3f30d877974 Mon Sep 17 00:00:00 2001 
From: Kevin Veen-Birkenbach Date: Wed, 13 Aug 2025 19:10:44 +0200 Subject: [PATCH] Renamed general and mode constants and implemented a check to verify that constants are just defined ones over the whole repository --- cli/build/defaults/users.py | 2 +- cli/deploy.py | 14 +- filter_plugins/alias_domains_map.py | 6 +- filter_plugins/canonical_domains_map.py | 8 +- filter_plugins/domain_redirect_mappings.py | 10 +- filter_plugins/redirect_filters.py | 2 +- group_vars/all/00_general.yml | 43 +++--- group_vars/all/01_modes.yml | 11 +- group_vars/all/02_system_email.yml | 4 +- group_vars/all/08_calendar.yml | 10 +- group_vars/all/12_oidc.yml | 6 +- group_vars/all/13_ldap.yml | 4 +- group_vars/all/15_about.yml | 2 +- group_vars/all/docs/CLOUDFLARE_API_TOKEN.md | 6 +- roles/desk-ssh/tasks/01_core.yml | 2 +- roles/docker-compose/README.md | 4 +- roles/docker-compose/tasks/main.yml | 2 +- .../tasks/01_cloudflare.yml | 6 +- .../tasks/cloudflare/01_cleanup.yml | 2 +- .../cloudflare/02_enable_cf_dev_mode.yml | 6 +- roles/srv-proxy-6-6-domain/tasks/main.yml | 2 +- roles/srv-proxy-6-6-tls-deploy/README.md | 2 +- roles/srv-proxy-6-6-tls-deploy/SETUP.md | 10 +- .../templates/srv-proxy-6-6-tls-deploy.sh.j2 | 6 +- roles/srv-web-6-6-tls-core/README.md | 2 +- .../tasks/flavors/dedicated.yml | 18 +-- .../tasks/flavors/san.yml | 12 +- .../tasks/flavors/wildcard.yml | 4 +- roles/srv-web-6-6-tls-core/tasks/main.yml | 16 +-- roles/srv-web-7-4-core/README.md | 4 +- roles/srv-web-7-4-core/tasks/01_core.yml | 2 +- roles/srv-web-7-4-core/tasks/02_reset.yml | 2 +- .../tasks/03_cache_directories.yml | 2 +- .../srv-web-7-4-core/templates/nginx.conf.j2 | 2 +- roles/srv-web-7-6-https/README.md | 4 +- roles/srv-web-7-7-certbot/tasks/main.yml | 14 +- roles/srv-web-7-7-dns-records/README.md | 4 +- roles/srv-web-7-7-dns-records/tasks/main.yml | 2 +- roles/srv-web-7-7-inj-compose/tasks/main.yml | 4 +- roles/srv-web-7-7-inj-javascript/README.md | 2 +- .../templates/logout_one_liner.js.j2 | 2 +- 
roles/srv-web-7-7-inj-matomo/tasks/main.yml | 2 +- .../templates/matomo-tracking.js.j2 | 2 +- .../templates/iframe-handler.js.j2 | 4 +- .../srv-web-7-7-letsencrypt/tasks/01_core.yml | 2 +- .../tasks/01_set-caa-records.yml | 8 +- .../templates/letsencrypt.conf.j2 | 2 +- .../templates/ssl_credentials.j2 | 6 +- .../templates/docker-compose.yml.j2 | 4 +- roles/sys-bkp-docker-2-loc/tasks/01_core.yml | 2 +- .../tasks/04_seed-database-to-backup.yml | 2 +- roles/sys-cln-domains/tasks/main.yml | 6 +- roles/sys-rst-daemon/README.md | 2 +- roles/sys-rst-daemon/tasks/main.yml | 2 +- roles/sys-svc-sshd/README.md | 2 +- roles/sys-svc-sshd/templates/sshd_config.j2 | 2 +- roles/sys-timer/README.md | 2 +- roles/sys-timer/tasks/main.yml | 4 +- roles/sys-timer/templates/dummy.timer.j2 | 2 +- roles/update-docker/tasks/01_core.yml | 2 +- .../templates/update-docker.py.j2 | 2 +- roles/user-administrator/users/main.yml | 2 +- roles/user/users/main.yml | 4 +- roles/web-app-akaunting/config/main.yml | 4 +- roles/web-app-attendize/config/main.yml | 2 +- roles/web-app-baserow/config/main.yml | 2 +- roles/web-app-bigbluebutton/config/main.yml | 2 +- roles/web-app-bigbluebutton/templates/env.j2 | 4 +- roles/web-app-bigbluebutton/users/main.yml | 2 +- roles/web-app-bluesky/config/main.yml | 4 +- .../templates/docker-compose.yml.j2 | 2 +- roles/web-app-bluesky/templates/env.j2 | 2 +- roles/web-app-bluesky/users/main.yml | 2 +- roles/web-app-collabora/config/main.yml | 2 +- roles/web-app-discourse/config/main.yml | 4 +- roles/web-app-discourse/tasks/01_core.yml | 2 +- roles/web-app-elk/config/main.yml | 2 +- roles/web-app-espocrm/config/main.yml | 8 +- roles/web-app-espocrm/templates/env.j2 | 2 +- roles/web-app-friendica/config/main.yml | 2 +- roles/web-app-friendica/templates/env.j2 | 4 +- roles/web-app-funkwhale/config/main.yml | 6 +- roles/web-app-funkwhale/templates/env.j2 | 4 +- roles/web-app-gitea/config/main.yml | 4 +- roles/web-app-gitea/tasks/cleanup/ldap.yml | 2 +- 
roles/web-app-gitea/tasks/main.yml | 6 +- roles/web-app-gitea/tasks/setup/ldap.yml | 2 +- roles/web-app-gitea/templates/env.j2 | 4 +- roles/web-app-gitea/vars/main.yml | 2 +- roles/web-app-gitlab/config/main.yml | 2 +- roles/web-app-jenkins/config/main.yml | 2 +- roles/web-app-joomla/config/main.yml | 2 +- roles/web-app-keycloak/config/main.yml | 2 +- roles/web-app-keycloak/templates/env.j2 | 2 +- .../templates/import/realm.json.j2 | 4 +- roles/web-app-keycloak/vars/main.yml | 4 +- roles/web-app-lam/config/main.yml | 4 +- roles/web-app-libretranslate/config/main.yml | 2 +- roles/web-app-listmonk/config/main.yml | 2 +- roles/web-app-mailu/config/main.yml | 4 +- roles/web-app-mailu/tasks/01_core.yml | 4 +- roles/web-app-mailu/templates/env.j2 | 2 +- roles/web-app-mailu/users/main.yml | 2 +- roles/web-app-mailu/vars/mailu-dns.yml | 2 +- roles/web-app-mastodon/config/main.yml | 2 +- roles/web-app-matomo/config/main.yml | 4 +- roles/web-app-matrix-ansible/tasks/main.yml | 2 +- roles/web-app-matrix/config/main.yml | 8 +- roles/web-app-matrix/tasks/main.yml | 2 +- .../templates/element.config.json.j2 | 2 +- roles/web-app-mediawiki/config/main.yml | 2 +- roles/web-app-mig/config/main.yml | 4 +- roles/web-app-mig/tasks/02_build_data.yml | 2 +- roles/web-app-mobilizon/config/main.yml | 6 +- roles/web-app-mobilizon/templates/env.j2 | 2 +- roles/web-app-moodle/config/main.yml | 4 +- roles/web-app-moodle/templates/env.j2 | 2 +- roles/web-app-mybb/Installation.md | 4 +- roles/web-app-mybb/config/main.yml | 2 +- roles/web-app-mybb/tasks/main.yml | 2 +- .../{default.conf => default.conf.j2} | 2 +- roles/web-app-mybb/vars/main.yml | 2 +- roles/web-app-navigator/config/main.yml | 4 +- roles/web-app-navigator/templates/env.j2 | 2 +- roles/web-app-nextcloud/config/main.yml | 6 +- .../templates/config/memcache.config.php.j2 | 2 +- .../templates/nginx/docker.conf.j2 | 2 +- roles/web-app-oauth2-proxy/config/main.yml | 2 +- .../templates/oauth2-proxy-keycloak.cfg.j2 | 4 +- 
roles/web-app-openproject/config/main.yml | 2 +- roles/web-app-openproject/tasks/01_ldap.yml | 6 +- roles/web-app-openproject/tasks/main.yml | 2 +- roles/web-app-openproject/vars/ldap.yml | 2 +- roles/web-app-peertube/config/main.yml | 4 +- roles/web-app-pgadmin/config/main.yml | 2 +- roles/web-app-pgadmin/users/main.yml | 2 +- roles/web-app-phpldapadmin/config/main.yml | 2 +- roles/web-app-phpmyadmin/config/main.yml | 6 +- roles/web-app-pixelfed/config/main.yml | 6 +- roles/web-app-pixelfed/templates/env.j2 | 4 +- roles/web-app-port-ui/config/main.yml | 4 +- roles/web-app-port-ui/tasks/01_core.yml | 2 +- .../templates/javascript.js.j2 | 8 +- roles/web-app-pretix/config/main.yml | 2 +- roles/web-app-roulette-wheel/config/main.yml | 2 +- roles/web-app-snipe-it/config/main.yml | 2 +- roles/web-app-snipe-it/templates/env.j2 | 4 +- roles/web-app-sphinx/config/main.yml | 2 +- roles/web-app-syncope/config/main.yml | 2 +- roles/web-app-taiga/config/main.yml | 2 +- roles/web-app-wordpress/config/main.yml | 4 +- roles/web-app-wordpress/templates/env.j2 | 6 +- roles/web-app-wordpress/users/main.yml | 2 +- roles/web-app-wordpress/vars/discourse.yml | 2 +- roles/web-app-wordpress/vars/oidc.yml | 2 +- roles/web-app-xmpp/config/main.yml | 2 +- roles/web-app-yourls/config/main.yml | 4 +- roles/web-opt-rdr-www/README.md | 8 +- roles/web-opt-rdr-www/tasks/main.yml | 4 +- roles/web-svc-asset/config/main.yml | 2 +- roles/web-svc-cdn/config/main.yml | 2 +- roles/web-svc-file/config/main.yml | 4 +- roles/web-svc-html/config/main.yml | 2 +- roles/web-svc-html/vars/main.yml | 2 +- roles/web-svc-logout/config/main.yml | 6 +- roles/web-svc-simpleicons/config/main.yml | 2 +- tasks/stages/01_constructor.yml | 10 +- tasks/utils/debug/README.md | 2 +- templates/roles/web-app/users/main.yml | 2 +- tests/integration/test_mode_reset.py | 22 +-- .../test_uppercase_constant_vars_unique.py | 131 ++++++++++++++++++ 171 files changed, 474 insertions(+), 345 deletions(-) rename 
roles/web-app-mybb/templates/{default.conf => default.conf.j2} (91%) create mode 100644 tests/integration/test_uppercase_constant_vars_unique.py diff --git a/cli/build/defaults/users.py b/cli/build/defaults/users.py index 8ad83255..626df276 100644 --- a/cli/build/defaults/users.py +++ b/cli/build/defaults/users.py @@ -189,7 +189,7 @@ def parse_args(): def main(): args = parse_args() - primary_domain = '{{ primary_domain }}' + primary_domain = '{{ PRIMARY_DOMAIN }}' become_pwd = '{{ lookup("password", "/dev/null length=42 chars=ascii_letters,digits") }}' try: diff --git a/cli/deploy.py b/cli/deploy.py index 493bbfa7..28b532c7 100644 --- a/cli/deploy.py +++ b/cli/deploy.py @@ -191,13 +191,13 @@ def main(): validate_application_ids(args.inventory, args.id) modes = { - "mode_reset": args.reset, - "mode_test": args.test, - "mode_update": args.update, - "mode_backup": args.backup, - "mode_cleanup": args.cleanup, - "mode_logs": args.logs, - "enable_debug": args.debug, + "MODE_RESET": args.reset, + "MODE_TEST": args.test, + "MODE_UPDATE": args.update, + "MODE_BACKUP": args.backup, + "MODE_CLEANUP": args.cleanup, + "MODE_LOGS": args.logs, + "MODE_DEBUG": args.debug, "host_type": args.host_type } diff --git a/filter_plugins/alias_domains_map.py b/filter_plugins/alias_domains_map.py index a315a528..748536c9 100644 --- a/filter_plugins/alias_domains_map.py +++ b/filter_plugins/alias_domains_map.py @@ -4,7 +4,7 @@ class FilterModule(object): def filters(self): return {'alias_domains_map': self.alias_domains_map} - def alias_domains_map(self, apps, primary_domain): + def alias_domains_map(self, apps, PRIMARY_DOMAIN): """ Build a map of application IDs to their alias domains. 
@@ -42,7 +42,7 @@ class FilterModule(object): domains_cfg = cfg.get('server',{}).get('domains',{}) entry = domains_cfg.get('canonical') if entry is None: - canonical_map[app_id] = [default_domain(app_id, primary_domain)] + canonical_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)] elif isinstance(entry, dict): canonical_map[app_id] = list(entry.values()) elif isinstance(entry, list): @@ -69,7 +69,7 @@ class FilterModule(object): # otherwise, compute aliases aliases = parse_entry(domains_cfg, 'aliases', app_id) or [] - default = default_domain(app_id, primary_domain) + default = default_domain(app_id, PRIMARY_DOMAIN) has_aliases = 'aliases' in domains_cfg has_canon = 'canonical' in domains_cfg diff --git a/filter_plugins/canonical_domains_map.py b/filter_plugins/canonical_domains_map.py index 1b704c97..b7e31287 100644 --- a/filter_plugins/canonical_domains_map.py +++ b/filter_plugins/canonical_domains_map.py @@ -9,7 +9,7 @@ class FilterModule(object): def filters(self): return {'canonical_domains_map': self.canonical_domains_map} - def canonical_domains_map(self, apps, primary_domain): + def canonical_domains_map(self, apps, PRIMARY_DOMAIN): """ Maps applications to their canonical domains, checking for conflicts and ensuring all domains are valid and unique across applications. @@ -30,7 +30,7 @@ class FilterModule(object): domains_cfg = cfg.get('server',{}).get('domains',{}) if not domains_cfg or 'canonical' not in domains_cfg: - self._add_default_domain(app_id, primary_domain, seen_domains, result) + self._add_default_domain(app_id, PRIMARY_DOMAIN, seen_domains, result) continue canonical_domains = domains_cfg['canonical'] 
@@ -38,13 +38,13 @@ class FilterModule(object): return result - def _add_default_domain(self, app_id, primary_domain, seen_domains, result): + def _add_default_domain(self, app_id, PRIMARY_DOMAIN, seen_domains, result): """ Add the default domain for an application if no canonical domains are defined. Ensures the domain is unique across applications. """ entity_name = get_entity_name(app_id) - default_domain = f"{entity_name}.{primary_domain}" + default_domain = f"{entity_name}.{PRIMARY_DOMAIN}" if default_domain in seen_domains: raise AnsibleFilterError( f"Domain '{default_domain}' is already configured for " diff --git a/filter_plugins/domain_redirect_mappings.py b/filter_plugins/domain_redirect_mappings.py index 4dc78307..81a97649 100644 --- a/filter_plugins/domain_redirect_mappings.py +++ b/filter_plugins/domain_redirect_mappings.py @@ -7,7 +7,7 @@ class FilterModule(object): def filters(self): return {'domain_mappings': self.domain_mappings} - def domain_mappings(self, apps, primary_domain): + def domain_mappings(self, apps, PRIMARY_DOMAIN): """ Build a flat list of redirect mappings for all apps: - source: each alias domain @@ -43,7 +43,7 @@ class FilterModule(object): domains_cfg = cfg.get('server',{}).get('domains',{}) entry = domains_cfg.get('canonical') if entry is None: - canonical_map[app_id] = [default_domain(app_id, primary_domain)] + canonical_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)] elif isinstance(entry, dict): canonical_map[app_id] = list(entry.values()) elif isinstance(entry, list): 
@@ -61,11 +61,11 @@ class FilterModule(object): alias_map[app_id] = [] continue if isinstance(domains_cfg, dict) and not domains_cfg: - alias_map[app_id] = [default_domain(app_id, primary_domain)] + alias_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)] continue aliases = parse_entry(domains_cfg, 'aliases', app_id) or [] - default = default_domain(app_id, primary_domain) + default = default_domain(app_id, PRIMARY_DOMAIN) has_aliases = 'aliases' in domains_cfg has_canonical = 'canonical' in domains_cfg @@ -84,7 +84,7 @@ class FilterModule(object): mappings = [] for app_id, sources in alias_map.items(): canon_list = canonical_map.get(app_id, []) - target = canon_list[0] if canon_list else default_domain(app_id, primary_domain) + target = canon_list[0] if canon_list else default_domain(app_id, PRIMARY_DOMAIN) for src in sources: if src == target: # skip self-redirects diff --git a/filter_plugins/redirect_filters.py b/filter_plugins/redirect_filters.py index 9b755db1..0c686d9a 100644 --- a/filter_plugins/redirect_filters.py +++ b/filter_plugins/redirect_filters.py @@ -19,7 +19,7 @@ class FilterModule(object): Usage in Jinja: {{ redirect_list | add_redirect_if_group('lam', - 'ldap.' ~ primary_domain, + 'ldap.' ~ PRIMARY_DOMAIN, domains | get_domain('web-app-lam'), group_names) }} """ diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index 1f061c8d..4910b605 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml @@ -1,4 +1,4 @@ -INFINITO_ENVIRONMENT: "production" # Possible values: production, development +ENVIRONMENT: "production" # Possible values: production, development # If true, sensitive credentials will be masked or hidden from all Ansible task logs # Recommendet to set to true 
@@ -19,49 +19,46 @@ HOST_THOUSAND_SEPARATOR: "."
HOST_DECIMAL_MARK: ","
# Deployment mode
-deployment_mode: "single" # Use single, if you deploy on one server. Use cluster if you setup in cluster mode.
+DEPLOYMENT_MODE: "single" # Use single, if you deploy on one server. Use cluster if you setup in cluster mode.
+# Web
WEB_PROTOCOL: "https" # Web protocol type. Use https or http. If you run local you need to change it to http
WEB_PORT: "{{ 443 if WEB_PROTOCOL == 'https' else 80 }}" # Default port web applications will listen to
-## Domain
-primary_domain_tld: "localhost" # Top Level Domain of the server
-primary_domain_sld: "infinito" # Second Level Domain of the server
-primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server
+# Domain
+PRIMARY_DOMAIN: "localhost" # Primary Domain of the server
+PRIMARY_DOMAIN_tld: "{{ (PRIMARY_DOMAIN == 'localhost') | ternary('localhost', PRIMARY_DOMAIN.split('.')[-1]) }}" # Top Level Domain of the server
+PRIMARY_DOMAIN_SLD: "{{ (PRIMARY_DOMAIN == 'localhost') | ternary('localhost', PRIMARY_DOMAIN.split('.')[-2]) }}" # Second Level Domain of the server
# Server Tact Variables ## Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
-hours_server_awake: "0..23"
+HOURS_SERVER_AWAKE: "0..23"
## Random delay for systemd timers to avoid peak loads.
-randomized_delay_sec: "5min"
+RANDOMIZED_DELAY_SEC: "5min" # Runtime Variables for Process Control
-activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
+ACTIVATE_ALL_TIMERS: false # Activates all timers, independend if the handlers had been triggered
-# This enables debugging in ansible and in the apps
-# You SHOULD NOT enable this on production servers
-enable_debug: false
-
-dns_provider: cloudflare # The DNS Provider\Registrar for the domain
+DNS_PROVIDER: cloudflare # The DNS Provider\Registrar for the domain # Which ACME method to use: webroot, cloudflare, or hetzner
-certbot_acme_challenge_method: "cloudflare"
-certbot_credentials_dir: /etc/certbot
-certbot_credentials_file: "{{ certbot_credentials_dir }}/{{ certbot_acme_challenge_method }}.ini"
-certbot_dns_api_token: "" # Define in inventory file: More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
-certbot_dns_propagation_wait_seconds: 300 # How long should the script wait for DNS propagation before continuing
-certbot_flavor: san # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated
+CERTBOT_ACME_CHALLENGE_METHOD: "cloudflare"
+CERTBOT_CREDENTIALS_DIR: /etc/certbot
+CERTBOT_CREDENTIALS_FILE: "{{ CERTBOT_CREDENTIALS_DIR }}/{{ CERTBOT_ACME_CHALLENGE_METHOD }}.ini"
+CERTBOT_DNS_API_TOKEN: "" # Define in inventory file: More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
+CERTBOT_DNS_PROPAGATION_WAIT_SECONDS: 300 # How long should the script wait for DNS propagation before continuing
+CERTBOT_FLAVOR: san # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated # Path where Certbot stores challenge webroot files
-letsencrypt_webroot_path: "/var/lib/letsencrypt/"
+LETSENCRYPT_WEBROOT_PATH: "/var/lib/letsencrypt/" # Base directory containing Certbot configuration,
account data, and archives
-letsencrypt_base_path: "/etc/letsencrypt/"
+LETSENCRYPT_BASE_PATH: "/etc/letsencrypt/" # Symlink directory for the current active certificate and private key
-letsencrypt_live_path: "{{ letsencrypt_base_path }}live/"
+LETSENCRYPT_LIVE_PATH: "{{ LETSENCRYPT_BASE_PATH }}live/" ## Docker Role Specific Parameters
DOCKER_RESTART_POLICY: "unless-stopped"
diff --git a/group_vars/all/01_modes.yml b/group_vars/all/01_modes.yml
index ad7316ac..f748e158 100644
--- a/group_vars/all/01_modes.yml
+++ b/group_vars/all/01_modes.yml
@@ -1,8 +1,9 @@ # Mode # The following modes can be combined with each other
-mode_reset: false # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
-mode_test: false # Executes test routines instead of productive routines
-mode_update: true # Executes updates
-mode_backup: true # Activates the backup before the update procedure
-mode_cleanup: true # Cleanup unused files and configurations
\ No newline at end of file
+MODE_RESET: false # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
+MODE_TEST: false # Executes test routines instead of productive routines
+MODE_UPDATE: true # Executes updates
+MODE_BACKUP: true # Activates the backup before the update procedure
+MODE_CLEANUP: true # Cleanup unused files and configurations
+MODE_DEBUG: false # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers
\ No newline at end of file
diff --git a/group_vars/all/02_system_email.yml b/group_vars/all/02_system_email.yml
index 8a30665c..7c4b40ba 100644
--- a/group_vars/all/02_system_email.yml
+++ b/group_vars/all/02_system_email.yml
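Review bot: The new `PRIMARY_DOMAIN_SLD` and `PRIMARY_DOMAIN_tld` only special-case the literal `localhost`, so any other dotless value (a bare hostname on a dev box) makes `PRIMARY_DOMAIN.split('.')[-2]` resolve to an undefined index that `ternary` then hands back, and a public suffix such as `example.co.uk` yields SLD `co` and TLD `uk`. A short-circuiting expression removes the first failure, `PRIMARY_DOMAIN_SLD: "{{ PRIMARY_DOMAIN if '.' not in PRIMARY_DOMAIN else PRIMARY_DOMAIN.split('.')[-2] }}"`, and the TLD line can drop its guard entirely, `PRIMARY_DOMAIN_TLD: "{{ PRIMARY_DOMAIN.split('.')[-1] }}"`, since `[-1]` already returns a dotless name unchanged; the multi-label suffix case presumably has to remain an inventory override, which the trailing comment should say. `PRIMARY_DOMAIN_tld` also breaks the all-uppercase naming this commit introduces (`PRIMARY_DOMAIN_SLD` beside it is uppercase), and since the new uppercase-constant test from the diffstat is not visible here it is unclear whether a mixed-case name is even covered by it, so it should be spelled `PRIMARY_DOMAIN_TLD` here and at its use in 13_ldap.yml.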
@@ -1,7 +1,7 @@ # Email Configuration default_system_email: - domain: "{{primary_domain}}" - host: "mail.{{primary_domain}}" + domain: "{{PRIMARY_DOMAIN}}" + host: "mail.{{PRIMARY_DOMAIN}}" port: 465 tls: true # true for TLS and false for SSL start_tls: false diff --git a/group_vars/all/08_calendar.yml b/group_vars/all/08_calendar.yml index 5cd3875d..21849ffe 100644 --- a/group_vars/all/08_calendar.yml +++ b/group_vars/all/08_calendar.yml @@ -3,10 +3,10 @@ on_calendar_health_btrfs: "*-*-* 00:00:00" # Check once per day the btrfs for errors on_calendar_health_journalctl: "*-*-* 00:00:00" # Check once per day the journalctl for errors on_calendar_health_disc_space: "*-*-* 06,12,18,00:00:00" # Check four times per day if there is sufficient disc space -on_calendar_health_docker_container: "*-*-* {{ hours_server_awake }}:00:00" # Check once per hour if the docker containers are healthy -on_calendar_health_docker_volumes: "*-*-* {{ hours_server_awake }}:15:00" # Check once per hour if the docker volumes are healthy -on_calendar_health_csp_crawler: "*-*-* {{ hours_server_awake }}:30:00" # Check once per hour if all CSP are fullfilled available -on_calendar_health_nginx: "*-*-* {{ hours_server_awake }}:45:00" # Check once per hour if all webservices are available +on_calendar_health_docker_container: "*-*-* {{ HOURS_SERVER_AWAKE }}:00:00" # Check once per hour if the docker containers are healthy +on_calendar_health_docker_volumes: "*-*-* {{ HOURS_SERVER_AWAKE }}:15:00" # Check once per hour if the docker volumes are healthy +on_calendar_health_csp_crawler: "*-*-* {{ HOURS_SERVER_AWAKE }}:30:00" # Check once per hour if all CSP are fullfilled available +on_calendar_health_nginx: "*-*-* {{ HOURS_SERVER_AWAKE }}:45:00" # Check once per hour if all webservices are available on_calendar_health_msmtp: "*-*-* 00:00:00" # Check once per day SMTP Server ## Schedule for Cleanup Tasks 
@@ -19,7 +19,7 @@ on_calendar_backup_docker_to_local: "*-*-* 03:30:00" on_calendar_backup_remote_to_local: "*-*-* 21:30:00" ## Schedule for Maintenance Tasks -on_calendar_heal_docker: "*-*-* {{ hours_server_awake }}:30:00" # Heal unhealthy docker instances once per hour +on_calendar_heal_docker: "*-*-* {{ HOURS_SERVER_AWAKE }}:30:00" # Heal unhealthy docker instances once per hour on_calendar_renew_lets_encrypt_certificates: "*-*-* 12,00:30:00" # Renew Mailu certificates twice per day on_calendar_deploy_certificates: "*-*-* 13,01:30:00" # Deploy letsencrypt certificates twice per day to docker containers on_calendar_msi_keyboard_color: "*-*-* *:*:00" # Change the keyboard color every minute diff --git a/group_vars/all/12_oidc.yml b/group_vars/all/12_oidc.yml index 350d407c..138e9deb 100644 --- a/group_vars/all/12_oidc.yml +++ b/group_vars/all/12_oidc.yml @@ -8,7 +8,7 @@ # @see https://en.wikipedia.org/wiki/OpenID_Connect ## Helper Variables: -_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}" +_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else PRIMARY_DOMAIN }}" _oidc_url: "{{ (oidc.url if (oidc is defined and oidc.url is defined) @@ -16,7 +16,7 @@ _oidc_url: "{{ ) }}" _oidc_client_issuer_url: "{{ _oidc_url }}/realms/{{_oidc_client_realm}}" -_oidc_client_id: "{{ oidc.client.id if oidc.client is defined and oidc.client.id is defined else primary_domain }}" +_oidc_client_id: "{{ oidc.client.id if oidc.client is defined and oidc.client.id is defined else PRIMARY_DOMAIN }}" defaults_oidc: url: "{{ _oidc_url }}" 
@@ -33,7 +33,7 @@ defaults_oidc:
change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in" # URL for managing or changing user credentials
certs: "{{_oidc_client_issuer_url}}/protocol/openid-connect/certs" # JSON Web Key Set (JWKS)
reset_credentials: "{{_oidc_client_issuer_url}}/login-actions/reset-credentials?client_id={{ _oidc_client_id }}" # Password reset url
- button_text: "SSO Login ({{primary_domain | upper}})" # Default button text
+ button_text: "SSO Login ({{PRIMARY_DOMAIN | upper}})" # Default button text
attributes: # Attribut to identify the user
username: "preferred_username"
diff --git a/group_vars/all/13_ldap.yml b/group_vars/all/13_ldap.yml
index 49f880bc..6d3e127d 100644
--- a/group_vars/all/13_ldap.yml
+++ b/group_vars/all/13_ldap.yml
@@ -5,12 +5,12 @@ # Helper Variables: # Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory
-_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
+_ldap_dn_base: "dc={{PRIMARY_DOMAIN_SLD}},dc={{PRIMARY_DOMAIN_tld}}"
_ldap_docker_network_enabled: "{{ applications | get_app_conf('svc-db-openldap', 'network.docker') }}"
_ldap_protocol: "{{ 'ldap' if _ldap_docker_network_enabled else 'ldaps' }}"
_ldap_server_port: "{{ ports.localhost[_ldap_protocol]['svc-db-openldap'] }}"
_ldap_name: "{{ applications | get_app_conf('svc-db-openldap', 'docker.services.openldap.name') }}"
-_ldap_domain: "{{ primary_domain }}" # LDAP is jsut listening to a port not to a dedicated domain, so primary domain should be sufficient
+_ldap_domain: "{{ PRIMARY_DOMAIN }}" # LDAP is jsut listening to a port not to a dedicated domain, so primary domain should be sufficient
_ldap_user_id: "uid"
_ldap_filters_users_all: "(|(objectclass=inetOrgPerson))"
diff --git a/group_vars/all/15_about.yml b/group_vars/all/15_about.yml
index 2f30b13e..b11a22d9 100644
--- a/group_vars/all/15_about.yml
+++ b/group_vars/all/15_about.yml
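Review bot: With the new default `PRIMARY_DOMAIN: "localhost"` in 00_general.yml both `PRIMARY_DOMAIN_SLD` and `PRIMARY_DOMAIN_tld` resolve to `localhost`, so `_ldap_dn_base` now renders as `dc=localhost,dc=localhost` where the old defaults (`primary_domain_sld: "infinito"`, `primary_domain_tld: "localhost"`) produced `dc=infinito,dc=localhost`. That is a behavioural change inside what the subject line presents as a rename: a local directory seeded under the old base DN will not be found after this change, and anything that embeds the DN (bind DNs, group filters) presumably shifts with it. Either restore the previous default, `PRIMARY_DOMAIN: "infinito.localhost"`, or extend the comment above `_ldap_dn_base` with a line such as `# Derived from PRIMARY_DOMAIN; changing the domain changes the base DN and requires re-seeding the directory`.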
@@ -19,7 +19,7 @@ defaults_service_provider: web-app-bluesky: >- {{ ('@' ~ users.contact.username ~ '.' ~ domains['web-app-bluesky'].api) if 'web-app-bluesky' in group_names else '' }} - email: "{{ users.contact.username ~ '@' ~ primary_domain if 'web-app-mailu' in group_names else '' }}" + email: "{{ users.contact.username ~ '@' ~ PRIMARY_DOMAIN if 'web-app-mailu' in group_names else '' }}" mastodon: "{{ '@' ~ users.contact.username ~ '@' ~ domains | get_domain('web-app-mastodon') if 'web-app-mastodon' in group_names else '' }}" matrix: "{{ '@' ~ users.contact.username ~ ':' ~ domains['web-app-matrix'].synapse if 'web-app-matrix' in group_names else '' }}" peertube: "{{ '@' ~ users.contact.username ~ '@' ~ domains | get_domain('web-app-peertube') if 'web-app-peertube' in group_names else '' }}" diff --git a/group_vars/all/docs/CLOUDFLARE_API_TOKEN.md b/group_vars/all/docs/CLOUDFLARE_API_TOKEN.md index 73484bb0..5bfd226c 100644 --- a/group_vars/all/docs/CLOUDFLARE_API_TOKEN.md +++ b/group_vars/all/docs/CLOUDFLARE_API_TOKEN.md @@ -1,10 +1,10 @@ -# Cloudflare API Token for Ansible (`certbot_dns_api_token`) +# Cloudflare API Token for Ansible (`CERTBOT_DNS_API_TOKEN`) This document explains how to generate and use a Cloudflare API Token for DNS automation and certificate operations in Ansible (e.g., with Certbot). ## Purpose -The `certbot_dns_api_token` variable must contain a valid Cloudflare API Token. +The `CERTBOT_DNS_API_TOKEN` variable must contain a valid Cloudflare API Token. This token is used for all DNS operations and ACME (SSL/TLS certificate) challenges that require access to your Cloudflare-managed domains. **Never commit your API token to a public repository. Always keep it secure!** @@ -58,4 +58,4 @@ Add the following permissions: Set the token in your Ansible inventory or secrets file: ```yaml -certbot_dns_api_token: "cf_your_generated_token_here" +CERTBOT_DNS_API_TOKEN: "cf_your_generated_token_here" 
diff --git a/roles/desk-ssh/tasks/01_core.yml b/roles/desk-ssh/tasks/01_core.yml index f03e69e1..408d2de3 100644 --- a/roles/desk-ssh/tasks/01_core.yml +++ b/roles/desk-ssh/tasks/01_core.yml @@ -15,7 +15,7 @@ - name: Warn if repo is not reachable debug: msg: "Warning: Repository is not reachable." - when: git_result.failed and enable_debug | bool + when: git_result.failed and MODE_DEBUG | bool - name: Ensure systemd user directory exists file: diff --git a/roles/docker-compose/README.md b/roles/docker-compose/README.md index 8cbdc058..11a81abe 100644 --- a/roles/docker-compose/README.md +++ b/roles/docker-compose/README.md @@ -8,7 +8,7 @@ Refer to the [Docker Compose documentation](https://docs.docker.com/compose/), t ## Overview -This role creates a flexible directory layout for managing Docker Compose projects across environments. It ensures directories are initialized, optionally reset, and kept clean using internal flags like `mode_reset` or `mode_cleanup`. +This role creates a flexible directory layout for managing Docker Compose projects across environments. It ensures directories are initialized, optionally reset, and kept clean using internal flags like `MODE_RESET` or `MODE_CLEANUP`. ## Purpose @@ -17,7 +17,7 @@ To offer a centralized, extensible system for managing containerized application ## Features - **Dynamic Directory Structure:** Creates per-application instance folders for Compose setups. -- **Reset Logic:** Cleans previous Compose project files and data when `mode_reset` is enabled. +- **Reset Logic:** Cleans previous Compose project files and data when `MODE_RESET` is enabled. - **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers. - **Template-ready Service Files:** Predefined service base and health check templates. - **Integration Support:** Compatible with `srv-proxy-7-4-core` and other Infinito.Nexus service roles. 
diff --git a/roles/docker-compose/tasks/main.yml b/roles/docker-compose/tasks/main.yml index 661969a1..12bb14df 100644 --- a/roles/docker-compose/tasks/main.yml +++ b/roles/docker-compose/tasks/main.yml @@ -10,7 +10,7 @@ - name: "reset (if enabled)" include_tasks: 01_reset.yml - when: mode_reset | bool + when: MODE_RESET | bool # This could lead to problems in docker-compose directories which are based on a git repository # @todo Verify that this isn't the case. E.g. in accounting diff --git a/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml b/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml index 89bb1939..4a5cb1d7 100644 --- a/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml +++ b/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml @@ -16,7 +16,7 @@ url: "{{ cf_api_url }}?name={{ domain | to_primary_domain }}" method: GET headers: - Authorization: "Bearer {{ certbot_dns_api_token }}" + Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}" Content-Type: "application/json" return_content: yes register: cf_zone_lookup_dev @@ -43,8 +43,8 @@ - name: activate cloudflare cache development mode include_tasks: "cloudflare/02_enable_cf_dev_mode.yml" - when: (INFINITO_ENVIRONMENT | lower) == 'development' + when: (ENVIRONMENT | lower) == 'development' - name: purge cloudflare domain cache include_tasks: "cloudflare/01_cleanup.yml" - when: mode_cleanup | bool \ No newline at end of file + when: MODE_CLEANUP | bool \ No newline at end of file diff --git a/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml b/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml index dba2797b..2f6745d7 100644 --- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml +++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml 
@@ -3,7 +3,7 @@ url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/purge_cache" method: POST headers: - Authorization: "Bearer {{ certbot_dns_api_token }}" + Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}" Content-Type: "application/json" body: purge_everything: true diff --git a/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml b/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml index 4a393eae..afb2719e 100644 --- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml +++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml @@ -1,7 +1,7 @@ # roles/srv-proxy-6-6-domain/tasks/02_enable_cf_dev_mode.yml --- # Enables Cloudflare Development Mode (bypasses cache for ~3 hours). -# Uses the same auth token as in 01_cleanup.yml: certbot_dns_api_token +# Uses the same auth token as in 01_cleanup.yml: CERTBOT_DNS_API_TOKEN # Assumes `domain` and (optionally) `cf_zone_id` are available. # Safe to run repeatedly; only changes when the mode is not already "on". @@ -10,7 +10,7 @@ url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode" method: GET headers: - Authorization: "Bearer {{ certbot_dns_api_token }}" + Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}" Content-Type: "application/json" return_content: yes register: cf_dev_mode_current @@ -20,7 +20,7 @@ url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode" method: PATCH headers: - Authorization: "Bearer {{ certbot_dns_api_token }}" + Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}" Content-Type: "application/json" body: value: "on" diff --git a/roles/srv-proxy-6-6-domain/tasks/main.yml b/roles/srv-proxy-6-6-domain/tasks/main.yml index 64b87bfb..fa41da08 100644 --- a/roles/srv-proxy-6-6-domain/tasks/main.yml +++ b/roles/srv-proxy-6-6-domain/tasks/main.yml 
@@ -7,7 +7,7 @@ when: run_once_srv_proxy_6_6_domain is not defined - include_tasks: "01_cloudflare.yml" - when: dns_provider == "cloudflare" + when: DNS_PROVIDER == "cloudflare" - include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml" vars: diff --git a/roles/srv-proxy-6-6-tls-deploy/README.md b/roles/srv-proxy-6-6-tls-deploy/README.md index 659a8020..6eb55439 100644 --- a/roles/srv-proxy-6-6-tls-deploy/README.md +++ b/roles/srv-proxy-6-6-tls-deploy/README.md @@ -49,7 +49,7 @@ This script: **Usage:** ```sh -sh srv-proxy-6-6-tls-deploy.sh primary_domain /path/to/docker/compose +sh srv-proxy-6-6-tls-deploy.sh PRIMARY_DOMAIN /path/to/docker/compose ``` --- diff --git a/roles/srv-proxy-6-6-tls-deploy/SETUP.md b/roles/srv-proxy-6-6-tls-deploy/SETUP.md index b454c954..f7344f1e 100644 --- a/roles/srv-proxy-6-6-tls-deploy/SETUP.md +++ b/roles/srv-proxy-6-6-tls-deploy/SETUP.md 
@@ -4,33 +4,33 @@ If you enabled `enable_wildcard_certificate`, follow these steps to manually req ### **1️⃣ Run the Certbot Command 🖥️** ```sh certbot certonly --manual --preferred-challenges=dns --agree-tos \ ---email administrator@primary_domain -d primary_domain -d "*.primary_domain" +--email administrator@PRIMARY_DOMAIN -d PRIMARY_DOMAIN -d "*.PRIMARY_DOMAIN" ``` ### **2️⃣ Add DNS TXT Record for Validation 📜** Certbot will prompt you to add a DNS TXT record: ``` Please create a TXT record under the name: -_acme-challenge.primary_domain. +_acme-challenge.PRIMARY_DOMAIN. with the following value: 9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA ``` ➡ **Go to your DNS provider** and create a new **TXT record**: - - **Host:** `_acme-challenge.primary_domain` + - **Host:** `_acme-challenge.PRIMARY_DOMAIN` - **Value:** `"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"` - **TTL:** Set to **300 seconds (or lowest possible)** ✅ **Verify the DNS record** before continuing: ```sh -dig TXT _acme-challenge.primary_domain @8.8.8.8 +dig TXT _acme-challenge.PRIMARY_DOMAIN @8.8.8.8 ``` ### **3️⃣ Complete the Certificate Request ✅** Once the DNS changes have propagated, **press Enter** in the Certbot terminal. If successful, Certbot will save the certificates under: ``` -/etc/letsencrypt/live/primary_domain/ +/etc/letsencrypt/live/PRIMARY_DOMAIN/ ``` - **fullchain.pem** → The certificate - **privkey.pem** → The private key diff --git a/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.sh.j2 b/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.sh.j2 index 22e5c318..a353604f 100644 --- a/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.sh.j2 +++ b/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.sh.j2 
@@ -12,11 +12,11 @@ docker_compose_instance_directory="$2" docker_compose_cert_directory="$docker_compose_instance_directory/volumes/certs" # Copy certificates -cp -RvL "{{ letsencrypt_live_path }}/$ssl_cert_folder/"* "$docker_compose_cert_directory" || exit 1 +cp -RvL "{{ LETSENCRYPT_LIVE_PATH }}/$ssl_cert_folder/"* "$docker_compose_cert_directory" || exit 1 # This code is optimized for mailu -cp -v "{{ letsencrypt_live_path }}/$ssl_cert_folder/privkey.pem" "$docker_compose_cert_directory/key.pem" || exit 1 -cp -v "{{ letsencrypt_live_path }}/$ssl_cert_folder/fullchain.pem" "$docker_compose_cert_directory/cert.pem" || exit 1 +cp -v "{{ LETSENCRYPT_LIVE_PATH }}/$ssl_cert_folder/privkey.pem" "$docker_compose_cert_directory/key.pem" || exit 1 +cp -v "{{ LETSENCRYPT_LIVE_PATH }}/$ssl_cert_folder/fullchain.pem" "$docker_compose_cert_directory/cert.pem" || exit 1 # Set correct reading rights chmod a+r -v "$docker_compose_cert_directory/"* diff --git a/roles/srv-web-6-6-tls-core/README.md b/roles/srv-web-6-6-tls-core/README.md index f56e258f..2a83fd41 100644 --- a/roles/srv-web-6-6-tls-core/README.md +++ b/roles/srv-web-6-6-tls-core/README.md @@ -24,7 +24,7 @@ The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domain - **ACME Challenge Selection:** Supports DNS plugins or webroot method automatically. - **Wildcard Certificate Management:** Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments. - **Safe Cleanup:** Ensures that no unused certificates are left behind. -- **Flexible Control:** Supports `mode_test` for staging environment testing and `mode_cleanup` for cert cleanup operations. +- **Flexible Control:** Supports `MODE_TEST` for staging environment testing and `MODE_CLEANUP` for cert cleanup operations. ## 🔗 Learn More diff --git a/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml b/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml index ce324118..0f3148ff 100644 
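Review bot: `chmod a+r -v "$docker_compose_cert_directory/"*` at the end of the hunk also covers `key.pem`, which the copy line two above fills from `privkey.pem`, so the private key ends up world-readable on the host. The hunk only renames the path variable, but that is the behaviour on the new side; grant read to the group the container runs as instead, e.g. `chmod 640 "$docker_compose_cert_directory/key.pem" || exit 1` placed after that line, keeping `a+r` for `cert.pem` and the chain — the comment says the layout is for Mailu, so confirm which uid/gid Mailu reads the key with. The `cp` calls are made fatal with `|| exit 1` but the `chmod` line has no such guard; adding `|| exit 1` there keeps the script consistent. The script's argument handling is outside the hunk.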
--- a/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml +++ b/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml @@ -1,7 +1,7 @@ - name: "Check if certificate already exists for {{ domain }}" cert_check_exists: domain: "{{ domain }}" - cert_base_path: "{{ letsencrypt_live_path }}" + cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}" register: cert_check - name: "receive certificate for {{ domain }}" @@ -10,21 +10,21 @@ --agree-tos --email {{ users.administrator.email }} --non-interactive - {% if certbot_acme_challenge_method != "webroot" %} - --dns-{{ certbot_acme_challenge_method }} - --dns-{{ certbot_acme_challenge_method }}-credentials {{ certbot_credentials_file }} - --dns-{{ certbot_acme_challenge_method }}-propagation-seconds {{ certbot_dns_propagation_wait_seconds }} + {% if CERTBOT_ACME_CHALLENGE_METHOD != "webroot" %} + --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }} + --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-credentials {{ CERTBOT_CREDENTIALS_FILE }} + --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-propagation-seconds {{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }} {% else %} --webroot - -w {{ letsencrypt_webroot_path }} + -w {{ LETSENCRYPT_WEBROOT_PATH }} {% endif %} {% if wildcard_domain is defined and ( wildcard_domain | bool ) %} - -d {{ primary_domain }} - -d *.{{ primary_domain }} + -d {{ PRIMARY_DOMAIN }} + -d *.{{ PRIMARY_DOMAIN }} {% else %} -d {{ domain }} {% endif %} - {{ '--test-cert' if mode_test | bool else '' }} + {{ '--test-cert' if MODE_TEST | bool else '' }} register: certbot_result changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout" when: not cert_check.exists \ No newline at end of file diff --git a/roles/srv-web-6-6-tls-core/tasks/flavors/san.yml b/roles/srv-web-6-6-tls-core/tasks/flavors/san.yml index 27523b02..cfad083c 100644 --- a/roles/srv-web-6-6-tls-core/tasks/flavors/san.yml +++ b/roles/srv-web-6-6-tls-core/tasks/flavors/san.yml 
@@ -10,15 +10,15 @@ certbundle --domains "{{ current_play_domains_all | join(',') }}" --certbot-email "{{ users.administrator.email }}" - --certbot-acme-challenge-method "{{ certbot_acme_challenge_method }}" + --certbot-acme-challenge-method "{{ CERTBOT_ACME_CHALLENGE_METHOD }}" --chunk-size 100 - {% if certbot_acme_challenge_method != 'webroot' %} - --certbot-credentials-file "{{ certbot_credentials_file }}" - --certbot-dns-propagation-seconds "{{ certbot_dns_propagation_wait_seconds }}" + {% if CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' %} + --certbot-credentials-file "{{ CERTBOT_CREDENTIALS_FILE }}" + --certbot-dns-propagation-seconds "{{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}" {% else %} - --letsencrypt-webroot-path "{{ letsencrypt_webroot_path }}" + --letsencrypt-webroot-path "{{ LETSENCRYPT_WEBROOT_PATH }}" {% endif %} - {{ '--mode-test' if mode_test | bool else '' }} + {{ '--mode-test' if MODE_TEST | bool else '' }} register: certbundle_result changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout" failed_when: > diff --git a/roles/srv-web-6-6-tls-core/tasks/flavors/wildcard.yml b/roles/srv-web-6-6-tls-core/tasks/flavors/wildcard.yml index e7b00a39..bfd80446 100644 --- a/roles/srv-web-6-6-tls-core/tasks/flavors/wildcard.yml +++ b/roles/srv-web-6-6-tls-core/tasks/flavors/wildcard.yml @@ -3,7 +3,7 @@ vars: wildcard_domain: true when: - - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain) + - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN) - run_once_receive_certificate is not defined - name: "Load dedicated certificate for domain" 
@@ -11,7 +11,7 @@ vars: wildcard_domain: false when: - - not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)) + - not (domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)) - name: run the receive_certificate tasks once set_fact: diff --git a/roles/srv-web-6-6-tls-core/tasks/main.yml b/roles/srv-web-6-6-tls-core/tasks/main.yml index 1b1d4de0..8677cda2 100644 --- a/roles/srv-web-6-6-tls-core/tasks/main.yml +++ b/roles/srv-web-6-6-tls-core/tasks/main.yml @@ -6,20 +6,20 @@ - include_tasks: utils/run_once.yml when: run_once_srv_web_6_6_tls_core is not defined -- name: "Include flavor '{{ certbot_flavor }}' for '{{ domain }}'" - include_tasks: "{{ role_path }}/tasks/flavors/{{ certbot_flavor }}.yml" +- name: "Include flavor '{{ CERTBOT_FLAVOR }}' for '{{ domain }}'" + include_tasks: "{{ role_path }}/tasks/flavors/{{ CERTBOT_FLAVOR }}.yml" #- name: "Cleanup dedicated cert for {{ domain }}" # command: >- # certbot delete --cert-name {{ domain }} --non-interactive # when: -# - mode_cleanup | bool +# - MODE_CLEANUP | bool # # Cleanup mode is enabled -# - certbot_flavor != 'dedicated' +# - CERTBOT_FLAVOR != 'dedicated' # # Wildcard certificate is enabled -# - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain) +# - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN) # # AND: The domain is a direct first-level subdomain of the primary domain -# - domain != primary_domain +# - domain != PRIMARY_DOMAIN # # The domain is not the primary domain # register: certbot_result # failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr) 
@@ -28,8 +28,8 @@ - name: "Find SSL cert folder for '{{ domain }}'" cert_folder_find: domain: "{{ domain }}" - cert_base_path: "{{ letsencrypt_live_path }}" - debug: "{{ enable_debug | default(false) }}" + cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}" + debug: "{{ MODE_DEBUG | default(false) }}" register: cert_folder_result delegate_to: "{{ inventory_hostname }}" changed_when: false diff --git a/roles/srv-web-7-4-core/README.md b/roles/srv-web-7-4-core/README.md index a8312863..7dc45dad 100644 --- a/roles/srv-web-7-4-core/README.md +++ b/roles/srv-web-7-4-core/README.md @@ -14,11 +14,11 @@ This Ansible role installs and configures **Nginx** as a core HTTP/stream server * **Configurable reset and cleanup** modes to purge and recreate directories. * **Custom `nginx.conf`** template with sensible defaults for performance and security. * **Stream proxy support**: includes `stream` block for TCP/UDP proxies. -* **Cache directory management**: cleanup and recreation based on `mode_cleanup`. +* **Cache directory management**: cleanup and recreation based on `MODE_CLEANUP`. ## Debugging Tips * **General logs**: `journalctl -f -u nginx` * **Filter by host**: `journalctl -u nginx -f | grep "{{ inventory_hostname }}"` -* **Enable detailed format**: set `enable_debug: true` and reload Nginx. +* **Enable detailed format**: set `MODE_DEBUG: true` and reload Nginx. diff --git a/roles/srv-web-7-4-core/tasks/01_core.yml b/roles/srv-web-7-4-core/tasks/01_core.yml index aa831ca1..4c84ceb0 100644 --- a/roles/srv-web-7-4-core/tasks/01_core.yml +++ b/roles/srv-web-7-4-core/tasks/01_core.yml @@ -20,7 +20,7 @@ - name: "reset (if enabled)" include_tasks: 02_reset.yml - when: mode_reset | bool + when: MODE_RESET | bool - name: Ensure nginx configuration directories are present file: diff --git a/roles/srv-web-7-4-core/tasks/02_reset.yml b/roles/srv-web-7-4-core/tasks/02_reset.yml index b0b637ae..e7169bdd 100644 --- a/roles/srv-web-7-4-core/tasks/02_reset.yml 
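Review bot: `debug: "{{ MODE_DEBUG | default(false) }}"` in the `srv-web-6-6-tls-core/tasks/main.yml` hunk is the one place in this commit where a mode constant is given a `default(...)`; every other use (`when: MODE_DEBUG | bool`, `{% if MODE_DEBUG | bool %}`) assumes the constant is defined, which the repository-wide constants check named in the commit title is meant to guarantee. Either make it `debug: "{{ MODE_DEBUG | bool }}"` for consistency, or keep the default and say in a comment why this role may run without `group_vars/all` loaded, e.g. `# default() kept: role is also invoked standalone without group_vars — confirm`.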
+++ b/roles/srv-web-7-4-core/tasks/02_reset.yml @@ -1,4 +1,4 @@ -- name: "Delete {{nginx.directories.configuration}} directory, when mode_reset" +- name: "Delete {{nginx.directories.configuration}} directory, when MODE_RESET" file: path: "{{ nginx.directories.configuration }}" state: absent \ No newline at end of file diff --git a/roles/srv-web-7-4-core/tasks/03_cache_directories.yml b/roles/srv-web-7-4-core/tasks/03_cache_directories.yml index 7c98cdce..4945df72 100644 --- a/roles/srv-web-7-4-core/tasks/03_cache_directories.yml +++ b/roles/srv-web-7-4-core/tasks/03_cache_directories.yml @@ -4,7 +4,7 @@ path: "{{ item.value }}" state: absent when: - - mode_cleanup | bool + - MODE_CLEANUP | bool - run_once_nginx_reverse_proxy is not defined loop: "{{ nginx.directories.cache | dict2items }}" loop_control: diff --git a/roles/srv-web-7-4-core/templates/nginx.conf.j2 b/roles/srv-web-7-4-core/templates/nginx.conf.j2 index 5b30e63d..be989c59 100644 --- a/roles/srv-web-7-4-core/templates/nginx.conf.j2 +++ b/roles/srv-web-7-4-core/templates/nginx.conf.j2 @@ -24,7 +24,7 @@ http # -------------------------------------------------------------------------------- {# logging and debugging #} -{% if enable_debug | bool %} +{% if MODE_DEBUG | bool %} {# individual log format for better debugging #} log_format debug '$host - $remote_addr [$time_local] ' '"$request" $status $body_bytes_sent ' diff --git a/roles/srv-web-7-6-https/README.md b/roles/srv-web-7-6-https/README.md index 65aed56d..dd01a26d 100644 --- a/roles/srv-web-7-6-https/README.md +++ b/roles/srv-web-7-6-https/README.md @@ -45,8 +45,8 @@ All tasks are idempotent—once your certificates are in place and your configur - A working `srv-web-7-4-core` setup. - DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow. - Variables: - - `letsencrypt_webroot_path` - - `letsencrypt_live_path` + - `LETSENCRYPT_WEBROOT_PATH` + - `LETSENCRYPT_LIVE_PATH` - `on_calendar_renew_lets_encrypt_certificates` --- 
diff --git a/roles/srv-web-7-7-certbot/tasks/main.yml b/roles/srv-web-7-7-certbot/tasks/main.yml index d4833b54..c93b8659 100644 --- a/roles/srv-web-7-7-certbot/tasks/main.yml +++ b/roles/srv-web-7-7-certbot/tasks/main.yml @@ -6,34 +6,34 @@ - name: install certbot DNS plugin community.general.pacman: - name: "certbot-dns-{{ certbot_acme_challenge_method }}" + name: "certbot-dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}" state: present when: - run_once_srv_web_7_7_certbot is not defined - - certbot_acme_challenge_method != 'webroot' + - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' - name: Ensure /etc/certbot directory exists file: - path: "{{ certbot_credentials_dir }}" + path: "{{ CERTBOT_CREDENTIALS_DIR }}" state: directory owner: root group: root mode: '0755' when: - run_once_srv_web_7_7_certbot is not defined - - certbot_acme_challenge_method != 'webroot' + - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' - name: Install plugin credentials file copy: - dest: "{{ certbot_credentials_file }}" + dest: "{{ CERTBOT_CREDENTIALS_FILE }}" content: | - dns_{{ certbot_acme_challenge_method }}_api_token = {{ certbot_dns_api_token }} + dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CERTBOT_DNS_API_TOKEN }} owner: root group: root mode: '0600' when: - run_once_srv_web_7_7_certbot is not defined - - certbot_acme_challenge_method != 'webroot' + - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' - name: run the certbot role once set_fact: diff --git a/roles/srv-web-7-7-dns-records/README.md b/roles/srv-web-7-7-dns-records/README.md index ef7e86da..4967d3b2 100644 --- a/roles/srv-web-7-7-dns-records/README.md +++ b/roles/srv-web-7-7-dns-records/README.md 
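Review bot: The "Install plugin credentials file" task renders `{{ CERTBOT_DNS_API_TOKEN }}` into `content:` with no `no_log: true` visible in the hunk; with `--diff` the `copy` module shows the rendered content in its before/after output, so the token is written to the play log. Add `no_log: true` to that task — the `mode: '0600'` on the file itself is already right. The key it writes, `dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token`, is the certbot-dns-cloudflare credentials format; not every DNS plugin uses that key name, so if `CERTBOT_ACME_CHALLENGE_METHOD` is meant to take other values this line needs a per-plugin mapping, and in any case deserves a comment such as `# key name follows certbot-dns-cloudflare; other dns plugins may expect a different key`. The run-once `set_fact` that closes the task list is outside the hunk.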
@@ -10,7 +10,7 @@ Looping over a provided list of domains (`cloudflare_domains`), this role: - Determines the zone name by extracting the last two labels of each domain. - Ensures an A-record for each domain points to the specified IP (`cloudflare_target_ip`). - Honors the `proxied` flag to switch between DNS-only and Cloudflare-proxied modes. -- Provides an optional debug task (`enable_debug`) to output the domain list before changes. +- Provides an optional debug task (`MODE_DEBUG`) to output the domain list before changes. Ideal for environments where bulk or dynamic DNS updates are needed, this role abstracts away the complexity of Cloudflare’s zone and record API. @@ -23,7 +23,7 @@ Cloudflare DNS Records delivers an idempotent, scalable solution for managing A- - **Automatic Zone Detection:** Parses each domain to derive its zone (`example.com`) without manual intervention. - **Bulk Record Management:** Creates or updates A-records for all entries in `cloudflare_domains`. - **Proxy Toggle:** Configure `proxied: true` or `false` per record to switch between DNS-only and proxied modes. -- **Debug Support:** Enable `enable_debug` to print the domain list for validation before execution. +- **Debug Support:** Enable `MODE_DEBUG` to print the domain list for validation before execution. - **Flexible Authentication:** Supports both API token (`api_token`) and Global API key + email. - **Low-TTL Option:** Use `ttl: 1` for rapid DNS propagation during dynamic updates. diff --git a/roles/srv-web-7-7-dns-records/tasks/main.yml b/roles/srv-web-7-7-dns-records/tasks/main.yml index 1ae2674f..7da09c5c 100644 --- a/roles/srv-web-7-7-dns-records/tasks/main.yml +++ b/roles/srv-web-7-7-dns-records/tasks/main.yml @@ -2,7 +2,7 @@ - name: Create or update Cloudflare A-record for {{ item }} community.general.cloudflare_dns: - api_token: "{{ certbot_dns_api_token }}" + api_token: "{{ CERTBOT_DNS_API_TOKEN }}" zone: "{{ item.split('.')[-2:] | join('.') }}" state: present type: A 
diff --git a/roles/srv-web-7-7-inj-compose/tasks/main.yml b/roles/srv-web-7-7-inj-compose/tasks/main.yml index 2e81f999..82a1a62b 100644 --- a/roles/srv-web-7-7-inj-compose/tasks/main.yml +++ b/roles/srv-web-7-7-inj-compose/tasks/main.yml @@ -10,7 +10,7 @@ set_fact: inj_enabled: javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}" - logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == primary_domain) }}" + logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}" css: "{{ applications | get_app_conf(application_id, 'features.css', False) }}" matomo: "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}" port_ui: "{{ applications | get_app_conf(application_id, 'features.port-ui-desktop', False) }}" @@ -39,7 +39,7 @@ set_fact: inj_enabled: javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}" - logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == primary_domain) }}" + logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}" css: "{{ applications | get_app_conf(application_id, 'features.css', False) }}" matomo: "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}" port_ui: "{{ applications | get_app_conf(application_id, 'features.port-ui-desktop', False) }}" diff --git a/roles/srv-web-7-7-inj-javascript/README.md b/roles/srv-web-7-7-inj-javascript/README.md index 0ccac899..662c9de4 100644 --- a/roles/srv-web-7-7-inj-javascript/README.md +++ b/roles/srv-web-7-7-inj-javascript/README.md 
@@ -16,7 +16,7 @@ This Ansible role injects a custom JavaScript snippet into all HTML responses se Activates only when you enable the `javascript` feature for a given application, keeping your server blocks clean and performant. - **Debug Mode** - Supports an `enable_debug` flag that appends optional `console.log` statements for easier troubleshooting in staging or development. + Supports an `MODE_DEBUG` flag that appends optional `console.log` statements for easier troubleshooting in staging or development. ## Author diff --git a/roles/srv-web-7-7-inj-logout/templates/logout_one_liner.js.j2 b/roles/srv-web-7-7-inj-logout/templates/logout_one_liner.js.j2 index 393e02d2..c9146729 100644 --- a/roles/srv-web-7-7-inj-logout/templates/logout_one_liner.js.j2 +++ b/roles/srv-web-7-7-inj-logout/templates/logout_one_liner.js.j2 @@ -2,6 +2,6 @@ document.addEventListener('DOMContentLoaded', function() { initLogoutPatch( '{{ oidc.client.logout_url }}', '{{ WEB_PROTOCOL }}', - '{{ primary_domain }}' + '{{ PRIMARY_DOMAIN }}' ); }); \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-matomo/tasks/main.yml b/roles/srv-web-7-7-inj-matomo/tasks/main.yml index 75f6ac7b..d39d9ccd 100644 --- a/roles/srv-web-7-7-inj-matomo/tasks/main.yml +++ b/roles/srv-web-7-7-inj-matomo/tasks/main.yml @@ -12,7 +12,7 @@ domain: "{{ domain }}" base_domain: "{{ base_domain }}" matomo_verification_url: "{{ matomo_verification_url }}" - when: enable_debug | bool + when: MODE_DEBUG | bool - name: "Check if site {{ domain }} is allready registered at Matomo" uri: diff --git a/roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.js.j2 b/roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.js.j2 index bc71b13c..f49a9958 100644 --- a/roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.js.j2 +++ b/roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.js.j2 
@@ -14,6 +14,6 @@ _paq.push(["enableLinkTracking"]); g.async=true; g.src=u+"matomo.js"; s.parentNode.insertBefore(g,s); })(); -{% if enable_debug | bool %} +{% if MODE_DEBUG | bool %} console.log("Matomo is loaded."); {% endif %} \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 b/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 index a5f9a7fd..438eb815 100644 --- a/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 +++ b/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 @@ -1,5 +1,5 @@ (function() { - var primary = "{{ primary_domain }}"; + var primary = "{{ PRIMARY_DOMAIN }}"; var allowedOrigin = "https://{{ domains | get_domain('web-app-port-ui') }}"; function notifyParent() { @@ -43,6 +43,6 @@ }; })(); -{% if enable_debug | bool %} +{% if MODE_DEBUG | bool %} console.log("[iframe-sync] Sender for iframe messages is active."); {% endif %} \ No newline at end of file diff --git a/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml b/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml index e5466ec6..73639b5d 100644 --- a/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml +++ b/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml @@ -11,4 +11,4 @@ - name: "Set CAA records for all base domains" include_tasks: 01_set-caa-records.yml - when: dns_provider == 'cloudflare' \ No newline at end of file + when: DNS_PROVIDER == 'cloudflare' \ No newline at end of file diff --git a/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml b/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml index 920b9bec..7cf44ae7 100644 --- a/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml +++ b/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml 
@@ -1,14 +1,14 @@ --- -- name: "Validate certbot_dns_api_token" +- name: "Validate CERTBOT_DNS_API_TOKEN" fail: msg: > - The variable "certbot_dns_api_token" must be defined and cannot be empty! - when: (certbot_dns_api_token | default('') | trim) == '' + The variable "CERTBOT_DNS_API_TOKEN" must be defined and cannot be empty! + when: (CERTBOT_DNS_API_TOKEN | default('') | trim) == '' - name: "Ensure all CAA records are present" community.general.cloudflare_dns: - api_token: "{{ certbot_dns_api_token }}" + api_token: "{{ CERTBOT_DNS_API_TOKEN }}" zone: "{{ item.0 }}" record: "@" type: CAA diff --git a/roles/srv-web-7-7-letsencrypt/templates/letsencrypt.conf.j2 b/roles/srv-web-7-7-letsencrypt/templates/letsencrypt.conf.j2 index 8c9106b9..f14bf5f6 100644 --- a/roles/srv-web-7-7-letsencrypt/templates/letsencrypt.conf.j2 +++ b/roles/srv-web-7-7-letsencrypt/templates/letsencrypt.conf.j2 @@ -9,7 +9,7 @@ server #letsencrypt location ^~ /.well-known/acme-challenge/ { allow all; - root {{ letsencrypt_webroot_path }}; + root {{ LETSENCRYPT_WEBROOT_PATH }}; default_type "text/plain"; try_files $uri =404; } diff --git a/roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2 b/roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2 index 872c1560..3f04c374 100644 --- a/roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2 +++ b/roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2 
@@ -1,3 +1,3 @@ -ssl_certificate {{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/fullchain.pem; -ssl_certificate_key {{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/privkey.pem; -ssl_trusted_certificate {{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/chain.pem; \ No newline at end of file +ssl_certificate {{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/fullchain.pem; +ssl_certificate_key {{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/privkey.pem; +ssl_trusted_certificate {{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/chain.pem; \ No newline at end of file diff --git a/roles/svc-prx-openresty/templates/docker-compose.yml.j2 b/roles/svc-prx-openresty/templates/docker-compose.yml.j2 index 95a171b3..650d5723 100644 --- a/roles/svc-prx-openresty/templates/docker-compose.yml.j2 +++ b/roles/svc-prx-openresty/templates/docker-compose.yml.j2 @@ -10,6 +10,6 @@ - {{ nginx.directories.configuration }}:{{ nginx.directories.configuration }}:ro - {{ nginx.directories.data.www }}:{{ nginx.directories.data.www }}:ro - {{ nginx.directories.data.well_known }}:{{ nginx.directories.data.well_known }}:ro - - {{ letsencrypt_webroot_path }}:{{ letsencrypt_webroot_path }}:ro - - {{ letsencrypt_base_path }}:{{ letsencrypt_base_path }}:ro + - {{ LETSENCRYPT_WEBROOT_PATH }}:{{ LETSENCRYPT_WEBROOT_PATH }}:ro + - {{ LETSENCRYPT_BASE_PATH }}:{{ LETSENCRYPT_BASE_PATH }}:ro command: ["openresty", "-g", "daemon off;"] \ No newline at end of file diff --git a/roles/sys-bkp-docker-2-loc/tasks/01_core.yml b/roles/sys-bkp-docker-2-loc/tasks/01_core.yml index 44c62b6c..82c87648 100644 --- a/roles/sys-bkp-docker-2-loc/tasks/01_core.yml +++ b/roles/sys-bkp-docker-2-loc/tasks/01_core.yml @@ -12,7 +12,7 @@ - name: "reset (if enabled)" include_tasks: 03_reset.yml - when: mode_reset | bool + when: MODE_RESET | bool - name: configure sys-bkp-docker-2-loc-everything.infinito.service template: 
diff --git a/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml b/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml index 3471e23c..ba45c9d1 100644 --- a/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml +++ b/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml @@ -11,7 +11,7 @@ database_host: "{{ database_host | default('undefined') }}" database_username: "{{ database_username | default('undefined') }}" database_password: "{{ database_password | default('undefined') }}" - when: enable_debug | bool + when: MODE_DEBUG | bool - name: "fail if not all required database variables are defined" fail: diff --git a/roles/sys-cln-domains/tasks/main.yml b/roles/sys-cln-domains/tasks/main.yml index 4e0497de..aaee95e0 100644 --- a/roles/sys-cln-domains/tasks/main.yml +++ b/roles/sys-cln-domains/tasks/main.yml @@ -14,7 +14,7 @@ vars: domain: "{{ item }}" when: - - mode_cleanup | bool + - MODE_CLEANUP | bool ## The revoking just works for the base domain #- name: "Revoke Certbot certificate for {{ item }}" @@ -25,7 +25,7 @@ # loop_control: # label: "{{ item }}" # when: -# - mode_cleanup | bool +# - MODE_CLEANUP | bool # - run_once_sys_cln_domains is not defined # register: certbot_revoke_result # failed_when: > @@ -43,7 +43,7 @@ # loop_control: # label: "{{ item }}" # when: -# - mode_cleanup | bool +# - MODE_CLEANUP | bool # - run_once_sys_cln_domains is not defined # register: certbot_delete_result # failed_when: > diff --git a/roles/sys-rst-daemon/README.md b/roles/sys-rst-daemon/README.md index 43469db2..8397611e 100644 --- a/roles/sys-rst-daemon/README.md +++ b/roles/sys-rst-daemon/README.md 
@@ -4,7 +4,7 @@ This Ansible role handles resetting and cleaning up “Infinito.Nexus” systemd ## Description -When enabled via the `mode_reset` flag, this role will: +When enabled via the `MODE_RESET` flag, this role will: 1. Run its reset tasks exactly once per play (`run_once_sys_rst_daemon` guard). 2. Find all `/etc/systemd/system/*.infinito.service` units. diff --git a/roles/sys-rst-daemon/tasks/main.yml b/roles/sys-rst-daemon/tasks/main.yml index 84e30416..1a4869f1 100644 --- a/roles/sys-rst-daemon/tasks/main.yml +++ b/roles/sys-rst-daemon/tasks/main.yml @@ -1,6 +1,6 @@ - name: "reset (if enabled)" include_tasks: reset.yml - when: mode_reset | bool and run_once_sys_rst_daemon is not defined + when: MODE_RESET | bool and run_once_sys_rst_daemon is not defined - name: run {{ role_name }} once set_fact: diff --git a/roles/sys-svc-sshd/README.md b/roles/sys-svc-sshd/README.md index fc67ba0f..58bce089 100644 --- a/roles/sys-svc-sshd/README.md +++ b/roles/sys-svc-sshd/README.md @@ -19,7 +19,7 @@ This Ansible role configures the OpenSSH daemon (`sshd`) by deploying a template - **Security Defaults** - Disables password (`PasswordAuthentication no`) and root login (`PermitRootLogin no`) - Enforces public-key authentication (`PubkeyAuthentication yes`) - - Conditionally sets `LogLevel` to `DEBUG3` when `enable_debug` is true + - Conditionally sets `LogLevel` to `DEBUG3` when `MODE_DEBUG` is true - **Systemd Integration** Handles daemon reload and service restart seamlessly on configuration changes. diff --git a/roles/sys-svc-sshd/templates/sshd_config.j2 b/roles/sys-svc-sshd/templates/sshd_config.j2 index c8af6248..e760adda 100644 --- a/roles/sys-svc-sshd/templates/sshd_config.j2 +++ b/roles/sys-svc-sshd/templates/sshd_config.j2 @@ -25,7 +25,7 @@ # Logging #SyslogFacility AUTH -LogLevel {% if enable_debug | bool %}DEBUG3{% else %}INFO{% endif %} +LogLevel {% if MODE_DEBUG | bool %}DEBUG3{% else %}INFO{% endif %} # Authentication: 
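Review bot: `LogLevel {% if MODE_DEBUG | bool %}DEBUG3{% else %}INFO{% endif %}` in the `sshd_config.j2` hunk ties sshd's log level to the same global flag that, elsewhere in this commit, switches nginx's log format and the injected `console.log` lines. sshd_config(5) warns that DEBUG-level logging violates the privacy of users, and DEBUG3 records far more per-connection detail than INFO, so a flag flipped to chase a web issue silently changes what the host records about every SSH login. A dedicated variable for this line (a new `SSHD_LOG_LEVEL`, defaulting to `INFO`) would decouple the two; at minimum a template comment above it, `{# MODE_DEBUG also raises sshd to DEBUG3 — privacy-sensitive, do not leave on in production #}`, should make the coupling visible.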
diff --git a/roles/sys-timer/README.md b/roles/sys-timer/README.md index 1d980a2d..f935e32c 100644 --- a/roles/sys-timer/README.md +++ b/roles/sys-timer/README.md @@ -9,7 +9,7 @@ This role configures a systemd timer to periodically start a corresponding servi Optimized for automated task scheduling in a [systemd](https://en.wikipedia.org/wiki/Systemd) environment, this role: - Generates a timer unit file for a given service (using the `service_name` variable). - Reloads and restarts the timer using systemd to ensure that changes take effect. -- Supports dynamic configuration of scheduling parameters via variables like `on_calendar` and `randomized_delay_sec`. +- Supports dynamic configuration of scheduling parameters via variables like `on_calendar` and `RANDOMIZED_DELAY_SEC`. ## Purpose diff --git a/roles/sys-timer/tasks/main.yml b/roles/sys-timer/tasks/main.yml index c0d22be9..b871ebce 100644 --- a/roles/sys-timer/tasks/main.yml +++ b/roles/sys-timer/tasks/main.yml @@ -1,7 +1,7 @@ - name: "reset (if enabled)" include_tasks: 01_reset.yml - when: mode_reset | bool and run_once_sys_timer is not defined + when: MODE_RESET | bool and run_once_sys_timer is not defined - name: run {{ role_name }} once set_fact: @@ -20,5 +20,5 @@ name: "{{ sys_timer_file }}" state: restarted enabled: yes - when: dummy_timer.changed or activate_all_timers | bool + when: dummy_timer.changed or ACTIVATE_ALL_TIMERS | bool diff --git a/roles/sys-timer/templates/dummy.timer.j2 b/roles/sys-timer/templates/dummy.timer.j2 index 09f6e17c..551831eb 100644 --- a/roles/sys-timer/templates/dummy.timer.j2 +++ b/roles/sys-timer/templates/dummy.timer.j2 @@ -3,7 +3,7 @@ Description=Timer to start {{service_name}}.infinito.service [Timer] OnCalendar={{on_calendar}} -RandomizedDelaySec={{randomized_delay_sec}} +RandomizedDelaySec={{RANDOMIZED_DELAY_SEC}} Persistent={{ persistent | default('false') }} [Install] 
diff --git a/roles/update-docker/tasks/01_core.yml b/roles/update-docker/tasks/01_core.yml index 9add5db1..38c9730a 100644 --- a/roles/update-docker/tasks/01_core.yml +++ b/roles/update-docker/tasks/01_core.yml @@ -8,7 +8,7 @@ name: sys-bkp-docker-2-loc-everything.infinito.service state: started when: - - mode_backup | bool + - MODE_BACKUP | bool - name: create {{update_docker_script}} template: diff --git a/roles/update-docker/templates/update-docker.py.j2 b/roles/update-docker/templates/update-docker.py.j2 index 10d22957..7e4d1bb0 100644 --- a/roles/update-docker/templates/update-docker.py.j2 +++ b/roles/update-docker/templates/update-docker.py.j2 @@ -149,7 +149,7 @@ def update_mastodon(): Runs the database migration for Mastodon to ensure all required tables are up to date. """ print("Starting Mastodon database migration.") - run_command("docker compose exec -T web bash -c 'RAILS_ENV={{ INFINITO_ENVIRONMENT | lower }} bin/rails db:migrate'") + run_command("docker compose exec -T web bash -c 'RAILS_ENV={{ ENVIRONMENT | lower }} bin/rails db:migrate'") print("Mastodon database migration complete.") def upgrade_listmonk(): diff --git a/roles/user-administrator/users/main.yml b/roles/user-administrator/users/main.yml index 4e098d18..f01fc728 100644 --- a/roles/user-administrator/users/main.yml +++ b/roles/user-administrator/users/main.yml @@ -2,7 +2,7 @@ users: administrator: description: "System Administrator" username: "administrator" - email: "administrator@{{ primary_domain }}" + email: "administrator@{{ PRIMARY_DOMAIN }}" password: "{{ ansible_become_password }}" uid: 1001 gid: 1001 diff --git a/roles/user/users/main.yml b/roles/user/users/main.yml index 38124490..e2fa2bc5 100644 --- a/roles/user/users/main.yml +++ b/roles/user/users/main.yml 
@@ -2,10 +2,10 @@ users: sld: description: "Auto Generated Account to reserve the SLD" - username: "{{ primary_domain.split('.')[0] }}" + username: "{{ PRIMARY_DOMAIN.split('.')[0] }}" tld: description: "Auto Generated Account to reserve the TLD" - username: "{{ primary_domain.split('.')[1] }}" + username: "{{ PRIMARY_DOMAIN.split('.')[1] }}" root: username: root uid: 0 diff --git a/roles/web-app-akaunting/config/main.yml b/roles/web-app-akaunting/config/main.yml index 1482456a..453d6535 100644 --- a/roles/web-app-akaunting/config/main.yml +++ b/roles/web-app-akaunting/config/main.yml @@ -1,5 +1,5 @@ company: - name: "Akaunting on {{ primary_domain | upper }}" # @todo load automatic based on service_provider infos, this will fail + name: "Akaunting on {{ PRIMARY_DOMAIN | upper }}" # @todo load automatic based on service_provider infos, this will fail email: "{{ users.administrator.email }}" # @todo load automatic based on service_provider infos, this will fail setup_admin_email: "{{ users.administrator.email }}" features: @@ -11,7 +11,7 @@ features: server: domains: canonical: - - "accounting.{{ primary_domain }}" + - "accounting.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-attendize/config/main.yml b/roles/web-app-attendize/config/main.yml index c371557f..a006906d 100644 --- a/roles/web-app-attendize/config/main.yml +++ b/roles/web-app-attendize/config/main.yml @@ -16,4 +16,4 @@ docker: server: domains: canonical: - - "tickets.{{ primary_domain }}" + - "tickets.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-baserow/config/main.yml b/roles/web-app-baserow/config/main.yml index 2b14f737..df5754ab 100644 --- a/roles/web-app-baserow/config/main.yml +++ b/roles/web-app-baserow/config/main.yml @@ -21,4 +21,4 @@ docker: server: domains: canonical: - - baserow.{{ primary_domain }} + - baserow.{{ PRIMARY_DOMAIN }} 
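Review bot: `username: "{{ PRIMARY_DOMAIN.split('.')[1] }}"` for the `tld` account only yields the TLD when the primary domain has exactly two labels; for `example.co.uk` it reserves `co`, and when the primary domain is itself a subdomain it reserves the second label, so the account meant to block the TLD name is created under the wrong username. If the intent is the last label, `username: "{{ PRIMARY_DOMAIN.split('.')[-1] }}"` does that for any depth. The `users:` mapping continues after the hunk.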
diff --git a/roles/web-app-bigbluebutton/config/main.yml b/roles/web-app-bigbluebutton/config/main.yml index b82742c3..835cab51 100644 --- a/roles/web-app-bigbluebutton/config/main.yml +++ b/roles/web-app-bigbluebutton/config/main.yml @@ -18,7 +18,7 @@ server: unsafe-inline: true domains: canonical: - - "meet.{{ primary_domain }}" + - "meet.{{ PRIMARY_DOMAIN }}" credentials: {} docker: diff --git a/roles/web-app-bigbluebutton/templates/env.j2 b/roles/web-app-bigbluebutton/templates/env.j2 index 087d3afc..d2c4c513 100644 --- a/roles/web-app-bigbluebutton/templates/env.j2 +++ b/roles/web-app-bigbluebutton/templates/env.j2 @@ -1,6 +1,6 @@ ENABLE_COTURN=true -COTURN_TLS_CERT_PATH={{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/fullchain.pem -COTURN_TLS_KEY_PATH={{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/privkey.pem +COTURN_TLS_CERT_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/fullchain.pem +COTURN_TLS_KEY_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/privkey.pem ENABLE_GREENLIGHT={{ applications | get_app_conf(application_id, 'enable_greenlight', True) }} # Enable Webhooks diff --git a/roles/web-app-bigbluebutton/users/main.yml b/roles/web-app-bigbluebutton/users/main.yml index 0e8e6748..6374b715 100644 --- a/roles/web-app-bigbluebutton/users/main.yml +++ b/roles/web-app-bigbluebutton/users/main.yml @@ -1,3 +1,3 @@ users: administrator: - email: "administrator@{{ primary_domain }}" \ No newline at end of file + email: "administrator@{{ PRIMARY_DOMAIN }}" \ No newline at end of file diff --git a/roles/web-app-bluesky/config/main.yml b/roles/web-app-bluesky/config/main.yml index 6b7550ab..bca2c8f7 100644 --- a/roles/web-app-bluesky/config/main.yml +++ b/roles/web-app-bluesky/config/main.yml 
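Review bot: `{{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/fullchain.pem` in the coturn env template uses `path_join` for the directory and then string-appends the file name, so the filter is only doing half the job and a trailing `/` on `ssl_cert_folder` would produce a double slash. `COTURN_TLS_CERT_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder, 'fullchain.pem' ] | path_join }}` and `COTURN_TLS_KEY_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder, 'privkey.pem' ] | path_join }}` keep each path under one join.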
@@ -11,8 +11,8 @@ features: server: domains: canonical: - web: "bskyweb.{{ primary_domain }}" - api: "bluesky.{{ primary_domain }}" + web: "bskyweb.{{ PRIMARY_DOMAIN }}" + api: "bluesky.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-bluesky/templates/docker-compose.yml.j2 b/roles/web-app-bluesky/templates/docker-compose.yml.j2 index 90acd19b..e880460d 100644 --- a/roles/web-app-bluesky/templates/docker-compose.yml.j2 +++ b/roles/web-app-bluesky/templates/docker-compose.yml.j2 @@ -24,7 +24,7 @@ args: REACT_APP_PDS_URL: "{{ WEB_PROTOCOL }}://{{domains[application_id].api}}" # URL des PDS REACT_APP_API_URL: "{{ WEB_PROTOCOL }}://{{domains[application_id].api}}" # API-URL des PDS - REACT_APP_SITE_NAME: "{{primary_domain | upper}} - Bluesky" + REACT_APP_SITE_NAME: "{{PRIMARY_DOMAIN | upper}} - Bluesky" REACT_APP_SITE_DESCRIPTION: "Decentral Social " ports: - "127.0.0.1:{{ports.localhost.http['web-app-bluesky_web']}}:8100" diff --git a/roles/web-app-bluesky/templates/env.j2 b/roles/web-app-bluesky/templates/env.j2 index 06d36044..8a7a8dcb 100644 --- a/roles/web-app-bluesky/templates/env.j2 +++ b/roles/web-app-bluesky/templates/env.j2 @@ -3,7 +3,7 @@ PDS_ADMIN_EMAIL="{{applications.bluesky.users.administrator.email}}" PDS_SERVICE_DID="did:web:{{domains[application_id].api}}" # See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/ -PDS_SERVICE_HANDLE_DOMAINS=".{{primary_domain}}" +PDS_SERVICE_HANDLE_DOMAINS=".{{PRIMARY_DOMAIN}}" PDS_JWT_SECRET="{{ bluesky_jwt_secret }}" PDS_ADMIN_PASSWORD="{{bluesky_admin_password}}" PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{ bluesky_rotation_key }}" diff --git a/roles/web-app-bluesky/users/main.yml b/roles/web-app-bluesky/users/main.yml index 386ff356..8af2ad17 100644 --- a/roles/web-app-bluesky/users/main.yml +++ b/roles/web-app-bluesky/users/main.yml 
@@ -1,3 +1,3 @@ users: administrator: - email: "administrator@{{ primary_domain }}" \ No newline at end of file + email: "administrator@{{ PRIMARY_DOMAIN }}" \ No newline at end of file diff --git a/roles/web-app-collabora/config/main.yml b/roles/web-app-collabora/config/main.yml index a39a6edf..93f55ba9 100644 --- a/roles/web-app-collabora/config/main.yml +++ b/roles/web-app-collabora/config/main.yml @@ -1,7 +1,7 @@ server: domains: canonical: - - "collabora.{{ primary_domain }}" + - "collabora.{{ PRIMARY_DOMAIN }}" docker: services: redis: diff --git a/roles/web-app-discourse/config/main.yml b/roles/web-app-discourse/config/main.yml index 50ec2993..e7ccadbf 100644 --- a/roles/web-app-discourse/config/main.yml +++ b/roles/web-app-discourse/config/main.yml @@ -16,10 +16,10 @@ server: unsafe-inline: true whitelist: font-src: - - "http://*.{{primary_domain}}" + - "http://*.{{PRIMARY_DOMAIN}}" domains: canonical: - - "forum.{{ primary_domain }}" + - "forum.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-discourse/tasks/01_core.yml b/roles/web-app-discourse/tasks/01_core.yml index 21cb2e38..eb28c652 100644 --- a/roles/web-app-discourse/tasks/01_core.yml +++ b/roles/web-app-discourse/tasks/01_core.yml @@ -1,6 +1,6 @@ - name: "reset (if enabled)" include_tasks: 02_reset.yml - when: mode_reset | bool + when: MODE_RESET | bool # Necessary for building: https://chat.openai.com/share/99d258cc-294b-4924-8eef-02fe419bb838 - name: install which diff --git a/roles/web-app-elk/config/main.yml b/roles/web-app-elk/config/main.yml index 9f6bb7c7..b4ea7293 100644 --- a/roles/web-app-elk/config/main.yml +++ b/roles/web-app-elk/config/main.yml @@ -3,4 +3,4 @@ features: server: domains: canonical: - - elk.{{ primary_domain }} + - elk.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-espocrm/config/main.yml b/roles/web-app-espocrm/config/main.yml index eb598017..1ea6bd59 100644 --- a/roles/web-app-espocrm/config/main.yml 
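Review bot: The Discourse CSP `font-src` whitelist entry `"http://*.{{PRIMARY_DOMAIN}}"` hard-codes cleartext `http://`, whereas the other primary-domain origins touched by this commit (Keycloak `webOrigins`, Element `base_url`) are built from `WEB_PROTOCOL`. On an HTTPS deployment browsers treat HTTP font loads as blockable mixed content, so the entry is dead weight there, and on a plain-HTTP deployment it is the only scheme that should appear; `- "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"` keeps the policy in step with the real scheme. The enclosing `server:` mapping starts and ends outside the hunk.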
+++ b/roles/web-app-espocrm/config/main.yml @@ -18,17 +18,17 @@ server: unsafe-eval: true whitelist: connect-src: - - wss://espocrm.{{ primary_domain }} + - wss://espocrm.{{ PRIMARY_DOMAIN }} - "data:" frame-src: - https://s.espocrm.com/ domains: aliases: - - "crm.{{ primary_domain }}" + - "crm.{{ PRIMARY_DOMAIN }}" canonical: - - espocrm.{{ primary_domain }} + - espocrm.{{ PRIMARY_DOMAIN }} email: - from_name: "Customer Relationship Management ({{ primary_domain }})" + from_name: "Customer Relationship Management ({{ PRIMARY_DOMAIN }})" docker: services: database: diff --git a/roles/web-app-espocrm/templates/env.j2 b/roles/web-app-espocrm/templates/env.j2 index d7ea70f2..28eb811e 100644 --- a/roles/web-app-espocrm/templates/env.j2 +++ b/roles/web-app-espocrm/templates/env.j2 @@ -41,7 +41,7 @@ ESPOCRM_CONFIG_DEFAULT_CURRENCY={{ HOST_CURRENCY }} # ------------------------------------------------ # Logger # ------------------------------------------------ -ESPOCRM_CONFIG_LOGGER_LEVEL={{ 'DEBUG' if enable_debug | bool else 'INFO' }} +ESPOCRM_CONFIG_LOGGER_LEVEL={{ 'DEBUG' if MODE_DEBUG | bool else 'INFO' }} ESPOCRM_CONFIG_LOGGER_PATH=php://stdout ESPOCRM_CONFIG_LOGGER_ROTATION=false diff --git a/roles/web-app-friendica/config/main.yml b/roles/web-app-friendica/config/main.yml index 225fb921..c8c049ef 100644 --- a/roles/web-app-friendica/config/main.yml +++ b/roles/web-app-friendica/config/main.yml @@ -12,7 +12,7 @@ features: server: domains: canonical: - - "social.{{ primary_domain }}" + - "social.{{ PRIMARY_DOMAIN }}" csp: flags: script-src-elem: diff --git a/roles/web-app-friendica/templates/env.j2 b/roles/web-app-friendica/templates/env.j2 index 7d8da58d..035786e6 100644 --- a/roles/web-app-friendica/templates/env.j2 +++ b/roles/web-app-friendica/templates/env.j2 
@@ -6,8 +6,8 @@ HOSTNAME={{domains | get_domain(application_id)}} FRIENDICA_NO_VALIDATION={{friendica_no_validation | lower}} # Debugging -FRIENDICA_DEBUGGING={{ (enable_debug | bool) | lower }}{{"\n"}} -FRIENDICA_LOGLEVEL={% if enable_debug | bool %}9{% else %}5{% endif %}{{"\n"}} +FRIENDICA_DEBUGGING={{ (MODE_DEBUG | bool) | lower }}{{"\n"}} +FRIENDICA_LOGLEVEL={% if MODE_DEBUG | bool %}9{% else %}5{% endif %}{{"\n"}} FRIENDICA_LOGGER=syslog # Database Configuration diff --git a/roles/web-app-funkwhale/config/main.yml b/roles/web-app-funkwhale/config/main.yml index 6b382545..065e6c79 100644 --- a/roles/web-app-funkwhale/config/main.yml +++ b/roles/web-app-funkwhale/config/main.yml @@ -23,10 +23,10 @@ features: server: domains: canonical: - - "audio.{{ primary_domain }}" + - "audio.{{ PRIMARY_DOMAIN }}" aliases: - - "music.{{ primary_domain }}" - - "sound.{{ primary_domain }}" + - "music.{{ PRIMARY_DOMAIN }}" + - "sound.{{ PRIMARY_DOMAIN }}" csp: flags: style-src: diff --git a/roles/web-app-funkwhale/templates/env.j2 b/roles/web-app-funkwhale/templates/env.j2 index f7f50376..fb285822 100644 --- a/roles/web-app-funkwhale/templates/env.j2 +++ b/roles/web-app-funkwhale/templates/env.j2 @@ -40,10 +40,10 @@ FUNKWHALE_HOSTNAME={{domains | get_domain(application_id)}} FUNKWHALE_PROTOCOL={{ WEB_PROTOCOL }} # Log level (debug, info, warning, error, critical) -LOGLEVEL={% if enable_debug | bool %}debug{% else %}error{% endif %} +LOGLEVEL={% if MODE_DEBUG | bool %}debug{% else %}error{% endif %} # Could be that this is redundant -DJANGO_LOGLEVEL={% if enable_debug | bool %}debug{% else %}error{% endif %} +DJANGO_LOGLEVEL={% if MODE_DEBUG | bool %}debug{% else %}error{% endif %} # Configure e-mail sending using this variale # By default, funkwhale will output e-mails sent to stdout diff --git a/roles/web-app-gitea/config/main.yml b/roles/web-app-gitea/config/main.yml index 087ad60b..2a6e169c 100644 --- a/roles/web-app-gitea/config/main.yml 
+++ b/roles/web-app-gitea/config/main.yml @@ -36,9 +36,9 @@ server: - "data:" domains: aliases: - - "git.{{ primary_domain }}" + - "git.{{ PRIMARY_DOMAIN }}" canonical: - - gitea.{{ primary_domain }} + - gitea.{{ PRIMARY_DOMAIN }} docker: services: database: diff --git a/roles/web-app-gitea/tasks/cleanup/ldap.yml b/roles/web-app-gitea/tasks/cleanup/ldap.yml index 581e539e..eb35cac4 100644 --- a/roles/web-app-gitea/tasks/cleanup/ldap.yml +++ b/roles/web-app-gitea/tasks/cleanup/ldap.yml @@ -2,7 +2,7 @@ shell: | docker exec -i --user {{ gitea_user }} {{ gitea_container }} \ gitea admin auth list \ - | awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}' + | awk -v name="LDAP ({{ PRIMARY_DOMAIN }})" '$0 ~ name {print $1; exit}' args: chdir: "{{ docker_compose.directories.instance }}" register: ldap_source_id_raw diff --git a/roles/web-app-gitea/tasks/main.yml b/roles/web-app-gitea/tasks/main.yml index 3cb114bf..51abe489 100644 --- a/roles/web-app-gitea/tasks/main.yml +++ b/roles/web-app-gitea/tasks/main.yml @@ -54,14 +54,14 @@ - name: Execute Cleanup Routines include_tasks: 03_cleanup.yml - when: mode_cleanup + when: MODE_CLEANUP - name: Include DNS role to register Gitea domain(s) include_role: name: srv-web-7-7-dns-records vars: - cloudflare_api_token: "{{ certbot_dns_api_token }}" + cloudflare_api_token: "{{ CERTBOT_DNS_API_TOKEN }}" cloudflare_domains: "{{ [ domains | get_domain(application_id) ] }}" cloudflare_target_ip: "{{ networks.internet.ip4 }}" cloudflare_proxied: false - when: dns_provider == 'cloudflare' \ No newline at end of file + when: DNS_PROVIDER == 'cloudflare' \ No newline at end of file diff --git a/roles/web-app-gitea/tasks/setup/ldap.yml b/roles/web-app-gitea/tasks/setup/ldap.yml index 093d8455..c809efce 100644 --- a/roles/web-app-gitea/tasks/setup/ldap.yml +++ b/roles/web-app-gitea/tasks/setup/ldap.yml 
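Review bot: `awk -v name="LDAP ({{ PRIMARY_DOMAIN }})" '$0 ~ name {print $1; exit}'` in the cleanup task uses the name as a dynamic regex, so the parentheses become a group and the dots match any character; the pattern `LDAP (example.com)` does not match the literal text `LDAP (example.com)` that `gitea admin auth list` prints, and the cleanup then silently finds no source id. The setup counterpart in `tasks/setup/ldap.yml` already matches as a fixed string with `grep -F`; `'index($0, name) {print $1; exit}'` gives the same literal semantics here. The `shell:` task's `- name:` line is outside the hunk.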
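Review bot: `when: MODE_CLEANUP` is the only mode guard in this commit without `| bool`; the sibling guards (`MODE_RESET | bool`, `MODE_UPDATE | bool`, `MODE_BACKUP | bool`) coerce, so a string value such as `"false"` arriving via `-e` or inventory would disable those but, being a non-empty string, would presumably still be truthy here and run the cleanup routines. `when: MODE_CLEANUP | bool` closes that gap and matches the convention the rename is meant to enforce. The task list continues before the hunk.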
@@ -13,7 +13,7 @@ docker exec -i --user {{ gitea_user }} {{ gitea_container }} \ gitea admin auth list \ | tail -n +2 \ - | grep -F "LDAP ({{ primary_domain }})" \ + | grep -F "LDAP ({{ PRIMARY_DOMAIN }})" \ | awk '{print $1; exit}' args: chdir: "{{ docker_compose.directories.instance }}" diff --git a/roles/web-app-gitea/templates/env.j2 b/roles/web-app-gitea/templates/env.j2 index 1d25401c..8d4d750e 100644 --- a/roles/web-app-gitea/templates/env.j2 +++ b/roles/web-app-gitea/templates/env.j2 @@ -3,7 +3,7 @@ # General DOMAIN={{domains | get_domain(application_id)}} -RUN_MODE="{{ 'dev' if (INFINITO_ENVIRONMENT | lower) == 'development' else 'prod' }}" +RUN_MODE="{{ 'dev' if (ENVIRONMENT | lower) == 'development' else 'prod' }}" ROOT_URL="{{ domains | get_url(application_id, WEB_PROTOCOL) }}/" APP_NAME="{{ applications | get_app_conf(application_id, 'title', True) }}" USER_UID=1000 @@ -11,7 +11,7 @@ USER_GID=1000 # Logging configuration GITEA__log__MODE=console -GITEA__log__LEVEL={% if enable_debug | bool %}Debug{% else %}Info{% endif %} +GITEA__log__LEVEL={% if MODE_DEBUG | bool %}Debug{% else %}Info{% endif %} # Database DB_TYPE=mysql diff --git a/roles/web-app-gitea/vars/main.yml b/roles/web-app-gitea/vars/main.yml index 562f7d60..4f620287 100644 --- a/roles/web-app-gitea/vars/main.yml +++ b/roles/web-app-gitea/vars/main.yml @@ -1,7 +1,7 @@ application_id: "web-app-gitea" database_type: "mariadb" gitea_ldap_auth_args: - - '--name "LDAP ({{ primary_domain }})"' + - '--name "LDAP ({{ PRIMARY_DOMAIN }})"' - '--host "{{ ldap.server.domain }}"' - '--port {{ ldap.server.port }}' - '--security-protocol "{{ ldap.server.security | trim or "unencrypted" }}"' diff --git a/roles/web-app-gitlab/config/main.yml b/roles/web-app-gitlab/config/main.yml index f1b4e304..6bd719da 100644 --- a/roles/web-app-gitlab/config/main.yml +++ b/roles/web-app-gitlab/config/main.yml 
@@ -18,4 +18,4 @@ credentials: server: domains: canonical: - - gitlab.{{ primary_domain }} + - gitlab.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-jenkins/config/main.yml b/roles/web-app-jenkins/config/main.yml index 0939cf04..7f83be94 100644 --- a/roles/web-app-jenkins/config/main.yml +++ b/roles/web-app-jenkins/config/main.yml @@ -3,4 +3,4 @@ features: server: domains: canonical: - - jenkins.{{ primary_domain }} + - jenkins.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-joomla/config/main.yml b/roles/web-app-joomla/config/main.yml index c4925b9f..3a246d1e 100644 --- a/roles/web-app-joomla/config/main.yml +++ b/roles/web-app-joomla/config/main.yml @@ -9,7 +9,7 @@ features: server: domains: canonical: - - "cms.{{ primary_domain }}" + - "cms.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-keycloak/config/main.yml b/roles/web-app-keycloak/config/main.yml index befdb41e..25be5752 100644 --- a/roles/web-app-keycloak/config/main.yml +++ b/roles/web-app-keycloak/config/main.yml @@ -28,7 +28,7 @@ server: - "*" # For frontend channel logout it's necessary that iframes can be loaded domains: canonical: - - "auth.{{ primary_domain }}" + - "auth.{{ PRIMARY_DOMAIN }}" scopes: rbac_roles: rbac_roles nextcloud: nextcloud diff --git a/roles/web-app-keycloak/templates/env.j2 b/roles/web-app-keycloak/templates/env.j2 index 1b8115ff..8924f975 100644 --- a/roles/web-app-keycloak/templates/env.j2 +++ b/roles/web-app-keycloak/templates/env.j2 @@ -25,7 +25,7 @@ KC_BOOTSTRAP_ADMIN_USERNAME= "{{applications | get_app_conf(application_id, ' KC_BOOTSTRAP_ADMIN_PASSWORD= "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}" # Enable detailed logs -{% if enable_debug | bool %} +{% if MODE_DEBUG | bool %} KC_LOG_LEVEL=DEBUG KC_LOG_CONSOLE_ENABLED=true {% endif %} \ No newline at end of file 
diff --git a/roles/web-app-keycloak/templates/import/realm.json.j2 b/roles/web-app-keycloak/templates/import/realm.json.j2 index 98a2c45b..fd55682f 100644 --- a/roles/web-app-keycloak/templates/import/realm.json.j2 +++ b/roles/web-app-keycloak/templates/import/realm.json.j2 @@ -836,7 +836,7 @@ {# The following line should be covered by 02_update_client_redirects.yml #} "redirectUris": {{ domains | redirect_uris(applications, WEB_PROTOCOL) | tojson }}, "webOrigins": [ - "{{ WEB_PROTOCOL }}://*.{{primary_domain}}" + "{{ WEB_PROTOCOL }}://*.{{PRIMARY_DOMAIN}}" ], "notBefore": 0, "bearerOnly": false, @@ -853,7 +853,7 @@ "oidc.ciba.grant.enabled": "false", "client.secret.creation.time": "0", "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "{{ WEB_PROTOCOL }}://{{primary_domain}}/*##+", + "post.logout.redirect.uris": "{{ WEB_PROTOCOL }}://{{PRIMARY_DOMAIN}}/*##+", "frontchannel.logout.session.required": "true", "oauth2.device.authorization.grant.enabled": "false", "display.on.consent.screen": "false", diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml index ddb6a481..1d00f693 100644 --- a/roles/web-app-keycloak/vars/main.yml +++ b/roles/web-app-keycloak/vars/main.yml 
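Review bot: `"webOrigins": ["{{ WEB_PROTOCOL }}://*.{{PRIMARY_DOMAIN}}"]` grants browser CORS access to this client from every subdomain of the primary domain, while the `redirectUris` line directly above is already narrowed per application through the `redirect_uris` filter. With the wildcard, any host that ends up serving content under some subdomain (a test or compromised app) can call the token endpoint from the browser in this client's name; if the filter exposes the same domain list, deriving `webOrigins` from it would make the trust boundary explicit, and otherwise a comment next to the line stating why the wildcard is acceptable would at least document the decision. The client object starts and ends outside the hunk.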
@@ -5,7 +5,7 @@ database_type: "postgres" # Keycloak keycloak_container: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}" # Name of the keycloak docker container keycloak_docker_import_directory: "/opt/keycloak/data/import/" # Directory in which keycloak import files are placed in the running docker container -keycloak_realm: "{{ primary_domain}}" # This is the name of the default realm which is used by the applications +keycloak_realm: "{{ PRIMARY_DOMAIN}}" # This is the name of the default realm which is used by the applications keycloak_master_api_user: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator keycloak_master_api_user_name: "{{ keycloak_master_api_user.username }}" # Master Administrator Username keycloak_master_api_user_password: "{{ keycloak_master_api_user.password }}" # Master Administrator Password @@ -15,7 +15,7 @@ keycloak_server_host: "127.0.0.1:{{ ports.localhost.http[applicati keycloak_server_host_url: "http://{{ keycloak_server_host }}" keycloak_image: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}" # Keycloak docker image keycloak_version: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}" # Keycloak docker version -keycloak_debug_enabled: "{{ enable_debug }}" +keycloak_debug_enabled: "{{ MODE_DEBUG }}" keycloak_redirect_features: ["features.oauth2","features.oidc"] keycloak_client_id: "{{ oidc.client.id }}" keycloak_ldap_component_name: "{{ ldap.server.domain }}" # Name of the LDAP User Federation component in Keycloak (as shown in UI) diff --git a/roles/web-app-lam/config/main.yml b/roles/web-app-lam/config/main.yml index 94132154..9e243cb1 100644 --- a/roles/web-app-lam/config/main.yml +++ b/roles/web-app-lam/config/main.yml 
@@ -27,7 +27,7 @@ server: unsafe-inline: true domains: aliases: - - "ldap.{{primary_domain}}" + - "ldap.{{PRIMARY_DOMAIN}}" canonical: - - lam.{{ primary_domain }} + - lam.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-libretranslate/config/main.yml b/roles/web-app-libretranslate/config/main.yml index 3d138371..300d25fd 100644 --- a/roles/web-app-libretranslate/config/main.yml +++ b/roles/web-app-libretranslate/config/main.yml @@ -24,7 +24,7 @@ server: flags: {} # Flags which should be set domains: canonical: - - "libretranslate.{{ primary_domain }}" + - "libretranslate.{{ PRIMARY_DOMAIN }}" aliases: [] # Alias redirections to the first element of the canonical domains rbac: roles: {} diff --git a/roles/web-app-listmonk/config/main.yml b/roles/web-app-listmonk/config/main.yml index 193351df..ad5ffd28 100644 --- a/roles/web-app-listmonk/config/main.yml +++ b/roles/web-app-listmonk/config/main.yml @@ -9,7 +9,7 @@ features: server: domains: canonical: - - "newsletter.{{ primary_domain }}" + - "newsletter.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-mailu/config/main.yml b/roles/web-app-mailu/config/main.yml index 751286b0..9c4bfd8a 100644 --- a/roles/web-app-mailu/config/main.yml +++ b/roles/web-app-mailu/config/main.yml @@ -1,7 +1,7 @@ oidc: email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used enable_user_creation: true # Users will be created if not existing -domain: "{{ primary_domain }}" # The main domain from which mails will be send \ email suffix behind @ +domain: "{{ PRIMARY_DOMAIN }}" # The main domain from which mails will be send \ email suffix behind @ features: matomo: true css: false @@ -12,7 +12,7 @@ features: server: domains: canonical: - - "mail.{{ primary_domain }}" + - "mail.{{ PRIMARY_DOMAIN }}" csp: flags: style-src: diff --git a/roles/web-app-mailu/tasks/01_core.yml b/roles/web-app-mailu/tasks/01_core.yml index 4894486f..bebd6fa3 100644 
--- a/roles/web-app-mailu/tasks/01_core.yml +++ b/roles/web-app-mailu/tasks/01_core.yml @@ -13,7 +13,7 @@ include_tasks: 02_create-mailu-user.yml vars: mailu_compose_dir: "{{ docker_compose.directories.instance }}" - mailu_domain: "{{ primary_domain }}" + mailu_domain: "{{ PRIMARY_DOMAIN }}" mailu_api_base_url: "http://127.0.0.1:8080/api/v1" mailu_global_api_token: "{{ applications | get_app_conf(application_id, 'credentials.api_token') }}" mailu_action: >- @@ -33,4 +33,4 @@ - name: Set Mailu DNS records include_tasks: 04_set-mailu-dns-records.yml - when: dns_provider == 'cloudflare' \ No newline at end of file + when: DNS_PROVIDER == 'cloudflare' \ No newline at end of file diff --git a/roles/web-app-mailu/templates/env.j2 b/roles/web-app-mailu/templates/env.j2 index 3a8b6f60..fc5aba0c 100644 --- a/roles/web-app-mailu/templates/env.j2 +++ b/roles/web-app-mailu/templates/env.j2 @@ -195,7 +195,7 @@ OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}} OIDC_USERNAME_CLAIM={{oidc.attributes.username}} # The domain used when constructing an email from a non-email username (e.g., when OIDC_USERNAME_CLAIM=sub). Ignored if OIDC_USERNAME_CLAIM is already an email. Defaults to the value of DOMAIN. -OIDC_USER_DOMAIN={{primary_domain}} +OIDC_USER_DOMAIN={{PRIMARY_DOMAIN}} {% endif %} # If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True. diff --git a/roles/web-app-mailu/users/main.yml b/roles/web-app-mailu/users/main.yml index a69907d6..d4516311 100644 --- a/roles/web-app-mailu/users/main.yml +++ b/roles/web-app-mailu/users/main.yml 
@@ -1,3 +1,3 @@ users: administrator: - email: "administrator@{{ primary_domain }}" # Administrator Email for DNS Records \ No newline at end of file + email: "administrator@{{ PRIMARY_DOMAIN }}" # Administrator Email for DNS Records \ No newline at end of file diff --git a/roles/web-app-mailu/vars/mailu-dns.yml b/roles/web-app-mailu/vars/mailu-dns.yml index b6127824..36e4c936 100644 --- a/roles/web-app-mailu/vars/mailu-dns.yml +++ b/roles/web-app-mailu/vars/mailu-dns.yml @@ -3,7 +3,7 @@ mailu_dns_zone: "{{ applications | get_app_conf(application_id, 'domain', True) }}" mailu_dns_ip: "{{ networks.internet.ip4 }}" -cloudflare_record_api_token: "{{ certbot_dns_api_token }}" +cloudflare_record_api_token: "{{ CERTBOT_DNS_API_TOKEN }}" mailu_dmarc_ruf: "{{ applications | get_app_conf(application_id, 'users.administrator.email', True) }}" diff --git a/roles/web-app-mastodon/config/main.yml b/roles/web-app-mastodon/config/main.yml index 799745dd..fdf57286 100644 --- a/roles/web-app-mastodon/config/main.yml +++ b/roles/web-app-mastodon/config/main.yml @@ -10,7 +10,7 @@ features: server: domains: canonical: - - "microblog.{{ primary_domain }}" + - "microblog.{{ PRIMARY_DOMAIN }}" csp: whitelist: frame-src: diff --git a/roles/web-app-matomo/config/main.yml b/roles/web-app-matomo/config/main.yml index e669de0a..4cf09bf3 100644 --- a/roles/web-app-matomo/config/main.yml +++ b/roles/web-app-matomo/config/main.yml @@ -27,9 +27,9 @@ server: unsafe-eval: true domains: aliases: - - "analytics.{{ primary_domain }}" + - "analytics.{{ PRIMARY_DOMAIN }}" canonical: - - "matomo.{{ primary_domain }}" + - "matomo.{{ PRIMARY_DOMAIN }}" excluded_ips: "{{ networks.internet.values() | list }}" docker: diff --git a/roles/web-app-matrix-ansible/tasks/main.yml b/roles/web-app-matrix-ansible/tasks/main.yml index 399b9463..3682e90c 100644 --- a/roles/web-app-matrix-ansible/tasks/main.yml +++ b/roles/web-app-matrix-ansible/tasks/main.yml 
@@ -79,7 +79,7 @@ - name: show variable information debug: msg: "hosts_path: {{hosts_path}}\nmatrix_inventory_tmp_dir:{{ matrix_inventory_tmp_dir }}" - when: enable_debug | bool + when: MODE_DEBUG | bool - name: install requirements local_action: command just roles diff --git a/roles/web-app-matrix/config/main.yml b/roles/web-app-matrix/config/main.yml index 780cf1eb..f2227c98 100644 --- a/roles/web-app-matrix/config/main.yml +++ b/roles/web-app-matrix/config/main.yml @@ -15,7 +15,7 @@ docker: volumes: synapse: "matrix_synapse_data" playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start -server_name: "{{ primary_domain }}" # Adress for the account names etc. +server_name: "{{ PRIMARY_DOMAIN }}" # Adress for the account names etc. setup: false # Set true in inventory file to execute the setup and initializing procedures features: matomo: false # Deactivated, because in html CSP restricts use @@ -38,12 +38,12 @@ server: connect-src: - "*" script-src-elem: - - "element.{{ primary_domain }}" + - "element.{{ PRIMARY_DOMAIN }}" - "https://cdn.jsdelivr.net" domains: canonical: - synapse: "matrix.{{ primary_domain }}" - element: "element.{{ primary_domain }}" + synapse: "matrix.{{ PRIMARY_DOMAIN }}" + element: "element.{{ PRIMARY_DOMAIN }}" client_max_body_size: "15M" plugins: diff --git a/roles/web-app-matrix/tasks/main.yml b/roles/web-app-matrix/tasks/main.yml index 82049c3a..fcf5b9f7 100644 --- a/roles/web-app-matrix/tasks/main.yml +++ b/roles/web-app-matrix/tasks/main.yml @@ -116,7 +116,7 @@ command: cmd: docker-compose -p "{{ matrix_project }}" pull chdir: "{{docker_compose.directories.instance}}" - when: mode_update | bool + when: MODE_UPDATE | bool - name: docker compose up command: diff --git a/roles/web-app-matrix/templates/element.config.json.j2 b/roles/web-app-matrix/templates/element.config.json.j2 index ab98de9a..9cc4bbac 100644 --- a/roles/web-app-matrix/templates/element.config.json.j2 
+++ b/roles/web-app-matrix/templates/element.config.json.j2 @@ -5,7 +5,7 @@ "server_name": "{{domains[application_id].synapse}}" }, "m.identity_server": { - "base_url": "{{ WEB_PROTOCOL }}://{{primary_domain}}" + "base_url": "{{ WEB_PROTOCOL }}://{{PRIMARY_DOMAIN}}" } }, "brand": "Element", diff --git a/roles/web-app-mediawiki/config/main.yml b/roles/web-app-mediawiki/config/main.yml index 5b431795..b92b1b38 100644 --- a/roles/web-app-mediawiki/config/main.yml +++ b/roles/web-app-mediawiki/config/main.yml @@ -1,7 +1,7 @@ server: domains: canonical: - - "wiki.{{ primary_domain }}" + - "wiki.{{ PRIMARY_DOMAIN }}" docker: services: mediawiki: diff --git a/roles/web-app-mig/config/main.yml b/roles/web-app-mig/config/main.yml index 2cb2bc07..b67241d9 100644 --- a/roles/web-app-mig/config/main.yml +++ b/roles/web-app-mig/config/main.yml @@ -33,9 +33,9 @@ server: unsafe-inline: true domains: canonical: - - "mig.{{ primary_domain }}" + - "mig.{{ PRIMARY_DOMAIN }}" aliases: - - "meta-infinite-graph.{{ primary_domain }}" + - "meta-infinite-graph.{{ PRIMARY_DOMAIN }}" build_data: # This shouldn't be relevant anymore, because the data is anyhow build async in background diff --git a/roles/web-app-mig/tasks/02_build_data.yml b/roles/web-app-mig/tasks/02_build_data.yml index 7810f53d..48ceb101 100644 --- a/roles/web-app-mig/tasks/02_build_data.yml +++ b/roles/web-app-mig/tasks/02_build_data.yml @@ -16,7 +16,7 @@ - name: Debug MIG build job ID debug: msg: "MIG build job started with ID: {{ mig_build_job.ansible_job_id }}" - when: enable_debug | bool + when: MODE_DEBUG | bool - debug: msg: "Waiting for MIG build job to finish. Set 'build_data.wait_for=false' in the application config to skip waiting and improve performance." diff --git a/roles/web-app-mobilizon/config/main.yml b/roles/web-app-mobilizon/config/main.yml index 66d063ab..fedfe363 100644 --- a/roles/web-app-mobilizon/config/main.yml +++ b/roles/web-app-mobilizon/config/main.yml 
@@ -1,4 +1,4 @@ -titel: "Mobilizon on {{ primary_domain | upper }}" +titel: "Mobilizon on {{ PRIMARY_DOMAIN | upper }}" features: central_database: true oidc: true @@ -14,9 +14,9 @@ server: unsafe-eval: true domains: canonical: - - "event.{{ primary_domain }}" + - "event.{{ PRIMARY_DOMAIN }}" aliases: - - "events.{{ primary_domain }}" + - "events.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-mobilizon/templates/env.j2 b/roles/web-app-mobilizon/templates/env.j2 index 60d75a70..f2de0ebe 100644 --- a/roles/web-app-mobilizon/templates/env.j2 +++ b/roles/web-app-mobilizon/templates/env.j2 @@ -30,7 +30,7 @@ MOBILIZON_REPLY_EMAIL={{ users["administrator"].email }} # The loglevel setting. # You can find accepted values here: https://hexdocs.pm/logger/Logger.html#module-levels # Defaults to error -MOBILIZON_LOGLEVEL={% if enable_debug | bool %}debug{% else %}error{% endif %} +MOBILIZON_LOGLEVEL={% if MODE_DEBUG | bool %}debug{% else %}error{% endif %} ###################################################### # Database settings # diff --git a/roles/web-app-moodle/config/main.yml b/roles/web-app-moodle/config/main.yml index d2531fca..76066bb0 100644 --- a/roles/web-app-moodle/config/main.yml +++ b/roles/web-app-moodle/config/main.yml @@ -1,4 +1,4 @@ -site_titel: "Academy on {{primary_domain}}" +site_titel: "Academy on {{PRIMARY_DOMAIN}}" features: matomo: true css: false @@ -25,7 +25,7 @@ server: - "https://cdn.jsdelivr.net" domains: canonical: - - "academy.{{ primary_domain }}" + - "academy.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-moodle/templates/env.j2 b/roles/web-app-moodle/templates/env.j2 index 5e99067c..ba970385 100644 --- a/roles/web-app-moodle/templates/env.j2 +++ b/roles/web-app-moodle/templates/env.j2 
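Review bot: The key carried over in the first line of the Mobilizon config hunk is `titel`, a misspelling of `title`; the Gitea env template in this same commit reads `get_app_conf(application_id, 'title', True)`, so a consumer expecting `title` would silently fall back to its default here, and the Moodle config hunk further down has the same spelling in `site_titel`. If nothing reads `titel` verbatim (not verifiable from this chunk), `title: "Mobilizon on {{ PRIMARY_DOMAIN | upper }}"` aligns it with the convention; otherwise a comment stating that the key name is intentional would prevent a later "fix" from breaking lookups.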
@@ -7,7 +7,7 @@ MOODLE_REVERSE_PROXY=yes MOODLE_USERNAME={{applications | get_app_conf(application_id, 'users.administrator.username', True)}} MOODLE_PASSWORD={{applications | get_app_conf(application_id, 'credentials.user_password', True)}} MOODLE_EMAIL={{applications | get_app_conf(application_id, 'users.administrator.email', True)}} -BITNAMI_DEBUG={% if enable_debug | bool %}true{% else %}false{% endif %} +BITNAMI_DEBUG={% if MODE_DEBUG | bool %}true{% else %}false{% endif %} # Database MOODLE_DATABASE_HOST={{database_host}} diff --git a/roles/web-app-mybb/Installation.md b/roles/web-app-mybb/Installation.md index 7072d076..836f1025 100644 --- a/roles/web-app-mybb/Installation.md +++ b/roles/web-app-mybb/Installation.md @@ -3,8 +3,8 @@ ## Multi Domain Installation If you want to access your mybb over multiple domains, keep the following in mind: - Set Cookie Domain to nothing -- Access mybb for installation via mybb. -- Set the Board Url to mybb. +- Access mybb for installation via mybb. +- Set the Board Url to mybb. ## Manual Installation of MyBB Plugins diff --git a/roles/web-app-mybb/config/main.yml b/roles/web-app-mybb/config/main.yml index 30424346..05c68ced 100644 --- a/roles/web-app-mybb/config/main.yml +++ b/roles/web-app-mybb/config/main.yml @@ -18,4 +18,4 @@ docker: server: domains: canonical: - - mybb.{{ primary_domain }} + - mybb.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-mybb/tasks/main.yml b/roles/web-app-mybb/tasks/main.yml index 10486643..0cea1926 100644 --- a/roles/web-app-mybb/tasks/main.yml +++ b/roles/web-app-mybb/tasks/main.yml @@ -25,7 +25,7 @@ - name: "create {{docker_compose_instance_confd_defaultconf_file}}" template: - src: "default.conf" + src: "default.conf.j2" dest: "{{docker_compose_instance_confd_defaultconf_file}}" notify: docker compose up 
diff --git a/roles/web-app-mybb/templates/default.conf b/roles/web-app-mybb/templates/default.conf.j2 similarity index 91% rename from roles/web-app-mybb/templates/default.conf rename to roles/web-app-mybb/templates/default.conf.j2 index 1d073d23..ec139c90 100644 --- a/roles/web-app-mybb/templates/default.conf +++ b/roles/web-app-mybb/templates/default.conf.j2 @@ -4,7 +4,7 @@ upstream mybb { server { listen 80; - error_log /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %}; + error_log /proc/self/fd/2 {% if MODE_DEBUG | bool %}debug{% else %}warn{% endif %}; root /var/www/html; index index.html index.php; diff --git a/roles/web-app-mybb/vars/main.yml b/roles/web-app-mybb/vars/main.yml index e049cc99..940869b5 100644 --- a/roles/web-app-mybb/vars/main.yml +++ b/roles/web-app-mybb/vars/main.yml @@ -3,7 +3,7 @@ application_id: "web-app-mybb" docker_compose_instance_confd_directory: "{{docker_compose.directories.instance}}conf.d/" docker_compose_instance_confd_defaultconf_file: "{{docker_compose_instance_confd_directory}}default.conf" target_mount_conf_d_directory: "{{nginx.directories.http.servers}}" -source_domain: "mybb.{{primary_domain}}" +source_domain: "mybb.{{PRIMARY_DOMAIN}}" database_type: "mariadb" mybb_version: "{{ applications | get_app_conf(application_id, 'docker.services.mybb.version', True) }}" mybb_image: "{{ applications | get_app_conf(application_id, 'docker.services.mybb.image', True) }}" diff --git a/roles/web-app-navigator/config/main.yml b/roles/web-app-navigator/config/main.yml index 06f78a4d..2f875f68 100644 --- a/roles/web-app-navigator/config/main.yml +++ b/roles/web-app-navigator/config/main.yml 
@@ -16,7 +16,7 @@ server: font-src: - https://cdnjs.cloudflare.com frame-src: - - "{{ WEB_PROTOCOL }}://*.{{primary_domain}}" # Makes sense that all of the website content is available in the navigator + - "{{ WEB_PROTOCOL }}://*.{{PRIMARY_DOMAIN}}" # Makes sense that all of the website content is available in the navigator flags: style-src: unsafe-inline: true @@ -26,4 +26,4 @@ server: unsafe-inline: true domains: canonical: - - "slides.{{ primary_domain }}" + - "slides.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-navigator/templates/env.j2 b/roles/web-app-navigator/templates/env.j2 index d370a1bf..c0bd7204 100644 --- a/roles/web-app-navigator/templates/env.j2 +++ b/roles/web-app-navigator/templates/env.j2 @@ -1 +1 @@ -FLASK_DEBUG={{ enable_debug }} \ No newline at end of file +FLASK_DEBUG={{ MODE_DEBUG }} \ No newline at end of file diff --git a/roles/web-app-nextcloud/config/main.yml b/roles/web-app-nextcloud/config/main.yml index 48083764..3e318822 100644 --- a/roles/web-app-nextcloud/config/main.yml +++ b/roles/web-app-nextcloud/config/main.yml @@ -11,9 +11,9 @@ server: - "data:" domains: canonical: - - "cloud.{{ primary_domain }}" - # nextcloud: "cloud.{{ primary_domain }}" - # talk: "talk.{{ primary_domain }}" @todo needs to be activated + - "cloud.{{ PRIMARY_DOMAIN }}" + # nextcloud: "cloud.{{ PRIMARY_DOMAIN }}" + # talk: "talk.{{ PRIMARY_DOMAIN }}" @todo needs to be activated docker: volumes: data: nextcloud_data diff --git a/roles/web-app-nextcloud/templates/config/memcache.config.php.j2 b/roles/web-app-nextcloud/templates/config/memcache.config.php.j2 index 968233cc..011d4cdf 100644 --- a/roles/web-app-nextcloud/templates/config/memcache.config.php.j2 +++ b/roles/web-app-nextcloud/templates/config/memcache.config.php.j2 
@@ -3,7 +3,7 @@ # Implementing redis configuration return array ( # For single server setup APCu is recommended, for multi server setup Redis - 'memcache.local' => '\\OC\\Memcache\\{% if deployment_mode == "single" %}APCu{% else %}Redis{% endif %}', + 'memcache.local' => '\\OC\\Memcache\\{% if DEPLOYMENT_MODE == "single" %}APCu{% else %}Redis{% endif %}', # The following lines are configured via the environment variables # 'memcache.locking' => '\\OC\\Memcache\\Redis', # 'redis' => diff --git a/roles/web-app-nextcloud/templates/nginx/docker.conf.j2 b/roles/web-app-nextcloud/templates/nginx/docker.conf.j2 index 2eac2808..194de40c 100644 --- a/roles/web-app-nextcloud/templates/nginx/docker.conf.j2 +++ b/roles/web-app-nextcloud/templates/nginx/docker.conf.j2 @@ -5,7 +5,7 @@ worker_processes auto; # @see https://chatgpt.com/share/67aa3ce9-eea0-800f-85e8-ac54a3810b13 -error_log /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %}; +error_log /proc/self/fd/2 {% if MODE_DEBUG | bool %}debug{% else %}warn{% endif %}; pid /var/run/nginx.pid; diff --git a/roles/web-app-oauth2-proxy/config/main.yml b/roles/web-app-oauth2-proxy/config/main.yml index 7e35e11b..58294c8e 100644 --- a/roles/web-app-oauth2-proxy/config/main.yml +++ b/roles/web-app-oauth2-proxy/config/main.yml @@ -9,4 +9,4 @@ features: server: domains: canonical: - - oauth2-proxy.{{ primary_domain }} + - oauth2-proxy.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 index 7ee0d63d..099f3a8d 100644 --- a/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 +++ b/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 
@@ -3,7 +3,7 @@ cookie_secret = "{{ applications | get_app_conf(oauth2_proxy_applica cookie_secure = "true" # True is necessary to force the cookie set via https upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.port', True) }}" cookie_domains = ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('web-app-keycloak') }}"] # Required so cookie can be read on all subdomains. -whitelist_domains = [".{{ primary_domain }}"] # Required to allow redirection back to original requested target. +whitelist_domains = [".{{ PRIMARY_DOMAIN }}"] # Required to allow redirection back to original requested target. # keycloak provider client_secret = "{{ oidc.client.secret }}" @@ -20,7 +20,7 @@ oidc_groups_claim = "{{ oidc.claims.groups }}" allowed_groups = {{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', True) | tojson }} email_domains = ["*"] {% else %} -email_domains = "{{ primary_domain }}" +email_domains = "{{ PRIMARY_DOMAIN }}" {% endif %} session_store_type = "redis" diff --git a/roles/web-app-openproject/config/main.yml b/roles/web-app-openproject/config/main.yml index 6271f53c..c06a3403 100644 --- a/roles/web-app-openproject/config/main.yml +++ b/roles/web-app-openproject/config/main.yml @@ -27,7 +27,7 @@ server: unsafe-inline: true domains: canonical: - - "project.{{ primary_domain }}" + - "project.{{ PRIMARY_DOMAIN }}" docker: services: diff --git a/roles/web-app-openproject/tasks/01_ldap.yml b/roles/web-app-openproject/tasks/01_ldap.yml index 9adcf584..db504523 100644 --- a/roles/web-app-openproject/tasks/01_ldap.yml +++ b/roles/web-app-openproject/tasks/01_ldap.yml 
@@ -83,12 +83,12 @@ login_port: "{{ database_port }}" query: "SELECT id, name FROM ldap_auth_sources" register: ldap_entries - when: enable_debug | bool + when: MODE_DEBUG | bool - name: Debug LDAP entries debug: var: ldap_entries - when: enable_debug | bool + when: MODE_DEBUG | bool # This works just after the first admin login # @todo Remove and replace trough LDAP RBAC group @@ -96,7 +96,7 @@ shell: > docker compose exec web bash -c " cd /app && - RAILS_ENV={{ INFINITO_ENVIRONMENT | lower }} bundle exec rails runner \" + RAILS_ENV={{ ENVIRONMENT | lower }} bundle exec rails runner \" user = User.find_by(mail: '{{ users.administrator.email }}'); if user.nil?; puts 'User with email {{ users.administrator.email }} not found.'; diff --git a/roles/web-app-openproject/tasks/main.yml b/roles/web-app-openproject/tasks/main.yml index 5a2c6193..02c2f364 100644 --- a/roles/web-app-openproject/tasks/main.yml +++ b/roles/web-app-openproject/tasks/main.yml @@ -29,7 +29,7 @@ - name: Set settings in OpenProject shell: > docker compose exec web bash -c "cd /app && - RAILS_ENV={{ INFINITO_ENVIRONMENT | lower }} bundle exec rails runner \"Setting[:{{ item.key }}] = '{{ item.value }}'\"" + RAILS_ENV={{ ENVIRONMENT | lower }} bundle exec rails runner \"Setting[:{{ item.key }}] = '{{ item.value }}'\"" args: chdir: "{{ docker_compose.directories.instance }}" loop: "{{ openproject_rails_settings | dict2items }}" diff --git a/roles/web-app-openproject/vars/ldap.yml b/roles/web-app-openproject/vars/ldap.yml index aaf75a8b..b1f53d2a 100644 --- a/roles/web-app-openproject/vars/ldap.yml +++ b/roles/web-app-openproject/vars/ldap.yml 
@@ -1,5 +1,5 @@ openproject_ldap: - name: "{{ primary_domain }}" # Display name for the LDAP connection in OpenProject + name: "{{ PRIMARY_DOMAIN }}" # Display name for the LDAP connection in OpenProject host: "{{ ldap.server.domain }}" # LDAP server address port: "{{ ldap.server.port }}" # LDAP server port (typically 389 or 636) account: "{{ ldap.dn.administrator.data }}" # Bind DN (used for authentication) diff --git a/roles/web-app-peertube/config/main.yml b/roles/web-app-peertube/config/main.yml index 527cd32e..14986bf8 100644 --- a/roles/web-app-peertube/config/main.yml +++ b/roles/web-app-peertube/config/main.yml @@ -23,9 +23,9 @@ server: - "data:" domains: canonical: - - "video.{{ primary_domain }}" + - "video.{{ PRIMARY_DOMAIN }}" aliases: - - "videos.{{ primary_domain }}" + - "videos.{{ PRIMARY_DOMAIN }}" docker: services: redis: diff --git a/roles/web-app-pgadmin/config/main.yml b/roles/web-app-pgadmin/config/main.yml index cb8a3289..75f3cd88 100644 --- a/roles/web-app-pgadmin/config/main.yml +++ b/roles/web-app-pgadmin/config/main.yml @@ -25,7 +25,7 @@ server: - "data:" domains: canonical: - - pgadmin.{{ primary_domain }} + - pgadmin.{{ PRIMARY_DOMAIN }} docker: services: database: diff --git a/roles/web-app-pgadmin/users/main.yml b/roles/web-app-pgadmin/users/main.yml index 0e8e6748..6374b715 100644 --- a/roles/web-app-pgadmin/users/main.yml +++ b/roles/web-app-pgadmin/users/main.yml @@ -1,3 +1,3 @@ users: administrator: - email: "administrator@{{ primary_domain }}" \ No newline at end of file + email: "administrator@{{ PRIMARY_DOMAIN }}" \ No newline at end of file diff --git a/roles/web-app-phpldapadmin/config/main.yml b/roles/web-app-phpldapadmin/config/main.yml index 4c9ae46c..d9cde459 100644 --- a/roles/web-app-phpldapadmin/config/main.yml +++ b/roles/web-app-phpldapadmin/config/main.yml @@ -14,4 +14,4 @@ features: server: domains: canonical: - - phpldapadmin.{{ primary_domain }} + - phpldapadmin.{{ PRIMARY_DOMAIN }} 
diff --git a/roles/web-app-phpmyadmin/config/main.yml b/roles/web-app-phpmyadmin/config/main.yml index 1c2b9526..c2e4db20 100644 --- a/roles/web-app-phpmyadmin/config/main.yml +++ b/roles/web-app-phpmyadmin/config/main.yml @@ -21,10 +21,10 @@ server: unsafe-inline: true domains: aliases: - - "mysql.{{ primary_domain }}" - - "mariadb.{{ primary_domain }}" + - "mysql.{{ PRIMARY_DOMAIN }}" + - "mariadb.{{ PRIMARY_DOMAIN }}" canonical: - - phpmyadmin.{{ primary_domain }} + - phpmyadmin.{{ PRIMARY_DOMAIN }} docker: services: database: diff --git a/roles/web-app-pixelfed/config/main.yml b/roles/web-app-pixelfed/config/main.yml index 84186301..1e373430 100644 --- a/roles/web-app-pixelfed/config/main.yml +++ b/roles/web-app-pixelfed/config/main.yml @@ -1,4 +1,4 @@ -titel: "Pictures on {{primary_domain}}" +titel: "Pictures on {{PRIMARY_DOMAIN}}" features: matomo: true css: false # Needs to be reactivated @@ -22,9 +22,9 @@ server: - "*" domains: canonical: - - "picture.{{ primary_domain }}" + - "picture.{{ PRIMARY_DOMAIN }}" aliases: - - "pictures.{{ primary_domain }}" + - "pictures.{{ PRIMARY_DOMAIN }}" docker: services: redis: diff --git a/roles/web-app-pixelfed/templates/env.j2 b/roles/web-app-pixelfed/templates/env.j2 index 43e9315e..91e4d60f 100644 --- a/roles/web-app-pixelfed/templates/env.j2 +++ b/roles/web-app-pixelfed/templates/env.j2 @@ -3,8 +3,8 @@ APP_KEY={{applications | get_app_conf(application_id, 'credentials.app_key', Tru ## General Settings APP_NAME="{{ pixelfed_titel }}" -APP_ENV={{ INFINITO_ENVIRONMENT | lower }} -APP_DEBUG={{enable_debug | string | lower }} +APP_ENV={{ ENVIRONMENT | lower }} +APP_DEBUG={{MODE_DEBUG | string | lower }} APP_URL={{ domains | get_url(application_id, WEB_PROTOCOL) }} APP_DOMAIN="{{domains | get_domain(application_id)}}" ADMIN_DOMAIN="{{domains | get_domain(application_id)}}" diff --git a/roles/web-app-port-ui/config/main.yml b/roles/web-app-port-ui/config/main.yml index 7d12b6f3..065bcb1f 100644 
--- a/roles/web-app-port-ui/config/main.yml +++ b/roles/web-app-port-ui/config/main.yml @@ -20,7 +20,7 @@ server: connect-src: - https://ka-f.fontawesome.com frame-src: - - "{{ WEB_PROTOCOL }}://*.{{primary_domain}}" + - "{{ WEB_PROTOCOL }}://*.{{PRIMARY_DOMAIN}}" flags: style-src: unsafe-inline: true @@ -30,5 +30,5 @@ server: unsafe-inline: true domains: canonical: - - "{{ primary_domain }}" + - "{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-port-ui/tasks/01_core.yml b/roles/web-app-port-ui/tasks/01_core.yml index 260230dc..83abea09 100644 --- a/roles/web-app-port-ui/tasks/01_core.yml +++ b/roles/web-app-port-ui/tasks/01_core.yml @@ -37,7 +37,7 @@ portfolio_menu_categories: "{{ portfolio_menu_categories}}" portfolio_menu_data: "{{ portfolio_menu_data }}" service_provider: "{{ service_provider }}" - when: enable_debug | bool + when: MODE_DEBUG | bool - name: Copy host-specific config.yaml if it exists template: diff --git a/roles/web-app-port-ui/templates/javascript.js.j2 b/roles/web-app-port-ui/templates/javascript.js.j2 index 2577a75a..b64b08c7 100644 --- a/roles/web-app-port-ui/templates/javascript.js.j2 +++ b/roles/web-app-port-ui/templates/javascript.js.j2 @@ -1,8 +1,8 @@ window.addEventListener("message", function(event) { - const allowedSuffix = ".{{ primary_domain }}"; + const allowedSuffix = ".{{ PRIMARY_DOMAIN }}"; const origin = event.origin; - // 1. Only allow messages from *.{{ primary_domain }} + // 1. Only allow messages from *.{{ PRIMARY_DOMAIN }} if (!origin.endsWith(allowedSuffix)) return; const data = event.data; @@ -12,7 +12,7 @@ window.addEventListener("message", function(event) { try { const hrefUrl = new URL(data.href); - // 3. Only allow redirects to *.{{ primary_domain }} + // 3. Only allow redirects to *.{{ PRIMARY_DOMAIN }} if (!hrefUrl.hostname.endsWith(allowedSuffix)) return; // 4. Update the ?iframe= parameter in the browser URL 
@@ -25,6 +25,6 @@ window.addEventListener("message", function(event) { } }); -{% if enable_debug | bool %} +{% if MODE_DEBUG | bool %} console.log("[iframe-sync] Listener for iframe messages is active."); {% endif %} diff --git a/roles/web-app-pretix/config/main.yml b/roles/web-app-pretix/config/main.yml index b18a530f..bae548fb 100644 --- a/roles/web-app-pretix/config/main.yml +++ b/roles/web-app-pretix/config/main.yml @@ -24,7 +24,7 @@ server: flags: {} # Flags which should be set domains: canonical: - - "pretix.{{ primary_domain }}" + - "pretix.{{ PRIMARY_DOMAIN }}" aliases: [] # Alias redirections to the first element of the canonical domains rbac: roles: {} diff --git a/roles/web-app-roulette-wheel/config/main.yml b/roles/web-app-roulette-wheel/config/main.yml index d7153879..b7a76c55 100644 --- a/roles/web-app-roulette-wheel/config/main.yml +++ b/roles/web-app-roulette-wheel/config/main.yml @@ -3,4 +3,4 @@ features: server: domains: canonical: - - "wheel.{{ primary_domain }}" + - "wheel.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-snipe-it/config/main.yml b/roles/web-app-snipe-it/config/main.yml index 5bac7fa3..33c76124 100644 --- a/roles/web-app-snipe-it/config/main.yml +++ b/roles/web-app-snipe-it/config/main.yml @@ -9,7 +9,7 @@ features: server: domains: canonical: - - "inventory.{{ primary_domain }}" + - "inventory.{{ PRIMARY_DOMAIN }}" csp: flags: script-src: diff --git a/roles/web-app-snipe-it/templates/env.j2 b/roles/web-app-snipe-it/templates/env.j2 index 82b23bd1..70909d41 100644 --- a/roles/web-app-snipe-it/templates/env.j2 +++ b/roles/web-app-snipe-it/templates/env.j2 
@@ -1,8 +1,8 @@ # -------------------------------------------- # REQUIRED: BASIC APP SETTINGS # -------------------------------------------- -APP_ENV={{ INFINITO_ENVIRONMENT | lower }} -APP_DEBUG={{enable_debug | string | lower }} +APP_ENV={{ ENVIRONMENT | lower }} +APP_DEBUG={{MODE_DEBUG | string | lower }} APP_KEY={{ applications | get_app_conf(application_id, 'credentials.app_key', True)}} APP_URL={{ snipe_it_url }} # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - TZ identifier diff --git a/roles/web-app-sphinx/config/main.yml b/roles/web-app-sphinx/config/main.yml index 571533c4..047be3d6 100644 --- a/roles/web-app-sphinx/config/main.yml +++ b/roles/web-app-sphinx/config/main.yml @@ -15,4 +15,4 @@ server: unsafe-inline: true domains: canonical: - - "docs.{{ primary_domain }}" + - "docs.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-syncope/config/main.yml b/roles/web-app-syncope/config/main.yml index 95bf3059..14bf4c3b 100644 --- a/roles/web-app-syncope/config/main.yml +++ b/roles/web-app-syncope/config/main.yml @@ -16,4 +16,4 @@ features: server: domains: canonical: - - syncope.{{ primary_domain }} + - syncope.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-taiga/config/main.yml b/roles/web-app-taiga/config/main.yml index 26adc867..11630171 100644 --- a/roles/web-app-taiga/config/main.yml +++ b/roles/web-app-taiga/config/main.yml @@ -30,4 +30,4 @@ server: unsafe-eval: true domains: canonical: - - "kanban.{{ primary_domain }}" + - "kanban.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-wordpress/config/main.yml b/roles/web-app-wordpress/config/main.yml index ba2d8691..0b85d930 100644 --- a/roles/web-app-wordpress/config/main.yml +++ b/roles/web-app-wordpress/config/main.yml 
@@ -32,7 +32,7 @@ server: script-src-elem: - "https://cdn.gtranslate.net" # Necessary for translation plugins - "https://translate.google.com" # Necessary for translation plugins - - "blog.{{ primary_domain }}" + - "blog.{{ PRIMARY_DOMAIN }}" style-src: - "https://fonts.bunny.net" frame-src: @@ -40,7 +40,7 @@ server: - "*" domains: canonical: - - "blog.{{ primary_domain }}" + - "blog.{{ PRIMARY_DOMAIN }}" docker: services: database: diff --git a/roles/web-app-wordpress/templates/env.j2 b/roles/web-app-wordpress/templates/env.j2 index 54db2cbc..da90d3a0 100644 --- a/roles/web-app-wordpress/templates/env.j2 +++ b/roles/web-app-wordpress/templates/env.j2 @@ -4,6 +4,6 @@ WORDPRESS_DB_PASSWORD= "{{database_password}}" WORDPRESS_DB_NAME= "{{database_name}}" # Debug flags -WP_DEBUG={{ enable_debug | lower }} -WP_DEBUG_LOG={{ enable_debug | lower }} -WP_DEBUG_DISPLAY={{ enable_debug | lower }} +WP_DEBUG={{ MODE_DEBUG | lower }} +WP_DEBUG_LOG={{ MODE_DEBUG | lower }} +WP_DEBUG_DISPLAY={{ MODE_DEBUG | lower }} diff --git a/roles/web-app-wordpress/users/main.yml b/roles/web-app-wordpress/users/main.yml index f33c641d..61cea876 100644 --- a/roles/web-app-wordpress/users/main.yml +++ b/roles/web-app-wordpress/users/main.yml @@ -1,4 +1,4 @@ users: # Credentials administrator: # Wordpress administrator username: "administrator" - email: "administrator@{{ primary_domain }}" \ No newline at end of file + email: "administrator@{{ PRIMARY_DOMAIN }}" \ No newline at end of file diff --git a/roles/web-app-wordpress/vars/discourse.yml b/roles/web-app-wordpress/vars/discourse.yml index 193ef60d..997503b6 100644 --- a/roles/web-app-wordpress/vars/discourse.yml +++ b/roles/web-app-wordpress/vars/discourse.yml @@ -242,4 +242,4 @@ discourse_settings: # - name: discourse_logs key: logs-enabled - value: "{{ enable_debug }}" + value: "{{ MODE_DEBUG }}" diff --git a/roles/web-app-wordpress/vars/oidc.yml b/roles/web-app-wordpress/vars/oidc.yml index 7c41fb5f..ac84481b 100644 
--- a/roles/web-app-wordpress/vars/oidc.yml +++ b/roles/web-app-wordpress/vars/oidc.yml @@ -17,7 +17,7 @@ oidc_settings: redirect_on_logout: true # Redirect users after logout to the login screen or homepage. redirect_user_back: true # Return users to their original URL after successful login. #acr_values: "{{ oidc.client.acr_values | default('') }}" # ACR values defining required authentication context (e.g., MFA level). - enable_logging: "{{ enable_debug }}" # Enable detailed plugin logging for debugging and auditing. + enable_logging: "{{ MODE_DEBUG }}" # Enable detailed plugin logging for debugging and auditing. # log_limit: "{{ oidc.client.log_limit | default('') }}" # Maximum number of log entries to retain before pruning. no_sslverify: false # The flag to enable/disable SSL verification during authorization. http_request_timeout: 5 # The timeout for requests made to the IDP. Default value is 5. diff --git a/roles/web-app-xmpp/config/main.yml b/roles/web-app-xmpp/config/main.yml index b7b49bc5..70034684 100644 --- a/roles/web-app-xmpp/config/main.yml +++ b/roles/web-app-xmpp/config/main.yml @@ -4,4 +4,4 @@ features: server: domains: canonical: - - xmpp.{{ primary_domain }} + - xmpp.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-app-yourls/config/main.yml b/roles/web-app-yourls/config/main.yml index ea01f321..3d26482d 100644 --- a/roles/web-app-yourls/config/main.yml +++ b/roles/web-app-yourls/config/main.yml @@ -16,9 +16,9 @@ features: server: domains: canonical: - - "s.{{ primary_domain }}" + - "s.{{ PRIMARY_DOMAIN }}" aliases: - - "short.{{ primary_domain }}" + - "short.{{ PRIMARY_DOMAIN }}" csp: flags: style-src: diff --git a/roles/web-opt-rdr-www/README.md b/roles/web-opt-rdr-www/README.md index f782f4df..193238b2 100644 --- a/roles/web-opt-rdr-www/README.md +++ b/roles/web-opt-rdr-www/README.md 
@@ -6,12 +6,12 @@ Automates the creation of Nginx server blocks that redirect all `www.` subdomain ## Overview This role will: - **Discover** existing `*.conf` vhosts in your Nginx servers directory -- **Filter** domains with or without your `primary_domain` +- **Filter** domains with or without your `PRIMARY_DOMAIN` - **Generate** redirect rules via the `web-opt-rdr-domains` role - **Optionally** include a wildcard redirect template (experimental) ⭐️ - **Clean up** leftover configs when running in cleanup mode 🧹 -All tasks are guarded by “run once” facts and `mode_cleanup` flags to avoid unintended re-runs or stale files. +All tasks are guarded by “run once” facts and `MODE_CLEANUP` flags to avoid unintended re-runs or stale files. ## Purpose Ensure that any request to `www.example.com` automatically and permanently redirects to `https://example.com`, improving user experience, SEO, and certificate management. 🎯 @@ -20,5 +20,5 @@ Ensure that any request to `www.example.com` automatically and permanently redir - **Auto-Discovery**: Scans your Nginx `servers` directory for `.conf` files. 🔍 - **Dynamic Redirects**: Builds `source: "www.domain"` → `target: "domain"` mappings on the fly. 🔧 - **Wildcard Redirect**: Includes a templated wildcard server block for `www.*` domains (toggleable). ✨ -- **Cleanup Mode**: Removes the wildcard config file when `certbot_flavor` is set to `dedicated` and `mode_cleanup` is enabled. 🗑️ -- **Debug Output**: Optional `enable_debug` gives detailed variable dumps for troubleshooting. 🐛 +- **Cleanup Mode**: Removes the wildcard config file when `CERTBOT_FLAVOR` is set to `dedicated` and `MODE_CLEANUP` is enabled. 🗑️ +- **Debug Output**: Optional `MODE_DEBUG` gives detailed variable dumps for troubleshooting. 🐛 diff --git a/roles/web-opt-rdr-www/tasks/main.yml b/roles/web-opt-rdr-www/tasks/main.yml index f2e492b2..8aa61cd5 100644 --- a/roles/web-opt-rdr-www/tasks/main.yml +++ b/roles/web-opt-rdr-www/tasks/main.yml 
@@ -20,8 +20,8 @@ include_role: name: srv-web-7-7-dns-records vars: - cloudflare_api_token: "{{ certbot_dns_api_token }}" + cloudflare_api_token: "{{ CERTBOT_DNS_API_TOKEN }}" cloudflare_domains: "{{ www_domains }}" cloudflare_target_ip: "{{ networks.internet.ip4 }}" cloudflare_proxied: false - when: dns_provider == 'cloudflare' + when: DNS_PROVIDER == 'cloudflare' diff --git a/roles/web-svc-asset/config/main.yml b/roles/web-svc-asset/config/main.yml index 4e326ec0..bd2788e2 100644 --- a/roles/web-svc-asset/config/main.yml +++ b/roles/web-svc-asset/config/main.yml @@ -3,4 +3,4 @@ url: "{{ WEB_PROTOCOL }}://<< defaults_applications['web-svc-file'] server: domains: canonical: - - asset.{{ primary_domain }} + - asset.{{ PRIMARY_DOMAIN }} diff --git a/roles/web-svc-cdn/config/main.yml b/roles/web-svc-cdn/config/main.yml index fac88b15..0bde48f1 100644 --- a/roles/web-svc-cdn/config/main.yml +++ b/roles/web-svc-cdn/config/main.yml @@ -5,4 +5,4 @@ features: server: domains: canonical: - - "cdn.{{ primary_domain }}" + - "cdn.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-svc-file/config/main.yml b/roles/web-svc-file/config/main.yml index 0487dc27..fcce885c 100644 --- a/roles/web-svc-file/config/main.yml +++ b/roles/web-svc-file/config/main.yml @@ -5,6 +5,6 @@ features: server: domains: canonical: - - "file.{{ primary_domain }}" + - "file.{{ PRIMARY_DOMAIN }}" alias: - - "files.{{ primary_domain }}" + - "files.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-svc-html/config/main.yml b/roles/web-svc-html/config/main.yml index 43c60b9f..d41b1726 100644 --- a/roles/web-svc-html/config/main.yml +++ b/roles/web-svc-html/config/main.yml @@ -5,4 +5,4 @@ features: server: domains: canonical: - - "html.{{ primary_domain }}" + - "html.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-svc-html/vars/main.yml b/roles/web-svc-html/vars/main.yml index 31724162..5ac8d613 100644 --- a/roles/web-svc-html/vars/main.yml +++ b/roles/web-svc-html/vars/main.yml 
@@ -1,2 +1,2 @@ application_id: "web-svc-html" -domain: "{{domains | get_domain(application_id)}}" \ No newline at end of file +domain: "{{domains | get_domain(application_id)}}" diff --git a/roles/web-svc-logout/config/main.yml b/roles/web-svc-logout/config/main.yml index c3e2f03a..89e03f38 100644 --- a/roles/web-svc-logout/config/main.yml +++ b/roles/web-svc-logout/config/main.yml @@ -7,7 +7,7 @@ features: server: domains: canonical: - - "logout.{{ primary_domain }}" + - "logout.{{ PRIMARY_DOMAIN }}" csp: flags: style-src: @@ -16,8 +16,8 @@ server: unsafe-inline: true whitelist: connect-src: - - "{{ WEB_PROTOCOL }}://*.{{ primary_domain }}" - - "{{ WEB_PROTOCOL }}://{{ primary_domain }}" + - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}" + - "{{ WEB_PROTOCOL }}://{{ PRIMARY_DOMAIN }}" script-src-elem: - https://cdn.jsdelivr.net style-src: diff --git a/roles/web-svc-simpleicons/config/main.yml b/roles/web-svc-simpleicons/config/main.yml index 73aedc81..9ed9d871 100644 --- a/roles/web-svc-simpleicons/config/main.yml +++ b/roles/web-svc-simpleicons/config/main.yml @@ -20,7 +20,7 @@ server: csp: {} domains: canonical: - - "icons.{{ primary_domain }}" + - "icons.{{ PRIMARY_DOMAIN }}" rbac: roles: mail-bot: diff --git a/tasks/stages/01_constructor.yml b/tasks/stages/01_constructor.yml index edac2ed3..acbe6aa8 100644 --- a/tasks/stages/01_constructor.yml +++ b/tasks/stages/01_constructor.yml @@ -2,7 +2,7 @@ - name: "Debug: allowed_applications" debug: msg: "{{ allowed_applications }}" - when: enable_debug | bool + when: MODE_DEBUG | bool - name: Merge variables block: @@ -30,7 +30,7 @@ set_fact: current_play_domains: >- {{ current_play_applications | - canonical_domains_map(primary_domain) | + canonical_domains_map(PRIMARY_DOMAIN) | combine(domains | default({}, true), recursive=True) }} 
@@ -39,7 +39,7 @@ domains: >- {{ defaults_applications | - canonical_domains_map(primary_domain) | + canonical_domains_map(PRIMARY_DOMAIN) | combine(current_play_domains, recursive=True) }} - name: Merge redirect_domain_mappings @@ -56,7 +56,7 @@ redirect_domain_mappings: >- {{ current_play_applications | - domain_mappings(primary_domain) | + domain_mappings(PRIMARY_DOMAIN) | merge_mapping(redirect_domain_mappings, 'source') }} @@ -99,7 +99,7 @@ - name: update device include_role: name: update-compose - when: mode_update | bool + when: MODE_UPDATE | bool - name: "Load base roles" include_tasks: "./tasks/groups/{{ item }}-roles.yml" diff --git a/tasks/utils/debug/README.md b/tasks/utils/debug/README.md index a391a05f..3f3a08e5 100644 --- a/tasks/utils/debug/README.md +++ b/tasks/utils/debug/README.md @@ -24,7 +24,7 @@ Optionally, enable it conditionally: ```yaml - import_tasks: utils/debug/main.yml - when: enable_debug | default(false) + when: MODE_DEBUG | default(false) ``` **Note:** diff --git a/templates/roles/web-app/users/main.yml b/templates/roles/web-app/users/main.yml index 721c7636..cac2eac4 100644 --- a/templates/roles/web-app/users/main.yml +++ b/templates/roles/web-app/users/main.yml @@ -2,6 +2,6 @@ users: demo: username: demo - email: "demo@{{ primary_domain }}" + email: "demo@{{ PRIMARY_DOMAIN }}" roles: [] description: Demo User \ No newline at end of file diff --git a/tests/integration/test_mode_reset.py b/tests/integration/test_mode_reset.py index 69307c1c..432b76a6 100644 --- a/tests/integration/test_mode_reset.py +++ b/tests/integration/test_mode_reset.py 
@@ -8,11 +8,11 @@ BASE_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../roles' class TestModeResetIntegration(unittest.TestCase): """ - Verify that a role either mentioning 'mode_reset' under tasks/ OR containing a reset file: + Verify that a role either mentioning 'MODE_RESET' under tasks/ OR containing a reset file: - provides a *_reset.yml (or reset.yml) in tasks/, - includes it exactly once across tasks/*.yml, - and the include is guarded in the SAME task block by a non-commented `when` - that contains `mode_reset | bool` (inline, list, or array). + that contains `MODE_RESET | bool` (inline, list, or array). Additional conditions (e.g., `and something`) are allowed. Commented-out conditions (e.g., `#when: ...` or `# include_tasks: ...`) do NOT count. """ @@ -33,12 +33,12 @@ class TestModeResetIntegration(unittest.TestCase): if fname.lower().endswith(('.yml', '.yaml')): task_files.append(os.path.join(root, fname)) - # Detect any 'mode_reset' usage + # Detect any 'MODE_RESET' usage mode_reset_found = False for fp in task_files: try: with open(fp, 'r', encoding='utf-8') as f: - if 'mode_reset' in f.read(): + if 'MODE_RESET' in f.read(): mode_reset_found = True break except (UnicodeDecodeError, OSError): @@ -55,11 +55,11 @@ class TestModeResetIntegration(unittest.TestCase): ] # Decide if this role must be validated: - # - if it mentions mode_reset anywhere under tasks/, OR + # - if it mentions MODE_RESET anywhere under tasks/, OR # - if it has a reset file in tasks/ root should_check = mode_reset_found or bool(reset_files) if not should_check: - self.skipTest(f"Role '{role_name}': no mode_reset usage and no reset file found.") + self.skipTest(f"Role '{role_name}': no MODE_RESET usage and no reset file found.") # If we check, a reset file MUST exist self.assertTrue( 
@@ -108,7 +108,7 @@ class TestModeResetIntegration(unittest.TestCase): f"found {len(include_occurrences)}." ) - # Verify a proper 'when' containing 'mode_reset | bool' exists in the SAME task block + # Verify a proper 'when' containing 'MODE_RESET | bool' exists in the SAME task block include_fp, included_rf, span = include_occurrences[0] with open(include_fp, 'r', encoding='utf-8') as f: @@ -138,17 +138,17 @@ class TestModeResetIntegration(unittest.TestCase): # - Allow additional conditions inline (and/or/parentheses/etc.) # - Support list form and yaml array form when_inline = re.search( - r'(?m)^(? 1} + + if duplicates: + msg_lines = [ + "Found constants defined more than once. " + "ALL-CAPS variables are treated as constants and must be defined only once project-wide.\n" + "Please consolidate each duplicated constant into a single authoritative location (e.g., one vars/defaults file).", + "", + ] + for const, files in sorted(duplicates.items()): + msg_lines.append(f"* {const} defined in {len(files)} files:") + for f in files: + msg_lines.append(f" - {f}") + msg_lines.append("") # spacer + self.fail("\n".join(msg_lines)) + + +if __name__ == "__main__": + unittest.main()