Details:
- Added pkgmgr update task directly in pkgmgr role (pkgmgr pull --all)
- Removed deprecated update-pkgmgr role and references
- Removed deprecated update-pip role and references
- Simplified update-compose by dropping update-pkgmgr include
https://chatgpt.com/share/68bbeff1-27a0-800f-bef3-03ab597595fd
Details:
- Removed upgrade_listmonk() function and related calls from update-docker script
- Added dedicated Ansible task in web-app-listmonk role to run non-interactive DB/schema upgrade
- Conditional execution via MODE_UPDATE
Ref: https://chatgpt.com/share/68bbeff1-27a0-800f-bef3-03ab597595fd
- Switch to split containers (markoshust/magento-php:8.2-fpm + magento-nginx:latest)
- Disable central DB; use app-local MariaDB and pin to 11.4
- Composer bootstrap of Magento in php container (Adobe repo keys), idempotent via creates
- Make setup:install idempotent; run as container user 'app'
- Wire OpenSearch (security disabled) and depends_on ordering
- Add credentials schema (adobe_public_key/adobe_private_key)
- Update vars for php/nginx/search containers + MAGENTO_USER
- Remove legacy docs (Administration.md, Upgrade.md)
Context: changes derived from our ChatGPT session about getting Magento 2.4.8 running with MariaDB 11.4.
Conversation: https://chatgpt.com/share/68b8dc30-361c-800f-aa69-88df514cb160
- Unified Jinja2 variable spacing in tasks and templates
- Introduced database_image and database_version variables in vars/database.yml
- Updated mariadb.yml.j2 and postgres.yml.j2 to use {{ database_image }}:{{ database_version }}
- Ensured env file paths and includes are consistent
- Prepared support for versioned database images (needed for Magento deployment)
Ref: https://chatgpt.com/share/68b96a9d-c100-800f-856f-cd23d1eda2ed
- Add `server.config_upstream_url` default in `roles/web-app-bluesky/config/main.yml`
to define upstream for /config (defaults to https://ip.bsky.app/config).
- Introduce front-proxy injection `extra_locations.conf.j2` that:
- proxies `/config` to the upstream,
- sets SNI and correct Host header,
- normalizes CORS headers for same-origin consumption.
- Wire the proxy injection only for the Web domain in
`roles/web-app-bluesky/tasks/main.yml` via `proxy_extra_configuration`.
- Force fresh social-app checkout and patch
`src/state/geolocation.tsx` to `const BAPP_CONFIG_URL = '/config'`
in `roles/web-app-bluesky/tasks/02_social_app.yml`; notify `docker compose build` and `up`.
- Tidy and re-group PDS env in `roles/web-app-bluesky/templates/env.j2` (no functional change).
- Add vars in `roles/web-app-bluesky/vars/main.yml`:
- `BLUESKY_FRONT_PROXY_CONTENT` (renders the extra locations),
- `BLUESKY_CONFIG_UPSTREAM_URL` (reads `server.config_upstream_url`).
Security/Scope:
- Only affects the Bluesky web frontend (same-origin `/config`); PDS/API and AppView remain unchanged.
Refs:
- Conversation: https://chatgpt.com/share/68b8dd3a-2100-800f-959e-1495f6320aab
• Add roles/web-app-chess/files/Dockerfile using build ARGs (CHESS_VERSION, CHESS_REPO_URL, CHESS_REPO_REF, CHESS_ENTRYPOINT_REL, CHESS_ENTRYPOINT_INT, CHESS_APP_DATA_DIR, CONTAINER_PORT). Enable Corepack/Yarn as root in the runtime stage to avoid EACCES on /usr/local/bin symlinks, then drop privileges to 'node'.
• Delete Jinja-based templates/Dockerfile.j2; docker-compose now passes former Jinja vars via build.args.
• Update templates/docker-compose.yml.j2 to forward all required build args.
• Update config/main.yml: add CSP flag 'script-src-elem: unsafe-inline'.
Ref: https://chatgpt.com/share/68b88d3d-3bd8-800f-9723-e8df0cdc37e2
Build: use Yarn 4 via Corepack; immutable install with inline builds.
Runtime: enable Corepack as user 'node', use project-local cache (/app/.yarn/cache), add curl; fix ownership.
Entrypoint: generate keys in correct dir; run 'yarn install --immutable --inline-builds' before migrations; wait for Postgres.
Config: enable matomo/css/desktop; notify 'docker compose build' on entrypoint changes.
Docs: rename README title to 'Chess'.
Ref: ChatGPT conversation (2025-09-03) — https://chatgpt.com/share/68b88126-7a6c-800f-acae-ae61ed577f46
- Move entrypoint to files/ and deploy via copy
- Parameterize APP_KEY_FILE, data dir, and entrypoint paths
- Require explicit PORT/PG envs (remove fallbacks)
- Drop stray header from config/main.yml
- Dockerfile: use templated data dir & entrypoint; keep node user
- Compose: set custom image, adjust volume mapping
- env: derive APP_SCHEME from WEB_PROTOCOL; NODE_ENV from ENVIRONMENT
- tasks: add 01_core and simplify main to include it
Ref: https://chatgpt.com/share/68b851c5-4dd8-800f-8e9e-22b985597b8f
Add base include to oletools service so it inherits env_file (LD_PRELOAD=/usr/lib/libhardened_malloc.so) and other defaults. Fixes crash: PermissionError: '/proc/cpuinfo' during hardened_malloc compatibility probe when LD_PRELOAD was absent. Aligns oletools with other Mailu services.
Refs: ChatGPT discussion – https://chatgpt.com/share/68b837ba-c9cc-800f-b5d9-62b60d6fafd9
- script.py now resolves docker-compose project and working_dir strictly from container labels
- removed container-name fallback logic
- adjusted sys-ctl-hlth-docker-container to include sys-ctl-rpr-docker-soft
- cleaned up sys-svc-docker dependencies
- updated unit tests to mock docker inspect and os.path.isfile for STRICT mode
Conversation: https://chatgpt.com/share/68b80927-b800-800f-a909-0fe8d110fd0e
- Fix BookWyrm email SSL/TLS handling (use ternary without 'not' for clarity)
- Add truststore_enabled flag in Confluence config and vars
- Wire JVM_SUPPORT_RECOMMENDED_ARGS to disable UPM signature check if truststore is disabled
- Add placeholder style.css.j2 for Confluence
See conversation: https://chatgpt.com/share/68b80024-7100-800f-a2fe-ba8b9f5cec05
- Added network subnet (192.168.103.192/28) and port 8050 for web-app-chess
- Replaced stub README with usability-focused description of castling.club
- Implemented config, vars, meta, and tasks for web-app-chess
- Added Dockerfile, docker-compose.yml, env, and docker-entrypoint.sh templates
- Integrated entrypoint asset placement
- Updated meta to reflect usability and software features
Ref: https://chatgpt.com/share/68b6c65a-3de8-800f-86b2-a110920cd50e
Confluence: README added; demo disables OIDC/LDAP; Dockerfile overlay; docker-compose now uses CONFLUENCE_CUSTOM_IMAGE and DB depends include; env.j2 adds ATL_* and JVM_*; vars use integer math (//) for Xmx/Xms and expose CUSTOM_IMAGE.
Jira: initial role skeleton with README, config/meta/tasks; Dockerfile overlay; docker-compose using JIRA_CUSTOM_IMAGE and DB depends include; env.j2 with proxy + JVM envs; vars with integer-safe memory sizing.
Context: https://chatgpt.com/share/68b6b592-2250-800f-b68e-b37ae98dbe70
- Store pull lock under ${PATH_DOCKER_COMPOSE_PULL_LOCK_DIR}/<hash>.lock so global cleanup removes it reliably
- If any service defines `build:`, run `docker compose build --pull` before pulling
- Use `docker compose pull --ignore-buildable` when supported; otherwise tolerate pull failures for locally built images
This prevents failures when images are meant to be built locally (e.g., custom images) and ensures lock handling is consistent.
Ref: https://chatgpt.com/share/68b6b592-2250-800f-b68e-b37ae98dbe70
Removed obsolete handlers from roles (VirtualBox, backup-to-USB, OpenLDAP)
and introduced an integration test under tests/integration/test_handlers_invoked.py
that ensures all handlers defined in roles/*/handlers are actually notified
somewhere in the code base. This keeps the repository clean by preventing
unused or forgotten handlers from accumulating.
Ref: https://chatgpt.com/share/68b6b28e-4388-800f-87d2-34dfb34b8d36
• Add tasks/01_core.yml to set applications[application_id].server.csp.whitelist['connect-src'] = LOGOUT_CONNECT_SRC_NEW.
• Switch tasks/main.yml to include 01_core.yml (run-once guard preserved).
• Update templates/env.j2 to emit LOGOUT_DOMAINS as a comma-separated list.
• Rework vars/main.yml: compute LOGOUT_DOMAINS, derive LOGOUT_ORIGINS with WEB_PROTOCOL, read connect-src via the get_app_conf filter, and merge/dedupe (unique).
Rationale: ensure CSP allows cross-domain logout requests for all configured services.
Conversation: https://chatgpt.com/share/68b5b07d-b208-800f-b6b2-f26934607c8a
- Add Host header to curl healthcheck when container_hostname is defined
- Use PRETIX_PRETIX_ALLOWED_HOSTS to fix Django 400 Bad Request during healthcheck
- Centralize PRETIX_HOSTNAME from container_hostname var
- Add Redis broker/result backend config for Celery
See: https://chatgpt.com/share/68b59c42-c0fc-800f-9bfb-f1137c59b3de
- Move run_once include from main.yml to 01_core.yml in desk-gnome-caffeine and desk-ssh
- Introduce sys-svc-cdn/01_core.yml to handle shared/vendor dirs once and role dirs per run
- Replace cdn.* with cdn_paths_all.* across inj roles
- Split cdn_dirs into cdn_dirs_role and CDN_DIRS_GLOBAL
- Ensure cdn_urls uses cdn_paths_all
Details: https://chatgpt.com/share/68b58d64-1e28-800f-8907-36926a9e9a9b
- Removed obsolete Installation.md, TODO.md, 02_debug.yml, 05_oidc.yml and legacy debug enable/disable tasks
- Added 01_prep.yml to render debug.php/oidc.php on host side before container start
- Introduced _ensure_require.yml for generic require_once management in LocalSettings.php
- Renamed 01_install.yml -> 02_install.yml to align with new numbering
- Updated docker-compose.yml.j2 to bind-mount mw-local into /opt/mw-local
- Adjusted vars/main.yml to define MEDIAWIKI_LOCAL_MOUNT_DIR and MEDIAWIKI_LOCAL_PATH
- Templates debug.php.j2 and oidc.php.j2 now gated by MODE_DEBUG and MEDIAWIKI_OIDC_ENABLED
- main.yml now orchestrates prep, install, debug, extensions, oidc require, admin consistently
Ref: https://chatgpt.com/share/68b57db2-efcc-800f-a733-aca952298437
Integration tests added/updated:
- tests/integration/test_filters_usage.py: AST-based detection of filter definitions (FilterModule.filters), robust Jinja detection ({{ ... }}, {% ... %}, {% filter ... %}), plus Python call tracking; fails if a filter is used only under tests/.
- tests/integration/test_filters_are_defined.py: inverse check — every filter used in .yml/.yaml/.j2/.jinja2/.tmpl must be defined locally. Scans only inside Jinja blocks and ignores pipes inside strings (e.g., lookup('pipe', "... | grep ... | awk ...")) to avoid false positives like trusted_hosts, woff/woff2, etc.
Bug fixes & robustness:
- Build regexes without %-string formatting to avoid ValueError from literal '%' in Jinja tags.
- Strip quoted strings in usage analysis so sed/grep/awk pipes are not miscounted as filters.
- Prevent self-matches in the defining file.
Cleanup / removal of dead code:
- Removed unused filter plugins and related unit tests:
* filter_plugins/alias_domains_map.py
* filter_plugins/get_application_id.py
* filter_plugins/load_configuration.py
* filter_plugins/safe.py
* filter_plugins/safe_join.py
* roles/svc-db-openldap/filter_plugins/build_ldap_nested_group_entries.py
* roles/sys-ctl-bkp-docker-2-loc/filter_plugins/dict_to_cli_args.py
* corresponding tests under tests/unit/*
- roles/svc-db-postgres/filter_plugins/split_postgres_connections.py: dropped no-longer-needed list_postgres_roles API; adjusted tests.
Misc:
- sys-stk-front-proxy/defaults/main.yml: clarified valid vhost_flavour values (comma-separated).
Ref: https://chatgpt.com/share/68b56bac-c4f8-800f-aeef-6708dbb44199
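Added example (not the repository's tests/integration code): a minimal version of the Jinja scanning described above, showing how filter names are collected only inside `{{ ... }}` / `{% ... %}` blocks and `{% filter ... %}` tags, and how quoted strings are blanked out first so shell pipes such as `lookup('pipe', "... | grep ... | awk ...")` or an nginx `(woff|woff2)` pattern are not counted as filters. The sample template, the `KNOWN_BUILTINS` fallback set and the function names are constructed here; a real check would also have to whitelist Ansible's own filters (e.g. `bool`, `path_join`), which are not part of plain Jinja2.

```python
import re

# Jinja blocks (expressions and statements); DOTALL lets a block span lines.
_JINJA_BLOCK_RE = re.compile(r'\{\{.*?\}\}|\{%.*?%\}', re.DOTALL)
# Single- or double-quoted string literals, including escaped quotes inside them.
_QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
# A filter application: a pipe followed by an identifier.
_PIPE_FILTER_RE = re.compile(r'\|\s*([A-Za-z_][A-Za-z0-9_]*)')
# The block form {% filter name %} ... {% endfilter %}.
_FILTER_TAG_RE = re.compile(r'\{%-?\s*filter\s+([A-Za-z_][A-Za-z0-9_]*)')

try:
    # Prefer the real list of Jinja2 built-in filters when jinja2 is installed.
    from jinja2 import Environment
    KNOWN_BUILTINS = set(Environment().filters)
except ImportError:  # constructed fallback subset for offline use
    KNOWN_BUILTINS = {'default', 'join', 'lower', 'upper', 'trim', 'tojson',
                      'unique', 'sort', 'list', 'int', 'replace', 'length'}


def used_filters(text):
    """Return the set of filter names applied anywhere in the Jinja blocks of text."""
    names = set()
    for block in _JINJA_BLOCK_RE.findall(text):
        names.update(_FILTER_TAG_RE.findall(block))
        # Blank out string literals so '|' inside shell snippets is ignored.
        stripped = _QUOTED_RE.sub('""', block)
        names.update(_PIPE_FILTER_RE.findall(stripped))
    return names


def undefined_filters(text, defined):
    """Filters used in text that are neither project-defined nor Jinja2 built-ins."""
    return sorted(n for n in used_filters(text)
                  if n not in defined and n not in KNOWN_BUILTINS)


# Constructed sample template exercising the true-positive and false-positive cases.
SAMPLE_TEMPLATE = '''
url: {{ [WEB_PROTOCOL ~ '://', domain, '?a=1'] | url_join }}
hosts: {{ domains | canonical_domains_map(applications) | tojson }}
token: {{ lookup('pipe', "cat " ~ path ~ " | grep token | awk '{print $2}'") | trim }}
{% filter trim %}{{ application_id }}{% endfilter %}
location ~* \\.(woff|woff2)$ { expires 30d; }
'''

if __name__ == '__main__':
    print(sorted(used_filters(SAMPLE_TEMPLATE)))
    print(undefined_filters(SAMPLE_TEMPLATE, {'url_join'}))
```

Run against the sample, `undefined_filters` reports only `canonical_domains_map`: `url_join` is declared as project-defined, `tojson` and `trim` are built-ins, and the `grep`/`awk` pipes and the nginx alternation never enter the result.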
Changed safe_join to raise ValueError if base or tail is None instead of returning 'None/path'.
Adjusted unit tests accordingly to expect exceptions for None inputs and kept empty-string handling valid.
Ref: https://chatgpt.com/share/68b55850-e854-800f-9702-09ea956b8dc4
- Move default 'unsafe-inline' for style-src and style-src-elem into get_csp_flags
- Ensure hashes are only added if 'unsafe-inline' not in final tokens
- Improve comments and structure
- Extend unit tests to cover default flags, overrides, and final-token logic
See: https://chatgpt.com/share/68b54520-5cfc-800f-9bac-45093740df78
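Added example (not the project's `get_csp_flags` implementation): a small model of the two rules in the commit above, with the default `'unsafe-inline'` for `style-src` and `style-src-elem` living in the flag lookup, and hashes appended only when the final token list does not already contain `'unsafe-inline'`. The reason the second rule matters is that, under CSP Level 2 and later, a browser ignores `'unsafe-inline'` as soon as a hash or nonce source appears in the same directive, so emitting both would silently change what the policy allows. The `DEFAULT_FLAGS` shape, `overrides`/`hashes` dictionaries and function names are assumptions made for this example.

```python
# Default flags per directive; 'unsafe-inline' is on for the two style directives
# (the move described in the commit), nothing is enabled for the others.
DEFAULT_FLAGS = {
    'style-src': {'unsafe-inline': True},
    'style-src-elem': {'unsafe-inline': True},
}


def get_csp_flags(directive, overrides=None):
    """Merge defaults with per-application overrides; return the enabled flag tokens."""
    flags = dict(DEFAULT_FLAGS.get(directive, {}))
    flags.update((overrides or {}).get(directive, {}))
    return [f"'{name}'" for name, enabled in flags.items() if enabled]


def build_directive(directive, sources, overrides=None, hashes=None):
    """Assemble one CSP directive from host sources, flags and optional sha256 hashes.

    Hashes are only added when 'unsafe-inline' is absent from the final tokens:
    with a hash present, browsers drop 'unsafe-inline' anyway, so the mixed form
    would not mean what the configuration author expects.
    """
    tokens = list(sources) + get_csp_flags(directive, overrides)
    if "'unsafe-inline'" not in tokens:
        tokens += [f"'sha256-{h}'" for h in (hashes or {}).get(directive, [])]
    return f"{directive} {' '.join(tokens)}"


if __name__ == '__main__':
    # Constructed inputs: an application that keeps the default and one that
    # disables 'unsafe-inline' in favour of hashing its inline styles.
    print(build_directive('style-src', ["'self'"], hashes={'style-src': ['AbC123']}))
    print(build_directive('style-src', ["'self'"],
                          overrides={'style-src': {'unsafe-inline': False}},
                          hashes={'style-src': ['AbC123']}))
```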
- Support query elements starting with '?' or '&'
* First query element normalized to '?', subsequent to '&'
* Each query element must be exactly one 'key=value' pair
* Query elements may only appear after path elements
* Once query starts, no more path elements are allowed
- Extend test suite with success and failure cases for query handling
See: https://chatgpt.com/share/68b537ea-d198-800f-927a-940c4de832f2
Improved url_join filter:
- Requires first element to contain a valid '<scheme>://'
- Raises specific errors for None, empty list, wrong type, missing scheme,
extra schemes in later parts, or string conversion failures
- Provides clearer error messages with index context in parts
See: https://chatgpt.com/share/68b537ea-d198-800f-927a-940c4de832f2
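Added example (not the repository's `url_join` filter plugin): a reconstruction of the rules listed in the two commits above, covering both the scheme/type validation and the query-element handling. It requires a `<scheme>://` on the first element only, rejects `None`, an empty list, a non-list argument, a later part that carries another scheme, or a part that cannot be converted to a string, normalises the first query element to `?` and the rest to `&`, demands exactly one `key=value` pair per query element, and refuses path elements once the query has started. Every error carries the index of the offending part. The exact messages, the decision to drop empty path segments, and the `rejects()` helper are assumptions made for this example.

```python
import re

# Scheme followed by at least one authority character; only the first part may carry it.
_SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://[^/?&]+')
# Exactly one key=value pair: non-empty key, value free of '&' and '?'.
_QUERY_PAIR_RE = re.compile(r'^[^=&?]+=[^&?]*$')


def url_join(parts):
    """Join path and query elements into a URL, validating each part by index."""
    if parts is None:
        raise ValueError("url_join: parts is None")
    if not isinstance(parts, (list, tuple)):
        raise ValueError(f"url_join: expected a list, got {type(parts).__name__}")
    if len(parts) == 0:
        raise ValueError("url_join: parts is empty")

    try:
        first = str(parts[0])
    except Exception as exc:
        raise ValueError(f"url_join: part[0] cannot be converted to str: {exc}")
    if not _SCHEME_RE.match(first):
        raise ValueError(f"url_join: part[0] must contain '<scheme>://', got {first!r}")

    path_segments = [first.rstrip('/')]
    query_pairs = []
    for idx, raw in enumerate(parts[1:], start=1):
        if raw is None:
            raise ValueError(f"url_join: part[{idx}] is None")
        try:
            seg = str(raw)
        except Exception as exc:
            raise ValueError(f"url_join: part[{idx}] cannot be converted to str: {exc}")
        if '://' in seg:
            raise ValueError(f"url_join: part[{idx}] contains an extra scheme: {seg!r}")

        if seg.startswith(('?', '&')):
            # Query element: the leading marker is normalised later, so '?' and '&'
            # are interchangeable on input; the body must be one key=value pair.
            pair = seg[1:]
            if not _QUERY_PAIR_RE.match(pair):
                raise ValueError(
                    f"url_join: part[{idx}] must be exactly one 'key=value' pair: {seg!r}")
            query_pairs.append(pair)
            continue

        # Path element: not allowed once the query has started.
        if query_pairs:
            raise ValueError(
                f"url_join: part[{idx}] is a path element after the query started: {seg!r}")
        seg = seg.strip('/')
        if seg:  # assumption: empty segments such as '/' are dropped, not an error
            path_segments.append(seg)

    url = '/'.join(path_segments)
    if query_pairs:
        url += '?' + '&'.join(query_pairs)  # first pair gets '?', the rest '&'
    return url


def rejects(parts):
    """True when url_join refuses ``parts`` with ValueError (used in the checks)."""
    try:
        url_join(parts)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    # Constructed input; yields https://example.com/api/v1?a=1&b=2
    print(url_join(['https://example.com/', '/api/', 'v1', '?a=1', '?b=2']))
```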
• Removed hardcoded container_port/container_healthcheck from docker-compose.yml.j2
• Added container_port=8080 and container_healthcheck to vars/main.yml
• Rationale: current image listens on 8080; centralizes settings in vars
Ref: https://chatgpt.com/share/68b4a69d-e4b0-800f-a4f8-6c8e4fc55ee4
Introduced a new Ansible role for deploying Atlassian Confluence within the Infinito.Nexus ecosystem.
The role follows the same structure as web-app-pretix and includes:
- : Core variables, database config, OIDC integration.
- : Docker service definitions, features (Matomo, CSS, OIDC, logout, central DB).
- : Loads docker, db and proxy stack.
- : Placeholder for schema definitions.
- :
- (base for OIDC plugins/extensions),
- (service orchestration),
- (environment configuration).
- : Metadata, license, company, logo (Font Awesome book-open icon).
Canonical domain is set to `confluence.{{ PRIMARY_DOMAIN }}`.
This role ensures Confluence integrates seamlessly with Keycloak OIDC and the Infinito.Nexus service stack.
Conversation: https://chatgpt.com/share/68b1d006-bbd4-800f-9d2e-9c8a8af2c00f
Summary:
- Replace draft with complete README (features, resources, credits).
- Remove obsolete Todo.md.
- Switch to custom image tag (PRETIX_IMAGE_CUSTOM) and install 'pretix-oidc' in Dockerfile.
- Drop unused 'config' volume; keep persistent 'data' only.
- Rename docker-compose service from 'application' to 'pretix' and use container_port.
- Use standard depends_on include for DB/Redis (dmbs_excl).
- Align vars to docker.services.pretix.* (image/version/name); add PRETIX_IMAGE_CUSTOM.
Breaking:
- Service key changed to 'pretix' under docker.services.
- 'config' volume removed from compose.
Status:
- Pretix role is now fully implemented and production-ready.
Reference:
- Conversation: https://chatgpt.com/share/68b1cb34-b7dc-800f-8b39-c183124972f2
- Updated filter to handle dict (domain map), list (flattened domains), or single str inputs.
- Prevents duplicate 'www.' prefixes by checking prefix before adding.
- Adjusted unit tests:
* Replaced old non-dict test with invalid type tests (int, None).
* Added explicit tests for list and string input types.
See conversation: https://chatgpt.com/share/68b1ae9a-1ac0-800f-b49d-2915386a1a23
- Added new filter plugin 'timeout_start_sec_for_domains' to calculate TimeoutStartSec based on number of domains.
- Updated sys-ctl-hlth-csp and sys-ctl-hlth-webserver tasks to use the filter.
- Removed obsolete systemctl.service.j2 in sys-ctl-hlth-csp.
- Adjusted variable naming (CURRENT_PLAY_DOMAINS_ALL etc.) in multiple roles.
- Updated srv-letsencrypt and sys-svc-certs to use uppercase vars.
- Switched pretix role to sys-stk-full-stateful and removed leftover javascript.js.
- Added unittests for the new filter under tests/unit/filter_plugins.
See conversation: https://chatgpt.com/share/68b1ae9a-1ac0-800f-b49d-2915386a1a23
- Renamed role `srv-tls-core` → `sys-svc-certs`
- Renamed role `srv-https-stack` → `sys-stk-front-pure`
- Renamed role `sys-stk-front` → `sys-stk-front-proxy`
- Updated all includes, READMEs, meta, and dependent roles accordingly
This improves clarity and consistency of naming conventions for certificate management and proxy orchestration.
See: https://chatgpt.com/share/68b19f2c-22b0-800f-ba9b-3f2c8fd427b0
- Added oidc feature flag in config
- Removed obsolete credentials schema (initial_root_password)
- Updated docker-compose.yml.j2 to use explicit GITLAB_* vars (image, version, container, volumes)
- Moved initial_root_password into vars/main.yml
- Introduced GITLAB_OMNIBUS_BASE and GITLAB_OMNIBUS_OIDC config lists
- Switched env.j2 to use GITLAB_OMNIBUS_ALL join
See conversation: https://chatgpt.com/share/68b1962c-3ee0-800f-a858-d4590ff6132a
Discussion: https://chatgpt.com/share/68b10c0a-c308-800f-93ac-2ffb386cf58b
- Split tasks into 01_install, 02_debug, 03_admin, 04_extensions, 05_oidc.
- Ensure unzip+git+composer on demand in the container; run Composer as www-data with COMPOSER_HOME=/tmp/composer.
- Idempotently unpack/install PluggableAuth & OpenIDConnect; run composer install only if vendor/ is missing.
- Add sanity check for Jumbojett\OpenIDConnectClient.
- Copy oidc.php only when changed and append a single require_once to LocalSettings.php.
- Use REL1_44-compatible numeric array for $wgPluggableAuth_Config; set $wgPluggableAuth_ButtonLabelMessage.
- Debug: add debug.php that logs to STDERR (visible via docker logs); toggle cleanly with MODE_DEBUG.
- Enable OIDC feature in config; add paths/OIDC/extension vars in vars/main.yml.
fix(services): include SYS_SERVICE_GROUP_CLEANUP in StartPre lock (ssd-hdd, docker-hard).
fix(desktop/joomla): simplify MODE_DEBUG templating.
chore: minor cleanups and renames.
Tasks:
- Enable docker_compose_flush_handlers=true so services come up immediately.
- Add DB readiness guard via maintenance/sql.php (SELECT 1).
- Run maintenance/install.php on empty schema with robust changed_when/failed_when (merge stdout+stderr); keep secrets hidden.
- Run maintenance/update.php for migrations with neutral changed_when unless work is done.
- Make admin creation idempotent: tolerate 'already exists' and 'Account exists', keep async+no_log.
Config changes:
- Remove LocalSettings.php template and its host bind-mount from compose.
- Drop MediaWiki settings path variables and META namespace variable (unused after switch).
Result: First boot is fully automated (schema + admin), subsequent runs are cleanly idempotent.
Ref: ChatGPT conversation (Aug 28, 2025, Europe/Berlin) — https://chatgpt.com/share/68b0d2e1-9bc0-800f-81a5-db03ce0b81e3.
- Removed outdated Installation.md (manual plugin instructions no longer needed)
- Added schema/main.yml with validation for secret_pin
- Added config.php.j2 template to manage DB + admin config
- Refactored tasks/main.yml to deploy config.php instead of legacy docker-compose
- Removed setup-domain.yml (TLS/domain handling moved to core roles)
- Updated docker-compose.yml.j2 to mount config.php and use new vars
- Cleaned up vars/main.yml: standardized MYBB_* variable names, added MYBB_SECRET_PIN, config paths, and container port
See ChatGPT conversation: https://chatgpt.com/share/68b0ae26-93ec-800f-8785-0da7c9303090
- Converted group_vars/all/13_ldap.yml from lower-case to ALL-CAPS nested keys.
- Updated all roles, tasks, templates, and filter_plugins to reference LDAP.* instead of ldap.*.
- Fixed Keycloak JSON templates to properly quote Jinja variables.
- Adjusted svc-db-openldap filter plugins and unit tests to handle new LDAP structure.
- Updated integration test to only check uniqueness of TOP-LEVEL ALL-CAPS constants, ignoring nested keys.
See: https://chatgpt.com/share/68b01017-efe0-800f-a508-7d7e2f1c8c8d
- Allow kc_object_kind='realm'
- Map endpoint to 'realms' and default lookup_field to 'id'
- Use realm-specific kcadm GET/UPDATE (no -r flag)
- Preserve immutables: id, realm
- Guard query-based ID resolution to non-realm objects
Context: fixing failure in 'Update REALM mail settings' task.
See: https://chatgpt.com/share/68affdb8-3d28-800f-8480-aa6a74000bf8
Add roles/web-app-taiga/tasks/01_administrator.yml to handle admin creation via 'createsuperuser' and, on failure, an upsert fallback using 'manage.py shell'. Ensures email, is_staff, is_superuser, is_active are set and password is updated when needed; emits CHANGED marker for idempotence.
Update roles/web-app-taiga/tasks/main.yml to include the new 01_administrator.yml task file, removing the inline admin logic for better separation of concerns.
Uses taiga-manage helper service and composes docker-compose.yml with docker-compose-inits.yml to inherit env/networks/volumes consistently.
Chat reference: https://chatgpt.com/share/68af7637-225c-800f-b670-2b948f5dea54
- Introduced dedicated variables in vars/main.yml:
* TAIGA_FLAVOR_TAIGAIO
* TAIGA_TAIGAIO_ENABLED
- Replaced inline Jinja2 get_app_conf checks with TAIGA_TAIGAIO_ENABLED for
consistency in tasks, docker-compose template and env file.
- Adjusted env.j2 to use TAIGA_TAIGAIO_ENABLED instead of direct flavor checks.
- Enabled css by default (true instead of false).
- Cleaned up spacing/indentation in config and env.
This improves readability, reduces duplicated logic, and makes it easier to
maintain both OIDC flavors (robrotheram, taigaio).
Conversation: https://chatgpt.com/share/68af65b3-27c0-800f-964f-ff4f2d96ff5d
- Introduce WEBSOCKET_PROTOCOL derived from WEB_PROTOCOL (wss if https, else ws).
- Replace hardcoded websocket URLs in EspoCRM, Nextcloud and Taiga with {{ WEBSOCKET_PROTOCOL }}.
- Fix mautrix-imessage to use ws:// for internal synapse:8008.
- Standardize Pixelfed OIDC env spacing.
- Refactor Taiga variables to TAIGA_* naming convention and clean up EMAIL_BACKEND definition.
See: https://chatgpt.com/share/68af62fa-4dcc-800f-9aaf-cff746daab1e
- Move image definition from images.joomla to docker.services.joomla
- Add container name, container_port variable, and healthcheck
- Introduce JOOMLA_IMAGE, JOOMLA_VERSION, JOOMLA_CONTAINER, JOOMLA_VOLUME in vars
- Use volume mapping via docker.volumes.data
See: https://chatgpt.com/share/68af55a9-6514-800f-b6f7-1dc86356936e
- Extend certbundle task to ignore 'The service is down for maintenance or had an internal error'
as a fatal failure.
- Add debug/warning output when this error occurs, so playbook does not stop but logs the issue.
- Ensure changed_when does not mark run as changed if only maintenance error was hit.
Ref: https://chatgpt.com/share/68af4e15-24cc-800f-b1dd-6a5f2380e35a
- Removed COPY of msmtp configuration from Dockerfile to avoid baking secrets/config into the image
- Added volume mount for host-side msmtp config ({{ WORDPRESS_HOST_MSMTP_CONF }}) in docker-compose.yml
- Keeps PHP upload.ini handling inside the image, but externalizes sensitive mail configuration
- Increases flexibility and avoids rebuilds when msmtp config changes
Ref: https://chatgpt.com/share/68af3c51-0544-800f-b76f-b2660c43addb
- Replaced all lowercase wordpress_* variables with uppercase WORDPRESS_* equivalents
- Ensured consistency across tasks, templates, and vars
- Improves readability and aligns with naming conventions
Conversation: https://chatgpt.com/share/68af29b5-8e7c-800f-bd12-48cc5956311c
- Fixed incorrect filter usage in docker-compose handler (proper use of | path_join).
- Improved LetsEncrypt template by joining paths with filenames instead of appending manually.
- Enhanced sys-svc-msmtp task with an additional condition to only run if no-reply mailu_token exists.
- Updated Keycloak meta to depend on Mailu (ensuring token generation before setup).
- Refactored Keycloak import path variables to use path_join consistently.
- Adjusted Mailu meta dependency to run after Matomo instead of Keycloak.
See: https://chatgpt.com/share/68af13e6-edc0-800f-b76a-a5f427837173
- Improved CSP filter to properly include web-svc-cdn and use protocol-aware domains
- Added Todo.md with redis and OIDC notes
- Enhanced Akaunting role config with CSP flags and redis option
- Updated schema to include app_key validation
- Reworked tasks to handle first-run marker logic cleanly
- Fixed docker-compose template (marker, healthcheck, setup flag)
- Expanded env.j2 with cache, email, proxy, and redis options
- Added javascript.js.j2 template for SSO warning
- Introduced structured vars for Akaunting role
- Removed deprecated update-repository-with-files.yml task
See conversation: https://chatgpt.com/share/68af00df-2c74-800f-90b6-6ac5b29acdcb
- update cli/create/credentials.py to handle vault literals correctly:
* strip 'vault |' headers and keep only ANSIBLE_VAULT body
* skip reprocessing keys added in same run (no duplicate confirmation prompts)
* detect both 'vault' and 'ANSIBLE_VAULT' as already encrypted
Refs: https://chatgpt.com/share/68aed780-ad4c-800f-877d-aa4c40a47755
- Introduced a generic sso_warning.js.j2 template under
templates/roles/web-app/templates/javascripts/
- Included this template in web-app-baserow/templates/javascript.js.j2
- Added new variable js_application_name in
roles/web-app-baserow/vars/main.yml to make the warning
application-specific
- Implemented cookie-based logic so the warning is only shown once
per user (default: 365 days)
Reference: https://chatgpt.com/share/68aecdae-82d0-800f-b05e-f2cb680664f1
- Extended kc_force_attrs in tasks/main.yml to source 'publicClient',
'serviceAccountsEnabled' and 'frontchannelLogout' directly from
KEYCLOAK_DICTIONARY_REALM for consistency with import definitions.
- Updated default.json.j2 import template to set 'publicClient' to true.
- Public client mode is required so the frontend API of role 'web-app-desktop'
can handle login/logout flows without client secret.
Ref: https://chatgpt.com/share/68ae0060-4fac-800f-9f02-22592a4087d3
Replaced over-escaped '{{{{.Names}}}}' with proper '{{.Names}}'
in docker ps commands. This resolves 'failed to parse template:
unexpected "{" in command' errors during unhealthy/exited
container detection.
Reference: https://chatgpt.com/share/68addfd9-fa78-800f-abda-49161699e673
- Added detect_env_file() to both sys-ctl-rpr-docker-soft and sys-ctl-rpr-docker-hard
* prefer .env, fallback to .env/env
* append --env-file parameter automatically
- Refactored soft script to use compose_cmd() for consistent command building
- Adjusted error recovery path in soft script to also respect env-file
- Extended unit tests for soft script to cover env-file priority and restart commands
- Added new unit tests for hard script verifying env-file priority, cwd handling,
and --only filter logic
Ref: https://chatgpt.com/share/68ad7b30-7510-800f-8172-56f03a2f40f5
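Added example (not the repository's repair scripts): a stand-alone version of the `detect_env_file()` priority and the `compose_cmd()` command builder described above. It prefers a regular `.env` file, falls back to `.env/env` when `.env` is a directory that holds the real file, and appends `--env-file` only when one was found, so the compose invocation stays correct in all three layouts. The `demo()` function constructs those layouts in a temporary directory; it and the exact argv shape are assumptions made for this example.

```python
import os
import tempfile


def detect_env_file(project_dir):
    """Return the env file docker compose should load for project_dir, or None.

    Priority: a regular file '.env' first, then '.env/env' (the layout where
    '.env' is a directory containing the real file).
    """
    for rel in ('.env', os.path.join('.env', 'env')):
        candidate = os.path.join(project_dir, rel)
        if os.path.isfile(candidate):
            return candidate
    return None


def compose_cmd(project_dir, *args):
    """Build the docker compose argv for project_dir, adding --env-file when one exists."""
    cmd = ['docker', 'compose']
    env_file = detect_env_file(project_dir)
    if env_file:
        cmd += ['--env-file', env_file]
    return cmd + list(args)


def demo():
    """Construct three project layouts and return what is detected for each."""
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, 'plain')       # .env is a regular file
        os.makedirs(plain)
        open(os.path.join(plain, '.env'), 'w').close()

        nested = os.path.join(root, 'nested')     # .env is a directory, file is .env/env
        os.makedirs(os.path.join(nested, '.env'))
        open(os.path.join(nested, '.env', 'env'), 'w').close()

        bare = os.path.join(root, 'bare')         # no env file at all
        os.makedirs(bare)

        return (
            os.path.relpath(detect_env_file(plain), plain),
            os.path.relpath(detect_env_file(nested), nested),
            detect_env_file(bare),
            compose_cmd(bare, 'restart'),
            '--env-file' in compose_cmd(nested, 'up', '-d'),
        )


if __name__ == '__main__':
    print(demo())
```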
- extended generic systemctl template to support ExecStartPost
- health-docker-volumes: run main script with whitelist, trigger both compose alarm and cleanup on failure
- repair-docker-hard: added ExecStartPre lock, ExecStart, and ExecStartPost to trigger compose alarm always, plus cleanup on failure
- removed obsolete role-specific systemctl.service.j2 templates
- improved consistency across vars and defaults
See: https://chatgpt.com/share/68ad6cb8-c164-800f-96b6-a45c6c7779b3
- Render userObjectClasses via `tojson` (and trim) to avoid invalid control
characters and ensure valid realm import parsing.
- Introduce KEYCLOAK_LDAP_USER_OBJECT_CLASSES in vars; exclude `posixAccount`
for Keycloak’s LDAP config while keeping it for Ansible-managed UNIX users.
- Update UserStorageProvider template to use the new variable.
Rationale:
Keycloak must not require `posixAccount` on every LDAP user. We keep
`posixAccount` structural for Ansible provisioning, but filter it out for
Keycloak to prevent sync/import errors on entries without POSIX attributes.
Touched:
- roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
- roles/web-app-keycloak/vars/main.yml
Refs: conversation https://chatgpt.com/share/68aa1ef0-3658-800f-bdf4-5b57131d03b4
- Replace `ESPOCRM_NAME` with `ESPOCRM_CONTAINER` for clarity and consistency.
- Drop unused `ESPOCRM_CONFIG_FILE_PUBLIC`, rely only on `config-internal.php`.
- Make DB credential patching idempotent using `grep` + `sed` checks.
- Replace direct sed edits for maintenance/cron/cache with EspoCRM ConfigWriter.
- Add fallback execution as root if www-data user cannot write config.
- Clear EspoCRM cache only when config changes and in update mode.
- Remove obsolete OIDC scopes inline task (now handled via env/vars).
- Fix docker-compose template to use `ESPOCRM_CONTAINER`.
This refactor makes the EspoCRM role more robust, idempotent, and aligned
with EspoCRM’s official ConfigWriter mechanism.
See conversation: https://chatgpt.com/share/68a87820-12f8-800f-90d6-01ba97a1b279
- Removed unused soft restart function and switched to argparse-based CLI.
- Added --only argument to selectively restart subdirectories.
- Updated systemctl service template to pass PATH_DOCKER_COMPOSE_INSTANCES as argument.
- Ensures service unit correctly invokes the Python script with target path.
See conversation: https://chatgpt.com/share/68a771d9-5fd8-800f-a410-08132699cc3a
- Added '| sort' to all service group lists and backup routine lists to ensure
deterministic ordering and stable checksums across Ansible runs.
- Adjusted systemctl templates to use a single service variable
('SYS_SERVICE_BACKUP_RMT_2_LOC') instead of rejecting dynamic list entries,
making the ignore logic simpler and more predictable.
- Fixed minor whitespace inconsistencies in Jinja templates to avoid
unnecessary changes.
This change was made to prevent spurious 'changed' states in Ansible caused by
non-deterministic list order and to reduce complexity in service definitions.
See discussion: https://chatgpt.com/share/68a74c20-6300-800f-a44e-da43ae2f3dea
- sys-service:
- Set explicit ownership and permissions for generated unit files:
owner=root, group=root, mode=0644. Prevents drift and makes idempotence
predictable when handlers reload/refresh systemd.
- web-svc-collabora:
- Move cmp-docker-proxy include into tasks/01_core.yml and run it
before Nginx config generation. Use public: true only to initialize the
proxy/compose context and docker_compose_flush_handlers: true to ensure
timely handler execution.
- Define role-local variables domain and http_port in vars/main.yml
and use {{ domain }} for the Nginx server file path. These values MUST
be defined locally because they cannot be reliably imported via
public: true — other roles may override them later in the play, leading
to leakage and nondeterministic behavior. Localizing avoids precedence
conflicts without resorting to host-wide set_fact.
- CSP adjusted: add server.security.flags.style-src.unsafe-inline: true
to accommodate Collabora’s inline styles (requested as “csr” in notes).
- Minor variable alignment/cleanup and TODO note for future refactor.
- Housekeeping:
- Rename task title to reflect {{ domain }} usage.
Refs:
- Discussion and rationale in this chat https://chatgpt.com/share/68a731aa-d394-800f-9eb4-2499f45ed54b (2025-08-21, Europe/Berlin).
Introduced custom filter plugin to render optional systemd directives, refactored template to loop over directives, and adjusted default vars (TimeoutStartSec, RuntimeMaxSec handling).
Details: see ChatGPT conversation
https://chatgpt.com/share/68a5a730-6344-800f-b9a3-dc62d5902e9b
- Introduced a new handler 'docker compose pull' that runs only once per
{{ docker_compose.directories.instance }} directory by using a lock
file under /run/ansible/compose-pull.
- Ensures idempotency by marking the task as changed only when a pull
was actually executed.
- Restricted execution with 'when: MODE_UPDATE | bool'.
- Improves update workflow by avoiding redundant docker pulls during
the same Ansible run.
Reference: ChatGPT discussion
https://chatgpt.com/share/68a55151-959c-800f-8b70-160ffe43e776
This test scans all roles for tasks including:
  - include_role:
      name: sys-service
If present, the role must define a non-empty 'system_service_id' in vars/main.yml.
Helps enforce consistency and prevent misconfiguration.
Ref: https://chatgpt.com/share/68a536e5-c384-800f-937a-f9d91249950c
- Added missing 'Iterable' import in 'canonical_domains_map' to avoid NameError.
- Introduced 'seed' parameter so the filter can start traversal from current play apps
while still emitting canonical domains for discovered dependencies (e.g. web-svc-collabora).
- Updated 01_constructor.yml to pass full 'applications' and a clean 'seed' list
(using dict2items → key) instead of '.keys()' method calls, fixing integration
test error: 'reference to application keys is invalid'.
This resolves issues where collabora domains were missing and integration tests failed.
Ref: https://chatgpt.com/share/68a51f9b-3924-800f-a41b-803d8dd10397
- Introduced module_utils/role_dependency_resolver.py with full support for include_role, import_role, meta dependencies, and run_after.
- Refactored cli/build/tree.py to use RoleDependencyResolver (added toggles for include/import/dependencies/run_after).
- Extended filter_plugins/canonical_domains_map.py with optional 'recursive' mode (ignores run_after by design).
- Updated roles/web-app-nextcloud to properly include Collabora dependency.
- Added comprehensive unittests under tests/unit/module_utils for RoleDependencyResolver.
Ref: https://chatgpt.com/share/68a519c8-8e54-800f-83c0-be38546620d9
Use `systemd-escape --unescape` to restore human-readable unit identifiers in
Telegram and Email alerts. Also ensure Telegram messages are URL-encoded and
Email status checks try both raw and escaped forms for robustness.
Fixes issue where slashes were shown as dashes in notifications.
Context: see ChatGPT conversation
https://chatgpt.com/share/68a4c171-db08-800f-8399-7e07f237a441
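The commit above restores slashes that `%i` turned into dashes. As an added example (not code from the repository), here is a Python re-implementation of the plain `systemd-escape` / `systemd-escape --unescape` rules, together with the two alert fields the commit describes: the human-readable text for email and a URL-encoded copy for a Telegram-style query string. Function names, the unit name and the instance value are this example's own constructed inputs.

```python
"""Added example: systemd instance-name escaping/unescaping in Python and the
alert formatting built on top of it. Not the project's own code."""
import string
from urllib.parse import quote

# Characters systemd leaves untouched (ASCII letters, digits, ':', '_', '.')
SAFE = set(string.ascii_letters + string.digits + ":_.")


def systemd_escape(text: str) -> str:
    """Escape like `systemd-escape TEXT` (non --path mode): '/' becomes '-',
    a leading '.' and every byte outside SAFE become \\xNN (per UTF-8 byte)."""
    out = []
    for i, byte in enumerate(text.encode("utf-8")):
        ch = chr(byte)
        if ch == "/":
            out.append("-")
        elif ch in SAFE and not (i == 0 and ch == "."):
            out.append(ch)
        else:
            out.append("\\x%02x" % byte)
    return "".join(out)


def systemd_unescape(escaped: str) -> str:
    """Inverse of systemd_escape (`systemd-escape --unescape`): '-' becomes '/',
    '\\xNN' becomes the byte NN, everything else is copied through."""
    buf = bytearray()
    i = 0
    while i < len(escaped):
        hexpart = escaped[i + 2:i + 4]
        if escaped[i] == "-":
            buf.append(ord("/"))
            i += 1
        elif (escaped.startswith("\\x", i) and len(hexpart) == 2
              and all(c in string.hexdigits for c in hexpart)):
            buf.append(int(hexpart, 16))
            i += 4
        else:
            buf.extend(escaped[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def build_alert(unit: str, instance_escaped: str) -> dict:
    """Return the email text (unescaped, readable) and the Telegram query
    parameter (same text, fully percent-encoded so '/', '@' and spaces survive
    inside a GET request)."""
    readable = f"{unit} failed for instance {systemd_unescape(instance_escaped)}"
    return {
        "email_text": readable,
        "telegram_query": "text=" + quote(readable, safe=""),
    }


if __name__ == "__main__":
    # Constructed instance value as a unit would see it in %i
    print(build_alert("sys-bkp@.service", "backup-docker"))
```

The round trip only holds if the escaped form was produced by the same rules, so the email status check in the commit trying both the raw and the escaped form is the right defensive choice when the input origin is uncertain.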
- Improved get_service_name filter plugin (clearer suffix handling, consistent var names).
- Added MODE_ASSERT flag to optionally execute validation/assertion tasks.
- Fixed systemd unit handling: consistent use of %I instead of %i, correct escaping of instance names.
- Unified on_failure behavior and alarm composer scripts.
- Cleaned up redundant logging, handlers, and debug config.
- Strengthened sys-service template resolution with assert (only active when MODE_ASSERT).
- Simplified timer and suffix handling with get_service_name filter.
- Hardened sensitive tasks with no_log.
- Added conditional asserts across roles (Keycloak, DNS, Mailu, Discourse, etc.).
These changes improve consistency, safety, and validation across the automation stack.
Conversation: https://chatgpt.com/share/68a4ae28-483c-800f-b2f7-f64c7124c274
- Added logic to scan each role’s tasks/*.yml files for include_role usage
- Supports:
* loop/with_items with literal strings → adds each role
* patterns with variables inside literals (e.g. svc-db-{{database_type}}) → expanded to glob and matched
* pure variable-only names ({{var}}) → ignored
* pure literal names → added directly
- Merges discovered dependencies under graphs["dependencies"]["include_role"]
- Added dedicated unit test covering looped includes, glob patterns, pure literals, and ignoring pure variables
See ChatGPT conversation (https://chatgpt.com/share/68a4ace0-7268-800f-bd32-b475c5c9ba1d) for context.
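The four classification rules in the commit above (looped literals, literals containing variables expanded to a glob, pure variables ignored, pure literals taken as-is) as an added Python example. This is not the repository's `cli/build/tree.py`; it assumes the tasks have already been parsed from YAML into Python objects (the real tool would load `tasks/*.yml` first), and the role names and tasks below are constructed.

```python
"""Added example: resolving include_role dependencies from parsed task lists.
Not the project's own code; AVAILABLE_ROLES and SAMPLE_TASKS are constructed."""
import fnmatch
import re

# One Jinja expression; '[^}]*' keeps two expressions from merging into one match
JINJA_EXPR = re.compile(r"\{\{[^}]*\}\}")

# Constructed stand-in for the directory names found under roles/
AVAILABLE_ROLES = ["svc-db-mariadb", "svc-db-postgres", "sys-service",
                   "web-app-nextcloud", "web-svc-collabora"]


def classify_role_name(name: str):
    """'literal' when the name has no Jinja, 'variable' when the whole name is
    a single expression, otherwise 'glob' with each expression replaced by '*'."""
    stripped = name.strip()
    if not JINJA_EXPR.search(stripped):
        return "literal", stripped
    if JINJA_EXPR.fullmatch(stripped):
        return "variable", None
    return "glob", JINJA_EXPR.sub("*", stripped)


def include_role_dependencies(tasks, available_roles=AVAILABLE_ROLES):
    """Collect role names pulled in via include_role across a task list."""
    found = set()
    for task in tasks:
        spec = task.get("include_role") or task.get("ansible.builtin.include_role")
        if spec is None:
            continue
        name = spec.get("name") if isinstance(spec, dict) else spec
        if not isinstance(name, str):
            continue
        loop_items = task.get("loop", task.get("with_items"))
        kind, _ = classify_role_name(name)
        if kind == "variable" and isinstance(loop_items, list):
            # name is the loop variable (e.g. {{ item }}): the loop entries are
            # the real role names, so classify each of them instead
            candidates = [item for item in loop_items if isinstance(item, str)]
        else:
            candidates = [name]
        for cand in candidates:
            kind, value = classify_role_name(cand)
            if kind == "literal":
                found.add(value)
            elif kind == "glob":
                found.update(fnmatch.filter(available_roles, value))
            # 'variable' with no loop cannot be resolved statically: ignored
    return sorted(found)


def merge_into_graph(graphs: dict, role: str, deps: list) -> dict:
    """Store the result under graphs['dependencies']['include_role'][role]."""
    graphs.setdefault("dependencies", {}).setdefault("include_role", {})[role] = deps
    return graphs


# Constructed tasks covering all four rules plus an unrelated task
SAMPLE_TASKS = [
    {"name": "Load service role", "include_role": {"name": "sys-service"}},
    {"name": "Load database role",
     "include_role": {"name": "svc-db-{{ database_type }}"}},
    {"name": "Load looped roles", "include_role": {"name": "{{ item }}"},
     "loop": ["web-app-nextcloud", "sys-timer"]},
    {"name": "Fully dynamic include",
     "ansible.builtin.include_role": {"name": "{{ application_role }}"}},
    {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "noop"}},
]

if __name__ == "__main__":
    deps = include_role_dependencies(SAMPLE_TASKS)
    print(merge_into_graph({}, "web-app-example", deps))
```

Note that `sys-timer` ends up in the result although it is not in `AVAILABLE_ROLES`: pure literals are added directly, exactly as the commit states, so a missing role surfaces later as an unresolved dependency rather than being silently dropped here.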
- Swap role includes: sys-systemctl → sys-service in all roles
- Rename variables everywhere: systemctl_* → system_service_* (incl. systemctl_id → system_service_id)
- Templates: ExecStart now uses {{ system_service_script_exec }}; add optional RuntimeMaxSec via SYS_SERVICE_DEFAULT_RUNTIME
- Move SYS_SERVICE defaults into roles/sys-service/defaults (remove SYS_SERVICE_ALL_ENABLED & SYS_SERVICE_DEFAULT_STATE from group_vars/07_services.yml)
- Tidy group_vars/all/08_timer.yml formatting
- Introduce roles/sys-daemon:
- default manager timeouts (timeouts.conf)
- optional purge of /etc/systemd/system.conf.d
- validation via systemd-analyze verify
- handlers for daemon-reload & daemon-reexec
- Refactor sys-timer to system_service_* variables (docs and templates updated)
- Move filter_plugins/filetype.py under sys-service
- Update meta/README to point to official systemd docs
- Touch many roles (backup/cleanup/health/repair/certs/nginx/csp/wireguard/ssd-hdd/keyboard/update-docker/alarm compose/email/telegram/etc.) to new naming
BREAKING CHANGE:
- Role path/name change: use `sys-service` instead of `sys-systemctl`
- All `systemctl_*` vars are now `system_service_*` (e.g., on_calendar, state, timer_enabled, script_exec, id)
- If you have custom templates, adopt RuntimeMaxSec and new variable names
Chat context: https://chatgpt.com/share/68a47568-312c-800f-af3f-e98575446327
- Fixed bug where not both alarm services (email + telegram) were triggered.
- Removed direct OnFailure references for email and telegram,
now handled by unified compose service.
- Introduced 01_core.yml in sys-ctl-alm-compose to structure
role execution (subservices → core service → test run).
- Added configurable variables SYSTEMCTL_ALARM_COMPOSER_SUBSERVICES
and SYSTEMCTL_ALARM_COMPOSER_DUMMY_MESSAGE.
- Replaced dedicated @.service template with generic systemctl template
using systemctl_tpl_* variables for flexibility.
- Updated script.sh.j2 to collect exit codes and print clear errors.
- Fixed typos and streamlined vars in sys-systemctl.
See conversation: https://chatgpt.com/share/68a46172-7c3c-800f-a69c-0cb9edd6839f
- update alarm compose unit to run email/telegram notifiers independently via multiple ExecStart lines
- ensure cleanup backup dependencies are included before timer setup with handler flush
conversation: https://chatgpt.com/share/68a43429-c0cc-800f-9cc9-9a5ae258dc50
- Introduce SYS_SERVICE_ALL_ENABLED and SYS_TIMER_ALL_ENABLED runtime flags
- Add SYS_SERVICE_DEFAULT_STATE for consistent default handling
- Ensure all on-failure service names use lowercase software_name
- Load sys-svc-cln-anon-volumes role during Docker cleanup
- Allow forced service refresh when SYS_SERVICE_ALL_ENABLED is true
- Replace ACTIVATE_ALL_TIMERS with SYS_TIMER_ALL_ENABLED
- Use SYS_SERVICE_DEFAULT_STATE in sys-systemctl vars
- Remove redundant MIG build job fail check
Related to service/timer process control refactoring.
- Updated filter_plugins/get_service_name.py:
* Default suffix handling: auto-select .service (no '@') or .timer (with '@')
* Explicit False disables suffix entirely
* Explicit string suffix still supported
- Updated sys-systemctl handler to use new filter instead of SYS_SERVICE_SUFFIX
- Extended unit tests to cover new suffix behavior
Ref: https://chat.openai.com/share/8c2de9e6-daa0-44dd-ae13-d7a7d8d8b6d9
Replaced all hardcoded service name concatenations with the new get_service_name filter.
This ensures consistency, proper lowercase formatting, and correct handling of '@' suffixed units.
Added unittests for the filter (normal, custom suffix, '@'-units, and lowercase normalization).
Context: see ChatGPT discussion https://chatgpt.com/share/68a38beb-b9bc-800f-b7ed-cdd2b64b2604
- Unified service templates into generic systemctl templates
- Introduced reusable filter plugins for script path handling
- Updated path variables and service/timer definitions
- Migrated roles (backup, cleanup, repair, etc.) to use systemctl role
- Added sys-daemon role for core systemd cleanup
- Simplified timer handling via sys-timer role
Note: This is a large refactor and some errors may still exist. Further testing and adjustments will be needed.
This commit restructures systemctl service definitions and category mappings.
Motivation: Alarm-related bugs revealed inconsistencies in service and role handling.
Preparation step: lays the groundwork for fixing the alarm issues by aligning categories, roles, and service templates.
This commit introduces a new Ansible filter plugin named
'get_category_entries', which returns all role names under the
roles/ directory that start with a given prefix.
Additionally, unit tests (unittest framework) have been added under
tests/unit/filterplugins/ to ensure correct behavior, including:
- Returns empty list when roles/ directory is missing
- Correctly filters and sorts by prefix
- Ignores non-directory entries
- Supports custom roles_path argument
- Returns all roles when prefix is empty
Reference: https://chatgpt.com/share/68a2f1ab-1fe8-800f-b22a-28c1c95802c2
- Standardized spacing in {{ docker_compose.directories.volumes }} across multiple roles
- Added async and poll support to sys-bkp-docker-2-loc database seeding and file permission tasks
- Moved Installation.md for web-app-matrix into docs/ for better structure
- Enabled central_database in Mailu config
- Improved API token creation task:
* use curl -f to fail on HTTP errors
* added explicit failed_when and changed_when conditions
- Adjusted docker-compose template spacing for readability
- Made logging level configurable (DEBUG when MODE_DEBUG is set)
- Added new documentation Move_Domain.md explaining safe procedure for migrating mailboxes to a new domain
- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
* Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
* Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.
Replace 01_import.yml with 01_initialize.yml (KEYCLOAK_HOST_IMPORT_DIR)
Add generic 02_update.yml (kcadm updater for clients/components)
- Resolve ID → read current → merge (kc_merge_path optional)
- Preserve immutable fields; support kc_force_attrs
Update tasks/main.yml:
- Readiness via KEYCLOAK_MASTER_REALM_URL; kcadm login
- Merge LDAP component config from Realm when KEYCLOAK_LDAP_ENABLED
- Update client settings incl. frontchannel.logout.url
realm.json.j2: include ldap.json in UserStorageProvider
ldap.json.j2: use KEYCLOAK_LDAP_* vars for bindDn/credential/connectionUrl
vars/main.yml: add KEYCLOAK_* URLs/dirs and KEYCLOAK_DICTIONARY_REALM(_RAW)
docker-compose.yml.j2: mount KEYCLOAK_HOST_IMPORT_DIR
Cleanup: remove 02_update_client_redirects.yml, 03_update-ldap-bind.yml, 04_ssh_public_key.yml; drop obsolete config flag; formatting
Note: redirectUris/webOrigins ordering may still cause changed=true; consider sorting for stability in a follow-up.
- Removed all static 'id' fields from realm.json.j2, ldap.json.j2, and client.json.j2
- Replaced 'desktop-secret' with correct 'client-secret' authenticator type
- Standardized Jinja filters to use 'to_json' consistently
- Corrected defaultClientScopes entry from 'web-app-origins' to built-in 'web-origins'
- Verified LDAP mapper definitions and optional realm role mapping
- Ensured realm.json.j2 contains only required scopes
References: Chat with ChatGPT (2025-08-17)
https://chatgpt.com/share/68a1aaae-1b04-800f-aa8d-8a0ef6d33cba
- Replace KEYCLOAK_KCADM_PATH with KEYCLOAK_EXEC_KCADM consistently
- Externalize client.json to separate Jinja2 template and include it in realm.json
- Simplify LDAP bind update to use explicit KEYCLOAK_LDAP_* vars
- Add async/poll support for long-running kcadm updates
- Restructure vars/main.yml: clearer grouping (General, Docker, Server, Update, LDAP, API)
- Compute redirectUris/webOrigins centrally in vars
- Align post.logout.redirect.uris handling with playbook
Conversation: https://chatgpt.com/share/68a1a11f-f8ac-800f-bada-cdc99a4fa1bf
- Removed trailing slash in '_oidc_client_issuer_url' to avoid issuer mismatch
- Use '.rstrip('/')' to normalize '_oidc_url'
- Switched to '~' concatenation instead of inline slashes for all OIDC endpoints
- Ensures that Mastodon and other OIDC clients match the issuer from Keycloak discovery
Change motivated by Mastodon issuer mismatch bug (OpenIDConnect::Discovery::DiscoveryFailed).
See related discussion: https://chatgpt.com/share/68a17d3c-c980-800f-934c-d56955b45f81
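Why the trailing slash matters, as an added Python example that is not the project's own vars: OpenID Connect Discovery 1.0 (section 4.3) requires the `issuer` value in `/.well-known/openid-configuration` to be identical to the configured issuer, so a client that normalizes nothing will refuse a provider whose published issuer differs by one `/`. The functions mirror the `rstrip('/')` plus `~` concatenation from the commit and add the issuer sanity checks from OIDC Core (https scheme, no query or fragment). Hostnames are constructed; the endpoint paths are the Keycloak ones the project's OIDC defaults use.

```python
"""Added example: issuer normalisation and strict issuer comparison for OIDC
clients. Not the project's own code; id.example.test is a constructed host."""
from urllib.parse import urlsplit


def normalize_issuer(url: str) -> str:
    """Equivalent of the commit's `.rstrip('/')` on _oidc_url."""
    return url.rstrip("/")


def join_url(base: str, path: str) -> str:
    """Concatenate with exactly one slash, whatever the inputs carry."""
    return base.rstrip("/") + "/" + path.lstrip("/")


def build_oidc_endpoints(issuer_url: str) -> dict:
    """Derive the Keycloak endpoint set from a (possibly slash-terminated) issuer."""
    issuer = normalize_issuer(issuer_url)
    return {
        "issuer_url": issuer,
        "discovery_document": join_url(issuer, ".well-known/openid-configuration"),
        "authorize_url": join_url(issuer, "protocol/openid-connect/auth"),
        "token_url": join_url(issuer, "protocol/openid-connect/token"),
        "user_info_url": join_url(issuer, "protocol/openid-connect/userinfo"),
        "logout_url": join_url(issuer, "protocol/openid-connect/logout"),
        "certs": join_url(issuer, "protocol/openid-connect/certs"),
    }


def issuer_matches(configured: str, discovered: str) -> bool:
    """Strict comparison, as OIDC Discovery demands: no normalisation on either
    side, so 'https://x/realms/r/' and 'https://x/realms/r' are different issuers."""
    return configured == discovered


def issuer_problems(url: str) -> list:
    """Checks an operator can run before deploying an issuer URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query or fragment")
    if url != url.rstrip("/"):
        problems.append("trailing slash; Keycloak publishes the issuer without one")
    return problems


if __name__ == "__main__":
    # Constructed discovery response as Keycloak would publish it
    discovered = {"issuer": "https://id.example.test/realms/demo"}
    configured = "https://id.example.test/realms/demo/"
    print("raw match:", issuer_matches(configured, discovered["issuer"]))
    print("normalised match:",
          issuer_matches(normalize_issuer(configured), discovered["issuer"]))
    print(issuer_problems(configured))
```

The strict comparison is a feature, not a bug: accepting a "close enough" issuer would let a token minted for one issuer pass validation against another, so the fix belongs in the configured value, as the commit does, not in a more lenient client.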
- removed obsolete role `srv-web-7-7-dns-records` (README, meta, tasks)
- updated Gitea role to use `sys-dns-cloudflare-records` with explicit record vars
- updated web-opt-rdr-www role to use new DNS role with zone detection (`to_zone`)
- added REDIRECT_WWW_FLAVOR var to support "edge" flavor selection
- Support fully qualified ansible.builtin.set_fact
- Parse inline set_fact mappings (e.g. set_fact: { a: 1, b: 2 })
- Continue scanning inside vars/set_fact blocks for Jinja {% set %}, {% for %}, and {% macro %}
- Ensures variables defined by set_fact are correctly recognized as defined
- replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere
- introduced generic sys-dns-cloudflare-records role for managing DNS records
- added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors
- updated Mailu role to:
- generate DKIM before DNS setup
- delegate DNS + rDNS records to the new generic roles
- removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN)
- extended group vars with HOSTING_PROVIDER for rDNS flavor decision
- added hetzner.hcloud collection to requirements
This consolidates DNS management into reusable roles,
supports both Cloudflare and Hetzner providers,
and standardizes variable naming across the project.
- Added vars/main.yml to define iframe-handler.js file name and destination
- Implemented 01_deploy.yml to deploy iframe-handler.js to CDN and set mtime-based version fact
- Split original iframe logic into:
• iframe-handler.js (full logic, served from CDN)
• iframe-init_one_liner.js.j2 (small inline bootstrap, CSP-hashed)
- Updated head_sub.j2 to load script from CDN instead of embedding full code
- Added body_sub.j2 for inline init code
- Updated iframe-handler.js.j2 with initIframeHandler() function and global exposure
- Activated role earlier in inj-compose with public: true so vars are available for templates
- Included 'port-ui-desktop' in body_snippets loop in location.lua.j2
- Disabled 'port-ui-desktop' feature in web-svc-cdn config by default
https://chatgpt.com/share/689d03a8-4c28-800f-8b06-58ce2807b075
- Standardize async/poll usage with 'ASYNC_ENABLED | bool'
- Add async/poll parameters to Cloudflare, Nginx, Mailu, MIG, Nextcloud, and OpenLDAP tasks
- Update async configuration in 'group_vars/all/00_general.yml' to ensure boolean evaluation
- Allow CAA, cache, and DNS tasks to run asynchronously when enabled
https://chatgpt.com/share/689cd8cc-7fbc-800f-bd06-a667561573bf
- Introduce global async configuration in group_vars/all/00_general.yml:
- ASYNC_ENABLED (disabled in debug mode)
- ASYNC_TIME (default 300s, omitted if async disabled)
- ASYNC_POLL (0 for async fire-and-forget, 10 for sync mode)
- Replace hardcoded async/poll values with global vars in:
- svc-db-openldap (03_users.yml, 04_update.yml)
- web-app-mig (02_build_data.yml)
- web-app-nextcloud (03_admin.yml, 04_system_config.yml, 05_plugin.yml,
06_plugin_routines.yml, 07_plugin_enable_and_configure.yml)
- Guard changed_when and failed_when conditions to only evaluate in synchronous
mode to avoid accessing undefined rc/stdout/stderr in async runs
https://chatgpt.com/share/689cd8cc-7fbc-800f-bd06-a667561573bf
• Add config.performance.async.wait_for and expose as nextcloud_wait_for_async_enabled to toggle waiting for async jobs.
• Split system/admin/index maintenance into separate tasks: 02_add_missing_indices.yml, 03_admin.yml, 04_system_config.yml.
• Refactor plugin flow: rename 02_plugin→05_plugin, 03_plugin_routines→06_plugin_routines, 04_plugin_enable_and_configure→07_plugin_enable_and_configure; remove old 03_plugin_routines and 05_system.
• Harden async handling: filter async_status loops by ansible_job_id; conditionally wait only when nextcloud_wait_for_async_enabled; reduce delay to 1s.
• Reorder main.yml to run system steps before plugin setup; keep handlers flush earlier.
• env.j2: simplify get_app_conf lookups (drop extra True flag).
• vars/main.yml: add nextcloud_host_nginx_path and nextcloud_wait_for_async_enabled.
https://chatgpt.com/share/689c9d4a-1748-800f-b490-06a5a48dd831
Switch to command:argv to avoid shell quoting and argument splitting issues.
Pass -s config values as JSON arrays via to_json, fixing previous errors: Cannot parse the JSON / failed at splitting arguments.
Also reconcile config.connectionUrl from ldap.server.uri.
Source desired values strictly from ldap.* (no computed defaults) and assert their presence.
Keep operation idempotent by reading current values and updating only on change.
Minor refactor: build reusable kcadm_argv_base and expand client state extraction.
Touch: roles/web-app-keycloak/tasks/03_update-ldap-bind.yml
https://chatgpt.com/share/689bea84-7188-800f-ba51-830a0735f24c
2025-08-13 03:30:14 +02:00
1568 changed files with 18326 additions and 11548 deletions
- **"Software":** Refers to *"[Infinito.Nexus - Cyber Master Infrastructure Solution](https://infinito.nexus/)"* and its associated source code.
- **"Software":** Refers to *"[Infinito.Nexus](https://infinito.nexus/)"* and its associated source code.
- **"Commercial Use":** Any use of the Software intended for direct or indirect financial gain, including but not limited to sales, rentals, or provision of services.
*Automate the Provisioning of All Your Servers and Workstations with a Single Open‑Source Script!*

---
@@ -15,7 +13,7 @@
|---|---|
| 🌐 Try It Live | [](https://infinito.nexus) |
| 🔧 Request Your Setup | [](https://cybermaster.space) |
| 📖 About This Project | [](https://github.com/sponsors/kevinveenbirkenbach) [](https://s.infinito.nexus/code/actions/workflows/test-cli.yml?query=branch%3Amaster) [](https://s.infinito.nexus/code) |
| 📖 About This Project | [](https://github.com/sponsors/kevinveenbirkenbach) [](https://github.com/kevinveenbirkenbach/infinito-nexus/actions/workflows/test-cli.yml) [](https://s.infinito.nexus/code) |
| ☕️ Support Us | [](https://www.patreon.com/c/kevinveenbirkenbach) [](https://buymeacoffee.com/kevinveenbirkenbach) [](https://s.veen.world/paypaldonate) [](https://github.com/sponsors/kevinveenbirkenbach) |
---
@@ -93,4 +91,4 @@ Infinito.Nexus is distributed under the **Infinito.Nexus NonCommercial License**
## Professional Setup & Support 💼
For expert installation and configuration visit [cybermaster.space](https://cybermaster.space/) or write to us at **[contact@infinito.nexus](mailto:contact@infinito.nexus)**.
For expert installation and configuration visit [cybermaster.space](https://cybermaster.space/) or write to us at **[contact@cymais.cloud](mailto:contact@cymais.cloud)**.
Infinito.Nexus (Cyber Master Infrastructure Solution) is a modular, open-source IT infrastructure automation platform designed to simplify the deployment, management, and security of self-hosted environments.
[Infinito.Nexus](https://infinito.nexus) is a modular, open-source IT infrastructure automation platform designed to simplify the deployment, management, and security of self-hosted environments.
It provides a flexible, scalable, and secure architecture based on modern [DevOps](https://en.wikipedia.org/wiki/DevOps) principles, leveraging technologies like [Ansible](https://en.wikipedia.org/wiki/Ansible_(software)), [Docker](https://en.wikipedia.org/wiki/Docker_(software)), and [Infrastructure as Code (IaC)](https://en.wikipedia.org/wiki/Infrastructure_as_code).
This section explains how to deploy and manage the **Cyber Master Infrastructure Solution (Infinito.Nexus)** using Ansible. Infinito.Nexus uses a collection of Ansible tasks, which are controlled via different **"modes"** — such as **updates**, **backups**, **resets**, and **cleanup** operations.
This section explains how to deploy and manage **[Infinito.Nexus](https://infinito.nexus)** using Ansible. Infinito.Nexus uses a collection of Ansible tasks, which are controlled via different **"modes"** — such as **updates**, **backups**, **resets**, and **cleanup** operations.
certbot_dns_api_token:""# Define in inventory file: More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
certbot_dns_propagation_wait_seconds:300# How long should the script wait for DNS propagation before continuing
certbot_flavor: san # Possible options:san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated
CERTBOT_DNS_PROPAGATION_WAIT_SECONDS:300# How long should the script wait for DNS propagation before continuing
CERTBOT_FLAVOR: san # Possible options:san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated
# Path where Certbot stores challenge webroot files
letsencrypt_webroot_path:"/var/lib/letsencrypt/"
# Letsencrypt
LETSENCRYPT_WEBROOT_PATH:"/var/lib/letsencrypt/"# Path where Certbot stores challenge webroot files
LETSENCRYPT_BASE_PATH:"/etc/letsencrypt/"# Base directory containing Certbot configuration, account data, and archives
LETSENCRYPT_LIVE_PATH:"{{ LETSENCRYPT_BASE_PATH }}live/"# Symlink directory for the current active certificate and private key
# Base directory containing Certbot configuration, account data, and archives
letsencrypt_base_path:"/etc/letsencrypt/"
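Review bot: `certbot_dns_api_token:""` ships an empty default for an API credential whose comment says it must be defined in the inventory; if an operator forgets it, the problem only shows up when certbot's DNS plugin fails at issuance time. Add an early assert that the token is non-empty whenever a DNS-backed `CERTBOT_FLAVOR` (`san` or `wildcard`) is selected, and have the referenced `group_vars/all/docs/CLOUDFLARE_API_TOKEN.md` say that the inventory value belongs in Ansible Vault rather than plain text. Since both the lowercase (`certbot_*`, `letsencrypt_*`) and the uppercase (`CERTBOT_*`, `LETSENCRYPT_*`) names appear in this region, also grep the roles for leftover references to the lowercase names, otherwise a role would silently read an undefined variable.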
## Docker
DOCKER_RESTART_POLICY:"unless-stopped"# Default restart parameter for docker containers
DOCKER_VARS_FILE:"{{ playbook_dir }}/roles/docker-compose/vars/docker-compose.yml"# File containing docker compose variables used by other services
DOCKER_WHITELISTET_ANON_VOLUMES:[]# Volumes which should be ignored during docker anonymous health check
# Symlink directory for the current active certificate and private key
STREAMS:"{{ _nginx_conf_dir }}streams/"# Contains streams configuration e.g. for ldaps
DATA:
WWW:"{{ _nginx_www_dir }}"
WELL_KNOWN:"/usr/share/nginx/well-known/"# Path where well-known files are stored
HTML:"{{ _nginx_www_dir }}public_html/"# Path where the static homepage files are stored
FILES:"{{ _nginx_www_dir }}public_files/"# Path where the web accessable files are stored
CDN:"{{ _nginx_www_dir }}public_cdn/"# Contains files which will be accessable via the content delivery network
GLOBAL:"{{ _nginx_www_dir }}global/"# Directory containing files which will be globaly accessable, @Todo remove this when css migrated to CDN
CACHE:
GENERAL:"/tmp/cache_nginx_general/"# Directory which nginx uses to cache general data
IMAGE:"/tmp/cache_nginx_image/"# Directory which nginx uses to cache images
USER:"http"# Default nginx user in ArchLinux
# @todo It propably makes sense to distinguish between target and source mount path, so that the config files can be stored in the openresty volumes folder
id:"{{ _oidc_client_id }}"# Client identifier, typically matching your primary domain
# secret: # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
realm:"{{_oidc_client_realm}}"# The realm to which the client belongs in the OIDC provider
issuer_url:"{{_oidc_client_issuer_url}}"# Base URL of the OIDC provider (issuer)
discovery_document:"{{_oidc_client_issuer_url}}/.well-known/openid-configuration"# URL for fetching the provider's configuration details
authorize_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"# Endpoint to start the authorization process
token_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/token"# Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
user_info_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"# Endpoint to retrieve user information
logout_url:"{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"# Endpoint to log out the user
change_credentials:"{{_oidc_client_issuer_url}}account/account-security/signing-in"# URL for managing or changing user credentials
certs:"{{_oidc_client_issuer_url}}/protocol/openid-connect/certs"# JSON Web Key Set (JWKS)
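Review bot: `change_credentials` is the only entry built without a `/` between `{{_oidc_client_issuer_url}}` and its path (`...}}account/account-security/signing-in`); with the trailing slash now stripped from `_oidc_client_issuer_url` (the "Removed trailing slash in '_oidc_client_issuer_url'" commit above), this renders as `.../realms/<realm>account/...`, a broken link in the credential-management UI. Add the slash, or use the `~` concatenation the other endpoints moved to. The comment on `token_url` ("'token_url' may be a typo for 'token_url'") compares the name with itself and should be dropped or corrected.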
description:"Notification handlers for system events"
icon:"fas fa-bell"
invokable:false
mtn:
title:"Maintenance"
description:"Maintenance roles for certificates, system upkeep, and recurring operational tasks."
icon:"fas fa-tools"
invokable:false
rpr:
title:"Repair"
description:"Repair and recovery roles—handling hard/soft recovery of Docker, Btrfs balancers, and other low-level system fixes."
icon:"fas fa-wrench"
invokable:false
dns:
title:"DNS Automation"
description:"DNS providers, records, and rDNS management (Cloudflare, Hetzner, etc.)."
icon:"fas fa-network-wired"
invokable:false
stk:
title:"Stack"
description:"Stack levels to setup the server"
icon:"fas fa-bars-staggered"
invokable:false
front:
title:"System Frontend Helpers"
description:"Frontend helpers for reverse-proxied apps (injection, shared assets, CDN plumbing)."
icon:"fas fa-wand-magic-sparkles"
invokable:false
inj:
title:"Injection"
description:"Composable HTML injection roles (CSS, JS, logout interceptor, analytics, desktop iframe) for Nginx/OpenResty via sub_filter/Lua with CDN-backed assets."
icon:"fas fa-filter"
invokable:false
update:
title:"Updates & Package Management"
description:"OS & package updates"
icon:"fas fa-sync"
invokable:true
pkgmgr:
title:"Package Manager Helpers"
description:"Helpers for package managers and unified install flows."
icon:"fas fa-box-open"
invokable:false
drv:
title:"Drivers"
description:"Roles for installing and configuring hardware drivers—covering printers, graphics, input devices, and other peripheral support."
description:"Utility roles for server-side configuration and management—covering corporate identity provisioning, network helpers, and other service-oriented toolkits."
icon:"fas fa-cogs"
invokable:true
srv:
title:"Server"
description:"General server roles for provisioning and managing server infrastructure—covering web servers, proxy servers, network services, and other backend components."
icon:"fas fa-server"
invokable:false
web:
title:"Webserver"
description:"Web-server roles for installing and configuring Nginx (core, TLS, injection filters, composer modules)."
icon:"fas fa-server"
invokable:false
proxy:
title:"Proxy Server"
description:"Proxy-server roles for virtual-host orchestration and reverse-proxy setups."
icon:"fas fa-project-diagram"
dev:
title:"Developer Utilities"
description:"Developer-centric server utilities and admin toolkits."
icon:"fas fa-code"
invokable:false
web:
title:"Web Infrastructure"
@@ -99,11 +129,6 @@ roles:
title:"Webserver Optimation"
description:"Tools which help to optimize webservers"
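Review bot: the `drv` entry (`title:"Drivers"`) shows two `description:` lines back to back; if both are part of the resulting file, YAML loaders keep the last duplicate key and `drv` ends up described as "Utility roles for server-side configuration ...". Likewise `web` appears twice (`Webserver` and `Web Infrastructure`) and `proxy` is the one category without an `invokable:` key while every sibling has one. If these are removed lines whose markers the rendered diff has lost, fine; otherwise dedupe the keys and give `proxy` an explicit `invokable` so whatever reads that flag does not hit a missing key.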
database_instance:"{{ _database_central_name if _database_central_enabled else database_name }}"# This could lead to bugs at dedicated database @todo cleanup
database_host:"{{ _database_central_name if _database_central_enabled else 'database' }}"# This could lead to bugs at dedicated database @todo cleanup
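Review bot: both `database_instance` and `database_host` carry a `@todo cleanup` comment admitting the expression "could lead to bugs at dedicated database". Shipping an acknowledged-wrong branch in shared vars means a role with a dedicated database would pick `database_name` / `'database'` without any signal; either resolve it here or add an assert on the `_database_central_enabled` false branch so a misrouted connection fails loudly instead of quietly reaching the wrong host.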