Renamed general and mode constants and implemented a check to verify that constants are just defined ones over the whole repository

2025-08-29 15:06:26 +02:00 · 2025-08-13 19:10:44 +02:00
parent 004507e233
commit db0e030900
171 changed files with 474 additions and 345 deletions
--- a/roles/desk-ssh/tasks/01_core.yml
+++ b/roles/desk-ssh/tasks/01_core.yml
@@ -15,7 +15,7 @@
 - name: Warn if repo is not reachable
  debug:
    msg: "Warning: Repository is not reachable."
-  when: git_result.failed and enable_debug | bool
+  when: git_result.failed and MODE_DEBUG | bool

 - name: Ensure systemd user directory exists
  file:
--- a/roles/docker-compose/README.md
+++ b/roles/docker-compose/README.md
@@ -8,7 +8,7 @@ Refer to the [Docker Compose documentation](https://docs.docker.com/compose/), t

 ## Overview

-This role creates a flexible directory layout for managing Docker Compose projects across environments. It ensures directories are initialized, optionally reset, and kept clean using internal flags like `mode_reset` or `mode_cleanup`.
+This role creates a flexible directory layout for managing Docker Compose projects across environments. It ensures directories are initialized, optionally reset, and kept clean using internal flags like `MODE_RESET` or `MODE_CLEANUP`.

 ## Purpose

@@ -17,7 +17,7 @@ To offer a centralized, extensible system for managing containerized application
 ## Features

 - **Dynamic Directory Structure:** Creates per-application instance folders for Compose setups.
- **Reset Logic:** Cleans previous Compose project files and data when `mode_reset` is enabled.
+- **Reset Logic:** Cleans previous Compose project files and data when `MODE_RESET` is enabled.
 - **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers.
 - **Template-ready Service Files:** Predefined service base and health check templates.
 - **Integration Support:** Compatible with `srv-proxy-7-4-core` and other Infinito.Nexus service roles.
--- a/roles/docker-compose/tasks/main.yml
+++ b/roles/docker-compose/tasks/main.yml
@@ -10,7 +10,7 @@

 - name: "reset (if enabled)"
  include_tasks: 01_reset.yml
-  when: mode_reset | bool
+  when: MODE_RESET | bool

 # This could lead to problems in docker-compose directories which are based on a git repository
 # @todo Verify that this isn't the case. E.g. in accounting
--- a/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
@@ -16,7 +16,7 @@
    url: "{{ cf_api_url }}?name={{ domain | to_primary_domain }}"
    method: GET
    headers:
-      Authorization: "Bearer {{ certbot_dns_api_token }}"
+      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
      Content-Type: "application/json"
    return_content: yes
  register: cf_zone_lookup_dev
@@ -43,8 +43,8 @@

 - name: activate cloudflare cache development mode
  include_tasks: "cloudflare/02_enable_cf_dev_mode.yml"
-  when: (INFINITO_ENVIRONMENT | lower) == 'development' 
+  when: (ENVIRONMENT | lower) == 'development' 
  
 - name: purge cloudflare domain cache
  include_tasks: "cloudflare/01_cleanup.yml"
-  when: mode_cleanup | bool
+  when: MODE_CLEANUP | bool
--- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml
@@ -3,7 +3,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/purge_cache"
    method: POST
    headers:
-      Authorization: "Bearer {{ certbot_dns_api_token }}"
+      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
      Content-Type: "application/json"
    body:
      purge_everything: true
--- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml
@@ -1,7 +1,7 @@
 # roles/srv-proxy-6-6-domain/tasks/02_enable_cf_dev_mode.yml
 ---
 # Enables Cloudflare Development Mode (bypasses cache for ~3 hours).
-# Uses the same auth token as in 01_cleanup.yml: certbot_dns_api_token
+# Uses the same auth token as in 01_cleanup.yml: CERTBOT_DNS_API_TOKEN
 # Assumes `domain` and (optionally) `cf_zone_id` are available.
 # Safe to run repeatedly; only changes when the mode is not already "on".

@@ -10,7 +10,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
    method: GET
    headers:
-      Authorization: "Bearer {{ certbot_dns_api_token }}"
+      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
      Content-Type: "application/json"
    return_content: yes
  register: cf_dev_mode_current
@@ -20,7 +20,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
    method: PATCH
    headers:
-      Authorization: "Bearer {{ certbot_dns_api_token }}"
+      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
      Content-Type: "application/json"
    body:
      value: "on"
--- a/roles/srv-proxy-6-6-domain/tasks/main.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/main.yml
@@ -7,7 +7,7 @@
  when: run_once_srv_proxy_6_6_domain is not defined

 - include_tasks: "01_cloudflare.yml"
-  when: dns_provider == "cloudflare"
+  when: DNS_PROVIDER == "cloudflare"

 - include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml"
  vars:
--- a/roles/srv-proxy-6-6-tls-deploy/README.md
+++ b/roles/srv-proxy-6-6-tls-deploy/README.md
@@ -49,7 +49,7 @@ This script:

 **Usage:**
 ```sh
-sh srv-proxy-6-6-tls-deploy.sh primary_domain /path/to/docker/compose
+sh srv-proxy-6-6-tls-deploy.sh PRIMARY_DOMAIN /path/to/docker/compose
 ```

 ---
--- a/roles/srv-proxy-6-6-tls-deploy/SETUP.md
+++ b/roles/srv-proxy-6-6-tls-deploy/SETUP.md
@@ -4,33 +4,33 @@ If you enabled `enable_wildcard_certificate`, follow these steps to manually req
 ### **1️⃣ Run the Certbot Command 🖥️**
 ```sh
 certbot certonly --manual --preferred-challenges=dns --agree-tos \
--email administrator@primary_domain -d primary_domain -d "*.primary_domain"
+--email administrator@PRIMARY_DOMAIN -d PRIMARY_DOMAIN -d "*.PRIMARY_DOMAIN"
 ```

 ### **2️⃣ Add DNS TXT Record for Validation 📜**
 Certbot will prompt you to add a DNS TXT record:
 ```
 Please create a TXT record under the name:
-_acme-challenge.primary_domain.
+_acme-challenge.PRIMARY_DOMAIN.

 with the following value:
 9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA
 ```
 ➡ **Go to your DNS provider** and create a new **TXT record**:  
-   - **Host:** `_acme-challenge.primary_domain`  
+   - **Host:** `_acme-challenge.PRIMARY_DOMAIN`  
   - **Value:** `"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"`  
   - **TTL:** Set to **300 seconds (or lowest possible)**  

 ✅ **Verify the DNS record** before continuing:  
 ```sh
-dig TXT _acme-challenge.primary_domain @8.8.8.8
+dig TXT _acme-challenge.PRIMARY_DOMAIN @8.8.8.8
 ```

 ### **3️⃣ Complete the Certificate Request ✅**
 Once the DNS changes have propagated, **press Enter** in the Certbot terminal.  
 If successful, Certbot will save the certificates under:  
 ```
-/etc/letsencrypt/live/primary_domain/
+/etc/letsencrypt/live/PRIMARY_DOMAIN/
 ```
 - **fullchain.pem** → The certificate  
 - **privkey.pem** → The private key  
--- a/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.sh.j2
+++ b/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.sh.j2
@@ -12,11 +12,11 @@ docker_compose_instance_directory="$2"
 docker_compose_cert_directory="$docker_compose_instance_directory/volumes/certs"

 # Copy certificates
-cp -RvL "{{ letsencrypt_live_path }}/$ssl_cert_folder/"* "$docker_compose_cert_directory" || exit 1
+cp -RvL "{{ LETSENCRYPT_LIVE_PATH }}/$ssl_cert_folder/"* "$docker_compose_cert_directory" || exit 1

 # This code is optimized for mailu
-cp -v "{{ letsencrypt_live_path }}/$ssl_cert_folder/privkey.pem" "$docker_compose_cert_directory/key.pem" || exit 1
-cp -v "{{ letsencrypt_live_path }}/$ssl_cert_folder/fullchain.pem" "$docker_compose_cert_directory/cert.pem" || exit 1
+cp -v "{{ LETSENCRYPT_LIVE_PATH }}/$ssl_cert_folder/privkey.pem" "$docker_compose_cert_directory/key.pem" || exit 1
+cp -v "{{ LETSENCRYPT_LIVE_PATH }}/$ssl_cert_folder/fullchain.pem" "$docker_compose_cert_directory/cert.pem" || exit 1

 # Set correct reading rights
 chmod a+r -v "$docker_compose_cert_directory/"*
--- a/roles/srv-web-6-6-tls-core/README.md
+++ b/roles/srv-web-6-6-tls-core/README.md
@@ -24,7 +24,7 @@ The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domain
 - **ACME Challenge Selection:** Supports DNS plugins or webroot method automatically.
 - **Wildcard Certificate Management:** Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments.
 - **Safe Cleanup:** Ensures that no unused certificates are left behind.
- **Flexible Control:** Supports `mode_test` for staging environment testing and `mode_cleanup` for cert cleanup operations.
+- **Flexible Control:** Supports `MODE_TEST` for staging environment testing and `MODE_CLEANUP` for cert cleanup operations.

 ## 🔗 Learn More

--- a/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml
+++ b/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml
@@ -1,7 +1,7 @@
 - name: "Check if certificate already exists for {{ domain }}"
  cert_check_exists:
    domain: "{{ domain }}"
-    cert_base_path: "{{ letsencrypt_live_path }}"
+    cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
  register: cert_check

 - name: "receive certificate for {{ domain }}"
@@ -10,21 +10,21 @@
    --agree-tos 
    --email {{ users.administrator.email }}
    --non-interactive 
-    {% if certbot_acme_challenge_method != "webroot" %}
-    --dns-{{ certbot_acme_challenge_method }}
-    --dns-{{ certbot_acme_challenge_method }}-credentials {{ certbot_credentials_file }}
-    --dns-{{ certbot_acme_challenge_method }}-propagation-seconds {{ certbot_dns_propagation_wait_seconds }}
+    {% if CERTBOT_ACME_CHALLENGE_METHOD != "webroot" %}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-credentials {{ CERTBOT_CREDENTIALS_FILE }}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-propagation-seconds {{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}
    {% else %}
    --webroot 
-    -w {{ letsencrypt_webroot_path }}
+    -w {{ LETSENCRYPT_WEBROOT_PATH }}
    {% endif %}
    {% if wildcard_domain is defined and ( wildcard_domain | bool ) %}
-    -d {{ primary_domain }} 
-    -d *.{{ primary_domain }}
+    -d {{ PRIMARY_DOMAIN }} 
+    -d *.{{ PRIMARY_DOMAIN }}
    {% else %}
    -d {{ domain }}
    {% endif %}
-    {{ '--test-cert' if mode_test | bool else '' }}
+    {{ '--test-cert' if MODE_TEST | bool else '' }}
  register: certbot_result
  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
  when: not cert_check.exists
--- a/roles/srv-web-6-6-tls-core/tasks/flavors/san.yml
+++ b/roles/srv-web-6-6-tls-core/tasks/flavors/san.yml
@@ -10,15 +10,15 @@
        certbundle
        --domains "{{ current_play_domains_all | join(',') }}"
        --certbot-email "{{ users.administrator.email }}"
-        --certbot-acme-challenge-method "{{ certbot_acme_challenge_method }}"
+        --certbot-acme-challenge-method "{{ CERTBOT_ACME_CHALLENGE_METHOD }}"
        --chunk-size 100
-        {% if certbot_acme_challenge_method != 'webroot' %}
-        --certbot-credentials-file "{{ certbot_credentials_file }}"
-        --certbot-dns-propagation-seconds "{{ certbot_dns_propagation_wait_seconds }}"
+        {% if CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' %}
+        --certbot-credentials-file "{{ CERTBOT_CREDENTIALS_FILE }}"
+        --certbot-dns-propagation-seconds "{{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}"
        {% else %}
-        --letsencrypt-webroot-path "{{ letsencrypt_webroot_path }}"
+        --letsencrypt-webroot-path "{{ LETSENCRYPT_WEBROOT_PATH }}"
        {% endif %}
-        {{ '--mode-test' if mode_test | bool else '' }}
+        {{ '--mode-test' if MODE_TEST | bool else '' }}
      register: certbundle_result
      changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
      failed_when: >
--- a/roles/srv-web-6-6-tls-core/tasks/flavors/wildcard.yml
+++ b/roles/srv-web-6-6-tls-core/tasks/flavors/wildcard.yml
@@ -3,7 +3,7 @@
  vars:
    wildcard_domain: true
  when: 
-    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+    - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
    - run_once_receive_certificate is not defined  

 - name: "Load dedicated certificate for domain"
@@ -11,7 +11,7 @@
  vars:
    wildcard_domain: false
  when: 
-    - not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
+    - not (domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN))

 - name: run the receive_certificate tasks once
  set_fact:
--- a/roles/srv-web-6-6-tls-core/tasks/main.yml
+++ b/roles/srv-web-6-6-tls-core/tasks/main.yml
@@ -6,20 +6,20 @@
  - include_tasks: utils/run_once.yml
  when: run_once_srv_web_6_6_tls_core is not defined

- name: "Include flavor '{{ certbot_flavor }}' for '{{ domain }}'"
-  include_tasks: "{{ role_path }}/tasks/flavors/{{ certbot_flavor }}.yml"
+- name: "Include flavor '{{ CERTBOT_FLAVOR }}' for '{{ domain }}'"
+  include_tasks: "{{ role_path }}/tasks/flavors/{{ CERTBOT_FLAVOR }}.yml"

 #- name: "Cleanup dedicated cert for {{ domain }}"
 #  command: >-
 #    certbot delete --cert-name {{ domain }} --non-interactive
 #  when: 
-#    - mode_cleanup | bool
+#    - MODE_CLEANUP | bool
 #      # Cleanup mode is enabled
-#    - certbot_flavor != 'dedicated'
+#    - CERTBOT_FLAVOR != 'dedicated'
 #      # Wildcard certificate is enabled
-#    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+#    - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
 #      # AND: The domain is a direct first-level subdomain of the primary domain
-#    - domain != primary_domain  
+#    - domain != PRIMARY_DOMAIN  
 #      # The domain is not the primary domain
 #  register: certbot_result
 #  failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
@@ -28,8 +28,8 @@
 - name: "Find SSL cert folder for '{{ domain }}'"
  cert_folder_find:
    domain: "{{ domain }}"
-    cert_base_path: "{{ letsencrypt_live_path }}"
-    debug: "{{ enable_debug | default(false) }}"
+    cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
+    debug: "{{ MODE_DEBUG | default(false) }}"
  register: cert_folder_result
  delegate_to: "{{ inventory_hostname }}"
  changed_when: false
--- a/roles/srv-web-7-4-core/README.md
+++ b/roles/srv-web-7-4-core/README.md
@@ -14,11 +14,11 @@ This Ansible role installs and configures **Nginx** as a core HTTP/stream server
 * **Configurable reset and cleanup** modes to purge and recreate directories.
 * **Custom `nginx.conf`** template with sensible defaults for performance and security.
 * **Stream proxy support**: includes `stream` block for TCP/UDP proxies.
-* **Cache directory management**: cleanup and recreation based on `mode_cleanup`.
+* **Cache directory management**: cleanup and recreation based on `MODE_CLEANUP`.


 ## Debugging Tips

 * **General logs**: `journalctl -f -u nginx`
 * **Filter by host**: `journalctl -u nginx -f | grep "{{ inventory_hostname }}"`
-* **Enable detailed format**: set `enable_debug: true` and reload Nginx.
+* **Enable detailed format**: set `MODE_DEBUG: true` and reload Nginx.
--- a/roles/srv-web-7-4-core/tasks/01_core.yml
+++ b/roles/srv-web-7-4-core/tasks/01_core.yml
@@ -20,7 +20,7 @@

 - name: "reset (if enabled)"
  include_tasks: 02_reset.yml
-  when: mode_reset | bool
+  when: MODE_RESET | bool
  
 - name: Ensure nginx configuration directories are present
  file:
--- a/roles/srv-web-7-4-core/tasks/02_reset.yml
+++ b/roles/srv-web-7-4-core/tasks/02_reset.yml
@@ -1,4 +1,4 @@
- name: "Delete {{nginx.directories.configuration}} directory, when mode_reset"
+- name: "Delete {{nginx.directories.configuration}} directory, when MODE_RESET"
  file:
    path: "{{ nginx.directories.configuration }}"
    state: absent
--- a/roles/srv-web-7-4-core/tasks/03_cache_directories.yml
+++ b/roles/srv-web-7-4-core/tasks/03_cache_directories.yml
@@ -4,7 +4,7 @@
    path: "{{ item.value }}"
    state: absent
  when:
-    - mode_cleanup | bool
+    - MODE_CLEANUP | bool
    - run_once_nginx_reverse_proxy is not defined
  loop: "{{ nginx.directories.cache | dict2items }}"
  loop_control:
--- a/roles/srv-web-7-4-core/templates/nginx.conf.j2
+++ b/roles/srv-web-7-4-core/templates/nginx.conf.j2
@@ -24,7 +24,7 @@ http
  # --------------------------------------------------------------------------------

  {# logging and debugging #}
-{% if enable_debug | bool %}
+{% if MODE_DEBUG | bool %}
  {# individual log format for better debugging #}
  log_format debug '$host - $remote_addr [$time_local] '
                  '"$request" $status $body_bytes_sent '
--- a/roles/srv-web-7-6-https/README.md
+++ b/roles/srv-web-7-6-https/README.md
@@ -45,8 +45,8 @@ All tasks are idempotent—once your certificates are in place and your configur
 - A working `srv-web-7-4-core` setup.
 - DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
 - Variables:
-  - `letsencrypt_webroot_path`  
-  - `letsencrypt_live_path`  
+  - `LETSENCRYPT_WEBROOT_PATH`  
+  - `LETSENCRYPT_LIVE_PATH`  
  - `on_calendar_renew_lets_encrypt_certificates`

 ---
--- a/roles/srv-web-7-7-certbot/tasks/main.yml
+++ b/roles/srv-web-7-7-certbot/tasks/main.yml
@@ -6,34 +6,34 @@

 - name: install certbot DNS plugin
  community.general.pacman:
-    name: "certbot-dns-{{ certbot_acme_challenge_method }}"
+    name: "certbot-dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}"
    state: present
  when:
    - run_once_srv_web_7_7_certbot is not defined
-    - certbot_acme_challenge_method != 'webroot'
+    - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot'

 - name: Ensure /etc/certbot directory exists
  file:
-    path:   "{{ certbot_credentials_dir }}"
+    path:   "{{ CERTBOT_CREDENTIALS_DIR }}"
    state:  directory
    owner:  root
    group:  root
    mode:   '0755'
  when:
    - run_once_srv_web_7_7_certbot is not defined
-    - certbot_acme_challenge_method != 'webroot'
+    - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot'

 - name: Install plugin credentials file
  copy:
-    dest: "{{ certbot_credentials_file }}"
+    dest: "{{ CERTBOT_CREDENTIALS_FILE }}"
    content: |
-      dns_{{ certbot_acme_challenge_method }}_api_token = {{ certbot_dns_api_token }}
+      dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CERTBOT_DNS_API_TOKEN }}
    owner: root
    group: root
    mode: '0600'
  when:
    - run_once_srv_web_7_7_certbot is not defined
-    - certbot_acme_challenge_method != 'webroot'
+    - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot'

 - name: run the certbot role once
  set_fact:
--- a/roles/srv-web-7-7-dns-records/README.md
+++ b/roles/srv-web-7-7-dns-records/README.md
@@ -10,7 +10,7 @@ Looping over a provided list of domains (`cloudflare_domains`), this role:
 - Determines the zone name by extracting the last two labels of each domain.
 - Ensures an A-record for each domain points to the specified IP (`cloudflare_target_ip`).
 - Honors the `proxied` flag to switch between DNS-only and Cloudflare-proxied modes.
- Provides an optional debug task (`enable_debug`) to output the domain list before changes.
+- Provides an optional debug task (`MODE_DEBUG`) to output the domain list before changes.

 Ideal for environments where bulk or dynamic DNS updates are needed, this role abstracts away the complexity of Cloudflare’s zone and record API.

@@ -23,7 +23,7 @@ Cloudflare DNS Records delivers an idempotent, scalable solution for managing A-
 - **Automatic Zone Detection:** Parses each domain to derive its zone (`example.com`) without manual intervention.  
 - **Bulk Record Management:** Creates or updates A-records for all entries in `cloudflare_domains`.  
 - **Proxy Toggle:** Configure `proxied: true` or `false` per record to switch between DNS-only and proxied modes.  
- **Debug Support:** Enable `enable_debug` to print the domain list for validation before execution.  
+- **Debug Support:** Enable `MODE_DEBUG` to print the domain list for validation before execution.  
 - **Flexible Authentication:** Supports both API token (`api_token`) and Global API key + email.  
 - **Low-TTL Option:** Use `ttl: 1` for rapid DNS propagation during dynamic updates.

--- a/roles/srv-web-7-7-dns-records/tasks/main.yml
+++ b/roles/srv-web-7-7-dns-records/tasks/main.yml
@@ -2,7 +2,7 @@

 - name: Create or update Cloudflare A-record for {{ item }}
  community.general.cloudflare_dns:
-    api_token: "{{ certbot_dns_api_token }}"
+    api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
    zone: "{{ item.split('.')[-2:] | join('.') }}"
    state: present
    type: A
--- a/roles/srv-web-7-7-inj-compose/tasks/main.yml
+++ b/roles/srv-web-7-7-inj-compose/tasks/main.yml
@@ -10,7 +10,7 @@
  set_fact:
    inj_enabled:
      javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}"
-      logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == primary_domain) }}"
+      logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}"
      css: "{{ applications | get_app_conf(application_id, 'features.css', False) }}"
      matomo: "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}"
      port_ui: "{{ applications | get_app_conf(application_id, 'features.port-ui-desktop', False) }}"
@@ -39,7 +39,7 @@
  set_fact:
    inj_enabled:
      javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}"
-      logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == primary_domain) }}"
+      logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}"
      css: "{{ applications | get_app_conf(application_id, 'features.css', False) }}"
      matomo: "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}"
      port_ui: "{{ applications | get_app_conf(application_id, 'features.port-ui-desktop', False) }}"
--- a/roles/srv-web-7-7-inj-javascript/README.md
+++ b/roles/srv-web-7-7-inj-javascript/README.md
@@ -16,7 +16,7 @@ This Ansible role injects a custom JavaScript snippet into all HTML responses se
  Activates only when you enable the `javascript` feature for a given application, keeping your server blocks clean and performant.

 - **Debug Mode**  
-  Supports an `enable_debug` flag that appends optional `console.log` statements for easier troubleshooting in staging or development.
+  Supports an `MODE_DEBUG` flag that appends optional `console.log` statements for easier troubleshooting in staging or development.

 ## Author

--- a/roles/srv-web-7-7-inj-logout/templates/logout_one_liner.js.j2
+++ b/roles/srv-web-7-7-inj-logout/templates/logout_one_liner.js.j2
@@ -2,6 +2,6 @@ document.addEventListener('DOMContentLoaded', function() {
    initLogoutPatch(
        '{{ oidc.client.logout_url }}',
        '{{ WEB_PROTOCOL }}',
-        '{{ primary_domain }}'
+        '{{ PRIMARY_DOMAIN }}'
    );
 });
--- a/roles/srv-web-7-7-inj-matomo/tasks/main.yml
+++ b/roles/srv-web-7-7-inj-matomo/tasks/main.yml
@@ -12,7 +12,7 @@
      domain: "{{ domain }}"
      base_domain: "{{ base_domain }}"
      matomo_verification_url: "{{ matomo_verification_url }}"
-  when: enable_debug | bool
+  when: MODE_DEBUG | bool

 - name: "Check if site {{ domain }} is allready registered at Matomo"
  uri:
--- a/roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.js.j2
+++ b/roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.js.j2
@@ -14,6 +14,6 @@ _paq.push(["enableLinkTracking"]);
  g.async=true; g.src=u+"matomo.js"; s.parentNode.insertBefore(g,s);
 })();

-{% if enable_debug | bool %}
+{% if MODE_DEBUG | bool %}
 console.log("Matomo is loaded.");
 {% endif %}
--- a/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2
+++ b/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2
@@ -1,5 +1,5 @@
 (function() {
-  var primary = "{{ primary_domain }}";
+  var primary = "{{ PRIMARY_DOMAIN }}";
  var allowedOrigin = "https://{{ domains | get_domain('web-app-port-ui') }}";

  function notifyParent() {
@@ -43,6 +43,6 @@
  };
 })();

-{% if enable_debug | bool %}
+{% if MODE_DEBUG | bool %}
 console.log("[iframe-sync] Sender for iframe messages is active.");
 {% endif %}
--- a/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml
+++ b/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml
@@ -11,4 +11,4 @@

  - name: "Set CAA records for all base domains"
    include_tasks: 01_set-caa-records.yml
-    when: dns_provider == 'cloudflare'
+    when: DNS_PROVIDER == 'cloudflare'
--- a/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml
+++ b/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml
@@ -1,14 +1,14 @@
 ---

- name: "Validate certbot_dns_api_token"
+- name: "Validate CERTBOT_DNS_API_TOKEN"
  fail:
    msg: >
-      The variable "certbot_dns_api_token" must be defined and cannot be empty!
-  when: (certbot_dns_api_token | default('') | trim) == ''
+      The variable "CERTBOT_DNS_API_TOKEN" must be defined and cannot be empty!
+  when: (CERTBOT_DNS_API_TOKEN | default('') | trim) == ''

 - name: "Ensure all CAA records are present"
  community.general.cloudflare_dns:
-    api_token: "{{ certbot_dns_api_token }}"
+    api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
    zone:     "{{ item.0 }}"
    record:   "@"
    type:     CAA
--- a/roles/srv-web-7-7-letsencrypt/templates/letsencrypt.conf.j2
+++ b/roles/srv-web-7-7-letsencrypt/templates/letsencrypt.conf.j2
@@ -9,7 +9,7 @@ server
  #letsencrypt
  location ^~ /.well-known/acme-challenge/ {
    allow all;
-    root {{ letsencrypt_webroot_path }};
+    root {{ LETSENCRYPT_WEBROOT_PATH }};
    default_type "text/plain";
    try_files $uri =404;
  }
--- a/roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2
+++ b/roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2
@@ -1,3 +1,3 @@
-ssl_certificate         {{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/fullchain.pem;
-ssl_certificate_key     {{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/privkey.pem;
-ssl_trusted_certificate {{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/chain.pem;
+ssl_certificate         {{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/fullchain.pem;
+ssl_certificate_key     {{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/privkey.pem;
+ssl_trusted_certificate {{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/chain.pem;
--- a/roles/svc-prx-openresty/templates/docker-compose.yml.j2
+++ b/roles/svc-prx-openresty/templates/docker-compose.yml.j2
@@ -10,6 +10,6 @@
      - {{ nginx.directories.configuration }}:{{ nginx.directories.configuration }}:ro
      - {{ nginx.directories.data.www }}:{{ nginx.directories.data.www }}:ro
      - {{ nginx.directories.data.well_known }}:{{ nginx.directories.data.well_known }}:ro
-      - {{ letsencrypt_webroot_path }}:{{ letsencrypt_webroot_path }}:ro
-      - {{ letsencrypt_base_path }}:{{ letsencrypt_base_path }}:ro
+      - {{ LETSENCRYPT_WEBROOT_PATH }}:{{ LETSENCRYPT_WEBROOT_PATH }}:ro
+      - {{ LETSENCRYPT_BASE_PATH }}:{{ LETSENCRYPT_BASE_PATH }}:ro
    command: ["openresty", "-g", "daemon off;"]
--- a/roles/sys-bkp-docker-2-loc/tasks/01_core.yml
+++ b/roles/sys-bkp-docker-2-loc/tasks/01_core.yml
@@ -12,7 +12,7 @@

 - name: "reset (if enabled)"
  include_tasks: 03_reset.yml
-  when: mode_reset | bool
+  when: MODE_RESET | bool

 - name: configure sys-bkp-docker-2-loc-everything.infinito.service
  template:
--- a/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml
+++ b/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml
@@ -11,7 +11,7 @@
      database_host: "{{ database_host | default('undefined') }}"
      database_username: "{{ database_username | default('undefined') }}"
      database_password: "{{ database_password | default('undefined') }}"
-  when: enable_debug | bool
+  when: MODE_DEBUG | bool

 - name: "fail if not all required database variables are defined"
  fail:
--- a/roles/sys-cln-domains/tasks/main.yml
+++ b/roles/sys-cln-domains/tasks/main.yml
@@ -14,7 +14,7 @@
    vars:
      domain: "{{ item }}"
    when:
-    - mode_cleanup | bool
+    - MODE_CLEANUP | bool

 ## The revoking just works for the base domain
 #- name: "Revoke Certbot certificate for {{ item }}"
@@ -25,7 +25,7 @@
 #  loop_control:
 #    label: "{{ item }}"
 #  when:
-#    - mode_cleanup | bool
+#    - MODE_CLEANUP | bool
 #    - run_once_sys_cln_domains is not defined
 #  register: certbot_revoke_result
 #  failed_when: >
@@ -43,7 +43,7 @@
 #  loop_control:
 #    label: "{{ item }}"
 #  when:
-#    - mode_cleanup | bool
+#    - MODE_CLEANUP | bool
 #    - run_once_sys_cln_domains is not defined
 #  register: certbot_delete_result
 #  failed_when: >
--- a/roles/sys-rst-daemon/README.md
+++ b/roles/sys-rst-daemon/README.md
@@ -4,7 +4,7 @@ This Ansible role handles resetting and cleaning up “Infinito.Nexus” systemd

 ## Description

-When enabled via the `mode_reset` flag, this role will:
+When enabled via the `MODE_RESET` flag, this role will:

 1. Run its reset tasks exactly once per play (`run_once_sys_rst_daemon` guard).  
 2. Find all `/etc/systemd/system/*.infinito.service` units.  
--- a/roles/sys-rst-daemon/tasks/main.yml
+++ b/roles/sys-rst-daemon/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: "reset (if enabled)"
  include_tasks: reset.yml 
-  when: mode_reset | bool and run_once_sys_rst_daemon is not defined
+  when: MODE_RESET | bool and run_once_sys_rst_daemon is not defined

 - name: run {{ role_name }} once
  set_fact:
--- a/roles/sys-svc-sshd/README.md
+++ b/roles/sys-svc-sshd/README.md
@@ -19,7 +19,7 @@ This Ansible role configures the OpenSSH daemon (`sshd`) by deploying a template
 - **Security Defaults**  
  - Disables password (`PasswordAuthentication no`) and root login (`PermitRootLogin no`)  
  - Enforces public-key authentication (`PubkeyAuthentication yes`)  
-  - Conditionally sets `LogLevel` to `DEBUG3` when `enable_debug` is true  
+  - Conditionally sets `LogLevel` to `DEBUG3` when `MODE_DEBUG` is true  

 - **Systemd Integration**  
  Handles daemon reload and service restart seamlessly on configuration changes.
--- a/roles/sys-svc-sshd/templates/sshd_config.j2
+++ b/roles/sys-svc-sshd/templates/sshd_config.j2
@@ -25,7 +25,7 @@

 # Logging
 #SyslogFacility AUTH
-LogLevel {% if enable_debug | bool %}DEBUG3{% else %}INFO{% endif %}
+LogLevel {% if MODE_DEBUG | bool %}DEBUG3{% else %}INFO{% endif %}

 # Authentication:

--- a/roles/sys-timer/README.md
+++ b/roles/sys-timer/README.md
@@ -9,7 +9,7 @@ This role configures a systemd timer to periodically start a corresponding servi
 Optimized for automated task scheduling in a [systemd](https://en.wikipedia.org/wiki/Systemd) environment, this role:
 - Generates a timer unit file for a given service (using the `service_name` variable).
 - Reloads and restarts the timer using systemd to ensure that changes take effect.
- Supports dynamic configuration of scheduling parameters via variables like `on_calendar` and `randomized_delay_sec`.
+- Supports dynamic configuration of scheduling parameters via variables like `on_calendar` and `RANDOMIZED_DELAY_SEC`.

 ## Purpose

--- a/roles/sys-timer/tasks/main.yml
+++ b/roles/sys-timer/tasks/main.yml
@@ -1,7 +1,7 @@

 - name: "reset (if enabled)"
  include_tasks: 01_reset.yml 
-  when: mode_reset | bool and run_once_sys_timer is not defined
+  when: MODE_RESET | bool and run_once_sys_timer is not defined

 - name: run {{ role_name }} once
  set_fact:
@@ -20,5 +20,5 @@
    name: "{{ sys_timer_file }}"
    state: restarted
    enabled: yes
-  when: dummy_timer.changed or activate_all_timers | bool
+  when: dummy_timer.changed or ACTIVATE_ALL_TIMERS | bool

--- a/roles/sys-timer/templates/dummy.timer.j2
+++ b/roles/sys-timer/templates/dummy.timer.j2
@@ -3,7 +3,7 @@ Description=Timer to start {{service_name}}.infinito.service

 [Timer]
 OnCalendar={{on_calendar}}
-RandomizedDelaySec={{randomized_delay_sec}}
+RandomizedDelaySec={{RANDOMIZED_DELAY_SEC}}
 Persistent={{ persistent | default('false') }}

 [Install]
--- a/roles/update-docker/tasks/01_core.yml
+++ b/roles/update-docker/tasks/01_core.yml
@@ -8,7 +8,7 @@
    name: sys-bkp-docker-2-loc-everything.infinito.service
    state: started
  when:
-  - mode_backup | bool
+  - MODE_BACKUP | bool

 - name: create {{update_docker_script}}
  template:
--- a/roles/update-docker/templates/update-docker.py.j2
+++ b/roles/update-docker/templates/update-docker.py.j2
@@ -149,7 +149,7 @@ def update_mastodon():
    Runs the database migration for Mastodon to ensure all required tables are up to date.
    """
    print("Starting Mastodon database migration.")
-    run_command("docker compose exec -T web bash -c 'RAILS_ENV={{ INFINITO_ENVIRONMENT | lower }} bin/rails db:migrate'")
+    run_command("docker compose exec -T web bash -c 'RAILS_ENV={{ ENVIRONMENT | lower }} bin/rails db:migrate'")
    print("Mastodon database migration complete.")

 def upgrade_listmonk():
--- a/roles/user-administrator/users/main.yml
+++ b/roles/user-administrator/users/main.yml
@@ -2,7 +2,7 @@ users:
  administrator:
    description:        "System Administrator"
    username:           "administrator"
-    email:              "administrator@{{ primary_domain }}"
+    email:              "administrator@{{ PRIMARY_DOMAIN }}"
    password:           "{{ ansible_become_password }}"
    uid:                1001
    gid:                1001
--- a/roles/user/users/main.yml
+++ b/roles/user/users/main.yml
@@ -2,10 +2,10 @@
 users:
  sld:
    description: "Auto Generated Account to reserve the SLD"
-    username: "{{ primary_domain.split('.')[0] }}"
+    username: "{{ PRIMARY_DOMAIN.split('.')[0] }}"
  tld:
    description: "Auto Generated Account to reserve the TLD"
-    username: "{{ primary_domain.split('.')[1] }}"
+    username: "{{ PRIMARY_DOMAIN.split('.')[1] }}"
  root:
    username: root
    uid: 0
--- a/roles/web-app-akaunting/config/main.yml
+++ b/roles/web-app-akaunting/config/main.yml
@@ -1,5 +1,5 @@
 company:
-  name:             "Akaunting on {{ primary_domain | upper }}" # @todo load automatic based on service_provider infos, this will fail
+  name:             "Akaunting on {{ PRIMARY_DOMAIN | upper }}" # @todo load automatic based on service_provider infos, this will fail
  email:            "{{ users.administrator.email }}" # @todo load automatic based on service_provider infos, this will fail
 setup_admin_email:  "{{ users.administrator.email }}"
 features:
@@ -11,7 +11,7 @@ features:
 server:
  domains:
    canonical:
-      - "accounting.{{ primary_domain }}"
+      - "accounting.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    database:
--- a/roles/web-app-attendize/config/main.yml
+++ b/roles/web-app-attendize/config/main.yml
@@ -16,4 +16,4 @@ docker:
 server:
  domains:
    canonical:
-      - "tickets.{{ primary_domain }}"
+      - "tickets.{{ PRIMARY_DOMAIN }}"
--- a/roles/web-app-baserow/config/main.yml
+++ b/roles/web-app-baserow/config/main.yml
@@ -21,4 +21,4 @@ docker:
 server:
  domains:
    canonical:
-      - baserow.{{ primary_domain }}
+      - baserow.{{ PRIMARY_DOMAIN }}
--- a/roles/web-app-bigbluebutton/config/main.yml
+++ b/roles/web-app-bigbluebutton/config/main.yml
@@ -18,7 +18,7 @@ server:
        unsafe-inline:  true
  domains:
    canonical:
-      - "meet.{{ primary_domain }}"
+      - "meet.{{ PRIMARY_DOMAIN }}"
 credentials: {}

 docker:
--- a/roles/web-app-bigbluebutton/templates/env.j2
+++ b/roles/web-app-bigbluebutton/templates/env.j2
@@ -1,6 +1,6 @@
 ENABLE_COTURN=true
-COTURN_TLS_CERT_PATH={{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/fullchain.pem
-COTURN_TLS_KEY_PATH={{ [ letsencrypt_live_path, ssl_cert_folder] | path_join }}/privkey.pem
+COTURN_TLS_CERT_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/fullchain.pem
+COTURN_TLS_KEY_PATH={{ [ LETSENCRYPT_LIVE_PATH, ssl_cert_folder] | path_join }}/privkey.pem
 ENABLE_GREENLIGHT={{ applications | get_app_conf(application_id, 'enable_greenlight', True) }}

 # Enable Webhooks
--- a/roles/web-app-bigbluebutton/users/main.yml
+++ b/roles/web-app-bigbluebutton/users/main.yml
@@ -1,3 +1,3 @@
 users:
  administrator:
-    email:                "administrator@{{ primary_domain }}"
+    email:                "administrator@{{ PRIMARY_DOMAIN }}"
--- a/roles/web-app-bluesky/config/main.yml
+++ b/roles/web-app-bluesky/config/main.yml
@@ -11,8 +11,8 @@ features:
 server:
  domains:
    canonical:
-      web:  "bskyweb.{{ primary_domain }}"
-      api:  "bluesky.{{ primary_domain }}"
+      web:  "bskyweb.{{ PRIMARY_DOMAIN }}"
+      api:  "bluesky.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    database:
--- a/roles/web-app-bluesky/templates/docker-compose.yml.j2
+++ b/roles/web-app-bluesky/templates/docker-compose.yml.j2
@@ -24,7 +24,7 @@
      args:
        REACT_APP_PDS_URL: "{{ WEB_PROTOCOL }}://{{domains[application_id].api}}" # URL des PDS
        REACT_APP_API_URL: "{{ WEB_PROTOCOL }}://{{domains[application_id].api}}" # API-URL des PDS
-        REACT_APP_SITE_NAME: "{{primary_domain | upper}} - Bluesky"
+        REACT_APP_SITE_NAME: "{{PRIMARY_DOMAIN | upper}} - Bluesky"
        REACT_APP_SITE_DESCRIPTION: "Decentral Social "
    ports:
      - "127.0.0.1:{{ports.localhost.http['web-app-bluesky_web']}}:8100"
--- a/roles/web-app-bluesky/templates/env.j2
+++ b/roles/web-app-bluesky/templates/env.j2
@@ -3,7 +3,7 @@ PDS_ADMIN_EMAIL="{{applications.bluesky.users.administrator.email}}"
 PDS_SERVICE_DID="did:web:{{domains[application_id].api}}"

 # See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/
-PDS_SERVICE_HANDLE_DOMAINS=".{{primary_domain}}"
+PDS_SERVICE_HANDLE_DOMAINS=".{{PRIMARY_DOMAIN}}"
 PDS_JWT_SECRET="{{ bluesky_jwt_secret }}"
 PDS_ADMIN_PASSWORD="{{bluesky_admin_password}}"
 PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{ bluesky_rotation_key }}"
--- a/roles/web-app-bluesky/users/main.yml
+++ b/roles/web-app-bluesky/users/main.yml
@@ -1,3 +1,3 @@
 users:
  administrator:
-    email:          "administrator@{{ primary_domain }}"
+    email:          "administrator@{{ PRIMARY_DOMAIN }}"
--- a/roles/web-app-collabora/config/main.yml
+++ b/roles/web-app-collabora/config/main.yml
@@ -1,7 +1,7 @@
 server:
  domains:
    canonical:
-      - "collabora.{{ primary_domain }}"
+      - "collabora.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    redis:
--- a/roles/web-app-discourse/config/main.yml
+++ b/roles/web-app-discourse/config/main.yml
@@ -16,10 +16,10 @@ server:
        unsafe-inline: true
    whitelist:
      font-src:
-        - "http://*.{{primary_domain}}"
+        - "http://*.{{PRIMARY_DOMAIN}}"
  domains:
    canonical:
-      - "forum.{{ primary_domain }}"
+      - "forum.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    database:
--- a/roles/web-app-discourse/tasks/01_core.yml
+++ b/roles/web-app-discourse/tasks/01_core.yml
@@ -1,6 +1,6 @@
 - name: "reset (if enabled)"
  include_tasks: 02_reset.yml
-  when: mode_reset | bool
+  when: MODE_RESET | bool

 # Necessary for building: https://chat.openai.com/share/99d258cc-294b-4924-8eef-02fe419bb838
 - name: install which
--- a/roles/web-app-elk/config/main.yml
+++ b/roles/web-app-elk/config/main.yml
@@ -3,4 +3,4 @@ features:
 server:
  domains:
    canonical:
-      - elk.{{ primary_domain }}
+      - elk.{{ PRIMARY_DOMAIN }}
--- a/roles/web-app-espocrm/config/main.yml
+++ b/roles/web-app-espocrm/config/main.yml
@@ -18,17 +18,17 @@ server:
        unsafe-eval:    true
    whitelist:
      connect-src:
-        - wss://espocrm.{{ primary_domain }}
+        - wss://espocrm.{{ PRIMARY_DOMAIN }}
        - "data:"
      frame-src:
        - https://s.espocrm.com/
  domains:
    aliases:
-      - "crm.{{ primary_domain }}"
+      - "crm.{{ PRIMARY_DOMAIN }}"
    canonical:
-      - espocrm.{{ primary_domain }}
+      - espocrm.{{ PRIMARY_DOMAIN }}
 email:
-  from_name: "Customer Relationship Management ({{ primary_domain }})"
+  from_name: "Customer Relationship Management ({{ PRIMARY_DOMAIN }})"
 docker:
  services:
    database:
--- a/roles/web-app-espocrm/templates/env.j2
+++ b/roles/web-app-espocrm/templates/env.j2
@@ -41,7 +41,7 @@ ESPOCRM_CONFIG_DEFAULT_CURRENCY={{ HOST_CURRENCY }}
 # ------------------------------------------------
 # Logger
 # ------------------------------------------------
-ESPOCRM_CONFIG_LOGGER_LEVEL={{ 'DEBUG' if enable_debug | bool else 'INFO' }}
+ESPOCRM_CONFIG_LOGGER_LEVEL={{ 'DEBUG' if MODE_DEBUG | bool else 'INFO' }}
 ESPOCRM_CONFIG_LOGGER_PATH=php://stdout
 ESPOCRM_CONFIG_LOGGER_ROTATION=false

--- a/roles/web-app-friendica/config/main.yml
+++ b/roles/web-app-friendica/config/main.yml
@@ -12,7 +12,7 @@ features:
 server:
  domains:
    canonical:
-      - "social.{{ primary_domain }}"
+      - "social.{{ PRIMARY_DOMAIN }}"
  csp:
    flags:
      script-src-elem:
--- a/roles/web-app-friendica/templates/env.j2
+++ b/roles/web-app-friendica/templates/env.j2
@@ -6,8 +6,8 @@ HOSTNAME={{domains | get_domain(application_id)}}
 FRIENDICA_NO_VALIDATION={{friendica_no_validation | lower}}

 # Debugging
-FRIENDICA_DEBUGGING={{ (enable_debug | bool) | lower }}{{"\n"}}
-FRIENDICA_LOGLEVEL={% if enable_debug | bool %}9{% else %}5{% endif %}{{"\n"}}
+FRIENDICA_DEBUGGING={{ (MODE_DEBUG | bool) | lower }}{{"\n"}}
+FRIENDICA_LOGLEVEL={% if MODE_DEBUG | bool %}9{% else %}5{% endif %}{{"\n"}}
 FRIENDICA_LOGGER=syslog

 # Database Configuration 
--- a/roles/web-app-funkwhale/config/main.yml
+++ b/roles/web-app-funkwhale/config/main.yml
@@ -23,10 +23,10 @@ features:
 server:
  domains:
    canonical:
-      - "audio.{{ primary_domain }}"
+      - "audio.{{ PRIMARY_DOMAIN }}"
    aliases:
-      - "music.{{ primary_domain }}"
-      - "sound.{{ primary_domain }}"
+      - "music.{{ PRIMARY_DOMAIN }}"
+      - "sound.{{ PRIMARY_DOMAIN }}"
  csp:  
    flags:
      style-src:
--- a/roles/web-app-funkwhale/templates/env.j2
+++ b/roles/web-app-funkwhale/templates/env.j2
@@ -40,10 +40,10 @@ FUNKWHALE_HOSTNAME={{domains | get_domain(application_id)}}
 FUNKWHALE_PROTOCOL={{ WEB_PROTOCOL }}

 # Log level (debug, info, warning, error, critical)
-LOGLEVEL={% if enable_debug | bool %}debug{% else %}error{% endif %}
+LOGLEVEL={% if MODE_DEBUG | bool %}debug{% else %}error{% endif %}

 # Could be that this is redundant
-DJANGO_LOGLEVEL={% if enable_debug | bool %}debug{% else %}error{% endif %}
+DJANGO_LOGLEVEL={% if MODE_DEBUG | bool %}debug{% else %}error{% endif %}

 # Configure e-mail sending using this variale
 # By default, funkwhale will output e-mails sent to stdout
--- a/roles/web-app-gitea/config/main.yml
+++ b/roles/web-app-gitea/config/main.yml
@@ -36,9 +36,9 @@ server:
        - "data:"
  domains:
    aliases:
-      - "git.{{ primary_domain }}"
+      - "git.{{ PRIMARY_DOMAIN }}"
    canonical:
-      - gitea.{{ primary_domain }}
+      - gitea.{{ PRIMARY_DOMAIN }}
 docker:
  services:
    database:
--- a/roles/web-app-gitea/tasks/cleanup/ldap.yml
+++ b/roles/web-app-gitea/tasks/cleanup/ldap.yml
@@ -2,7 +2,7 @@
  shell: |
    docker exec -i --user {{ gitea_user }} {{ gitea_container }} \
      gitea admin auth list \
-      | awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}'
+      | awk -v name="LDAP ({{ PRIMARY_DOMAIN }})" '$0 ~ name {print $1; exit}'
  args:
    chdir: "{{ docker_compose.directories.instance }}"
  register: ldap_source_id_raw
--- a/roles/web-app-gitea/tasks/main.yml
+++ b/roles/web-app-gitea/tasks/main.yml
@@ -54,14 +54,14 @@

 - name: Execute Cleanup Routines
  include_tasks: 03_cleanup.yml 
-  when: mode_cleanup
+  when: MODE_CLEANUP

 - name: Include DNS role to register Gitea domain(s)
  include_role:
    name: srv-web-7-7-dns-records
  vars:
-    cloudflare_api_token:   "{{ certbot_dns_api_token }}"
+    cloudflare_api_token:   "{{ CERTBOT_DNS_API_TOKEN }}"
    cloudflare_domains:     "{{ [ domains | get_domain(application_id) ] }}"
    cloudflare_target_ip:   "{{ networks.internet.ip4 }}"
    cloudflare_proxied:     false
-  when: dns_provider == 'cloudflare'
+  when: DNS_PROVIDER == 'cloudflare'
--- a/roles/web-app-gitea/tasks/setup/ldap.yml
+++ b/roles/web-app-gitea/tasks/setup/ldap.yml
@@ -13,7 +13,7 @@
    docker exec -i --user {{ gitea_user }} {{ gitea_container }} \
      gitea admin auth list \
      | tail -n +2 \
-      | grep -F "LDAP ({{ primary_domain }})" \
+      | grep -F "LDAP ({{ PRIMARY_DOMAIN }})" \
      | awk '{print $1; exit}'
  args:
    chdir: "{{ docker_compose.directories.instance }}"
--- a/roles/web-app-gitea/templates/env.j2
+++ b/roles/web-app-gitea/templates/env.j2
@@ -3,7 +3,7 @@

 # General
 DOMAIN={{domains | get_domain(application_id)}}
-RUN_MODE="{{ 'dev' if (INFINITO_ENVIRONMENT | lower) == 'development' else 'prod' }}"
+RUN_MODE="{{ 'dev' if (ENVIRONMENT | lower) == 'development' else 'prod' }}"
 ROOT_URL="{{ domains | get_url(application_id, WEB_PROTOCOL) }}/"
 APP_NAME="{{ applications | get_app_conf(application_id, 'title', True) }}"
 USER_UID=1000
@@ -11,7 +11,7 @@ USER_GID=1000

 # Logging configuration
 GITEA__log__MODE=console
-GITEA__log__LEVEL={% if enable_debug | bool %}Debug{% else %}Info{% endif %}    
+GITEA__log__LEVEL={% if MODE_DEBUG | bool %}Debug{% else %}Info{% endif %}    

 # Database
 DB_TYPE=mysql
--- a/roles/web-app-gitea/vars/main.yml
+++ b/roles/web-app-gitea/vars/main.yml
@@ -1,7 +1,7 @@
 application_id:       "web-app-gitea"
 database_type:        "mariadb"
 gitea_ldap_auth_args:
-  - '--name "LDAP ({{ primary_domain }})"'
+  - '--name "LDAP ({{ PRIMARY_DOMAIN }})"'
  - '--host "{{ ldap.server.domain }}"'
  - '--port {{ ldap.server.port }}'
  - '--security-protocol "{{ ldap.server.security | trim or "unencrypted" }}"'
--- a/roles/web-app-gitlab/config/main.yml
+++ b/roles/web-app-gitlab/config/main.yml
@@ -18,4 +18,4 @@ credentials:
 server:
  domains:
    canonical:
-      - gitlab.{{ primary_domain }}
+      - gitlab.{{ PRIMARY_DOMAIN }}
--- a/roles/web-app-jenkins/config/main.yml
+++ b/roles/web-app-jenkins/config/main.yml
@@ -3,4 +3,4 @@ features:
 server:
  domains:
    canonical:
-      - jenkins.{{ primary_domain }}
+      - jenkins.{{ PRIMARY_DOMAIN }}
--- a/roles/web-app-joomla/config/main.yml
+++ b/roles/web-app-joomla/config/main.yml
@@ -9,7 +9,7 @@ features:
 server:
  domains:
    canonical:
-      - "cms.{{ primary_domain }}"
+      - "cms.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    database:
--- a/roles/web-app-keycloak/config/main.yml
+++ b/roles/web-app-keycloak/config/main.yml
@@ -28,7 +28,7 @@ server:
        - "*" # For frontend channel logout it's necessary that iframes can be loaded
  domains:
    canonical:
-      - "auth.{{ primary_domain }}"
+      - "auth.{{ PRIMARY_DOMAIN }}"
 scopes:
  rbac_roles: rbac_roles
  nextcloud:  nextcloud
--- a/roles/web-app-keycloak/templates/env.j2
+++ b/roles/web-app-keycloak/templates/env.j2
@@ -25,7 +25,7 @@ KC_BOOTSTRAP_ADMIN_USERNAME=    "{{applications | get_app_conf(application_id, '
 KC_BOOTSTRAP_ADMIN_PASSWORD=    "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}"

 # Enable detailed logs
-{% if enable_debug | bool %}
+{% if MODE_DEBUG | bool %}
 KC_LOG_LEVEL=DEBUG
 KC_LOG_CONSOLE_ENABLED=true
 {% endif %}
--- a/roles/web-app-keycloak/templates/import/realm.json.j2
+++ b/roles/web-app-keycloak/templates/import/realm.json.j2
@@ -836,7 +836,7 @@
      {# The following line should be covered by 02_update_client_redirects.yml #}
      "redirectUris": {{ domains | redirect_uris(applications, WEB_PROTOCOL) | tojson }},
      "webOrigins": [
-        "{{ WEB_PROTOCOL }}://*.{{primary_domain}}"
+        "{{ WEB_PROTOCOL }}://*.{{PRIMARY_DOMAIN}}"
      ],
      "notBefore": 0,
      "bearerOnly": false,
@@ -853,7 +853,7 @@
        "oidc.ciba.grant.enabled": "false",
        "client.secret.creation.time": "0",
        "backchannel.logout.session.required": "true",
-        "post.logout.redirect.uris": "{{ WEB_PROTOCOL }}://{{primary_domain}}/*##+",
+        "post.logout.redirect.uris": "{{ WEB_PROTOCOL }}://{{PRIMARY_DOMAIN}}/*##+",
        "frontchannel.logout.session.required": "true",
        "oauth2.device.authorization.grant.enabled": "false",
        "display.on.consent.screen": "false",
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -5,7 +5,7 @@ database_type:                    "postgres"
 # Keycloak
 keycloak_container:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"      # Name of the keycloak docker container
 keycloak_docker_import_directory:   "/opt/keycloak/data/import/"                                                              # Directory in which keycloak import files are placed in the running docker container
-keycloak_realm:                     "{{ primary_domain}}"                                                                     # This is the name of the default realm which is used by the applications
+keycloak_realm:                     "{{ PRIMARY_DOMAIN}}"                                                                     # This is the name of the default realm which is used by the applications
 keycloak_master_api_user:           "{{ applications | get_app_conf(application_id, 'users.administrator') }}"                # Master Administrator
 keycloak_master_api_user_name:      "{{ keycloak_master_api_user.username }}"                                                 # Master Administrator Username
 keycloak_master_api_user_password:  "{{ keycloak_master_api_user.password }}"                                                 # Master Administrator Password
@@ -15,7 +15,7 @@ keycloak_server_host:               "127.0.0.1:{{ ports.localhost.http[applicati
 keycloak_server_host_url:           "http://{{ keycloak_server_host }}"
 keycloak_image:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"     # Keycloak docker image
 keycloak_version:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"   # Keycloak docker version
-keycloak_debug_enabled:             "{{ enable_debug }}"
+keycloak_debug_enabled:             "{{ MODE_DEBUG }}"
 keycloak_redirect_features:         ["features.oauth2","features.oidc"]
 keycloak_client_id:                 "{{ oidc.client.id }}"
 keycloak_ldap_component_name:       "{{ ldap.server.domain }}"                                                                                    # Name of the LDAP User Federation component in Keycloak (as shown in UI)
--- a/roles/web-app-lam/config/main.yml
+++ b/roles/web-app-lam/config/main.yml
@@ -27,7 +27,7 @@ server:
        unsafe-inline:            true
  domains:
    aliases:
-      - "ldap.{{primary_domain}}"
+      - "ldap.{{PRIMARY_DOMAIN}}"
    canonical:
-      - lam.{{ primary_domain }}
+      - lam.{{ PRIMARY_DOMAIN }}

--- a/roles/web-app-libretranslate/config/main.yml
+++ b/roles/web-app-libretranslate/config/main.yml
@@ -24,7 +24,7 @@ server:
    flags:            {}      # Flags which should be set
  domains:
    canonical:
-      - "libretranslate.{{ primary_domain }}"
+      - "libretranslate.{{ PRIMARY_DOMAIN }}"
    aliases:          []      # Alias redirections to the first element of the canonical domains
 rbac:
  roles: {}
--- a/roles/web-app-listmonk/config/main.yml
+++ b/roles/web-app-listmonk/config/main.yml
@@ -9,7 +9,7 @@ features:
 server:
  domains:
    canonical:
-      - "newsletter.{{ primary_domain }}"
+      - "newsletter.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    database:
--- a/roles/web-app-mailu/config/main.yml
+++ b/roles/web-app-mailu/config/main.yml
@@ -1,7 +1,7 @@
 oidc:
  email_by_username:      true                    # If true, then the mail is set by the username. If wrong then the OIDC user email is used
  enable_user_creation:   true                    # Users will be created if not existing
-domain:                   "{{ primary_domain }}"  # The main domain from which mails will be send \ email suffix behind @                              
+domain:                   "{{ PRIMARY_DOMAIN }}"  # The main domain from which mails will be send \ email suffix behind @                              
 features:
  matomo:                 true
  css:                    false
@@ -12,7 +12,7 @@ features:
 server:
  domains:
    canonical:
-      - "mail.{{ primary_domain }}"
+      - "mail.{{ PRIMARY_DOMAIN }}"
  csp:
    flags:
      style-src:
--- a/roles/web-app-mailu/tasks/01_core.yml
+++ b/roles/web-app-mailu/tasks/01_core.yml
@@ -13,7 +13,7 @@
  include_tasks: 02_create-mailu-user.yml
  vars:
    mailu_compose_dir:        "{{ docker_compose.directories.instance }}"
-    mailu_domain:             "{{ primary_domain }}"
+    mailu_domain:             "{{ PRIMARY_DOMAIN }}"
    mailu_api_base_url:       "http://127.0.0.1:8080/api/v1"
    mailu_global_api_token:   "{{ applications | get_app_conf(application_id, 'credentials.api_token') }}"
    mailu_action: >-
@@ -33,4 +33,4 @@

 - name: Set Mailu DNS records
  include_tasks: 04_set-mailu-dns-records.yml
-  when: dns_provider == 'cloudflare'
+  when: DNS_PROVIDER == 'cloudflare'
--- a/roles/web-app-mailu/templates/env.j2
+++ b/roles/web-app-mailu/templates/env.j2
@@ -195,7 +195,7 @@ OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
 OIDC_USERNAME_CLAIM={{oidc.attributes.username}}

 # The domain used when constructing an email from a non-email username (e.g., when OIDC_USERNAME_CLAIM=sub). Ignored if OIDC_USERNAME_CLAIM is already an email. Defaults to the value of DOMAIN.
-OIDC_USER_DOMAIN={{primary_domain}}
+OIDC_USER_DOMAIN={{PRIMARY_DOMAIN}}
 {% endif %}

 # If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True.
--- a/roles/web-app-mailu/users/main.yml
+++ b/roles/web-app-mailu/users/main.yml
@@ -1,3 +1,3 @@
 users:
  administrator:
-    email:                "administrator@{{ primary_domain }}"   # Administrator Email for DNS Records
+    email:                "administrator@{{ PRIMARY_DOMAIN }}"   # Administrator Email for DNS Records
--- a/roles/web-app-mailu/vars/mailu-dns.yml
+++ b/roles/web-app-mailu/vars/mailu-dns.yml
@@ -3,7 +3,7 @@
 mailu_dns_zone: "{{ applications | get_app_conf(application_id, 'domain', True) }}"
 mailu_dns_ip:   "{{ networks.internet.ip4 }}"

-cloudflare_record_api_token: "{{ certbot_dns_api_token }}"
+cloudflare_record_api_token: "{{ CERTBOT_DNS_API_TOKEN }}"

 mailu_dmarc_ruf:    "{{ applications | get_app_conf(application_id, 'users.administrator.email', True) }}"

--- a/roles/web-app-mastodon/config/main.yml
+++ b/roles/web-app-mastodon/config/main.yml
@@ -10,7 +10,7 @@ features:
 server:
  domains:
    canonical:
-      - "microblog.{{ primary_domain }}"
+      - "microblog.{{ PRIMARY_DOMAIN }}"
  csp:
    whitelist:
      frame-src:
--- a/roles/web-app-matomo/config/main.yml
+++ b/roles/web-app-matomo/config/main.yml
@@ -27,9 +27,9 @@ server:
        unsafe-eval:   true
  domains:
    aliases:
-      - "analytics.{{ primary_domain }}"
+      - "analytics.{{ PRIMARY_DOMAIN }}"
    canonical:
-      - "matomo.{{ primary_domain }}"
+      - "matomo.{{ PRIMARY_DOMAIN }}"
 excluded_ips: "{{ networks.internet.values() | list }}"

 docker:
--- a/roles/web-app-matrix-ansible/tasks/main.yml
+++ b/roles/web-app-matrix-ansible/tasks/main.yml
@@ -79,7 +79,7 @@
 - name: show variable information
  debug:
    msg: "hosts_path: {{hosts_path}}\nmatrix_inventory_tmp_dir:{{ matrix_inventory_tmp_dir }}"
-  when: enable_debug | bool
+  when: MODE_DEBUG | bool

 - name: install requirements
  local_action: command just roles
--- a/roles/web-app-matrix/config/main.yml
+++ b/roles/web-app-matrix/config/main.yml
@@ -15,7 +15,7 @@ docker:
  volumes: 
    synapse:          "matrix_synapse_data"
 playbook_tags:        "setup-all,start"                  # For the initial update use: install-all,ensure-matrix-users-created,start
-server_name:          "{{ primary_domain }}"               # Adress for the account names etc.
+server_name:          "{{ PRIMARY_DOMAIN }}"               # Adress for the account names etc.
 setup:                false                              # Set true in inventory file to execute the setup and initializing procedures
 features:
  matomo:             false                              # Deactivated, because in html CSP restricts use
@@ -38,12 +38,12 @@ server:
      connect-src:
        - "*"
      script-src-elem:
-        - "element.{{ primary_domain }}"
+        - "element.{{ PRIMARY_DOMAIN }}"
        - "https://cdn.jsdelivr.net"
  domains:
    canonical:
-      synapse: "matrix.{{ primary_domain }}"
-      element: "element.{{ primary_domain }}"
+      synapse: "matrix.{{ PRIMARY_DOMAIN }}"
+      element: "element.{{ PRIMARY_DOMAIN }}"
  client_max_body_size: "15M"

 plugins:
--- a/roles/web-app-matrix/tasks/main.yml
+++ b/roles/web-app-matrix/tasks/main.yml
@@ -116,7 +116,7 @@
  command:
    cmd: docker-compose -p "{{ matrix_project }}" pull
    chdir: "{{docker_compose.directories.instance}}"
-  when: mode_update | bool
+  when: MODE_UPDATE | bool

 - name: docker compose up
  command:
--- a/roles/web-app-matrix/templates/element.config.json.j2
+++ b/roles/web-app-matrix/templates/element.config.json.j2
@@ -5,7 +5,7 @@
            "server_name": "{{domains[application_id].synapse}}"
        },
        "m.identity_server": {
-            "base_url": "{{ WEB_PROTOCOL }}://{{primary_domain}}"
+            "base_url": "{{ WEB_PROTOCOL }}://{{PRIMARY_DOMAIN}}"
        }
    },
    "brand": "Element",
--- a/roles/web-app-mediawiki/config/main.yml
+++ b/roles/web-app-mediawiki/config/main.yml
@@ -1,7 +1,7 @@
 server:
  domains:
    canonical:
-      - "wiki.{{ primary_domain }}"
+      - "wiki.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    mediawiki: 
--- a/roles/web-app-mig/config/main.yml
+++ b/roles/web-app-mig/config/main.yml
@@ -33,9 +33,9 @@ server:
        unsafe-inline: true
  domains:
    canonical:
-      - "mig.{{ primary_domain }}"
+      - "mig.{{ PRIMARY_DOMAIN }}"
    aliases:
-      - "meta-infinite-graph.{{ primary_domain }}"
+      - "meta-infinite-graph.{{ PRIMARY_DOMAIN }}"

 build_data: 
  # This shouldn't be relevant anymore, because the data is anyhow build async in background
--- a/roles/web-app-mig/tasks/02_build_data.yml
+++ b/roles/web-app-mig/tasks/02_build_data.yml
@@ -16,7 +16,7 @@
 - name: Debug MIG build job ID
  debug:
    msg: "MIG build job started with ID: {{ mig_build_job.ansible_job_id }}"
-  when: enable_debug | bool
+  when: MODE_DEBUG | bool

 - debug:
    msg: "Waiting for MIG build job to finish. Set 'build_data.wait_for=false' in the application config to skip waiting and improve performance."
--- a/roles/web-app-mobilizon/config/main.yml
+++ b/roles/web-app-mobilizon/config/main.yml
@@ -1,4 +1,4 @@
-titel:              "Mobilizon on {{ primary_domain | upper }}"
+titel:              "Mobilizon on {{ PRIMARY_DOMAIN | upper }}"
 features:
  central_database: true
  oidc:             true
@@ -14,9 +14,9 @@ server:
        unsafe-eval:  true
  domains:
    canonical:
-      - "event.{{ primary_domain }}"
+      - "event.{{ PRIMARY_DOMAIN }}"
    aliases:
-      - "events.{{ primary_domain }}"
+      - "events.{{ PRIMARY_DOMAIN }}"
 docker:
  services:
    database:
--- a/Show More
+++ b/Show More