Added database type

git-subtree-dir: client-playbook
git-subtree-mainline: e763d13570
git-subtree-split: 13f29ce5f7

.gitignore

@@ -1 +1 @@
-site.retry
+site.retry

COMMON_APPLICATIONS.md

@@ -0,0 +1,81 @@
+# Common Applications
+This section outlines the common applications tailored for both servers and end-users, offering a wide range of functionalities to enhance system performance, security, and usability.
+
+## Base Setup
+Key for initial system configuration, this section includes hostname setting, systemd journal management, locale configurations, and swapfile handling. Essential for both server and end-user setups, it ensures a solid foundation for system operations.
+
+- **[Hostname](./roles/hostname/)**: Sets the system's hostname.
+- **[Journalctl](./roles/journalctl/)**: Configures systemd journal settings.
+- **[Locales](./roles/locales/)**: Configures system locales.
+- **[System-Swapfile](./roles/system-swapfile/)**: Configures swapfile creation and management.
+
+## Administration Tools
+These tools are crucial for effective system administration, encompassing Git setup, Linux admin tools, and sudo configuration, suitable for both server environments and power users.
+
+- **[Git](./roles/git/)**: Basic Git version control system setup.
+- **[Administrator-Tools](./roles/pc-administrator-tools/)**: Installs basic Linux administration tools.
+- **[Sudo](./roles/sudo/)**: Installs and configures sudo.
+
+## Update
+This category focuses on automated updates and maintenance for the system and its components, including package managers and Docker containers, ensuring systems are up-to-date and secure.
+
+- **[update](./roles/update/)**: Automates the process of system updates.
+- **[update-apt](./roles/update-apt/)**: Updates system packages using apt (for Debian-based systems).
+- **[update-docker](./roles/update-docker/)**: Keeps Docker containers up to date.
+- **[update-pacman](./roles/update-pacman/)**: Updates system packages using Pacman (for Arch-based systems).
+- **[update-yay](./roles/update-yay/)**: Updates system packages using yay.
+
+## Driver
+Caters to a range of devices and needs for hardware driver installation and configuration, an integral part for both server hardware optimization and end-user device functionality.
+
+- **[driver-epson-multiprinter](./roles/driver-epson-multiprinter/)**: Installs drivers for Epson multi-function printers.
+- **[driver-intel](./roles/driver-intel/)**: Installs Intel drivers, typically for graphics and other hardware.
+- **[driver-msi-keyboard-color](./roles/driver-msi-keyboard-color/)**: Configures MSI keyboard color settings.
+- **[driver-non-free](./roles/driver-non-free/)**: Installs non-free drivers, generally for specific hardware needs.
+
+## Security
+Enhances system security with roles focused on security measures, user configurations, and SSH settings. It's vital for protecting both server environments and end-user systems.
+- **[System Security](./roles/system-security/)**: Enhances overall system security.
+- **[User Administrator](./roles/user-administrator/)**: Setup for system administrator user.
+- **[User Alarm](./roles/user-alarm/)**: Manages the alarm user.
+- **[PC SSH](./roles/pc-ssh/)**: Configuration of SSH for secure remote access.
+- **[SSHD](./roles/sshd/)**: Configures SSH daemon settings.
+- **[System Maintenance Lock](./roles/system-maintenance-lock)**: Locks maintenance services to prevent dangerous inteactions between services
+
+## Virtual Private Network (VPN)
+Centers on VPN configurations for secure and efficient network connectivity, particularly crucial for remote server access and end-users needing secure connections.
+- **[client-wireguard](./roles/client-wireguard/)**: Configures Wireguard VPN client.
+- **[client-wireguard-behind-firewall](./roles/client-wireguard-behind-firewall/)**: Sets up Wireguard client functionality behind a firewall.
+- **[wireguard](./roles/wireguard/)**: Installs and configures Wireguard for secure VPN connections.
+
+## Notifier
+Sets up system event notifications via email and Telegram, a versatile feature for server administrators and end-users alike to stay informed about their system's status.
+- **[Systemd-Notifier](./roles/systemd-notifier/)**: Notifier service for systemd.
+- **[Systemd-Notifier-Email](./roles/systemd-notifier-email/)**: Email notifications for systemd services.
+- **[Systemd-Notifier-Telegram](./roles/systemd-notifier-telegram/)**: Telegram notifications for systemd services.
+
+## Backup Solutions
+Focuses on comprehensive backup strategies and cleanup procedures, encompassing data backups, remote server backups, and maintenance of backup storage efficiency, crucial for data integrity in both servers and personal devices.
+
+### Backups
+For USB devices, Docker volumes, remote servers, and user configurations.
+- **[backup-data-to-usb](./roles/backup-data-to-usb/)**: Automates data backup to USB devices.
+- **[backup-docker-to-local](./roles/backup-docker-to-local/)**: Backs up Docker volumes to local storage.
+- **[backup-remote-to-local](./roles/backup-remote-to-local/)**: Pulls backups from remote servers for local storage.
+- **[backups-provider](./roles/backups-provider/)**: Manages backup processes and storage solutions.
+- **[backups-provider-user](./roles/backups-provider-user/)**: Creates and configures users for backup processes.
+
+### Backups Cleanup
+Manages disk space and cleans up old or failed backups.
+- **[cleanup-backups-service](./roles/cleanup-backups-service/)**: Service to clean up old backups automatically.
+- **[cleanup-backups-timer](./roles/cleanup-backups-timer/)**: Timer for scheduling the backup cleanup service.
+- **[cleanup-disc-space](./roles/cleanup-disc-space/)**: Manages and frees up disk space on the system.
+- **[cleanup-failed-docker-backups](./roles/cleanup-failed-docker-backups/)**: Cleans up failed Docker backups.
+
+## Other
+Encompasses miscellaneous essential tools and systems, including package management, spellchecking, and typesetting, beneficial for both server maintenance and enhancing end-user experience.
+- **[System-Aur-Helper](./roles/system-aur-helper/)**: Installs and configures AUR helper (yay).
+- **[Hunspell](./roles/hunspell/)**: Installation of Hunspell spellchecker.
+- **[Latex](./roles/pc-latex/)**: Installation of LaTeX typesetting system.
+- **[Java](./roles/java/)**: Installs Java Development Kit (JDK).
+- **[Python Pip](./roles/python-pip/)**: Installation of Python Pip package manager.

END_USER_APPLICATIONS.md

@@ -0,0 +1,46 @@
+# End User Applications
+End User Applications provide a diverse suite of tools and software designed to enhance the computing experience for personal computer users, including those using desktops and laptops. These applications cover various aspects such as multimedia, productivity, virtualization, and more, catering to the everyday needs of end users.
+
+## Common Applications
+In addition to the specialized software found in this document, the [COMMON_APPLICATIONS.md](./COMMON_APPLICATIONS.md) offers a comprehensive range of functionalities that cater to both server and end-user needs. This section enhances system performance, security, and usability with a variety of tools and configurations suitable for diverse computing environments.
+
+## Desktop
+This category focuses on tools and configurations that enhance the desktop computing experience. It includes utilities to maintain system activity, and software for optimizing the desktop environment, ensuring a seamless and user-friendly interface for day-to-day computer usage.
+- **[Caffeine](./roles/pc-caffeine/)**: Utility to keep your computer awake.
+- **[Gnome](./roles/pc-gnome/)**: Installation and configuration of Gnome desktop environment.
+
+## Entertainment
+Geared towards leisure and entertainment, this section includes software for playing Blu-ray media, accessing a vast collection of music, and installing various computer games. It's designed to enrich your personal computing experience with multimedia enjoyment and gaming.
+- **[Bluray Player Tools](./roles/pc-bluray-player-tools/)**: Software for playing Blu-ray media on personal computers.
+- **[Spotify](./roles/pc-spotify/)**: Installation of Spotify for music streaming.
+- **[Games](./roles/pc-games/)**: Installation of various computer games.
+
+## Office
+This segment caters to professional productivity needs. It encompasses a range of office-related software, from comprehensive office suites and video conferencing tools to cloud storage solutions, facilitating efficient and organized work in various office environments.
+- **[LibreOffice](./roles/pc-libreoffice/)**: Installation of the LibreOffice suite.
+- **[Office](./roles/pc-office/)**: Various office productivity tools.
+- **[Video Conference](./roles/pc-video-conference/)**: Video conferencing software setup.
+- **[Nextcloud Client](./roles/pc-nextcloud/)**: Client setup for Nextcloud cloud storage service.
+- **[GnuCash](./roles/pc-gnucash/)**: Software to manage finances
+- **[Jrnl](./roles/pc-jrnl/)**: CLI Journaling 
+
+## Anonymization
+Focusing on privacy and security, the Anonymization section offers tools for secure file sharing and anonymous web browsing. It includes software solutions that prioritize user privacy, ensuring secure online activities and data protection.
+- **[Qbittorrent](./roles/pc-qbittorrent/)**: Installation of qBittorrent for file sharing.
+- **[Torbrowser](./roles/pc-torbrowser/)**: Installation of Tor Browser for anonymous browsing.
+
+## Content Creation
+Dedicated to creatives and content producers, this category provides tools essential for video streaming, recording, graphic design, and 3D modeling. It's tailored for those involved in digital content creation, offering the necessary software to bring creative projects to life.
+- **[Streaming Tools](./roles/pc-streaming-tools/)**: Software for video streaming and recording.
+- **[Designer Tools](./roles/pc-designer-tools/)**: Graphic design and 3D modeling software.
+
+## Development Environment
+Targets software developers with tools and environments for various programming languages and development needs.
+- **[Developer Tools](./roles/pc-developer-tools/)**: Basic developer tools setup.
+- **[Developer Tools for Arduino](./roles/pc-developer-tools-arduino/)**: Setup for Arduino development.
+- **[Developer Tools for Bash](./roles/pc-developer-tools-bash/)**: Tools for Bash scripting.
+- **[Developer Tools for Java](./roles/pc-developer-tools-java/)**: Java development environment setup.
+- **[Developer Tools for PHP](./roles/pc-developer-tools-php/)**: PHP development environment setup.
+- **[Developer Tools for Python](./roles/pc-developer-tools-python/)**: Python development environment setup.
+- **[Virtual Box](./roles/pc-virtual-box/)**: VirtualBox setup for creating virtual machines.
+- **[Network Analyze Tools](./roles/pc-network-analyze-tools/)**: Network analysis and troubleshooting utilities.

LICENSE.md

@@ -0,0 +1,27 @@
+# License Agreement
+
+## Definitions
+- **"Software":** Refers to *"[CyMaIS - Cyber Master Infrastructure Solution](https://cymais.cloud/)"* and its associated source code.
+- **"Commercial Use":** Any use of the Software intended for direct or indirect financial gain, including but not limited to sales, rentals, or provision of services.
+
+## Provisions
+
+1. **Attribution of the Original Licensor:** In any distribution or publication of the Software or derivative works, the original licensor, *Kevin Veen-Birkenbach, Email: [license@veen.world](mailto:license@veen.world), Website: [https://www.veen.world/](https://www.veen.world/)* must be explicitly named.
+
+2. **Restrictions on Commercial Use and Profit Sharing:**
+   - The Software may not be used commercially without an express license from Kevin Veen-Birkenbach.
+   - All profits and revenues generated directly or indirectly from the use or distribution of the Software are owed 100% to Kevin Veen-Birkenbach unless a separate licensing agreement is made.
+   - Any commercial exploitation without a corresponding licensing agreement with Kevin Veen-Birkenbach is prohibited.
+
+3. **Service Limitations:** Services that use or are based on the Software may only be offered or performed with a license from Kevin Veen-Birkenbach.
+
+4. **Process for Licensing Inquiries:** For inquiries regarding a commercial use or service license, please contact Kevin Veen-Birkenbach at the above-mentioned email address.
+
+5. **Consequences of Non-Compliance:** Non-compliance with these license terms may result in legal action, including but not limited to injunctions and claims for damages.
+
+6. **Subsidiary Application of AGPLv3 Terms:** This license agreement constitutes the primary and specific conditions for the use of *"[CyMaIS - Cyber Master Infrastructure Solution](https://cymais.cloud/)"*. In cases where this license agreement does not expressly address certain legal aspects, the terms of the GNU Affero General Public License, Version 3, dated November 19, 2007, shall be applied as secondary, supplementary regulations. This means that the AGPLv3 will only apply in areas not specifically covered by this license, ensuring that all legal aspects are comprehensively regulated. The full text of the AGPLv3 is available at [https://www.gnu.org/licenses/agpl-3.0.de.html](https://www.gnu.org/licenses/agpl-3.0.de.html).
+
+7. **Disclaimer:** Use of the Software is at your own risk. The Licensor assumes no liability for any damages that may arise from the use of the Software.
+
+## Consent
+By using, modifying, or distributing the Software, you agree to these terms.

README.md

@@ -1,33 +1,80 @@
-# Server-Manager
-## Description
-Ansible script to manage servers.
+# CyMaIS - Cyber Master Infrastructure Solution
 
-## roles
-The system use the following role namings:
+<img src="https://cybermaster.space/wp-content/uploads/sites/7/2023/12/logo_cymais.png" width="300" style="float: right; margin-left: 10px;">
 
-| role prefix | meaning|
-|---|---|
-|system-|general system roles which apply basic configurations|
-|native-|applications which run native on the system|
-|docker-|applications which run on docker containers on the system|
+Welcome to CyMaIS (Cyber Master Infrastructure Solution), a transformative tool designed to redefine IT infrastructure setup for organizations and individuals alike. 
 
-## Update
-Follow the best [practices for inventories](https://docs.ansible.com/ansible/2.3/playbooks_best_practices.html) and execute ansible via:
+At its core, CyMaIS leverages the power of Docker, Linux, and Ansible to offer a streamlined, automated solution for deploying and managing IT systems. 
 
-``bash
-ansible-playbook -i ~/your-inventories/inventorie/hosts site.yml
-``
+Whether you're a small startup, a growing enterprise, or an individual seeking efficient IT management, CyMaIS provides a comprehensive suite of tools that cater to a wide range of needs. From simple system setups to complex server configurations and end-user PC management, CyMaIS simplifies the entire process. 
 
-## Debug
-### Cleanup docker
-``bash
-docker stop $(docker ps -aq); docker rm $(docker ps -aq); docker volume rm $(docker volume ls -q);
-``
+Our intuitive interface, coupled with in-depth documentation, makes it accessible to both tech-savvy users and those with limited IT experience. 
 
-## todo
-- Use docker-compose.yml files instead of the ansible inbuild docker-compose for more flexibility
-- Implement https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
-- Refactor https://stackoverflow.com/questions/44784103/where-should-i-put-docker-compose-yml
+With CyMaIS, setting up a secure, scalable, and robust IT infrastructure is not just faster and easier, but also aligned with the best industry practices, ensuring that your organization stays ahead in the ever-evolving digital landscape.
 
-## see
-- https://wiki.archlinux.org/index.php/Ansible
+## Vision
+Our project is anchored in the vision of transforming IT infrastructure deployment into a seamless, secure, and scalable experience. 
+
+We are committed to developing a fully automated solution that enables businesses of any size and industry to set up a 100% secure and infinitely scalable IT infrastructure in just 24 hours. 
+
+Leveraging the power of Open Source, our tool not only promises to uphold the highest standards of security and adaptability but also embodies a commitment to transparency and community-driven innovation. 
+
+This is not just a step towards simplifying IT management – it's a leap towards democratizing access to advanced technology, ensuring every business can quickly adapt and thrive in the digital age.
+
+For a deeper understanding of our goals and the ethos driving our project, we invite you to explore our detailed **[Vision Statement](./VISION_STATEMENT.md)**. Here, you'll find the cornerstone principles that guide our development process and our commitment to making a lasting impact in the realm of IT infrastructure.
+
+## Solutions Overview
+
+To help you navigate through our repository, we have categorized our extensive range of tools and solutions into three key areas:
+
+1. **[Server Applications](./SERVER_APPLICATIONS.md)**: Detailed information on server-focused tools and configurations, ideal for managing and optimizing server environments.
+   
+2. **[End User Applications](./END_USER_APPLICATIONS.md)**: A guide to applications and tools specifically designed for end-user PCs, enhancing personal computing experience.
+   
+3. **[Common Applications](./COMMON_APPLICATIONS.md)**: A comprehensive list of tools and applications that are versatile and useful across both server and end-user environments.
+
+Each of these documents provides a tailored overview, ensuring you can find the right tools and information relevant to your specific needs, whether for server management, personal computing, or general IT infrastructure.
+
+## Key Benefits of CyMaIS for Your Business
+
+**CyMaIS - Cyber Master Infrastructure Solution** revolutionizes IT infrastructure management, making it simpler, safer, and more adaptable for businesses of all sizes. Here's how it can benefit your organization:
+
+1. **Effortless Setup and Management**: CyMaIS makes setting up and managing IT systems a breeze. Whether you're using Linux servers or personal computers, our tool automates the process, saving you time and effort.
+
+2. **Everything You Need in One Place**: From the basics of system setup to advanced features like VPN and Docker, CyMaIS provides a complete range of tools. It's like having an IT expert at your fingertips, offering solutions for every need.
+
+3. **Tailored to Your Business**: We understand that every business is unique. That's why CyMaIS is designed to be flexible, with customizable options to fit your specific requirements, whether you're a start-up, a growing business, or an established enterprise.
+
+4. **Stay Ahead with Proactive Monitoring**: Our tool doesn't just set up your IT infrastructure; it keeps it running smoothly. With automated updates and proactive monitoring, you can rest assured that your systems are always up-to-date and performing optimally.
+
+5. **Uncompromised Security and Reliability**: Protecting your data is our top priority. CyMaIS comes with robust security features and comprehensive backup solutions, giving you peace of mind that your business's sensitive information is safe and secure.
+
+6. **User-Friendly with Expert Support**: While familiarity with Docker, Linux, and Ansible enhances your experience with CyMaIS, it's not a requirement. Our comprehensive roles for servers and end-user PCs simplify the setup process. With these intuitive tools and our detailed guides, managing your IT infrastructure becomes more accessible, even if you're not a seasoned IT professional. Plus, our support team is always ready to assist you, bridging any knowledge gaps and ensuring a smooth operation of your systems.
+
+7. **Open Source Trust and Transparency**: With CyMaIS, you benefit from the reliability and security of open-source software. Our tool is transparent, community-driven, and aligned with the highest standards of software ethics and security.
+
+CyMaIS is more than just an IT solution; it's a commitment to empowering your business with the technology it needs to thrive in today’s digital landscape, effortlessly and securely.
+
+## Professional CyMaIS Implementation
+<img src="https://cybermaster.space/wp-content/uploads/sites/7/2023/11/FVG_8364BW-scaled.jpg" width="300" style="float: right; margin-left: 30px;">
+
+My name is Kevin Veen-Birkenbach and I'm glad to assist you in the implementation of your secure and scalable IT infrastrucutre solution with CyMaIS.
+
+My expertise in server administration, digital corporate infrastructure, custom software, and information security, all underpinned by a commitment to Open Source solutions, guarantees that your IT setup meets the highest industry standards.
+
+Discover how CyMaIS can transform your IT landscape. 
+
+Contact me for more details:
+
+🌍 Website: [www.CyberMaster.Space](https://cybermaster.space)<br />
+📧 Email: [kevin@veen.world](mailto:kevin@veen.world)<br />
+☎️ Phone: [+ 49 178 179 80 23](tel:00491781798023)
+
+## Showcases
+The following list showcases the extensive range of solutions that CyMaIS incorporates, each playing a vital role in providing a comprehensive, efficient, and secure IT infrastructure setup:
+
+[ELK Stack](./roles/docker-elk), [Intel Driver](./roles/driver-intel), [Nginx Docker Reverse Proxy](./roles/nginx-docker-reverse-proxy), [Sudo](./roles/sudo), [Funkwhale](./roles/docker-funkwhale), [MSI Keyboard Color Driver](./roles/driver-msi-keyboard-color), [Nginx Domain Redirect](./roles/nginx-domain-redirect), [GnuCash](./roles/pc-gnucash), [Backup Data to USB](./roles/backup-data-to-usb), [Gitea](./roles/docker-gitea), [Non-Free Driver](./roles/driver-non-free), [Nginx Homepage](./roles/nginx-homepage), [Jrnl](./roles/pc-jrnl), [Systemd Notifier](./roles/systemd-notifier), [Backup Docker to Local](./roles/backup-docker-to-local), [Jenkins](./roles/docker-jenkins), [Git](./roles/git), [Nginx HTTPS](./roles/nginx-https), [Latex](./roles/pc-latex), [Email Notifier](./roles/systemd-notifier-email), [Remote to Local Backup Solution](./roles/backup-remote-to-local), [Joomla](./roles/docker-joomla), [Heal Defect Docker Installations](./roles/heal-docker), [Nginx Matomo Tracking](./roles/nginx-matomo-tracking), [LibreOffice](./roles/pc-libreoffice), [Telegram Notifier](./roles/systemd-notifier-telegram), [Listmonk](./roles/docker-listmonk), [Btrfs Health Check](./roles/health-btrfs), [Nginx WWW Redirect](./roles/nginx-www-redirect), [Network Analyze Tools](./roles/pc-network-analyze-tools), [System Security](./roles/system-security), [Mailu](./roles/docker-mailu), [Disc Space Health Check](./roles/health-disc-space), [Administrator Tools](./roles/pc-administrator-tools), [Nextcloud Client](./roles/pc-nextcloud), [Swapfile Setup](./roles/system-swapfile), [Backups Cleanup](./roles/cleanup-backups-service), [Mastodon](./roles/docker-mastodon), [Docker Container Health Checker](./roles/health-docker-container), [Blu-ray Player Tools](./roles/pc-bluray-player-tools), [Office](./roles/pc-office), [Update Solutions](./roles/update), [Matomo](./roles/docker-matomo), [Docker Volumes Health Checker](./roles/health-docker-volumes), [Caffeine](./roles/pc-caffeine), [Qbittorrent](./roles/pc-qbittorrent), [Update Apt](./roles/update-apt), [Disc Space Cleanup](./roles/cleanup-disc-space), [Matrix](./roles/docker-matrix), [Health Journalctl](./roles/health-journalctl), [Designer Tools](./roles/pc-designer-tools), [Security Tools](./roles/pc-security-tools), [Update Docker](./roles/update-docker), [Failed Docker Backups Cleanup](./roles/cleanup-failed-docker-backups), [MediaWiki](./roles/docker-mediawiki), [Nginx Health Checker](./roles/health-nginx), [Developer Tools](./roles/pc-developer-tools), [Spotify](./roles/pc-spotify), [Update Pacman](./roles/update-pacman), [Client Wireguard](./roles/client-wireguard), [MyBB](./roles/docker-mybb), [Developer Tools for Arduino](./roles/pc-developer-tools-arduino), [SSH](./roles/pc-ssh), [Update Yay](./roles/update-yay), [Client Setup for Wireguard Behind Firewall](./roles/client-wireguard-behind-firewall), [Nextcloud Server](./roles/docker-nextcloud), [Hunspell](./roles/hunspell), [Developer Tools for Bash](./roles/pc-developer-tools-bash), [Streaming Tools](./roles/pc-streaming-tools), [Administrator](./roles/user-administrator), [Docker](./roles/docker), [Peertube](./roles/docker-peertube), [Java](./roles/java), [Developer Tools for Java](./roles/pc-developer-tools-java), [Tor Browser](./roles/pc-torbrowser), [Video Conference](./roles/pc-video-conference), [Wireguard](./roles/wireguard), [Akaunting](./roles/docker-akaunting), [Pixelfed](./roles/docker-pixelfed), [Journalctl](./roles/journalctl), [Developer Tools for PHP](./roles/pc-developer-tools-php), [Virtual Box](./roles/pc-virtual-box), [Postfix](./roles/postfix), [Attendize](./roles/docker-attendize), [Wordpress](./roles/docker-wordpress), [Locales](./roles/locales), [Docker for End Users](./roles/pc-docker), [Games](./roles/pc-games), [Python Pip](./roles/python-pip), [Discourse](./roles/docker-discourse), [Epson Multiprinter Driver](./roles/driver-epson-multiprinter), [Nginx Certbot](./roles/nginx-certbot), [Git](./roles/pc-git), [SSHD](./roles/sshd), [YOURLS](./roles/docker-yourls), [BigBlueButton](./roles/docker-bigbluebutton),[System Maintenance Lock](./roles/system-maintenance-lock),[Open Project](./roles/docker-openproject)...
+
+## License
+
+This project is licensed from Kevin Veen-Birkenbach. The full license is available in the [LICENSE.md](./LICENSE.md) of this repository. 

SERVER_APPLICATIONS.md

@@ -0,0 +1,95 @@
+# Server Applications
+Server applications encompass a wide array of functionalities designed to enhance the performance, reliability, and usability of server infrastructures. These applications are essential for maintaining server health, managing web services, facilitating containerization, and providing various tools for specific server needs.
+
+## Common Applications
+For a detailed overview of the broad spectrum of server applications, including base setup, administration tools, update mechanisms, driver installations, security enhancements, VPN configurations, notifier services, backup solutions, and other essential tools and systems, please refer to the **[COMMON_APPLICATIONS.md](./COMMON_APPLICATIONS.md)**. This document provides insights into categories and specific roles catered to both server and end-user environments, ensuring comprehensive server management and optimization.
+
+## Server Health
+Addresses server maintenance and health monitoring, ensuring optimal performance and reliability of the server infrastructure.
+- **[Health Btrfs](./roles/health-btrfs/)**: Monitors the health of Btrfs filesystems.
+- **[Health Disc Space](./roles/health-disc-space/)**: Checks for available disk space.
+- **[Health Docker Container](./roles/health-docker-container/)**: Monitors the health of Docker containers.
+- **[Health Docker Volumes](./roles/health-docker-volumes/)**: Checks the status of Docker volumes.
+- **[Health Journalctl](./roles/health-journalctl/)**: Monitors and manages the system journal.
+- **[Health Nginx](./roles/health-nginx/)**: Ensures the Nginx server is running smoothly.
+- **[Heal Docker](./roles/heal-docker/)**: Automated healing and maintenance tasks for Docker.
+
+## Webserver
+Focuses on web server roles and applications, covering SSL certificates, Nginx configurations, reverse proxies, and email services.
+- **[Letsencrypt](./roles/letsencrypt/)**: Configures Let's Encrypt for SSL certificates.
+- **[Nginx](./roles/nginx/)**: Installs and configures Nginx web server.
+- **[Nginx-Docker-Reverse-Proxy](./roles/nginx-docker-reverse-proxy/)**: Sets up a reverse proxy for Docker containers.
+- **[Nginx-Homepage](./roles/nginx-homepage/)**: Configures a homepage for Nginx.
+- **[Nginx-Https](./roles/nginx-https/)**: Enables HTTPS configuration for Nginx.
+- **[Nginx-Matomo-Tracking](./roles/nginx-matomo-tracking/)**: Integrates Matomo tracking with Nginx.
+- **[Nginx-Domain-Redirect](./roles/nginx-domain-redirect/)**: Manages URL redirects in Nginx.
+- **[Nginx-WWW-Redirect](./roles/nginx-www-redirect/)**: Redirects all domains with the prefix www. from www.domain.tld to domain.tld
+- **[Nginx-Certbot](./roles/nginx-certbot/)**: Integrates Certbot with Nginx for SSL certificates.
+- **[Postfix](./roles/postfix/)**: Setup for the Postfix mail transfer agent.
+
+## Docker and Containerization
+Dedicated to Docker container setups and application management, offering a wide array of software deployment options.
+- **[Docker](./roles/docker/)**: Basic Docker and Docker Compose setup.
+
+### Finance and Project Management
+Facilitating the deployment of finance-related and project management applications.
+- **[Docker Akaunting](./roles/docker-akaunting/)**: Deployment of the Akaunting finance software.
+- **[Open Project](./roles/docker-openproject)**: Project Management Software
+
+### Continues Integration and Continues Delivery 
+Setups for development platforms and version control systems.
+- **[Gitea](./roles/docker-gitea/)**: Setup for the Gitea git server.
+- **[Jenkins](./roles/docker-jenkins/)**: Jenkins automation server setup.
+- **[ELK](./roles/docker-elk/)**: Elasticsearch, Logstash, and Kibana (ELK) stack setup.
+
+### Content Management
+Deployment of various content management systems for web platforms.
+- **[Wordpress](./roles/docker-wordpress/)**: Wordpress blog and website platform setup.
+- **[Joomla](./roles/docker-joomla/)**: Joomla content management system setup.
+
+### Fediverse Networks
+Implementing federated and decentralized social platforms.
+- **[Funkwhale](./roles/docker-funkwhale/)**: Deployment of Funkwhale, a federated music streaming server.
+- **[Mastodon](./roles/docker-mastodon/)**: Deployment of the Mastodon social network server.
+- **[Peertube](./roles/docker-peertube/)**: Deployment of the PeerTube video platform.
+- **[Pixelfed](./roles/docker-pixelfed/)**: Pixelfed, a federated image sharing platform, setup.
+
+### Analytics Solutions
+Tools for web and data analytics.
+- **[Matomo](./roles/docker-matomo/)**: Setup for Matomo, an open-source analytics platform.
+
+### Forum Software
+Deployments for community-driven forum platforms.
+- **[MyBB](./roles/docker-mybb/)**: Setup for MyBB forum software.
+- **[Discourse](./roles/docker-discourse/)**: Setup of Discouse a forum and community platform. 
+
+### Wiki and Documentation
+Setting up platforms for collaborative information sharing.
+- **[MediaWiki](./roles/docker-mediawiki/)**: MediaWiki setup for creating wikis.
+
+### Event and Shop Management
+Tools for managing events and online retail.
+- **[Attendize](./roles/docker-attendize/)**: Setup for the Attendize event management tool.
+
+### Data and Cloud Storage
+Solutions for data management and cloud-based storage.
+- **[Baserow](./roles/docker-baserow/)**: Deployment of Baserow, an open-source no-code database tool.
+- **[Nextcloud](./roles/docker-nextcloud/)**: Cloud storage solution setup.
+
+### Communication and Collaboration
+Platffor enhancing communication and collaborative efforts.
+- **[BigBlueButton](./roles/docker-bigbluebutton/)**: Setup for the BigBlueButton video conferencing tool.
+- **[Mailu](./roles/docker-mailu/)**: Complete mail server solution.
+- **[Matrix](./roles/docker-matrix/)**: Setup and deployment of the Matrix server for secure, decentralized communication.
+
+### Marketing and Communication Tools
+Focusing on tools that assist in communication, marketing, and outreach efforts.
+- **[Listmonk](./roles/docker-listmonk/)**: Setup for Listmonk, a self-hosted newsletter and mailing list manager.
+
+### Web Utilities and Services
+Encompassing tools that enhance web functionality or provide essential web services.
+- **[YOURLS](./roles/docker-yourls/)**: Setup for YOURLS, a URL shortening service.
+
+### Miscellaneous
+Diverse tools for specific needs and utilities.
+- **[Roulette Wheel](./roles/docker-roulette-wheel/)**: Setup for a custom roulette wheel application.

VISION_STATEMENT.md

@@ -0,0 +1,17 @@
+# Vision Statement
+
+At the heart of our endeavor lies the creation of an unparalleled tool, designed to revolutionize the way IT infrastructure is deployed and managed in businesses of all scales and across various industries. Our vision is to develop a fully automated solution capable of establishing a 100% secure and infinitely scalable corporate IT infrastructure.
+
+This tool, grounded firmly in Open Source principles, will not only champion transparency and innovation but also ensure adaptability and accessibility for every business, regardless of its size or industry. We aim to make the complex process of IT setup not just simpler but also faster – achieving full deployment within an audacious timeframe of 24 hours.
+
+We envision a future where businesses are no longer constrained by the complexities of IT infrastructure setup. Instead, they will be empowered with a tool that seamlessly integrates into their operational fabric, offering a robust, secure, and scalable digital backbone. This tool will not only cater to the immediate IT needs of a company but also be agile enough to evolve with their growing demands and the ever-changing technological landscape.
+
+Our commitment is to break down barriers to advanced IT infrastructure, democratizing access to high-level technology solutions. By harnessing the power of Open Source, our solution will not only uphold the highest standards of security and scalability but also foster a community-driven approach to continuous improvement and innovation.
+
+In essence, our vision is to redefine the paradigm of IT infrastructure deployment, making it a swift, secure, and scalable journey for every business, and setting a new benchmark in the industry for efficiency and reliability.
+
+---
+
+Kevin Veen-Birkenbach  
+Berlin  
+2023-12-13

constructor.yml

@@ -0,0 +1,60 @@
+---
+
+- name: update device
+  hosts:  all
+  become: true
+  roles:
+    - role: update
+      when: execute_updates | bool
+
+- name: setup standard wireguard
+  hosts: wireguard_server
+  become: true
+  roles:
+    - wireguard
+
+# vpn setup
+- name: setup wireguard client behind firewall\nat
+  hosts: wireguard_behind_firewall
+  become: true
+  roles:
+    - client-wireguard-behind-firewall
+
+- name: setup wireguard client
+  hosts: wireguard_client
+  become: true
+  roles:
+    - client-wireguard
+
+## backup setup
+- name: setup replica backup hosts
+  hosts: replica_backup
+  become: true
+  roles:
+    - role: backup-remote-to-local
+
+- name: setup backup to swappable
+  hosts: backup_to_usb
+  become: true
+  roles:
+    - backup-data-to-usb
+
+## driver setup
+- name: driver-intel
+  hosts: intel
+  become: true
+  roles:
+    - driver-intel
+
+- name: setup multiprinter hosts
+  hosts: epson_multiprinter
+  become: true
+  roles:
+    - driver-epson-multiprinter
+
+## system setup 
+- name: setup swapfile hosts
+  hosts: swapfile
+  become: false
+  roles:
+    - system-swapfile

end_users.yml

@@ -0,0 +1,105 @@
+---
+
+- import_playbook: playbook-common.yml
+
+## pc applications
+- name: general host setup
+  hosts: personal_computers
+  become: true
+  roles:
+    - pc-administrator-tools
+    - driver-non-free
+
+- name: pc-office
+  hosts: collection_officetools
+  become: true
+  roles:
+    - pc-office
+    - pc-jrnl
+
+- name: personal computer for business
+  hosts: business_personal_computer
+  become: true
+  roles:
+    - pc-gnucash
+
+- name: pc-designer-tools
+  hosts: collection_designer
+  become: true
+  roles:
+    - pc-designer-tools
+
+- name: pc-qbittorrent
+  hosts: collection_torrent
+  become: true
+  roles:
+    - pc-qbittorrent
+
+- name: pc-streaming-tools
+  hosts: collection_streamer
+  become: true
+  roles:
+    - pc-streaming-tools
+
+- name: pc-bluray-player-tools
+  hosts: collection_bluray_player
+  become: true
+  roles:
+    - pc-bluray-player-tools
+
+- name: pc-latex
+  hosts: latex
+  become: true
+  roles:
+    - pc-latex
+
+- name: GNOME setup
+  hosts: gnome
+  become: true
+  roles:
+    - pc-gnome
+
+- name: setup ssh client
+  hosts: ssh
+  become: false
+  roles:
+    - pc-ssh
+
+- name: setup gaming hosts
+  hosts: gaming
+  become: true
+  roles:
+    - pc-games
+
+- name: setup entertainment hosts
+  hosts: entertainment
+  become: true
+  roles:
+    - pc-spotify
+
+- name: setup torbrowser hosts
+  hosts: torbrowser
+  become: true
+  roles:
+    - pc-torbrowser
+
+- name: setup nextcloud
+  hosts: nextcloud_client
+  become: true
+  roles:
+    - pc-nextcloud
+
+- name: setup docker
+  hosts: docker
+  become: true
+  roles:
+    - pc-docker
+
+# driver 
+- name: setup msi rgb keyboard
+  hosts: msi_perkeyrgb
+  become: true
+  roles:
+    - driver-msi-keyboard-color
+
+- import_playbook: destructor.yml

group_vars/all

@@ -0,0 +1,173 @@
+# General
+setup:                false       # Pass CLI commands to execute the setup tasks for the different roles
+verbose:              false       # Prints well formated debug information
+top_domain:           "localhost" # Change this in inventory to your domain
+ip4_address:          "127.0.0.1" # Change thie in inventory to the ip address of your server
+backups_folder_path:  "/Backups/" # Path to the backups folder
+
+# Server Tact Variables 
+
+## Ours in which the server is 100% working. Rest of the time is reserved for maintanance
+hours_server_awake: "0..1,9..23"
+
+## Random delay for systemd timers to avoid peak loads.
+randomized_delay_sec:                         "5min" 
+
+## Schedule for Health Checks
+on_calendar_health_btrfs:                     "*-*-* 00:00:00"                        # Check once per day the btrfs for errors
+on_calendar_health_journalctl:                "*-*-* 00:00:00"                        # Check once per day the journalctl for errors
+on_calendar_health_disc_space:                "*-*-* 06,12,18,00:00:00"               # Check four times per day if there is sufficient disc space 
+on_calendar_health_docker_container:          "*-*-* {{ hours_server_awake }}:00:00"  # Check once per hour if the docker containers are healthy
+on_calendar_health_docker_volumes:            "*-*-* {{ hours_server_awake }}:15:00"  # Check once per hour if the docker volumes are healthy
+on_calendar_health_nginx:                     "*-*-* {{ hours_server_awake }}:45:00"  # Check once per hour if all webservices are available
+
+## Schedule for Cleanup Tasks
+on_calendar_cleanup_backups:                  "*-*-* 00,06,12,18:30:00"               # Cleanup backups every 6 hours, MUST be called before disc space cleanup
+on_calendar_cleanup_disc_space:               "*-*-* 07,13,19,01:30:00"               # Cleanup disc space every 6 hours
+
+## Schedule for Backup Tasks
+on_calendar_backup_docker_to_local:           "*-*-* 03:30:00"
+on_calendar_backup_remote_to_local:           "*-*-* 21:30:00"
+
+## Schedule for Maintenance Tasks
+on_calendar_heal_docker:                      "*-*-* {{ hours_server_awake }}:30:00"  # Heal unhealthy docker instances once per hour
+on_calendar_renew_lets_encrypt_certificates:  "*-*-* 12,00:30:00"                     # Renew Mailu certificates twice per day
+on_calendar_deploy_mailu_certificates:        "*-*-* 13,01:30:00"                     # Deploy Mailu certificates twice per day
+on_calendar_msi_keyboard_color:               "*-*-* *:*:00"                          # Change the keyboard color every minute
+on_calendar_cleanup_failed_docker:            "*-*-* 12:00:00"                        # Clean up failed docker backups every noon
+
+
+# Storage Space-Related Configurations          
+size_percent_maximum_backup:                  75  # Maximum storage space in percent for backups
+size_percent_disc_space_warning:              85  # Warning threshold in percent for free disk space
+size_percent_cleanup_disc_space:              90  # Threshold for triggering cleanup actions
+
+
+# Path Variables for Key Directories and Scripts
+path_administrator_home:        "/home/administrator/"
+path_administrator_scripts:     "{{path_administrator_home}}scripts/"
+path_docker_volumes:            "{{path_administrator_home}}volumes/docker/"
+path_docker_compose_instances:  "{{path_administrator_home}}docker-compose/"
+path_system_lock_script:        "{{path_administrator_scripts}}system-maintenance-lock.py"
+
+
+# Runtime Variables for Process Control
+activate_all_timers:          false   # Activates all timers, independend if the handlers had been triggered
+nginx_matomo_tracking:        false   # Activates matomo tracking on all html pages
+execute_updates:              true    # Executes updates
+force_backup_before_update:   true    # Activates the backup before the update procedure
+
+
+# System maintenance Services
+
+## Timeouts to wait for other services to stop
+sytem_maintenance_lock_timeoutcleanup_services:  "15min"
+sytem_maintenance_lock_timeoutbackup_services:   "1h"
+sytem_maintenance_lock_timeoutheal_docker:       "30min"
+sytem_maintenance_lock_timeoutupdate_docker:     "2min"
+
+## Services
+
+### Defined Services for Backup Tasks
+system_maintenance_backup_services:
+  - "backup-docker-to-local"
+  - "backup-remote-to-local"
+  - "backup-data-to-usb"
+  - "backup-docker-to-local-everything"
+
+### Defined Services for System Cleanup
+system_maintenance_cleanup_services:
+  - "cleanup-backups"
+  - "cleanup-disc-space"
+  - "cleanup-failed-docker-backups"
+
+### Services that Manipulate the System
+system_maintenance_manipulation_services:
+  - "heal-docker"
+  - "update-docker"
+  
+## Total System Maintenance Services
+system_maintenance_services: "{{ system_maintenance_backup_services + system_maintenance_cleanup_services + system_maintenance_manipulation_services }}"
+
+### Define Variables for Docker Volume Health services
+whitelisted_anonymous_docker_volumes: []
+
+# Webserver Configuration
+
+## Nginx-Specific Path Configurations
+nginx_configuration_directory:  "/etc/nginx/conf.d/"                            # General configuration dir
+nginx_servers_directory:        "{{nginx_configuration_directory}}servers/"     # Contains server blogs
+nginx_maps_directory:           "{{nginx_configuration_directory}}maps/"        # Contains mappins
+nginx_upstreams_directory:      "{{nginx_configuration_directory}}upstreams/"   # Contains upstream configurations
+
+## Docker Applications
+
+### Enable Central MariaDB
+enable_central_database: true
+
+### Domain Names for Various Services
+domain_akaunting:               "akaunting.{{top_domain}}"
+domain_baserow:                 "baserow.{{top_domain}}"
+domain_bigbluebutton:           "meet.{{top_domain}}"
+domain_elk:                     "elk.{{top_domain}}"
+domain_discourse:               "forum.{{top_domain}}"
+domain_funkwhale:               "music.{{top_domain}}"
+domain_gitea:                   "git.{{top_domain}}"
+domain_gitlab:                  "gitlab.{{top_domain}}"
+domain_listmonk:                "newsletter.{{top_domain}}"
+domain_mailu:                   "mail.{{top_domain}}"
+domain_mastodon:                "microblog.{{top_domain}}"
+domains_mastodon_alternates:    []
+domain_matomo:                  "matomo.{{top_domain}}"
+domain_matrix_synapse:          "matrix.{{top_domain}}"
+domain_matrix_element:          "element.{{top_domain}}"
+domain_mediawiki:               "wiki.{{top_domain}}"
+domain_nextcloud:               "cloud.{{top_domain}}"
+domain_pixelfed:                "picture.{{top_domain}}"
+domain_peertube:                "video.{{top_domain}}"
+domains_peertube:               []
+domain_roulette:                "roulette.{{top_domain}}"
+domain_attendize:               "tickets.{{top_domain}}"
+domain_yourls:                  "s.{{top_domain}}"
+domain_openproject:             "project.{{top_domain}}"
+domains_wordpress:              ["wordpress.{{top_domain}}","blog.{{top_domain}}"]
+
+### Common Configurations
+postgres_default_version:       "16"
+
+### Docker Role Specific Parameters
+
+#### Pixelfed
+pixelfed_app_name:      "Pictures"
+
+#### Matrix
+matrix_playbook_tags:   "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
+matrix_role:            "compose"         # Role to setup Matrix. Valid values: ansible, compose
+
+#### Mastodon
+version_mastodon:       "latest"
+
+#### Akaunting
+version_akaunting:      "latest"
+
+#### Mailu
+version_mailu:          "2.0"
+
+#### Nextcloud
+version_nextcloud:      "production"  # Danger: Nextcloud can't skipp major version updates.
+
+# Routing Configurations for Domain Redirections
+redirect_domain_mappings:
+- { source: "bbb.{{top_domain}}",         target: "{{domain_bigbluebutton}}" }
+- { source: "discourse.{{top_domain}}",   target: "{{domain_discourse}}" }
+- { source: "funkwhale.{{top_domain}}",   target: "{{domain_funkwhale}}" }
+- { source: "gitea.{{top_domain}}",       target: "{{domain_gitea}}" }
+- { source: "listmonk.{{top_domain}}",    target: "{{domain_listmonk}}" }
+- { source: "mastodon.{{top_domain}}",    target: "{{domain_mastodon}}" }
+- { source: "nextcloud.{{top_domain}}",   target: "{{domain_nextcloud}}" }
+- { source: "openproject.{{top_domain}}", target: "{{domain_openproject}}" }
+- { source: "peertube.{{top_domain}}",    target: "{{domain_peertube}}" }
+- { source: "pictures.{{top_domain}}",    target: "{{domain_pixelfed}}" }
+- { source: "pixelfed.{{top_domain}}",    target: "{{domain_pixelfed}}" }
+- { source: "short.{{top_domain}}",       target: "{{domain_yourls}}" }
+- { source: "videos.{{top_domain}}",      target: "{{domain_peertube}}" }

requirements.yml

@@ -0,0 +1,2 @@
+collections:
+  - name: kewlfft.aur

roles/backup-data-to-usb/README.md

@@ -0,0 +1,17 @@
+# backup-data-to-usb
+
+This Ansible role automates the process of performing backups to a swappable USB device.
+
+## Features
+
+- Automatically starts the backup process when mounted to a specific destination.
+- Supports customization of the backup source path and destination.
+- Provides a systemd service to run the backup script.
+
+## Author
+
+This role was created and is maintained by Kevin Veen-Birkenbach.
+
+## Credits
+
+This software was created with the assistance of [OpenAI ChatGPT](https://chat.openai.com/share/a75ca771-d8a4-4b75-9912-c515ba371ae4).

roles/backup-data-to-usb/files/backup-data-to-usb.python

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+
+import sys
+import subprocess
+import shutil
+import os
+import glob
+import datetime
+
+def main():
+    source_path = sys.argv[1]
+    print(f"source path: {source_path}")
+    
+    backup_to_usb_destination_path = sys.argv[2]
+    print(f"backup to usb destination path: {backup_to_usb_destination_path}")
+    
+    if not os.path.isdir(backup_to_usb_destination_path):
+        print(f"Directory {backup_to_usb_destination_path} does not exist")
+        sys.exit(1)
+    
+    machine_id = subprocess.run(["sha256sum", "/etc/machine-id"], capture_output=True, text=True).stdout.strip()[:64]
+    print(f"machine id: {machine_id}")
+    
+    versions_path = os.path.join(backup_to_usb_destination_path, f"{machine_id}/backup-data-to-usb/")
+    print(f"versions path: {versions_path}")
+    
+    if not os.path.isdir(versions_path):
+        print(f"Creating {versions_path}...")
+        os.makedirs(versions_path, exist_ok=True)
+    
+    previous_version_path = max(glob.glob(f"{versions_path}*"), key=os.path.getmtime, default=None)
+    print(f"previous versions path: {previous_version_path}")
+    
+    current_version_path = os.path.join(versions_path, datetime.datetime.now().strftime("%Y%m%d%H%M%S"))
+    print(f"current versions path: {current_version_path}")
+    
+    print("Creating backup destination folder...")
+    os.makedirs(current_version_path, exist_ok=True)
+    
+    print("Starting synchronization...")
+    try:
+        rsync_command = [
+            "rsync", "-abP", "--delete", "--delete-excluded"
+        ]
+        if previous_version_path is not None:
+            rsync_command.append("--link-dest=" + previous_version_path)
+        rsync_command.extend([source_path, current_version_path])
+        rsync_output = subprocess.check_output(rsync_command, stderr=subprocess.STDOUT, text=True)
+        
+        print(rsync_output)
+        print("Synchronization finished")
+        sys.exit(0)
+    except subprocess.CalledProcessError as e:
+        print(e.output)
+        if "rsync warning: some files vanished before they could be transferred" in e.output:
+            print("Synchronization finished with rsync warning")
+            sys.exit(0)
+        else:
+            print("Synchronization failed")
+            sys.exit(1)
+
+if __name__ == "__main__":
+    main()

roles/backup-data-to-usb/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: "reload backup-data-to-usb.service"
+  systemd:
+    name: backup-data-to-usb.service
+    state: reloaded
+    daemon_reload: yes

roles/backup-data-to-usb/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: cleanup-backups-service
+  - role: system-maintenance-lock

roles/backup-data-to-usb/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: Copy backup script to the scripts directory
+  copy:
+    src: backup-data-to-usb.python
+    dest: "{{ backup_to_usb_script_path }}"
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Copy systemd service to systemd directory
+  template:
+    src: backup-data-to-usb.service.j2
+    dest: /etc/systemd/system/backup-data-to-usb.service
+    owner: root
+    group: root
+    mode: '0644'
+  notify: reload backup-data-to-usb.service

roles/backup-data-to-usb/templates/backup-data-to-usb.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Backup to USB when mounted to {{ backup_to_usb_mount }}
+Wants={{systemctl_mount_service_name}}
+OnFailure=systemd-notifier@%n.service
+
+[Service]
+ExecStart=/bin/python {{ backup_to_usb_script_path }} {{backup_to_usb_source}} {{backup_to_usb_destination}}
+ExecStartPost=/bin/systemctl start cleanup-backups.service
+
+[Install]
+WantedBy=multi-user.target

roles/backup-data-to-usb/vars/main.yml

@@ -0,0 +1,4 @@
+backup_to_usb_script_path:    "/usr/local/sbin/backup-data-to-usb.python"
+backup_to_usb_destination:    "{{backup_to_usb_mount}}{{backup_to_usb_destination_subdirectory}}"
+backups_folder_path:          "{{backup_to_usb_destination}}"
+systemctl_mount_service_name: "{{ backup_to_usb_mount | trim('/') | replace('/', '-') }}.mount"

roles/backup-docker-to-local/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: "reload backup-docker-to-local.service"
+  systemd:
+    name: backup-docker-to-local.service
+    daemon_reload: yes

roles/backup-docker-to-local/meta/main.yml

@@ -0,0 +1,6 @@
+dependencies:
+  - git
+  - backups-provider
+  - systemd-notifier
+  - cleanup-failed-docker-backups
+  - system-maintenance-lock

roles/backup-docker-to-local/tasks/main.yml

@@ -0,0 +1,81 @@
+- name: install pandas system wide
+  community.general.pacman:
+    name:
+      - lsof
+      - python-pandas
+    state: present
+  when: run_once_backup_docker_to_local is not defined
+
+- name: pull backup-docker-to-local.git
+  git:
+    repo: "https://github.com/kevinveenbirkenbach/backup-docker-to-local.git"
+    dest: "{{backup_docker_to_local_folder}}"
+    update: yes
+  register: git_result
+  ignore_errors: true
+  when: run_once_backup_docker_to_local is not defined
+
+- name: Warn if repo is not reachable
+  debug:
+    msg: "Warning: Repository is not reachable."
+  when: git_result is defined and git_result.failed is defined and run_once_cleanup_failed_docker_backups is not defined
+
+- name: configure backup-docker-to-local-everything.service
+  template: 
+    src: backup-docker-to-local-everything.service.j2
+    dest: /etc/systemd/system/backup-docker-to-local-everything.service
+  notify: reload backup-docker-to-local-everything.service
+  when: run_once_backup_docker_to_local is not defined
+
+- name: configure backup-docker-to-local.service
+  template: 
+    src: backup-docker-to-local.service.j2
+    dest: /etc/systemd/system/backup-docker-to-local.service
+  notify: reload backup-docker-to-local.service
+  when: run_once_backup_docker_to_local is not defined
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+  when: run_once_backup_docker_to_local is not defined
+
+- name: "include role for systemd-timer for {{service_name}}"
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar:  "{{on_calendar_backup_docker_to_local}}"
+  when: run_once_backup_docker_to_local is not defined
+
+- name: seed database values
+  command:
+    cmd: "python database_entry_seeder.py databases.csv {{docker_compose_project_name}} {{database_host}} {{database_databasename}} {{database_username}} {{database_password}}"
+    chdir: "{{backup_docker_to_local_folder}}"
+  when: >
+    database_host is defined or
+    database_databasename is defined or
+    database_username is defined or
+    database_password is defined
+
+- name: Set file permissions for databases.csv to be readable, writable, and executable by root only
+  ansible.builtin.file:
+    path: "{{ backup_docker_to_local_folder }}databases.csv"
+    mode: '0700'
+    owner: root
+    group: root
+  when: >
+    (database_host is defined or
+    database_databasename is defined or
+    database_username is defined or
+    database_password is defined) and
+    run_once_backup_docker_to_local_file_permission is not defined
+  register: file_permission_result
+
+- name: run the backup_docker_to_local_file_permission tasks once
+  set_fact:
+    run_once_backup_docker_to_local_file_permission: true
+  when: run_once_backup_docker_to_local_file_permission is not defined and file_permission_result is defined and file_permission_result.changed
+
+- name: run the backup_docker_to_local tasks once
+  set_fact:
+    run_once_backup_docker_to_local: true
+  when: run_once_backup_docker_to_local is not defined

roles/backup-docker-to-local/templates/backup-docker-to-local-everything.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=backup docker volumes to local folder
+OnFailure=systemd-notifier@%n.service cleanup-failed-docker-backups.service
+
+[Service]
+Type=oneshot
+ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ')  }} --ignore {{ system_maintenance_backup_services | reject('equalto', 'backup-docker-to-local') | join(' ') }} --timeout "{{sytem_maintenance_lock_timeoutbackup_services}}"'
+ExecStart=/bin/sh -c '/usr/bin/python {{backup_docker_to_local_folder}}backup-docker-to-local.py --everything'

roles/backup-docker-to-local/templates/backup-docker-to-local.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=backup docker volumes to local folder
+OnFailure=systemd-notifier@%n.service cleanup-failed-docker-backups.service
+
+[Service]
+Type=oneshot
+ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ')  }} --ignore {{ system_maintenance_backup_services | reject('equalto', 'backup-docker-to-local-everything') | join(' ') }} --timeout "{{sytem_maintenance_lock_timeoutbackup_services}}"'
+ExecStart=/bin/sh -c '/usr/bin/python {{backup_docker_to_local_folder}}backup-docker-to-local.py'

roles/backup-docker-to-local/vars/main.yml

@@ -0,0 +1 @@
+backup_docker_to_local_folder: "{{path_administrator_scripts}}backup-docker-to-local/"

roles/backup-remote-to-local/README.md

@@ -1,4 +1,4 @@
-# role native-pull-primary-backups
+# role backup-remote-to-local
 
 ## goal
 This script allows to pull backups from a remote server.
@@ -11,17 +11,24 @@ Further information you will find [in this blog post](https://www.veen.world/202
 ## debug
 
 ### live
-To track what the service is doing execute the following command:
+To track what the service is doing execute one of the following commands:
 
+#### systemctl
 ```bash
-  watch -n2 "systemctl status pull-remote-backups.service"
+  watch -n2 "systemctl status backup-remote-to-local.service"
 ```
 
+#### journalctl
+```bash
+  journalctl -fu backup-remote-to-local.service
+```  
+
 ### history
 ```bash
-  sudo journalctl -u pull-remote-backups
+  sudo journalctl -u backup-remote-to-local
 ```
 
 ## see
 - https://superuser.com/questions/363444/how-do-i-get-the-output-and-exit-value-of-a-subshell-when-using-bash-e
 - https://gist.github.com/otkrsk/b0ffd4018e8a79b9010c461af298471e
+- https://serverfault.com/questions/304125/rsync-seems-incompatible-with-bashrc-causes-is-your-shell-clean

roles/backup-remote-to-local/files/backup-remote-to-local.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+# @param $1 hostname from which backup should be pulled
+
+echo "pulling backups from: $1" &&
+
+# error counter
+errors=0 &&
+
+echo "loading meta data..." &&
+
+remote_host="backup@$1" &&
+echo "host address:         $remote_host" &&
+
+remote_machine_id="$( (ssh "$remote_host" sha256sum /etc/machine-id) | head -c 64 )" &&
+echo "remote machine id:    $remote_machine_id" &&
+
+general_backup_machine_dir="/Backups/$remote_machine_id/" &&
+echo "backup dir:           $general_backup_machine_dir" &&
+
+remote_backup_types="$(ssh "$remote_host" "find $general_backup_machine_dir -maxdepth 1 -type d -execdir basename {} ;")" &&
+echo "backup types:          $remote_backup_types" || exit 1
+
+for backup_type in $remote_backup_types; do
+  if [ "$backup_type" != "$remote_machine_id" ]; then
+    echo "backup type:              $backup_type" &&
+    
+    general_backup_type_dir="$general_backup_machine_dir""$backup_type/" &&
+    general_versions_dir="$general_backup_type_dir" &&
+    local_previous_version_dir="$(ls -d $general_versions_dir* | tail -1)" &&
+    echo "last local backup:      $local_previous_version_dir" &&
+
+    remote_backup_versions="$(ssh "$remote_host" ls -d "$general_backup_type_dir"\*)" &&
+    echo "remote backup versions:   $remote_backup_versions" &&
+
+
+    remote_last_backup_dir=$(echo "$remote_backup_versions" | tail -1) &&
+    echo "last remote backup:       $remote_last_backup_dir" &&
+
+    remote_source_path="$remote_host:$remote_last_backup_dir/" &&
+    echo "source path:              $remote_source_path" &&
+
+    local_backup_destination_path=$remote_last_backup_dir &&
+    echo "backup destination:       $local_backup_destination_path" &&
+
+    echo "creating local backup destination folder..." &&
+    mkdir -vp "$local_backup_destination_path" &&
+
+    echo "starting backup..."
+    rsync_command='rsync -abP --delete --delete-excluded --rsync-path="sudo rsync" --link-dest="'$local_previous_version_dir'" "'$remote_source_path'" "'$local_backup_destination_path'"'
+
+    echo "executing:                $rsync_command"
+
+    retry_count=0
+    max_retries=12
+    retry_delay=300  # Retry delay in seconds (5 minutes)
+    last_retry_start=0
+    max_retry_duration=43200  # Maximum duration for a single retry attempt (12 hours)
+
+    while [[ $retry_count -lt $max_retries ]]; do
+      echo "Retry attempt: $((retry_count + 1))"
+      if [[ $retry_count -gt 0 ]]; then
+        current_time=$(date +%s)
+        last_retry_duration=$((current_time - last_retry_start))
+        if [[ $last_retry_duration -ge $max_retry_duration ]]; then
+          echo "Last retry took more than 12 hours, increasing max retries to 12."
+          max_retries=12
+        fi
+      fi
+      last_retry_start=$(date +%s)
+      eval "$rsync_command"
+      rsync_exit_code=$?
+      if [[ $rsync_exit_code -eq 0 ]]; then
+        break
+      fi
+      retry_count=$((retry_count + 1))
+      sleep $retry_delay
+    done
+
+    if [[ $rsync_exit_code -ne 0 ]]; then
+      echo "Error: rsync failed after $max_retries attempts"
+      ((errors += 1))
+    fi
+  fi
+done
+exit $errors;

roles/backup-remote-to-local/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: "reload backup-remote-to-local service"
+  systemd:
+    name: backup-remote-to-local.service
+    daemon_reload: yes
+    
+- name: "restart backup-remote-to-local timer"
+  systemd:
+    name: backup-remote-to-local.timer
+    state: started
+    enabled: yes
+    daemon_reload: yes

roles/backup-remote-to-local/meta/main.yml

@@ -0,0 +1,7 @@
+dependencies:
+  - git
+  - systemd-notifier
+  - cleanup-backups-timer
+  - cleanup-failed-docker-backups
+  - system-maintenance-lock
+  - user-root

roles/backup-remote-to-local/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: "create {{docker_backup_remote_to_local_folder}}"
+  file:
+    path: "{{docker_backup_remote_to_local_folder}}"
+    state: directory
+    mode: 0755
+
+- name: create backup-remote-to-local.sh
+  copy:
+    src: backup-remote-to-local.sh
+    dest: "{{docker_backup_remote_to_local_folder}}backup-remote-to-local.sh"
+    mode: 0755
+
+- name: create backup-remote-to-local.service
+  template: src=backup-remote-to-local.service.j2 dest=/etc/systemd/system/backup-remote-to-local.service
+  notify: reload backup-remote-to-local service
+
+- name: create backups-remote-to-local.sh
+  template: 
+    src: backups-remote-to-local.sh.j2 
+    dest: "{{docker_backup_remote_to_local_folder}}backups-remote-to-local.sh"
+    mode: 0755
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+
+- name: "include role for systemd-timer for {{service_name}}"
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar:  "{{on_calendar_backup_remote_to_local}}"
+

roles/backup-remote-to-local/templates/backup-remote-to-local.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=pull remote backups
+OnFailure=systemd-notifier@%n.service cleanup-failed-docker-backups.service
+
+[Service]
+Type=oneshot
+ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ')  }} --ignore {{system_maintenance_backup_services| join(' ') }} --timeout "{{sytem_maintenance_lock_timeoutbackup_services}}"'
+ExecStart=/bin/sh -c '/usr/bin/bash {{docker_backup_remote_to_local_folder}}backups-remote-to-local.sh'

roles/backup-remote-to-local/templates/backups-remote-to-local.sh.j2

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Pulls the remote backups from multiple hosts
+hosts="{{pull_remote_backups}}";
+errors=0
+for host in $hosts; do
+  bash {{docker_backup_remote_to_local_folder}}backup-remote-to-local.sh $host || ((errors+=1));
+done;
+exit $errors;

roles/backup-remote-to-local/vars/main.yml

@@ -0,0 +1 @@
+docker_backup_remote_to_local_folder: "{{path_administrator_scripts}}backup-remote-to-local/"

roles/backups-provider-user/README.md

@@ -1,4 +1,4 @@
-# role native-user-backup
+# role backups-provider-user
 User for backups
 
 ## todo

roles/backups-provider-user/files/ssh-wrapper.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# log command
+if [ -n "$SSH_ORIGINAL_COMMAND" ]
+then
+  echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" | systemd-cat -t "ssh-wrapper.sh"
+fi
+
+# define executable commands
+get_hashed_machine_id="sha256sum /etc/machine-id";
+hashed_machine_id="$($get_hashed_machine_id | head -c 64)"
+get_backup_types="find /Backups/$hashed_machine_id/ -maxdepth 1 -type d -execdir basename {} ;";
+
+
+# @todo This configuration is not scalable yet. If other backup services then backup-docker-to-local are integrated, this logic needs to be optimized
+get_version_directories="ls -d /Backups/$hashed_machine_id/backup-docker-to-local/*"
+last_version_directory="$($get_version_directories | tail -1)"
+rsync_command="sudo rsync --server --sender -blogDtpre.iLsfxCIvu . $last_version_directory/"
+
+# filter commands
+case "$SSH_ORIGINAL_COMMAND" in
+	"$get_hashed_machine_id")
+		$get_hashed_machine_id
+		;;
+	"$get_version_directories")
+		$get_version_directories
+		;;
+	"$get_backup_types")
+		$get_backup_types
+		;;
+	"$rsync_command")
+		$rsync_command
+		;;
+	*)
+		echo "This command is not supported."
+		exit 1
+		;;
+esac

roles/backups-provider-user/meta/main.yml

@@ -1,2 +1,2 @@
 dependencies:
-- native-sshd
+- sshd

roles/backups-provider-user/tasks/main.yml

@@ -2,6 +2,7 @@
   user:
     name: backup
     create_home: yes
+  when: run_once_backups_provider_user is not defined
 
 - name: create .ssh directory
   file:
@@ -10,10 +11,7 @@
     owner: backup
     group: backup
     mode: '0700'
-
-- name: register hashed_machine_id
-  shell: sha256sum /etc/machine-id | head -c 64
-  register: hashed_machine_id
+  when: run_once_backups_provider_user is not defined
 
 - name: create /home/backup/.ssh/authorized_keys
   template:
@@ -22,14 +20,16 @@
     owner: backup
     group: backup
     mode: '0644'
+  when: run_once_backups_provider_user is not defined
 
 - name: create /home/backup/ssh-wrapper.sh
-  template:
-    src: "ssh-wrapper.sh.j2"
+  copy:
+    src: "ssh-wrapper.sh"
     dest: /home/backup/ssh-wrapper.sh
     owner: backup
     group: backup
     mode: '0700'
+  when: run_once_backups_provider_user is not defined
 
 - name: grant backup sudo rights
   copy:
@@ -39,3 +39,9 @@
     owner: root
     group: root
   notify: sshd restart
+  when: run_once_backups_provider_user is not defined
+  
+- name: run the backups_provider_user tasks once
+  set_fact:
+    run_once_backups_provider_user: true
+  when: run_once_backups_provider_user is not defined

roles/backups-provider-user/templates/authorized_keys.j2

@@ -0,0 +1,3 @@
+{% for authorized_key in authorized_keys_list %}
+command="/home/backup/ssh-wrapper.sh" {{authorized_key}}
+{% endfor %}

roles/backups-provider-user/vars/main.yml

@@ -1,2 +1,2 @@
 authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"
-authorized_keys: "{{ lookup('file', authorized_keys_path) }}"
+authorized_keys_list: "{{ lookup('file', authorized_keys_path).splitlines() }}"

roles/backups-provider/README.md

@@ -1,4 +1,4 @@
-# role native-primary-backup-host
+# role backups-provider-host
 
 ## todo
 - add full system backup

roles/backups-provider/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- backups-provider-user
+- cleanup-backups-timer

roles/cleanup-backups-service/README.md

@@ -0,0 +1,14 @@
+# role cleanup-backups-timer
+
+Cleans up old backups
+
+## Additional software
+
+It may be neccessary to install gcc seperat to use psutil
+
+```bash
+  sudo pacman -S gcc
+```
+
+## further information
+- https://stackoverflow.com/questions/48929553/get-hard-disk-size-in-python

roles/cleanup-backups-service/files/cleanup-backups.py

@@ -0,0 +1,57 @@
+import psutil
+import shutil
+import os
+import argparse
+import subprocess
+
+# Validating arguments
+parser = argparse.ArgumentParser()
+parser.add_argument('--maximum-backup-size-percent', type=int, dest='maximum_backup_size_percent',required=True, choices=range(0,100), help="The directory from which the data should be encrypted.")
+parser.add_argument('--backups-folder-path',type=str,dest='backups_folder_path',required=True, help="The folder in which the backups are stored")
+args = parser.parse_args()
+
+def print_used_disc_space():
+    print("%d %% of disk %s are used" % (psutil.disk_usage(args.backups_folder_path).percent,args.backups_folder_path))  
+
+def is_directory_used_by_another_process(directory_path):
+    command= "lsof " + directory_path
+    process = subprocess.Popen([command], stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+    output, error = process.communicate()
+    # @See https://stackoverflow.com/questions/29841984/non-zero-exit-code-for-lsof
+    if process.wait() > bool(0):
+        return False
+    return True
+
+for host_backup_directory_name in os.listdir(args.backups_folder_path):
+    host_backup_directory_path = os.path.join(args.backups_folder_path, host_backup_directory_name)
+    for application_directory in os.listdir(host_backup_directory_path):
+        
+        # The directory which contains all backup versions of the application
+        versions_directory = os.path.join(host_backup_directory_path, application_directory) + "/"
+                    
+        versions = os.listdir(versions_directory)
+        versions.sort(reverse=False)
+        
+        print_used_disc_space()  
+        for version in versions:
+            version_path=os.path.join(versions_directory, version)
+            print("Checking directory %s ..." % (version_path))
+            if version == versions[-1]:
+                print("Directory %s contains the last version of the backup. Skipped." % (version_path))
+                continue
+            
+            if is_directory_used_by_another_process(version_path):
+                print("Directory %s is used by another process. Skipped." % (version_path))
+                continue
+             
+            old_disc_usage_percent=psutil.disk_usage(args.backups_folder_path).percent
+            if old_disc_usage_percent > args.maximum_backup_size_percent:
+                print("Deleting %s to free space." % (version_path))
+                shutil.rmtree(version_path)
+                new_disc_usage_percent=psutil.disk_usage(args.backups_folder_path).percent
+                difference_percent=old_disc_usage_percent-new_disc_usage_percent
+                print("{:6.2f} %% of drive freed".format(difference_percent))
+                continue
+            
+print_used_disc_space()            
+print("Cleaning up finished.")

roles/cleanup-backups-service/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: "reload cleanup-backups.service"
+  systemd:
+    name: cleanup-backups.service
+    enabled: yes
+    daemon_reload: yes

roles/cleanup-backups-service/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - python-pip
+  - systemd-notifier
+  - system-maintenance-lock

roles/cleanup-backups-service/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: install lsof and python-psutil
+  community.general.pacman:
+    name:
+      - lsof
+      - python-psutil
+    state: present
+  when: run_once_cleanup_backups_service is not defined
+
+- name: "create {{docker_cleanup_backups}}"
+  file:
+    path: "{{docker_cleanup_backups}}"
+    state: directory
+    mode: 0755
+  when: run_once_cleanup_backups_service is not defined
+
+- name: create cleanup-backups.py
+  copy: 
+    src:  "cleanup-backups.py"
+    dest: "{{docker_cleanup_backups}}cleanup-backups.py"
+  when: run_once_cleanup_backups_service is not defined
+
+- name: create cleanup-backups.service
+  template: 
+    src:  "cleanup-backups.service.j2"
+    dest: "/etc/systemd/system/cleanup-backups.service"
+  notify: reload cleanup-backups.service
+  when: run_once_cleanup_backups_service is not defined
+
+- name: run the cleanup_backups_service tasks once
+  set_fact:
+    run_once_cleanup_backups_service: true
+  when: run_once_cleanup_backups_service is not defined

roles/cleanup-backups-service/templates/cleanup-backups.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=delete old backups
+OnFailure=systemd-notifier@%n.service
+
+[Service]
+Type=oneshot
+ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ')  }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{sytem_maintenance_lock_timeoutbackup_services}}"'
+ExecStart=/bin/sh -c '/usr/bin/python {{docker_cleanup_backups}}cleanup-backups.py --backups-folder-path {{backups_folder_path}} --maximum-backup-size-percent {{size_percent_maximum_backup}}'

roles/cleanup-backups-service/vars/main.yml

@@ -0,0 +1 @@
+docker_cleanup_backups: "{{path_administrator_scripts}}cleanup-backups/"

roles/cleanup-backups-timer/README.md

@@ -0,0 +1,3 @@
+# role cleanup-backups-timer
+
+Timer for cleaning up old backups

roles/cleanup-backups-timer/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - cleanup-backups-service

roles/cleanup-backups-timer/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+  when: run_once_cleanup_backups_timer is not defined
+
+- name: "include role for systemd-timer for {{service_name}}"
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar:  "{{on_calendar_cleanup_backups}}"
+  when: run_once_cleanup_backups_timer is not defined
+
+- name: run the cleanup_backups_timer tasks once
+  set_fact:
+    run_once_cleanup_backups_timer: true
+  when: run_once_cleanup_backups_timer is not defined

roles/cleanup-disc-space/README.md

@@ -0,0 +1,4 @@
+# cleanup-disc-space
+Frees disc space
+## More information
+- https://askubuntu.com/questions/380238/how-to-clean-tmp

roles/cleanup-disc-space/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: "reload cleanup-disc-space.service"
+  systemd:
+    name: cleanup-disc-space.service
+    enabled: yes
+    daemon_reload: yes

roles/cleanup-disc-space/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - systemd-notifier
+  - system-maintenance-lock

roles/cleanup-disc-space/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: "create {{cleanup_disc_space_folder}}"
+  file:
+    path: "{{cleanup_disc_space_folder}}"
+    state: directory
+    mode: 0755
+
+- name: create cleanup-disc-space.sh
+  template:
+    src: cleanup-disc-space.sh.j2
+    dest: "{{cleanup_disc_space_folder}}cleanup-disc-space.sh"
+
+- name: create cleanup-disc-space.service
+  template: 
+    src: cleanup-disc-space.service.j2
+    dest: /etc/systemd/system/cleanup-disc-space.service
+  notify: reload cleanup-disc-space.service
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+
+- name: "include role for systemd-timer for {{service_name}}"
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar:  "{{on_calendar_cleanup_disc_space}}"

roles/cleanup-disc-space/templates/cleanup-disc-space.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=freeing disc space
+OnFailure=systemd-notifier@%n.service
+
+[Service]
+Type=oneshot
+ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ')  }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{sytem_maintenance_lock_timeoutbackup_services}}"'
+ExecStart=/bin/sh -c '/bin/bash {{cleanup_disc_space_folder}}cleanup-disc-space.sh {{size_percent_cleanup_disc_space}}'

roles/cleanup-disc-space/templates/cleanup-disc-space.sh.j2

@@ -0,0 +1,53 @@
+#!/bin/sh
+# @param $1 mimimum free disc space
+# @param $2 --force to for execution indepentend on how much disc space is free
+
+execute_cleanup_disc_space=0
+minimum_percent_cleanup_disc_space="$1"
+force_freeing=false
+echo "Checking free disc space..."
+df
+if [ $# -gt 0 ] && [ "$2" == "--force" ]; then
+  echo "Forcing disc space freeing."
+  force_freeing=true 
+fi 
+for disc_use_percent in $(df --output=pcent | sed 1d)
+do
+    disc_use_percent_number=$(echo "$disc_use_percent" | sed "s/%//")
+    if [ "$disc_use_percent_number" -gt "$minimum_percent_cleanup_disc_space" ]; then
+      echo "WARNING: $disc_use_percent_number exceeds the limit of {{size_percent_disc_space_warning}}%."
+      execute_cleanup_disc_space+=1;
+    fi
+done
+if [ "$disc_use_percent_number" -gt "$minimum_percent_cleanup_disc_space" ] || [ "$force_freeing" = true ]; then
+  echo "cleaning up /tmp" &&
+  find /tmp -type f -atime +10 -delete || exit 1
+  
+  {% if backups_folder_path is defined and size_percent_maximum_backup is defined %}
+  echo "cleaning up backups" &&
+  python {{path_administrator_scripts}}cleanup-backups/cleanup-backups.py --backups-folder-path {{backups_folder_path}} --maximum-backup-size-percent {{size_percent_maximum_backup}} || exit 2
+  {% endif %}
+
+  if pacman -Qs $package > /dev/null ; then
+    echo "cleaning up docker" &&
+    docker system prune -f || exit 3
+
+    nextcloud_application_container="nextcloud-application-1"
+    if [ "$(docker ps -a -q -f name=$nextcloud_application_container)" ] ; then
+      echo "cleaning up docker nextcloud" &&
+      docker exec -it -u www-data $nextcloud_application_container /var/www/html/occ files:cleanup || exit 4
+      docker exec -it -u www-data $nextcloud_application_container /var/www/html/occ trashbin:cleanup --all-users || exit 5
+      docker exec -it -u www-data $nextcloud_application_container /var/www/html/occ versions:cleanup || exit 6
+    fi
+
+  fi
+
+  echo "cleaning pacman cache" &&
+  yes | pacman -Sc || exit 7
+
+  echo "cleanup finished."
+else
+  echo "Sufficiend disc space available."
+  echo "To force the freeing of disc space pass the parameter --force."
+fi
+exit 0

roles/cleanup-disc-space/vars/main.yml

@@ -0,0 +1 @@
+cleanup_disc_space_folder: "{{path_administrator_scripts}}cleanup-disc-space/"

roles/cleanup-failed-docker-backups/README.md

@@ -0,0 +1,3 @@
+# Docker Volume Backup Cleanup
+This script cleans up failed docker backups.
+It uses https://github.com/kevinveenbirkenbach/cleanup-failed-docker-backups as base.

roles/cleanup-failed-docker-backups/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: "reload cleanup-failed-docker-backups.service daemon"
+  systemd:
+    name: cleanup-failed-docker-backups.service
+    enabled: yes
+    daemon_reload: yes

roles/cleanup-failed-docker-backups/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - git
+  - systemd-notifier
+  - system-maintenance-lock

roles/cleanup-failed-docker-backups/tasks/main.yml

@@ -0,0 +1,37 @@
+- name: pull cleanup-failed-docker-backups.git
+  git:
+    repo: "https://github.com/kevinveenbirkenbach/cleanup-failed-docker-backups.git"
+    dest: "{{backup_docker_to_local_cleanup_folder}}"
+    update: yes
+  register: git_result
+  ignore_errors: true
+  when: run_once_cleanup_failed_docker_backups is not defined
+
+- name: Warn if repo is not reachable
+  debug:
+    msg: "Warning: Repository is not reachable."
+  when: git_result is defined and git_result.failed is defined and run_once_cleanup_failed_docker_backups is not defined
+
+- name: configure cleanup-failed-docker-backups.service
+  template: 
+    src: cleanup-failed-docker-backups.service.j2
+    dest: /etc/systemd/system/cleanup-failed-docker-backups.service
+  notify: reload cleanup-failed-docker-backups.service daemon
+  when: run_once_cleanup_failed_docker_backups is not defined
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+  when: run_once_cleanup_failed_docker_backups is not defined
+
+- name: "include role for systemd-timer for {{service_name}}"
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar:  "{{on_calendar_cleanup_failed_docker}}"
+  when: run_once_cleanup_failed_docker_backups is not defined
+
+- name: run the cleanup_failed_docker_backups tasks once
+  set_fact:
+    run_once_cleanup_failed_docker_backups: true
+  when: run_once_cleanup_failed_docker_backups is not defined

roles/cleanup-failed-docker-backups/templates/cleanup-failed-docker-backups.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Cleaning up failed docker volume backups
+OnFailure=systemd-notifier@%n.service
+
+[Service]
+Type=oneshot
+ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ')  }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{sytem_maintenance_lock_timeoutbackup_services}}"'
+ExecStart=/bin/sh -c '/usr/bin/yes | /usr/bin/bash {{backup_docker_to_local_cleanup_folder}}cleanup-all.sh {{backup_docker_to_local_cleanup_trigger_directory}}'

roles/cleanup-failed-docker-backups/vars/main.yml

@@ -0,0 +1 @@
+backup_docker_to_local_cleanup_folder: "{{path_administrator_scripts}}cleanup-failed-docker-backups/"

roles/client-wireguard-behind-firewall/README.md

@@ -1,4 +1,4 @@
-# native-wireguard-behind-nat
+# client-wireguard-behind-nat
 
 # see
 - https://gist.github.com/insdavm/b1034635ab23b8839bf957aa406b5e39

roles/client-wireguard-behind-firewall/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- client-wireguard

roles/client-wireguard/README.md

@@ -0,0 +1,28 @@
+# Role Native Wireguard
+Manages wireguard on a client.
+
+## Create Client Keys
+```bash
+  wg_private_key="$(wg genkey)"
+  wg_public_key="$(echo "$wg_private_key" | wg pubkey)"
+  echo "PrivateKey: $wg_private_key"
+  echo "PublicKey: $wg_public_key"
+  echo "PresharedKey: $(wg genpsk)"
+```
+
+## Other
+- https://golb.hplar.ch/2019/01/expose-server-vpn.html
+- https://wiki.archlinux.org/index.php/WireGuard
+- https://wireguard.how/server/raspbian/
+- https://www.scaleuptech.com/de/blog/was-ist-und-wie-funktioniert-subnetting/
+- https://bodhilinux.boards.net/thread/450/wireguard-rtnetlink-answers-permission-denied
+- https://stackoverflow.com/questions/69140072/unable-to-ssh-into-wireguard-ip-until-i-ping-another-server-from-inside-the-serv
+- https://unix.stackexchange.com/questions/717172/why-is-ufw-blocking-acces-to-ssh-via-wireguard
+- https://forum.openwrt.org/t/cannot-ssh-to-clients-on-lan-when-accessing-router-via-wireguard-client/132709/3
+- https://serverfault.com/questions/1086297/wireguard-connection-dies-on-ubuntu-peer
+- https://unix.stackexchange.com/questions/624987/ssh-fails-to-start-when-listenaddress-is-set-to-wireguard-vpn-ip
+- https://serverfault.com/questions/210408/cannot-ssh-debug1-expecting-ssh2-msg-kex-dh-gex-reply
+- https://www.thomas-krenn.com/de/wiki/Linux_ip_Kommando
+- https://wiki.archlinux.org/title/dhcpcd
+- https://wiki.ubuntuusers.de/NetworkManager/Dispatcher/
+- https://askubuntu.com/questions/1024916/how-can-i-launch-a-systemd-service-at-startup-before-another-systemd-service-sta

roles/client-wireguard/files/set-mtu.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=set MTU 
+Before=wg-quick@wg0.service
+
+[Service]
+Type=oneshot
+ExecStart=bash /usr/local/bin/set-mtu.sh
+
+[Install]
+RequiredBy=wg-quick@wg0.service

roles/client-wireguard/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: "restart set-mtu.service"
+  systemd:
+    name: set-mtu.service
+    state: restarted
+    enabled: yes
+    daemon_reload: yes

roles/client-wireguard/meta/main.yml

@@ -1,2 +1,2 @@
 dependencies:
-- native-sudo
+- wireguard

roles/client-wireguard/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: create set-mtu.service
+  copy: 
+    src:  set-mtu.service
+    dest: /etc/systemd/system/set-mtu.service
+  notify: restart set-mtu.service
+
+- name: create set-mtu.sh
+  template: 
+    src:  set-mtu.sh.j2
+    dest: /usr/local/bin/set-mtu.sh
+  notify: restart set-mtu.service

roles/client-wireguard/templates/set-mtu.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+{% for internet_interface in internet_interfaces %}
+ip li set mtu 1400 dev {{internet_interface}}
+{% endfor %}

roles/docker-akaunting/README.md

@@ -0,0 +1,106 @@
+# Docker Akaunting Setup Guide
+
+## !!!DANGER!!!
+
+**AKAUNTING CONTAINS VERY MUCH PROPERITARY COMPONENTS. IT IS ALMOST IMPOSSIBLE TO USE THIS SOFTWARE FOR FREE IN A PRODUCTIVE ENVIRONMENT. UPDATES MAY BREAK YOUR INSTALLATION. IN THE PAST UPDATES LEADED TO THE REDUCTION OF FREE FEATURES AND INSTEAD THEY BECOME PAYD FEATURES. THIS LEADED TO THAT USERS COULD NOT MAINTAINE THERE COMPANIES IN AKAUNTING ANYMORE**
+
+I recommend to use instead [Open Project](../docker-openproject/) and/or [GNUCash](../pc-gnucash/).
+
+This role still exist in case, that you want to setup Akaunting and you're willing to pay, but I recommend to don't use akaunting.  
+
+## Introduction
+This guide details the process of setting up Akaunting, a free and online accounting software, using Docker. It's tailored to help you deploy and manage an Akaunting instance efficiently using Docker and Docker Compose.
+
+## Prerequisites
+- Docker and Docker Compose installed.
+- Basic understanding of Docker concepts.
+- Access to the command line or terminal.
+
+## Installation Steps
+
+@ATTENTION Variable ```#AKAUNTING_SETUP: true``` needs to be set
+
+### New Manual Setup
+1. **Navigate to Docker Compose Directory**: Change to the directory containing your Docker Compose files for Akaunting.
+
+    ```bash
+    cd {{path_docker_compose_instances}}akaunting/
+    ```
+
+2. **Set Environment Variables**: These are necessary to prevent timeouts during long operations.
+
+    ```bash
+    export COMPOSE_HTTP_TIMEOUT=600
+    export DOCKER_CLIENT_TIMEOUT=600
+    ```
+
+3. **Start Akaunting Service**: This command will initialize the Akaunting setup.
+
+    ```bash
+    AKAUNTING_SETUP=true docker-compose -p akaunting up -d
+    ```
+
+4. **Check Web Interface**: Ensure the web interface is operational.
+
+5. **Restart Services**: To finalize the setup, restart the services.
+
+    ```bash
+    docker-compose down
+    docker-compose -p akaunting up -d
+    ```
+
+### Administration
+- **View Logs**: To check the latest logs of Akaunting.
+
+    ```bash
+    docker-compose exec -it akaunting tail -n 300 storage/logs/laravel.log 
+    ```
+
+- **Access Containers**: For troubleshooting or configuration.
+  - Akaunting Container: `docker-compose exec -it akaunting bash`
+  - Database Container: `docker-compose exec -it akaunting-db /bin/mariadb -u admin --password=$akaunting_db_password akaunting`
+
+### Manual Update
+Execute PHP artisan commands in the following order for updating Akaunting:
+
+```bash
+php artisan about
+php artisan cache:clear
+php artisan view:clear
+php artisan migrate:status
+php artisan update:all
+php artisan update:db
+```
+
+### Composer
+To install Composer, a PHP dependency management tool:
+
+```bash
+curl https://getcomposer.org/download/2.4.1/composer.phar --output composer.phar
+php composer.phar install
+```
+
+### Full Backup Routine
+Detailed steps for backing up your Akaunting instance, including setting manual and automatic variables, destroying containers, removing volumes, and rebuilding and recovering volumes. (Refer to the full backup routine script in the original README).
+
+### Setting Variables
+Variables are crucial in configuring your Akaunting setup. Ensure you set the following variables correctly in your environment:
+
+- `docker_compose_instance_directory`: Set this variable to the path where your Docker Compose files for Akaunting are located.
+- `akaunting_db_password`, `version_akaunting`, `akaunting_company_name`, `akaunting_company_email`, `akaunting_setup_admin_email`, and `akaunting_setup_admin_password`: These should be set in your `.env` files as per your requirements.
+
+### Additional Configuration
+- **SSL Certificate**: The guide includes steps to receive a certificate for your domain.
+- **Nginx Configuration**: Necessary steps to configure Nginx as a reverse proxy for Akaunting.
+- **Database and Runtime Environment**: Instructions on how to set up the `db.env` and `run.env` files for database and runtime configurations.
+
+## Further Information
+For more details, visit the [Akaunting Docker Repository](https://github.com/akaunting/docker) and the [Akaunting Forums](https://akaunting.com/forum).
+
+## Contribution and Feedback
+
+Your contributions and feedback are welcome. Please reach out for support or queries at kevin@veen.world.
+
+## Author
+
+This script is developed by Kevin Veen-Birkenbach. You can reach out to him at kevin@veen.world or visit his website at https://www.veen.world.

roles/docker-akaunting/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: "include docker-compose-common.yml"
+  include_tasks: docker-compose-common.yml
+
+- name: "include tasks nginx-docker-proxy-domain.yml"
+  include_tasks: nginx-docker-proxy-domain.yml
+
+- name: "include tasks update-repository-with-docker-compose.yml"
+  include_tasks: update-repository-with-docker-compose.yml
+
+- name: configure run.env
+  template: src=run.env.j2 dest={{docker_compose_instance_directory}}/env/run.env
+  notify: docker compose project setup

roles/docker-akaunting/templates/docker-compose.yml.j2

@@ -0,0 +1,26 @@
+version: '3.7'
+
+services:
+
+{% include 'templates/docker-service-' + database_type + '.yml.j2' %}
+
+  application:
+    image: docker.io/akaunting/akaunting:{{version_akaunting}}
+    build:
+      context: .
+    ports:
+      - 127.0.0.1:{{http_port}}:80
+    volumes:
+      - data:/var/www/html
+    restart: unless-stopped
+    env_file:
+      - env/run.env
+    environment:
+      - AKAUNTING_SETUP
+{% include 'templates/docker-container-networks.yml.j2' %}
+{% include 'templates/docker-container-depends-on-just-database.yml.j2' %}
+
+{% include 'templates/docker-compose-volumes.yml.j2' %}
+  data:
+
+{% include 'templates/docker-compose-networks.yml.j2' %}

roles/docker-akaunting/templates/run.env.j2

@@ -0,0 +1,22 @@
+# You should change this to match your reverse proxy DNS name and protocol
+APP_URL=https://{{domain}}
+LOCALE=en-US
+
+# Don't change this unless you rename your database container or use rootless podman, in case of using rootless podman you should set it to 127.0.0.1 (NOT localhost)
+DB_HOST={{database_host}}
+
+# Change these to match env/db.env
+DB_DATABASE={{database_databasename}}
+DB_USERNAME={{database_username}}
+DB_PASSWORD={{database_password}}
+
+# You should change this to a random string of three numbers or letters followed by an underscore
+DB_PREFIX=asd_
+
+# These define the first company to exist on this instance. They are only used during setup.
+COMPANY_NAME={{akaunting_company_name}}
+COMPANY_EMAIL={{akaunting_company_email}}
+
+# This will be the first administrative user created on setup.
+ADMIN_EMAIL={{akaunting_setup_admin_email}}
+ADMIN_PASSWORD={{akaunting_setup_admin_password}}

roles/docker-akaunting/vars/main.yml

@@ -0,0 +1,6 @@
+docker_compose_project_name:        "akaunting"
+docker_compose_file_path:           "{{docker_compose_instance_directory}}docker-compose.yml"
+docker_compose_backup_path:         "/tmp/{{docker_compose_project_name}}-docker-compose-backup.yml"
+database_type:                      "mariadb"
+database_password:                  "{{akaunting_database_password}}"
+repository_address:                 "https://github.com/akaunting/docker.git"

roles/docker-attendize/README.md

@@ -0,0 +1,11 @@
+@TODO @ATTENTION THIS ROLE IS WORK IN PROGRESS
+
+# Role: docker-attendize (WIP)
+
+This Ansible role sets up Attendize, an open-source ticket selling and event management platform.
+
+## Setup Instructions
+
+```bash
+bash ./Makefile setup
+```

roles/docker-attendize/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: "include docker-compose-common.yml"
+  include_tasks: docker-compose-common.yml
+
+- name: receive {{ mail_interface_domain }} certificate
+  command: certbot certonly --agree-tos --email {{ administrator_email }} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ mail_interface_domain }}
+
+- name: receive {{ domain }} certificate
+  command: certbot certonly --agree-tos --email {{ administrator_email }} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
+
+- name: configure {{domain}}.conf
+  template: 
+    src: roles/nginx-docker-reverse-proxy/templates/domain.conf.j2 
+    dest: "{{nginx_servers_directory}}{{domain}}.conf"
+  notify: restart nginx
+
+- name: "include tasks update-repository-with-docker-compose.yml"
+  include_tasks: update-repository-with-docker-compose.yml

roles/docker-attendize/templates/docker-compose.yml.j2

@@ -0,0 +1,41 @@
+version: '3.2'
+services:
+
+{% include 'templates/docker-service-redis.yml.j2' %}
+
+{% include 'templates/docker-service-' + database_type + '.yml.j2' %}
+
+  web:
+    image: attendize_web:latest
+    ports:
+    - "{{http_port}}:80"
+    volumes:
+      - .:/usr/share/nginx/html
+      - .:/var/www
+{% include 'templates/docker-container-depends-on-database-redis.yml.j2' %}
+      maildev:
+      worker:
+    env_file:
+      - ./.env
+{% include 'templates/docker-container-networks.yml.j2' %}
+
+  worker:
+    image: attendize_worker:latest
+{% include 'templates/docker-container-depends-on-database-redis.yml.j2' %}
+      maildev:
+{% include 'templates/docker-container-networks.yml.j2' %}
+    volumes:
+      - .:/usr/share/nginx/html
+      - .:/var/www
+
+  maildev:
+    image: maildev/maildev
+    ports:
+      - "{{ mail_interface_http_port }}:1080"
+{% include 'templates/docker-container-networks.yml.j2' %}
+{% include 'templates/docker-container-depends-on-just-database.yml.j2' %}
+
+{% include 'templates/docker-compose-volumes.yml.j2' %}
+  redis:
+
+{% include 'templates/docker-compose-networks.yml.j2' %}

roles/docker-attendize/vars/main.yml

@@ -0,0 +1,8 @@
+---
+docker_compose_project_name:        "attendize"
+docker_compose_file_path:           "{{docker_compose_instance_directory}}docker-compose.yml"
+docker_compose_backup_path:         "/tmp/{{docker_compose_project_name}}-docker-compose-backup.yml"
+mail_interface_domain:              "mail.{{domain}}"
+database_type:                      "mariadb"
+database_password:                  "{{attendize_database_password}}"
+repository_address:                 "https://github.com/Attendize/Attendize.git"

roles/docker-baserow/README.md

@@ -0,0 +1,5 @@
+# docker baserow
+
+This role allows the setup of [baserole](https://baserow.io/).
+
+It was created with the help of [Chat GPT-4](https://chat.openai.com/share/556c2d7f-6b6f-4256-a646-a50529554efc).

roles/docker-baserow/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: "include docker-compose-common.yml"
+  include_tasks: docker-compose-common.yml
+
+- name: "include tasks nginx-docker-proxy-domain.yml"
+  include_tasks: nginx-docker-proxy-domain.yml
+
+- name: "create {{docker_compose_instance_directory}}"
+  file:
+    path: "{{docker_compose_instance_directory}}"
+    state: directory
+    mode: 0755
+
+- name: add docker-compose.yml
+  template: src=docker-compose.yml.j2 dest={{docker_compose_instance_directory}}docker-compose.yml
+  notify: docker compose project setup
+
+- name: add env
+  template: 
+    src: env.j2 
+    dest: "{{docker_compose_instance_directory}}env"
+    mode: '770'
+    force: yes
+  notify: docker compose project setup

roles/docker-baserow/templates/docker-compose.yml.j2

@@ -0,0 +1,27 @@
+version: '2'
+
+services:
+
+{% include 'templates/docker-service-redis.yml.j2' %}
+
+{% include 'templates/docker-service-' + database_type + '.yml.j2' %}
+
+  baserow:
+    image: baserow/baserow:1.19.1
+    restart: always
+    logging:
+      driver: journald
+    env_file:
+      - ./env
+    volumes:
+      - data:/baserow/data
+    ports:
+      - "{{http_port}}:80"
+{% include 'templates/docker-container-networks.yml.j2' %}
+{% include 'templates/docker-container-depends-on-just-database.yml.j2' %}
+
+{% include 'templates/docker-compose-volumes.yml.j2' %}
+  data:
+  redis:
+
+{% include 'templates/docker-compose-networks.yml.j2' %}

roles/docker-baserow/templates/env.j2

@@ -0,0 +1,20 @@
+# Public URL
+BASEROW_PUBLIC_URL=https://{{ domain }}
+
+# Email Server Configuration
+EMAIL_SMTP={{ system_email_smtp | upper }}
+EMAIL_SMTP_HOST={{ system_email_host }}
+EMAIL_SMTP_PORT={{ system_email_smtp_port }}
+EMAIL_SMTP_USER={{ system_email_username }}
+EMAIL_SMTP_PASSWORD={{ system_email_password }}
+EMAIL_SMTP_USE_TLS={{ system_email_tls | upper }}
+
+DATABASE_USER={{ database_username }}
+DATABASE_NAME={{ database_databasename }}
+DATABASE_HOST={{ database_host }}
+DATABASE_PORT=5432
+DATABASE_PASSWORD={{ database_password }}
+
+REDIS_HOST=redis
+REDIS_PORT=6379
+REDIS_PASSWORD=

roles/docker-baserow/vars/main.yml

@@ -0,0 +1,4 @@
+docker_compose_project_name:        "baserow"
+database_password:                  "{{ baserow_database_password }}"
+database_version:                   "{{ baserow_database_version | default(postgres_default_version) }}"
+database_type:                      "postgres"

roles/docker-bigbluebutton/README.md

@@ -0,0 +1,31 @@
+# docker bigbluebutton
+@TODO Database needs to be decoupled 
+
+Role to deploy [BigBlueButton](https://bigbluebutton.org/). 
+
+## maintanace
+
+### cleanup
+```bash
+    docker-compose down;
+    docker volume rm bigbluebutton_bigbluebutton bigbluebutton_html5-static bigbluebutton_vol-freeswitch bigbluebutton_vol-kurento bigbluebutton_vol-mediasoup bigbluebutton_database
+```
+
+### check container status 
+```bash
+watch -n 2 "docker ps -a | grep bigbluebutton"
+```
+
+### database access
+```bash
+ sudo docker-compose exec -it postgres psql -U postgres
+```
+
+## further information
+- https://github.com/bigbluebutton/docker
+- https://docs.bigbluebutton.org/greenlight/gl-install.html#setting-bigbluebutton-credentials
+- https://goneuland.de/big-blue-button-mit-docker-und-traefik-installieren/
+- https://github.com/docker/compose/issues/4799
+- https://www.cyberciti.biz/faq/linux-command-to-remove-virtual-interfaces-or-network-aliases/
+- https://www.cyberciti.biz/faq/linux-restart-network-interface/
+- https://stackoverflow.com/questions/53347951/docker-network-not-found

roles/docker-bigbluebutton/files/websocket_upgrade.conf

@@ -0,0 +1,11 @@
+# Context: https://chat.openai.com/share/9b3c0e79-15bc-4780-aa88-f0dd149bdaac
+
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+map $remote_addr $endpoint_addr {
+    "~:"    [::1];
+    default    127.0.0.1;
+}

roles/docker-bigbluebutton/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+- name: create docker-compose.yml for bigbluebutton
+  command:
+    cmd: bash ./scripts/generate-compose
+    chdir: "{{docker_compose_instance_directory}}"
+  environment:
+    COMPOSE_HTTP_TIMEOUT: 600
+    DOCKER_CLIENT_TIMEOUT: 600
+  listen: setup bigbluebutton
+- name: docker compose up bigbluebutton
+  command:
+    cmd: docker-compose -p bigbluebutton up -d --force-recreate
+    chdir: "{{docker_compose_instance_directory}}"
+  environment:
+    COMPOSE_HTTP_TIMEOUT: 600
+    DOCKER_CLIENT_TIMEOUT: 600
+  listen: setup bigbluebutton

roles/docker-bigbluebutton/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+- name: include docker vars
+  include_vars: vars/docker-database-service.yml.j2
+
+- name: load docker compose dependencies
+  include_role:
+    name: docker-compose
+
+- name: "include task certbot-matomo.yml"
+  include_tasks: certbot-matomo.yml
+
+- name: configure {{domain}}.conf
+  template: 
+    src:  "nginx-proxy.conf.j2"
+    dest: "{{nginx_servers_directory}}{{domain}}.conf"
+  notify: restart nginx
+
+- name: configure websocket_upgrade.conf
+  copy: 
+    src:  "websocket_upgrade.conf"
+    dest: "{{nginx_maps_directory}}websocket_upgrade.conf"
+  notify: restart nginx
+
+- name: pull docker repository
+  git:
+    repo: "https://github.com/bigbluebutton/docker.git"
+    dest: "{{docker_compose_instance_directory}}"
+    update: yes
+    recursive: yes
+    version: main
+  notify: setup bigbluebutton
+  register: git_result
+  ignore_errors: true
+
+- name: Warn if repo is not reachable
+  debug:
+    msg: "Warning: Repository is not reachable."
+  when: git_result.failed
+
+- name: deploy .env
+  template: src=env.j2 dest={{docker_compose_instance_directory}}/.env
+  notify: setup bigbluebutton

roles/docker-bigbluebutton/templates/env.j2

@@ -0,0 +1,273 @@
+ENABLE_COTURN=true
+COTURN_TLS_CERT_PATH=/etc/letsencrypt/live/{{domain}}/fullchain.pem
+COTURN_TLS_KEY_PATH=/etc/letsencrypt/live/{{domain}}/privkey.pem
+ENABLE_GREENLIGHT=true
+
+# Enable Webhooks
+# used by some integrations
+#ENABLE_WEBHOOKS=true
+
+# Prometheus Exporter
+# serves the bigbluebutton-exporter under following URL:
+# https://yourdomain/bbb-exporter
+#ENABLE_PROMETHEUS_EXPORTER=true
+#ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION=true
+
+# Recording
+# IMPORTANT: this is currently a big privacy issues, because it will
+# record everything which happens in the conference, even when the button
+# suggets, that it does not.
+# https://github.com/bigbluebutton/bigbluebutton/issues/9202
+# make sure that you get peoples consent, before they join a room
+ENABLE_RECORDING=false
+REMOVE_OLD_RECORDING=true
+RECORDING_MAX_AGE_DAYS=365
+
+# ====================================
+# SECRETS
+# ====================================
+# important! change these to any random values
+SHARED_SECRET={{bigbluebutton_shared_secret}}
+ETHERPAD_API_KEY={{bigbluebutton_etherpad_api_key}}
+RAILS_SECRET={{bigbluebutton_rails_secret}}
+POSTGRESQL_SECRET={{bigbluebutton_postgresql_secret}}
+FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
+
+
+
+# ====================================
+# CONNECTION
+# ====================================
+
+DOMAIN={{domain}}
+
+EXTERNAL_IPv4={{ip4_address}}
+EXTERNAL_IPv6=
+
+# STUN SERVER
+# stun.freeswitch.org
+STUN_IP={{ip4_address}}
+STUN_PORT=3478
+
+# TURN SERVER
+# uncomment and adjust following two lines to add an external TURN server
+TURN_SERVER=turns:{{domain}}:5349?transport=tcp
+TURN_SECRET={{bigbluebutton_turn_secret}}
+
+# Allowed SIP IPs
+# due to high traffic caused by bots, by default the SIP port is blocked.
+# but you can allow access by your providers IP or IP ranges (comma seperated)
+# Hint: if you want to allow requests from every IP, you can use 0.0.0.0/0
+SIP_IP_ALLOWLIST=
+
+
+# ====================================
+# CUSTOMIZATION
+# ====================================
+
+CLIENT_TITLE=BigBlueButton
+
+# use following lines to replace the default welcome message and footer
+WELCOME_MESSAGE="Welcome to <b>%%CONFNAME%%</b>!<br><br>For help on using BigBlueButton see these (short) <a href='https://www.bigbluebutton.org/html5' target='_blank'><u>tutorial videos</u></a>.<br><br>To join the audio bridge click the speaker button.  Use a headset to avoid causing background noise for others."
+WELCOME_FOOTER="This server is running <a href='https://docs.bigbluebutton.org/'' target='_blank'><u>BigBlueButton</u></a>."
+
+# use following line for an additional SIP dial-in message
+#WELCOME_FOOTER="This server is running <a href='https://docs.bigbluebutton.org/' target='_blank'><u>BigBlueButton</u></a>. <br><br>To join this meeting by phone, dial:<br>  INSERT_YOUR_PHONE_NUMBER_HERE<br>Then enter %%CONFNUM%% as the conference PIN number."
+
+# for a different default presentation, place the pdf file in ./conf/ and
+# adjust the following path
+DEFAULT_PRESENTATION=./mod/nginx/default.pdf
+
+# language of sound announcements
+# options:
+# - en-ca-june - EN Canadian June
+# - en-us-allison - US English Allison
+# - en-us-callie - US English Callie
+# - de-de-daedalus3 - German by Daedalus3 (https://github.com/Daedalus3/freeswitch-german-soundfiles)
+# - es-ar-mario - Spanish/Argentina Mario
+# - fr-ca-june - FR Canadian June
+# - pt-br-karina - Brazilian Portuguese Karina
+# - ru-RU-elena - RU Russian Elena
+# - ru-RU-kirill - RU Russian Kirill
+# - ru-RU-vika - RU Russian Viktoriya
+# - sv-se-jakob - Swedish (Sweden) Jakob
+# - zh-cn-sinmei - Chinese/China Sinmei
+# - zh-hk-sinmei - Chinese/Hong Kong Sinmei
+SOUNDS_LANGUAGE=en-us-callie
+
+# set to false to disable listenOnlyMode
+LISTEN_ONLY_MODE=true
+
+# set to true to disable echo test
+DISABLE_ECHO_TEST=false
+
+# set to true to automatically share webcam
+AUTO_SHARE_WEBCAM=false
+
+# set to true to disable video preview for webcam sharing
+DISABLE_VIDEO_PREVIEW=false
+
+# set to false to disable chat
+CHAT_ENABLED=true
+
+# set to true to start chat closed
+CHAT_START_CLOSED=false
+
+# set to true to disable announcements "You are now (un-)muted"
+DISABLE_SOUND_MUTED=false
+
+# set to true to disable announcement "You are the only person in this conference"
+DISABLE_SOUND_ALONE=false
+
+# maximum count of breakout rooms per meeting
+# Warning: increasing the limit of breakout rooms per meeting
+# can generate excessive overhead to the server. We recommend
+# this value to be kept under 12.
+BREAKOUTROOM_LIMIT=8
+
+# set to false to disable the learning dashboard
+ENABLE_LEARNING_DASHBOARD=true
+
+# ====================================
+# Tuning
+# ====================================
+# Default = 2; Min = 1; Max = 4
+# On powerful systems with high number of meetings you can set values up to 4 to accelerate handling of events
+NUMBER_OF_BACKEND_NODEJS_PROCESSES=2
+
+# Default = 2; Min = 1; Max = 8
+# Set a number between 1 and 4 times the value of NUMBER_OF_BACKEND_NODEJS_PROCESSES where higher number helps with meetings
+# stretching the recommended number of users in BigBlueButton
+NUMBER_OF_FRONTEND_NODEJS_PROCESSES=2
+
+
+# ====================================
+# GREENLIGHT CONFIGURATION
+# ====================================
+
+# Microsoft Office365 Login Provider (optional)
+#
+# For in-depth steps on setting up a Office 365 Login Provider, see:
+#
+#   https://docs.bigbluebutton.org/greenlight/gl-config.html#office365-oauth2
+#
+OFFICE365_KEY=
+OFFICE365_SECRET=
+OFFICE365_HD=
+
+# OAUTH2_REDIRECT allows you to specify the redirect_url passed to oauth on sign in.
+# It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
+OAUTH2_REDIRECT=
+
+# LDAP Login Provider (optional)
+#
+# You can enable LDAP authentication by providing values for the variables below.
+# Configuring LDAP authentication will take precedence over all other providers.
+# For information about setting up LDAP, see:
+#
+#   https://docs.bigbluebutton.org/greenlight/gl-config.html#ldap-auth
+#
+#   LDAP_SERVER=ldap.example.com
+#   LDAP_PORT=389
+#   LDAP_METHOD=plain
+#   LDAP_UID=uid
+#   LDAP_BASE=dc=example,dc=com
+#   LDAP_AUTH=simple
+#   LDAP_BIND_DN=cn=admin,dc=example,dc=com
+#   LDAP_PASSWORD=password
+#   LDAP_ROLE_FIELD=ou
+#   LDAP_FILTER=(&(attr1=value1)(attr2=value2))
+LDAP_SERVER=
+LDAP_PORT=
+LDAP_METHOD=
+LDAP_UID=
+LDAP_BASE=
+LDAP_BIND_DN=
+LDAP_AUTH=
+LDAP_PASSWORD=
+LDAP_ROLE_FIELD=
+LDAP_FILTER=
+
+# Set this to true if you want GreenLight to support user signup and login without
+# Omniauth. For more information, see:
+#
+#   https://docs.bigbluebutton.org/greenlight/gl-overview.html#accounts-and-profile
+#
+ALLOW_GREENLIGHT_ACCOUNTS=true
+
+SMTP_SERVER={{system_email_host}}
+SMTP_DOMAIN={{domain}}
+SMTP_PORT={{system_email_smtp_port}}
+SMTP_USERNAME={{system_email_username}}
+SMTP_PASSWORD={{system_email_password}}
+SMTP_AUTH=plain
+SMTP_OPENSSL_VERIFY_MODE=none
+SMTP_STARTTLS_AUTO={{system_email_start_tls}}
+SMTP_SENDER={{system_email_username}}
+SMTP_SENDER_EMAIL={{system_email_username}}
+
+# Prefix for the applications root URL.
+# Useful for deploying the application to a subdirectory, which is highly recommended
+# if deploying on a BigBlueButton server. Keep in mind that if you change this, you'll
+# have to update your authentication callback URL's to reflect this change.
+#
+#   The recommended prefix is "/b".
+#
+RELATIVE_URL_ROOT="/b"
+
+# Specify which settings you would like the users to configure on room creation
+# or edit after the room has been created
+# By default, all settings are turned OFF.
+#
+# Current settings available:
+#   mute-on-join: Automatically mute users by default when they join a room
+#   require-moderator-approval: Require moderators to approve new users before they can join the room
+#   anyone-can-start: Allows anyone with the join url to start the room in BigBlueButton
+#   all-join-moderator: All users join as moderators in BigBlueButton
+ROOM_FEATURES=mute-on-join,require-moderator-approval,anyone-can-start,all-join-moderator
+
+# Specify the maximum number of records to be sent to the BigBlueButton API in one call
+# Default is set to 25 records
+PAGINATION_NUMBER=25
+
+# Specify the maximum number of rows that should be displayed per page for a paginated table
+# Default is set to 25 rows
+NUMBER_OF_ROWS=25
+
+# Specify if you want to display the Google Calendar button
+#   ENABLE_GOOGLE_CALENDAR_BUTTON=true|false
+ENABLE_GOOGLE_CALENDAR_BUTTON=
+
+# Set the application into Maintenance Mode
+#
+# Current options supported:
+# true: Renders an error page that does not allow users to access any of the features in the application
+# false: Application runs normally
+MAINTENANCE_MODE=false
+
+# Displays a flash that appears to inform the user of a scheduled maintenance window
+# This variable should contain ONLY the date and time of the scheduled maintenance
+#
+# Ex: MAINTENANCE_WINDOW=Friday August 18 6pm-10pm EST
+MAINTENANCE_WINDOW=
+
+# The link to the Report an Issue button that appears on the 500 page and in the Account Dropdown
+#
+# Defaults to the Github Issues Page for Greenlight
+# Button can be disabled by setting the value to blank
+#
+# REPORT_ISSUE_URL=https://github.com/bigbluebutton/greenlight/issues/new
+
+# The link to the Need help? button that appears on the Account Dropdown
+#
+# Defaults to the Greenlight documentation
+# Button can be disabled by setting the value to blank
+HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
+
+# Specify the default registration to be used by Greenlight until an administrator sets the
+# registration method
+# Allowed values are:
+#   open - For open registration
+#   invite - For invite only registration
+#   approval - For approve/decline registration
+DEFAULT_REGISTRATION=invite

roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2

@@ -0,0 +1,20 @@
+server {
+  listen 443 ssl http2 default_server;
+  listen [::]:443 ssl http2 default_server;
+  server_name {{domain}};
+
+  ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_pass http://$endpoint_addr:48087;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_cache_bypass $http_upgrade;
+  }
+}

roles/docker-bigbluebutton/vars/main.yml

@@ -0,0 +1,6 @@
+docker_compose_project_name:        "bigbluebutton"
+database_host:                      "postgres" # needs to be fixed
+database_databasename:              "greenlight-v3"
+database_username:                  "postgres"
+database_password:  	              ""
+database_type:                      "postgres"

roles/docker-compose/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: docker compose project setup
+  command:
+    cmd: docker-compose -p "{{docker_compose_project_name}}" up -d --force-recreate
+    chdir: "{{docker_compose_instance_directory}}"
+  environment:
+    COMPOSE_HTTP_TIMEOUT: 600
+    DOCKER_CLIENT_TIMEOUT: 600

roles/docker-compose/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- nginx-docker-reverse-proxy

roles/docker-discourse/README.md

@@ -0,0 +1,10 @@
+# Ansible Role: Docker-Discourse
+
+@TODO Database needs to be decoupled 
+
+This Ansible role sets up Discourse, a popular open-source discussion platform, using Docker containers. It is designed to automate the deployment and configuration process of Discourse, making it easier to maintain and update.
+
+---
+
+This README was generated with information provided in the Ansible role. For more detailed instructions and information, refer to the inline comments within the role files. Additional support and context for this role can be found in an [online chat discussion](https://chat.openai.com/share/fdbf9870-1f7e-491f-b4d2-357e6e8ad59c).
+

roles/docker-discourse/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: recreate discourse
+  command:
+    cmd: ./launcher rebuild app
+    chdir: "{{docker_compose_instance_directory}}"

roles/docker-discourse/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: "include docker-compose-common.yml"
+  include_tasks: docker-compose-common.yml
+
+- name: "include tasks nginx-docker-proxy-domain.yml"
+  include_tasks: nginx-docker-proxy-domain.yml
+  loop: "{{ domains }}"
+  loop_control:
+    loop_var: domain
+
+- name: "create {{docker_compose_instance_directory}}"
+  file:
+    path: "{{docker_compose_instance_directory}}"
+    state: directory
+    mode: 0755
+
+- name: register directory
+  stat:
+    path: "{{docker_compose_instance_directory}}"
+  register: docker_compose_instance_directory_register
+
+- name: checkout repository 
+  ansible.builtin.shell: git checkout .
+  become: true
+  args:
+    chdir: "{{docker_compose_instance_directory}}"
+  when: docker_compose_instance_directory_register.stat.exists
+
+- name: pull docker repository
+  git:
+    repo: "https://github.com/discourse/discourse_docker.git"
+    dest: "{{docker_compose_instance_directory}}"
+    update: yes
+  notify: recreate discourse
+  become: true
+  register: git_result
+  ignore_errors: true
+
+- name: Warn if repo is not reachable
+  debug:
+    msg: "Warning: Repository is not reachable."
+  when: git_result.failed
+
+- name: set chmod 700 for {{docker_compose_instance_directory}}containers
+  ansible.builtin.file:
+    path: "{{docker_compose_instance_directory}}/containers"
+    mode: '700'
+    state: directory
+
+- name: "copy configuration to {{docker_compose_instance_directory}}containers/app.yml"
+  template: 
+    src: app.yml.j2
+    dest: "{{docker_compose_instance_directory}}containers/app.yml"
+  notify: recreate discourse

roles/docker-discourse/templates/app.yml.j2

@@ -0,0 +1,125 @@
+## this is the all-in-one, standalone Discourse Docker container template
+##
+## After making changes to this file, you MUST rebuild
+## /var/discourse/launcher rebuild app
+##
+## BE *VERY* CAREFUL WHEN EDITING!
+## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
+## visit http://www.yamllint.com/ to validate this file as needed
+
+templates:
+  - "templates/postgres.template.yml"
+  - "templates/redis.template.yml"
+  - "templates/web.template.yml"
+  ## Uncomment the next line to enable the IPv6 listener
+  #- "templates/web.ipv6.template.yml"
+  - "templates/web.ratelimited.template.yml"
+  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
+  #- "templates/web.ssl.template.yml"
+  #- "templates/web.letsencrypt.ssl.template.yml"
+
+## which TCP/IP ports should this container expose?
+## If you want Discourse to share a port with another webserver like Apache or nginx,
+## see https://meta.discourse.org/t/17247 for details
+expose:
+  - "127.0.0.1:{{http_port}}:80"   # http
+  #- "443:443" # https
+
+params:
+  db_default_text_search_config: "pg_catalog.english"
+
+  ## Set db_shared_buffers to a max of 25% of the total memory.
+  ## will be set automatically by bootstrap based on detected RAM, or you can override
+  db_shared_buffers: "4096MB"
+
+  ## can improve sorting performance, but adds memory usage per-connection
+  #db_work_mem: "40MB"
+
+  ## Which Git revision should this container use? (default: tests-passed)
+  #version: tests-passed
+
+env:
+  LC_ALL: en_US.UTF-8
+  LANG: en_US.UTF-8
+  LANGUAGE: en_US.UTF-8
+  # DISCOURSE_DEFAULT_LOCALE: en
+
+  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
+  ## will be set automatically by bootstrap based on detected CPUs, or you can override
+  UNICORN_WORKERS: 8
+
+  ## TODO: The domain name this Discourse instance will respond to
+  ## Required. Discourse will not work with a bare IP number.
+  DISCOURSE_HOSTNAME: {{domain}}
+
+  ## Uncomment if you want the container to be started with the same
+  ## hostname (-h option) as specified above (default "$hostname-$config")
+  #DOCKER_USE_HOSTNAME: true
+
+  ## TODO: List of comma delimited emails that will be made admin and developer
+  ## on initial signup example 'user1@example.com,user2@example.com'
+  DISCOURSE_DEVELOPER_EMAILS:       {{administrator_email}}
+
+  ## TODO: The SMTP mail server used to validate new accounts and send notifications
+  # SMTP ADDRESS, username, and password are required
+  # WARNING the char '#' in SMTP password can cause problems!
+  DISCOURSE_SMTP_ADDRESS:           {{ system_email_host }}
+  DISCOURSE_SMTP_PORT:              {{ system_email_smtp_port }}
+  DISCOURSE_SMTP_USER_NAME:         {{ system_email }}
+  DISCOURSE_SMTP_PASSWORD:          {{ system_email_password }}
+  DISCOURSE_SMTP_ENABLE_START_TLS:  {{ system_email_start_tls | upper }}
+  DISCOURSE_SMTP_DOMAIN:            {{ system_email_domain }}
+  DISCOURSE_NOTIFICATION_EMAIL:     {{ system_email }}
+
+{% if enable_central_database | bool %}
+  # Database Configuration
+  DISCOURSE_DB_USERNAME: {{ database_username }}
+  DISCOURSE_DB_PASSWORD: {{ database_password }}
+  DISCOURSE_DB_HOST:     {{ database_host }}
+  DISCOURSE_DB_NAME:     {{ database_databasename }}
+{% if enable_central_database | bool %}
+
+  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
+  #LETSENCRYPT_ACCOUNT_EMAIL: administrator@veen.world
+
+  ## The http or https CDN address for this Discourse instance (configured to pull)
+  ## see https://meta.discourse.org/t/14857 for details
+  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com
+  
+  ## The maxmind geolocation IP address key for IP address lookup
+  ## see https://meta.discourse.org/t/-/137387/23 for details
+  #DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
+
+## The Docker container is stateless; all data is stored in /shared
+volumes:
+  - volume:
+      host: discourse_data
+      guest: /shared
+  - volume:
+      host: /var/discourse/shared/standalone/log/var-log
+      guest: /var/log
+
+## Plugins go here
+## see https://meta.discourse.org/t/19157 for details
+hooks:
+  after_code:
+    - exec:
+        cd: $home/plugins
+        cmd:
+          - git clone https://github.com/discourse/docker_manager.git
+          - git clone https://github.com/discourse/discourse-activity-pub.git
+          - git clone https://github.com/discourse/discourse-calendar.git
+          - git clone https://github.com/discourse/discourse-akismet.git
+          - git clone https://github.com/discourse/discourse-cakeday.git
+          - git clone https://github.com/discourse/discourse-solved.git
+          - git clone https://github.com/discourse/discourse-voting.git
+          - git clone https://github.com/discourse/discourse-oauth2-basic.git
+          - git clone https://github.com/discourse/discourse-openid-connect.git
+
+## Any custom commands to run after building
+run:
+  - exec: echo "Beginning of custom commands"
+  ## If you want to set the 'From' email address for your first registration, uncomment and change:
+  ## After getting the first signup email, re-comment the line. It only needs to run once.
+  #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
+  - exec: echo "End of custom commands"