Added Dockerfile draft

Dockerfile

@@ -0,0 +1,25 @@
+FROM archlinux:latest
+
+# 1) Update system and install required tools
+RUN pacman -Syu --noconfirm \
+    git \
+    make \
+    python \
+    python-pip \
+ && pacman -Scc --noconfirm
+
+# 2) Ensure ~/.local/bin is on PATH so pkgmgr & cymais are discoverable
+ENV PATH="/root/.local/bin:${PATH}"
+
+# 3) Clone and install Kevin’s Package Manager
+RUN git clone https://github.com/kevinveenbirkenbach/package-manager.git /opt/package-manager \
+ && cd /opt/package-manager \
+ && make setup \
+ && ln -s /opt/package-manager/main.py /usr/local/bin/pkgmgr
+
+# 4) Use pkgmgr to install CyMaIS
+RUN pkgmgr install cymais
+
+# 5) Default entrypoint to the cymais CLI
+ENTRYPOINT ["cymais"]
+CMD ["--help"]

cli/fix/replace_by_get_app_config.sh

@@ -0,0 +1,5 @@
+# Just a little refactoring script, you can delete it later
+ATTR="$1"
+OLD="applications[application_id].$ATTR"
+NEW="applications | get_app_conf(application_id, '$ATTR', True)"
+bsr ./ "$OLD" -rFfc -n "$NEW"

filter_plugins/Todo.md

@@ -1,2 +0,0 @@
-# Todo 
-- Refactor is_feature_enabled to one function

filter_plugins/configuration_filters.py

@@ -1,10 +1,3 @@
-def is_feature_enabled(applications: dict, feature: str, application_id: str) -> bool:
-    """
-    Return True if applications[application_id].features[feature] is truthy.
-    """
-    app = applications.get(application_id, {})
-    return bool(app.get('features', {}).get(feature, False))
-
 def get_docker_compose(path_docker_compose_instances: str, application_id: str) -> dict:
     """
     Build the docker_compose dict based on
@@ -30,6 +23,5 @@ def get_docker_compose(path_docker_compose_instances: str, application_id: str)
 class FilterModule(object):
     def filters(self):
         return {
-            'is_feature_enabled':   is_feature_enabled,
             'get_docker_compose':   get_docker_compose,
         }

filter_plugins/csp_filters.py

@@ -112,7 +112,7 @@ class FilterModule(object):
                     self.is_feature_enabled(applications, matomo_feature_name, application_id)
                     and directive in ['script-src-elem', 'connect-src']
                 ):
-                    matomo_domain = domains.get('matomo')[0]
+                    matomo_domain = domains.get('web-app-matomo')[0]
                     if matomo_domain:
                         tokens.append(f"{web_protocol}://{matomo_domain}")
 
@@ -124,7 +124,7 @@ class FilterModule(object):
 
                 # Enable loading via ancestors
                 if (
-                    self.is_feature_enabled(applications, 'portfolio_iframe', application_id)
+                    self.is_feature_enabled(applications, 'port-ui-desktop', application_id)
                     and directive == 'frame-ancestors'
                 ):
                     domain = domains.get('web-app-port-ui')[0]

filter_plugins/docker_service_enabled.py

@@ -0,0 +1,25 @@
+class FilterModule(object):
+    ''' Custom filter to safely check if a docker service is enabled for an application_id '''
+
+    def filters(self):
+        return {
+            'is_docker_service_enabled': self.is_docker_service_enabled
+        }
+
+    @staticmethod
+    def is_docker_service_enabled(applications, application_id, service_name):
+        """
+        Returns True if applications[application_id].docker.services[service_name].enabled is truthy,
+        otherwise returns False (even if intermediate keys are missing).
+        """
+        try:
+            return bool(
+                applications
+                and application_id in applications
+                and applications[application_id].get('docker', {})
+                .get('services', {})
+                .get(service_name, {})
+                .get('enabled', False)
+            )
+        except Exception:
+            return False

filter_plugins/get_app_conf.py

@@ -0,0 +1,94 @@
+# filter_plugins/get_app_conf.py
+
+import re
+from ansible.errors import AnsibleFilterError
+
+class AppConfigKeyError(AnsibleFilterError, ValueError):
+    """
+    Raised when a required application config key is missing (strict mode).
+    Compatible with Ansible error handling and Python ValueError.
+    """
+    pass
+
+def get_app_conf(applications, application_id, config_path, strict=True):
+    def access(obj, key, path_trace):
+        m = re.match(r"^([a-zA-Z0-9_]+)(?:\[(\d+)\])?$", key)
+        if not m:
+            raise AppConfigKeyError(
+                f"Invalid key format in config_path: '{key}'\n"
+                f"Full path so far: {'.'.join(path_trace)}\n"
+                f"application_id: {application_id}\n"
+                f"config_path: {config_path}"
+            )
+        k, idx = m.group(1), m.group(2)
+        if isinstance(obj, dict):
+            if k not in obj:
+                if strict:
+                    raise AppConfigKeyError(
+                        f"Key '{k}' not found in dict at '{key}'\n"
+                        f"Full path so far: {'.'.join(path_trace)}\n"
+                        f"Current object: {repr(obj)}\n"
+                        f"application_id: {application_id}\n"
+                        f"config_path: {config_path}"
+                    )
+                return False
+            obj = obj[k]
+        else:
+            if strict:
+                raise AppConfigKeyError(
+                    f"Expected dict for '{k}', got {type(obj).__name__} at '{key}'\n"
+                    f"Full path so far: {'.'.join(path_trace)}\n"
+                    f"Current object: {repr(obj)}\n"
+                    f"application_id: {application_id}\n"
+                    f"config_path: {config_path}"
+                )
+            return False
+        if idx is not None:
+            if not isinstance(obj, list):
+                if strict:
+                    raise AppConfigKeyError(
+                        f"Expected list for '{k}[{idx}]', got {type(obj).__name__}\n"
+                        f"Full path so far: {'.'.join(path_trace)}\n"
+                        f"Current object: {repr(obj)}\n"
+                        f"application_id: {application_id}\n"
+                        f"config_path: {config_path}"
+                    )
+                return False
+            i = int(idx)
+            if i >= len(obj):
+                if strict:
+                    raise AppConfigKeyError(
+                        f"Index {i} out of range for list at '{k}'\n"
+                        f"Full path so far: {'.'.join(path_trace)}\n"
+                        f"Current object: {repr(obj)}\n"
+                        f"application_id: {application_id}\n"
+                        f"config_path: {config_path}"
+                    )
+                return False
+            obj = obj[i]
+        return obj
+
+    path_trace = [f"applications[{repr(application_id)}]"]
+    try:
+        obj = applications[application_id]
+    except KeyError:
+        raise AppConfigKeyError(
+            f"Application ID '{application_id}' not found in applications dict.\n"
+            f"path_trace: {path_trace}\n"
+            f"applications keys: {list(applications.keys())}\n"
+            f"config_path: {config_path}"
+        )
+
+    for part in config_path.split("."):
+        path_trace.append(part)
+        obj = access(obj, part, path_trace)
+        if obj is False and not strict:
+            return False
+    return obj
+
+class FilterModule(object):
+    ''' CyMaIS application config extraction filters '''
+    def filters(self):
+        return {
+            'get_app_conf': get_app_conf,
+        }

group_vars/all/09_ports.yml

@@ -35,7 +35,7 @@ ports:
       attendize: 8015
       pgadmin: 8016
       baserow: 8017
-      matomo: 8018
+      web-app-matomo: 8018
       listmonk: 8019
       discourse: 8020
       matrix_synapse: 8021

group_vars/all/10_networks.yml

@@ -36,7 +36,7 @@ defaults_networks:
       subnet: 192.168.101.192/28
     # Free:
     #  subnet: 192.168.101.208/28
-    matomo:
+    web-app-matomo:
       subnet: 192.168.101.224/28
     mastodon:
       subnet: 192.168.101.240/28

roles/Todo.md

@@ -0,0 +1,2 @@
+# Todos
+- Use at all applications the ansible role name as application_id

roles/cmp-rdbms/tasks/main.yml

@@ -5,14 +5,14 @@
     src: "env/{{database_type}}.env.j2"
     dest: "{{database_env}}"
   notify: docker compose up
-  when: not applications | is_feature_enabled('central_database',application_id)
+  when: not applications | get_app_conf(application_id, 'features.central_database', False)
 
 - name: "For '{{ application_id }}': Create central database"
   # I don't know why this includes leads to that the application_id in vars/main.yml of the database role isn't used
   # This is the behaviour which I want, but I'm still wondering why ;)
   include_role:
     name: "svc-db-{{database_type}}"
-  when: applications | is_feature_enabled('central_database',application_id)
+  when: applications | get_app_conf(application_id, 'features.central_database', False)
 
 - name: "For '{{ application_id }}': Add Entry for Backup Procedure"
   include_tasks: "{{ playbook_dir }}/roles/sys-bkp-docker-to-local/tasks/seed-database-to-backup.yml"

roles/cmp-rdbms/templates/services/mariadb.yml.j2

@@ -1,5 +1,5 @@
 # This template needs to be included in docker-compose.yml, which depend on a mariadb database
-{% if not applications | is_feature_enabled('central_database',application_id) %}
+{% if not applications | get_app_conf(application_id, 'features.central_database', False) %}
   {{ database_host }}:
     container_name: {{application_id}}-database
     logging:

roles/cmp-rdbms/templates/services/postgres.yml.j2

@@ -1,5 +1,5 @@
 # This template needs to be included in docker-compose.yml, which depend on a postgres database
-{% if not applications | is_feature_enabled('central_database',application_id) %}  
+{% if not applications | get_app_conf(application_id, 'features.central_database', False) %}  
   {{ database_host }}:
     image: postgres:{{applications['svc-db-postgres'].version}}-alpine
     container_name: {{application_id}}-database

roles/cmp-rdbms/vars/database.yml

@@ -1,8 +1,8 @@
-database_instance:  "{{ applications[ 'svc-db-' ~ database_type ].hostname if applications | is_feature_enabled('central_database',database_application_id) else database_application_id }}"
+database_instance:  "{{ applications[ 'svc-db-' ~ database_type ].hostname if applications | get_app_conf(database_application_id, 'features.central_database', False) else database_application_id }}"
-database_host:      "{{ applications[ 'svc-db-' ~ database_type ].hostname if applications | is_feature_enabled('central_database',database_application_id) else 'database' }}"
+database_host:      "{{ applications[ 'svc-db-' ~ database_type ].hostname if applications | get_app_conf(database_application_id, 'features.central_database', False) else 'database' }}"
-database_name:      "{{ applications[ database_application_id ].database.name | default( database_application_id ) }}"      # The overwritte configuration is needed by bigbluebutton
+database_name:      "{{ applications | get_app_conf(database_application_id, 'database.name', False) | default( database_application_id ) }}"      # The overwritte configuration is needed by bigbluebutton
-database_username:  "{{ applications[ database_application_id ].database.username | default( database_application_id )}}"   # The overwritte configuration is needed by bigbluebutton
+database_username:  "{{ applications | get_app_conf(database_application_id, 'database.username', False) | default( database_application_id )}}"   # The overwritte configuration is needed by bigbluebutton
-database_password:  "{{ applications[ database_application_id ].credentials.database_password }}"
+database_password:  "{{ applications | get_app_conf(database_application_id, 'credentials.database_password', true) }}"
 database_port:      "{{ applications[ 'svc-db-' ~ database_type ].port }}"
 database_env:       "{{docker_compose.directories.env}}{{database_type}}.env"
 database_url_jdbc:  "jdbc:{{ database_type if database_type == 'mariadb' else 'postgresql' }}://{{ database_host }}:{{ database_port }}/{{ database_name }}"

roles/desk-chromium/config/main.yml

@@ -0,0 +1,22 @@
+# Concerning configuration options checkout:
+# https://chromeenterprise.google/policies/#ExtensionSettings
+password_manager_enabled: false
+default_installation_mode: allowed
+plugins:
+  # UBlock Origin
+  - id: "cjpalhdlnbpafiamejdnhcphjbkeiagm"
+    update_url: "https://clients2.google.com/service/update2/crx"
+    incognito: true
+    installation_mode: "force_installed"
+
+  # KeepassXC
+  - id: "ddkjiahejlhfcafbddmgiahcphecmpfh"
+    update_url: "https://clients2.google.com/service/update2/crx"
+    incognito: false
+    installation_mode: "force_installed"
+
+  # Dark Mode Extension
+  - id: "dmghijelimhndkbmpgbldicpogfkceaj"
+    update_url: "https://clients2.google.com/service/update2/crx"
+    incognito: true
+    installation_mode: "force_installed"

roles/desk-chromium/templates/configuration.yml.j2

@@ -1,23 +0,0 @@
-# Concerning configuration options checkout:
-# https://chromeenterprise.google/policies/#ExtensionSettings
-chromium:
-  password_manager_enabled: false
-  default_installation_mode: allowed
-  plugins:
-    # UBlock Origin
-    - id: "cjpalhdlnbpafiamejdnhcphjbkeiagm"
-      update_url: "https://clients2.google.com/service/update2/crx"
-      incognito: true
-      installation_mode: "force_installed"
-
-    # KeepassXC
-    - id: "ddkjiahejlhfcafbddmgiahcphecmpfh"
-      update_url: "https://clients2.google.com/service/update2/crx"
-      incognito: false
-      installation_mode: "force_installed"
-
-    # Dark Mode Extension
-    - id: "dmghijelimhndkbmpgbldicpogfkceaj"
-      update_url: "https://clients2.google.com/service/update2/crx"
-      incognito: true
-      installation_mode: "force_installed"

roles/desk-chromium/templates/extensions_policy.json.j2

@@ -1,14 +1,14 @@
 {
   "ExtensionInstallForcelist": [
-    {% for plugin in applications[application_id].chromium.plugins -%}
+    {% for plugin in applications | get_app_conf(application_id, 'plugins', True) -%}
     "{{ plugin.id }};{{ plugin.update_url }}"{% if not loop.last %},{% endif %}
     {% endfor %}
   ],
   "ExtensionSettings": {
     "*": {
-      "installation_mode": "{{ applications[application_id].default_installation_mode }}"
+      "installation_mode": "{{ applications | get_app_conf(application_id, 'default_installation_mode', True) }}"
     }
-    {% for plugin in applications[application_id].chromium.plugins -%},
+    {% for plugin in applications | get_app_conf(application_id, 'plugins', True) -%},
     "{{ plugin.id }}": {
       "installation_mode": "{{ plugin.installation_mode }}",
       "update_url": "{{ plugin.update_url }}",
@@ -16,5 +16,5 @@
     }
     {% endfor %}
   },
-  "PasswordManagerEnabled": {{ applications[application_id].password_manager_enabled }}
+  "PasswordManagerEnabled": {{ applications | get_app_conf(application_id, 'password_manager_enabled', True) }}
 }

roles/desk-firefox/templates/policies.json.j2

@@ -2,7 +2,7 @@
     "policies": {
       "Extensions": {
         "Install": [
-          {% for plugin in applications[application_id].plugins -%}
+          {% for plugin in applications | get_app_conf(application_id, 'plugins', True) -%}
             "{{ plugin }}"{% if not loop.last %},{% endif %}
           {% endfor %}
         ]

roles/desk-gnome-extensions/tasks/main.yml

@@ -10,5 +10,5 @@
 
 - name: Execute CLI GNOME Extension manager script
   ansible.builtin.shell: cli-gnome-extension-manager "{{ item[0] }}" "{{ item[1] }}" "{{ item[2] }}"
-  loop: "{{ applications[application_id].plugins }}"
+  loop: "{{ applications | get_app_conf(application_id, 'plugins', True) }}"
   become: false

roles/docker-compose/templates/base.yml.j2

@@ -1,15 +1,15 @@
 {# Base template for all docker-compose.yml.j2 #}
 services:
 {# Load Database #}
-{% if applications[application_id].docker.services.database.enabled | default(false) | bool %}
+{% if applications | is_docker_service_enabled(application_id, 'database') %}
 {% include 'roles/cmp-rdbms/templates/services/main.yml.j2' %}
 {% endif %}
 {# Load Redis #}
-{% if applications[application_id].docker.services.redis.enabled | default(false) | bool %}
+{% if applications | is_docker_service_enabled(application_id, 'redis') %}
 {% include 'roles/svc-db-redis/templates/service.yml.j2' %}
 {% endif %}
 {# Load OAuth2 Proxy #}
-{% if applications | is_feature_enabled('oauth2',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
 {% include 'roles/web-app-oauth2-proxy/templates/container.yml.j2' %}
 {% endif %}
 {{ "\n" }}

roles/docker-compose/templates/networks.yml.j2

@@ -1,10 +1,11 @@
 {# This template needs to be included in docker-compose.yml #}
 networks:
-{% if applications | is_feature_enabled('central_database',application_id) and database_type is defined %}
+{% if applications | get_app_conf(application_id, 'features.central_database', False) and database_type is defined %}
+
   {{ applications[ 'svc-db-' ~ database_type ].network }}:
     external: true
 {% endif %}
-{% if applications[application_id].get('features', {}).get('ldap', false) and applications['svc-db-openldap'].network.docker | bool %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) and applications['svc-db-openldap'].network.docker | bool %}
   svc-db-openldap:
     external: true
 {% endif %}

roles/docker-compose/templates/volumes-just-database.yml.j2

@@ -1,5 +1,5 @@
 {# This needs to be included in docker-compose.yml which just contain a database volume #}
-{% if not applications | is_feature_enabled('central_database',application_id) %}
+{% if not applications | get_app_conf(application_id, 'features.central_database', False)%}
 volumes:
   database:
 {% endif %}

roles/docker-compose/templates/volumes.yml.j2

@@ -1,6 +1,6 @@
 {# This template needs to be included in docker-compose.yml which contain a database and additional volumes #}
 volumes:
-{% if not applications | is_feature_enabled('central_database',application_id) %}
+{% if not applications | get_app_conf(application_id, 'features.central_database', False)%}
   database:
 {% endif %}
 {{ "\n" }}

roles/docker-container/templates/depends_on/dbms_base.yml.j2

@@ -1,8 +1,8 @@
-{% if not applications | is_feature_enabled('central_database',application_id) %}
+{% if not applications | get_app_conf(application_id, 'features.central_database', False)%}
       {{ database_host }}:
         condition: service_healthy
 {% endif %}
-{% if applications[application_id].docker.services.redis.enabled | default(false) | bool %}
+{% if applications | is_docker_service_enabled(application_id, 'redis') %}
       redis:
         condition: service_healthy
 {% endif %}

roles/docker-container/templates/depends_on/dmbs_excl.yml.j2

@@ -1,7 +1,7 @@
 {# This template needs to be included in docker-compose.yml containers, which depend on a database, redis and optional additional volumes #}
 {% if
-      (applications[application_id].docker.services.redis.enabled | default(false)| bool) or
+      applications | is_docker_service_enabled(application_id, 'redis') or
-      not applications | is_feature_enabled('central_database',application_id) 
+      not applications | get_app_conf(application_id, 'features.central_database', False)
     %}
     depends_on:
 {% include "roles/docker-container/templates/depends_on/dbms_base.yml.j2" %}

roles/docker-container/templates/networks.yml.j2

@@ -1,9 +1,9 @@
 {# This template needs to be included in docker-compose.yml containers #}
     networks:
-{% if applications | is_feature_enabled('central_database',application_id) | bool and database_type is defined %}
+{% if applications | get_app_conf(application_id, 'features.central_database', False)| bool and database_type is defined %}
       {{ applications[ 'svc-db-' ~ database_type ].network }}:
 {% endif %}
-{% if applications[application_id].get('features', {}).get('ldap', false) | bool and applications['svc-db-openldap'].network.docker|bool %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) | bool and applications['svc-db-openldap'].network.docker|bool %}
       svc-db-openldap:
 {% endif %}
       default:

roles/srv-proxy-6-6-domain/tasks/main.yml

@@ -29,8 +29,8 @@
 - name: "set oauth2_proxy_application_id (Needed due to lazzy loading issue)"
   set_fact:
     oauth2_proxy_application_id: "{{ application_id }}"
-  when: applications | is_feature_enabled('oauth2',application_id)
+  when: applications | get_app_conf(application_id, 'features.oauth2', False)
 
 - name: "include the web-app-oauth2-proxy role {{domain}}"
   include_tasks: "{{ playbook_dir }}/roles/web-app-oauth2-proxy/tasks/main.yml"
-  when: applications | is_feature_enabled('oauth2',application_id)
+  when: applications | get_app_conf(application_id, 'features.oauth2', False)

roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2

@@ -2,7 +2,7 @@ server
 {
   server_name {{domain}};
 
-  {% if applications | is_feature_enabled('oauth2',application_id) %}
+  {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
     {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
   {% endif %}
 
@@ -15,8 +15,8 @@ server
 
   {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
 
-  {% if applications | is_feature_enabled('oauth2', application_id) %}
+  {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
-    {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
+    {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', True) | default({}) %}
 
     {% if acl.blacklist is defined %}
       {# 1. Expose everything by default, then protect blacklisted paths #}

roles/srv-web-7-7-inj-compose/tasks/main.yml

@@ -1,19 +1,19 @@
 - name: "Activate Global CSS for {{domain}}"
   include_role:
     name: srv-web-7-7-inj-css
-  when: applications | is_feature_enabled('css',application_id)
+  when: applications | get_app_conf(application_id, 'features.css', False)
 
 - name: "Activate Global Matomo Tracking for {{domain}}"
   include_role:
     name: srv-web-7-7-inj-matomo
-  when: applications | is_feature_enabled('matomo',application_id)
+  when: applications | get_app_conf(application_id, 'features.matomo', False)
 
 - name: "Activate Portfolio iFrame Notifier for {{ domain }}"
   include_role:
     name: srv-web-7-7-inj-iframe
-  when: applications | is_feature_enabled('portfolio_iframe', application_id)
+  when: applications | get_app_conf(application_id, 'features.port-ui-desktop', False)
 
 - name: "Activate Javascript for {{ domain }}"
   include_role:
     name: srv-web-7-7-inj-javascript
-  when: applications | is_feature_enabled('javascript', application_id)
+  when: applications | get_app_conf(application_id, 'features.javascript', False)

roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2

@@ -2,10 +2,10 @@
 sub_filter_once off;
 sub_filter_types text/html;
 
-{% set modifier_css_enabled     = applications | is_feature_enabled('css',application_id) %}
+{% set modifier_css_enabled     = applications | get_app_conf(application_id, 'features.css', False) %}
-{% set modifier_matomo_enabled  = applications | is_feature_enabled('matomo',application_id) %}
+{% set modifier_matomo_enabled  = applications | get_app_conf(application_id, 'features.matomo', False) %}
-{% set modifier_iframe_enabled  = applications | is_feature_enabled('portfolio_iframe',application_id) %}
+{% set modifier_iframe_enabled  = applications | get_app_conf(application_id, 'features.port-ui-desktop', False) %}
-{% set modifier_javascript_enabled  = applications | is_feature_enabled('javascript',application_id) %}
+{% set modifier_javascript_enabled  = applications | get_app_conf(application_id, 'features.javascript', False) %}
 
 {% if modifier_iframe_enabled or modifier_css_enabled or modifier_matomo_enabled or modifier_javascript_enabled %}
 sub_filter '</head>' ' 

roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.conf.j2

@@ -1,2 +1,2 @@
 # sub filters to integrate matomo tracking code in nginx websites
-sub_filter '</body>' '<noscript><p><img src="//matomo.{{primary_domain}}/matomo.php?idsite={{matomo_site_id}}&rec=1" style="border:0;" alt="" /></p></noscript></body>';
+sub_filter '</body>' '<noscript><p><img src="//{{ domains | get_domain('web-app-matomo') }}/matomo.php?idsite={{matomo_site_id}}&rec=1" style="border:0;" alt="" /></p></noscript></body>';

roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.js.j2

@@ -7,7 +7,7 @@ _paq.push(["trackPageView"]);
 _paq.push(["trackAllContentImpressions"]);
 _paq.push(["enableLinkTracking"]);
 (function() {
-  var u="//{{ domains | get_domain('matomo') }}/";
+  var u="//{{ domains | get_domain('web-app-matomo') }}/";
   _paq.push(["setTrackerUrl", u+"matomo.php"]);
   _paq.push(["setSiteId", "{{matomo_site_id}}"]);
   var d=document, g=d.createElement("script"), s=d.getElementsByTagName("script")[0];

roles/srv-web-7-7-inj-matomo/vars/main.yml

@@ -1,4 +1,4 @@
 base_domain:              "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
-matomo_index_php_url:     "{{ domains | get_url('matomo', web_protocol) }}/index.php"
+matomo_index_php_url:     "{{ domains | get_url('web-app-matomo', web_protocol) }}/index.php"
-matomo_auth_token:        "{{ applications.matomo.credentials.auth_token }}"
+matomo_auth_token:        "{{ applications['web-app-matomo'].credentials.auth_token }}"
 matomo_verification_url:  "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"

roles/svc-db-mariadb/config/main.yml

@@ -1,4 +1,5 @@
 version:  "latest"
 hostname: "svc-db-mariadb"
-network:  "svc-db-mariadb"
+network:  "<< defaults_applications[svc-db-mariadb].hostname >>"
-port:     5432
+port:     5432
+volume:   "<< defaults_applications[svc-db-mariadb].hostname >>_data"

roles/svc-db-mariadb/tasks/main.yml

@@ -17,7 +17,7 @@
     networks:
       - name: "{{ applications['svc-db-mariadb'].network }}"
     volumes:
-      - mariadb_database:/var/lib/mysql
+      - "{{ applications['svc-db-mariadb'].volume }}:/var/lib/mysql"
     published_ports:
       - "127.0.0.1:{{database_port}}:3306" # can be that this will be removed if all applications use sockets
     command: "--transaction-isolation=READ-COMMITTED --binlog-format=ROW" #for nextcloud
@@ -36,7 +36,7 @@
     state: present
   when: run_once_docker_mariadb is not defined
 
-- name: Wait until the MariaDB container is healthy
+- name: "Wait until the MariaDB container (hostname {{ applications['svc-db-mariadb'].hostname }}) is healthy"
   community.docker.docker_container_info:
     name: "{{ applications['svc-db-mariadb'].hostname }}"
   register: db_info

roles/svc-db-openldap/handlers/main.yml

@@ -1,6 +1,6 @@
 - name: Load memberof module from file in OpenLDAP container
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/01_member_of_configuration.ldif
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/01_member_of_configuration.ldif
   listen: 
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -10,7 +10,7 @@
 
 - name: Refint Module Activation for OpenLDAP
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/02_member_of_configuration.ldif
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/02_member_of_configuration.ldif
   listen: 
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -22,7 +22,7 @@
 
 - name: "Import schemas"
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
   failed_when: ldapadd_result.rc not in [0, 80]
@@ -33,7 +33,7 @@
 
 - name: Refint Overlay Configuration for OpenLDAP
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/03_member_of_configuration.ldif
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/03_member_of_configuration.ldif
   listen:
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -45,7 +45,7 @@
 
 - name: "Import users, groups, etc. to LDAP"
   shell: >
-    docker exec -i {{ applications[application_id].hostname }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
   failed_when: ldapadd_result.rc not in [0, 20, 68]

roles/svc-db-openldap/tasks/main.yml

@@ -9,17 +9,17 @@
     src:  "nginx.stream.conf.j2" 
     dest: "{{nginx.directories.streams}}{{domains | get_domain(application_id)}}.conf"
   notify: restart nginx
-  when: applications[application_id].network.public | bool
+  when: applications | get_app_conf(application_id, 'network.public', True) | bool
 
 - name: Remove {{domains | get_domain(application_id)}}.conf if LDAP is not exposed to internet
   file:
     path: "{{ nginx.directories.streams }}{{ domains | get_domain(application_id) }}.conf"
     state: absent
-  when: not applications[application_id].network.public | bool
+  when: not applications | get_app_conf(application_id, 'network.public', True) | bool
 
 - name: create docker network for LDAP, so that other applications can access it
   docker_network:
-    name: "{{ applications[application_id].network.name }}"
+    name: "{{ applications | get_app_conf(application_id, 'network.name', True) }}"
     state: present
     ipam_config:
       - subnet: "{{ networks.local['svc-db-openldap'].subnet }}"
@@ -36,7 +36,7 @@
 
 - name: "Reset LDAP admin passwords"
   include_tasks: reset_admin_passwords.yml
-  when: applications[application_id].network.local
+  when: applications | get_app_conf(application_id, 'network.local', True)
 
 - name: "create directory {{ldif_host_path}}{{item}}"
   file:

roles/svc-db-openldap/tasks/reset_admin_passwords.yml

@@ -3,7 +3,7 @@
 
 - name: "Query available LDAP databases"
   shell: |
-    docker exec {{ applications[application_id].hostname }} \
+    docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \
       ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "(olcDatabase=*)" dn
   register: ldap_databases
 
@@ -27,13 +27,13 @@
 
 - name: "Generate hash for Database Admin password"
   shell: |
-    docker exec {{ applications[application_id].hostname }} \
+    docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \
       slappasswd -s "{{ ldap.bind_credential }}"
   register: database_admin_pw_hash
 
 - name: "Reset Database Admin password in LDAP (olcRootPW)"
   shell: |
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
     dn: {{ data_backend_dn }}
     changetype: modify
     replace: olcRootPW
@@ -42,13 +42,13 @@
 
 - name: "Generate hash for Configuration Admin password"
   shell: |
-    docker exec {{ applications[application_id].hostname }} \
+    docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \
-      slappasswd -s "{{ applications[application_id].credentials.administrator_password }}"
+      slappasswd -s "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
   register: config_admin_pw_hash
 
 - name: "Reset Configuration Admin password in LDAP (olcRootPW)"
   shell: |
-    docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
     dn: {{ config_backend_dn }}
     changetype: modify
     replace: olcRootPW

roles/svc-db-openldap/templates/docker-compose.yml.j2

@@ -1,10 +1,10 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images.openldap }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.openldap', True) }}"
-    container_name: {{ applications[application_id].hostname }}
+    container_name: {{ applications | get_app_conf(application_id, 'hostname', True) }}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% if applications[application_id].network.public | bool or applications[application_id].network.local | bool %}
+{% if applications | get_app_conf(application_id, 'network.public', True) | bool or applications | get_app_conf(application_id, 'network.local', True) | bool %}
     ports:
       - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{ldap_docker_port}}
 {% endif %}

roles/svc-db-openldap/templates/env.j2

@@ -3,7 +3,7 @@
       
 # GENERAL
 ## Admin (Data)
-LDAP_ADMIN_USERNAME=        {{applications[application_id].users.administrator.username}} # LDAP database admin user.
+LDAP_ADMIN_USERNAME=        {{applications | get_app_conf(application_id, 'users.administrator.username', True)}} # LDAP database admin user.
 LDAP_ADMIN_PASSWORD=        {{ldap.bind_credential}}                                      # LDAP database admin password.
 
 ## Users
@@ -14,8 +14,8 @@ LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or su
 ## Admin (Config)
 LDAP_ADMIN_DN=              {{ldap.dn.administrator.data}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
-LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}}
+LDAP_CONFIG_ADMIN_USERNAME= {{applications | get_app_conf(application_id, 'users.administrator.username', True)}}
-LDAP_CONFIG_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_password}}
+LDAP_CONFIG_ADMIN_PASSWORD= {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}
   
 # Network
 LDAP_PORT_NUMBER=           {{ldap_docker_port}}            # Route to default port

roles/svc-db-openldap/vars/main.yml

@@ -4,9 +4,9 @@ application_id:     "svc-db-openldap"
 ldaps_docker_port:  636
 ldap_docker_port:   389
 ldap_server_uri:    "ldap://127.0.0.1:{{ ports.localhost.ldap['svc-db-openldap'] }}"
-ldap_hostname:      "{{ applications[application_id].hostname }}"
+ldap_hostname:      "{{ applications | get_app_conf(application_id, 'hostname', True) }}"
 ldap_bind_dn:       "{{ ldap.dn.administrator.configuration }}"
-ldap_bind_pw:       "{{ applications[application_id].credentials.administrator_password }}"
+ldap_bind_pw:       "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
 
 # LDIF Variables
 ldif_host_path:     "{{docker_compose.directories.volumes}}ldif/"

roles/svc-db-postgres/config/main.yml

@@ -1,6 +1,7 @@
 hostname: "svc-db-postgres"
-network:  "svc-db-postgres"
+network:  "<< defaults_applications[svc-db-postgres].hostname >>"
 port:     5432
+volume:   "<< defaults_applications[svc-db-postgres].hostname >>"
 docker:
   images:
     # Postgis is necessary for mobilizon

roles/svc-db-postgres/tasks/init_database.yml

@@ -13,7 +13,7 @@
     name: "{{ database_name }}"
     state: present
     login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host: 127.0.0.1
     login_port: "{{ database_port }}"
 
@@ -25,7 +25,7 @@
     db:             "{{ database_name }}"
     state:          present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
 
@@ -34,7 +34,7 @@
   postgresql_query:
     db: postgres
     login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host: 127.0.0.1
     login_port: "{{ database_port }}"
     query: |
@@ -52,7 +52,7 @@
     schema: public
     state:  present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
 
@@ -65,7 +65,7 @@
     privs: ALL
     state: present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
 
@@ -74,7 +74,7 @@
   postgresql_query:
     db: "{{ database_name }}"
     login_user: postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host: 127.0.0.1
     login_port: "{{ database_port }}"
     query: |
@@ -90,7 +90,7 @@
     ext:        "{{ item }}"
     state:      present
     login_user:     postgres
-    login_password: "{{ applications[application_id].credentials.postgres_password }}"
+    login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
     login_host:     127.0.0.1
     login_port:     "{{ database_port }}"
   loop:

roles/svc-db-postgres/tasks/main.yml

@@ -1,6 +1,6 @@
 - name: Create Docker network for PostgreSQL
   docker_network:
-    name: "{{ applications[application_id].network }}"
+    name: "{{ applications | get_app_conf(application_id, 'network', True) }}"
     state: present
     ipam_config:
       - subnet: "{{ networks.local['svc-db-postgres'].subnet }}"
@@ -8,18 +8,18 @@
 
 - name: Install PostgreSQL
   docker_container:
-    name: "{{ applications[application_id].hostname }}"
+    name: "{{ applications | get_app_conf(application_id, 'hostname', True) }}"
     image: "{{ applications | get_docker_image(application_id) }}"
     detach: yes
     env:
-      POSTGRES_PASSWORD: "{{ applications[application_id].credentials.postgres_password }}"
+      POSTGRES_PASSWORD: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}"
       POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C" # Necessary for web-app-matrix
     networks:
-      - name: "{{ applications[application_id].network }}"
+      - name: "{{ applications | get_app_conf(application_id, 'network', True) }}"
     published_ports:
-      - "127.0.0.1:{{ applications[application_id].port }}:5432"
+      - "127.0.0.1:{{ applications | get_app_conf(application_id, 'port', True) }}:5432"
     volumes:
-      - postgres_database:/var/lib/postgresql/data
+      - "{{ applications['svc-db-postgres'].volume }}:/var/lib/postgresql/data"
     restart_policy: "{{ docker_restart_policy }}"
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U postgres"]
@@ -31,7 +31,7 @@
   when: run_once_docker_postgres is not defined
 
 - name: Wait for Postgres inside the container
-  shell: "docker exec {{ applications[application_id].hostname }} pg_isready -U postgres"
+  shell: "docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} pg_isready -U postgres"
   register: pg_ready
   until: pg_ready.rc == 0
   retries: 30

roles/web-app-akaunting/config/main.yml

@@ -6,7 +6,7 @@ setup_admin_email:  "{{ users.administrator.email }}"
 features:
   matomo:           true
   css:              true
-  portfolio_iframe: true
+  port-ui-desktop: true
   central_database: true
 domains:
   canonical:

roles/web-app-akaunting/templates/docker-compose.yml.j2

@@ -3,7 +3,7 @@
 
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 
-    image: "{{ applications[application_id].images[application_id] }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
     build:
       context: .
     ports:

roles/web-app-akaunting/templates/env.j2

@@ -14,9 +14,9 @@ DB_PASSWORD={{database_password}}
 DB_PREFIX=asd_
 
 # These define the first company to exist on this instance. They are only used during setup.
-COMPANY_NAME={{applications[application_id].company_name}}
+COMPANY_NAME={{applications | get_app_conf(application_id, 'company_name', True)}}
-COMPANY_EMAIL={{applications[application_id].company_email}}
+COMPANY_EMAIL={{applications | get_app_conf(application_id, 'company_email', True)}}
 
 # This will be the first administrative user created on setup.
 ADMIN_EMAIL={{applications.akaunting.setup_admin_email}}
-ADMIN_PASSWORD={{applications[application_id].credentials.setup_admin_password}}
+ADMIN_PASSWORD={{applications | get_app_conf(application_id, 'credentials.setup_admin_password', True)}}

roles/web-app-akaunting/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:             "akaunting"
 database_type:              "mariadb"
-database_password:          "{{ applications[application_id]].credentials.database_password }}"
+database_password:          "applications | get_app_conf(application_id, 'credentials.database_password', True)"
 docker_repository_address:  "https://github.com/akaunting/docker.git"

roles/web-app-attendize/config/main.yml

@@ -4,7 +4,7 @@ image:
 features:
   matomo:           true
   css:              true
-  portfolio_iframe: true
+  port-ui-desktop: true
   central_database: true
 docker:
   services:

roles/web-app-attendize/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   web:
-    image: "{{ applications[application_id].images.web }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.web', True) }}"
     ports:
     - "{{ports.localhost.http[application_id]}}:80"
     volumes:
@@ -15,7 +15,7 @@
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
   worker:
-    image: "{{ applications[application_id].images.worker }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.worker', True) }}"
 {% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
       maildev:
 {% include 'roles/docker-container/templates/networks.yml.j2' %}

roles/web-app-baserow/config/main.yml

@@ -3,7 +3,7 @@ images:
 features:
   matomo:             true
   css:                true
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   central_database:   true
 docker:
   services:

roles/web-app-baserow/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].images.baserow }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.baserow', True) }}"
     container_name: baserow-application
     volumes:
       - data:/baserow/data

roles/web-app-bigbluebutton/config/main.yml

@@ -7,7 +7,7 @@ api_suffix:           "/bigbluebutton/"
 features:
   matomo:             true
   css:                true
-  portfolio_iframe:   false # Videos can't open in frame due to iframe restrictions
+  port-ui-desktop:   false # Videos can't open in frame due to iframe restrictions
                             # @todo fix this
   ldap:               false
   oidc:               true

roles/web-app-bigbluebutton/tasks/main.yml

@@ -5,7 +5,7 @@
     name: docker-compose
   vars:
     database_instance:  "{{ application_id }}"
-    database_password:  "{{ applications[application_id].credentials.postgresql_secret }}"
+    database_password:  "{{ applications | get_app_conf(application_id, 'credentials.postgresql_secret', True) }}"
     database_username:  "postgres"
     database_name:      ""                              # Multiple databases
 
@@ -13,7 +13,7 @@
   include_tasks:        "{{ playbook_dir }}/roles/sys-bkp-docker-to-local/tasks/seed-database-to-backup.yml"
   vars:
     database_instance:  "{{ application_id }}"
-    database_password:  "{{ applications[application_id].credentials.postgresql_secret }}"
+    database_password:  "{{ applications | get_app_conf(application_id, 'credentials.postgresql_secret', True) }}"
     database_username:  "postgres"
     database_name:      ""                              # Multiple databases
 

roles/web-app-bigbluebutton/templates/env.j2

@@ -1,7 +1,7 @@
 ENABLE_COTURN=true
 COTURN_TLS_CERT_PATH={{ certbot_cert_path }}/{{ ssl_cert_folder }}/fullchain.pem
 COTURN_TLS_KEY_PATH={{ certbot_cert_path }}/{{ ssl_cert_folder }}/privkey.pem
-ENABLE_GREENLIGHT={{applications[application_id].enable_greenlight}}
+ENABLE_GREENLIGHT={{applications | get_app_conf(application_id, 'enable_greenlight', True)}}
 
 # Enable Webhooks
 # used by some integrations
@@ -27,11 +27,11 @@ RECORDING_MAX_AGE_DAYS=365
 # SECRETS
 # ====================================
 # important! change these to any random values
-SHARED_SECRET={{applications[application_id].credentials.shared_secret}}
+SHARED_SECRET={{applications | get_app_conf(application_id, 'credentials.shared_secret', True)}}
-ETHERPAD_API_KEY={{applications[application_id].credentials.etherpad_api_key}}
+ETHERPAD_API_KEY={{applications | get_app_conf(application_id, 'credentials.etherpad_api_key', True)}}
-RAILS_SECRET={{applications[application_id].credentials.rails_secret}}
+RAILS_SECRET={{applications | get_app_conf(application_id, 'credentials.rails_secret', True)}}
-POSTGRESQL_SECRET={{applications[application_id].credentials.postgresql_secret}}
+POSTGRESQL_SECRET={{applications | get_app_conf(application_id, 'credentials.postgresql_secret', True)}}
-FSESL_PASSWORD={{applications[application_id].credentials.fsesl_password}}
+FSESL_PASSWORD={{applications | get_app_conf(application_id, 'credentials.fsesl_password', True)}}
 
 # ====================================
 # CONNECTION
@@ -51,7 +51,7 @@ STUN_PORT={{ ports.public.stun[application_id] }}
 # TURN SERVER
 # uncomment and adjust following two lines to add an external TURN server
 TURN_SERVER=turns:{{domains | get_domain(application_id)}}:{{ ports.public.turn[application_id] }}?transport=tcp
-TURN_SECRET={{applications[application_id].credentials.turn_secret}}
+TURN_SECRET={{applications | get_app_conf(application_id, 'credentials.turn_secret', True)}}
 
 # Allowed SIP IPs
 # due to high traffic caused by bots, by default the SIP port is blocked.
@@ -158,7 +158,7 @@ OFFICE365_HD=
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=
 
-{% if applications | is_feature_enabled('ldap',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
 # LDAP Login Provider (optional)
 #
 # You can enable LDAP authentication by providing values for the variables below.
@@ -283,7 +283,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite
 
-{% if applications | is_feature_enabled('oidc',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.oidc', False) %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #

roles/web-app-bluesky/config/main.yml

@@ -5,7 +5,7 @@ pds:
 features:
   matomo:           true
   css:              true
-  portfolio_iframe: true
+  port-ui-desktop: true
   central_database: true
 domains:
   canonical:

roles/web-app-bluesky/templates/docker-compose.yml.j2

@@ -3,7 +3,7 @@
   pds:
 {% set container_port = 3000 %}
 {% set container_healthcheck = 'xrpc/_health' %}
-    image: "{{ applications[application_id].images.pds }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.pds', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
         - pds_data:/opt/pds

roles/web-app-discourse/config/main.yml

@@ -4,7 +4,7 @@ repository: "discourse_repository"  # Name of the repository folder
 features:
   matomo:             true
   css:                true
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   oidc:               true
   central_database:   true
   ldap:               false         # @todo implement and activate

roles/web-app-discourse/handlers/main.yml

@@ -1,23 +1,23 @@
 ---
 - name: "stop and remove discourse container if it exist"
   docker_container:
-    name: "{{applications[application_id].container}}"
+    name: "{{applications | get_app_conf(application_id, 'container', True)}}"
     state: absent
   register: container_action
   failed_when: container_action.failed and 'No such container' not in container_action.msg
   listen: recreate discourse
   
 - name: "add central database temporary to {{application_id}}_default"
-  command: docker network connect {{applications[application_id].network}} {{ database_host }}
+  command: docker network connect {{applications | get_app_conf(application_id, 'network', True)}} {{ database_host }}
   failed_when: >
     result.rc != 0 and
     'already exists in network' not in result.stderr
   register: result
-  when: applications | is_feature_enabled('central_database', application_id)
+  when: applications | get_app_conf(application_id, 'features.central_database', False)
   listen: recreate discourse
 
 - name: rebuild discourse
-  shell: ./launcher rebuild {{applications[application_id].container}}
+  shell: ./launcher rebuild {{applications | get_app_conf(application_id, 'container', True)}}
   args:
     executable: /bin/bash  
     chdir: "{{docker_repository_directory }}"

roles/web-app-discourse/tasks/main.yml

@@ -43,29 +43,29 @@
   meta: flush_handlers
   when: run_once_docker_discourse is not defined
 
-- name: "Connect {{ applications[application_id].container }} to network {{ applications['svc-db-postgres'].network }}"
+- name: "Connect {{ applications | get_app_conf(application_id, 'container', True) }} to network {{ applications['svc-db-postgres'].network }}"
   command: >
-    docker network connect {{ applications['svc-db-postgres'].network }} {{ applications[application_id].container }}
+    docker network connect {{ applications['svc-db-postgres'].network }} {{ applications | get_app_conf(application_id, 'container', True) }}
   register: network_connect
   failed_when: >
     network_connect.rc != 0 and
-    'Error response from daemon: endpoint with name {{ applications[application_id].container }} already exists in network {{ applications["svc-db-postgres"].network }}'
+    'Error response from daemon: endpoint with name {{ applications | get_app_conf(application_id, 'container', True) }} already exists in network {{ applications["svc-db-postgres"].network }}'
     not in network_connect.stderr
   changed_when: network_connect.rc == 0
   when:
-    - applications | is_feature_enabled('central_database', application_id)
+    - applications | get_app_conf(application_id, 'features.central_database', False)
     - run_once_docker_discourse is not defined
 
-- name: "Remove {{ applications[application_id].network }} from {{ database_host }}"
+- name: "Remove {{ applications | get_app_conf(application_id, 'network', True) }} from {{ database_host }}"
   command: >
-    docker network disconnect {{ applications[application_id].network }} {{ database_host }}
+    docker network disconnect {{ applications | get_app_conf(application_id, 'network', True) }} {{ database_host }}
   register: network_disconnect
   failed_when: >
     network_disconnect.rc != 0 and
-    'is not connected to network {{ applications[application_id].network }}' not in network_disconnect.stderr
+    'is not connected to network {{ applications | get_app_conf(application_id, 'network', True) }}' not in network_disconnect.stderr
   changed_when: network_disconnect.rc == 0
   when:
-    - applications | is_feature_enabled('central_database', application_id)
+    - applications | get_app_conf(application_id, 'features.central_database', False)
     - run_once_docker_discourse is not defined
 
 - name: run the docker_discourse tasks once

roles/web-app-discourse/tasks/reset.yml

@@ -3,7 +3,7 @@
 
 - name: "cleanup central database from {{application_id}}_default network"
   command:
-    cmd: "docker network disconnect {{applications[application_id].network}} {{ database_host }}"
+    cmd: "docker network disconnect {{applications | get_app_conf(application_id, 'network', True)}} {{ database_host }}"
   ignore_errors: true
 
 - name: "destroy container discourse_application"

roles/web-app-discourse/templates/discourse_application.yml.j2

@@ -1,5 +1,5 @@
 templates:
-{% if not applications | is_feature_enabled('central_database',application_id) %}
+{% if not applications | get_app_conf(application_id, 'features.central_database', False)%}
   - "templates/postgres.template.yml"
 {% endif %}
   #- "templates/redis.template.yml"
@@ -112,11 +112,11 @@ hooks:
           - git clone --depth=1 https://github.com/discourse/discourse-voting.git
           - git clone --depth=1 https://github.com/discourse/discourse-oauth2-basic.git
 
-{% if applications | is_feature_enabled('oidc',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.oidc', False) %}
           - git clone --depth=1 https://github.com/discourse/discourse-openid-connect.git
 {% endif %}
 
-{% if applications | is_feature_enabled('ldap',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
           - git clone --depth=1 https://github.com/jonmbake/discourse-ldap-auth.git
 {% endif %}
 
@@ -127,7 +127,7 @@ run:
   ## If you want to set the 'From' email address for your first registration, uncomment and change:
   ## After getting the first signup email, re-comment the line. It only needs to run once.
   #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
-{% if applications | is_feature_enabled('oidc',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.oidc', False) %}
   # Deactivate Default Login
   - exec: rails r "SiteSetting.enable_local_logins = false"
   - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589
@@ -151,7 +151,7 @@ run:
   - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"
 {% endif %}
 
-{% if applications | is_feature_enabled('ldap',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
   # Enable LDAP authentication
   - exec: rails r "SiteSetting.ldap_auth_enabled = true"
   - exec: rails r "SiteSetting.ldap_sync_enabled = true"
@@ -178,4 +178,4 @@ run:
 
 docker_args:
   - --network={{application_id}}_default
-  - --name={{applications[application_id].container}}
+  - --name={{applications | get_app_conf(application_id, 'container', True)}}

roles/web-app-discourse/vars/main.yml

@@ -1,6 +1,6 @@
 application_id:                         "discourse"
-database_password:                      "{{ applications[application_id].credentials.database_password }}"
+database_password:                      "{{ applications | get_app_conf(application_id, 'credentials.database_password', True) }}"
 database_type:                          "postgres"
-docker_repository_directory :           "{{docker_compose.directories.services}}{{applications[application_id].repository}}/"
+docker_repository_directory :           "{{docker_compose.directories.services}}{{applications | get_app_conf(application_id, 'repository', True)}}/"
-discourse_application_yml_destination:  "{{docker_repository_directory }}containers/{{applications[application_id].container}}.yml"
+discourse_application_yml_destination:  "{{docker_repository_directory }}containers/{{applications | get_app_conf(application_id, 'container', True)}}.yml"
 docker_compose_flush_handlers:          false

roles/web-app-espocrm/config/main.yml

@@ -3,7 +3,7 @@ images:
 features:
   matomo:             true
   css:                false
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   ldap:               false
   oidc:               true
   central_database:   true

roles/web-app-espocrm/templates/docker-compose.yml.j2

@@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   web:
-    image: "{{ applications[application_id].images.espocrm }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
     ports:
@@ -11,7 +11,7 @@
       - data:/var/www/html
 
   daemon:
-    image: "{{ applications[application_id].images.espocrm }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}"
     restart: {{docker_restart_policy}}
     logging:
       driver: journald
@@ -21,7 +21,7 @@
       - data:/var/www/html
 
   websocket:
-    image: "{{ applications[application_id].images.espocrm }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}"
     restart: {{docker_restart_policy}}
     logging:
       driver: journald

roles/web-app-espocrm/templates/env.j2

@@ -19,8 +19,8 @@ CRON_DISABLED=true
 # ------------------------------------------------
 # Initial admin account
 # ------------------------------------------------
-ESPOCRM_ADMIN_USERNAME={{ applications[application_id].users.administrator.username }}
+ESPOCRM_ADMIN_USERNAME={{ applications | get_app_conf(application_id, 'users.administrator.username', True) }}
-ESPOCRM_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }}
+ESPOCRM_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}
 
 # Public base URL of the EspoCRM instance
 ESPOCRM_SITE_URL={{ domains | get_url(application_id, web_protocol) }}
@@ -54,14 +54,14 @@ ESPOCRM_CONFIG_SMTP_SECURITY={{ "TLS" if system_email.start_tls else "SSL"}}
 ESPOCRM_CONFIG_SMTP_AUTH=true
 ESPOCRM_CONFIG_SMTP_USERNAME={{ users['contact'].email }}
 ESPOCRM_CONFIG_SMTP_PASSWORD={{ users['contact'].mailu_token }}
-ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications[application_id].email.from_name}}
+ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications | get_app_conf(application_id, 'email.from_name', True)}}
 ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_ADDRESS={{ users['contact'].email }}
 
 # ------------------------------------------------
 # LDAP settings (optional)
 # Applied only if the feature flag is true
 # ------------------------------------------------
-{% if applications | is_feature_enabled('ldap',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
 ESPOCRM_CONFIG_AUTHENTICATION_METHOD=Ldap
 ESPOCRM_CONFIG_LDAP_HOST={{ ldap.server.domain }}
 ESPOCRM_CONFIG_LDAP_PORT={{ ldap.server.port }}
@@ -77,7 +77,7 @@ ESPOCRM_CONFIG_LDAP_USER_LOGIN_FILTER=(sAMAccountName=%USERNAME%)
 # OpenID Connect settings (optional)
 # Applied only if the feature flag is true
 # ------------------------------------------------
-{% if applications | is_feature_enabled('oidc',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.oidc', False) %}
 
 # ------------------------------------------------
 # OpenID Connect settings

roles/web-app-friendica/config/main.yml

@@ -3,7 +3,7 @@ images:
 features:
   matomo:             true
   css:                false # Temporary deactivated
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   oidc:               false # Implementation doesn't work yet
   central_database:   true
   ldap:               true

roles/web-app-friendica/tasks/main.yml

@@ -12,7 +12,7 @@
     group: 33
     force: yes
   notify: docker compose up
-  when: applications | is_feature_enabled('ldap',application_id)
+  when: applications | get_app_conf(application_id, 'features.ldap', False)
 
 - name: Build friendica_addons based on features
   set_fact:
@@ -22,15 +22,15 @@
         + [{
             'name': item.key,
             'enabled': (
-              applications[application_id].features.oidc
+              applications | get_app_conf(application_id, 'features.oidc', True)
                 if item.key == 'keycloakpassword'
-              else applications[application_id].features.ldap
+              else applications | get_app_conf(application_id, 'features.ldap', True)
                 if item.key == 'ldapauth'
               else (item.value.enabled if item.value is mapping and 'enabled' in item.value else False)
             )
           }]
       }}
-  loop: "{{ applications[application_id].addons | dict2items }}"
+  loop: "{{ applications | get_app_conf(application_id, 'addons', True) | dict2items }}"
   loop_control:
     label: "{{ item.key }}"
 

roles/web-app-friendica/templates/docker-compose.yml.j2

@@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   application:
-    image: "{{ applications[application_id].images.friendica }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.friendica', True) }}"
     {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
       - html:{{ friendica_application_base }}

roles/web-app-friendica/vars/main.yml

@@ -1,7 +1,7 @@
 application_id:     "friendica"
 database_type:      "mariadb"
 
-friendica_no_validation:       "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active
+friendica_no_validation:       "{{ applications | get_app_conf(application_id, 'features.oidc', True) }}" # Email validation is not neccessary if OIDC is active
 friendica_application_base:    "/var/www/html"
 friendica_docker_ldap_config:  "{{friendica_application_base}}/config/ldapauth.config.php"
 friendica_host_ldap_config:    "{{ docker_compose.directories.volumes }}ldapauth.config.php"

roles/web-app-funkwhale/config/main.yml

@@ -15,7 +15,7 @@ docker:
 features:
   matomo:             true
   css:                false
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   ldap:               true
   central_database:   true
   oauth2:             false # Doesn't make sense to activate it atm, because login is possible on homepage

roles/web-app-funkwhale/templates/docker-compose.yml.j2

@@ -53,7 +53,7 @@
   
   typesense:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].docker.images.typesense }}"
+    image: "{{ applications | get_app_conf(application_id, 'docker.images.typesense', True) }}"
     volumes:
       - ./typesense/data:/data
     command: --data-dir /data --enable-cors

roles/web-app-funkwhale/templates/env.j2

@@ -97,9 +97,9 @@ STATIC_ROOT={{funkwhale_static_root}}
 DJANGO_SETTINGS_MODULE=config.settings.production
 
 # Generate one using `openssl rand -base64 45`, for example
-DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}}
+DJANGO_SECRET_KEY={{applications | get_app_conf(application_id, 'credentials.django_secret', True)}}
 
-{% if applications | is_feature_enabled('ldap',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
 # LDAP settings
 # Use the following options to allow authentication on your Funkwhale instance
 # using a LDAP directory.

roles/web-app-fusiondirectory/templates/env.j2

@@ -2,7 +2,7 @@
 # https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env  
       
 # Basic Configuration   
-LAM_PASSWORD=               {{applications[application_id].credentials.administrator_password}}    # LAM configuration master password and password for server profile "lam
+LAM_PASSWORD=               {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}    # LAM configuration master password and password for server profile "lam
      
 # Database
 LAM_CONFIGURATION_DATABASE= files                                               # configuration database (files or mysql) @todo implement mariadb

roles/web-app-gitea/config/main.yml

@@ -9,7 +9,7 @@ configuration:
 features:
   matomo:                         true
   css:                            false
-  portfolio_iframe:               true
+  port-ui-desktop:               true
   central_database:               true
   ldap:                           true
   oauth2:                         true

roles/web-app-gitea/tasks/cleanup.yml

@@ -1,7 +1,7 @@
 - name: Execute OIDC Cleanup Routine
   include_tasks: cleanup/oidc.yml
-  when: not (applications | is_feature_enabled('oidc', application_id))
+  when: not (applications | get_app_conf(application_id, 'features.oidc', False))
 
 - name: Execute LDAP Cleanup Routine
   include_tasks: cleanup/ldap.yml
-  when: not (applications | is_feature_enabled('ldap', application_id))
+  when: not (applications | get_app_conf(application_id, 'features.ldap', False))

roles/web-app-gitea/tasks/main.yml

@@ -46,7 +46,7 @@
   until: gitea_ready.status == 200
   retries: 20
   delay: 5
-  when: applications | is_feature_enabled('oidc', application_id) or applications | is_feature_enabled('ldap', application_id)
+  when: applications | get_app_conf(application_id, 'features.oidc', False) or applications | get_app_conf(application_id, 'features.ldap', False)
 
 - name: Execute Setup Routines
   include_tasks: setup.yml

roles/web-app-gitea/tasks/setup.yml

@@ -1,7 +1,7 @@
 - name: Execute OIDC Setup Routine
   include_tasks: setup/oidc.yml
-  when: applications | is_feature_enabled('oidc', application_id)
+  when: applications | get_app_conf(application_id, 'features.oidc', False)
 
 - name: Execute LDAP Setup Routine
   include_tasks: setup/ldap.yml
-  when: applications | is_feature_enabled('ldap', application_id)
+  when: applications | get_app_conf(application_id, 'features.ldap', False)

roles/web-app-gitea/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].images.gitea }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.gitea', True) }}"
     ports:
       - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}"
       - "{{ports.public.ssh[application_id]}}:22"

roles/web-app-gitea/templates/env.j2

@@ -5,7 +5,7 @@
 DOMAIN={{domains | get_domain(application_id)}}
 RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}"
 ROOT_URL="{{ domains | get_url(application_id, web_protocol) }}/"
-APP_NAME="{{ applications[application_id].title }}"
+APP_NAME="{{ applications | get_app_conf(application_id, 'title', True) }}"
 USER_UID=1000
 USER_GID=1000
 
@@ -38,21 +38,21 @@ GITEA__mailer__PASSWD={{ users['no-reply'].mailu_token }}
 
 # Allow push creation
 # @see https://github.com/go-gitea/gitea/issues/17619
-GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications[application_id].configuration.repository.enable_push_create_user | lower }}
+GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications | get_app_conf(application_id, 'configuration.repository.enable_push_create_user', True) | lower }}
-GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications[application_id].configuration.repository.default_private | lower }}
+GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications | get_app_conf(application_id, 'configuration.repository.default_private', True) | lower }}
-GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].configuration.repository.default_push_create_private | lower }}
+GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications | get_app_conf(application_id, 'configuration.repository.default_push_create_private', True) | lower }}
 
 GITEA__security__INSTALL_LOCK=true # Locks the installation page
 
 # (De)activate OIDC
-GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | is_feature_enabled('oidc',application_id) | lower }}
+GITEA__openid__ENABLE_OPENID_SIGNUP={{ applications | get_app_conf(application_id, 'features.oidc', False) | lower }}
-GITEA__openid__ENABLE_OPENID_SIGNIN={{ applications | is_feature_enabled('oidc',application_id) | lower }}
+GITEA__openid__ENABLE_OPENID_SIGNIN={{ applications | get_app_conf(application_id, 'features.oidc', False) | lower }}
 
-{% if applications | is_feature_enabled('oidc',application_id) or applications | is_feature_enabled('ldap',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.oidc', False) or applications | get_app_conf(application_id, 'features.ldap', False) %}
 
 EXTERNAL_USER_DISABLE_FEATURES=deletion,manage_credentials,change_username,change_full_name
 
-{% if applications | is_feature_enabled('ldap',application_id) %}
+{% if applications | get_app_conf(application_id, 'features.ldap', False) %}
 GITEA__ldap__SYNC_USER_ON_LOGIN=true
 {% endif %}
 

roles/web-app-gitlab/config/main.yml

@@ -3,7 +3,7 @@ images:
 features:
   matomo:             true
   css:                true
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   central_database:   true
 docker:
   services:

roles/web-app-gitlab/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   web:
-    image: "{{ applications[application_id].images.gitlab }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.gitlab', True) }}"
     hostname: '{{domains | get_domain(application_id)}}'
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     ports:

roles/web-app-joomla/config/main.yml

@@ -3,7 +3,7 @@ images:
 features:
   matomo:             true
   css:                true
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   central_database:   true
 domains:
   canonical:

roles/web-app-joomla/templates/docker-compose.yml.j2

@@ -1,6 +1,6 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
   application:
-    image: "{{ applications[application_id].images.joomla }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.joomla', True) }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     volumes:
       - data:/var/www/html

roles/web-app-keycloak/config/main.yml

@@ -4,7 +4,7 @@ import_realm:         True                                # If True realm will b
 features:
   matomo:             true
   css:                false
-  portfolio_iframe:   true
+  port-ui-desktop:   true
   ldap:               true
   central_database:   true
   recaptcha:          true
@@ -27,4 +27,9 @@ rbac_groups:  "/rbac"
 docker:
   services:
     database:
-      enabled: true
+      enabled: true
+
+credentials:
+  recaptcha:
+    website_key:    "YOUR_RECAPTCHA_WEBSITE_KEY" # Required if you enabled recaptcha:
+    secret_key:     "YOUR_RECAPTCHA_SECRET_KEY" # Required if you enabled recaptcha:

roles/web-app-keycloak/templates/docker-compose.yml.j2

@@ -1,9 +1,9 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images.keycloak }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.keycloak', True) }}"
     container_name: {{container_name}}
-    command: start {% if applications[application_id].import_realm | bool %}--import-realm{% endif %}
+    command: start {% if applications | get_app_conf(application_id, 'import_realm', True) | bool %}--import-realm{% endif %}
     {% include 'roles/docker-container/templates/base.yml.j2' %}
     ports:
       - "{{ keycloak_server_host }}:8080"

roles/web-app-keycloak/templates/env.j2

@@ -11,8 +11,8 @@ KC_HEALTH_ENABLED=              true
 KC_METRICS_ENABLED=             true
 
 # Administrator
-KEYCLOAK_ADMIN=                 "{{applications[application_id].users.administrator.username}}"
+KEYCLOAK_ADMIN=                 "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}"
-KEYCLOAK_ADMIN_PASSWORD=        "{{applications[application_id].credentials.administrator_password}}"
+KEYCLOAK_ADMIN_PASSWORD=        "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}"
 
 # Database
 KC_DB=                          postgres
@@ -21,5 +21,5 @@ KC_DB_USERNAME=                 {{database_username}}
 KC_DB_PASSWORD=                 {{database_password}}
 
 # If the initial administrator already exists and the environment variables are still present at startup, an error message stating the failed creation of the initial administrator is shown in the logs. Keycloak ignores the values and starts up correctly.
-KC_BOOTSTRAP_ADMIN_USERNAME=    "{{applications[application_id].users.administrator.username}}"
+KC_BOOTSTRAP_ADMIN_USERNAME=    "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}"
-KC_BOOTSTRAP_ADMIN_PASSWORD=    "{{applications[application_id].credentials.administrator_password}}"
+KC_BOOTSTRAP_ADMIN_PASSWORD=    "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}"

roles/web-app-keycloak/templates/import/realm.json.j2

@@ -834,8 +834,8 @@
       "clientAuthenticatorType": "desktop-secret",
       "secret": "{{oidc.client.secret}}",
       {%- set redirect_uris = [] %}
-      {%- for application, domain in domains.items() %}
+      {%- for application_id, domain in domains.items() %}
-        {%- if applications[application] is defined and (applications | is_feature_enabled('oauth2',application) or applications | is_feature_enabled('oidc',application_id)) %}
+        {%- if applications | get_app_conf(application_id, 'features.oauth2', False) or applications | get_app_conf(application_id, 'features.oidc', False) %}
           {%- if domain is string %}
             {%- set _ = redirect_uris.append(web_protocol ~ '://' ~ domain ~ '/*') %}
           {%- else %}
@@ -890,8 +890,8 @@
         "organization",
         "offline_access",
         "microprofile-jwt",
-        "{{ applications[application_id].scopes.rbac_roles }}",
+        "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
-        "{{ applications[application_id].scopes.nextcloud }}"
+        "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
 
       ]
     }
@@ -1197,7 +1197,7 @@
     },
     {
       "id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a",
-      "name": "{{ applications[application_id].scopes.nextcloud }}",
+      "name": "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}",
       "description": "Optimized mappers for nextcloud oidc_login with ldap.",
       "protocol": "openid-connect",
       "attributes": {
@@ -1249,7 +1249,7 @@
     },
     {
       "id": "59917c48-a7ef-464a-a8b0-ea24316db18e",
-      "name": "{{ applications[application_id].scopes.rbac_roles }}",
+      "name": "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
       "description": "RBAC Groups",
       "protocol": "openid-connect",
       "attributes": {
@@ -1675,8 +1675,8 @@
     "phone",
     "microprofile-jwt",
     "organization",
-    "{{ applications[application_id].scopes.rbac_roles }}",
+    "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}",
-    "{{ applications[application_id].scopes.nextcloud }}"
+    "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
   ],
   "browserSecurityHeaders": {
     "contentSecurityPolicyReportOnly": "",
@@ -1994,7 +1994,7 @@
                   "false"
                 ],
                 "groups.path": [
-                  "{{ applications[application_id].rbac_groups }}"
+                  "{{ applications | get_app_conf(application_id, 'rbac_groups', True) }}"
                 ]
               }
             },
@@ -2820,7 +2820,7 @@
           "autheticatorFlow": false,
           "userSetupAllowed": false
         },
-{%- if applications | is_feature_enabled('recaptcha', application_id) %}
+{%- if applications | get_app_conf(application_id, 'features.recaptcha', False) %}
         {
           "authenticatorConfig": "Google reCaptcha",
           "authenticator": "registration-recaptcha-action",
@@ -2912,7 +2912,7 @@
     }
   ],
   "authenticatorConfig": [
-{%- if applications | is_feature_enabled('recaptcha',application_id) %}
+{%- if applications | get_app_conf(application_id, 'features.recaptcha', False) %}
     {
       "id": "c6dcf381-7e39-4f7f-8d1f-631faec31b56",
       "alias": "Google reCaptcha",
@@ -2920,8 +2920,8 @@
         "action": "register",
         "useRecaptchaNet": "false",
         "recaptcha.v3": "true",
-        "secret.key": "{{ applications[application_id].credentials.recaptcha.secret_key }}",
+        "secret.key": "{{ applications | get_app_conf(application_id, 'credentials.recaptcha.secret_key', True) }}",
-        "site.key": "{{ applications[application_id].credentials.recaptcha.website_key }}"
+        "site.key": "{{ applications | get_app_conf(application_id, 'credentials.recaptcha.website_key', True) }}"
       }
     },
 {%- endif %}

roles/web-app-keycloak/vars/main.yml

@@ -4,7 +4,7 @@ container_name:                   "{{application_id}}_application"
 import_directory_host:            "{{docker_compose.directories.volumes}}import/"           # Directory in which keycloack import files are placed on the host
 import_directory_docker:          "/opt/keycloak/data/import/"                              # Directory in which keycloack import files are placed in the running docker container
 keycloak_realm:                   "{{ primary_domain}}"                                     # This is the name of the default realm which is used by the applications
-keycloak_administrator:           "{{ applications[application_id].users.administrator }}"  # Master Administrator
+keycloak_administrator:           "{{ applications | get_app_conf(application_id, 'users.administrator', True) }}"  # Master Administrator
 keycloak_administrator_username:  "{{ keycloak_administrator.username}}"                    # Master Administrator Username
 keycloak_administrator_password:  "{{ keycloak_administrator.password}}"                    # Master Administrator Password
 keycloak_kcadm_path:              "docker exec -i {{ container_name }} /opt/keycloak/bin/kcadm.sh"

roles/web-app-lam/config/main.yml

@@ -6,7 +6,7 @@ oauth2_proxy:
 features:
   matomo:                       true
   css:                          true
-  portfolio_iframe:             true
+  port-ui-desktop:             true
   ldap:                         true
   central_database:             false
   oauth2:                       false

roles/web-app-lam/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 
   application:
     container_name: {{ application_id }}
-    image: "{{ applications[application_id].images.lam }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.lam', True) }}"
     ports:
       - 127.0.0.1:{{ports.localhost.http[application_id]}}:80 
 {% include 'roles/docker-container/templates/base.yml.j2' %}

roles/web-app-lam/templates/env.j2

@@ -2,7 +2,7 @@
 # https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env  
       
 # Basic Configuration   
-LAM_PASSWORD=               {{applications[application_id].credentials.administrator_password}}    # LAM configuration master password and password for server profile "lam
+LAM_PASSWORD=               {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}    # LAM configuration master password and password for server profile "lam
      
 # Database
 LAM_CONFIGURATION_DATABASE= files                                               # configuration database (files or mysql) @todo implement mariadb

roles/web-app-libretranslate/config/main.yml

@@ -11,7 +11,7 @@ docker:
 features:
   matomo:           true    # Enable Matomo Tracking
   css:              true    # Enable Global CSS Styling
-  portfolio_iframe: true    # Enable loading of app in iframe
+  port-ui-desktop: true    # Enable loading of app in iframe
   ldap:             false   # Enable LDAP Network
   central_database: false   # Enable Central Database Network
   recaptcha:        false   # Enable ReCaptcha

roles/web-app-libretranslate/templates/docker-compose.yml.j2

@@ -3,7 +3,7 @@ services:
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications[application_id].images[application_id] }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
     volumes: []
     ports:
       - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"

roles/web-app-listmonk/config/main.yml

@@ -5,7 +5,7 @@ version:                    "latest"                              # Docker Image
 features:
   matomo:                   true
   css:                      false
-  portfolio_iframe:         true
+  port-ui-desktop:         true
   central_database:         true
   oidc:                     true
 domains:

roles/web-app-listmonk/tasks/main.yml

@@ -1,8 +1,8 @@
 ---
-- name: Set proxy_extra_configuration based on applications[application_id].public_api_activated
+- name: Set proxy_extra_configuration based on applications | get_app_conf(application_id, 'public_api_activated', True)
   set_fact:
     proxy_extra_configuration: >-
-      {% if not applications[application_id].public_api_activated %}
+      {% if not applications | get_app_conf(application_id, 'public_api_activated', True) %}
       {{ lookup('file', '{{ role_path }}/files/deactivate-public-api.conf') }}
       {% else %}
       ""
@@ -50,7 +50,7 @@
       -d {{ database_name }} << 'EOSQL'
     UPDATE users
     SET email = '{{ users.administrator.email }}',
-        password_login = {{ 'false' if applications[application_id].features.oidc else 'true' }}
+        password_login = {{ 'false' if applications | get_app_conf(application_id, 'features.oidc', True) else 'true' }}
     WHERE username = 'administrator';
     EOSQL
   args:

roles/web-app-listmonk/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
   application:
 {% set container_healthcheck = 'health' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{ applications[application_id].images.listmonk }}"
+    image: "{{ applications | get_app_conf(application_id, 'images.listmonk', True) }}"
     ports:
       - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}"
     volumes:

roles/web-app-listmonk/templates/env.j2

@@ -2,5 +2,5 @@ TZ={{ HOST_TIMEZONE }}
 
 # Administrator setup
 
-LISTMONK_ADMIN_USER={{ applications[application_id].users.administrator.username }}
+LISTMONK_ADMIN_USER={{ applications | get_app_conf(application_id, 'users.administrator.username', True) }}
-LISTMONK_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }}
+LISTMONK_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}

roles/web-app-listmonk/vars/main.yml

@@ -18,17 +18,17 @@ listmonk_settings:
          "provider_url": oidc.client.issuer_url,
          "client_secret": oidc.client.secret
       } | to_json }}
-    when: applications | is_feature_enabled('oidc',application_id)
+    when: applications | get_app_conf(application_id, 'features.oidc', False)
 
   # hCaptcha toggles and credentials
   - key: "security.enable_captcha"
     value: 'true'
 
   - key: "security.captcha_key"
-    value: '"{{ applications[application_id].credentials.hcaptcha_site_key }}"'
+    value: '"{{ applications | get_app_conf(application_id, "credentials.hcaptcha_site_key", True) }}"'
 
   - key: "security.captcha_secret"
-    value: '"{{ applications[application_id].credentials.hcaptcha_secret }}"'
+    value: '"{{ applications | get_app_conf(application_id, "credentials.hcaptcha_secret", True) }}"'
 
   # SMTP servers
   - key: "smtp"