Details:
- Added pkgmgr update task directly in pkgmgr role (pkgmgr pull --all)
- Removed deprecated update-pkgmgr role and references
- Removed deprecated update-pip role and references
- Simplified update-compose by dropping update-pkgmgr include
https://chatgpt.com/share/68bbeff1-27a0-800f-bef3-03ab597595fd
Details:
- Removed upgrade_listmonk() function and related calls from update-docker script
- Added dedicated Ansible task in web-app-listmonk role to run non-interactive DB/schema upgrade
- Conditional execution via MODE_UPDATE
Ref: https://chatgpt.com/share/68bbeff1-27a0-800f-bef3-03ab597595fd
- Switch to split containers (markoshust/magento-php:8.2-fpm + magento-nginx:latest)
- Disable central DB; use app-local MariaDB and pin to 11.4
- Composer bootstrap of Magento in php container (Adobe repo keys), idempotent via creates
- Make setup:install idempotent; run as container user 'app'
- Wire OpenSearch (security disabled) and depends_on ordering
- Add credentials schema (adobe_public_key/adobe_private_key)
- Update vars for php/nginx/search containers + MAGENTO_USER
- Remove legacy docs (Administration.md, Upgrade.md)
Context: changes derived from our ChatGPT session about getting Magento 2.4.8 running with MariaDB 11.4.
Conversation: https://chatgpt.com/share/68b8dc30-361c-800f-aa69-88df514cb160
- Unified Jinja2 variable spacing in tasks and templates
- Introduced database_image and database_version variables in vars/database.yml
- Updated mariadb.yml.j2 and postgres.yml.j2 to use {{ database_image }}:{{ database_version }}
- Ensured env file paths and includes are consistent
- Prepared support for versioned database images (needed for Magento deployment)
Ref: https://chatgpt.com/share/68b96a9d-c100-800f-856f-cd23d1eda2ed
- Add `server.config_upstream_url` default in `roles/web-app-bluesky/config/main.yml`
to define upstream for /config (defaults to https://ip.bsky.app/config).
- Introduce front-proxy injection `extra_locations.conf.j2` that:
- proxies `/config` to the upstream,
- sets SNI and correct Host header,
- normalizes CORS headers for same-origin consumption.
- Wire the proxy injection only for the Web domain in
`roles/web-app-bluesky/tasks/main.yml` via `proxy_extra_configuration`.
- Force fresh social-app checkout and patch
`src/state/geolocation.tsx` to `const BAPP_CONFIG_URL = '/config'`
in `roles/web-app-bluesky/tasks/02_social_app.yml`; notify `docker compose build` and `up`.
- Tidy and re-group PDS env in `roles/web-app-bluesky/templates/env.j2` (no functional change).
- Add vars in `roles/web-app-bluesky/vars/main.yml`:
- `BLUESKY_FRONT_PROXY_CONTENT` (renders the extra locations),
- `BLUESKY_CONFIG_UPSTREAM_URL` (reads `server.config_upstream_url`).
Security/Scope:
- Only affects the Bluesky web frontend (same-origin `/config`); PDS/API and AppView remain unchanged.
Refs:
- Conversation: https://chatgpt.com/share/68b8dd3a-2100-800f-959e-1495f6320aab
• Add roles/web-app-chess/files/Dockerfile using build ARGs (CHESS_VERSION, CHESS_REPO_URL, CHESS_REPO_REF, CHESS_ENTRYPOINT_REL, CHESS_ENTRYPOINT_INT, CHESS_APP_DATA_DIR, CONTAINER_PORT). Enable Corepack/Yarn as root in the runtime stage to avoid EACCES on /usr/local/bin symlinks, then drop privileges to 'node'.
• Delete Jinja-based templates/Dockerfile.j2; docker-compose now passes former Jinja vars via build.args. • Update templates/docker-compose.yml.j2 to forward all required build args. • Update config/main.yml: add CSP flag 'script-src-elem: unsafe-inline'.
Ref: https://chatgpt.com/share/68b88d3d-3bd8-800f-9723-e8df0cdc37e2
Build: use Yarn 4 via Corepack; immutable install with inline builds.
Runtime: enable Corepack as user 'node', use project-local cache (/app/.yarn/cache), add curl; fix ownership.
Entrypoint: generate keys in correct dir; run 'yarn install --immutable --inline-builds' before migrations; wait for Postgres.
Config: enable matomo/css/desktop; notify 'docker compose build' on entrypoint changes.
Docs: rename README title to 'Chess'.
Ref: ChatGPT conversation (2025-09-03) — https://chatgpt.com/share/68b88126-7a6c-800f-acae-ae61ed577f46
- Move entrypoint to files/ and deploy via copy
- Parameterize APP_KEY_FILE, data dir, and entrypoint paths
- Require explicit PORT/PG envs (remove fallbacks)
- Drop stray header from config/main.yml
- Dockerfile: use templated data dir & entrypoint; keep node user
- Compose: set custom image, adjust volume mapping
- env: derive APP_SCHEME from WEB_PROTOCOL; NODE_ENV from ENVIRONMENT
- tasks: add 01_core and simplify main to include it
Ref: https://chatgpt.com/share/68b851c5-4dd8-800f-8e9e-22b985597b8f
Add base include to oletools service so it inherits env_file (LD_PRELOAD=/usr/lib/libhardened_malloc.so) and other defaults. Fixes crash: PermissionError: '/proc/cpuinfo' during hardened_malloc compatibility probe when LD_PRELOAD was absent. Aligns oletools with other Mailu services.
Refs: ChatGPT discussion – https://chatgpt.com/share/68b837ba-c9cc-800f-b5d9-62b60d6fafd9
- script.py now resolves docker-compose project and working_dir strictly from container labels
- removed container-name fallback logic
- adjusted sys-ctl-hlth-docker-container to include sys-ctl-rpr-docker-soft
- cleaned up sys-svc-docker dependencies
- updated unit tests to mock docker inspect and os.path.isfile for STRICT mode
Conversation: https://chatgpt.com/share/68b80927-b800-800f-a909-0fe8d110fd0e
- Fix BookWyrm email SSL/TLS handling (use ternary without 'not' for clarity)
- Add truststore_enabled flag in Confluence config and vars
- Wire JVM_SUPPORT_RECOMMENDED_ARGS to disable UPM signature check if truststore is disabled
- Add placeholder style.css.j2 for Confluence
See conversation: https://chatgpt.com/share/68b80024-7100-800f-a2fe-ba8b9f5cec05
- Added network subnet (192.168.103.192/28) and port 8050 for web-app-chess
- Replaced stub README with usability-focused description of castling.club
- Implemented config, vars, meta, and tasks for web-app-chess
- Added Dockerfile, docker-compose.yml, env, and docker-entrypoint.sh templates
- Integrated entrypoint asset placement
- Updated meta to reflect usability and software features
Ref: https://chatgpt.com/share/68b6c65a-3de8-800f-86b2-a110920cd50e
Confluence: README added; demo disables OIDC/LDAP; Dockerfile overlay; docker-compose now uses CONFLUENCE_CUSTOM_IMAGE and DB depends include; env.j2 adds ATL_* and JVM_*; vars use integer math (//) for Xmx/Xms and expose CUSTOM_IMAGE.
Jira: initial role skeleton with README, config/meta/tasks; Dockerfile overlay; docker-compose using JIRA_CUSTOM_IMAGE and DB depends include; env.j2 with proxy + JVM envs; vars with integer-safe memory sizing.
Context: https://chatgpt.com/share/68b6b592-2250-800f-b68e-b37ae98dbe70
- Store pull lock under ${PATH_DOCKER_COMPOSE_PULL_LOCK_DIR}/<hash>.lock so global cleanup removes it reliably
- If any service defines `build:`, run `docker compose build --pull` before pulling
- Use `docker compose pull --ignore-buildable` when supported; otherwise tolerate pull failures for locally built images
This prevents failures when images are meant to be built locally (e.g., custom images) and ensures lock handling is consistent.
Ref: https://chatgpt.com/share/68b6b592-2250-800f-b68e-b37ae98dbe70
Removed obsolete handlers from roles (VirtualBox, backup-to-USB, OpenLDAP)
and introduced an integration test under tests/integration/test_handlers_invoked.py
that ensures all handlers defined in roles/*/handlers are actually notified
somewhere in the code base. This keeps the repository clean by preventing
unused or forgotten handlers from accumulating.
Ref: https://chatgpt.com/share/68b6b28e-4388-800f-87d2-34dfb34b8d36
• Add tasks/01_core.yml to set applications[application_id].server.csp.whitelist['connect-src'] = LOGOUT_CONNECT_SRC_NEW.
• Switch tasks/main.yml to include 01_core.yml (run-once guard preserved).
• Update templates/env.j2 to emit LOGOUT_DOMAINS as a comma-separated list.
• Rework vars/main.yml: compute LOGOUT_DOMAINS, derive LOGOUT_ORIGINS with WEB_PROTOCOL, read connect-src via the get_app_conf filter, and merge/dedupe (unique).
Rationale: ensure CSP allows cross-domain logout requests for all configured services.
Conversation: https://chatgpt.com/share/68b5b07d-b208-800f-b6b2-f26934607c8a
- Add Host header to curl healthcheck when container_hostname is defined
- Use PRETIX_PRETIX_ALLOWED_HOSTS to fix Django 400 Bad Request during healthcheck
- Centralize PRETIX_HOSTNAME from container_hostname var
- Add Redis broker/result backend config for Celery
See: https://chatgpt.com/share/68b59c42-c0fc-800f-9bfb-f1137c59b3de
- Move run_once include from main.yml to 01_core.yml in desk-gnome-caffeine and desk-ssh
- Introduce sys-svc-cdn/01_core.yml to handle shared/vendor dirs once and role dirs per run
- Replace cdn.* with cdn_paths_all.* across inj roles
- Split cdn_dirs into cdn_dirs_role and CDN_DIRS_GLOBAL
- Ensure cdn_urls uses cdn_paths_all
Details: https://chatgpt.com/share/68b58d64-1e28-800f-8907-36926a9e9a9b
- Removed obsolete Installation.md, TODO.md, 02_debug.yml, 05_oidc.yml and legacy debug enable/disable tasks
- Added 01_prep.yml to render debug.php/oidc.php on host side before container start
- Introduced _ensure_require.yml for generic require_once management in LocalSettings.php
- Renamed 01_install.yml -> 02_install.yml to align with new numbering
- Updated docker-compose.yml.j2 to bind-mount mw-local into /opt/mw-local
- Adjusted vars/main.yml to define MEDIAWIKI_LOCAL_MOUNT_DIR and MEDIAWIKI_LOCAL_PATH
- Templates debug.php.j2 and oidc.php.j2 now gated by MODE_DEBUG and MEDIAWIKI_OIDC_ENABLED
- main.yml now orchestrates prep, install, debug, extensions, oidc require, admin consistently
Ref: https://chatgpt.com/share/68b57db2-efcc-800f-a733-aca952298437
Integration tests added/updated:
- tests/integration/test_filters_usage.py: AST-based detection of filter definitions (FilterModule.filters), robust Jinja detection ({{ ... }}, {% ... %}, {% filter ... %}), plus Python call tracking; fails if a filter is used only under tests/.
- tests/integration/test_filters_are_defined.py: inverse check — every filter used in .yml/.yaml/.j2/.jinja2/.tmpl must be defined locally. Scans only inside Jinja blocks and ignores pipes inside strings (e.g., lookup('pipe', "... | grep ... | awk ...")) to avoid false positives like trusted_hosts, woff/woff2, etc.
Bug fixes & robustness:
- Build regexes without %-string formatting to avoid ValueError from literal '%' in Jinja tags.
- Strip quoted strings in usage analysis so sed/grep/awk pipes are not miscounted as filters.
- Prevent self-matches in the defining file.
Cleanup / removal of dead code:
- Removed unused filter plugins and related unit tests:
* filter_plugins/alias_domains_map.py
* filter_plugins/get_application_id.py
* filter_plugins/load_configuration.py
* filter_plugins/safe.py
* filter_plugins/safe_join.py
* roles/svc-db-openldap/filter_plugins/build_ldap_nested_group_entries.py
* roles/sys-ctl-bkp-docker-2-loc/filter_plugins/dict_to_cli_args.py
* corresponding tests under tests/unit/*
- roles/svc-db-postgres/filter_plugins/split_postgres_connections.py: dropped no-longer-needed list_postgres_roles API; adjusted tests.
Misc:
- sys-stk-front-proxy/defaults/main.yml: clarified valid vhost_flavour values (comma-separated).
Ref: https://chatgpt.com/share/68b56bac-c4f8-800f-aeef-6708dbb44199
Changed safe_join to raise ValueError if base or tail is None instead of returning 'None/path'.
Adjusted unit tests accordingly to expect exceptions for None inputs and kept empty-string handling valid.
Ref: https://chatgpt.com/share/68b55850-e854-800f-9702-09ea956b8dc4
- Move default 'unsafe-inline' for style-src and style-src-elem into get_csp_flags
- Ensure hashes are only added if 'unsafe-inline' not in final tokens
- Improve comments and structure
- Extend unit tests to cover default flags, overrides, and final-token logic
See: https://chatgpt.com/share/68b54520-5cfc-800f-9bac-45093740df78
- Support query elements starting with '?' or '&'
* First query element normalized to '?', subsequent to '&'
* Each query element must be exactly one 'key=value' pair
* Query elements may only appear after path elements
* Once query starts, no more path elements are allowed
- Extend test suite with success and failure cases for query handling
See: https://chatgpt.com/share/68b537ea-d198-800f-927a-940c4de832f2
Improved url_join filter:
- Requires first element to contain a valid '<scheme>://'
- Raises specific errors for None, empty list, wrong type, missing scheme,
extra schemes in later parts, or string conversion failures
- Provides clearer error messages with index context in parts
See: https://chatgpt.com/share/68b537ea-d198-800f-927a-940c4de832f2
• Removed hardcoded container_port/container_healthcheck from docker-compose.yml.j2
• Added container_port=8080 and container_healthcheck to vars/main.yml
• Rationale: current image listens on 8080; centralizes settings in vars
Ref: https://chatgpt.com/share/68b4a69d-e4b0-800f-a4f8-6c8e4fc55ee4
Introduced a new Ansible role for deploying Atlassian Confluence within the Infinito.Nexus ecosystem.
The role follows the same structure as web-app-pretix and includes:
- : Core variables, database config, OIDC integration.
- : Docker service definitions, features (Matomo, CSS, OIDC, logout, central DB).
- : Loads docker, db and proxy stack.
- : Placeholder for schema definitions.
- :
- (base for OIDC plugins/extensions),
- (service orchestration),
- (environment configuration).
- : Metadata, license, company, logo (Font Awesome book-open icon).
Canonical domain is set to `confluence.{{ PRIMARY_DOMAIN }}`.
This role ensures Confluence integrates seamlessly with Keycloak OIDC and the Infinito.Nexus service stack.
Conversation: https://chatgpt.com/share/68b1d006-bbd4-800f-9d2e-9c8a8af2c00f
Summary:
- Replace draft with complete README (features, resources, credits).
- Remove obsolete Todo.md.
- Switch to custom image tag (PRETIX_IMAGE_CUSTOM) and install 'pretix-oidc' in Dockerfile.
- Drop unused 'config' volume; keep persistent 'data' only.
- Rename docker-compose service from 'application' to 'pretix' and use container_port.
- Use standard depends_on include for DB/Redis (dmbs_excl).
- Align vars to docker.services.pretix.* (image/version/name); add PRETIX_IMAGE_CUSTOM.
Breaking:
- Service key changed to 'pretix' under docker.services.
- 'config' volume removed from compose.
Status:
- Pretix role is now fully implemented and production-ready.
Reference:
- Conversation: https://chatgpt.com/share/68b1cb34-b7dc-800f-8b39-c183124972f2
- Updated filter to handle dict (domain map), list (flattened domains), or single str inputs.
- Prevents duplicate 'www.' prefixes by checking prefix before adding.
- Adjusted unit tests:
* Replaced old non-dict test with invalid type tests (int, None).
* Added explicit tests for list and string input types.
See conversation: https://chatgpt.com/share/68b1ae9a-1ac0-800f-b49d-2915386a1a23
- Added new filter plugin 'timeout_start_sec_for_domains' to calculate TimeoutStartSec based on number of domains.
- Updated sys-ctl-hlth-csp and sys-ctl-hlth-webserver tasks to use the filter.
- Removed obsolete systemctl.service.j2 in sys-ctl-hlth-csp.
- Adjusted variable naming (CURRENT_PLAY_DOMAINS_ALL etc.) in multiple roles.
- Updated srv-letsencrypt and sys-svc-certs to use uppercase vars.
- Switched pretix role to sys-stk-full-stateful and removed leftover javascript.js.
- Added unittests for the new filter under tests/unit/filter_plugins.
See conversation: https://chatgpt.com/share/68b1ae9a-1ac0-800f-b49d-2915386a1a23
- Renamed role `srv-tls-core` → `sys-svc-certs`
- Renamed role `srv-https-stack` → `sys-stk-front-pure`
- Renamed role `sys-stk-front` → `sys-stk-front-proxy`
- Updated all includes, READMEs, meta, and dependent roles accordingly
This improves clarity and consistency of naming conventions for certificate management and proxy orchestration.
See: https://chatgpt.com/share/68b19f2c-22b0-800f-ba9b-3f2c8fd427b0
- Added oidc feature flag in config
- Removed obsolete credentials schema (initial_root_password)
- Updated docker-compose.yml.j2 to use explicit GITLAB_* vars (image, version, container, volumes)
- Moved initial_root_password into vars/main.yml
- Introduced GITLAB_OMNIBUS_BASE and GITLAB_OMNIBUS_OIDC config lists
- Switched env.j2 to use GITLAB_OMNIBUS_ALL join
See conversation: https://chatgpt.com/share/68b1962c-3ee0-800f-a858-d4590ff6132a
Discussion: https://chatgpt.com/share/68b10c0a-c308-800f-93ac-2ffb386cf58b
- Split tasks into 01_install, 02_debug, 03_admin, 04_extensions, 05_oidc.
- Ensure unzip+git+composer on demand in the container; run Composer as www-data with COMPOSER_HOME=/tmp/composer.
- Idempotently unpack/install PluggableAuth & OpenIDConnect; run composer install only if vendor/ is missing.
- Add sanity check for Jumbojett\OpenIDConnectClient.
- Copy oidc.php only when changed and append a single require_once to LocalSettings.php.
- Use REL1_44-compatible numeric array for $wgPluggableAuth_Config; set $wgPluggableAuth_ButtonLabelMessage.
- Debug: add debug.php that logs to STDERR (visible via docker logs); toggle cleanly with MODE_DEBUG.
- Enable OIDC feature in config; add paths/OIDC/extension vars in vars/main.yml.
fix(services): include SYS_SERVICE_GROUP_CLEANUP in StartPre lock (ssd-hdd, docker-hard).
fix(desktop/joomla): simplify MODE_DEBUG templating.
chore: minor cleanups and renames.
Tasks:
- Enable docker_compose_flush_handlers=true so services come up immediately.
- Add DB readiness guard via maintenance/sql.php (SELECT 1).
- Run maintenance/install.php on empty schema with robust changed_when/failed_when (merge stdout+stderr); keep secrets hidden.
- Run maintenance/update.php for migrations with neutral changed_when unless work is done.
- Make admin creation idempotent: tolerate 'already exists' and 'Account exists', keep async+no_log.
Config changes:
- Remove LocalSettings.php template and its host bind-mount from compose.
- Drop MediaWiki settings path variables and META namespace variable (unused after switch).
Result: First boot is fully automated (schema + admin), subsequent runs are cleanly idempotent.
Ref: ChatGPT conversation (Aug 28, 2025, Europe/Berlin) — https://chatgpt.com/share/68b0d2e1-9bc0-800f-81a5-db03ce0b81e3.
- Removed outdated Installation.md (manual plugin instructions no longer needed)
- Added schema/main.yml with validation for secret_pin
- Added config.php.j2 template to manage DB + admin config
- Refactored tasks/main.yml to deploy config.php instead of legacy docker-compose
- Removed setup-domain.yml (TLS/domain handling moved to core roles)
- Updated docker-compose.yml.j2 to mount config.php and use new vars
- Cleaned up vars/main.yml: standardized MYBB_* variable names, added MYBB_SECRET_PIN, config paths, and container port
See ChatGPT conversation: https://chatgpt.com/share/68b0ae26-93ec-800f-8785-0da7c9303090
- Converted group_vars/all/13_ldap.yml from lower-case to ALL-CAPS nested keys.
- Updated all roles, tasks, templates, and filter_plugins to reference LDAP.* instead of ldap.*.
- Fixed Keycloak JSON templates to properly quote Jinja variables.
- Adjusted svc-db-openldap filter plugins and unit tests to handle new LDAP structure.
- Updated integration test to only check uniqueness of TOP-LEVEL ALL-CAPS constants, ignoring nested keys.
See: https://chatgpt.com/share/68b01017-efe0-800f-a508-7d7e2f1c8c8d
- Allow kc_object_kind='realm'
- Map endpoint to 'realms' and default lookup_field to 'id'
- Use realm-specific kcadm GET/UPDATE (no -r flag)
- Preserve immutables: id, realm
- Guard query-based ID resolution to non-realm objects
Context: fixing failure in 'Update REALM mail settings' task.
See: https://chatgpt.com/share/68affdb8-3d28-800f-8480-aa6a74000bf8
Add roles/web-app-taiga/tasks/01_administrator.yml to handle admin creation via 'createsuperuser' and, on failure, an upsert fallback using 'manage.py shell'. Ensures email, is_staff, is_superuser, is_active are set and password is updated when needed; emits CHANGED marker for idempotence.
Update roles/web-app-taiga/tasks/main.yml to include the new 01_administrator.yml task file, removing the inline admin logic for better separation of concerns.
Uses taiga-manage helper service and composes docker-compose.yml with docker-compose-inits.yml to inherit env/networks/volumes consistently.
Chat reference: https://chatgpt.com/share/68af7637-225c-800f-b670-2b948f5dea54
- Introduced dedicated variables in vars/main.yml:
* TAIGA_FLAVOR_TAIGAIO
* TAIGA_TAIGAIO_ENABLED
- Replaced inline Jinja2 get_app_conf checks with TAIGA_TAIGAIO_ENABLED for
consistency in tasks, docker-compose template and env file.
- Adjusted env.j2 to use TAIGA_TAIGAIO_ENABLED instead of direct flavor checks.
- Enabled css by default (true instead of false).
- Cleaned up spacing/indentation in config and env.
This improves readability, reduces duplicated logic, and makes it easier to
maintain both OIDC flavors (robrotheram, taigaio).
Conversation: https://chatgpt.com/share/68af65b3-27c0-800f-964f-ff4f2d96ff5d
- Introduce WEBSOCKET_PROTOCOL derived from WEB_PROTOCOL (wss if https, else ws).
- Replace hardcoded websocket URLs in EspoCRM, Nextcloud and Taiga with {{ WEBSOCKET_PROTOCOL }}.
- Fix mautrix-imessage to use ws:// for internal synapse:8008.
- Standardize Pixelfed OIDC env spacing.
- Refactor Taiga variables to TAIGA_* naming convention and clean up EMAIL_BACKEND definition.
See: https://chatgpt.com/share/68af62fa-4dcc-800f-9aaf-cff746daab1e
- Move image definition from images.joomla to docker.services.joomla
- Add container name, container_port variable, and healthcheck
- Introduce JOOMLA_IMAGE, JOOMLA_VERSION, JOOMLA_CONTAINER, JOOMLA_VOLUME in vars
- Use volume mapping via docker.volumes.data
See: https://chatgpt.com/share/68af55a9-6514-800f-b6f7-1dc86356936e
- Extend certbundle task to ignore 'The service is down for maintenance or had an internal error'
as a fatal failure.
- Add debug/warning output when this error occurs, so playbook does not stop but logs the issue.
- Ensure changed_when does not mark run as changed if only maintenance error was hit.
Ref: https://chatgpt.com/share/68af4e15-24cc-800f-b1dd-6a5f2380e35a
- Removed COPY of msmtp configuration from Dockerfile to avoid baking secrets/config into the image
- Added volume mount for host-side msmtp config ({{ WORDPRESS_HOST_MSMTP_CONF }}) in docker-compose.yml
- Keeps PHP upload.ini handling inside the image, but externalizes sensitive mail configuration
- Increases flexibility and avoids rebuilds when msmtp config changes
Ref: https://chatgpt.com/share/68af3c51-0544-800f-b76f-b2660c43addb
- Replaced all lowercase wordpress_* variables with uppercase WORDPRESS_* equivalents
- Ensured consistency across tasks, templates, and vars
- Improves readability and aligns with naming conventions
Conversation: https://chatgpt.com/share/68af29b5-8e7c-800f-bd12-48cc5956311c
- Fixed incorrect filter usage in docker-compose handler (proper use of | path_join).
- Improved LetsEncrypt template by joining paths with filenames instead of appending manually.
- Enhanced sys-svc-msmtp task with an additional condition to only run if no-reply mailu_token exists.
- Updated Keycloak meta to depend on Mailu (ensuring token generation before setup).
- Refactored Keycloak import path variables to use path_join consistently.
- Adjusted Mailu meta dependency to run after Matomo instead of Keycloak.
See: https://chatgpt.com/share/68af13e6-edc0-800f-b76a-a5f427837173
- Improved CSP filter to properly include web-svc-cdn and use protocol-aware domains
- Added Todo.md with redis and OIDC notes
- Enhanced Akaunting role config with CSP flags and redis option
- Updated schema to include app_key validation
- Reworked tasks to handle first-run marker logic cleanly
- Fixed docker-compose template (marker, healthcheck, setup flag)
- Expanded env.j2 with cache, email, proxy, and redis options
- Added javascript.js.j2 template for SSO warning
- Introduced structured vars for Akaunting role
- Removed deprecated update-repository-with-files.yml task
See conversation: https://chatgpt.com/share/68af00df-2c74-800f-90b6-6ac5b29acdcb
- update cli/create/credentials.py to handle vault literals correctly:
* strip 'vault |' headers and keep only ANSIBLE_VAULT body
* skip reprocessing keys added in same run (no duplicate confirmation prompts)
* detect both 'vault' and 'ANSIBLE_VAULT' as already encrypted
Refs: https://chatgpt.com/share/68aed780-ad4c-800f-877d-aa4c40a47755
- Introduced a generic sso_warning.js.j2 template under
templates/roles/web-app/templates/javascripts/
- Included this template in web-app-baserow/templates/javascript.js.j2
- Added new variable js_application_name in
roles/web-app-baserow/vars/main.yml to make the warning
application-specific
- Implemented cookie-based logic so the warning is only shown once
per user (default: 365 days)
Reference: https://chatgpt.com/share/68aecdae-82d0-800f-b05e-f2cb680664f1
- Extended kc_force_attrs in tasks/main.yml to source 'publicClient',
'serviceAccountsEnabled' and 'frontchannelLogout' directly from
KEYCLOAK_DICTIONARY_REALM for consistency with import definitions.
- Updated default.json.j2 import template to set 'publicClient' to true.
- Public client mode is required so the frontend API of role 'web-app-desktop'
can handle login/logout flows without client secret.
Ref: https://chatgpt.com/share/68ae0060-4fac-800f-9f02-22592a4087d3
Replaced over-escaped '{{{{.Names}}}}' with proper '{{.Names}}'
in docker ps commands. This resolves 'failed to parse template:
unexpected "{" in command' errors during unhealthy/exited
container detection.
Reference: https://chatgpt.com/share/68addfd9-fa78-800f-abda-49161699e673
- Added detect_env_file() to both sys-ctl-rpr-docker-soft and sys-ctl-rpr-docker-hard
* prefer .env, fallback to .env/env
* append --env-file parameter automatically
- Refactored soft script to use compose_cmd() for consistent command building
- Adjusted error recovery path in soft script to also respect env-file
- Extended unit tests for soft script to cover env-file priority and restart commands
- Added new unit tests for hard script verifying env-file priority, cwd handling,
and --only filter logic
Ref: https://chatgpt.com/share/68ad7b30-7510-800f-8172-56f03a2f40f5
- extended generic systemctl template to support ExecStartPost
- health-docker-volumes: run main script with whitelist, trigger both compose alarm and cleanup on failure
- repair-docker-hard: added ExecStartPre lock, ExecStart, and ExecStartPost to trigger compose alarm always, plus cleanup on failure
- removed obsolete role-specific systemctl.service.j2 templates
- improved consistency across vars and defaults
See: https://chatgpt.com/share/68ad6cb8-c164-800f-96b6-a45c6c7779b3
- Render userObjectClasses via `tojson` (and trim) to avoid invalid control
characters and ensure valid realm import parsing.
- Introduce KEYCLOAK_LDAP_USER_OBJECT_CLASSES in vars; exclude `posixAccount`
for Keycloak’s LDAP config while keeping it for Ansible-managed UNIX users.
- Update UserStorageProvider template to use the new variable.
Rationale:
Keycloak must not require `posixAccount` on every LDAP user. We keep
`posixAccount` structural for Ansible provisioning, but filter it out for
Keycloak to prevent sync/import errors on entries without POSIX attributes.
Touched:
- roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
- roles/web-app-keycloak/vars/main.yml
Refs: conversation https://chatgpt.com/share/68aa1ef0-3658-800f-bdf4-5b57131d03b4
- Replace `ESPOCRM_NAME` with `ESPOCRM_CONTAINER` for clarity and consistency.
- Drop unused `ESPOCRM_CONFIG_FILE_PUBLIC`, rely only on `config-internal.php`.
- Make DB credential patching idempotent using `grep` + `sed` checks.
- Replace direct sed edits for maintenance/cron/cache with EspoCRM ConfigWriter.
- Add fallback execution as root if www-data user cannot write config.
- Clear EspoCRM cache only when config changes and in update mode.
- Remove obsolete OIDC scopes inline task (now handled via env/vars).
- Fix docker-compose template to use `ESPOCRM_CONTAINER`.
This refactor makes the EspoCRM role more robust, idempotent, and aligned
with EspoCRM’s official ConfigWriter mechanism.
See conversation: https://chatgpt.com/share/68a87820-12f8-800f-90d6-01ba97a1b279
- Removed unused soft restart function and switched to argparse-based CLI.
- Added --only argument to selectively restart subdirectories.
- Updated systemctl service template to pass PATH_DOCKER_COMPOSE_INSTANCES as argument.
- Ensures service unit correctly invokes the Python script with target path.
See conversation: https://chatgpt.com/share/68a771d9-5fd8-800f-a410-08132699cc3a
- Added '| sort' to all service group lists and backup routine lists to ensure
deterministic ordering and stable checksums across Ansible runs.
- Adjusted systemctl templates to use a single service variable
('SYS_SERVICE_BACKUP_RMT_2_LOC') instead of rejecting dynamic list entries,
making the ignore logic simpler and more predictable.
- Fixed minor whitespace inconsistencies in Jinja templates to avoid
unnecessary changes.
This change was made to prevent spurious 'changed' states in Ansible caused by
non-deterministic list order and to reduce complexity in service definitions.
See discussion: https://chatgpt.com/share/68a74c20-6300-800f-a44e-da43ae2f3dea
- sys-service:
- Set explicit ownership and permissions for generated unit files:
owner=root, group=root, mode=0644. Prevents drift and makes idempotence
predictable when handlers reload/refresh systemd.
- web-svc-collabora:
- Move cmp-docker-proxy include into tasks/01_core.yml and run it
before Nginx config generation. Use public: true only to initialize the
proxy/compose context and docker_compose_flush_handlers: true to ensure
timely handler execution.
- Define role-local variables domain and http_port in vars/main.yml
and use {{ domain }} for the Nginx server file path. These values MUST
be defined locally because they cannot be reliably imported via
public: true — other roles may override them later in the play, leading
to leakage and nondeterministic behavior. Localizing avoids precedence
conflicts without resorting to host-wide set_fact.
- CSP adjusted: add server.security.flags.style-src.unsafe-inline: true
to accommodate Collabora’s inline styles (requested as “csr” in notes).
- Minor variable alignment/cleanup and TODO note for future refactor.
- Housekeeping:
- Rename task title to reflect {{ domain }} usage.
Refs:
- Discussion and rationale in this chat https://chatgpt.com/share/68a731aa-d394-800f-9eb4-2499f45ed54b (2025-08-21, Europe/Berlin).
Introduced custom filter plugin to render optional systemd directives, refactored template to loop over directives, and adjusted default vars (TimeoutStartSec, RuntimeMaxSec handling).
Details: see ChatGPT conversation
https://chatgpt.com/share/68a5a730-6344-800f-b9a3-dc62d5902e9b
- Introduced a new handler 'docker compose pull' that runs only once per
{{ docker_compose.directories.instance }} directory by using a lock
file under /run/ansible/compose-pull.
- Ensures idempotency by marking the task as changed only when a pull
was actually executed.
- Restricted execution with 'when: MODE_UPDATE | bool'.
- Improves update workflow by avoiding redundant docker pulls during
the same Ansible run.
Reference: ChatGPT discussion
https://chatgpt.com/share/68a55151-959c-800f-8b70-160ffe43e776
This test scans all roles for tasks including:
- include_role:
name: sys-service
If present, the role must define a non-empty 'system_service_id' in vars/main.yml.
Helps enforce consistency and prevent misconfiguration.
Ref: https://chatgpt.com/share/68a536e5-c384-800f-937a-f9d91249950c
- Added missing 'Iterable' import in 'canonical_domains_map' to avoid NameError.
- Introduced 'seed' parameter so the filter can start traversal from current play apps
while still emitting canonical domains for discovered dependencies (e.g. web-svc-collabora).
- Updated 01_constructor.yml to pass full 'applications' and a clean 'seed' list
(using dict2items → key) instead of '.keys()' method calls, fixing integration
test error: 'reference to application keys is invalid'.
This resolves issues where collabora domains were missing and integration tests failed.
Ref: https://chatgpt.com/share/68a51f9b-3924-800f-a41b-803d8dd10397
- Introduced module_utils/role_dependency_resolver.py with full support for include_role, import_role, meta dependencies, and run_after.
- Refactored cli/build/tree.py to use RoleDependencyResolver (added toggles for include/import/dependencies/run_after).
- Extended filter_plugins/canonical_domains_map.py with optional 'recursive' mode (ignores run_after by design).
- Updated roles/web-app-nextcloud to properly include Collabora dependency.
- Added comprehensive unittests under tests/unit/module_utils for RoleDependencyResolver.
Ref: https://chatgpt.com/share/68a519c8-8e54-800f-83c0-be38546620d9
Use `systemd-escape --unescape` to restore human-readable unit identifiers in
Telegram and Email alerts. Also ensure Telegram messages are URL-encoded and
Email status checks try both raw and escaped forms for robustness.
Fixes issue where slashes were shown as dashes in notifications.
Context: see ChatGPT conversation
https://chatgpt.com/share/68a4c171-db08-800f-8399-7e07f237a441
- Improved get_service_name filter plugin (clearer suffix handling, consistent var names).
- Added MODE_ASSERT flag to optionally execute validation/assertion tasks.
- Fixed systemd unit handling: consistent use of %I instead of %i, correct escaping of instance names.
- Unified on_failure behavior and alarm composer scripts.
- Cleaned up redundant logging, handlers, and debug config.
- Strengthened sys-service template resolution with assert (only active when MODE_ASSERT).
- Simplified timer and suffix handling with get_service_name filter.
- Hardened sensitive tasks with no_log.
- Added conditional asserts across roles (Keycloak, DNS, Mailu, Discourse, etc.).
These changes improve consistency, safety, and validation across the automation stack.
Conversation: https://chatgpt.com/share/68a4ae28-483c-800f-b2f7-f64c7124c274
- Added logic to scan each role’s tasks/*.yml files for include_role usage
- Supports:
* loop/with_items with literal strings → adds each role
* patterns with variables inside literals (e.g. svc-db-{{database_type}}) → expanded to glob and matched
* pure variable-only names ({{var}}) → ignored
* pure literal names → added directly
- Merges discovered dependencies under graphs["dependencies"]["include_role"]
- Added dedicated unit test covering looped includes, glob patterns, pure literals, and ignoring pure variables
See ChatGPT conversation (https://chatgpt.com/share/68a4ace0-7268-800f-bd32-b475c5c9ba1d) for context.
- Swap role includes: sys-systemctl → sys-service in all roles
- Rename variables everywhere: systemctl_* → system_service_* (incl. systemctl_id → system_service_id)
- Templates: ExecStart now uses {{ system_service_script_exec }}; add optional RuntimeMaxSec via SYS_SERVICE_DEFAULT_RUNTIME
- Move SYS_SERVICE defaults into roles/sys-service/defaults (remove SYS_SERVICE_ALL_ENABLED & SYS_SERVICE_DEFAULT_STATE from group_vars/07_services.yml)
- Tidy group_vars/all/08_timer.yml formatting
- Introduce roles/sys-daemon:
- default manager timeouts (timeouts.conf)
- optional purge of /etc/systemd/system.conf.d
- validation via systemd-analyze verify
- handlers for daemon-reload & daemon-reexec
- Refactor sys-timer to system_service_* variables (docs and templates updated)
- Move filter_plugins/filetype.py under sys-service
- Update meta/README to point to official systemd docs
- Touch many roles (backup/cleanup/health/repair/certs/nginx/csp/wireguard/ssd-hdd/keyboard/update-docker/alarm compose/email/telegram/etc.) to new naming
BREAKING CHANGE:
- Role path/name change: use `sys-service` instead of `sys-systemctl`
- All `systemctl_*` vars are now `system_service_*` (e.g., on_calendar, state, timer_enabled, script_exec, id)
- If you have custom templates, adopt RuntimeMaxSec and new variable names
Chat context: https://chatgpt.com/share/68a47568-312c-800f-af3f-e98575446327
- Fixed bug where not both alarm services (email + telegram) were triggered.
- Removed direct OnFailure references for email and telegram,
now handled by unified compose service.
- Introduced 01_core.yml in sys-ctl-alm-compose to structure
role execution (subservices → core service → test run).
- Added configurable variables SYSTEMCTL_ALARM_COMPOSER_SUBSERVICES
and SYSTEMCTL_ALARM_COMPOSER_DUMMY_MESSAGE.
- Replaced dedicated @.service template with generic systemctl template
using systemctl_tpl_* variables for flexibility.
- Updated script.sh.j2 to collect exit codes and print clear errors.
- Fixed typos and streamlined vars in sys-systemctl.
See conversation: https://chatgpt.com/share/68a46172-7c3c-800f-a69c-0cb9edd6839f
- update alarm compose unit to run email/telegram notifiers independently via multiple ExecStart lines
- ensure cleanup backup dependencies are included before timer setup with handler flush
conversation: https://chatgpt.com/share/68a43429-c0cc-800f-9cc9-9a5ae258dc50
- Introduce SYS_SERVICE_ALL_ENABLED and SYS_TIMER_ALL_ENABLED runtime flags
- Add SYS_SERVICE_DEFAULT_STATE for consistent default handling
- Ensure all on-failure service names use lowercase software_name
- Load sys-svc-cln-anon-volumes role during Docker cleanup
- Allow forced service refresh when SYS_SERVICE_ALL_ENABLED is true
- Replace ACTIVATE_ALL_TIMERS with SYS_TIMER_ALL_ENABLED
- Use SYS_SERVICE_DEFAULT_STATE in sys-systemctl vars
- Remove redundant MIG build job fail check
Related to service/timer process control refactoring.
- Updated filter_plugins/get_service_name.py:
* Default suffix handling: auto-select .service (no '@') or .timer (with '@')
* Explicit False disables suffix entirely
* Explicit string suffix still supported
- Updated sys-systemctl handler to use new filter instead of SYS_SERVICE_SUFFIX
- Extended unit tests to cover new suffix behavior
Ref: https://chat.openai.com/share/8c2de9e6-daa0-44dd-ae13-d7a7d8d8b6d9
Replaced all hardcoded service name concatenations with the new get_service_name filter.
This ensures consistency, proper lowercase formatting, and correct handling of '@' suffixed units.
Added unittests for the filter (normal, custom suffix, '@'-units, and lowercase normalization).
Context: see ChatGPT discussion https://chatgpt.com/share/68a38beb-b9bc-800f-b7ed-cdd2b64b2604
- Unified service templates into generic systemctl templates
- Introduced reusable filter plugins for script path handling
- Updated path variables and service/timer definitions
- Migrated roles (backup, cleanup, repair, etc.) to use systemctl role
- Added sys-daemon role for core systemd cleanup
- Simplified timer handling via sys-timer role
Note: This is a large refactor and some errors may still exist. Further testing and adjustments will be needed.
This commit restructures systemctl service definitions and category mappings.
Motivation: Alarm-related bugs revealed inconsistencies in service and role handling.
Preparation step: lays the groundwork for fixing the alarm issues by aligning categories, roles, and service templates.
This commit introduces a new Ansible filter plugin named
'get_category_entries', which returns all role names under the
roles/ directory that start with a given prefix.
Additionally, unit tests (unittest framework) have been added under
tests/unit/filterplugins/ to ensure correct behavior, including:
- Returns empty list when roles/ directory is missing
- Correctly filters and sorts by prefix
- Ignores non-directory entries
- Supports custom roles_path argument
- Returns all roles when prefix is empty
Reference: https://chatgpt.com/share/68a2f1ab-1fe8-800f-b22a-28c1c95802c2
- Standardized spacing in {{ docker_compose.directories.volumes }} across multiple roles
- Added async and poll support to sys-bkp-docker-2-loc database seeding and file permission tasks
- Moved Installation.md for web-app-matrix into docs/ for better structure
- Enabled central_database in Mailu config
- Improved API token creation task:
* use curl -f to fail on HTTP errors
* added explicit failed_when and changed_when conditions
- Adjusted docker-compose template spacing for readability
- Made logging level configurable (DEBUG when MODE_DEBUG is set)
- Added new documentation Move_Domain.md explaining safe procedure for migrating mailboxes to a new domain
- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
* Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
* Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.
Replace 01_import.yml with 01_initialize.yml (KEYCLOAK_HOST_IMPORT_DIR)
Add generic 02_update.yml (kcadm updater for clients/components)
- Resolve ID → read current → merge (kc_merge_path optional)
- Preserve immutable fields; support kc_force_attrs
Update tasks/main.yml:
- Readiness via KEYCLOAK_MASTER_REALM_URL; kcadm login
- Merge LDAP component config from Realm when KEYCLOAK_LDAP_ENABLED
- Update client settings incl. frontchannel.logout.url
realm.json.j2: include ldap.json in UserStorageProvider
ldap.json.j2: use KEYCLOAK_LDAP_* vars for bindDn/credential/connectionUrl
vars/main.yml: add KEYCLOAK_* URLs/dirs and KEYCLOAK_DICTIONARY_REALM(_RAW)
docker-compose.yml.j2: mount KEYCLOAK_HOST_IMPORT_DIR
Cleanup: remove 02_update_client_redirects.yml, 03_update-ldap-bind.yml, 04_ssh_public_key.yml; drop obsolete config flag; formatting
Note: redirectUris/webOrigins ordering may still cause changed=true; consider sorting for stability in a follow-up.
- Removed all static 'id' fields from realm.json.j2, ldap.json.j2, and client.json.j2
- Replaced 'desktop-secret' with correct 'client-secret' authenticator type
- Standardized Jinja filters to use 'to_json' consistently
- Corrected defaultClientScopes entry from 'web-app-origins' to built-in 'web-origins'
- Verified LDAP mapper definitions and optional realm role mapping
- Ensured realm.json.j2 contains only required scopes
References: Chat with ChatGPT (2025-08-17)
https://chatgpt.com/share/68a1aaae-1b04-800f-aa8d-8a0ef6d33cba
- Replace KEYCLOAK_KCADM_PATH with KEYCLOAK_EXEC_KCADM consistently
- Externalize client.json to separate Jinja2 template and include it in realm.json
- Simplify LDAP bind update to use explicit KEYCLOAK_LDAP_* vars
- Add async/poll support for long-running kcadm updates
- Restructure vars/main.yml: clearer grouping (General, Docker, Server, Update, LDAP, API)
- Compute redirectUris/webOrigins centrally in vars
- Align post.logout.redirect.uris handling with playbook
Conversation: https://chatgpt.com/share/68a1a11f-f8ac-800f-bada-cdc99a4fa1bf
- Removed trailing slash in '_oidc_client_issuer_url' to avoid issuer mismatch
- Use '.rstrip('/')' to normalize '_oidc_url'
- Switched to '~' concatenation instead of inline slashes for all OIDC endpoints
- Ensures that Mastodon and other OIDC clients match the issuer from Keycloak discovery
Change motivated by Mastodon issuer mismatch bug (OpenIDConnect::Discovery::DiscoveryFailed).
See related discussion: https://chatgpt.com/share/68a17d3c-c980-800f-934c-d56955b45f81
- removed obsolete role `srv-web-7-7-dns-records` (README, meta, tasks)
- updated Gitea role to use `sys-dns-cloudflare-records` with explicit record vars
- updated web-opt-rdr-www role to use new DNS role with zone detection (`to_zone`)
- added REDIRECT_WWW_FLAVOR var to support "edge" flavor selection
- Support fully qualified ansible.builtin.set_fact
- Parse inline set_fact mappings (e.g. set_fact: { a: 1, b: 2 })
- Continue scanning inside vars/set_fact blocks for Jinja {% set %}, {% for %}, and {% macro %}
- Ensures variables defined by set_fact are correctly recognized as defined
- replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere
- introduced generic sys-dns-cloudflare-records role for managing DNS records
- added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors
- updated Mailu role to:
- generate DKIM before DNS setup
- delegate DNS + rDNS records to the new generic roles
- removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN)
- extended group vars with HOSTING_PROVIDER for rDNS flavor decision
- added hetzner.hcloud collection to requirements
This consolidates DNS management into reusable roles,
supports both Cloudflare and Hetzner providers,
and standardizes variable naming across the project.
- Added vars/main.yml to define iframe-handler.js file name and destination
- Implemented 01_deploy.yml to deploy iframe-handler.js to CDN and set mtime-based version fact
- Split original iframe logic into:
• iframe-handler.js (full logic, served from CDN)
• iframe-init_one_liner.js.j2 (small inline bootstrap, CSP-hashed)
- Updated head_sub.j2 to load script from CDN instead of embedding full code
- Added body_sub.j2 for inline init code
- Updated iframe-handler.js.j2 with initIframeHandler() function and global exposure
- Activated role earlier in inj-compose with public: true so vars are available for templates
- Included 'port-ui-desktop' in body_snippets loop in location.lua.j2
- Disabled 'port-ui-desktop' feature in web-svc-cdn config by default
https://chatgpt.com/share/689d03a8-4c28-800f-8b06-58ce2807b075
- Standardize async/poll usage with 'ASYNC_ENABLED | bool'
- Add async/poll parameters to Cloudflare, Nginx, Mailu, MIG, Nextcloud, and OpenLDAP tasks
- Update async configuration in 'group_vars/all/00_general.yml' to ensure boolean evaluation
- Allow CAA, cache, and DNS tasks to run asynchronously when enabled
https://chatgpt.com/share/689cd8cc-7fbc-800f-bd06-a667561573bf
- Introduce global async configuration in group_vars/all/00_general.yml:
- ASYNC_ENABLED (disabled in debug mode)
- ASYNC_TIME (default 300s, omitted if async disabled)
- ASYNC_POLL (0 for async fire-and-forget, 10 for sync mode)
- Replace hardcoded async/poll values with global vars in:
- svc-db-openldap (03_users.yml, 04_update.yml)
- web-app-mig (02_build_data.yml)
- web-app-nextcloud (03_admin.yml, 04_system_config.yml, 05_plugin.yml,
06_plugin_routines.yml, 07_plugin_enable_and_configure.yml)
- Guard changed_when and failed_when conditions to only evaluate in synchronous
mode to avoid accessing undefined rc/stdout/stderr in async runs
https://chatgpt.com/share/689cd8cc-7fbc-800f-bd06-a667561573bf
• Add config.performance.async.wait_for and expose as nextcloud_wait_for_async_enabled to toggle waiting for async jobs.
• Split system/admin/index maintenance into separate tasks: 02_add_missing_indices.yml, 03_admin.yml, 04_system_config.yml.
• Refactor plugin flow: rename 02_plugin→05_plugin, 03_plugin_routines→06_plugin_routines, 04_plugin_enable_and_configure→07_plugin_enable_and_configure; remove old 03_plugin_routines and 05_system.
• Harden async handling: filter async_status loops by ansible_job_id; conditionally wait only when nextcloud_wait_for_async_enabled; reduce delay to 1s.
• Reorder main.yml to run system steps before plugin setup; keep handlers flush earlier.
• env.j2: simplify get_app_conf lookups (drop extra True flag).
• vars/main.yml: add nextcloud_host_nginx_path and nextcloud_wait_for_async_enabled.
https://chatgpt.com/share/689c9d4a-1748-800f-b490-06a5a48dd831
Switch to command:argv to avoid shell quoting and argument splitting issues.
Pass -s config values as JSON arrays via to_json, fixing previous errors: Cannot parse the JSON / failed at splitting arguments.
Also reconcile config.connectionUrl from ldap.server.uri.
Source desired values strictly from ldap.* (no computed defaults) and assert their presence.
Keep operation idempotent by reading current values and updating only on change.
Minor refactor: build reusable kcadm_argv_base and expand client state extraction.
Touch: roles/web-app-keycloak/tasks/03_update-ldap-bind.yml
https://chatgpt.com/share/689bea84-7188-800f-ba51-830a0735f24c
Use EspoCRM's ConfigWriter API to patch the 'siteUrl' setting during updates.
This makes the process idempotent, avoids brittle regex replacements, and
ensures the running configuration stays in sync with the deployment domain.
https://chatgpt.com/share/689bb860-ba90-800f-adb5-4fa5a992b267
- New task 04_update_domain.yml updates home/siteurl only when needed
- DB-wide search-replace (old → new), GUID-safe, precise, tables-with-prefix
- Normalizes http→https, strips trailing slashes, then flushes cache/rewrites
- Guarded by is_multisite()==0; multisite untouched
- Wired into main.yml with auto target URL via domains|get_url
Fixes post-domain-change mixed/CSP issues due to hard-coded old URLs.
https://chatgpt.com/share/689bac2d-3610-800f-b6f0-41dc79d13a14
Fix a templating crash during docker-compose.yml rendering when a role sets database_type to an empty string or does not expose it (e.g., svc-prx-openresty). Previously _database_id resolved to 'svc-db-' and get_app_conf attempted to read 'docker.services..name', raising AppConfigKeyError: Application ID 'svc-db-' not found.
Changes:
- Introduce _dbtype = (database_type | d('') | trim) and build _database_id only if _dbtype is non-empty.
- Guard central DB lookups: use get_app_conf(..., strict=False, default='') and only when _dbtype is set.
- Default _database_consumer_entity_name to get_entity_name of database_application_id or fallback to application_id.
- Only resolve database_port when _dbtype is set; otherwise empty.
- Minor formatting fixes for env and URL strings.
Impact:
- Prevents failures in roles without a DB or with database_type=''.
- Keeps previous behavior intact for apps with a valid database_type (mariadb/postgres).
- Eliminates 'config_path: docker.services..name' errors while keeping compose templates stable.
https://chatgpt.com/share/689b9d11-6308-800f-b20c-2d9f18d832f1
- Patch local.config.php in one sed exec:
* hostname, database, username, password
* system.url via '#' delimiter to avoid URL slash escaping
* Single notify: docker compose up
- env.j2:
* FRIENDICA_URL now uses domains|get_url(application_id, WEB_PROTOCOL)
* Simplify FRIENDICA_DEBUGGING with |lower
* Normalize spacing for readability
- vars/main.yml:
* Minor cleanups (comment header, spacing)
* Consistent friendica_docker_ldap_config path construction
Why: fewer container execs ⇒ faster runs; idempotent key updates; consistent URL configuration across env and PHP config.
Risk: requires WEB_PROTOCOL and domains|get_url to be defined in inventory/vars as elsewhere in the project.
https://chatgpt.com/share/689b92af-b184-800f-9664-2450e00b29d6
- Moved MIG data build commands into a dedicated 02_build_data.yml task file.
- Added async execution (async: 3600, poll: 0) for non-blocking build.
- Introduced mig_wait_for_build variable to optionally wait for completion.
- Added debug message to inform how to disable waiting via build_data.wait_for=false for performance.
- Updated config to use nested build_data.enabled and build_data.wait_for structure.
- Adjusted variable lookups accordingly.
https://chatgpt.com/share/689b54d2-e3b0-800f-91df-939ebc5e12ef
This test scans roles/*/handlers/main.yml and fails if a handler's 'name' contains a Jinja variable ({{ ... }}).
Reason:
- Handler names must be static to ensure reliable 'notify' resolution.
- Dynamic names can break handler matching, cause undefined-variable errors, and produce unstable logs.
Recommendation:
- Keep handler names static and, if dynamic behavior is needed, use a static 'listen:' key.
https://chatgpt.com/share/689b37dc-e1e4-800f-bd56-00b43c7701f6
- Added register, until, retries, and delay to all PostgreSQL-related tasks
in 02_init.yml to handle transient 'tuple concurrently updated' and similar errors.
- Changed 'when: "{{ postgres_init }}"' to 'when: postgres_init | bool' in main.yml
for correct boolean evaluation.
- Switched 'role' to 'roles' in postgresql_privs tasks for forward compatibility.
- Added postgres_retry_retries and postgres_retry_delay defaults in vars/main.yml
to centralize retry configuration.
https://chatgpt.com/share/689b2360-a8a4-800f-9acb-6d88d6aa5cb7
@@ -5,7 +5,7 @@ Thank you for your interest in contributing to Infinito.Nexus! We welcome contri
## How to Contribute
There are several ways you can help:
- **Reporting Issues:** Found a bug or have a feature request? Please open an issue on our [GitHub Issues page](https://github.com/kevinveenbirkenbach/infinito-nexus/issues) with a clear description and steps to reproduce the problem.
- **Reporting Issues:** Found a bug or have a feature request? Please open an issue on our [GitHub Issues page](https://s.infinito.nexus/issues) with a clear description and steps to reproduce the problem.
- **Code Contributions:** If you'd like to contribute code, fork the repository, create a new branch for your feature or bug fix, and submit a pull request. Ensure your code adheres to our coding style and includes tests where applicable.
- **Documentation:** Improving the documentation is a great way to contribute. Whether it's clarifying an existing section or adding new guides, your contributions help others understand and use Infinito.Nexus effectively.
- **Financial Contributions:** If you appreciate Infinito.Nexus and want to support its ongoing development, consider making a financial contribution. For more details, please see our [donate options](12_DONATE.md).
- **"Software":** Refers to *"[Infinito.Nexus - Cyber Master Infrastructure Solution](https://infinito.nexus/)"* and its associated source code.
- **"Software":** Refers to *"[Infinito.Nexus](https://infinito.nexus/)"* and its associated source code.
- **"Commercial Use":** Any use of the Software intended for direct or indirect financial gain, including but not limited to sales, rentals, or provision of services.
*Automate the Provisioning of All Your Servers and Workstations with a Single Open‑Source Script!*
---
@@ -15,7 +13,7 @@
|---|---|
| 🌐 Try It Live | [](https://infinito.nexus) |
| 🔧 Request Your Setup | [](https://cybermaster.space) |
| 📖 About This Project | [](https://github.com/sponsors/kevinveenbirkenbach) [](https://github.com/kevinveenbirkenbach/infinito-nexus/actions/workflows/test-cli.yml?query=branch%3Amaster) [](https://github.com/kevinveenbirkenbach/infinito-nexus) |
| 📖 About This Project | [](https://github.com/sponsors/kevinveenbirkenbach) [](https://github.com/kevinveenbirkenbach/infinito-nexus/actions/workflows/test-cli.yml) [](https://s.infinito.nexus/code) |
| ☕️ Support Us | [](https://www.patreon.com/c/kevinveenbirkenbach) [](https://buymeacoffee.com/kevinveenbirkenbach) [](https://s.veen.world/paypaldonate) [](https://github.com/sponsors/kevinveenbirkenbach) |
---
@@ -93,4 +91,4 @@ Infinito.Nexus is distributed under the **Infinito.Nexus NonCommercial License**
## Professional Setup & Support 💼
For expert installation and configuration visit [cybermaster.space](https://cybermaster.space/) or write to us at **[contact@infinito.nexus](mailto:contact@infinito.nexus)**.
For expert installation and configuration visit [cybermaster.space](https://cybermaster.space/) or write to us at **[contact@cymais.cloud](mailto:contact@cymais.cloud)**.
Infinito.Nexus (Cyber Master Infrastructure Solution) is a modular, open-source IT infrastructure automation platform designed to simplify the deployment, management, and security of self-hosted environments.
[Infinito.Nexus](https://infinito.nexus) is a modular, open-source IT infrastructure automation platform designed to simplify the deployment, management, and security of self-hosted environments.
It provides a flexible, scalable, and secure architecture based on modern [DevOps](https://en.wikipedia.org/wiki/DevOps) principles, leveraging technologies like [Ansible](https://en.wikipedia.org/wiki/Ansible_(software)), [Docker](https://en.wikipedia.org/wiki/Docker_(software)), and [Infrastructure as Code (IaC)](https://en.wikipedia.org/wiki/Infrastructure_as_code).
This section explains how to deploy and manage the **Cyber Master Infrastructure Solution (Infinito.Nexus)** using Ansible. Infinito.Nexus uses a collection of Ansible tasks, which are controlled via different **"modes"** — such as **updates**, **backups**, **resets**, and **cleanup** operations.
This section explains how to deploy and manage **[Infinito.Nexus](https://infinito.nexus)** using Ansible. Infinito.Nexus uses a collection of Ansible tasks, which are controlled via different **"modes"** — such as **updates**, **backups**, **resets**, and **cleanup** operations.
certbot_dns_api_token:""# Define in inventory file: More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
certbot_dns_propagation_wait_seconds:300# How long should the script wait for DNS propagation before continuing
certbot_flavor: san # Possible options:san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated
CERTBOT_DNS_PROPAGATION_WAIT_SECONDS:300# How long should the script wait for DNS propagation before continuing
CERTBOT_FLAVOR: san # Possible options:san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated
# Path where Certbot stores challenge webroot files
letsencrypt_webroot_path:"/var/lib/letsencrypt/"
# Letsencrypt
LETSENCRYPT_WEBROOT_PATH:"/var/lib/letsencrypt/"# Path where Certbot stores challenge webroot files
LETSENCRYPT_BASE_PATH:"/etc/letsencrypt/"# Base directory containing Certbot configuration, account data, and archives
LETSENCRYPT_LIVE_PATH:"{{ LETSENCRYPT_BASE_PATH }}live/"# Symlink directory for the current active certificate and private key
# Base directory containing Certbot configuration, account data, and archives
letsencrypt_base_path:"/etc/letsencrypt/"
## Docker
DOCKER_RESTART_POLICY:"unless-stopped"# Default restart parameter for docker containers
DOCKER_VARS_FILE:"{{ playbook_dir }}/roles/docker-compose/vars/docker-compose.yml"# File containing docker compose variables used by other services
DOCKER_WHITELISTET_ANON_VOLUMES:[]# Volumes which should be ignored during docker anonymous health check
# Symlink directory for the current active certificate and private key
STREAMS:"{{ _nginx_conf_dir }}streams/"# Contains streams configuration e.g. for ldaps
DATA:
WWW:"{{ _nginx_www_dir }}"
WELL_KNOWN:"/usr/share/nginx/well-known/"# Path where well-known files are stored
HTML:"{{ _nginx_www_dir }}public_html/"# Path where the static homepage files are stored
FILES:"{{ _nginx_www_dir }}public_files/"# Path where the web accessable files are stored
CDN:"{{ _nginx_www_dir }}public_cdn/"# Contains files which will be accessable via the content delivery network
GLOBAL:"{{ _nginx_www_dir }}global/"# Directory containing files which will be globaly accessable, @Todo remove this when css migrated to CDN
CACHE:
GENERAL:"/tmp/cache_nginx_general/"# Directory which nginx uses to cache general data
IMAGE:"/tmp/cache_nginx_image/"# Directory which nginx uses to cache images
USER:"http"# Default nginx user in ArchLinux
# @todo It propably makes sense to distinguish between target and source mount path, so that the config files can be stored in the openresty volumes folder
id:"{{ _oidc_client_id }}"# Client identifier, typically matching your primary domain
# secret: # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
realm:"{{_oidc_client_realm}}"# The realm to which the client belongs in the OIDC provider
issuer_url:"{{_oidc_client_issuer_url}}"# Base URL of the OIDC provider (issuer)
discovery_document:"{{_oidc_client_issuer_url}}/.well-known/openid-configuration"# URL for fetching the provider's configuration details
authorize_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"# Endpoint to start the authorization process
token_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/token"# Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
user_info_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"# Endpoint to retrieve user information
logout_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"# Endpoint to log out the user
change_credentials:"{{_oidc_client_issuer_url}}account/account-security/signing-in"# URL for managing or changing user credentials
certs:"{{_oidc_client_issuer_url}}/protocol/openid-connect/certs"# JSON Web Key Set (JWKS)
description:"Generic Docker helpers and utilities (compose wrappers, container tooling)."
icon:"fas fa-docker"
invokable:false
dev:
title:"Software Development Utilties"
invokable:false
@@ -6,41 +11,76 @@ roles:
title:"System"
description:"System near components. Will be automaticly called if necessary from other roles."
invokable:false
alm:
title:"Alerting"
description:"Notification handlers for system events"
icon:"fas fa-bell"
ctl:
title:"Control"
description:"Control layer for system lifecycle management—handling cleanup, monitoring, backups, alerting, maintenance, and repair tasks."
icon:"fas fa-cogs"
invokable:false
cln:
title:"Cleanup"
description:"Roles for cleaning up various system resources—old backups, unused certificates, temporary files, Docker volumes, disk caches, deprecated domains, and more."
icon:"fas fa-trash-alt"
cln:
title:"Cleanup"
description:"Roles for cleaning up various system resources—old backups, unused certificates, temporary files, Docker volumes, disk caches, deprecated domains, and more."
icon:"fas fa-trash-alt"
invokable:false
hlth:
title:"Monitoring"
description:"Roles for system monitoring and health checks—encompassing bot-style automated checks and core low-level monitors for logs, containers, disk usage, and more."
description:"Notification handlers for system events"
icon:"fas fa-bell"
invokable:false
mtn:
title:"Maintenance"
description:"Maintenance roles for certificates, system upkeep, and recurring operational tasks."
icon:"fas fa-tools"
invokable:false
rpr:
title:"Repair"
description:"Repair and recovery roles—handling hard/soft recovery of Docker, Btrfs balancers, and other low-level system fixes."
icon:"fas fa-wrench"
invokable:false
dns:
title:"DNS Automation"
description:"DNS providers, records, and rDNS management (Cloudflare, Hetzner, etc.)."
icon:"fas fa-network-wired"
invokable:false
hlth:
title:"Monitoring"
description:"Roles for system monitoring and health checks—encompassing bot-style automated checks and core low-level monitors for logs, containers, disk usage, and more."
description:"Frontend helpers for reverse-proxied apps (injection, shared assets, CDN plumbing)."
icon:"fas fa-wand-magic-sparkles"
invokable:false
inj:
title:"Injection"
description:"Composable HTML injection roles (CSS, JS, logout interceptor, analytics, desktop iframe) for Nginx/OpenResty via sub_filter/Lua with CDN-backed assets."
icon:"fas fa-filter"
invokable:false
update:
title:"Updates & Package Management"
description:"OS & package updates"
icon:"fas fa-sync"
invokable:true
pkgmgr:
title:"Package Manager Helpers"
description:"Helpers for package managers and unified install flows."
icon:"fas fa-box-open"
invokable:false
drv:
title:"Drivers"
description:"Roles for installing and configuring hardware drivers—covering printers, graphics, input devices, and other peripheral support."
description:"Utility roles for server-side configuration and management—covering corporate identity provisioning, network helpers, and other service-oriented toolkits."
icon:"fas fa-cogs"
invokable:true
srv:
title:"Server"
description:"General server roles for provisioning and managing server infrastructure—covering web servers, proxy servers, network services, and other backend components."
icon:"fas fa-server"
invokable:false
web:
title:"Webserver"
description:"Web-server roles for installing and configuring Nginx (core, TLS, injection filters, composer modules)."
icon:"fas fa-server"
invokable:false
proxy:
title:"Proxy Server"
description:"Proxy-server roles for virtual-host orchestration and reverse-proxy setups."
icon:"fas fa-project-diagram"
dev:
title:"Developer Utilities"
description:"Developer-centric server utilities and admin toolkits."
icon:"fas fa-code"
invokable:false
web:
title:"Web Infrastructure"
@@ -99,11 +129,6 @@ roles:
title:"Webserver Optimation"
description:"Tools which help to optimize webservers"
database_instance:"{{ _database_central_name if _database_central_enabled else database_name }}"# This could lead to bugs at dedicated database @todo cleanup
database_host:"{{ _database_central_name if _database_central_enabled else 'database' }}"# This could lead to bugs at dedicated database @todo cleanup
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
