Refactored CyMaIS basic features and optimized wordpress implementation

Makefile

@@ -0,0 +1,15 @@
+# Makefile for j2render
+
+TEMPLATE=./templates/vars/applications.yml.j2
+OUTPUT=./group_vars/all/07_applications.yml
+
+build:
+	@echo "🔧 Building rendered file from $(TEMPLATE)..."
+	@mkdir -p $(dir $(OUTPUT))
+	j2r $(TEMPLATE) $(OUTPUT)
+	@echo "✅ Output written to $(OUTPUT)"
+
+install: build
+
+test:
+	python -m unittest discover -s tests/unit

docs/guides/developer/Role_Creation.md

@@ -17,10 +17,15 @@ defaults_applications:
 
   ## My Service Configuration
   my_service:
-    version: "latest"                                      # Version of the service
+    version: "latest"
-    matomo_tracking_enabled: true                          # Enable Matomo tracking for analytics
+    features:                               # Version of the service
-    css_enabled: true                                      # Enable or disable global CSS styling
+      matomo:     true                      # Enable Matomo tracking for analytics
-    landingpage_iframe_enabled: false                      # Allow embedding the landing page in an iframe (if true)
+      css:        true                      # Enable or disable global CSS styling
+      iframe:     false                     # Allow embedding the landing page in an iframe (if true)
+      database:   true                      # Enable central database integration
+      ldap:       true                      # Enable ldap integration
+      oauth2:     true                      # Enable oauth2 proxy
+      oidc:       true                      # Enable oidc
 ```
 
 ---

filter_plugins/configuration_filters.py

@@ -1,20 +1,20 @@
-def get_oauth22_enabled(applications, application_id):
+def get_oauth2_enabled(applications, application_id):
     # Retrieve the application dictionary based on the ID
     app = applications.get(application_id, {})
     # Retrieve the value for oauth2_proxy.enabled, default is False
-    enabled = app.get('oauth2_proxy', {}).get('enabled', False)
+    enabled = app.get('features', {}).get('oauth2', False)
     return bool(enabled)
 
 def get_oidc_enabled(applications, application_id):
     # Retrieve the application dictionary based on the ID
     app = applications.get(application_id, {})
     # Retrieve the value for oidc.enabled, default is False
-    enabled = app.get('oidc', {}).get('enabled', False)
+    enabled = app.get('features', {}).get('oidc', False)
     return bool(enabled)
 
-def get_landingpage_iframe_enabled(applications, application_id):
+def get_features_iframe(applications, application_id):
     app = applications.get(application_id)
-    enabled = app.get('landingpage_iframe_enabled')
+    enabled = app.features.iframe
     return bool(enabled)
 
 def get_database_central_storage(applications, application_id):
@@ -24,14 +24,14 @@ def get_database_central_storage(applications, application_id):
     If not defined, None is returned.
     """
     app = applications.get(application_id, {})
-    db_type = app.get('database', {}).get('central_storage', False)
+    db_type = app.get('features', {}).get('database', False)
     return db_type
 
 class FilterModule(object):
     def filters(self):
         return {
             'get_oidc_enabled': get_oidc_enabled,
-            'get_oauth2_enabled': get_oauth22_enabled,
+            'get_oauth2_enabled': get_oauth2_enabled,
             'get_database_central_storage': get_database_central_storage,
-            'get_landingpage_iframe_enabled': get_landingpage_iframe_enabled,
+            'get_features_iframe': get_features_iframe,
         }

group_vars/all/.gitignore

@@ -0,0 +1 @@
+*_applications.yml

group_vars/all/00_general.yml

@@ -52,20 +52,3 @@ enable_wildcard_certificate:              false
 # This enables debugging in ansible and in the apps
 # You SHOULD NOT enable this on production servers
 enable_debug:                             false
-
-#########################
-##  ENABLED DEFAULTS   ##
-#########################
-
-# The following defaults are used for the default_applications
-# It can be that in a default_applications the value for one application is overwritten.
-# You can overwritte it in this case in the applications in your inventory
-
-## Matomo Tracking
-matomo_tracking_enabled_default:           true  # Enables\Disables Matomo tracking on all html pages by default.
-
-## CSS
-css_enabled_default:                       true  # Enables\Disables Global CSS on all html pages by default.
-
-## iframe for primary domain
-landingpage_iframe_enabled_default:        true  # Enables\Disables the possibility to be embedded via iframe by default. 

group_vars/all/07_applications.yml

@@ -1,3 +1,4 @@
+
 # Docker Applications
 
 ## Docker Role Specific Parameters
@@ -11,9 +12,7 @@ docker_restart_policy:        "unless-stopped"
 # If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files.
 
 # helper
-_applications_nextcloud_ldap_enabled: "{{ applications.nextcloud.ldap.enabled | default(true) }}"
+_applications_nextcloud_oidc_flavor:  "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}"
-_applications_nextcloud_oidc_enabled: "{{ applications.nextcloud.oidc.enabled | default(true) }}"
-_applications_nextcloud_oidc_flavor:  "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if _applications_nextcloud_ldap_enabled else 'sociallogin') }}"
 
 # applications
 
@@ -25,48 +24,46 @@ defaults_applications:
     company_name:                 "{{primary_domain}}"
     company_email:                "{{users.administrator.email}}"
     setup_admin_email:            "{{users.administrator.email}}"
-    database:
+    features:  
-      central_storage:  True
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## Assets Server
   assets_server:
     source_directory:             "{{ playbook_dir }}/assets"               # Directory from which the assets will be copied
     url:                          "https://{{domains.file_server}}/assets"  # Public address of the assets directory
-
   ## Attendize 
   attendize:
     version:                      "latest"
-    database:
+    features:  
-      central_storage:  True
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe  
+      database: True   # Enables use of central database
 
   ## Baserow 
   baserow:
     version:            "latest"
-    database:
+    features:  
-      central_storage:  True
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: True   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## Big Blue Button
   bigbluebutton:
     enable_greenlight:    "true"
     setup:                false                                             # Set to true in inventory file for initial setup
-    oidc:
+# @todo LDAP needs to get propper implemented and tested, just set values during refactoring
-      enabled:            true                                              # Activate OIDC
+    features:  
-    database:
+      matomo: True   # Enables Matomo tracking  
-      central_storage:    True
+      css: True   # Enables custom CSS styling  
-    ldap:
+      iframe: True   # Allows embedding via iframe on landing page  
-      enabled:            False                                             # @todo LDAP needs to get propper implemented and tested, just set values during refactoring
+      ldap: False   # Enables LDAP integration and networking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      oidc: True   # Enables OpenID Connect (OIDC) authentication  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      database: True   # Enables use of central database
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
     credentials:
 #      shared_secret:                                                       # Needs to be defined in inventory file
 #      etherpad_api_key:                                                    # Needs to be defined in inventory file                                             
@@ -87,11 +84,11 @@ defaults_applications:
       #jwt_secret:                                                          # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n'
       #plc_rotation_key_k256_private_key_hex:                               # Needs to be defined in inventory file - Use: openssl rand -hex 32 
       #admin_password:                                                      # Needs to be defined in inventory file - Use: openssl rand -base64 16
-    database:
+    features:  
-      central_storage:                True
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: True   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   # Chromium Browser
   chromium:
@@ -110,20 +107,25 @@ defaults_applications:
     network:                      "discourse_default"                       # Name of the docker network
     container:                    "discourse_application"                   # Name of the container application
     repository:                   "discourse_repository"                    # Name of the repository folder
-    # database_password:                                                    # Needs to be defined in inventory file
+    credentials:
-    oidc:
-      enabled:                    true                                      # Activate OIDC
       database:
-      central_storage:            True                                      # Activate Central Database Storage
+#       password:                                                           # Needs to be defined in inventory file
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      master_api:
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+#       key:                                                                # Needs to be defined in inventory file
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+        username:                 "{{ users.administrator.username }}"      # Username for the Master API                           
+    features:  
+      matomo: True   # Enables Matomo tracking  
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page  
+      oidc: True   # Enables OpenID Connect (OIDC) authentication  
+      database: True   # Enables use of central database
 
   ## File Server
   file_server:
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   "true"                                    # Landingpage should be embeded in portfolio
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page
 
   # Firefox Browser
   firefox:
@@ -134,47 +136,45 @@ defaults_applications:
   ## Friendica
   friendica:
     version:                 "latest"
-    oidc:
+    features:  
-      enabled:               true                                           # Activate OIDC. Plugin is not working yet
+      matomo: True   # Enables Matomo tracking  
-    database:
+      css: True   # Enables custom CSS styling  
-      central_storage:       True                                           # Activate Central Database Storage
+      iframe: True   # Allows embedding via iframe on landing page  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      oidc: True   # Enables OpenID Connect (OIDC) authentication  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      database: True   # Enables use of central database
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
 
   ## Funkwhale
   funkwhale:
     version:              "1.4.0"
-    ldap:
+    features:  
-      enabled:            True                                              # Enables LDAP by default @todo check implementation
+      matomo: True   # Enables Matomo tracking  
-    database:
+      css: True   # Enables custom CSS styling  
-      central_storage:    True                                              # Activate Central Database Storage
+      iframe: True   # Allows embedding via iframe on landing page  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      ldap: True   # Enables LDAP integration and networking  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      database: True   # Enables use of central database
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
 
   ## Gitea
   gitea:
     version:                          "latest"                                  # Use latest docker image 
-    database:
-      central_storage:                True                                      # Activate Central Database Storage
     configuration:
       repository:
         enable_push_create_user:      True                                      # Allow users to push local repositories to Gitea and have them automatically created for a user.
         default_private:              last                                      # Default private when creating a new repository: last, private, public
         default_push_create_private:  True                                      # Default private when creating a new repository with push-to-create.
-    matomo_tracking_enabled:          "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                      "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:       "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe         
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page  
+      database: True   # Enables use of central database
 
   ## Gitlab
   gitlab:
     version:                      "latest"
-    database:
+    features:  
-      central_storage:  True                                                # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: True   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## Gnome
   gnome:
@@ -186,15 +186,17 @@ defaults_applications:
   ## Joomla
   joomla:
     version:                      "latest"
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page
 
   ## HTML Server
   html_server:
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   "true"                                    # Landingpage should be embeded in portfolio
+      css: True   # Enables custom CSS styling  
+      iframe: False   # Allows embedding via iframe on landing page
 
   ## Keycloak
   keycloak:
@@ -202,31 +204,31 @@ defaults_applications:
     users:
       administrator:
         username:       "{{users.administrator.username}}"                  # Administrator Username for Keycloak
-    ldap:
-      enabled:          True                                                # Enables LDAP by default
     import_realm:       True                                                # If True realm will be imported. If false skip.
-    database: 
-      central_storage:  True                                                # Activate Central Database Storage
 #   database_password:                                                      # Needs to be defined in inventory file
 #   administrator_password:                                                 # Needs to be defined in inventory file
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   false                                     # Disabled by default, because it leads to authentification problems
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page  
+      ldap: True   # Enables LDAP integration and networking  
+      database: True   # Enables use of central database
 
   # LDAP Account Manager 
   lam:
     version:                        "latest"
 #    administrator_password:         "{{users.administrator.initial_password}}"  # CHANGE for security reasons  
-    ldap:
-      enabled:                        True                                        # Should have the same value as applications.ldap.network.local.
     oauth2_proxy:
-      enabled:                        true                                        # Activate the OAuth2 Proxy for the LDAP Webinterface
       application:                    application                                 # Needs to be the same as webinterface
       port:                           80                                          # application port
 #     cookie_secret:                  None                                        # Set via openssl rand -hex 16
-    matomo_tracking_enabled:          "{{matomo_tracking_enabled_default}}"       # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                      "{{css_enabled_default}}"                   # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:       "{{landingpage_iframe_enabled_default}}"    # Enables\Disables the possibility to embed this on landing page via iframe
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page  
+      ldap: True   # Enables LDAP integration and networking  
+      oauth2: False   # Enables OAuth2 proxy integration  
+      database: False   # Enables use of central database
 
   ## LDAP
   ldap:
@@ -242,8 +244,8 @@ defaults_applications:
     # administrator_password:                                                   # CHANGE for security reasons in inventory file
     # administrator_database_password:                                          # CHANGE for security reasons in inventory file
     force_import:                   False                                       # Forces the import of the LDIF files
-    ldap:
+    features:  
-      enabled:          True                                                    # Enables LDAP network by default
+      ldap: True   # Enables LDAP integration and networking
 
   ## Libre Office
   libreoffice:
@@ -257,31 +259,31 @@ defaults_applications:
     public_api_activated:             False                                       # Security hole. Can be used for spaming
     version:                          "latest"                                    # Docker Image version
     setup:                            false                                       # Set true in inventory file to execute the setup and initializing procedures
-    database:
+    features:  
-      central_storage:                True                                        # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:          "{{matomo_tracking_enabled_default}}"       # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                      "{{css_enabled_default}}"                   # Enables\Disables Global CSS Style
+      iframe: True   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:       "{{landingpage_iframe_enabled_default}}"    # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   mailu:
     version:                          "2024.06"                                   # Docker Image Version
     setup:                            false                                       # Set true in inventory file to execute the setup and initializing procedures
     oidc:
-      enabled:                        true                                        # Activate OIDC for Mailu
       email_by_username:              true                                        # If true, then the mail is set by the username. If wrong then the OIDC user email is used
       enable_user_creation:           true                                        # Users will be created if not existing
     domain:                           "{{primary_domain}}"                        # The main domain from which mails will be send \ email suffix behind @
-    # I don't know why the database deactivation is necessary
-    database:
-      central_storage:                False                                       # Deactivate central database for mailu
     credentials:                                     
 #     secret_key:                                                                 # Set to a randomly generated 16 bytes string
 #     database_password:                                                          # Needs to be set in inventory file
 #     api_token:                                                                  # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API.
 #     initial_administrator_password:                                             # Initial administrator password for setup 
-    matomo_tracking_enabled:          "{{matomo_tracking_enabled_default}}"       # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                      "{{css_enabled_default}}"                   # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:       true                                        # Default enabled because working well in iframe
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page  
+      oidc: True   # Enables OpenID Connect (OIDC) authentication  
+      database: False   # Enables use of central database
+# Deactivate central database for mailu, I don't know why the database deactivation is necessary
 
   ## MariaDB
   mariadb:
@@ -291,25 +293,21 @@ defaults_applications:
   matomo:
     version:                      "latest"
     oauth2_proxy:
-      enabled:                    false                                           # Deactivated atm. @todo implement 
 #   cookie_secret:              None                                            # Set via openssl rand -hex 16
 #   database_password:            Null                                            # Needs to be set in inventory file
 #   auth_token:                   Null                                            # Needs to be set in inventory file
-    database:
+    features:  
-      central_storage:            True                                            # Activate Central Database Storage
+      matomo: False   # Enables Matomo tracking  
-    matomo_tracking_enabled:      false                                           # Activate in inventory file if you want to have the statistics, as soon as matomo is running
+      css: False   # Enables custom CSS styling  
-    css_enabled:                  false                                           # Not optimized yet for matomo
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"        # Enables\Disables the possibility to embed this on landing page via iframe
+      oauth2: False   # Enables OAuth2 proxy integration  
+      database: True   # Enables use of central database
 
   ## Mastodon
   mastodon:
     version:                      "latest"
     single_user_mode:             false                                           # Set true for initial setup
     setup:                        false                                           # Set true in inventory file to execute the setup and initializing procedures
-    database:
-      central_storage:            True                                            # Activate Central Database Storage
-    oidc:
-      enabled:                    True                                            # Activate OIDC for Mastodon
     credentials:
 # Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
 #     database_password:                              
@@ -322,9 +320,12 @@ defaults_applications:
 #       deterministic_key:                            
 #       key_derivation_salt:                          
 #       primary_key:                                  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"           # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                       # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"        # Enables\Disables the possibility to embed this on landing page via iframe
+      css: True   # Enables custom CSS styling  
+      iframe: False   # Allows embedding via iframe on landing page  
+      oidc: True   # Enables OpenID Connect (OIDC) authentication  
+      database: True   # Enables use of central database
 
   ## Matrix
   matrix:
@@ -339,13 +340,13 @@ defaults_applications:
     element:
       version:                    "latest"
     setup:                        false                                           # Set true in inventory file to execute the setup and initializing procedures
-    database:
+    features:  
-      central_storage:            True                                            # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    oidc:
+      css: True   # Enables custom CSS styling  
-      enabled:                    False                                           # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
+      iframe: False   # Allows embedding via iframe on landing page  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"           # Enables\Disables Matomo Tracking
+      oidc: False   # Enables OpenID Connect (OIDC) authentication  
-    css_enabled:                  "{{css_enabled_default}}"                       # Enables\Disables Global CSS Style
+      database: True   # Enables use of central database
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"        # Enables\Disables the possibility to embed this on landing page via iframe
+# Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
 
   ## Moodle
   moodle:
@@ -355,20 +356,20 @@ defaults_applications:
         username:                 "{{users.administrator.username}}"
         email:                    "{{users.administrator.email}}"
     version:                      "latest"
-    database:
+    features:  
-      central_storage:  True                                                      # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"           # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                       # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"        # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## MyBB
   mybb:
     version:            "latest"
-    database:
+    features:  
-      central_storage:  True                                                      # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"           # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                       # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"        # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## Nextcloud
   nextcloud:
@@ -376,17 +377,19 @@ defaults_applications:
     ldap:
       enabled:                    True                                              # Enables LDAP by default
     oidc:
-      enabled:                    "{{ _applications_nextcloud_oidc_enabled }}"      # Activate OIDC for Nextcloud
+      enabled:                    "{{ applications.nextcloud.features.oidc | default(true) }}"      # Activate OIDC for Nextcloud
       # floavor decides which OICD plugin should be used. 
       # Available options: oidc_login, sociallogin
       # @see https://apps.nextcloud.com/apps/oidc_login
       # @see https://apps.nextcloud.com/apps/sociallogin
       flavor:                     "oidc_login"                                      # Keeping on sociallogin because the other option is not implemented yet                                             
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"             # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                         # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"          # Enables\Disables the possibility to embed this on landing page via iframe
+      css: True   # Enables custom CSS styling  
-    database:
+      iframe: False   # Allows embedding via iframe on landing page  
-      central_storage:            True                                              # Activate Central Database Storage
+      ldap: True   # Enables LDAP integration and networking  
+      oidc: True   # Enables OpenID Connect (OIDC) authentication  
+      database: True   # Enables use of central database
     credentials:
 #     database_password:          Null                                              # Needs to be set in inventory file
     users:      
@@ -577,13 +580,13 @@ defaults_applications:
       #  enabled: false
       twofactor_nextcloud_notification:
         # Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification)
-        enabled: "{{ (not _applications_nextcloud_oidc_enabled) | lower }}" # Deactivate 2FA if oidc is active
+        enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
       twofactor_totp:
         # Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp)
-        enabled: "{{ (not _applications_nextcloud_oidc_enabled) | lower }}" # Deactivate 2FA if oidc is active
+        enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
       user_ldap:
         # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
-        enabled: "{{ _applications_nextcloud_ldap_enabled | lower }}"
+        enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
       user_oidc:
         # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
         enabled:    "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"
@@ -600,37 +603,38 @@ defaults_applications:
     version:            "latest"                                                                                    # Docker Image version
     redirect_url:       "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
     allowed_roles:      admin                                                                                       # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"                                             # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                                                         # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"                                          # Enables\Disables the possibility to embed this on landing page via iframe
+      css: True   # Enables custom CSS styling  
+      iframe: False   # Allows embedding via iframe on landing page
 
   ## Open Project
   openproject:
     version:                    "13"                                      # Update when available. Sadly no rolling release implemented
     oauth2_proxy:  
-      enabled:                  true                                      # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
       application:              "proxy"
       port:                     "80"
 #     cookie_secret:            None                                      # Set via openssl rand -hex 16
     ldap:
-      enabled:                  True                                      # Enables LDAP by default
       filters:
         administrators:         True                                      # Set true to filter administrators
         users:                  False                                     # Set true to filter users
-    database:                                                                               
+    features:  
-      central_storage:          True                                      # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:    "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      ldap: True   # Enables LDAP integration and networking  
+      oauth2: True   # Enables OAuth2 proxy integration  
+      database: True   # Enables use of central database
 
   ## Peertube
   peertube:
     version:                      "bookworm"
-    database:
+    features:  
-      central_storage:            True                                      # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## PgAdmin
   pgadmin:
@@ -642,56 +646,54 @@ defaults_applications:
         email:                   "{{ users.administrator.email }}"              # Initial login email address
         password:                "{{ users.administrator.initial_password }}"   # Initial login password – should be overridden in inventory for security
     oauth2_proxy:
-      enabled:                    true                                          # Enable OAuth2 proxy for authentication
       application:                "application"
       port:                       "80"
 #     cookie_secret:              None                                          # Set via: openssl rand -hex 16
-    database:
+    features:  
-      central_storage:            True                                          # Uses central PostgreSQL database
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{ matomo_tracking_enabled_default }}"       # Enables/Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{ css_enabled_default }}"                   # Enables/Disables global CSS styling
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{ landingpage_iframe_enabled_default }}"    # Enables/Disables embedding via iframe
+      oauth2: True   # Enables OAuth2 proxy integration  
+      database: True   # Enables use of central database
 
   ## phpLDAPadmin
   phpldapadmin:
     version:                        "2.0.0-dev"                                 # @todo Attention: Change this as fast as released to latest
-    ldap:
-      enabled:                        True                                      # Should have the same value as applications.ldap.network.local.
     oauth2_proxy:
-      enabled:                        true                                      # Activate the OAuth2 Proxy for the LDAP Webinterface
       application:                    application                               # Needs to be the same as webinterface
       port:                           8080                                      # application port
 #     cookie_secret:                  None                                      # Set via openssl rand -hex 16
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"         # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                     # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"      # Enables\Disables the possibility to embed this on landing page via iframe
+      css: True   # Enables custom CSS styling  
+      iframe: False   # Allows embedding via iframe on landing page  
+      ldap: True   # Enables LDAP integration and networking  
+      oauth2: True   # Enables OAuth2 proxy integration
 
   ## PHPMyAdmin
   phpmyadmin:
     version:                      "latest"                                  # Use the latest phpmyadmin version
     autologin:                    false                                     # This is a high security risk. Just activate this option if you know what you're doing
     oauth2_proxy:  
-      enabled:                    true
       port:                       "80"
       application:                "application"
 #     cookie_secret:              None                                      # Set via openssl rand -hex 16
-    database:
+    features:  
-      central_storage:            True                                      # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    css:
+      css: False   # Enables custom CSS styling  
-      enabled:                    False                                     # The css needs more optimation for PHPMyAdmin
+      iframe: False   # Allows embedding via iframe on landing page  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      oauth2: True   # Enables OAuth2 proxy integration  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      database: True   # Enables use of central database
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
 
   ## Pixelfed
   pixelfed:
     titel:                        "Pictures on {{primary_domain}}"
     version:                      "latest"
-    database:
+    features:  
-      central_storage:            True                                      # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## Postgres
   # Please set an version in your inventory file - Rolling release for postgres isn't recommended
@@ -699,50 +701,50 @@ defaults_applications:
     version:                      "latest"
 
   portfolio:
-    database:
+    features:  
-      central_storage:  False                                               # Portfolio doesn't use any database
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page
-    landingpage_iframe_enabled:   false                                     # Doesn't make sense to load landingpage in landingpage
 
   ## Presentation
   presentation:
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  False                                     # Would mess with the presentation layout
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   True                                      # Makes sense to make the documentary allways in iframe available
+      css: True   # Enables custom CSS styling  
+      iframe: True   # Allows embedding via iframe on landing page
 
   # Snipe-IT
   snipe_it:
     version:                      "latest"
-    database:
+    features:  
-      central_storage:  True                                                # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      database: True   # Enables use of central database
 
   ## Sphinx
   sphinx:
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    features:  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      matomo: True   # Enables Matomo tracking  
-    landingpage_iframe_enabled:   true                                      # Makes sense to make the documentary allways in iframe available
+      css: True   # Enables custom CSS styling  
+      iframe: False   # Allows embedding via iframe on landing page
 
   ## Taiga
   taiga:
     version:                      "latest"
-    database:
-      central_storage:            True                                      # Activate Central Database Storage
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
     oidc:
     # Taiga doesn't have a functioning oidc support at the moment
     # See
     # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866
     #
     # Due to this reason this plutin is deactivated atm
-      enabled:                    False                                     # De\Activate OIDC for Taiga
       flavor:                     'taigaio'                                 # Potential flavors: robrotheram, taigaio
-                                                                            
+    features:  
+      matomo: True   # Enables Matomo tracking  
+      css: True   # Enables custom CSS styling  
+      iframe: False   # Allows embedding via iframe on landing page  
+      oidc: False   # Enables OpenID Connect (OIDC) authentication  
+      database: True   # Enables use of central database                                                                            
 
   ## YOURLS
   yourls:
@@ -751,16 +753,16 @@ defaults_applications:
         username:       "{{users.administrator.username}}"
     version:            "latest"
     oauth2_proxy:  
-      enabled:          true
       application:      "application"
       port:             "80"
       location:         "/admin/"                                           # Protects the admin area
 #     cookie_secret:    None                                                # Set via openssl rand -hex 16
-    database:
+    features:  
-      central_storage:  True                                                # Activate Central Database Storage
+      matomo: True   # Enables Matomo tracking  
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      css: True   # Enables custom CSS styling  
-    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+      iframe: False   # Allows embedding via iframe on landing page  
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+      oauth2: True   # Enables OAuth2 proxy integration  
+      database: True   # Enables use of central database
 
   wordpress:
 # Deactivate Global theming for wordpress role
@@ -769,16 +771,18 @@ defaults_applications:
 #
 # May a solution could be to generate a template or css file dedicated
 # for wordpress based on the theming values and import it. 
-    database:
+    title:                        "Blog"                                      # Wordpress titel
-      central_storage:            True                                      # Activate Central Database Storage
+    credentials:                                                              # Credentials
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+      administrator:                                                          # Wordpress administrator
-    css_enabled:                  false                                     # CSS is hard to tweak for wordpress
-    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
-    oidc:
-      enabled:                    true                                      # Activate OIDC
-    title:                        "Blog"                                    
-    credentials:
-      administrator:
         username:                 "{{users.administrator.username}}"          # Username of the wordpress administrator
 #       password:                                                             # Password of the wordpress administrator
         email:                    "{{users.administrator.email}}"             # Email of the wordpress adminsitrator
+    plugins:
+      discourse:                  false
+      oidc:                       true
+    features:  
+      matomo: True   # Enables Matomo tracking  
+      css: False   # Enables custom CSS styling  
+      iframe: False   # Allows embedding via iframe on landing page  
+      oidc: True   # Enables OpenID Connect (OIDC) authentication  
+      database: True   # Enables use of central database

main.py

@@ -30,7 +30,7 @@ def run_ansible_playbook(inventory: str, playbook: str, modes: dict, limit: str
     if verbose:
         # Append a single flag with multiple "v"s (e.g. -vvv)
         cmd.append("-" + "v" * verbose)
-    
+    subprocess.run(['make','build'], check=True)
     subprocess.run(cmd, check=True)
 
 def main():

requirements.yml

@@ -3,3 +3,5 @@ collections:
 pacman:
   - ansible
   - python-passlib
+pkgmgr:
+  - j2r

roles/docker-bigbluebutton/templates/env.j2

@@ -161,7 +161,7 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=
 
-{% if applications[application_id].ldap.enabled | bool %}
+{% if applications[application_id].features.ldap | bool %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
@@ -286,7 +286,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite
 
-{% if applications[application_id].oidc.enabled | bool %}
+{% if applications[application_id].features.oidc | bool %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #

roles/docker-central-database/tasks/main.yml

@@ -16,12 +16,12 @@
     src: "env/{{database_type}}.env.j2"
     dest: "{{database_env}}"
   notify: docker compose project build and setup
-  when: not applications[application_id].database.central_storage | bool
+  when: not applications[application_id].features.database | bool
 
 - name: "Create central database"
   include_role:
     name: "docker-{{database_type}}"
-  when: applications[application_id].database.central_storage | bool
+  when: applications[application_id].features.database | bool
 
 - name: "Add database to backup"
   include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"

roles/docker-central-database/templates/services/mariadb.yml.j2

@@ -1,5 +1,5 @@
 # This template needs to be included in docker-compose.yml, which depend on a mariadb database
-{% if not applications[application_id].database.central_storage | bool %}
+{% if not applications[application_id].features.database | bool %}
   database:
     container_name: {{application_id}}-database
     logging:

roles/docker-central-database/templates/services/postgres.yml.j2

@@ -1,5 +1,5 @@
 # This template needs to be included in docker-compose.yml, which depend on a postgres database
-{% if not applications[application_id].database.central_storage | bool %}  
+{% if not applications[application_id].features.database | bool %}  
   database:
     image: postgres:{{applications.postgres.version}}-alpine
     container_name: {{application_id}}-database

roles/docker-central-database/vars/database.yml

@@ -1,5 +1,5 @@
-database_instance:  "{{ 'central-' + database_type if applications[application_id].database.central_storage | bool else application_id }}"
+database_instance:  "{{ 'central-' + database_type if applications[application_id].features.database | bool else application_id }}"
-database_host:      "{{ 'central-' + database_type if applications[application_id].database.central_storage | bool else 'database' }}"
+database_host:      "{{ 'central-' + database_type if applications[application_id].features.database | bool else 'database' }}"
 database_name:      "{{ application_id }}"
 database_username:  "{{ application_id }}"
 database_port:      "{{ 3306 if database_type == 'mariadb' else 5432 }}"

roles/docker-discourse/handlers/main.yml

@@ -11,7 +11,7 @@
   command:
     cmd: "docker network connect {{applications.discourse.network}} central-{{ database_type }}"
   ignore_errors: true
-  when: applications[application_id].database.central_storage | bool
+  when: applications[application_id].features.database | bool
   listen: recreate discourse
 
 - name: rebuild discourse

roles/docker-discourse/tasks/main.yml

@@ -68,10 +68,10 @@
   command:
     cmd: "docker network connect central_postgres {{applications.discourse.container}}"
   ignore_errors: true
-  when: applications[application_id].database.central_storage | bool
+  when: applications[application_id].features.database | bool
   
 - name: "remove central database from {{application_id}}_default"
   command:
     cmd: "docker network disconnect {{applications.discourse.network}} central-{{ database_type }}"
   ignore_errors: true
-  when: applications[application_id].database.central_storage | bool
+  when: applications[application_id].features.database | bool

roles/docker-discourse/templates/discourse_application.yml.j2

@@ -1,5 +1,5 @@
 templates:
-{% if not applications[application_id].database.central_storage | bool %}
+{% if not applications[application_id].features.database | bool %}
   - "templates/postgres.template.yml"
 {% endif %}
   #- "templates/redis.template.yml"
@@ -112,7 +112,7 @@ run:
   ## If you want to set the 'From' email address for your first registration, uncomment and change:
   ## After getting the first signup email, re-comment the line. It only needs to run once.
   #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
-{% if applications[application_id].oidc.enabled | bool %}
+{% if applications[application_id].features.oidc | bool %}
   # Deactivate Default Login
   - exec: rails r "SiteSetting.enable_local_logins = false"
   - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589

roles/docker-friendica/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:     "friendica"
 database_password:  "{{friendica_database_password}}"
 database_type:      "mariadb"
-no_validation:      "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active
+no_validation:      "{{applications[application_id].features.oidc}}" # Email validation is not neccessary if OIDC is active

roles/docker-funkwhale/templates/env.j2

@@ -100,7 +100,7 @@ DJANGO_SETTINGS_MODULE=config.settings.production
 # Generate one using `openssl rand -base64 45`, for example
 DJANGO_SECRET_KEY={{funkwhale_django_secret}}
 
-{% if applications[application_id].ldap.enabled | bool %}
+{% if applications[application_id].features.ldap | bool %}
 # LDAP settings
 # Use the following options to allow authentication on your Funkwhale instance
 # using a LDAP directory.

roles/docker-mailu/templates/env.j2

@@ -151,14 +151,14 @@ API_TOKEN={{applications.mailu.credentials.api_token}}
 AUTH_REQUIRE_TOKENS=True
 
 
-{% if applications[application_id].oidc.enabled | bool %}
+{% if applications[application_id].features.oidc | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/heviat/Mailu-OIDC/tree/master
 
 # Enable OpenID Connect. Possible values: True, False
-OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
+OIDC_ENABLED={{ applications[application_id].features.oidc | string | capitalize }}
 
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
@@ -182,7 +182,7 @@ OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
 # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
 OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
 
-{% if applications[application_id].oidc.enabled | bool %}
+{% if applications[application_id].features.oidc | bool %}
 
 # The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as <OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>. Defaults to email.
 OIDC_USERNAME_CLAIM={{oidc.attributes.username}}

roles/docker-mailu/vars/main.yml

@@ -6,7 +6,7 @@ enable_wildcard_certificate:  false
 
 # Use dedicated source for oidc if activated  
 # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
-docker_source:                "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}"
+docker_source:                "{{ 'ghcr.io/heviat' if applications[application_id].features.oidc | bool else 'ghcr.io/mailu' }}"
 
 domain:     "{{ domains[application_id] }}"
 http_port: 	"{{ ports.localhost.http[application_id] }}"

roles/docker-mastodon/templates/env.j2

@@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none
 SMTP_ENABLE_STARTTLS=auto
 SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
 
-{% if applications[application_id].oidc.enabled | bool %}
+{% if applications[application_id].features.oidc | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/mastodon/mastodon/pull/16221
 # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
 
-OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }}
+OIDC_ENABLED={{ applications[application_id].features.oidc | string | lower }}
 OIDC_DISPLAY_NAME="{{oidc.button_text}}"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true

roles/docker-matrix-compose/tasks/create-and-seed-database.yml

@@ -7,7 +7,7 @@
 - name: "create {{database_name}} database"
   include_role:
     name: docker-postgres
-  when: applications[application_id].database.central_storage | bool
+  when: applications[application_id].features.database | bool
 
 - name: "include seed-database-to-backup.yml"
   include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"

roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2

@@ -45,7 +45,7 @@ email:
   client_base_url:              "{{domains.matrix_synapse}}"
   validation_token_lifetime:    15m
 
-{% if applications[application_id].oidc.enabled | bool %}
+{% if applications[application_id].features.oidc | bool %}
 # @See https://matrix-org.github.io/synapse/latest/openid.html
 oidc_providers:
   - idp_id: keycloak

roles/docker-nextcloud/templates/config/oidc.config.php.j2

@@ -146,7 +146,7 @@ return array (
     //
     // The `id` attribute in `oidc_login_attributes` must return the
     // "Internal Username" (see expert settings in LDAP integration)
-    'oidc_login_proxy_ldap' => {{applications[application_id].ldap.enabled | string | lower}},
+    'oidc_login_proxy_ldap' => {{applications[application_id].features.ldap | string | lower}},
 
     // Disable creation of users new to Nextcloud from OIDC login.
     // A user may be known to the IdP but not (yet) known to Nextcloud.

roles/docker-openproject/tasks/main.yml

@@ -59,4 +59,4 @@
 
 - name: Setup LDAP
   include_tasks: ldap.yml
-  when: applications[application_id].ldap.enabled | bool
+  when: applications[application_id].features.ldap | bool

roles/docker-pgadmin/vars/main.yml

@@ -1,6 +1,6 @@
 application_id:               "pgadmin"
 database_type:                "postgres"
-database_host:                "{{ 'central-' + database_type if applications[application_id].database.central_storage }}"
+database_host:                "{{ 'central-' + database_type if applications[application_id].features.database }}"
 database_var_file:            "{{playbook_dir}}/roles/docker-central-database/vars/database.yml"
 pgadmin_user:                 5050
 pgadmin_group:                "{{pgadmin_user}}"

roles/docker-phpmyadmin/vars/main.yml

@@ -1,3 +1,3 @@
 application_id:       "phpmyadmin"
 database_type:        "mariadb"
-database_host:        "{{ 'central-' + database_type if applications[application_id].database.central_storage}}"
+database_host:        "{{ 'central-' + database_type if applications[application_id].features.database}}"

roles/docker-portfolio/lookup_plugins/docker_cards.py

@@ -22,7 +22,7 @@ class LookupModule(LookupBase):
           - Retrieves the icon class from galaxy_info.logo.class
           - Retrieves the tags from galaxy_info.galaxy_tags
           - Builds the URL using the 'domains' variable (e.g. domains[application_id])
-          - Sets the iframe flag from applications[application_id].landingpage_iframe_enabled
+          - Sets the iframe flag from applications[application_id].features.iframe
 
         Only cards whose application_id is included in the variable group_names are returned.
         """
@@ -98,7 +98,7 @@ class LookupModule(LookupBase):
             url = "https://" + domain_url if domain_url else ""
 
             app_data = applications.get(application_id, {})
-            iframe = app_data.get("landingpage_iframe_enabled", False)
+            iframe = app_data.get("features", {}).get("iframe", False)
 
             # Build card dictionary
             card = {

roles/docker-portfolio/templates/config.yaml.j2

@@ -28,7 +28,7 @@ accounts:
           class: fa-brands fa-mastodon
         url: "https://{{ service_provider.contact.mastodon.split('@')[2] }}/@{{ service_provider.contact.mastodon.split('@')[1] }}"
         identifier: "{{service_provider.contact.mastodon}}"
-        iframe: {{ applications | get_landingpage_iframe_enabled('mastodon') }}
+        iframe: {{ applications | get_features_iframe('mastodon') }}
 
 {% endif %}
 {% if service_provider.contact.bluesky is defined and service_provider.contact.bluesky != "" %}
@@ -52,7 +52,7 @@ accounts:
           class: fa-solid fa-camera
       identifier: "{{service_provider.contact.pixelfed}}"
       url: "https://{{ service_provider.contact.pixelfed.split('@')[2] }}/@{{ service_provider.contact.pixelfed.split('@')[1] }}"
-      iframe: {{ applications | get_landingpage_iframe_enabled('pixelfed') }}
+      iframe: {{ applications | get_features_iframe('pixelfed') }}
 
 {% endif %}
 {% if service_provider.contact.peertube  is defined and service_provider.contact.peertube  != "" %}
@@ -64,7 +64,7 @@ accounts:
         class: fa-solid fa-video
       identifier: "{{service_provider.contact.peertube}}"
       url: "https://{{ service_provider.contact.peertube.split('@')[2] }}/@{{ service_provider.contact.peertube.split('@')[1] }}"
-      iframe: {{ applications | get_landingpage_iframe_enabled('peertube') }}
+      iframe: {{ applications | get_features_iframe('peertube') }}
 
 {% endif %}
 {% if service_provider.contact.wordpress is defined and service_provider.contact.wordpress != "" %}
@@ -76,7 +76,7 @@ accounts:
         class: fa-solid fa-blog
       identifier: "{{service_provider.contact.wordpress}}"
       url: "https://{{ service_provider.contact.wordpress.split('@')[2] }}/@{{ service_provider.contact.wordpress.split('@')[1] }}"
-      iframe: {{ applications | get_landingpage_iframe_enabled('wordpress') }}
+      iframe: {{ applications | get_features_iframe('wordpress') }}
 
 {% endif %}
 {% if service_provider.contact.source_code is defined and service_provider.contact.source_code != "" %}
@@ -98,7 +98,7 @@ accounts:
       class: fas fa-network-wired
     identifier: "{{service_provider.contact.friendica}}"
     url: "https://{{ service_provider.contact.friendica.split('@')[2] }}/@{{ service_provider.contact.friendica.split('@')[1] }}"
-    iframe: {{ applications | get_landingpage_iframe_enabled('friendica') }}
+    iframe: {{ applications | get_features_iframe('friendica') }}
 
 {% endif %}
 

roles/docker-portfolio/templates/footer_menu.yaml.j2

@@ -37,13 +37,13 @@
                 icon:
                   class: fa-solid fa-shield-halved
                 url: https://{{domains.keycloak}}/admin
-                iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+                iframe: {{ applications | get_features_iframe('keycloak') }}
               - name: Profile
                 description: Update your personal admin settings
                 icon:
                   class: fa-solid fa-user-gear
                 url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account
-                iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+                iframe: {{ applications | get_features_iframe('keycloak') }}
               - name: Logout
                 description: End your admin session securely
                 icon:
@@ -113,7 +113,7 @@
       icon:
         class: fas fa-book
       url: https://{{domains.sphinx}}
-      iframe: {{ applications | get_landingpage_iframe_enabled('sphinx') }}
+      iframe: {{ applications | get_features_iframe('sphinx') }}
 
 {% endif %}
 
@@ -124,7 +124,7 @@
       icon:
         class: "fas fa-chalkboard-teacher"
       url: https://{{domains.presentation}}
-      iframe: {{ applications | get_landingpage_iframe_enabled('presentation') }}
+      iframe: {{ applications | get_features_iframe('presentation') }}
 
 {% endif %}
 

roles/docker-snipe_it/templates/env.j2

@@ -27,7 +27,7 @@ DB_DATABASE={{database_name}}
 DB_USERNAME={{database_username}}
 DB_PASSWORD={{database_password}}
 
-{% if not applications[application_id].database.central_storage | bool %}
+{% if not applications[application_id].features.database | bool %}
 MYSQL_ROOT_PASSWORD={{database_password}}
 DB_PREFIX=null
 DB_DUMP_PATH='/usr/bin'

roles/docker-taiga/tasks/main.yml

@@ -18,7 +18,7 @@
   template:
     src:  "taiga/{{item}}.py.j2"
     dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py"
-  when:   applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio'
+  when:   applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio'
   notify: docker compose project build and setup
   loop:   "{{ settings_files }}"
 

roles/docker-taiga/templates/docker-compose.yml.j2

@@ -9,7 +9,7 @@ services:
       - media-data:/taiga-back/media
       # - ./config.py:/taiga-back/settings/config.py
 
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
 
       - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
 
@@ -22,7 +22,7 @@ services:
         condition: service_started
       taiga-async-rabbitmq:
         condition: service_started
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
     
     command: >
       /bin/sh -c "
@@ -42,7 +42,7 @@ services:
       - media-data:/taiga-back/media
       # - ./config.py:/taiga-back/settings/config.py
 
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
 
 {% for item in settings_files %}
       - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro
@@ -57,7 +57,7 @@ services:
         condition: service_started
       taiga-async-rabbitmq:
         condition: service_started
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
+{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %}
     
     command: >
       /bin/sh -c "

roles/docker-taiga/templates/env.j2

@@ -47,7 +47,7 @@ MAX_AGE             =   360
 # Taiga's Telemetry - Variable to enable or disable the anonymous telemetry
 ENABLE_TELEMETRY    =   True
 
-{% if applications[application_id].oidc.enabled %}
+{% if applications[application_id].features.oidc %}
 
 {% if applications[application_id].oidc.flavor == 'taigaio' %}
 

roles/docker-taiga/vars/main.yml

@@ -5,10 +5,10 @@ docker_repository_address:  "https://github.com/taigaio/taiga-docker"
 email_backend:              "smtp"                                      ## use an SMTP server or display the emails in the console (either "smtp" or "console")
 docker_compose_init:        "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
 taiga_image_backend: >-
-  {{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram'
+  {{ 'robrotheram/taiga-back-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram'
      else 'taigaio/taiga-back' }}
 taiga_image_frontend: >-
-  {{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram'
+  {{ 'robrotheram/taiga-front-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram'
      else 'taigaio/taiga-front' }}
 taiga_frontend_conf_path:   "{{docker_compose.directories.config}}conf.json"
 

roles/docker-wordpress/tasks/main.yml

@@ -39,4 +39,8 @@
 
 - name: "Activating OIDC when enabled."
   include_tasks: oidc.yml
-  when: applications[application_id].oidc.enabled | bool
+  when: applications[application_id].features.oidc | bool
+
+#- name: "Activating WP Discourse when enabled"
+#  include_tasks: wp_discourse.yml
+#  when: applications[application_id].wp_discourse.enabled | bool

roles/docker-wordpress/tasks/setup-discourse-api-key.yml

@@ -0,0 +1,23 @@
+---
+- name: "Create Discourse API key for WordPress integration"
+  uri:
+    url: "https://{{ domains.discourse }}/admin/api/keys"
+    method: POST
+    headers:
+      Content-Type: "application/json"
+      Api-Key: "{{ applications.discourse.master_api_key }}"
+      Api-Username: "{{ applications.discourse.master_api_username | default('admin') }}"
+    body_format: json
+    body:
+      key:
+        description: "WP Discourse Integration"
+        username: "system"
+    return_content: true
+    status_code: 200
+  register: discourse_api_key_response
+  when: applications.discourse.master_api_key is defined
+
+- name: "Set fact for vault_discourse_api_key"
+  set_fact:
+    vault_discourse_api_key: "{{ discourse_api_key_response.json.key.key }}"
+  when: discourse_api_key_response is defined and discourse_api_key_response.json.key is defined

roles/docker-wordpress/tasks/wp_discourse.yml

@@ -0,0 +1,17 @@
+---
+- name: "Install WP Discourse plugin"
+  command: >
+    docker-compose exec -u www-data -T application
+    wp plugin install wp-discourse --activate
+    --path={{ wordpress_docker_html_path }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+
+- name: "Configure WP Discourse settings"
+  vars:
+    discourse_settings_json_b64: "{{ discourse_settings | to_json | b64encode }}"
+  command: >
+    docker-compose exec -u www-data -T application bash -lc
+    "wp eval \"update_option('wp_discourse_options', json_decode(base64_decode('{{ discourse_settings_json_b64 }}'), true));\" --path={{ wordpress_docker_html_path }}"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"

roles/docker-wordpress/vars/wp_discourse.yml

@@ -0,0 +1,10 @@
+# Defines WP Discourse plugin settings
+# @see https://github.com/discourse/wp-discourse
+
+discourse_settings:
+  publish_discourse_posts: true
+  discourse_url:           "https://{{ domains.discourse }}"
+  discourse_api_key:       "{{ applications.discourse.api_key }}"
+  discourse_username:      "system"
+  discourse_use_sso:       false     # You can change this depending on your integration style
+  discourse_sso_secret:    "{{ applications.wordpress.credentials.discourse_sso_secret | default('') }}"

roles/health-nginx/TODO.md

@@ -0,0 +1,2 @@
+# Todo
+- Implement health check for oauth2-proxy

roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2

@@ -1,4 +1,4 @@
-{% if landingpage_iframe_enabled | default(applications.get(application_id).get('landingpage_iframe_enabled')) | bool %}
+{% if applications.get(application_id, {}).get('features', {}).get('iframe', False) %}
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header Content-Security-Policy "frame-ancestors 'self' {{primary_domain}};" always;
 {% endif %}

roles/nginx-modifier-all/tasks/main.yml

@@ -1,9 +1,9 @@
 - name: "Activate Global CSS for {{domain}}"
   include_role:
     name: nginx-modifier-css
-  when: applications.get(application_id).get('css_enabled') | bool
+  when: applications.get(application_id).get('features').get('css') | bool
 
 - name: "Activate Global Matomo Tracking for {{domain}}"
   include_role:
     name: nginx-modifier-matomo
-  when: applications.get(application_id).get('matomo_tracking_enabled') | bool
+  when: applications.get(application_id).get('features').get('matomo') | bool

roles/nginx-modifier-all/templates/global.includes.conf.j2

@@ -2,20 +2,20 @@
 sub_filter_once off;
 sub_filter_types text/html;
 
-{% set css_enabled_final                = applications.get(application_id).get('css_enabled') | bool %}
+{% set features_css_final                = applications.get(application_id).get('features').get('css') | bool %}
-{% set matomo_tracking_enabled_final    = applications.get(application_id).get('matomo_tracking_enabled') | bool %}
+{% set features_matomo_final    = applications.get(application_id).get('features').get('matomo') | bool %}
 
 
-{% if matomo_tracking_enabled_final | bool %}
+{% if features_matomo_final | bool %}
   {# Include Global Matomo Tracking #}
   {% include 'roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2' %}
 {% endif %}
 
-{% if css_enabled_final | bool or matomo_tracking_enabled_final | bool %}
+{% if features_css_final | bool or features_matomo_final | bool %}
-  sub_filter '</head>' '{% if matomo_tracking_enabled_final | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if css_enabled_final | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}</head>';
+  sub_filter '</head>' '{% if features_matomo_final | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if features_css_final | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}</head>';
 {% endif %}
 
-{% if css_enabled_final | bool %}
+{% if features_css_final | bool %}
   {# Include Global CSS Location #}
   {% include 'roles/nginx-modifier-css/templates/location.conf.j2' %}
 {% endif %}

roles/nginx-modifier-matomo/tasks/main.yml

@@ -30,7 +30,7 @@
   uri:
     url: "https://{{ domains.matomo }}/index.php"
     method: POST
-    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.auth_token }}&format=json"
+    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.credentials.auth_token }}&format=json"
     body_format: form-urlencoded
     status_code: 200
     return_content: yes

roles/nginx-modifier-matomo/vars/main.yml

@@ -1,2 +1,2 @@
 base_domain:      "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
-verification_url: "https://{{domains.matomo}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.auth_token}}"
+verification_url: "https://{{domains.matomo}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.credentials.auth_token}}"

tasks/constructor.yml

@@ -32,6 +32,20 @@
     set_fact:
       applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}"
 
+# @todo implement
+#  - name: Ensure features.integrated is set based on group membership
+#    set_fact:
+#      applications: "{{ applications | combine({ item.key: updated_app }, recursive=True) }}"
+#    vars:
+#      original_app: "{{ applications[item.key] | default({}) }}"
+#      original_features: "{{ original_app.features | default({}) }}"
+#      needs_integration: original_features.integrated is not defined
+#      updated_features: >-
+#        {{ original_features | combine({'integrated': (item.key in group_names)}) if needs_integration else original_features }}
+#      updated_app: >-
+#        {{ original_app | combine({'features': updated_features}) }}
+#    loop: "{{ applications | dict2items }}"
+
   - name: Merge networks definitions
     set_fact:
       networks: "{{ defaults_networks | combine(networks | default({}, true), recursive=True) }}"

templates/docker/compose/networks.yml.j2

@@ -4,7 +4,7 @@ networks:
   central_{{ database_type }}:
     external: true
 {% endif %}
-{% if applications[application_id].get('ldap', {}).get('enabled', false) | bool and applications.ldap.network.local | bool %}
+{% if applications[application_id].get('features', {}).get('ldap', false) | bool and applications.ldap.network.local | bool %}
   central_ldap:
     external: true
 {% endif %}

templates/docker/compose/volumes-just-database.yml.j2

@@ -1,5 +1,5 @@
 {# This needs to be included in docker-compose.yml which just contain a database volume #}
-{% if not (applications[application_id].database.central_storage | default(false)) | bool %}
+{% if not (applications[application_id].features.database | default(false)) | bool %}
 volumes:
   database:
 {% endif %}

templates/docker/compose/volumes.yml.j2

@@ -1,6 +1,6 @@
 {# This template needs to be included in docker-compose.yml which contain a database and additional volumes #}
 volumes:
-{% if not (applications[application_id].database.central_storage | default(false)) | bool %}
+{% if not (applications[application_id].features.database | default(false)) | bool %}
   database:
 {% endif %}
 {{ "\n" }}

templates/docker/container/depends-on-also-database.yml.j2

@@ -1,6 +1,6 @@
 {# This template needs to be included in docker-compose.yml containers which depend on a database and additional containers #}
     depends_on:
-{% if not applications[application_id].database.central_storage | bool %}
+{% if not applications[application_id].features.database | bool %}
       database:
         condition: service_healthy
 {% endif %}

templates/docker/container/depends-on-database-redis.yml.j2

@@ -1,6 +1,6 @@
 {# This template needs to be included in docker-compose.yml containers, which depend on a database, redis and optional additional volumes #}
     depends_on:
-{% if not applications[application_id].database.central_storage | bool %}
+{% if not applications[application_id].features.database | bool %}
       database:
         condition: service_healthy
 {% endif %}

templates/docker/container/depends-on-just-database.yml.j2

@@ -1,5 +1,5 @@
 {# This template needs to be included in docker-compose.yml containers, which just depend on a database #}
-{% if not applications[application_id].database.central_storage | bool %}
+{% if not applications[application_id].features.database | bool %}
     depends_on:
       database:
         condition: service_healthy

templates/docker/container/networks.yml.j2

@@ -3,7 +3,7 @@
 {% if applications | get_database_central_storage(application_id) | bool and database_type is defined %}
       central_{{ database_type }}:
 {% endif %}
-{% if applications[application_id].get('ldap', {}).get('enabled', false)|bool and applications.ldap.network.local|bool %}
+{% if applications[application_id].get('features', {}).get('ldap', false) | bool and applications.ldap.network.local|bool %}
       central_ldap:
 {% endif %}
       default:

templates/vars/applications.yml.j2

@@ -0,0 +1,826 @@
+{% import "features.yml.j2" as features %}{% raw %}
+# Docker Applications
+
+## Docker Role Specific Parameters
+docker_restart_policy:        "unless-stopped"
+
+##############################################
+## Applications Configuration              
+##############################################
+
+# Keep in mind, that this configuration should in general just apply to the roles which set the applications up.
+# If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files.
+
+# helper
+_applications_nextcloud_oidc_flavor:  "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}"
+
+# applications
+
+defaults_applications:
+
+  ## Akaunting
+  akaunting:
+    version:                      "latest"
+    company_name:                 "{{primary_domain}}"
+    company_email:                "{{users.administrator.email}}"
+    setup_admin_email:            "{{users.administrator.email}}"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   false,
+  'database': true,
+}) }}{% raw %}
+
+  ## Assets Server
+  assets_server:
+    source_directory:             "{{ playbook_dir }}/assets"               # Directory from which the assets will be copied
+    url:                          "https://{{domains.file_server}}/assets"  # Public address of the assets directory
+  ## Attendize 
+  attendize:
+    version:                      "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   false,
+  'database': true,
+}) }}{% raw %}
+
+  ## Baserow 
+  baserow:
+    version:            "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'database': true,
+}) }}{% raw %}
+
+  ## Big Blue Button
+  bigbluebutton:
+    enable_greenlight:    "true"
+    setup:                false                                             # Set to true in inventory file for initial setup
+# @todo LDAP needs to get propper implemented and tested, just set values during refactoring
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'ldap':     false,
+  'oidc':     true,
+  'database': true,
+}) }}{% raw %}
+    credentials:
+#      shared_secret:                                                       # Needs to be defined in inventory file
+#      etherpad_api_key:                                                    # Needs to be defined in inventory file                                             
+#      rails_secret:                                                        # Needs to be defined in inventory file
+#      postgresql_secret:                                                   # Needs to be defined in inventory file   
+#      fsesl_password:                                                      # Needs to be defined in inventory file
+#      turn_secret:                                                         # Needs to be defined in inventory file  
+    urls:
+      api:                        "https://{{domains.bigbluebutton}}/bigbluebutton/"  # API Address used by Nextcloud Integration
+
+  ## Bluesky
+  bluesky:
+    users:
+      administrator:
+        email:    "{{users.administrator.email}}"
+    pds:
+      version:              "latest"
+      #jwt_secret:                                                          # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n'
+      #plc_rotation_key_k256_private_key_hex:                               # Needs to be defined in inventory file - Use: openssl rand -hex 32 
+      #admin_password:                                                      # Needs to be defined in inventory file - Use: openssl rand -base64 16
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'database': true,
+}) }}{% raw %}
+
+  # Chromium Browser
+  chromium:
+    plugins:                                                                                # Plugins to be installed in Chromium
+      - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx"  # U-Block Origine Plugin
+      - "oboonakemofpalcgghocfoadofidjkkk;https://clients2.google.com/service/update2/crx"  # KeepassXC Plugin
+
+  coturn:                     # @todo implement                
+    credentials:
+      user:       turnuser
+      # password:                                                           # Need to be defined in invetory file
+      # secret:                                                             # Need to be defined in invetory file
+
+  ## Discourse:
+  discourse:
+    network:                      "discourse_default"                       # Name of the docker network
+    container:                    "discourse_application"                   # Name of the container application
+    repository:                   "discourse_repository"                    # Name of the repository folder
+    credentials:
+      database:
+#       password:                                                           # Needs to be defined in inventory file
+      master_api:
+#       key:                                                                # Needs to be defined in inventory file
+        username:                 "{{ users.administrator.username }}"      # Username for the Master API                           
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'oidc':     true,
+  'database': true,
+}) }}{% raw %}
+
+  ## File Server
+  file_server:
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+}) }}{% raw %}
+
+  # Firefox Browser
+  firefox:
+    plugins:                                                                                # Plugins to be installed in Firefox
+      - "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"      # U-Block Origine Plugin
+      - "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi"  # KeepassXC Plugin
+
+  ## Friendica
+  friendica:
+    version:                 "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'oidc':     true,
+  'database': true,
+}) }}{% raw %}
+
+  ## Funkwhale
+  funkwhale:
+    version:              "1.4.0"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'ldap':     true,
+  'database': true,
+}) }}{% raw %}
+
+  ## Gitea
+  gitea:
+    version:                          "latest"                                  # Use latest docker image 
+    configuration:
+      repository:
+        enable_push_create_user:      True                                      # Allow users to push local repositories to Gitea and have them automatically created for a user.
+        default_private:              last                                      # Default private when creating a new repository: last, private, public
+        default_push_create_private:  True                                      # Default private when creating a new repository with push-to-create.
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'database': true,
+}) }}{% raw %}
+
+  ## Gitlab
+  gitlab:
+    version:                      "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'database': true,
+}) }}{% raw %}
+
+  ## Gnome
+  gnome:
+    plugins:
+      - [enable,nasa_apod@elinvention.ovh,https://github.com/Elinvention/gnome-shell-extension-nasa-apod.git]
+      - [disable,dash-to-dock@micxgx.gmail.com,'']
+      - [enable, dash-to-panel@jderose9.github.com,'']
+
+  ## Joomla
+  joomla:
+    version:                      "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+}) }}{% raw %}
+
+  ## HTML Server
+  html_server:
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   false,
+}) }}{% raw %}
+
+  ## Keycloak
+  keycloak:
+    version:            "latest"
+    users:
+      administrator:
+        username:       "{{users.administrator.username}}"                  # Administrator Username for Keycloak
+    import_realm:       True                                                # If True realm will be imported. If false skip.
+#   database_password:                                                      # Needs to be defined in inventory file
+#   administrator_password:                                                 # Needs to be defined in inventory file
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'ldap':     true,
+  'database': true,
+}) }}{% raw %}
+
+  # LDAP Account Manager 
+  lam:
+    version:                        "latest"
+#    administrator_password:         "{{users.administrator.initial_password}}"  # CHANGE for security reasons  
+    oauth2_proxy:
+      application:                    application                                 # Needs to be the same as webinterface
+      port:                           80                                          # application port
+#     cookie_secret:                  None                                        # Set via openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'ldap':     true,
+  'database': false,
+  'oauth2':   false,
+}) }}{% raw %}
+
+  ## LDAP
+  ldap:
+    version:                        "latest"
+    network:
+      local:                        True                                        # Activates local network to allow other docker containers to connect
+      public:                       False                                       # Set to true in inventory file if you want to expose the LDAP port to the internet
+    hostname:                       "ldap"                                      # Hostname of the LDAP Server in the central_ldap network
+    webinterface:                   "lam"                                       # The webinterface which should be used. Possible: lam and phpldapadmin
+    users:  
+      administrator:
+        username:                   "{{users.administrator.username}}"          # Administrator username
+    # administrator_password:                                                   # CHANGE for security reasons in inventory file
+    # administrator_database_password:                                          # CHANGE for security reasons in inventory file
+    force_import:                   False                                       # Forces the import of the LDIF files
+{% endraw %}{{ features.render_features({
+  'ldap':     true,
+}) }}{% raw %}
+
+  ## Libre Office
+  libreoffice:
+    flavor:                       "fresh"                                       # Libre Office flavor, fresh for new, still for stable
+
+  ## Listmonk
+  listmonk:
+    users:
+      administrator:
+        username:                     "{{users.administrator.username}}"          # Listmonk administrator account username
+    public_api_activated:             False                                       # Security hole. Can be used for spaming
+    version:                          "latest"                                    # Docker Image version
+    setup:                            false                                       # Set true in inventory file to execute the setup and initializing procedures
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'database': true,
+}) }}{% raw %}
+
+  mailu:
+    version:                          "2024.06"                                   # Docker Image Version
+    setup:                            false                                       # Set true in inventory file to execute the setup and initializing procedures
+    oidc:
+      email_by_username:              true                                        # If true, then the mail is set by the username. If wrong then the OIDC user email is used
+      enable_user_creation:           true                                        # Users will be created if not existing
+    domain:                           "{{primary_domain}}"                        # The main domain from which mails will be send \ email suffix behind @
+    credentials:                                     
+#     secret_key:                                                                 # Set to a randomly generated 16 bytes string
+#     database_password:                                                          # Needs to be set in inventory file
+#     api_token:                                                                  # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API.
+#     initial_administrator_password:                                             # Initial administrator password for setup 
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   true,
+  'oidc':     true,
+  'database': false
+}) }}{% raw %}
+# Deactivate central database for mailu, I don't know why the database deactivation is necessary
+
+  ## MariaDB
+  mariadb:
+    version:                          "latest"
+
+  ## Matomo
+  matomo:
+    version:                      "latest"
+    oauth2_proxy:
+#   cookie_secret:              None                                            # Set via openssl rand -hex 16
+#   database_password:            Null                                            # Needs to be set in inventory file
+#   auth_token:                   Null                                            # Needs to be set in inventory file
+{% endraw %}{{ features.render_features({
+  'matomo':   false,
+  'css':      false,
+  'iframe':   false,
+  'database': true,
+  'oauth2':   false,
+}) }}{% raw %}
+
+  ## Mastodon
+  mastodon:
+    version:                      "latest"
+    single_user_mode:             false                                           # Set true for initial setup
+    setup:                        false                                           # Set true in inventory file to execute the setup and initializing procedures
+    credentials:
+# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
+#     database_password:                              
+#     secret_key_base:                                
+#     otp_secret:                                     
+#     vapid:
+#       private_key:                                  
+#       public_key:                                   
+#     active_record_encryption:
+#       deterministic_key:                            
+#       key_derivation_salt:                          
+#       primary_key:                                  
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   false,
+  'oidc':     true,
+  'database': true,
+}) }}{% raw %}
+
+  ## Matrix
+  matrix:
+    users:
+      administrator:
+        username:                 "{{users.administrator.username}}"              # Accountname of the matrix admin
+    playbook_tags:                "setup-all,start"                               # For the initial update use: install-all,ensure-matrix-users-created,start
+    role:                         "compose"                                       # Role to setup Matrix. Valid values: ansible, compose
+    server_name:                  "{{primary_domain}}"                            # Adress for the account names etc.
+    synapse:
+      version:                    "latest"
+    element:
+      version:                    "latest"
+    setup:                        false                                           # Set true in inventory file to execute the setup and initializing procedures
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   false,
+  'oidc':     false,
+  'database': true,
+}) }}{% raw %}
+# Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
+
+  ## Moodle
+  moodle:
+    site_titel:                   "Global Learning Academy on {{primary_domain}}"
+    users:
+      administrator:
+        username:                 "{{users.administrator.username}}"
+        email:                    "{{users.administrator.email}}"
+    version:                      "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   true,
+  'css':      true,
+  'iframe':   false,
+  'database': true,
+}) }}{% raw %}
+
+  ## MyBB
+  mybb:
+    version:            "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'database': 	true,
+}) }}{% raw %}
+
+  ## Nextcloud
+  nextcloud:
+    version:                      "production"                                      # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+    ldap:
+      enabled:                    True                                              # Enables LDAP by default
+    oidc:
+      enabled:                    "{{ applications.nextcloud.features.oidc | default(true) }}"      # Activate OIDC for Nextcloud
+      # floavor decides which OICD plugin should be used. 
+      # Available options: oidc_login, sociallogin
+      # @see https://apps.nextcloud.com/apps/oidc_login
+      # @see https://apps.nextcloud.com/apps/sociallogin
+      flavor:                     "oidc_login"                                      # Keeping on sociallogin because the other option is not implemented yet                                             
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'ldap':     	true,
+  'oidc':     	true,
+  'database': 	true,
+}) }}{% raw %}
+    credentials:
+#     database_password:          Null                                              # Needs to be set in inventory file
+    users:      
+      administrator:
+        username:                  "{{users.administrator.username}}"
+        initial_password:          "{{users.administrator.initial_password}}"       # Keep in mind to change the password fast after creation and activate 2FA
+    default_quota:                 '1000000000'                                     # Quota to assign if no quota is specified in the OIDC response (bytes)
+    legacy_login_mask:   
+      enabled:                      False                                           # If true, then legacy  login mask is shown. Otherwise just SSO
+    container:
+      application:                  "nextcloud-application"                         # Nextcloud application container name
+      proxy:                        "nextcloud-web"                                 # Nextcloud Proxy Container Name
+    performance:
+      php:
+        memory_limit:               "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit
+        upload_limit:               "5G"                                            # Set upload limit to 5GB for big media files
+        opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption
+    plugins:                                                  
+    # List for Nextcloud Plugin Routine
+    # Decides if plugins should be activated or deactivated
+      appointments:
+        # Nextcloud appointments: handles scheduling and appointment management (https://apps.nextcloud.com/apps/appointments)
+        enabled: true
+      bbb:
+        # Nextcloud BigBlueButton integration: enables video conferencing using BigBlueButton (https://apps.nextcloud.com/apps/bbb)
+        enabled: "{{ 'bigbluebutton' in group_names | lower }}"
+      #- bookmarks 
+      #  # Nextcloud Bookmarks: manage and share your bookmarks easily (https://apps.nextcloud.com/apps/bookmarks)
+      #  enabled: false
+      calendar:
+        # Nextcloud calendar: manages calendar events and scheduling (https://apps.nextcloud.com/apps/calendar)
+        enabled: true
+      cfg_share_links:
+        # Nextcloud share links configuration: customizes sharing settings and link options (https://apps.nextcloud.com/apps/cfg_share_links)
+        enabled: true
+      collectives:
+        # Nextcloud collectives: supports collaborative group management and sharing (https://apps.nextcloud.com/apps/collectives)
+        enabled: true
+      contacts:
+        # Nextcloud contacts: manages address book and contact information (https://apps.nextcloud.com/apps/contacts)
+        enabled: true
+      cospend:
+        # Nextcloud cospend: manages shared expenses and spending tracking (https://apps.nextcloud.com/apps/cospend)
+        enabled: true
+      deck:
+        # Nextcloud Deck: organizes tasks and projects using Kanban boards (https://apps.nextcloud.com/apps/deck)
+        # When Taiga is activated, this plugin is deactivated, because Taiga is the prefered application.
+        enabled: "{{ 'taiga' not in group_names | lower }}"
+      drawio:
+        # Nextcloud draw.io: integrates diagram creation and editing tools (https://apps.nextcloud.com/apps/drawio)
+        enabled: true
+      duplicatefinder:
+        # Nextcloud duplicate finder: scans and identifies duplicate files (https://apps.nextcloud.com/apps/duplicatefinder)
+        enabled: true
+      emlviewer:
+        # Nextcloud EML Viewer: previews and manages EML email files (https://apps.nextcloud.com/apps/emlviewer)
+        enabled: true
+      event_update_notification:
+        # Nextcloud event update notification: sends alerts when events are updated (https://apps.nextcloud.com/apps/event_update_notification)
+        enabled: true
+      epubviewer:
+        # Nextcloud EPUB Viewer: enables reading and previewing EPUB e-books (https://apps.nextcloud.com/apps/epubviewer)
+        enabled: true
+      external:
+        # Nextcloud External: Adds links to external services (https://apps.nextcloud.com/apps/external)
+        enabled: true 
+      #files_accesscontrol
+      #  # Nextcloud Files Access Control: restricts file access based on defined rules (https://apps.nextcloud.com/apps/files_accesscontrol)
+      #  enabled: false
+      #files_archive
+      #  # Nextcloud Files Archive: compresses and archives files for efficient storage (https://apps.nextcloud.com/apps/files_archive)
+      #  enabled: false
+      #files_automatedtagging
+      #  # Nextcloud Files Automated Tagging: automatically tags files to improve organization (https://apps.nextcloud.com/apps/files_automatedtagging)
+      #  enabled: false
+      files_bpm:
+        # Nextcloud Files BPM: integrates business process management for file workflows (https://apps.nextcloud.com/apps/files_bpm)
+        enabled: true
+      files_downloadactivity:
+        # Nextcloud Files Download Activity: tracks and logs file download events (https://apps.nextcloud.com/apps/files_downloadactivity)
+        enabled: true
+      files_linkeditor:
+        # Nextcloud files link editor: allows customization of shared file links (https://apps.nextcloud.com/apps/files_linkeditor)
+        enabled: true
+      files_mindmap:
+        # Nextcloud Files Mindmap: visualizes file relationships as mind maps (https://apps.nextcloud.com/apps/files_mindmap)
+        enabled: true
+      files_texteditor:
+        # Nextcloud Files Text Editor: provides an online editor for text files (https://apps.nextcloud.com/apps/files_texteditor)
+        # Not available for Nextcloud < 27
+        enabled: false
+      fileslibreofficeedit:
+        # Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit)
+        enabled: true
+      forms:
+        # Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms)
+        enabled: true
+      gestion:
+        # Nextcloud Gestion: manages administrative tasks and workflows (https://apps.nextcloud.com/apps/gestion)
+        enabled: true
+      groupfolders:
+        # Nextcloud Group Folders: centralizes shared folders for group collaboration (https://apps.nextcloud.com/apps/groupfolders)
+        enabled: true
+      gpxpod:
+        # Nextcloud GPX pod: visualizes GPS tracks and GPX data (https://apps.nextcloud.com/apps/gpxpod)
+        enabled: true
+      integration_discourse:
+        # Nextcloud Integration Discourse: connects Nextcloud with Discourse forums (https://apps.nextcloud.com/apps/integration_discourse)
+        enabled: false
+      integration_gitlab:
+        # Nextcloud Integration GitLab: connects Nextcloud with GitLab repositories (https://apps.nextcloud.com/apps/integration_gitlab)
+        enabled: "{{ 'gitlab' in group_names | lower }}"
+      integration_github:
+        # Nextcloud Integration GitHub: integrates GitHub repositories with Nextcloud (https://apps.nextcloud.com/apps/integration_github)
+        enabled: false
+      integration_google:
+        # Nextcloud Integration Google: connects Google services with Nextcloud (https://apps.nextcloud.com/apps/integration_google)
+        enabled: true
+      integration_mastodon:
+        # Nextcloud Integration Mastodon: connects Nextcloud with the Mastodon social network (https://apps.nextcloud.com/apps/integration_mastodon)
+        enabled: "{{ 'mastodon' in group_names | lower }}"
+      integration_openai:
+        # Nextcloud Integration OpenAI: brings OpenAI functionalities into Nextcloud (https://apps.nextcloud.com/apps/integration_openai)
+        enabled: false
+      integration_openproject:
+        # Nextcloud Integration OpenProject: integrates project management features from OpenProject (https://apps.nextcloud.com/apps/integration_openproject)
+        enabled: "{{ 'openproject' in group_names | lower }}"
+      integration_peertube:
+        # Nextcloud Integration PeerTube: connects to PeerTube for video sharing (https://apps.nextcloud.com/apps/integration_peertube)
+        enabled: "{{ 'peertube' in group_names | lower }}"
+      #keeweb 
+      #  # Nextcloud KeeWeb: integrates the KeeWeb password manager within Nextcloud (https://apps.nextcloud.com/apps/keeweb)
+      #  # This isn't maintained anymore. The alternatives don't support keepass files
+      #  enabled: false
+      keeporsweep:
+        # Nextcloud keep or sweep: helps manage and clean up files and data (https://apps.nextcloud.com/apps/keeporsweep)
+        enabled: true
+      mail:
+        # Nextcloud mail: integrated email client for managing mail accounts (https://apps.nextcloud.com/apps/mail)
+        enabled: true
+      maps:
+        # Nextcloud maps: provides mapping and location services integration (https://apps.nextcloud.com/apps/maps)
+        enabled: true
+      metadata:
+        # Nextcloud Metadata: manages and displays file metadata for enhanced organization (https://apps.nextcloud.com/apps/metadata)
+        enabled: true
+      news:
+        # Nextcloud News: aggregates and displays news feeds directly in Nextcloud (https://apps.nextcloud.com/apps/news)
+        enabled: true
+      oidc_login:
+        # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/oidc_login)
+        enabled:    "{{ _applications_nextcloud_oidc_flavor=='oidc_login' | lower }}"
+        incompatible_plugins:  
+          - user_oidc   # Will be disabled
+          - sociallogin # Will be disabled
+      phonetrack:
+        # Nextcloud phone track: tracks and monitors mobile device usage (https://apps.nextcloud.com/apps/phonetrack)
+        enabled: true
+      polls:
+        # Nextcloud polls: facilitates creation and management of user polls (https://apps.nextcloud.com/apps/polls)
+        enabled: true
+      quota_warning:
+        # Nextcloud quota warning: notifies users when storage limits are reached (https://apps.nextcloud.com/apps/quota_warning)
+        enabled: true
+      recognize:
+        # Nextcloud recognize: performs image recognition tasks (https://apps.nextcloud.com/apps/recognize)
+        enabled: false # Deactivated because it let to bugs
+      richdocuments:
+        # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments)
+        enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before
+      sociallogin:
+        # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin)
+        enabled:    "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}"
+        incompatible_plugins:  
+          - user_oidc   # Will be disabled
+          - oidc_login  # Will be disabled
+      spreed:
+        # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed)
+        enabled: false # @todo to activate it first implement docker-coturn and activate it
+      tables:
+        # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables)
+        enabled: true
+      tasks:
+        # Nextcloud tasks: manages personal or group tasks and to-do lists (https://apps.nextcloud.com/apps/tasks)
+        enabled: true
+      #terms_of_service 
+      #  # Nextcloud Terms of Service: manages user acceptance of terms and conditions (https://apps.nextcloud.com/apps/terms_of_service)
+      #  enabled: false
+      twofactor_nextcloud_notification:
+        # Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification)
+        enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
+      twofactor_totp:
+        # Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp)
+        enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
+      user_ldap:
+        # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
+        enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
+      user_oidc:
+        # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
+        enabled:    "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"
+        incompatible_plugins:  
+          - oidc_login
+          - sociallogin
+      whiteboard:
+        # Nextcloud Whiteboard: provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard)
+        enabled: true
+
+  ## OAuth2 Proxy
+  oauth2_proxy:
+    configuration_file: "oauth2-proxy-keycloak.cfg"                                                                 # Needs to be set true in the roles which use it
+    version:            "latest"                                                                                    # Docker Image version
+    redirect_url:       "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+    allowed_roles:      admin                                                                                       # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+}) }}{% raw %}
+
+  ## Open Project
+  openproject:
+    version:                    "13"                                      # Update when available. Sadly no rolling release implemented
+    oauth2_proxy:  
+      application:              "proxy"
+      port:                     "80"
+#     cookie_secret:            None                                      # Set via openssl rand -hex 16
+    ldap:
+      filters:
+        administrators:         True                                      # Set true to filter administrators
+        users:                  False                                     # Set true to filter users
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'ldap':     	true,
+  'database': 	true,
+  'oauth2':   	true,
+}) }}{% raw %}
+
+  ## Peertube
+  peertube:
+    version:                      "bookworm"
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'database': 	true,
+}) }}{% raw %}
+
+  ## PgAdmin
+  pgadmin:
+    version:                     "latest"
+    server_mode:                 False                                          # If true then the preconfigured database file is loaded. Recommended False. True is a security risk.
+    master_password_required:    True                                           # Master password is required. Recommended True. False is a security risk.
+    users:
+      administrator:
+        email:                   "{{ users.administrator.email }}"              # Initial login email address
+        password:                "{{ users.administrator.initial_password }}"   # Initial login password – should be overridden in inventory for security
+    oauth2_proxy:
+      application:                "application"
+      port:                       "80"
+#     cookie_secret:              None                                          # Set via: openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'database': 	true,
+  'oauth2':   	true,
+}) }}{% raw %}
+
+  ## phpLDAPadmin
+  phpldapadmin:
+    version:                        "2.0.0-dev"                                 # @todo Attention: Change this as fast as released to latest
+    oauth2_proxy:
+      application:                    application                               # Needs to be the same as webinterface
+      port:                           8080                                      # application port
+#     cookie_secret:                  None                                      # Set via openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'ldap':     	true,
+  'oauth2':   	true,
+}) }}{% raw %}
+
+  ## PHPMyAdmin
+  phpmyadmin:
+    version:                      "latest"                                  # Use the latest phpmyadmin version
+    autologin:                    false                                     # This is a high security risk. Just activate this option if you know what you're doing
+    oauth2_proxy:  
+      port:                       "80"
+      application:                "application"
+#     cookie_secret:              None                                      # Set via openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	false,
+  'iframe':   	false,
+  'database': 	true,
+  'oauth2':   	true,
+}) }}{% raw %}
+
+  ## Pixelfed
+  pixelfed:
+    titel:                        "Pictures on {{primary_domain}}"
+    version:                      "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'database': 	true,
+}) }}{% raw %}
+
+  ## Postgres
+  # Please set an version in your inventory file - Rolling release for postgres isn't recommended
+  postgres:
+    version:                      "latest"
+
+  portfolio:
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+}) }}{% raw %}
+
+  ## Presentation
+  presentation:
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	true,
+}) }}{% raw %}
+
+  # Snipe-IT
+  snipe_it:
+    version:                      "latest"
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'database': 	true,
+}) }}{% raw %}
+
+  ## Sphinx
+  sphinx:
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+}) }}{% raw %}
+
+  ## Taiga
+  taiga:
+    version:                      "latest"
+    oidc:
+    # Taiga doesn't have a functioning oidc support at the moment
+    # See
+    # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866
+    #
+    # Due to this reason this plutin is deactivated atm
+      flavor:                     'taigaio'                                 # Potential flavors: robrotheram, taigaio
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'oidc':     	false,
+  'database': 	true,
+}) }}{% raw %}                                                                            
+
+  ## YOURLS
+  yourls:
+    users:
+      administrator:
+        username:       "{{users.administrator.username}}"
+    version:            "latest"
+    oauth2_proxy:  
+      application:      "application"
+      port:             "80"
+      location:         "/admin/"                                           # Protects the admin area
+#     cookie_secret:    None                                                # Set via openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	true,
+  'iframe':   	false,
+  'database': 	true,
+  'oauth2':   	true,
+}) }}{% raw %}
+
+  wordpress:
+# Deactivate Global theming for wordpress role
+# due to the reason that wordpress has to much different themes
+# and one styling for all is not possible.
+#
+# May a solution could be to generate a template or css file dedicated
+# for wordpress based on the theming values and import it. 
+    title:                        "Blog"                                      # Wordpress titel
+    credentials:                                                              # Credentials
+      administrator:                                                          # Wordpress administrator
+        username:                 "{{users.administrator.username}}"          # Username of the wordpress administrator
+#       password:                                                             # Password of the wordpress administrator
+        email:                    "{{users.administrator.email}}"             # Email of the wordpress adminsitrator
+    plugins:
+      discourse:                  false
+      oidc:                       true
+{% endraw %}{{ features.render_features({
+  'matomo':   	true,
+  'css':      	false,
+  'iframe':   	false,
+  'oidc':     	true,
+  'database': 	true,
+}) }}{% raw %}

templates/vars/features.yml.j2

@@ -0,0 +1,19 @@
+{% macro render_features(options) %}
+    features:
+    {%- set feature_map = {
+        'matomo':   'Enables Matomo tracking',
+        'css':      'Enables custom CSS styling',
+        'iframe':   'Allows embedding via iframe on landing page',
+        'ldap':     'Enables LDAP integration and networking',
+        'oidc':     'Enables OpenID Connect (OIDC) authentication',
+        'oauth2':   'Enables OAuth2 proxy integration',
+        'database': 'Enables use of central database'
+    } %}
+    {%- for key, comment in feature_map.items() %}
+        {%- if key in options %}
+  
+      {{ key }}: {{ options[key] }}   # {{ comment }}
+
+        {%- endif %}
+    {%- endfor %}
+{% endmacro %}

tests/unit/test_docker_cards.py

@@ -44,7 +44,13 @@ galaxy_info:
         # Define dummy variables including group_names that contain the application_id "portfolio".
         fake_variables = {
             "domains": {"portfolio": "myportfolio.com"},
-            "applications": {"portfolio": {"landingpage_iframe_enabled": True}},
+            "applications": {
+                "portfolio": {
+                    "features": {
+                        "iframe": True
+                    }
+                }
+            },
             "group_names": ["portfolio"]
         }
         result = lookup_module.run([self.test_roles_dir], variables=fake_variables)
@@ -71,7 +77,13 @@ galaxy_info:
         # Set fake variables with group_names that do NOT include the application_id "portfolio".
         fake_variables = {
             "domains": {"portfolio": "myportfolio.com"},
-            "applications": {"portfolio": {"landingpage_iframe_enabled": True}},
+            "applications": {
+                "portfolio": {
+                    "features": {
+                        "iframe": True
+                    }
+                }
+            },
             "group_names": []  # Not including "portfolio"
         }
         result = lookup_module.run([self.test_roles_dir], variables=fake_variables)