Different optimations

group_vars/all/03_domains.yml

@@ -77,3 +77,7 @@ defaults_redirect_domain_mappings:
 - { source: "taiga.{{primary_domain}}",       target: "{{domains.taiga}}" }
 - { source: "videos.{{primary_domain}}",      target: "{{domains.peertube}}" }
 - { source: "wordpress.{{primary_domain}}",   target: "{{domains.wordpress[0]}}" }
+
+# Domains which are deprecated and should be cleaned up
+deprecated_domains: []
+

roles/docker-espocrm/Administration.md

@@ -1,32 +0,0 @@
-# Administration
-
-## 🗑️ Cleanup (Remove instance & volumes)
-```bash
-cd {{path_docker_compose_instances}}espocrm/
-docker compose down
-# EspoCRM keeps all uploaded files in the *data* volume
-docker volume rm espocrm_data espocrm_database
-cd {{path_docker_compose_instances}} && rm -vR {{path_docker_compose_instances}}espocrm
-```
-
-## 🔍 Access EspoCRM container shell
-```bash
-docker compose exec -it web /bin/bash
-```
-
-## 🛠️ Database migrations (after image upgrade)
-EspoCRM applies migrations automatically on start‑up. To run them manually:
-```bash
-docker compose exec -it web php command.php upgrade
-```
-
-## 🗄️ Backup database
-```bash
-# Dump the MySQL/MariaDB database
-docker exec espocrm_database /usr/bin/mysqldump -u root -p$MYSQL_ROOT_PASSWORD espocrm > backup_$(date +%F).sql
-```
-
-## 🧹 Clear cache
-```bash
-docker compose exec web php command.php clear cache
-```

roles/docker-espocrm/Installation.md

@@ -1,25 +0,0 @@
-# ⚙️ Configuration & Setup
-
-## 🔧 Create credentials & pull image
-```bash
-# Pull the latest EspoCRM image
-docker pull espocrm/espocrm:latest
-
-# If you need to pre‑create a config file, copy the default
-# (the container will generate one automatically on first start)
-```
-
-## 🏗️ Initial deployment with Docker Compose
-```bash
-# Change into the instance directory created by the role
-cd {{path_docker_compose_instances}}espocrm/
-
-# Launch the stack
-docker compose up -d
-```
-The first start can take a minute while EspoCRM initialises the database schema.
-
-## 🔐 LDAP & OIDC authentication
-Both mechanisms are supported out of the box:
-- **LDAP:** Configure under *Administration → Authentication → LDAP* after the first login.
-- **OIDC:** Configure under *Administration → Authentication → OpenID Connect* and paste the Issuer URL, Client ID and Client Secret from your IdP (Keycloak, Authentik, Entra ID, …).

roles/docker-espocrm/README.md

@@ -2,15 +2,38 @@
 
 ## Description
 
-EspoCRM is a lightweight, open‑source Customer Relationship Management platform that helps you manage leads, accounts, opportunities and post‑sale support in a single, web‑based interface.  
+Enhance your sales and service processes with EspoCRM, an open-source CRM featuring workflow automation, LDAP/OIDC single sign-on, and a sleek, lightweight UI! 🚀💼
-This Ansible role deploys EspoCRM with Docker, mirroring the structure of the Mastodon role for a consistent operations workflow.
 
 ## Overview
-- **Sales Pipeline & Activities Stream** – track every interaction and schedule follow‑ups.
-- **Workflow & BPM** – automate routine tasks and notifications.
-- **Extensible Authentication** – native LDAP and OpenID Connect (OIDC) login support.
-- **Containerised Architecture** – separate services for the web application, cron jobs and an upstream MySQL/MariaDB database.
 
-For detailed instructions see:
+This Ansible role deploys EspoCRM using Docker. It handles:
-- [Installation.md](./Installation.md)  
+
-- [Administration.md](./Administration.md)
+- MariaDB database provisioning via the `docker-central-database` role  
+- Nginx domain setup with WebSocket and reverse-proxy configuration  
+- Environment variable management through Jinja2 templates  
+- Docker Compose orchestration for **web**, **daemon**, and **websocket** services  
+- Automatic OIDC scope configuration within the EspoCRM container  
+
+With this role, you'll have a production-ready CRM environment that's secure, scalable, and real-time.
+
+## Features
+
+- **Workflow Automation:** Create and manage automated CRM processes with ease 🛠️  
+- **LDAP/OIDC SSO:** Integrate with corporate identity providers for seamless login 🔐  
+- **WebSocket Notifications:** Real-time updates via ZeroMQ and WebSockets 🌐  
+- **Config via Templates:** Fully customizable `.env` and `docker-compose.yml` with Jinja2 ⚙️  
+- **Health Checks & Logging:** Monitor service health and logs with built-in checks and journald 📈  
+- **Modular Role Composition:** Leverages central roles for database and Nginx, ensuring consistency across deployments 🔄  
+
+## Additional Resources
+
+- [EspoCRM Official Website](https://www.espocrm.com/) 🌍  
+- [EspoCRM Documentation](https://docs.espocrm.com/) 📖  
+- [CyMaIS Project Repository](https://github.com/kevinveenbirkenbach/cymais) 🔗  
+
+## Credits
+
+Developed and maintained by **Kevin Veen-Birkenbach**.  
+Consulting & Coaching Solutions: [veen.world](https://www.veen.world) 🌟  
+Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais) 📂  
+License: [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl) ⚖️  

roles/docker-espocrm/Todo.md

@@ -1,2 +0,0 @@
-# Todos
-- Finish draft implementation

roles/docker-espocrm/meta/main.yml

@@ -18,5 +18,5 @@ galaxy_info:
   issue_tracker_url: "https://s.veen.world/cymaisissues"
   documentation: "https://s.veen.world/cymais"
   logo:
-    class: "fa-solid fa-briefcase"
+    class: "fa-solid fa-phone"
 dependencies: []

roles/docker-espocrm/tasks/main.yml

@@ -16,3 +16,17 @@
 
 - name: "copy docker-compose.yml and env file"
   include_tasks: copy-docker-compose-and-env.yml
+
+- name: Set OIDC scopes in EspoCRM config (inside web container)
+  ansible.builtin.shell: |
+    docker compose exec -T web php -r '
+      require "/var/www/html/bootstrap.php";
+      $writer = (new \Espo\Core\Application())
+        ->getContainer()
+        ->get("injectableFactory")
+        ->create("\Espo\Core\Utils\Config\ConfigWriter");
+      $writer->set("oidcScopes", ["openid", "profile", "email"]);
+      $writer->save();
+    '
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"

roles/docker-espocrm/templates/docker-compose.yml.j2

@@ -5,7 +5,6 @@ services:
   web:
     image: espocrm/espocrm:{{ applications.espocrm.version }}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
-    command: "php-fpm"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost/"]
     ports:
@@ -41,7 +40,7 @@ services:
     volumes:
       - data:/var/www/html
     ports:
-      - "{{ ports.localhost.websocket[application_id] | default('127.0.0.1:8081') }}:8080"
+      - "127.0.0.1:{{ ports.localhost.websocket[application_id] }}:8080"
 
 {% include 'templates/docker/compose/volumes.yml.j2' %}
   data:

roles/docker-espocrm/templates/env.j2

@@ -35,8 +35,8 @@ ESPOCRM_CONFIG_TIME_ZONE={{ HOST_TIMEZONE }}
 # ESPOCRM_CONFIG_WEEK_START: 0 = Sunday, 1 = Monday
 ESPOCRM_CONFIG_WEEK_START=1
 ESPOCRM_CONFIG_DEFAULT_CURRENCY={{ HOST_CURRENCY }}
-ESPOCRM_CONFIG_THOUSAND_SEPARATOR={{ HOST_THOUSAND_SEPARATOR }}
+#ESPOCRM_CONFIG_THOUSAND_SEPARATOR={{ HOST_THOUSAND_SEPARATOR }}
-ESPOCRM_CONFIG_DECIMAL_MARK={{HOST_DECIMAL_MARK}}
+#ESPOCRM_CONFIG_DECIMAL_MARK={{HOST_DECIMAL_MARK}}
 
 # ------------------------------------------------
 # Logger
@@ -82,6 +82,7 @@ ESPOCRM_CONFIG_LDAP_USER_LOGIN_FILTER=(sAMAccountName=%USERNAME%)
 # ------------------------------------------------
 # OpenID Connect settings
 # ------------------------------------------------
+ESPOCRM_CONFIG_OIDC_ALLOW_ADMIN_USER=true
 ESPOCRM_CONFIG_AUTHENTICATION_METHOD=Oidc
 ESPOCRM_CONFIG_OIDC_FALLBACK=false                       # set true if you want LDAP as fallback
 
@@ -94,5 +95,11 @@ ESPOCRM_CONFIG_OIDC_USER_INFO_ENDPOINT={{ oidc.client.user_info_url }}
 ESPOCRM_CONFIG_OIDC_JWKS_ENDPOINT={{ oidc.client.certs }}
 
 ESPOCRM_CONFIG_OIDC_AUTHORIZATION_REDIRECT_URI=https://{{ domains[application_id] }}/oidc/callback
-ESPOCRM_CONFIG_OIDC_SCOPES=openid,profile,email
+#ESPOCRM_CONFIG_OIDC_SCOPES=openid,profile,email # Defined in main.yml
+
+ESPOCRM_CONFIG_OIDC_CREATE_USER=true
+ESPOCRM_CONFIG_OIDC_SYNC=true
+ESPOCRM_CONFIG_OIDC_USERNAME_CLAIM={{oidc.attributes.username}}
+# ESPOCRM_CONFIG_OIDC_SYNC_TEAMS=true      # (optional) Gruppen-→-Team-Mapping
+# ESPOCRM_CONFIG_OIDC_GROUP_CLAIM=group
 {% endif %}

roles/docker-ldap/TODO.md

@@ -1,4 +1,4 @@
 # Todos
-- Implement auto password hash
 - Implement auto memberof setup
-- Create a Dockerfile (may in an own repository) with memberOf
+- Create a Dockerfile (may in an own repository) with memberOf
+- Find a better decoupling solution for nextcloud

roles/docker-ldap/tasks/main.yml

@@ -37,7 +37,6 @@
   include_tasks: create_ldif_files.yml
   loop:
     - configuration
-    - schema
   loop_control:
     loop_var: folder
 
@@ -50,6 +49,37 @@
       - python-ldap
     state: present
 
+- name: Create Nextcloud Schema
+  ldap_entry:
+    dn: "cn=nextcloud,cn=schema,cn=config"
+    objectClass:
+      - top
+      - olcSchemaConfig
+    attributes:
+      cn: nextcloud
+      olcAttributeTypes:
+        - >-
+          ( 1.3.6.1.4.1.99999.1
+            NAME 'nextcloudQuota'
+            DESC 'Quota for Nextcloud'
+            EQUALITY integerMatch
+            ORDERING integerOrderingMatch
+            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+            SINGLE-VALUE
+          )
+      olcObjectClasses:
+        - >-
+          ( 1.3.6.1.4.1.99999.2
+            NAME 'nextcloudUser'
+            DESC 'Auxiliary class for Nextcloud attributes'
+            AUXILIARY
+            MAY ( nextcloudQuota )
+          )
+    server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap.ldap }}"
+    bind_dn: "cn={{ applications.ldap.users.administrator.username }},cn=config"
+    bind_pw: "{{ applications.ldap.administrator_password }}"
+    state: present
+
 ###############################################################################
 # 1) Create the LDAP entry if it does not yet exist
 ###############################################################################

roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif.j2

@@ -1,19 +0,0 @@
-# nextcloud.schema
-
-dn: cn=nextcloud,cn=schema,cn=config
-objectClass: olcSchemaConfig
-cn: nextcloud
-olcAttributeTypes: ( 1.3.6.1.4.1.99999.1
-  NAME 'nextcloudQuota'
-  DESC 'Quota for Nextcloud'
-  EQUALITY integerMatch
-  ORDERING integerOrderingMatch
-  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
-  SINGLE-VALUE
-)
-olcObjectClasses: ( 1.3.6.1.4.1.99999.2
-  NAME 'nextcloudUser'
-  DESC 'Auxiliary class for Nextcloud attributes'
-  AUXILIARY
-  MAY ( nextcloudQuota )
-)

roles/docker-ldap/templates/ldif/schema/README.md

@@ -1 +0,0 @@
-This folder contains schemas for the different applications to import

roles/docker-mailu/tasks/create-mailu-user-and-token.yml

@@ -51,6 +51,7 @@
   when:
     - users[mailu_user].mailu_token is not defined
     - mailu_user_existing_token is not none
+    - mailu_user_existing_token.id is defined
   register: mailu_token_delete
   changed_when: mailu_token_delete.rc == 0
 

roles/nginx-domain-setup/meta/main.yml

@@ -22,4 +22,6 @@ galaxy_info:
     - archlinux
   repository: https://s.veen.world/cymais
   issue_tracker_url: https://s.veen.world/cymaisissues
-  documentation: https://s.veen.world/cymais
+  documentation: https://s.veen.world/cymais
+dependencies:
+  - nginx

roles/nginx-domains-cleanup/README.md

@@ -0,0 +1,25 @@
+# nginx-domains-cleanup
+
+## Description
+
+This Ansible role removes Nginx configuration files and revokes and deletes Certbot certificates for domains marked as deprecated.
+
+## Overview
+
+Optimized for idempotent cleanup operations, this role:
+
+- Deletes Nginx server configuration files in `/etc/nginx/conf.d/http/servers/` for each domain listed in `deprecated_domains`.
+- Revokes and deletes corresponding Certbot certificates.
+- Ensures cleanup tasks execute only once per playbook run.
+- Notifies Nginx to restart after removing configurations.
+
+## Purpose
+
+Streamline the decommissioning of outdated or deprecated domains by automating the removal of Nginx server blocks and their SSL certificates.
+
+## Features
+
+- **Nginx Cleanup:** Safely removes server configuration files.
+- **Certbot Integration:** Revokes and deletes certificates without manual intervention.
+- **Idempotent Execution:** Utilizes a `run_once` flag to prevent repeated runs.
+- **Service Notification:** Triggers an Nginx restart handler upon cleanup.

roles/nginx-domains-cleanup/meta/main.yml

@@ -0,0 +1,24 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Remove Nginx configuration files and revoke/delete Certbot certificates for deprecated domains"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - cleanup
+    - certbot
+    - domains
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - nginx

roles/nginx-domains-cleanup/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: "Remove Nginx configuration for deprecated domains"
+  ansible.builtin.file:
+    path: "/etc/nginx/conf.d/http/servers/{{ item }}"
+    state: absent
+  loop: "{{ deprecated_domains }}"
+  loop_control:
+    label: "{{ item }}"
+  notify: restart nginx
+  when:
+    - mode_cleanup | bool
+    - run_once_nginx_domains_cleanup is not defined
+
+- name: "Revoke Certbot certificate for {{ item }}"
+  ansible.builtin.command:
+    cmd: "certbot revoke -n --cert-name {{ item }}"
+  become: true
+  loop: "{{ deprecated_domains }}"
+  loop_control:
+    label: "{{ item }}"
+  when:
+    - mode_cleanup | bool
+    - run_once_nginx_domains_cleanup is not defined
+
+- name: "Delete Certbot certificate for {{ item }}"
+  ansible.builtin.command:
+    cmd: "certbot delete -n --cert-name {{ item }}"
+  become: true
+  loop: "{{ deprecated_domains }}"
+  loop_control:
+    label: "{{ item }}"
+  when:
+    - mode_cleanup | bool
+    - run_once_nginx_domains_cleanup is not defined
+
+- name: run the nginx_domains_cleanup role once
+  set_fact:
+    run_once_nginx_domains_cleanup: true
+  when: run_once_nginx_domains_cleanup is not defined

roles/nginx-https-get-cert/tasks/main.yml

@@ -28,7 +28,7 @@
   command: >-
     certbot delete --cert-name {{ domain }} --non-interactive
   when: 
-    - mode_cleanup | bool  
+    - mode_cleanup | bool
       # Cleanup mode is enabled
     - enable_wildcard_certificate | bool  
       # Wildcard certificate is enabled

roles/nginx-https/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
 - nginx
+- nginx-domains-cleanup
 - letsencrypt

roles/nginx/tasks/main.yml

@@ -3,7 +3,7 @@
   pacman:
     name:
       - nginx
-      - nginx-mod-stream # Enable Stream support
+      - nginx-mod-stream
     state:  present
   notify: restart nginx
   when: run_once_nginx is not defined

roles/nginx/templates/nginx.conf.j2

@@ -1,4 +1,4 @@
-load_module /usr/lib/nginx/modules/ngx_stream_module.so; # Enable Stream support
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
 worker_processes auto;
 
 events

templates/vars/applications.yml.j2

@@ -128,7 +128,7 @@ defaults_applications:
 
   ## EspoCRM
   espocrm:
-    version:                      "fpm-alpine"
+    version:                      "latest"
     users:
       administrator:
         username:                 "{{ users.administrator.username }}"
@@ -142,9 +142,9 @@ defaults_applications:
 
 {% endraw %}{{ features.render_features({
   'matomo':   true,
-  'css':      true,
+  'css':      false,
   'iframe':   false,
-  'ldap':     true,
+  'ldap':     false,
   'oidc':     true,
   'database': true
 }) }}{% raw %}