feat(keycloak): add automation service account client support

Introduce a confidential service-account client (Option A) to replace user-based
kcadm sessions. The client is created automatically, granted realm-admin role,
and used for all subsequent Keycloak updates. Includes improved error handling
for HTTP 401 responses.

Discussion: https://chatgpt.com/share/68e01da3-39fc-800f-81be-2d0c8efd81a1

.github/workflows/test-cli.yml

@@ -21,12 +21,12 @@ jobs:
 
       - name: Clean build artifacts
         run: |
-          docker run --rm infinito:latest make clean
+          docker run --rm infinito:latest infinito make clean
 
       - name: Generate project outputs
         run: |
-          docker run --rm infinito:latest make build
+          docker run --rm infinito:latest infinito make build
 
       - name: Run tests
         run: |
-          docker run --rm infinito:latest make test
+          docker run --rm infinito:latest infinito make test

Dockerfile

@@ -59,11 +59,4 @@ RUN INFINITO_PATH=$(pkgmgr path infinito) && \
     ln -sf "$INFINITO_PATH"/main.py /usr/local/bin/infinito && \
     chmod +x /usr/local/bin/infinito
 
-# 10) Run integration tests
-# This needed to be deactivated becaus it doesn't work with gitthub workflow
-#RUN INFINITO_PATH=$(pkgmgr path infinito) && \
-#    cd "$INFINITO_PATH" && \
-#    make test
-
-ENTRYPOINT ["infinito"]
-CMD ["--help"]
+CMD sh -c "infinito --help && exec tail -f /dev/null"

Makefile

@@ -73,7 +73,7 @@ messy-test:
 	@echo "🧪 Running Python tests…"
 	PYTHONPATH=. python -m unittest discover -s tests
 	@echo "📑 Checking Ansible syntax…"
-	ansible-playbook playbook.yml --syntax-check
+	ansible-playbook -i localhost, -c local $(foreach f,$(wildcard group_vars/all/*.yml),-e @$(f)) playbook.yml --syntax-check
 
 install: build
 	@echo "⚙️  Install complete."

cli/TODO.md

@@ -1,3 +0,0 @@
-# Todo
-- Test this script. It's just a draft. Checkout https://chatgpt.com/c/681d9e2b-7b28-800f-aef8-4f1427e9021d
-- Solve bugs in show_vault_variables.py

cli/create/credentials.py

@@ -1,14 +1,29 @@
+#!/usr/bin/env python3
+"""
+Selectively add & vault NEW credentials in your inventory, preserving comments
+and formatting. Existing values are left untouched unless --force is used.
+
+Usage example:
+  infinito create credentials \
+    --role-path roles/web-app-akaunting \
+    --inventory-file host_vars/echoserver.yml \
+    --vault-password-file .pass/echoserver.txt \
+    --set credentials.database_password=mysecret
+"""
+
 import argparse
-import subprocess
 import sys
 from pathlib import Path
-import yaml
-from typing import Dict, Any
-from module_utils.manager.inventory import InventoryManager
-from module_utils.handler.vault   import VaultHandler, VaultScalar
-from module_utils.handler.yaml    import YamlHandler
-from yaml.dumper import SafeDumper
+from typing import Dict, Any, Union
 
+from ruamel.yaml import YAML
+from ruamel.yaml.comments import CommentedMap
+
+from module_utils.manager.inventory import InventoryManager
+from module_utils.handler.vault import VaultHandler  # uses your existing handler
+
+
+# ---------- helpers ----------
 
 def ask_for_confirmation(key: str) -> bool:
     """Prompt the user for confirmation to overwrite an existing value."""
@@ -18,35 +33,117 @@ def ask_for_confirmation(key: str) -> bool:
     return confirmation == 'y'
 
 
-def main():
+def ensure_map(node: CommentedMap, key: str) -> CommentedMap:
+    """
+    Ensure node[key] exists and is a mapping (CommentedMap) for round-trip safety.
+    """
+    if key not in node or not isinstance(node.get(key), CommentedMap):
+        node[key] = CommentedMap()
+    return node[key]
+
+
+def _is_ruamel_vault(val: Any) -> bool:
+    """Detect if a ruamel scalar already carries the !vault tag."""
+    try:
+        return getattr(val, 'tag', None) == '!vault'
+    except Exception:
+        return False
+
+
+def _is_vault_encrypted(val: Any) -> bool:
+    """
+    Detect if value is already a vault string or a ruamel !vault scalar.
+    Accept both '$ANSIBLE_VAULT' and '!vault' markers.
+    """
+    if _is_ruamel_vault(val):
+        return True
+    if isinstance(val, str) and ("$ANSIBLE_VAULT" in val or "!vault" in val):
+        return True
+    return False
+
+
+def _vault_body(text: str) -> str:
+    """
+    Return only the vault body starting from the first line that contains
+    '$ANSIBLE_VAULT'. If not found, return the original text.
+    Also strips any leading '!vault |' header if present.
+    """
+    lines = text.splitlines()
+    for i, ln in enumerate(lines):
+        if "$ANSIBLE_VAULT" in ln:
+            return "\n".join(lines[i:])
+    return text
+
+
+def _make_vault_scalar_from_text(text: str) -> Any:
+    """
+    Build a ruamel object representing a literal block scalar tagged with !vault
+    by parsing a tiny YAML snippet. This avoids depending on yaml_set_tag().
+    """
+    body = _vault_body(text)
+    indented = "  " + body.replace("\n", "\n  ")  # proper block scalar indentation
+    snippet = f"v: !vault |\n{indented}\n"
+    y = YAML(typ="rt")
+    return y.load(snippet)["v"]
+
+
+def to_vault_block(vault_handler: VaultHandler, value: Union[str, Any], label: str) -> Any:
+    """
+    Return a ruamel scalar tagged as !vault. If the input value is already
+    vault-encrypted (string contains $ANSIBLE_VAULT or is a !vault scalar), reuse/wrap.
+    Otherwise, encrypt plaintext via ansible-vault.
+    """
+    # Already a ruamel !vault scalar → reuse
+    if _is_ruamel_vault(value):
+        return value
+
+    # Already an encrypted string (may include '!vault |' or just the header)
+    if isinstance(value, str) and ("$ANSIBLE_VAULT" in value or "!vault" in value):
+        return _make_vault_scalar_from_text(value)
+
+    # Plaintext → encrypt now
+    snippet = vault_handler.encrypt_string(str(value), label)
+    return _make_vault_scalar_from_text(snippet)
+
+
+def parse_overrides(pairs: list[str]) -> Dict[str, str]:
+    """
+    Parse --set key=value pairs into a dict.
+    Supports both 'credentials.key=val' and 'key=val' (short) forms.
+    """
+    out: Dict[str, str] = {}
+    for pair in pairs:
+        k, v = pair.split("=", 1)
+        out[k.strip()] = v.strip()
+    return out
+
+
+# ---------- main ----------
+
+def main() -> int:
     parser = argparse.ArgumentParser(
-        description="Selectively vault credentials + become-password in your inventory."
+        description="Selectively add & vault NEW credentials in your inventory, preserving comments/formatting."
     )
+    parser.add_argument("--role-path", required=True, help="Path to your role")
+    parser.add_argument("--inventory-file", required=True, help="Host vars file to update")
+    parser.add_argument("--vault-password-file", required=True, help="Vault password file")
     parser.add_argument(
-        "--role-path", required=True, help="Path to your role"
-    )
-    parser.add_argument(
-        "--inventory-file", required=True, help="Host vars file to update"
-    )
-    parser.add_argument(
-        "--vault-password-file", required=True, help="Vault password file"
-    )
-    parser.add_argument(
-        "--set", nargs="*", default=[], help="Override values key.subkey=VALUE"
+        "--set", nargs="*", default=[],
+        help="Override values key[.subkey]=VALUE (applied to NEW keys; with --force also to existing)"
     )
     parser.add_argument(
         "-f", "--force", action="store_true",
-        help="Force overwrite without confirmation"
+        help="Allow overrides to replace existing values (will ask per key unless combined with --yes)"
+    )
+    parser.add_argument(
+        "-y", "--yes", action="store_true",
+        help="Non-interactive: assume 'yes' for all overwrite confirmations when --force is used"
     )
     args = parser.parse_args()
 
-    # Parse overrides
-    overrides = {
-        k.strip(): v.strip()
-        for pair in args.set for k, v in [pair.split("=", 1)]
-    }
+    overrides = parse_overrides(args.set)
 
-    # Initialize inventory manager
+    # Initialize inventory manager (provides schema + app_id + vault)
     manager = InventoryManager(
         role_path=Path(args.role_path),
         inventory_path=Path(args.inventory_file),
@@ -54,62 +151,90 @@ def main():
         overrides=overrides
     )
 
-    # Load existing credentials to preserve
-    existing_apps = manager.inventory.get("applications", {})
-    existing_creds = {}
-    if manager.app_id in existing_apps:
-        existing_creds = existing_apps[manager.app_id].get("credentials", {}).copy()
+    # 1) Load existing inventory with ruamel (round-trip)
+    yaml_rt = YAML(typ="rt")
+    yaml_rt.preserve_quotes = True
 
-    # Apply schema (may generate defaults)
-    updated_inventory = manager.apply_schema()
+    with open(args.inventory_file, "r", encoding="utf-8") as f:
+        data = yaml_rt.load(f)  # CommentedMap or None
+    if data is None:
+        data = CommentedMap()
 
-    # Restore existing database_password if present
-    apps = updated_inventory.setdefault("applications", {})
-    app_block = apps.setdefault(manager.app_id, {})
-    creds = app_block.setdefault("credentials", {})
-    if "database_password" in existing_creds:
-        creds["database_password"] = existing_creds["database_password"]
+    # 2) Get schema-applied structure (defaults etc.) for *non-destructive* merge
+    schema_inventory: Dict[str, Any] = manager.apply_schema()
 
-    # Store original plaintext values
-    original_plain = {key: str(val) for key, val in creds.items()}
+    # 3) Ensure structural path exists
+    apps = ensure_map(data, "applications")
+    app_block = ensure_map(apps, manager.app_id)
+    creds = ensure_map(app_block, "credentials")
 
-    for key, raw_val in list(creds.items()):
-        # Skip if already vaulted
-        if isinstance(raw_val, VaultScalar) or str(raw_val).lstrip().startswith("$ANSIBLE_VAULT"):
+    # 4) Determine defaults we could add
+    schema_apps = schema_inventory.get("applications", {})
+    schema_app_block = schema_apps.get(manager.app_id, {})
+    schema_creds = schema_app_block.get("credentials", {}) if isinstance(schema_app_block, dict) else {}
+
+    # 5) Add ONLY missing credential keys
+    newly_added_keys = set()
+    for key, default_val in schema_creds.items():
+        if key in creds:
+            # existing → do not touch (preserve plaintext/vault/formatting/comments)
             continue
 
-        # Determine plaintext
-        plain = original_plain.get(key, "")
-        if key in overrides and (args.force or ask_for_confirmation(key)):
-            plain = overrides[key]
+        # Value to use for the new key
+        # Priority: --set exact key → default from schema → empty string
+        ov = overrides.get(f"credentials.{key}", None)
+        if ov is None:
+            ov = overrides.get(key, None)
 
-        # Encrypt the plaintext
-        encrypted = manager.vault_handler.encrypt_string(plain, key)
-        lines = encrypted.splitlines()
-        indent = len(lines[1]) - len(lines[1].lstrip())
-        body = "\n".join(line[indent:] for line in lines[1:])
-        creds[key] = VaultScalar(body)
-
-    # Vault top-level become password if present
-    if "ansible_become_password" in updated_inventory:
-        val = str(updated_inventory["ansible_become_password"])
-        if val.lstrip().startswith("$ANSIBLE_VAULT"):
-            updated_inventory["ansible_become_password"] = VaultScalar(val)
+        if ov is not None:
+            value_for_new_key: Union[str, Any] = ov
         else:
-            snippet = manager.vault_handler.encrypt_string(
-                val, "ansible_become_password"
+            if _is_vault_encrypted(default_val):
+                # Schema already provides a vault value → take it as-is
+                creds[key] = to_vault_block(manager.vault_handler, default_val, key)
+                newly_added_keys.add(key)
+                continue
+            value_for_new_key = "" if default_val is None else str(default_val)
+
+        # Insert as !vault literal (encrypt if needed)
+        creds[key] = to_vault_block(manager.vault_handler, value_for_new_key, key)
+        newly_added_keys.add(key)
+
+    # 6) ansible_become_password: only add if missing;
+    #    never rewrite an existing one unless --force (+ confirm/--yes) and override provided.
+    if "ansible_become_password" not in data:
+        val = overrides.get("ansible_become_password", None)
+        if val is not None:
+            data["ansible_become_password"] = to_vault_block(
+                manager.vault_handler, val, "ansible_become_password"
             )
-            lines = snippet.splitlines()
-            indent = len(lines[1]) - len(lines[1].lstrip())
-            body = "\n".join(line[indent:] for line in lines[1:])
-            updated_inventory["ansible_become_password"] = VaultScalar(body)
+    else:
+        if args.force and "ansible_become_password" in overrides:
+            do_overwrite = args.yes or ask_for_confirmation("ansible_become_password")
+            if do_overwrite:
+                data["ansible_become_password"] = to_vault_block(
+                    manager.vault_handler, overrides["ansible_become_password"], "ansible_become_password"
+                )
 
-    # Write back to file
+    # 7) Overrides for existing credential keys (only with --force)
+    if args.force:
+        for ov_key, ov_val in overrides.items():
+            # Accept both 'credentials.key' and bare 'key'
+            key = ov_key.split(".", 1)[1] if ov_key.startswith("credentials.") else ov_key
+            if key in creds:
+                # If we just added it in this run, don't ask again or rewrap
+                if key in newly_added_keys:
+                    continue
+                if args.yes or ask_for_confirmation(key):
+                    creds[key] = to_vault_block(manager.vault_handler, ov_val, key)
+
+    # 8) Write back with ruamel (preserve formatting & comments)
     with open(args.inventory_file, "w", encoding="utf-8") as f:
-        yaml.dump(updated_inventory, f, sort_keys=False, Dumper=SafeDumper)
+        yaml_rt.dump(data, f)
 
-    print(f"✅ Inventory selectively vaulted → {args.inventory_file}")
+    print(f"✅ Added new credentials without touching existing formatting/comments → {args.inventory_file}")
+    return 0
 
 
 if __name__ == "__main__":
-    main()
+    sys.exit(main())

cli/create/role.py

@@ -11,7 +11,7 @@ sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')
 from module_utils.entity_name_utils import get_entity_name
 
 # Paths to the group-vars files
-PORTS_FILE = './group_vars/all/09_ports.yml'
+PORTS_FILE = './group_vars/all/10_ports.yml'
 NETWORKS_FILE = './group_vars/all/09_networks.yml'
 ROLE_TEMPLATE_DIR = './templates/roles/web-app'
 ROLES_DIR = './roles'

cli/deploy.py

@@ -5,6 +5,9 @@ import subprocess
 import os
 import datetime
 import sys
+import re
+from typing import Optional, Dict, Any, List
+
 
 def run_ansible_playbook(
     inventory,
@@ -13,21 +16,20 @@ def run_ansible_playbook(
     allowed_applications=None,
     password_file=None,
     verbose=0,
-    skip_tests=False,
-    skip_validation=False,
     skip_build=False,
-    cleanup=False,
+    skip_tests=False,
     logs=False
 ):
     start_time = datetime.datetime.now()
     print(f"\n▶️ Script started at: {start_time.isoformat()}\n")
 
-    if cleanup:
+    # Cleanup is now handled via MODE_CLEANUP
+    if modes.get("MODE_CLEANUP", False):
         cleanup_command = ["make", "clean-keep-logs"] if logs else ["make", "clean"]
-        print("\n🧹 Cleaning up project (" + " ".join(cleanup_command) +")...\n")
+        print("\n🧹 Cleaning up project (" + " ".join(cleanup_command) + ")...\n")
         subprocess.run(cleanup_command, check=True)
     else:
-        print("\n⚠️ Skipping build as requested.\n")
+        print("\n⚠️ Skipping cleanup as requested.\n")
 
     if not skip_build:
         print("\n🛠️  Building project (make messy-build)...\n")
@@ -38,26 +40,24 @@ def run_ansible_playbook(
     script_dir = os.path.dirname(os.path.realpath(__file__))
     playbook = os.path.join(os.path.dirname(script_dir), "playbook.yml")
 
-    # Inventory validation step
-    if not skip_validation:
+    # Inventory validation is controlled via MODE_ASSERT
+    if modes.get("MODE_ASSERT", None) is False:
+        print("\n⚠️ Skipping inventory validation as requested.\n")
+    elif "MODE_ASSERT" not in modes or modes["MODE_ASSERT"] is True:
         print("\n🔍 Validating inventory before deployment...\n")
         try:
             subprocess.run(
-                [sys.executable,
-                 os.path.join(script_dir, "validate/inventory.py"),
-                 os.path.dirname(inventory)
+                [
+                    sys.executable,
+                    os.path.join(script_dir, "validate", "inventory.py"),
+                    os.path.dirname(inventory),
                 ],
-                check=True
+                check=True,
             )
         except subprocess.CalledProcessError:
-            print(
-                "\n❌ Inventory validation failed. Deployment aborted.\n",
-                file=sys.stderr
-            )
+            print("\n❌ Inventory validation failed. Deployment aborted.\n", file=sys.stderr)
             sys.exit(1)
-    else:
-        print("\n⚠️ Skipping inventory validation as requested.\n")
-
+            
     if not skip_tests:
         print("\n🧪 Running tests (make messy-test)...\n")
         subprocess.run(["make", "messy-test"], check=True)
@@ -93,25 +93,136 @@ def run_ansible_playbook(
     duration = end_time - start_time
     print(f"⏱️ Total execution time: {duration}\n")
 
+
 def validate_application_ids(inventory, app_ids):
     """
     Abort the script if any application IDs are invalid, with detailed reasons.
     """
     from module_utils.valid_deploy_id import ValidDeployId
+
     validator = ValidDeployId()
     invalid = validator.validate(inventory, app_ids)
     if invalid:
         print("\n❌ Detected invalid application_id(s):\n")
         for app_id, status in invalid.items():
             reasons = []
-            if not status['in_roles']:
+            if not status["in_roles"]:
                 reasons.append("not defined in roles (infinito)")
-            if not status['in_inventory']:
+            if not status["in_inventory"]:
                 reasons.append("not found in inventory file")
             print(f"  - {app_id}: " + ", ".join(reasons))
         sys.exit(1)
 
 
+MODE_LINE_RE = re.compile(
+    r"""^\s*(?P<key>[A-Z0-9_]+)\s*:\s*(?P<value>.+?)\s*(?:#\s*(?P<cmt>.*))?\s*$"""
+)
+
+
+def _parse_bool_literal(text: str) -> Optional[bool]:
+    t = text.strip().lower()
+    if t in ("true", "yes", "on"):
+        return True
+    if t in ("false", "no", "off"):
+        return False
+    return None
+
+
+def load_modes_from_yaml(modes_yaml_path: str) -> List[Dict[str, Any]]:
+    """
+    Parse group_vars/all/01_modes.yml line-by-line to recover:
+      - name (e.g., MODE_TEST)
+      - default (True/False/None if templated/unknown)
+      - help (from trailing # comment, if present)
+    """
+    modes = []
+    if not os.path.exists(modes_yaml_path):
+        raise FileNotFoundError(f"Modes file not found: {modes_yaml_path}")
+
+    with open(modes_yaml_path, "r", encoding="utf-8") as fh:
+        for line in fh:
+            line = line.rstrip()
+            if not line or line.lstrip().startswith("#"):
+                continue
+            m = MODE_LINE_RE.match(line)
+            if not m:
+                continue
+            key = m.group("key")
+            val = m.group("value").strip()
+            cmt = (m.group("cmt") or "").strip()
+
+            if not key.startswith("MODE_"):
+                continue
+
+            default_bool = _parse_bool_literal(val)
+            modes.append(
+                {
+                    "name": key,
+                    "default": default_bool,
+                    "help": cmt or f"Toggle {key}",
+                }
+            )
+    return modes
+
+
+def add_dynamic_mode_args(
+    parser: argparse.ArgumentParser, modes_meta: List[Dict[str, Any]]
+) -> Dict[str, Dict[str, Any]]:
+    """
+    Add argparse options based on modes metadata.
+    Returns a dict mapping mode name -> { 'dest': <argparse_dest>, 'default': <bool/None>, 'kind': 'bool_true'|'bool_false'|'explicit' }.
+    """
+    spec: Dict[str, Dict[str, Any]] = {}
+    for m in modes_meta:
+        name = m["name"]
+        default = m["default"]
+        desc = m["help"]
+        short = name.replace("MODE_", "").lower()
+
+        if default is True:
+            opt = f"--skip-{short}"
+            dest = f"skip_{short}"
+            help_txt = desc or f"Skip/disable {short} (default: enabled)"
+            parser.add_argument(opt, action="store_true", help=help_txt, dest=dest)
+            spec[name] = {"dest": dest, "default": True, "kind": "bool_true"}
+        elif default is False:
+            opt = f"--{short}"
+            dest = short
+            help_txt = desc or f"Enable {short} (default: disabled)"
+            parser.add_argument(opt, action="store_true", help=help_txt, dest=dest)
+            spec[name] = {"dest": dest, "default": False, "kind": "bool_false"}
+        else:
+            opt = f"--{short}"
+            dest = short
+            help_txt = desc or f"Set {short} explicitly (true/false). If omitted, keep inventory default."
+            parser.add_argument(opt, choices=["true", "false"], help=help_txt, dest=dest)
+            spec[name] = {"dest": dest, "default": None, "kind": "explicit"}
+
+    return spec
+
+
+def build_modes_from_args(
+    spec: Dict[str, Dict[str, Any]], args_namespace: argparse.Namespace
+) -> Dict[str, Any]:
+    """
+    Using the argparse results and the spec, compute the `modes` dict to pass to Ansible.
+    """
+    modes: Dict[str, Any] = {}
+    for mode_name, info in spec.items():
+        dest = info["dest"]
+        kind = info["kind"]
+        val = getattr(args_namespace, dest, None)
+
+        if kind == "bool_true":
+            modes[mode_name] = False if val else True
+        elif kind == "bool_false":
+            modes[mode_name] = True if val else False
+        else:
+            if val is not None:
+                modes[mode_name] = True if val == "true" else False
+    return modes
+
+
 def main():
     parser = argparse.ArgumentParser(
         description="Run the central Ansible deployment script to manage infrastructure, updates, and tests."
@@ -119,87 +230,74 @@ def main():
 
     parser.add_argument(
         "inventory",
-        help="Path to the inventory file (INI or YAML) containing hosts and variables."
+        help="Path to the inventory file (INI or YAML) containing hosts and variables.",
     )
     parser.add_argument(
-        "-l", "--limit",
-        help="Restrict execution to a specific host or host group from the inventory."
+        "-l",
+        "--limit",
+        help="Restrict execution to a specific host or host group from the inventory.",
     )
     parser.add_argument(
-        "-T", "--host-type",
+        "-T",
+        "--host-type",
         choices=["server", "desktop"],
         default="server",
-        help="Specify whether the target is a server or a personal computer. Affects role selection and variables."
+        help="Specify whether the target is a server or a personal computer. Affects role selection and variables.",
     )
     parser.add_argument(
-        "-r", "--reset", action="store_true",
-        help="Reset all Infinito.Nexus files and configurations, and run the entire playbook (not just individual roles)."
+        "-p",
+        "--password-file",
+        help="Path to the file containing the Vault password. If not provided, prompts for the password interactively.",
     )
     parser.add_argument(
-        "-t", "--test", action="store_true",
-        help="Run test routines instead of production tasks. Useful for local testing and CI pipelines."
+        "-B",
+        "--skip-build",
+        action="store_true",
+        help="Skip running 'make build' before deployment.",
     )
     parser.add_argument(
-        "-u", "--update", action="store_true",
-        help="Enable the update procedure to bring software and roles up to date."
+        "-t",
+        "--skip-tests",
+        action="store_true",
+        help="Skip running 'make messy-tests' before deployment.",
     )
     parser.add_argument(
-        "-b", "--backup", action="store_true",
-        help="Perform a full backup of critical data and configurations before the update process."
-    )
-    parser.add_argument(
-        "-c", "--cleanup", action="store_true",
-        help="Clean up unused files and outdated configurations after all tasks are complete. Also cleans up the repository before the deployment procedure."
-    )
-    parser.add_argument(
-        "-d", "--debug", action="store_true",
-        help="Enable detailed debug output for Ansible and this script."
-    )
-    parser.add_argument(
-        "-p", "--password-file",
-        help="Path to the file containing the Vault password. If not provided, prompts for the password interactively."
-    )
-    parser.add_argument(
-        "-s", "--skip-tests", action="store_true",
-        help="Skip running 'make test' even if tests are normally enabled."
-    )
-    parser.add_argument(
-        "-V", "--skip-validation", action="store_true",
-        help="Skip inventory validation before deployment."
-    )
-    parser.add_argument(
-        "-B", "--skip-build", action="store_true",
-        help="Skip running 'make build' before deployment."
-    )
-    parser.add_argument(
-        "-i", "--id", 
+        "-i",
+        "--id",
         nargs="+",
         default=[],
         dest="id",
-        help="List of application_id's for partial deploy. If not set, all application IDs defined in the inventory will be executed."
+        help="List of application_id's for partial deploy. If not set, all application IDs defined in the inventory will be executed.",
     )
     parser.add_argument(
-        "-v", "--verbose", action="count", default=0,
-        help="Increase verbosity level. Multiple -v flags increase detail (e.g., -vvv for maximum log output)."
+        "-v",
+        "--verbose",
+        action="count",
+        default=0,
+        help="Increase verbosity level. Multiple -v flags increase detail (e.g., -vvv for maximum log output).",
     )
     parser.add_argument(
-        "--logs", action="store_true",
-        help="Keep the CLI logs during cleanup command"
+        "--logs",
+        action="store_true",
+        help="Keep the CLI logs during cleanup command",
     )
 
+    # ---- Dynamically add mode flags from group_vars/all/01_modes.yml ----
+    script_dir = os.path.dirname(os.path.realpath(__file__))
+    repo_root = os.path.dirname(script_dir)
+    modes_yaml_path = os.path.join(repo_root, "group_vars", "all", "01_modes.yml")
+    modes_meta = load_modes_from_yaml(modes_yaml_path)
+    modes_spec = add_dynamic_mode_args(parser, modes_meta)
+
     args = parser.parse_args()
     validate_application_ids(args.inventory, args.id)
 
-    modes = {
-        "MODE_RESET": args.reset,
-        "MODE_TEST": args.test,
-        "MODE_UPDATE": args.update,
-        "MODE_BACKUP": args.backup,
-        "MODE_CLEANUP": args.cleanup,
-        "MODE_LOGS": args.logs,
-        "MODE_DEBUG": args.debug,
-        "host_type": args.host_type
-    }
+    # Build modes from dynamic args
+    modes = build_modes_from_args(modes_spec, args)
+
+    # Additional non-dynamic flags
+    modes["MODE_LOGS"] = args.logs
+    modes["host_type"] = args.host_type
 
     run_ansible_playbook(
         inventory=args.inventory,
@@ -208,11 +306,9 @@ def main():
         allowed_applications=args.id,
         password_file=args.password_file,
         verbose=args.verbose,
-        skip_tests=args.skip_tests,
-        skip_validation=args.skip_validation,
         skip_build=args.skip_build,
-        cleanup=args.cleanup,
-        logs=args.logs
+        skip_tests=args.skip_tests,
+        logs=args.logs,
     )
 
 

cli/fix/move_unnecessary_dependencies.py

@@ -228,7 +228,7 @@ def parse_meta_dependencies(role_dir: str) -> List[str]:
 def sanitize_run_once_var(role_name: str) -> str:
     """
     Generate run_once variable name from role name.
-    Example: 'sys-srv-web-inj-logout' -> 'run_once_sys_srv_web_inj_logout'
+    Example: 'sys-front-inj-logout' -> 'run_once_sys_front_inj_logout'
     """
     return "run_once_" + role_name.replace("-", "_")
 

docker-compose.yml

@@ -0,0 +1,60 @@
+version: "3.9"
+
+services:
+  infinito:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      network: host
+    pull_policy: never
+    container_name: infinito_nexus
+    image: infinito_nexus
+    restart: unless-stopped
+    volumes:
+      - data:/var/lib/docker/volumes/
+      - backups:/Backups/
+      - letsencrypt:/etc/letsencrypt/
+    ports:
+      # --- Mail services (classic + secure) ---
+      - "${BIND_IP:-127.0.0.1}:25:25"                     # SMTP
+      - "${BIND_IP:-127.0.0.1}:110:110"                   # POP3
+      - "${BIND_IP:-127.0.0.1}:143:143"                   # IMAP
+      - "${BIND_IP:-127.0.0.1}:465:465"                   # SMTPS
+      - "${BIND_IP:-127.0.0.1}:587:587"                   # Submission (SMTP)
+      - "${BIND_IP:-127.0.0.1}:993:993"                   # IMAPS (bound to public IP)
+      - "${BIND_IP:-127.0.0.1}:995:995"                   # POP3S
+      - "${BIND_IP:-127.0.0.1}:4190:4190"                 # Sieve (ManageSieve)
+
+      # --- Web / API services ---
+      - "${BIND_IP:-127.0.0.1}:80:80"                     # HTTP
+      - "${BIND_IP:-127.0.0.1}:443:443"                   # HTTPS
+      - "${BIND_IP:-127.0.0.1}:8448:8448"                 # Matrix federation port
+
+      # --- TURN / STUN (UDP + TCP) ---
+      - "${BIND_IP:-127.0.0.1}:3478-3480:3478-3480/udp"   # TURN/STUN UDP
+      - "${BIND_IP:-127.0.0.1}:3478-3480:3478-3480"       # TURN/STUN TCP
+
+      # --- Streaming / RTMP ---
+      - "${BIND_IP:-127.0.0.1}:1935:1935"                 # Peertube
+
+      # --- Custom / application ports ---
+      - "${BIND_IP:-127.0.0.1}:2201:2201"                 # Gitea
+      - "${BIND_IP:-127.0.0.1}:2202:2202"                 # Gitlab
+      - "${BIND_IP:-127.0.0.1}:2203:22"                   # SSH
+      - "${BIND_IP:-127.0.0.1}:33552:33552"
+
+      # --- Consecutive ranges ---
+      - "${BIND_IP:-127.0.0.1}:48081-48083:48081-48083"
+      - "${BIND_IP:-127.0.0.1}:48087:48087"
+volumes:
+  data:
+  backups:
+  letsencrypt:
+networks:
+  default:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet:  ${SUBNET:-172.30.0.0/24}
+          gateway: ${GATEWAY:-172.30.0.1}

docs/guides/administrator/README.md

@@ -15,7 +15,7 @@ Follow these guides to install and configure Infinito.Nexus:
 - **Networking & VPN** - Configure `WireGuard`, `OpenVPN`, and `Nginx Reverse Proxy`.
 
 ## Managing & Updating Infinito.Nexus 🔄
-- Regularly update services using `update-docker`, `update-pacman`, or `update-apt`.
+- Regularly update services using `update-pacman`, or `update-apt`.
 - Monitor system health with `sys-ctl-hlth-btrfs`, `sys-ctl-hlth-webserver`, and `sys-ctl-hlth-docker-container`.
 - Automate system maintenance with `sys-lock`, `sys-ctl-cln-bkps`, and `sys-ctl-rpr-docker-hard`.
 

env.sample

@@ -0,0 +1,3 @@
+BIND_IP=127.0.0.1
+SUBNET=172.30.0.0/24
+GATEWAY=172.30.0.1

filter_plugins/active_docker.py

@@ -0,0 +1,79 @@
+# -*- coding: utf-8 -*-
+"""
+Ansible filter to count active docker services for current host.
+
+Active means:
+- application key is in group_names
+- application key matches prefix regex (default: ^(web-|svc-).* )
+- under applications[app]['docker']['services'] each service is counted if:
+  - 'enabled' is True, OR
+  - 'enabled' is missing/undefined  (treated as active)
+
+Returns an integer. If ensure_min_one=True, returns at least 1.
+"""
+
+import re
+from typing import Any, Dict, Mapping, Iterable
+
+
+def _is_mapping(x: Any) -> bool:
+    # be liberal: Mapping covers dict-like; fallback to dict check
+    try:
+        return isinstance(x, Mapping)
+    except Exception:
+        return isinstance(x, dict)
+
+
+def active_docker_container_count(applications: Mapping[str, Any],
+                                  group_names: Iterable[str],
+                                  prefix_regex: str = r'^(web-|svc-).*',
+                                  ensure_min_one: bool = False) -> int:
+    if not _is_mapping(applications):
+        return 1 if ensure_min_one else 0
+
+    group_set = set(group_names or [])
+    try:
+        pattern = re.compile(prefix_regex)
+    except re.error:
+        pattern = re.compile(r'^(web-|svc-).*')  # fallback
+
+    count = 0
+
+    for app_key, app_val in applications.items():
+        # host selection + name prefix
+        if app_key not in group_set:
+            continue
+        if not pattern.match(str(app_key)):
+            continue
+
+        docker = app_val.get('docker') if _is_mapping(app_val) else None
+        services = docker.get('services') if _is_mapping(docker) else None
+        if not _is_mapping(services):
+            # sometimes roles define a single service name string; ignore
+            continue
+
+        for _svc_name, svc_cfg in services.items():
+            if not _is_mapping(svc_cfg):
+                # allow shorthand like: service: {} or image string -> counts as enabled
+                count += 1
+                continue
+            enabled = svc_cfg.get('enabled', True)
+            if isinstance(enabled, bool):
+                if enabled:
+                    count += 1
+            else:
+                # non-bool enabled -> treat "truthy" as enabled
+                if bool(enabled):
+                    count += 1
+
+    if ensure_min_one and count < 1:
+        return 1
+    return count
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            # usage: {{ applications | active_docker_container_count(group_names) }}
+            'active_docker_container_count': active_docker_container_count,
+        }

filter_plugins/alias_domains_map.py

@@ -1,86 +0,0 @@
-from ansible.errors import AnsibleFilterError
-
-class FilterModule(object):
-    def filters(self):
-        return {'alias_domains_map': self.alias_domains_map}
-
-    def alias_domains_map(self, apps, PRIMARY_DOMAIN):
-        """
-        Build a map of application IDs to their alias domains.
-
-        - If no `domains` key → []  
-        - If `domains` exists but is an empty dict → return the original cfg  
-        - Explicit `aliases` are used (default appended if missing)  
-        - If only `canonical` defined and it doesn't include default, default is added  
-        - Invalid types raise AnsibleFilterError
-        """
-        def parse_entry(domains_cfg, key, app_id):
-            if key not in domains_cfg:
-                return None
-            entry = domains_cfg[key]
-            if isinstance(entry, dict):
-                values = list(entry.values())
-            elif isinstance(entry, list):
-                values = entry
-            else:
-                raise AnsibleFilterError(
-                    f"Unexpected type for 'domains.{key}' in application '{app_id}': {type(entry).__name__}"
-                )
-            for d in values:
-                if not isinstance(d, str) or not d.strip():
-                    raise AnsibleFilterError(
-                        f"Invalid domain entry in '{key}' for application '{app_id}': {d!r}"
-                    )
-            return values
-
-        def default_domain(app_id, primary):
-            return f"{app_id}.{primary}"
-
-        # 1) Precompute canonical domains per app (fallback to default)
-        canonical_map = {}
-        for app_id, cfg in apps.items():
-            domains_cfg = cfg.get('server',{}).get('domains',{})
-            entry = domains_cfg.get('canonical')
-            if entry is None:
-                canonical_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)]
-            elif isinstance(entry, dict):
-                canonical_map[app_id] = list(entry.values())
-            elif isinstance(entry, list):
-                canonical_map[app_id] = list(entry)
-            else:
-                raise AnsibleFilterError(
-                    f"Unexpected type for 'server.domains.canonical' in application '{app_id}': {type(entry).__name__}"
-                )
-
-        # 2) Build alias list per app
-        result = {}
-        for app_id, cfg in apps.items():
-            domains_cfg = cfg.get('server',{}).get('domains')
-
-            # no domains key → no aliases
-            if domains_cfg is None:
-                result[app_id] = []
-                continue
-
-            # empty domains dict → return the original cfg
-            if isinstance(domains_cfg, dict) and not domains_cfg:
-                result[app_id] = cfg
-                continue
-
-            # otherwise, compute aliases
-            aliases = parse_entry(domains_cfg, 'aliases', app_id) or []
-            default = default_domain(app_id, PRIMARY_DOMAIN)
-            has_aliases = 'aliases' in domains_cfg
-            has_canon   = 'canonical' in domains_cfg
-
-            if has_aliases:
-                if default not in aliases:
-                    aliases.append(default)
-            elif has_canon:
-                canon = canonical_map.get(app_id, [])
-                if default not in canon and default not in aliases:
-                    aliases.append(default)
-
-            result[app_id] = aliases
-
-        return result

filter_plugins/csp_filters.py

@@ -1,10 +1,14 @@
 from ansible.errors import AnsibleFilterError
 import hashlib
 import base64
-import sys, os
+import sys
+import os
 
+# Ensure module_utils is importable when this filter runs from Ansible
 sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
 from module_utils.config_utils import get_app_conf
+from module_utils.get_url import get_url
+
 
 class FilterModule(object):
     """
@@ -16,10 +20,14 @@ class FilterModule(object):
             'build_csp_header': self.build_csp_header,
         }
 
+    # -------------------------------
+    # Helpers
+    # -------------------------------
+
     @staticmethod
     def is_feature_enabled(applications: dict, feature: str, application_id: str) -> bool:
         """
-        Return True if applications[application_id].features[feature] is truthy.
+        Returns True if applications[application_id].features[feature] is truthy.
         """
         return get_app_conf(
             applications,
@@ -31,6 +39,10 @@ class FilterModule(object):
 
     @staticmethod
     def get_csp_whitelist(applications, application_id, directive):
+        """
+        Returns a list of additional whitelist entries for a given directive.
+        Accepts both scalar and list in config; always returns a list.
+        """
         wl = get_app_conf(
             applications,
             application_id,
@@ -47,28 +59,37 @@ class FilterModule(object):
     @staticmethod
     def get_csp_flags(applications, application_id, directive):
         """
-        Dynamically extract all CSP flags for a given directive and return them as tokens,
-        e.g., "'unsafe-eval'", "'unsafe-inline'", etc.
+        Returns CSP flag tokens (e.g., "'unsafe-eval'", "'unsafe-inline'") for a directive,
+        merging sane defaults with app config.
+        Default: 'unsafe-inline' is enabled for style-src and style-src-elem.
         """
-        flags = get_app_conf(
+        # Defaults that apply to all apps
+        default_flags = {}
+        if directive in ('style-src', 'style-src-elem'):
+            default_flags = {'unsafe-inline': True}
+
+        configured = get_app_conf(
             applications,
             application_id,
             'server.csp.flags.' + directive,
             False,
             {}
         )
-        tokens = []
 
-        for flag_name, enabled in flags.items():
+        # Merge defaults with configured flags (configured overrides defaults)
+        merged = {**default_flags, **configured}
+
+        tokens = []
+        for flag_name, enabled in merged.items():
             if enabled:
                 tokens.append(f"'{flag_name}'")
-
         return tokens
 
     @staticmethod
     def get_csp_inline_content(applications, application_id, directive):
         """
-        Return inline script/style snippets to hash for a given CSP directive.
+        Returns inline script/style snippets to hash for a given directive.
+        Accepts both scalar and list in config; always returns a list.
         """
         snippets = get_app_conf(
             applications,
@@ -86,7 +107,7 @@ class FilterModule(object):
     @staticmethod
     def get_csp_hash(content):
         """
-        Compute the SHA256 hash of the given inline content and return
+        Computes the SHA256 hash of the given inline content and returns
         a CSP token like "'sha256-<base64>'".
         """
         try:
@@ -96,6 +117,10 @@ class FilterModule(object):
         except Exception as exc:
             raise AnsibleFilterError(f"get_csp_hash failed: {exc}")
 
+    # -------------------------------
+    # Main builder
+    # -------------------------------
+
     def build_csp_header(
         self,
         applications,
@@ -105,82 +130,85 @@ class FilterModule(object):
         matomo_feature_name='matomo'
     ):
         """
-        Build the Content-Security-Policy header value dynamically based on application settings.
-        Inline hashes are read from applications[application_id].csp.hashes
+        Builds the Content-Security-Policy header value dynamically based on application settings.
+        - Flags (e.g., 'unsafe-eval', 'unsafe-inline') are read from server.csp.flags.<directive>,
+          with sane defaults applied in get_csp_flags (always 'unsafe-inline' for style-src and style-src-elem).
+        - Inline hashes are read from server.csp.hashes.<directive>.
+        - Whitelists are read from server.csp.whitelist.<directive>.
+        - Inline hashes are added only if the final tokens do NOT include 'unsafe-inline'.
         """
         try:
             directives = [
-                'default-src',
-                'connect-src',
-                'frame-ancestors',
-                'frame-src',
-                'script-src',
-                'script-src-elem',
-                'style-src',
-                'font-src',
-                'worker-src',
-                'manifest-src',
-                'media-src',
+                'default-src',      # Fallback source list for content types not explicitly listed
+                'connect-src',      # Allowed URLs for XHR, WebSockets, EventSource, fetch()
+                'frame-ancestors',  # Who may embed this page
+                'frame-src',        # Sources for nested browsing contexts (e.g., <iframe>)
+                'script-src',       # Sources for script execution
+                'script-src-elem',  # Sources for <script> elements
+                'style-src',        # Sources for inline styles and <style>/<link> elements
+                'style-src-elem',   # Sources for <style> and <link rel="stylesheet">
+                'font-src',         # Sources for fonts
+                'worker-src',       # Sources for workers
+                'manifest-src',     # Sources for web app manifests
+                'media-src',        # Sources for audio and video
             ]
+
             parts = []
 
             for directive in directives:
                 tokens = ["'self'"]
 
-                # unsafe-eval / unsafe-inline flags
+                # Load flags (includes defaults from get_csp_flags)
                 flags = self.get_csp_flags(applications, application_id, directive)
                 tokens += flags
 
-                # Matomo integration
-                if (
-                    self.is_feature_enabled(applications, matomo_feature_name, application_id)
-                    and directive in ['script-src-elem', 'connect-src']
-                ):
-                    matomo_domain = domains.get('web-app-matomo')[0]
-                    if matomo_domain:
-                        tokens.append(f"{web_protocol}://{matomo_domain}")
+                # Allow fetching from internal CDN by default for selected directives
+                if directive in ['script-src-elem', 'connect-src', 'style-src-elem']:
+                    tokens.append(get_url(domains, 'web-svc-cdn', web_protocol))
 
-                # ReCaptcha integration: allow loading scripts from Google if feature enabled
+                # Matomo integration if feature is enabled
+                if directive in ['script-src-elem', 'connect-src']:
+                    if self.is_feature_enabled(applications, matomo_feature_name, application_id):
+                        tokens.append(get_url(domains, 'web-app-matomo', web_protocol))
+
+                # Simpleicons integration if feature is enabled
+                if directive in ['connect-src']:
+                    if self.is_feature_enabled(applications, 'simpleicons', application_id):
+                        tokens.append(get_url(domains, 'web-svc-simpleicons', web_protocol))
+
+                # ReCaptcha integration (scripts + frames) if feature is enabled
                 if self.is_feature_enabled(applications, 'recaptcha', application_id):
-                    if directive in ['script-src-elem',"frame-src"]:
+                    if directive in ['script-src-elem', 'frame-src']:
                         tokens.append('https://www.gstatic.com')
                         tokens.append('https://www.google.com')
 
-                # Allow the loading of js from the cdn
-                if directive == 'script-src-elem':
-                    if self.is_feature_enabled(applications, 'logout', application_id) or self.is_feature_enabled(applications, 'desktop', application_id):
-                        domain = domains.get('web-svc-cdn')[0]
-                        tokens.append(f"{domain}")
-
+                # Frame ancestors handling (desktop + logout support)
                 if directive == 'frame-ancestors':
-                    # Enable loading via ancestors
                     if self.is_feature_enabled(applications, 'desktop', application_id):
-                        domain = domains.get('web-app-port-ui')[0]
-                        sld_tld = ".".join(domain.split(".")[-2:])  # yields "example.com"
-                        tokens.append(f"{sld_tld}")                 # yields "*.example.com"
-                
+                        # Allow being embedded by the desktop app domain (and potentially its parent)
+                        domain = domains.get('web-app-desktop')[0]
+                        sld_tld = ".".join(domain.split(".")[-2:])  # e.g., example.com
+                        tokens.append(f"{sld_tld}")
                     if self.is_feature_enabled(applications, 'logout', application_id):
-                        
-                        # Allow logout via infinito logout proxy
-                        domain = domains.get('web-svc-logout')[0] 
-                        tokens.append(f"{domain}") 
-                        
-                        # Allow logout via keycloak app
-                        domain = domains.get('web-app-keycloak')[0]
-                        tokens.append(f"{domain}") 
-                        
-                # whitelist
+                        # Allow embedding via logout proxy and Keycloak app
+                        tokens.append(get_url(domains, 'web-svc-logout', web_protocol))
+                        tokens.append(get_url(domains, 'web-app-keycloak', web_protocol))
+
+                # Custom whitelist entries
                 tokens += self.get_csp_whitelist(applications, application_id, directive)
 
-                # only add hashes if 'unsafe-inline' is NOT in flags
-                if "'unsafe-inline'" not in flags:
+                # Add inline content hashes ONLY if final tokens do NOT include 'unsafe-inline'
+                #    (Check tokens, not flags, to include defaults and later modifications.)
+                if "'unsafe-inline'" not in tokens:
                     for snippet in self.get_csp_inline_content(applications, application_id, directive):
                         tokens.append(self.get_csp_hash(snippet))
 
+                # Append directive
                 parts.append(f"{directive} {' '.join(tokens)};")
 
-            # static img-src
+            # Static img-src directive (kept permissive for data/blob and any host)
             parts.append("img-src * data: blob:;")
+
             return ' '.join(parts)
 
         except Exception as exc:

filter_plugins/domain_redirect_mappings.py

@@ -7,7 +7,7 @@ class FilterModule(object):
     def filters(self):
         return {'domain_mappings': self.domain_mappings}
 
-    def domain_mappings(self, apps, PRIMARY_DOMAIN):
+    def domain_mappings(self, apps, primary_domain, auto_build_alias):
         """
         Build a flat list of redirect mappings for all apps:
           - source: each alias domain
@@ -43,7 +43,7 @@ class FilterModule(object):
             domains_cfg = cfg.get('server',{}).get('domains',{})
             entry = domains_cfg.get('canonical')
             if entry is None:
-                canonical_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)]
+                canonical_map[app_id] = [default_domain(app_id, primary_domain)]
             elif isinstance(entry, dict):
                 canonical_map[app_id] = list(entry.values())
             elif isinstance(entry, list):
@@ -61,11 +61,11 @@ class FilterModule(object):
                 alias_map[app_id] = []
                 continue
             if isinstance(domains_cfg, dict) and not domains_cfg:
-                alias_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)]
+                alias_map[app_id] = [default_domain(app_id, primary_domain)]
                 continue
 
             aliases = parse_entry(domains_cfg, 'aliases', app_id) or []
-            default = default_domain(app_id, PRIMARY_DOMAIN)
+            default = default_domain(app_id, primary_domain)
             has_aliases = 'aliases' in domains_cfg
             has_canonical = 'canonical' in domains_cfg
 
@@ -74,7 +74,7 @@ class FilterModule(object):
                     aliases.append(default)
             elif has_canonical:
                 canon = canonical_map.get(app_id, [])
-                if default not in canon and default not in aliases:
+                if default not in canon and default not in aliases and auto_build_alias:
                     aliases.append(default)
 
             alias_map[app_id] = aliases
@@ -84,7 +84,7 @@ class FilterModule(object):
         mappings = []
         for app_id, sources in alias_map.items():
             canon_list = canonical_map.get(app_id, [])
-            target = canon_list[0] if canon_list else default_domain(app_id, PRIMARY_DOMAIN)
+            target = canon_list[0] if canon_list else default_domain(app_id, primary_domain)
             for src in sources:
                 if src == target:
                     # skip self-redirects

filter_plugins/generate_all_domains.py

@@ -4,7 +4,7 @@ class FilterModule(object):
     def filters(self):
         return {'generate_all_domains': self.generate_all_domains}
 
-    def generate_all_domains(self, domains_dict, include_www=True):
+    def generate_all_domains(self, domains_dict, include_www:bool=True):
         """
         Transform a dict of domains (values: str, list, dict) into a flat list,
         optionally add 'www.' prefixes, dedupe and sort alphabetically.

filter_plugins/get_application_id.py

@@ -1,49 +0,0 @@
-import os
-import re
-import yaml
-from ansible.errors import AnsibleFilterError
-
-
-def get_application_id(role_name):
-    """
-    Jinja2/Ansible filter: given a role name, load its vars/main.yml and return the application_id value.
-    """
-    # Construct path: assumes current working directory is project root
-    vars_file = os.path.join(os.getcwd(), 'roles', role_name, 'vars', 'main.yml')
-
-    if not os.path.isfile(vars_file):
-        raise AnsibleFilterError(f"Vars file not found for role '{role_name}': {vars_file}")
-
-    try:
-        # Read entire file content to avoid lazy stream issues
-        with open(vars_file, 'r', encoding='utf-8') as f:
-            content = f.read()
-        data = yaml.safe_load(content)
-    except Exception as e:
-        raise AnsibleFilterError(f"Error reading YAML from {vars_file}: {e}")
-
-    # Ensure parsed data is a mapping
-    if not isinstance(data, dict):
-        raise AnsibleFilterError(
-            f"Error reading YAML from {vars_file}: expected mapping, got {type(data).__name__}"
-        )
-
-    # Detect malformed YAML: no valid identifier-like keys
-    valid_key_pattern = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
-    if data and not any(valid_key_pattern.match(k) for k in data.keys()):
-        raise AnsibleFilterError(f"Error reading YAML from {vars_file}: invalid top-level keys")
-
-    if 'application_id' not in data:
-        raise AnsibleFilterError(f"Key 'application_id' not found in {vars_file}")
-
-    return data['application_id']
-
-
-class FilterModule(object):
-    """
-    Ansible filter plugin entry point.
-    """
-    def filters(self):
-        return {
-            'get_application_id': get_application_id,
-        }

filter_plugins/get_docker_paths.py

@@ -20,9 +20,10 @@ def get_docker_paths(application_id: str, path_docker_compose_instances: str) ->
             'config':   f"{base}config/",
         },
         'files': {
-            'env':            f"{base}.env/env",
-            'docker_compose': f"{base}docker-compose.yml",
-            'dockerfile':     f"{base}Dockerfile",
+            'env':                      f"{base}.env/env",
+            'docker_compose':           f"{base}docker-compose.yml",
+            'docker_compose_override':  f"{base}docker-compose.override.yml",
+            'dockerfile':               f"{base}Dockerfile",
         }
     }
 

filter_plugins/jvm_filters.py

@@ -0,0 +1,77 @@
+from __future__ import annotations
+
+import sys, os, re
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+
+from ansible.errors import AnsibleFilterError
+from module_utils.config_utils import get_app_conf
+from module_utils.entity_name_utils import get_entity_name
+
+_UNIT_RE = re.compile(r'^\s*(\d+(?:\.\d+)?)\s*([kKmMgGtT]?[bB]?)?\s*$')
+_FACTORS = {
+    '': 1, 'b': 1,
+    'k': 1024, 'kb': 1024,
+    'm': 1024**2, 'mb': 1024**2,
+    'g': 1024**3, 'gb': 1024**3,
+    't': 1024**4, 'tb': 1024**4,
+}
+
+def _to_bytes(v: str) -> int:
+    if v is None:
+        raise AnsibleFilterError("jvm_filters: size value is None")
+    s = str(v).strip()
+    m = _UNIT_RE.match(s)
+    if not m:
+        raise AnsibleFilterError(f"jvm_filters: invalid size '{v}'")
+    num, unit = m.group(1), (m.group(2) or '').lower()
+    try:
+        val = float(num)
+    except ValueError as e:
+        raise AnsibleFilterError(f"jvm_filters: invalid numeric size '{v}'") from e
+    factor = _FACTORS.get(unit)
+    if factor is None:
+        raise AnsibleFilterError(f"jvm_filters: unknown unit in '{v}'")
+    return int(val * factor)
+
+def _to_mb(v: str) -> int:
+    return max(0, _to_bytes(v) // (1024 * 1024))
+
+def _svc(app_id: str) -> str:
+    return get_entity_name(app_id)
+
+def _mem_limit_mb(apps: dict, app_id: str) -> int:
+    svc = _svc(app_id)
+    raw = get_app_conf(apps, app_id, f"docker.services.{svc}.mem_limit")
+    mb = _to_mb(raw)
+    if mb <= 0:
+        raise AnsibleFilterError(f"jvm_filters: mem_limit for '{svc}' must be > 0 MB (got '{raw}')")
+    return mb
+
+def _mem_res_mb(apps: dict, app_id: str) -> int:
+    svc = _svc(app_id)
+    raw = get_app_conf(apps, app_id, f"docker.services.{svc}.mem_reservation")
+    mb = _to_mb(raw)
+    if mb <= 0:
+        raise AnsibleFilterError(f"jvm_filters: mem_reservation for '{svc}' must be > 0 MB (got '{raw}')")
+    return mb
+
+def jvm_max_mb(apps: dict, app_id: str) -> int:
+    """Xmx = min( floor(0.7*limit), limit-1024, 12288 ) with floor at 1024 MB."""
+    limit_mb = _mem_limit_mb(apps, app_id)
+    c1 = (limit_mb * 7) // 10
+    c2 = max(0, limit_mb - 1024)
+    c3 = 12288
+    return max(1024, min(c1, c2, c3))
+
+def jvm_min_mb(apps: dict, app_id: str) -> int:
+    """Xms = min( floor(Xmx/2), mem_reservation, Xmx ) with floor at 512 MB."""
+    xmx = jvm_max_mb(apps, app_id)
+    res = _mem_res_mb(apps, app_id)
+    return max(512, min(xmx // 2, res, xmx))
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            "jvm_max_mb": jvm_max_mb,
+            "jvm_min_mb": jvm_min_mb,
+        }

filter_plugins/load_configuration.py

@@ -1,122 +0,0 @@
-import os
-import yaml
-import re
-from ansible.errors import AnsibleFilterError
-
-# in-memory cache: application_id → (parsed_yaml, is_nested)
-_cfg_cache = {}
-
-def load_configuration(application_id, key):
-    if not isinstance(key, str):
-        raise AnsibleFilterError("Key must be a dotted-string, e.g. 'features.matomo'")
-
-    # locate roles/
-    here = os.path.dirname(__file__)
-    root = os.path.abspath(os.path.join(here, '..'))
-    roles_dir = os.path.join(root, 'roles')
-    if not os.path.isdir(roles_dir):
-        raise AnsibleFilterError(f"Roles directory not found at {roles_dir}")
-
-    # first time? load & cache
-    if application_id not in _cfg_cache:
-        config_path = None
-
-        # 1) primary: vars/main.yml declares it
-        for role in os.listdir(roles_dir):
-            mv = os.path.join(roles_dir, role, 'vars', 'main.yml')
-            if os.path.exists(mv):
-                try:
-                    md = yaml.safe_load(open(mv)) or {}
-                except Exception:
-                    md = {}
-                if md.get('application_id') == application_id:
-                    cf = os.path.join(roles_dir, role, "config" , "main.yml")
-                    if not os.path.exists(cf):
-                        raise AnsibleFilterError(
-                            f"Role '{role}' declares '{application_id}' but missing config/main.yml"
-                        )
-                    config_path = cf
-                    break
-
-        # 2) fallback nested
-        if config_path is None:
-            for role in os.listdir(roles_dir):
-                cf = os.path.join(roles_dir, role, "config" , "main.yml")
-                if not os.path.exists(cf):
-                    continue
-                try:
-                    dd = yaml.safe_load(open(cf)) or {}
-                except Exception:
-                    dd = {}
-                if isinstance(dd, dict) and application_id in dd:
-                    config_path = cf
-                    break
-
-        # 3) fallback flat
-        if config_path is None:
-            for role in os.listdir(roles_dir):
-                cf = os.path.join(roles_dir, role, "config" , "main.yml")
-                if not os.path.exists(cf):
-                    continue
-                try:
-                    dd = yaml.safe_load(open(cf)) or {}
-                except Exception:
-                    dd = {}
-                # flat style: dict with all non-dict values
-                if isinstance(dd, dict) and not any(isinstance(v, dict) for v in dd.values()):
-                    config_path = cf
-                    break
-
-        if config_path is None:
-            return None
-
-        # parse once
-        try:
-            parsed = yaml.safe_load(open(config_path)) or {}
-        except Exception as e:
-            raise AnsibleFilterError(f"Error loading config/main.yml at {config_path}: {e}")
-
-        # detect nested vs flat
-        is_nested = isinstance(parsed, dict) and (application_id in parsed)
-        _cfg_cache[application_id] = (parsed, is_nested)
-
-    parsed, is_nested = _cfg_cache[application_id]
-
-    # pick base entry
-    entry = parsed[application_id] if is_nested else parsed
-
-    # resolve dotted key
-    key_parts = key.split('.')
-    for part in key_parts:
-        # Check if part has an index (e.g., domains.canonical[0])
-        match = re.match(r'([^\[]+)\[([0-9]+)\]', part)
-        if match:
-            part, index = match.groups()
-            index = int(index)
-            if isinstance(entry, dict) and part in entry:
-                entry = entry[part]
-                # Check if entry is a list and access the index
-                if isinstance(entry, list) and 0 <= index < len(entry):
-                    entry = entry[index]
-                else:
-                    raise AnsibleFilterError(
-                        f"Index '{index}' out of range for key '{part}' in application '{application_id}'"
-                    )
-            else:
-                raise AnsibleFilterError(
-                    f"Key '{part}' not found under application '{application_id}'"
-                )
-        else:
-            if isinstance(entry, dict) and part in entry:
-                entry = entry[part]
-            else:
-                raise AnsibleFilterError(
-                    f"Key '{part}' not found under application '{application_id}'"
-                )
-
-    return entry
-
-
-class FilterModule(object):
-    def filters(self):
-        return {'load_configuration': load_configuration}

filter_plugins/resource_filter.py

@@ -0,0 +1,40 @@
+# filter_plugins/resource_filter.py
+from __future__ import annotations
+
+import sys, os
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+
+from module_utils.config_utils import get_app_conf, AppConfigKeyError, ConfigEntryNotSetError  # noqa: F401
+from module_utils.entity_name_utils import get_entity_name
+
+from ansible.errors import AnsibleFilterError
+
+
+def resource_filter(
+    applications: dict,
+    application_id: str,
+    key: str,
+    service_name: str,
+    hard_default,
+):
+    """
+    Lookup order:
+      1) docker.services.<service_name or get_entity_name(application_id)>.<key>
+      2) hard_default (mandatory)
+
+    - service_name may be "" → will resolve to get_entity_name(application_id).
+    - hard_default is mandatory (no implicit None).
+    - required=False always.
+    """
+    try:
+        primary_service = service_name if service_name != "" else get_entity_name(application_id)
+        return get_app_conf(applications, application_id, f"docker.services.{primary_service}.{key}", False, hard_default)
+    except (AppConfigKeyError, ConfigEntryNotSetError) as e:
+        raise AnsibleFilterError(str(e))
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            "resource_filter": resource_filter,
+        }

filter_plugins/safe.py

@@ -1,55 +0,0 @@
-from jinja2 import Undefined
-
-
-def safe_placeholders(template: str, mapping: dict = None) -> str:
-    """
-    Format a template like "{url}/logo.png".
-    If mapping is provided (not None) and ANY placeholder is missing or maps to None/empty string, the function will raise KeyError.
-    If mapping is None, missing placeholders or invalid templates return empty string.
-    Numerical zero or False are considered valid values.
-    Any other formatting errors return an empty string.
-    """
-    # Non-string templates yield empty
-    if not isinstance(template, str):
-        return ''
-
-    class SafeDict(dict):
-        def __getitem__(self, key):
-            val = super().get(key, None)
-            # Treat None or empty string as missing
-            if val is None or (isinstance(val, str) and val == ''):
-                raise KeyError(key)
-            return val
-        def __missing__(self, key):
-            raise KeyError(key)
-
-    silent = mapping is None
-    data = mapping or {}
-    try:
-        return template.format_map(SafeDict(data))
-    except KeyError:
-        if silent:
-            return ''
-        raise
-    except Exception:
-        return ''
-
-def safe_var(value):
-    """
-    Ansible filter: returns the value unchanged unless it's Undefined or None,
-    in which case returns an empty string.
-    Catches all exceptions and yields ''.
-    """
-    try:
-        if isinstance(value, Undefined) or value is None:
-            return ''
-        return value
-    except Exception:
-        return ''
-
-class FilterModule(object):
-    def filters(self):
-        return {
-            'safe_var': safe_var,
-            'safe_placeholders': safe_placeholders,
-        }

filter_plugins/safe_join.py

@@ -1,28 +0,0 @@
-"""
-Ansible filter plugin that joins a base string and a tail path safely.
-If the base is falsy (None, empty, etc.), returns an empty string.
-"""
-
-def safe_join(base, tail):
-    """
-    Safely join base and tail into a path or URL.
-
-    - base: the base string. If falsy, returns ''.
-    - tail: the string to append. Leading/trailing slashes are handled.
-    - On any exception, returns ''.
-    """
-    try:
-        if not base:
-            return ''
-        base_str = str(base).rstrip('/')
-        tail_str = str(tail).lstrip('/')
-        return f"{base_str}/{tail_str}"
-    except Exception:
-        return ''
-
-
-class FilterModule(object):
-    def filters(self):
-        return {
-            'safe_join': safe_join,
-        }

filter_plugins/timeout_start_sec_for_domains.py

@@ -0,0 +1,67 @@
+# filter_plugins/timeout_start_sec_for_domains.py (nur Kern geändert)
+from ansible.errors import AnsibleFilterError
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            "timeout_start_sec_for_domains": self.timeout_start_sec_for_domains,
+        }
+
+    def timeout_start_sec_for_domains(
+        self,
+        domains_dict,
+        include_www=True,
+        per_domain_seconds=25,
+        overhead_seconds=30,
+        min_seconds=120,
+        max_seconds=3600,
+    ):
+        """
+        Args:
+            domains_dict (dict | list[str] | str): Either the domain mapping dict
+                (values can be str | list[str] | dict[str,str]) or an already
+                flattened list of domains, or a single domain string.
+            include_www (bool): If true, add 'www.<domain>' for non-www entries.
+            ...
+        """
+        try:
+            # Local flattener for dict inputs (like your generate_all_domains source)
+            def _flatten_from_dict(domains_map):
+                flat = []
+                for v in (domains_map or {}).values():
+                    if isinstance(v, str):
+                        flat.append(v)
+                    elif isinstance(v, list):
+                        flat.extend(v)
+                    elif isinstance(v, dict):
+                        flat.extend(v.values())
+                return flat
+
+            # Accept dict | list | str
+            if isinstance(domains_dict, dict):
+                flat = _flatten_from_dict(domains_dict)
+            elif isinstance(domains_dict, list):
+                flat = list(domains_dict)
+            elif isinstance(domains_dict, str):
+                flat = [domains_dict]
+            else:
+                raise AnsibleFilterError(
+                    "Expected 'domains_dict' to be dict | list | str."
+                )
+
+            if include_www:
+                base_unique = sorted(set(flat))
+                www_variants = [f"www.{d}" for d in base_unique if not str(d).lower().startswith("www.")]
+                flat.extend(www_variants)
+
+            unique_domains = sorted(set(flat))
+            count = len(unique_domains)
+
+            raw = overhead_seconds + per_domain_seconds * count
+            clamped = max(min_seconds, min(max_seconds, int(raw)))
+            return clamped
+
+        except AnsibleFilterError:
+            raise
+        except Exception as exc:
+            raise AnsibleFilterError(f"timeout_start_sec_for_domains failed: {exc}")

filter_plugins/url_join.py

@@ -0,0 +1,146 @@
+"""
+Ansible filter plugin that safely joins URL components from a list.
+- Requires a valid '<scheme>://' in the first element (any RFC-3986-ish scheme)
+- Preserves the double slash after the scheme, collapses other duplicate slashes
+- Supports query parts introduced by elements starting with '?' or '&'
+  * first query element uses '?', subsequent use '&' (regardless of given prefix)
+  * each query element must be exactly one 'key=value' pair
+  * query elements may only appear after path elements; once query starts, no more path parts
+- Raises specific AnsibleFilterError messages for common misuse
+"""
+
+import re
+from ansible.errors import AnsibleFilterError
+
+_SCHEME_RE = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*://)(.*)$')
+_QUERY_PAIR_RE = re.compile(r'^[^&=?#]+=[^&?#]*$')  # key=value (no '&', no extra '?' or '#')
+
+def _to_str_or_error(obj, index):
+    """Cast to str, raising a specific AnsibleFilterError with index context."""
+    try:
+        return str(obj)
+    except Exception as e:
+        raise AnsibleFilterError(
+            f"url_join: unable to convert part at index {index} to string: {e}"
+        )
+
+def url_join(parts):
+    """
+    Join a list of URL parts, URL-aware (scheme, path, query).
+
+    Args:
+        parts (list|tuple): URL segments. First element MUST include '<scheme>://'.
+            Path elements are plain strings.
+            Query elements must start with '?' or '&' and contain exactly one 'key=value'.
+
+    Returns:
+        str: Joined URL.
+
+    Raises:
+        AnsibleFilterError: with specific, descriptive messages.
+    """
+    # --- basic input validation ---
+    if parts is None:
+        raise AnsibleFilterError("url_join: parts must be a non-empty list; got None")
+    if not isinstance(parts, (list, tuple)):
+        raise AnsibleFilterError(
+            f"url_join: parts must be a list/tuple; got {type(parts).__name__}"
+        )
+    if len(parts) == 0:
+        raise AnsibleFilterError("url_join: parts must be a non-empty list")
+
+    # --- first element must carry a scheme ---
+    first_raw = parts[0]
+    if first_raw is None:
+        raise AnsibleFilterError(
+            "url_join: first element must include a scheme like 'https://'; got None"
+        )
+
+    first_str = _to_str_or_error(first_raw, 0)
+    m = _SCHEME_RE.match(first_str)
+    if not m:
+        raise AnsibleFilterError(
+            "url_join: first element must start with '<scheme>://', e.g. 'https://example.com'; "
+            f"got '{first_str}'"
+        )
+
+    scheme = m.group(1)                    # e.g., 'https://', 'ftp://', 'myapp+v1://'
+    after_scheme = m.group(2).lstrip('/')  # strip only leading slashes right after scheme
+
+    # --- iterate parts: collect path parts until first query part; then only query parts allowed ---
+    path_parts = []
+    query_pairs = []
+    in_query = False
+
+    for i, p in enumerate(parts):
+        if p is None:
+            # skip None silently (consistent with path_join-ish behavior)
+            continue
+
+        s = _to_str_or_error(p, i)
+
+        # disallow additional scheme in later parts
+        if i > 0 and "://" in s:
+            raise AnsibleFilterError(
+                f"url_join: only the first element may contain a scheme; part at index {i} "
+                f"looks like a URL with scheme ('{s}')."
+            )
+
+        # first element: replace with remainder after scheme and continue
+        if i == 0:
+            s = after_scheme
+
+        # check if this is a query element (starts with ? or &)
+        if s.startswith('?') or s.startswith('&'):
+            in_query = True
+            raw_pair = s[1:]  # strip the leading ? or &
+            if raw_pair == '':
+                raise AnsibleFilterError(
+                    f"url_join: query element at index {i} is empty; expected '?key=value' or '&key=value'"
+                )
+            # Disallow multiple pairs in a single element; enforce exactly one key=value
+            if '&' in raw_pair:
+                raise AnsibleFilterError(
+                    f"url_join: query element at index {i} must contain exactly one 'key=value' pair "
+                    f"without '&'; got '{s}'"
+                )
+            if not _QUERY_PAIR_RE.match(raw_pair):
+                raise AnsibleFilterError(
+                    f"url_join: query element at index {i} must match 'key=value' (no extra '?', '&', '#'); got '{s}'"
+                )
+            query_pairs.append(raw_pair)
+        else:
+            # non-query element
+            if in_query:
+                # once query started, no more path parts allowed
+                raise AnsibleFilterError(
+                    f"url_join: path element found at index {i} after query parameters started; "
+                    f"query parts must come last"
+                )
+            # normal path part: strip slashes to avoid duplicate '/'
+            path_parts.append(s.strip('/'))
+
+    # normalize path: remove empty chunks
+    path_parts = [p for p in path_parts if p != '']
+
+    # --- build result ---
+    # path portion
+    if path_parts:
+        joined_path = "/".join(path_parts)
+        base = scheme + joined_path
+    else:
+        # no path beyond scheme
+        base = scheme
+
+    # query portion
+    if query_pairs:
+        base = base + "?" + "&".join(query_pairs)
+
+    return base
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'url_join': url_join,
+        }

filter_plugins/volume_path.py

@@ -0,0 +1,21 @@
+from ansible.errors import AnsibleFilterError
+
+def docker_volume_path(volume_name: str) -> str:
+    """
+    Returns the absolute filesystem path of a Docker volume.
+
+    Example:
+        "akaunting_data" -> "/var/lib/docker/volumes/akaunting_data/_data/"
+    """
+    if not volume_name or not isinstance(volume_name, str):
+        raise AnsibleFilterError(f"Invalid volume name: {volume_name}")
+
+    return f"/var/lib/docker/volumes/{volume_name}/_data/"
+
+class FilterModule(object):
+    """Docker volume path filters."""
+
+    def filters(self):
+        return {
+            "docker_volume_path": docker_volume_path,
+        }

group_vars/all/00_general.yml

@@ -26,8 +26,16 @@ HOST_DECIMAL_MARK:        ","
 WEB_PROTOCOL:           "https"       # Web protocol type. Use https or http. If you run local you need to change it to http
 WEB_PORT:               "{{ 443 if WEB_PROTOCOL == 'https' else 80 }}"  # Default port web applications will listen to
 
+# Websocket
+WEBSOCKET_PROTOCOL:     "{{ 'wss' if WEB_PROTOCOL == 'https' else 'ws' }}"
+
+# WWW-Redirect to None WWW-Domains enabled
+WWW_REDIRECT_ENABLED:   "{{ ('web-opt-rdr-www' in group_names) | bool }}"
+
+AUTO_BUILD_ALIASES:     False # If enabled it creates an alias domain for each web application by the entity name, recommended to set to false to safge domain space
+
 # Domain
-PRIMARY_DOMAIN:         "localhost" # Primary Domain of the server
+PRIMARY_DOMAIN:                           "localhost" # Primary Domain of the server
 
 DNS_PROVIDER:                             cloudflare              # The DNS Provider\Registrar for the domain
 
@@ -52,7 +60,7 @@ DOCKER_WHITELISTET_ANON_VOLUMES: []
 
 # Asyn Confitguration
 ASYNC_ENABLED:  "{{ not MODE_DEBUG | bool }}"                  # Activate async, deactivated for debugging
-ASYNC_TIME:     "{{ 300 if ASYNC_ENABLED | bool else omit }}"  # Run for mnax 5min
+ASYNC_TIME:     "{{ 300 if ASYNC_ENABLED | bool else omit }}"  # Run for max 5min
 ASYNC_POLL:     "{{ 0 if ASYNC_ENABLED | bool else 10 }}"      # Don't wait for task
 
 # default value if not set via CLI (-e) or in playbook vars
@@ -78,4 +86,4 @@ _applications_nextcloud_oidc_flavor: >-
 RBAC:
   GROUP:
     NAME:   "/roles"  # Name of the group which holds the RBAC roles
-    CLAIM:  "groups"  # Name of the claim containing the RBAC groups
+    CLAIM:  "groups"  # Name of the claim containing the RBAC groups

group_vars/all/01_modes.yml

@@ -1,10 +1,10 @@
 # Mode
 
 # The following modes can be combined with each other
-MODE_TEST:    false # Executes test routines instead of productive routines
-MODE_UPDATE:  true  # Executes updates
-MODE_BACKUP:  true  # Activates the backup before the update procedure
-MODE_CLEANUP: true  # Cleanup unused files and configurations
-MODE_DEBUG:   false # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers
-MODE_RESET:   false # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
-MODE_ASSERT:  false # Executes validation tasks during the run.
+MODE_DUMMY:   false                       # Executes dummy/test routines instead of productive routines
+MODE_UPDATE:  true                        # Executes updates
+MODE_DEBUG:   false                       # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers
+MODE_RESET:   false                       # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
+MODE_CLEANUP: "{{ MODE_DEBUG  | bool }}"  # Cleanup unused files and configurations
+MODE_ASSERT:  "{{ MODE_DEBUG  | bool }}"  # Executes validation tasks during the run.
+MODE_BACKUP:  true                        # Executes the Backup before the deployment

group_vars/all/05_webserver.yml

@@ -29,4 +29,31 @@ NGINX:
       IMAGE:          "/tmp/cache_nginx_image/"             # Directory which nginx uses to cache images
   USER:               "http"                                # Default nginx user in ArchLinux
 
+# Effective CPUs (float) across proxy and the current app
+WEBSERVER_CPUS_EFFECTIVE: >-
+  {{
+    [
+      (applications | resource_filter('svc-prx-openresty', 'cpus', service_name | default(''), RESOURCE_CPUS)) | float,
+      (applications | resource_filter(application_id,           'cpus', service_name | default(''), RESOURCE_CPUS)) | float
+    ] | min
+  }}
+
+# Nginx requires an integer for worker_processes:
+# - if cpus < 1 → 1
+# - else → floor to int
+WEBSERVER_WORKER_PROCESSES: >-
+  {{
+    1 if (WEBSERVER_CPUS_EFFECTIVE | float) < 1
+    else (WEBSERVER_CPUS_EFFECTIVE | float | int)
+  }}
+
+# worker_connections from pids_limit (use the smaller one), with correct key/defaults
+WEBSERVER_WORKER_CONNECTIONS: >-
+  {{
+    [
+      (applications | resource_filter('svc-prx-openresty', 'pids_limit', service_name | default(''), RESOURCE_PIDS_LIMIT)) | int,
+      (applications | resource_filter(application_id,      'pids_limit', service_name | default(''), RESOURCE_PIDS_LIMIT)) | int
+    ] | min
+  }}
+
 # @todo It propably makes sense to distinguish between target and source mount path, so that the config files can be stored in the openresty volumes folder

group_vars/all/07_services.yml

@@ -2,48 +2,52 @@
 # Services
 
 ## Meta
-SYS_SERVICE_SUFFIX:                   ".{{ SOFTWARE_NAME | lower }}.service"
+SYS_SERVICE_SUFFIX:                     ".{{ SOFTWARE_NAME | lower }}.service"
 
 ## Names
-SYS_SERVICE_CLEANUP_BACKUPS_FAILED:   "{{ 'sys-ctl-cln-faild-bkps'  | get_service_name(SOFTWARE_NAME) }}"
-SYS_SERVICE_OPTIMIZE_DRIVE:           "{{ 'svc-opt-ssd-hdd'         | get_service_name(SOFTWARE_NAME) }}"
-SYS_SERVICE_BACKUP_RMT_2_LOC:         "{{ 'svc-bkp-rmt-2-loc'       | get_service_name(SOFTWARE_NAME) }}"
-SYS_SERVICE_REPAIR_DOCKER_SOFT:       "{{ 'sys-ctl-rpr-docker-soft' | get_service_name(SOFTWARE_NAME) }}"
-SYS_SERVICE_REPAIR_DOCKER_HARD:       "{{ 'sys-ctl-rpr-docker-hard' | get_service_name(SOFTWARE_NAME) }}"
-SYS_SERVICE_UPDATE_DOCKER:            "{{ 'update-docker'           | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_CLEANUP_BACKUPS:            "{{ 'sys-ctl-cln-bkps'          | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_CLEANUP_BACKUPS_FAILED:     "{{ 'sys-ctl-cln-faild-bkps'    | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_CLEANUP_ANONYMOUS_VOLUMES:  "{{ 'sys-ctl-cln-anon-volumes'  | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_CLEANUP_DISC_SPACE:         "{{ 'sys-ctl-cln-disc-space'    | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_OPTIMIZE_DRIVE:             "{{ 'svc-opt-ssd-hdd'           | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_BACKUP_RMT_2_LOC:           "{{ 'svc-bkp-rmt-2-loc'         | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_BACKUP_DOCKER_2_LOC:        "{{ 'sys-ctl-bkp-docker-2-loc'  | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_REPAIR_DOCKER_SOFT:         "{{ 'sys-ctl-rpr-docker-soft'   | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_REPAIR_DOCKER_HARD:         "{{ 'sys-ctl-rpr-docker-hard'   | get_service_name(SOFTWARE_NAME) }}"
 
 ## On Failure
-SYS_SERVICE_ON_FAILURE_COMPOSE:       "{{ ('sys-ctl-alm-compose@') | get_service_name(SOFTWARE_NAME, False) }}%n.service"
+SYS_SERVICE_ON_FAILURE_COMPOSE:         "{{ ('sys-ctl-alm-compose@') | get_service_name(SOFTWARE_NAME, False) }}%n.service"
 
 ## Groups
 SYS_SERVICE_GROUP_BACKUPS: >
   {{ (('sys-ctl-bkp-' | get_category_entries) + ('svc-bkp-' | get_category_entries))
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_CLEANUP: >
   {{ ('sys-ctl-cln-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_REPAIR: >
   {{ ('sys-ctl-rpr-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_OPTIMIZATION: >
   {{ ('svc-opt-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
 
 SYS_SERVICE_GROUP_MAINTANANCE: >
   {{ ('svc-mtn-' | get_category_entries)
-     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list }}
+     | map('regex_replace', '$', SYS_SERVICE_SUFFIX) | list | sort }}
  
 ## Collection of services to manipulate the system
 SYS_SERVICE_GROUP_MANIPULATION: >
   {{ 
-    SYS_SERVICE_GROUP_BACKUPS + 
-    SYS_SERVICE_GROUP_CLEANUP + 
-    SYS_SERVICE_GROUP_REPAIR + 
-    SYS_SERVICE_GROUP_OPTIMIZATION + 
-    SYS_SERVICE_GROUP_MAINTANANCE +
-    [ SYS_SERVICE_UPDATE_DOCKER ]
+    (
+      SYS_SERVICE_GROUP_BACKUPS +
+      SYS_SERVICE_GROUP_CLEANUP +
+      SYS_SERVICE_GROUP_REPAIR +
+      SYS_SERVICE_GROUP_OPTIMIZATION +
+      SYS_SERVICE_GROUP_MAINTANANCE
+    ) | sort
   }}
 

group_vars/all/08_schedule.yml

@@ -2,20 +2,20 @@
 # Service Timers
 
 ## Meta
-SYS_TIMER_ALL_ENABLED:  "{{ not MODE_DEBUG }}"   # Runtime Variables for Process Control - Activates all timers, independend if the handlers had been triggered
+SYS_TIMER_ALL_ENABLED:                        "{{ MODE_DEBUG }}"   # Runtime Variables for Process Control - Activates all timers, independend if the handlers had been triggered
 
 ## Server Tact Variables 
 
-HOURS_SERVER_AWAKE:            "0..23" # Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
-RANDOMIZED_DELAY_SEC:          "5min"  # Random delay for systemd timers to avoid peak loads.
+HOURS_SERVER_AWAKE:                           "6..23" # Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
+RANDOMIZED_DELAY_SEC:                         "5min"  # Random delay for systemd timers to avoid peak loads.
 
 ## Timeouts for all services
-SYS_TIMEOUT_CLEANUP_SERVICES:  "15min"
-SYS_TIMEOUT_STORAGE_OPTIMIZER: "10min"
-SYS_TIMEOUT_BACKUP_SERVICES:   "1h"
-SYS_TIMEOUT_HEAL_DOCKER:       "30min"
-SYS_TIMEOUT_UPDATE_DOCKER:     "2min"
-SYS_TIMEOUT_RESTART_DOCKER:    "{{ SYS_TIMEOUT_UPDATE_DOCKER }}"
+SYS_TIMEOUT_DOCKER_RPR_HARD:                  "10min"
+SYS_TIMEOUT_DOCKER_RPR_SOFT:                  "{{ SYS_TIMEOUT_DOCKER_RPR_HARD }}"
+SYS_TIMEOUT_CLEANUP_SERVICES:                 "15min"
+SYS_TIMEOUT_DOCKER_UPDATE:                    "20min"
+SYS_TIMEOUT_STORAGE_OPTIMIZER:                "{{ SYS_TIMEOUT_DOCKER_UPDATE }}"
+SYS_TIMEOUT_BACKUP_SERVICES:                  "60min"
 
 ## On Calendar
 
@@ -37,7 +37,6 @@ SYS_SCHEDULE_CLEANUP_FAILED_BACKUPS:          "*-*-* 12:00:00"
 
 ### Schedule for repair services
 SYS_SCHEDULE_REPAIR_BTRFS_AUTO_BALANCER:      "Sat *-*-01..07 00:00:00"               # Execute btrfs auto balancer every first Saturday of a month
-SYS_SCHEDULE_REPAIR_DOCKER_SOFT:              "*-*-* {{ HOURS_SERVER_AWAKE }}:30:00"  # Heal unhealthy docker instances once per hour
 SYS_SCHEDULE_REPAIR_DOCKER_HARD:              "Sun *-*-* 08:00:00"                    # Restart docker instances every Sunday at 8:00 AM
 
 ### Schedule for backup tasks

group_vars/all/09_networks.yml

@@ -10,7 +10,7 @@ defaults_networks:
     # /28 Networks, 14 Usable Ip Addresses
     web-app-akaunting:
       subnet: 192.168.101.0/28
-    web-app-attendize:
+    web-app-confluence:
       subnet: 192.168.101.16/28
     web-app-baserow:
       subnet: 192.168.101.32/28
@@ -34,8 +34,8 @@ defaults_networks:
       subnet: 192.168.101.176/28
     web-app-listmonk:
       subnet: 192.168.101.192/28
-    # Free:
-    #  subnet: 192.168.101.208/28
+    web-app-jira:
+      subnet: 192.168.101.208/28
     web-app-matomo:
       subnet: 192.168.101.224/28
     web-app-mastodon:
@@ -48,7 +48,7 @@ defaults_networks:
       subnet:       192.168.102.16/28
     web-app-moodle:
       subnet: 192.168.102.32/28
-    web-app-mybb:
+    web-app-bookwyrm:
       subnet: 192.168.102.48/28
     web-app-nextcloud:
       subnet: 192.168.102.64/28
@@ -96,6 +96,22 @@ defaults_networks:
       subnet: 192.168.103.160/28
     web-svc-logout:
       subnet: 192.168.103.176/28
+    web-app-chess:
+      subnet: 192.168.103.192/28
+    web-app-magento:
+      subnet: 192.168.103.208/28
+    web-app-bridgy-fed:
+      subnet: 192.168.103.224/28
+    web-app-xwiki:
+      subnet: 192.168.103.240/28
+    web-app-openwebui:
+      subnet: 192.168.104.0/28
+    web-app-flowise:
+      subnet: 192.168.104.16/28
+    web-app-minio:
+      subnet: 192.168.104.32/28
+    web-svc-coturn:
+      subnet: 192.168.104.48/28
 
     # /24 Networks / 254 Usable Clients
     web-app-bigbluebutton:
@@ -108,3 +124,5 @@ defaults_networks:
       subnet: 192.168.201.0/24
     svc-db-openldap:
       subnet: 192.168.202.0/24
+    svc-ai-ollama:
+      subnet: 192.168.203.0/24 # Big network to bridge applications into ai

group_vars/all/10_ports.yml

@@ -2,12 +2,12 @@ ports:
   # Ports which are exposed to localhost
   localhost:
     database:
-      svc-db-postgres: 5432
-      svc-db-mariadb: 3306
+      svc-db-postgres:    5432
+      svc-db-mariadb:     3306
     # https://developer.mozilla.org/de/docs/Web/API/WebSockets_API
     websocket:
-      web-app-mastodon: 4001
-      web-app-espocrm: 4002
+      web-app-mastodon:   4001
+      web-app-espocrm:    4002
     oauth2_proxy:
       web-app-phpmyadmin: 4181
       web-app-lam: 4182
@@ -26,7 +26,7 @@ ports:
       web-app-gitea: 8002
       web-app-wordpress: 8003
       web-app-mediawiki: 8004
-      web-app-mybb: 8005
+      web-app-confluence: 8005
       web-app-yourls: 8006
       web-app-mailu: 8007
       web-app-elk: 8008
@@ -36,7 +36,7 @@ ports:
       web-app-funkwhale: 8012
       web-app-roulette-wheel: 8013
       web-app-joomla: 8014
-      web-app-attendize: 8015
+      web-app-jira: 8015
       web-app-pgadmin: 8016
       web-app-baserow: 8017
       web-app-matomo: 8018
@@ -50,7 +50,7 @@ ports:
       web-app-moodle: 8026
       web-app-taiga: 8027
       web-app-friendica: 8028
-      web-app-port-ui: 8029
+      web-app-desktop: 8029
       web-app-bluesky_api: 8030
       web-app-bluesky_web: 8031
       web-app-keycloak: 8032
@@ -70,19 +70,39 @@ ports:
       web-app-pretix: 8046
       web-app-mig: 8047
       web-svc-logout: 8048
+      web-app-bookwyrm: 8049
+      web-app-chess: 8050
+      web-app-bluesky_view: 8051
+      web-app-magento: 8052
+      web-app-bridgy-fed: 8053
+      web-app-xwiki: 8054
+      web-app-openwebui: 8055
+      web-app-flowise: 8056
+      web-app-minio_api: 8057
+      web-app-minio_console: 8058
       web-app-bigbluebutton: 48087    # This port is predefined by bbb. @todo Try to change this to a 8XXX port
   public:
     # The following ports should be changed to 22 on the subdomain via stream mapping
     ssh:
-      web-app-gitea: 2201
-      web-app-gitlab: 2202
+      web-app-gitea:          2201
+      web-app-gitlab:         2202
     ldaps:
-      svc-db-openldap: 636
-    stun:
-      web-app-bigbluebutton: 3478    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 3479
-    turn:
-      web-app-bigbluebutton: 5349    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 5350        # Not used yet
+      svc-db-openldap:        636
+    stun_turn:
+      web-app-bigbluebutton:  3478  # Not sure if it's right placed here or if it should be moved to localhost section
+      # Occupied by BBB:      3479
+      web-app-nextcloud:      3480
+      web-svc-coturn:         3481
+    stun_turn_tls:
+      web-app-bigbluebutton:  5349  # Not sure if it's right placed here or if it should be moved to localhost section
+      web-app-nextcloud:      5350  # Not used yet
+      web-svc-coturn:         5351
     federation:
       web-app-matrix_synapse: 8448
+    relay_port_ranges:
+      web-svc-coturn_start:         20000
+      web-svc-coturn_end:           39999
+      web-app-bigbluebutton_start:  40000
+      web-app-bigbluebutton_end:    49999
+      web-app-nextcloud_start:      50000
+      web-app-nextcloud_end:        59999

group_vars/all/12_oidc.yml

@@ -7,33 +7,40 @@
 #############################################
 # @see https://en.wikipedia.org/wiki/OpenID_Connect
 
-## Helper Variables:
-_oidc_client_realm:         "{{ OIDC.CLIENT.REALM if OIDC.CLIENT is defined and OIDC.CLIENT.REALM is defined else SOFTWARE_NAME | lower }}"
-_oidc_url:                  "{{ 
-                                ( OIDC.URL
-                                  if (OIDC is defined and OIDC.URL is defined) 
-                                  else WEB_PROTOCOL ~ '://' ~ (domains | get_domain('web-app-keycloak'))
-                                ).rstrip('/') 
-                            }}"
-_oidc_client_issuer_url:    "{{ _oidc_url ~ '/realms/' ~ _oidc_client_realm }}"
-_oidc_client_id:            "{{ OIDC.CLIENT.ID if OIDC.CLIENT is defined and OIDC.CLIENT.ID is defined else SOFTWARE_NAME | lower }}"
+# Helper Variables:
+_oidc_client_realm:       "{{ OIDC.CLIENT.REALM if OIDC.CLIENT is defined and OIDC.CLIENT.REALM is defined else SOFTWARE_NAME | lower }}"
+_oidc_url:                "{{ 
+                            ( OIDC.URL
+                              if (OIDC is defined and OIDC.URL is defined) 
+                              else domains | get_url('web-app-keycloak', WEB_PROTOCOL)
+                            ).rstrip('/') 
+                          }}"
+_oidc_client_issuer_url:  "{{ _oidc_url ~ '/realms/' ~ _oidc_client_realm }}"
+_oidc_client_id:          "{{ OIDC.CLIENT.ID if OIDC.CLIENT is defined and OIDC.CLIENT.ID is defined else SOFTWARE_NAME | lower }}"
+_oidc_account_url:        "{{ _oidc_client_issuer_url ~ '/account' }}"
+_oidc_protocol_oidc:      "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect' }}"
 
+# Definition
 defaults_oidc:
   URL:                    "{{ _oidc_url }}"
   CLIENT:
-    ID:                   "{{ _oidc_client_id }}"                                                  # Client identifier, typically matching your primary domain
-#   secret:                                                                                        # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
-    REALM:                "{{ _oidc_client_realm }}"                                               # The realm to which the client belongs in the OIDC provider
-    ISSUER_URL:           "{{ _oidc_client_issuer_url }}"                                          # Base URL of the OIDC provider (issuer)
-    DISCOVERY_DOCUMENT:   "{{ _oidc_client_issuer_url ~ '/.well-known/openid-configuration' }}"    # URL for fetching the provider's configuration details
-    AUTHORIZE_URL:        "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/auth' }}"        # Endpoint to start the authorization process
-    TOKEN_URL:            "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/token' }}"       # Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
-    USER_INFO_URL:        "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/userinfo' }}"    # Endpoint to retrieve user information
-    LOGOUT_URL:           "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/logout' }}"      # Endpoint to log out the user
-    CHANGE_CREDENTIALS:   "{{ _oidc_client_issuer_url ~ '/account/account-security/signing-in' }}" # URL for managing or changing user credentials
-    CERTS:                "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect/certs' }}"       # JSON Web Key Set (JWKS)
+    ID:                   "{{ _oidc_client_id }}"                                                 # Client identifier, typically matching your primary domain
+#   SECRET:                                                                                       # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
+    REALM:                "{{ _oidc_client_realm }}"                                              # The realm to which the client belongs in the OIDC provider
+    ISSUER_URL:           "{{ _oidc_client_issuer_url }}"                                         # Base URL of the OIDC provider (issuer)
+    DISCOVERY_DOCUMENT:   "{{ _oidc_client_issuer_url ~ '/.well-known/openid-configuration' }}"   # URL for fetching the provider's configuration details
+    AUTHORIZE_URL:        "{{ _oidc_protocol_oidc ~ '/auth' }}"                                   # Endpoint to start the authorization process
+    TOKEN_URL:            "{{ _oidc_protocol_oidc ~ '/token' }}"                                  # Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
+    USER_INFO_URL:        "{{ _oidc_protocol_oidc ~ '/userinfo' }}"                               # Endpoint to retrieve user information
+    LOGOUT_URL:           "{{ _oidc_protocol_oidc ~ '/logout' }}"                                 # Endpoint to log out the user
+    CERTS:                "{{ _oidc_protocol_oidc ~ '/certs' }}"                                  # JSON Web Key Set (JWKS)
+    ACCOUNT:                                                                                        
+      URL:                "{{ _oidc_account_url }}"                                               # Entry point for the user settings console
+      PROFILE_URL:        "{{ _oidc_account_url ~ '/#/personal-info' }}"                          # Section for managing personal information
+      SECURITY_URL:       "{{ _oidc_account_url ~ '/#/security/signingin' }}"                     # Section for managing login and security settings
+    CHANGE_CREDENTIALS:   "{{ _oidc_account_url ~ '/account-security/signing-in' }}"              # URL for managing or changing user credentials
     RESET_CREDENTIALS:    "{{ _oidc_client_issuer_url ~ '/login-actions/reset-credentials?client_id=' ~ _oidc_client_id }}" # Password reset url
-  BUTTON_TEXT:            "SSO Login ({{ PRIMARY_DOMAIN | upper }})"                               # Default button text
+  BUTTON_TEXT:            "SSO Login ({{ PRIMARY_DOMAIN | upper }})"                              # Default button text
   ATTRIBUTES:
     # Attribut to identify the user
     USERNAME:             "preferred_username"

group_vars/all/13_ldap.yml

@@ -14,22 +14,22 @@ _ldap_domain:                 "{{ PRIMARY_DOMAIN }}" # LDAP is jsut listening to
 _ldap_user_id:                "uid"
 _ldap_filters_users_all:      "(|(objectclass=inetOrgPerson))"
 
-ldap:
+LDAP:
   # Distinguished Names (DN)
-  dn:
+  DN:
     # -------------------------------------------------------------------------
     # Base DN / Suffix
     # This is the top-level naming context for your directory, used as the
     # default search base for most operations (e.g. adding users, groups).
     # Example: “dc=example,dc=com”
-    root:               "{{ LDAP_DN_BASE }}"
-    administrator:
+    ROOT:               "{{ LDAP_DN_BASE }}"
+    ADMINISTRATOR:
       # -------------------------------------------------------------------------
       # Data-Tree Administrator Bind DN
       # The DN used to authenticate for regular directory operations under
       # the data tree (adding users, modifying attributes, creating OUs, etc.).
       # Typically: “cn=admin,dc=example,dc=com”
-      data: "cn={{ applications['svc-db-openldap'].users.administrator.username }},{{ LDAP_DN_BASE }}"
+      DATA: "cn={{ applications['svc-db-openldap'].users.administrator.username }},{{ LDAP_DN_BASE }}"
 
       # -------------------------------------------------------------------------
       # Config-Tree Administrator Bind DN
@@ -37,9 +37,9 @@ ldap:
       # need to load or modify schema, overlays, modules, or other server-
       # level settings.  
       # Typically: “cn=admin,cn=config”
-      configuration: "cn={{ applications['svc-db-openldap'].users.administrator.username }},cn=config"
+      CONFIGURATION: "cn={{ applications['svc-db-openldap'].users.administrator.username }},cn=config"
 
-    ou:
+    OU:
       # -------------------------------------------------------------------------
       # Organizational Units (OUs)
       # Pre-created containers in the directory tree to logically separate entries:
@@ -47,9 +47,9 @@ ldap:
       # – groups: Contains organizational or business groups (e.g., departments, teams).
       # – roles:  Contains application-specific RBAC roles 
       #           (e.g., "cn=app1-user", "cn=yourls-admin").
-      users:   "ou=users,{{ LDAP_DN_BASE }}"
-      groups:  "ou=groups,{{ LDAP_DN_BASE }}"
-      roles:   "ou=roles,{{ LDAP_DN_BASE }}"
+      USERS:   "ou=users,{{ LDAP_DN_BASE }}"
+      GROUPS:  "ou=groups,{{ LDAP_DN_BASE }}"
+      ROLES:   "ou=roles,{{ LDAP_DN_BASE }}"
 
     # -------------------------------------------------------------------------
     # Additional Notes
@@ -59,17 +59,17 @@ ldap:
     #   for ordinary user/group operations, and vice versa.
 
   # Password to access dn.bind
-  bind_credential:      "{{ applications | get_app_conf('svc-db-openldap', 'credentials.administrator_database_password') }}"
-  server:
-    domain:             "{{ _ldap_name if _ldap_docker_network_enabled else _ldap_domain }}" # Mapping for public or locale access
-    port:               "{{ _ldap_server_port }}"
-    uri:                "{{ _ldap_protocol }}://{{ _ldap_name if _ldap_docker_network_enabled else _ldap_domain }}:{{ _ldap_server_port }}"
-    security:           "" #TLS, SSL - Leave empty for none
-  network:
-    local:              "{{ _ldap_docker_network_enabled }}" # Uses the application configuration to define if local network should be available or not
-  user:
-    objects:
-      structural:
+  BIND_CREDENTIAL:      "{{ applications | get_app_conf('svc-db-openldap', 'credentials.administrator_database_password') }}"
+  SERVER:
+    DOMAIN:             "{{ _ldap_name if _ldap_docker_network_enabled else _ldap_domain }}" # Mapping for public or locale access
+    PORT:               "{{ _ldap_server_port }}"
+    URI:                "{{ _ldap_protocol }}://{{ _ldap_name if _ldap_docker_network_enabled else _ldap_domain }}:{{ _ldap_server_port }}"
+    SECURITY:           "" #TLS, SSL - Leave empty for none
+  NETWORK:
+    LOCAL:              "{{ _ldap_docker_network_enabled }}" # Uses the application configuration to define if local network should be available or not
+  USER:
+    OBJECTS:
+      STRUCTURAL:
         - person            # Structural Classes define the core identity of an entry:
                             # • Specify mandatory attributes (e.g. sn, cn)
                             # • Each entry must have exactly one structural class
@@ -77,26 +77,26 @@ ldap:
                             # (e.g. mail, employeeNumber)
         - posixAccount      # Provides UNIX account attributes (uidNumber, gidNumber,
                             # homeDirectory)
-      auxiliary:
-        nextloud_user:  "nextcloudUser"   # Auxiliary Classes attach optional attributes without
+      AUXILIARY:
+        NEXTCLOUD_USER: "nextcloudUser"   # Auxiliary Classes attach optional attributes without
                                           # changing the entry’s structural role. Here they add
                                           # nextcloudQuota and nextcloudEnabled for Nextcloud.
-        ssh_public_key: "ldapPublicKey"   # Allows storing SSH public keys for services like Gitea.
-    attributes:
+        SSH_PUBLIC_KEY: "ldapPublicKey"   # Allows storing SSH public keys for services like Gitea.
+    ATTRIBUTES:
       # Attribut to identify the user
-      id:                 "{{ _ldap_user_id }}"
-      mail:               "mail"
-      fullname:           "cn"
-      firstname:          "givenname"
-      surname:            "sn"
-      ssh_public_key:     "sshPublicKey"
-      nextcloud_quota:    "nextcloudQuota"
-  filters:
-    users:
-      login:            "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"
-      all:              "{{ _ldap_filters_users_all }}"
-  rbac:
-    flavors:
+      ID:                 "{{ _ldap_user_id }}"
+      MAIL:               "mail"
+      FULLNAME:           "cn"
+      FIRSTNAME:          "givenname"
+      SURNAME:            "sn"
+      SSH_PUBLIC_KEY:     "sshPublicKey"
+      NEXTCLOUD_QUOTA:    "nextcloudQuota"
+  FILTERS:
+    USERS:
+      LOGIN:              "(&{{ _ldap_filters_users_all }}({{_ldap_user_id}}=%{{_ldap_user_id}}))"
+      ALL:                "{{ _ldap_filters_users_all }}"
+  RBAC:
+    FLAVORS:
       # Valid values posixGroup, groupOfNames
       - groupOfNames
       # - posixGroup

group_vars/all/15_about.yml

@@ -21,7 +21,7 @@ defaults_service_provider:
          if 'web-app-bluesky' in group_names else '' }}
     email:          "{{ users.contact.username ~ '@' ~ PRIMARY_DOMAIN if 'web-app-mailu' in group_names else '' }}"
     mastodon:       "{{ '@' ~ users.contact.username ~ '@' ~ domains | get_domain('web-app-mastodon') if 'web-app-mastodon' in group_names else '' }}"
-    matrix:         "{{ '@' ~ users.contact.username ~ ':' ~ domains['web-app-matrix'].synapse if 'web-app-matrix' in group_names else '' }}"
+    matrix:         "{{ '@' ~ users.contact.username ~ ':' ~ applications | get_app_conf('web-app-matrix', 'server_name') if 'web-app-matrix' in group_names else '' }}"
     peertube:       "{{ '@' ~ users.contact.username ~ '@' ~ domains | get_domain('web-app-peertube') if 'web-app-peertube' in group_names else '' }}"
     pixelfed:       "{{ '@' ~ users.contact.username ~ '@' ~ domains | get_domain('web-app-pixelfed') if 'web-app-pixelfed' in group_names else '' }}"
     phone:          "+0 000 000 404"

group_vars/all/16_storage.yml

@@ -3,4 +3,3 @@ BACKUPS_FOLDER_PATH:              "/Backups/"   # Path to the backups folder
 # Storage Space-Related Configurations          
 SIZE_PERCENT_MAXIMUM_BACKUP:      75  # Maximum storage space in percent for backups
 SIZE_PERCENT_CLEANUP_DISC_SPACE:  85  # Threshold for triggering cleanup actions
-SIZE_PERCENT_DISC_SPACE_WARNING:  90  # Warning threshold in percent for free disk space

group_vars/all/17_ai.yml

@@ -0,0 +1,3 @@
+# URL of Local Ollama Container
+OLLAMA_BASE_LOCAL_URL:  "http://{{ applications | get_app_conf('svc-ai-ollama', 'docker.services.ollama.name') }}:{{ applications | get_app_conf('svc-ai-ollama', 'docker.services.ollama.port') }}"
+OLLAMA_LOCAL_ENABLED:   "{{ applications | get_app_conf(application_id, 'features.local_ai') }}"

group_vars/all/18_resource.yml

@@ -0,0 +1,47 @@
+# Host resources
+RESOURCE_HOST_CPUS:  "{{ ansible_processor_vcpus | int }}"
+RESOURCE_HOST_MEM:   "{{ (ansible_memtotal_mb | int) // 1024 }}"
+
+# Reserve for OS
+RESOURCE_HOST_RESERVE_CPU: 2
+RESOURCE_HOST_RESERVE_MEM: 4
+
+# Available for apps
+RESOURCE_AVAIL_CPUS: "{{ (RESOURCE_HOST_CPUS | int) - (RESOURCE_HOST_RESERVE_CPU | int) }}"
+RESOURCE_AVAIL_MEM:  "{{ (RESOURCE_HOST_MEM  | int) - (RESOURCE_HOST_RESERVE_MEM | int) }}"
+
+# Count active docker services (only roles starting with web- or svc-; service counts if enabled==true OR enabled is undefined)
+RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT: >-
+  {{
+    applications
+    | active_docker_container_count(group_names, '^(web-|svc-).*', ensure_min_one=True)
+  }}
+
+# Per-container fair share (numbers!), later we append 'g' only for the string fields in compose
+RESOURCE_CPUS_NUM: >-
+  {{
+    [
+      (
+        ((RESOURCE_AVAIL_CPUS | float) / (RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT | float))
+        | round(2)
+      ),
+      0.5
+    ] | max
+  }}
+
+RESOURCE_MEM_RESERVATION_NUM: >-
+  {{
+    (((RESOURCE_AVAIL_MEM  | float) / (RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT | float)) * 0.7)
+    | round(1)
+  }}
+RESOURCE_MEM_LIMIT_NUM: >-
+  {{
+    (((RESOURCE_AVAIL_MEM  | float) / (RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT | float)) * 1.0)
+    | round(1)
+  }}
+
+# Final strings with units for compose defaults (keep numbers above for math elsewhere if needed)
+RESOURCE_CPUS:            "{{ RESOURCE_CPUS_NUM }}"
+RESOURCE_MEM_RESERVATION: "{{ RESOURCE_MEM_RESERVATION_NUM }}g"
+RESOURCE_MEM_LIMIT:       "{{ RESOURCE_MEM_LIMIT_NUM }}g"
+RESOURCE_PIDS_LIMIT:      512

lookup_plugins/local_mtime_qs.py

@@ -0,0 +1,53 @@
+from __future__ import annotations
+from ansible.plugins.lookup import LookupBase
+from ansible.errors import AnsibleError
+import os
+
+class LookupModule(LookupBase):
+    """
+    Return a cache-busting string based on the LOCAL file's mtime.
+
+    Usage (single path → string via Jinja):
+      {{ lookup('local_mtime_qs', '/path/to/file.css') }}
+      -> "?version=1712323456"
+
+    Options:
+      param (str): query parameter name (default: "version")
+      mode  (str): "qs" (default) → returns "?<param>=<mtime>"
+                   "epoch"        → returns "<mtime>"
+
+    Multiple paths (returns list, one result per term):
+      {{ lookup('local_mtime_qs', '/a.js', '/b.js', param='v') }}
+    """
+
+    def run(self, terms, variables=None, **kwargs):
+        if not terms:
+            return []
+
+        param = kwargs.get('param', 'version')
+        mode  = kwargs.get('mode', 'qs')
+
+        if mode not in ('qs', 'epoch'):
+            raise AnsibleError("local_mtime_qs: 'mode' must be 'qs' or 'epoch'")
+
+        results = []
+        for term in terms:
+            path = os.path.abspath(os.path.expanduser(str(term)))
+
+            # Fail fast if path is missing or not a regular file
+            if not os.path.exists(path):
+                raise AnsibleError(f"local_mtime_qs: file does not exist: {path}")
+            if not os.path.isfile(path):
+                raise AnsibleError(f"local_mtime_qs: not a regular file: {path}")
+
+            try:
+                mtime = int(os.stat(path).st_mtime)
+            except OSError as e:
+                raise AnsibleError(f"local_mtime_qs: cannot stat '{path}': {e}")
+
+            if mode == 'qs':
+                results.append(f"?{param}={mtime}")
+            else:  # mode == 'epoch'
+                results.append(str(mtime))
+
+        return results

module_utils/manager/inventory.py

@@ -142,7 +142,8 @@ class InventoryManager:
         """
         if algorithm == "random_hex":
             return secrets.token_hex(64)
-        
+        if algorithm == "random_hex_32":
+            return secrets.token_hex(32)
         if algorithm == "sha256":
             return hashlib.sha256(secrets.token_bytes(32)).hexdigest()
         if algorithm == "sha1":

playbook.yml

@@ -1,10 +1,10 @@
-- name: Execute {{ SOFTWARE_NAME }} Play
+- name: "Execute {{ SOFTWARE_NAME }} Play"
   hosts: all
   tasks:
   - name: "Load 'constructor' tasks"
     include_tasks: "tasks/stages/01_constructor.yml"
-  - name: "Load '{{host_type}}' tasks"
-    include_tasks: "tasks/stages/02_{{host_type}}.yml"
+  - name: "Load '{{ host_type }}' tasks"
+    include_tasks: "tasks/stages/02_{{ host_type }}.yml"
   - name: "Load 'destructor' tasks"
     include_tasks: "tasks/stages/03_destructor.yml"
   become: true

roles/Todo.md

@@ -1,3 +0,0 @@
-# Todos
-- Use at all applications the ansible role name as application_id
-- Implement filter_plugins/get_infinito_path.py

roles/categories.yml

@@ -1,9 +1,4 @@
 roles:
-  cmp:
-    title: "Compositions"
-    description: "Composition of other roles."
-    icon: "fas fa-sitemap"
-    invokable: false
   docker:
     title: "Docker Toolkit"
     description: "Generic Docker helpers and utilities (compose wrappers, container tooling)."
@@ -56,16 +51,26 @@ roles:
       description: "DNS providers, records, and rDNS management (Cloudflare, Hetzner, etc.)."
       icon: "fas fa-network-wired"
       invokable: false
+    stk:
+      title: "Stack"
+      description: "Stack levels to setup the server"
+      icon: "fas fa-bars-staggered"
+      invokable: false
+    front:
+      title: "System Frontend Helpers"
+      description: "Frontend helpers for reverse-proxied apps (injection, shared assets, CDN plumbing)."
+      icon: "fas fa-wand-magic-sparkles"
+      invokable: false
+      inj:
+        title: "Injection"
+        description: "Composable HTML injection roles (CSS, JS, logout interceptor, analytics, desktop iframe) for Nginx/OpenResty via sub_filter/Lua with CDN-backed assets."
+        icon: "fas fa-filter"
+        invokable: false
   update:
     title: "Updates & Package Management"
     description: "OS & package updates"
     icon: "fas fa-sync"
     invokable: true
-    pkgmgr:
-      title: "Package Manager Helpers"
-      description: "Helpers for package managers and unified install flows."
-      icon: "fas fa-box-open"
-      invokable: false
   drv:
     title: "Drivers"
     description: "Roles for installing and configuring hardware drivers—covering printers, graphics, input devices, and other peripheral support."
@@ -101,21 +106,6 @@ roles:
       description: "Developer-centric server utilities and admin toolkits."
       icon: "fas fa-code"
       invokable: false
-  srv:
-    title: "Server"
-    description: "General server roles for provisioning and managing server infrastructure—covering web servers, proxy servers, network services, and other backend components."
-    icon: "fas fa-server"
-    invokable: false
-    web:
-      title: "Webserver"
-      description: "Web-server roles for installing and configuring Nginx (core, TLS, injection filters, composer modules)."
-      icon: "fas fa-server"
-      invokable: false
-    proxy:
-      title: "Proxy Server"
-      description: "Proxy-server roles for virtual-host orchestration and reverse-proxy setups."
-      icon: "fas fa-project-diagram"
-      invokable: false
   web:
     title: "Web Infrastructure"
     description: "Roles for managing web infrastructure—covering static content services and deployable web applications."
@@ -158,6 +148,11 @@ roles:
       description: "Network setup (DNS, Let's Encrypt HTTP, WireGuard, etc.)"
       icon: "fas fa-globe"
       invokable: true 
+    ai:
+      title: "AI Services"
+      description: "Core AI building blocks—model serving, OpenAI-compatible gateways, vector databases, orchestration, and chat UIs."
+      icon: "fas fa-brain"
+      invokable: true
   user:
     title: "Users & Access"
     description: "User accounts & access control"

roles/cmp-db-docker-proxy/README.md

@@ -1,11 +0,0 @@
-# Database Docker with Web Proxy
-
-This role builds on `cmp-db-docker` by adding a reverse-proxy frontend for HTTP access to your database service.
-
-## Features
-
-- **Database Composition**  
-  Leverages the `cmp-db-docker` role to stand up your containerized database (PostgreSQL, MariaDB, etc.) with backups and user management.
-
-- **Reverse Proxy**  
-  Includes the `srv-domain-provision` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.

roles/cmp-db-docker/vars/main.yml

@@ -1 +0,0 @@
-DATABASE_VARS_FILE: "{{ playbook_dir }}/roles/cmp-rdbms/vars/database.yml"

roles/cmp-docker-proxy/tasks/main.yml

@@ -1,14 +0,0 @@
-# run_once_cmp_docker_proxy: deactivated
-
-# Load the proxy first, so that openresty handlers are flushed before the main docker compose
-- name: "For '{{ application_id }}': include role srv-domain-provision"
-  include_role:
-    name: srv-domain-provision
-  vars:
-    domain:   "{{ domains | get_domain(application_id) }}"
-    http_port:   "{{ ports.localhost.http[application_id] }}"
-
-- name: "For '{{ application_id }}': Load cmp-docker-oauth2"
-  include_role: 
-    name: cmp-docker-oauth2
-

roles/cmp-rdbms/templates/services/main.yml.j2

@@ -1 +0,0 @@
-{% include 'roles/cmp-rdbms/templates/services/' + database_type + '.yml.j2' %}

roles/cmp-rdbms/vars/database.yml

@@ -1,20 +0,0 @@
-# Helper variables
-_dbtype:                          "{{ (database_type | d('') | trim) }}"
-_database_id:                     "{{ ('svc-db-' ~ _dbtype) if _dbtype else '' }}"
-_database_central_name:           "{{ (applications | get_app_conf(_database_id, 'docker.services.' ~ _dbtype ~ '.name', False, '')) if _dbtype else '' }}"
-_database_consumer_id:            "{{ database_application_id | d(application_id) }}"
-_database_consumer_entity_name:   "{{ _database_consumer_id | get_entity_name }}"
-_database_central_enabled:        "{{ (applications | get_app_conf(_database_consumer_id, 'features.central_database', False)) if _dbtype else False }}"
-
-# Definition
-
-database_name:      "{{ _database_consumer_entity_name }}"
-database_instance:  "{{ _database_central_name if _database_central_enabled else database_name }}" # This could lead to bugs at dedicated database @todo cleanup
-database_host:      "{{ _database_central_name if _database_central_enabled else 'database' }}"    # This could lead to bugs at dedicated database @todo cleanup
-database_username:  "{{ _database_consumer_entity_name }}"
-database_password:  "{{ applications | get_app_conf(_database_consumer_id, 'credentials.database_password', true) }}"
-database_port:      "{{ (ports.localhost.database[_database_id] | d('')) if _dbtype else '' }}"
-database_env:       "{{ docker_compose.directories.env }}{{ database_type }}.env"
-database_url_jdbc:  "jdbc:{{ database_type if database_type == 'mariadb' else 'postgresql' }}://{{ database_host }}:{{ database_port }}/{{ database_name }}"
-database_url_full:  "{{ database_type }}://{{ database_username }}:{{ database_password }}@{{ database_host }}:{{ database_port }}/{{ database_name }}"
-database_volume:    "{{ _database_consumer_entity_name ~ '_' if not _database_central_enabled }}{{ database_host }}"

roles/desk-gnome-caffeine/tasks/01_core.yml

@@ -19,3 +19,5 @@
   template:
     src: caffeine.desktop.j2
     dest: "{{auto_start_directory}}caffeine.desktop"
+
+- include_tasks: utils/run_once.yml

roles/desk-gnome-caffeine/tasks/main.yml

@@ -1,4 +1,3 @@
 - block:
   - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
   when: run_once_desk_gnome_caffeine is not defined

roles/desk-libreoffice/tasks/main.yml

@@ -9,4 +9,4 @@
   community.general.pacman:
     name: "libreoffice-{{ applications['desk-libreoffice'].flavor }}-{{ item }}"
     state: present
-  loop: "{{libreoffice_languages}}"
+  loop: "{{ libreoffice_languages }}"

roles/desk-nextcloud/tasks/main.yml

@@ -5,8 +5,8 @@
 
 - name: Link homefolders to cloud
   ansible.builtin.file:
-    src: "{{nextcloud_cloud_directory}}{{item}}"
-    dest: "{{nextcloud_user_home_directory}}{{item}}"
+    src: "{{nextcloud_cloud_directory}}{{ item }}"
+    dest: "{{nextcloud_user_home_directory}}{{ item }}"
     owner: "{{ users[desktop_username].username }}"
     group: "{{ users[desktop_username].username }}"
     state: link

roles/desk-ssh/tasks/01_core.yml

@@ -48,4 +48,6 @@
     state: present
     create: yes
     mode: "0644"
-  become: false
+  become: false
+
+- include_tasks: utils/run_once.yml

roles/desk-ssh/tasks/main.yml

@@ -1,4 +1,3 @@
 - block:
   - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
   when: run_once_desk_ssh is not defined

roles/desk-virtualbox/handlers/main.yml

@@ -1,4 +0,0 @@
----
-- name: reload virtualbox kernel modules
-  become: true
-  command: vboxreload

roles/dev-locales/tasks/main.yml

@@ -1,8 +1,14 @@
 ---
 - name: Setup locale.gen
-  template: src=locale.gen dest=/etc/locale.gen
+  template:
+    src:  locale.gen.j2
+    dest: /etc/locale.gen
+
 - name: Setup locale.conf
-  template: src=locale.conf dest=/etc/locale.conf
+  template:
+    src:  locale.conf.j2
+    dest: /etc/locale.conf
+
 - name: Generate locales
   shell: locale-gen
   become: true

roles/dev-locales/templates/locale.conf

@@ -1,2 +0,0 @@
-LANG=en_US.UTF-8
-LANGUAGE=en_US.UTF-8

roles/dev-locales/templates/locale.conf.j2

@@ -0,0 +1,2 @@
+LANG={{ HOST_LL_CC }}.UTF-8
+LANGUAGE={{ HOST_LL_CC }}.UTF-8

roles/dev-yay/defaults/main.yml

@@ -0,0 +1,4 @@
+AUR_HELPER:               yay
+AUR_BUILDER_USER:         aur_builder
+AUR_BUILDER_GROUP:        wheel
+AUR_BUILDER_SUDOERS_PATH: /etc/sudoers.d/11-install-aur_builder

roles/dev-yay/tasks/01_core.yml

@@ -6,42 +6,53 @@
   - dev-git
   - dev-base-devel
 
-- name: install yay
+- name: Install yay build prerequisites
   community.general.pacman:
     name:
     - base-devel
     - patch
     state: present
 
-- name: Create the `aur_builder` user
+- name: Create the AUR builder user
   become: true
   ansible.builtin.user:
-    name: aur_builder
+    name: "{{ AUR_BUILDER_USER }}"
     create_home: yes
-    group: wheel
+    group: "{{ AUR_BUILDER_GROUP }}"
 
-- name: Allow the `aur_builder` user to run `sudo pacman` without a password
+- name: Allow AUR builder to run pacman without password
   become: true
   ansible.builtin.lineinfile:
-    path: /etc/sudoers.d/11-install-aur_builder
-    line: 'aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman'
+    path: "{{ AUR_BUILDER_SUDOERS_PATH }}"
+    line: '{{ AUR_BUILDER_USER }} ALL=(ALL) NOPASSWD: /usr/bin/pacman'
     create: yes
     validate: 'visudo -cf %s'
 
 - name: Clone yay from AUR
   become: true
-  become_user: aur_builder
+  become_user: "{{ AUR_BUILDER_USER }}"
   git:
     repo: https://aur.archlinux.org/yay.git
-    dest: /home/aur_builder/yay
+    dest: "/home/{{ AUR_BUILDER_USER }}/yay"
     clone: yes
     update: yes
 
 - name: Build and install yay
   become: true
-  become_user: aur_builder
+  become_user: "{{ AUR_BUILDER_USER }}"
   shell: |
-    cd /home/aur_builder/yay
+    cd /home/{{ AUR_BUILDER_USER }}/yay
     makepkg -si --noconfirm
   args:
     creates: /usr/bin/yay
+
+- name: upgrade the system using yay, only act on AUR packages.
+  become: true
+  become_user: "{{ AUR_BUILDER_USER }}"
+  kewlfft.aur.aur:
+    upgrade: yes
+    use: "{{ AUR_HELPER }}"
+    aur_only: yes
+  when: MODE_UPDATE | bool
+
+- include_tasks: utils/run_once.yml

roles/dev-yay/tasks/main.yml

@@ -1,5 +1,3 @@
 - block:
   - include_tasks: 01_core.yml
-  - set_fact:
-      run_once_dev_yay: true
   when: run_once_dev_yay is not defined

roles/docker-compose/README.md

@@ -20,7 +20,7 @@ To offer a centralized, extensible system for managing containerized application
 - **Reset Logic:** Cleans previous Compose project files and data when `MODE_RESET` is enabled.
 - **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers.
 - **Template-ready Service Files:** Predefined service base and health check templates.
-- **Integration Support:** Compatible with `srv-proxy-core` and other Infinito.Nexus service roles.
+- **Integration Support:** Compatible with `sys-svc-proxy` and other Infinito.Nexus service roles.
 
 ## Administration Tips
 

roles/docker-compose/defaults/main.yml

@@ -1,3 +1,3 @@
-docker_compose_skipp_file_creation: false # If set to true the file creation will be skipped
-docker_pull_git_repository:         false # Activates docker repository download and routine
-docker_compose_flush_handlers:      false # Set to true in the vars/main.yml of the including role to autoflush after docker compose routine
+docker_compose_file_creation_enabled: true  # If set to true the file creation will be skipped
+docker_pull_git_repository:           false # Activates docker repository download and routine
+docker_compose_flush_handlers:        false # Set to true in the vars/main.yml of the including role to autoflush after docker compose routine

roles/docker-compose/handlers/main.yml

@@ -9,16 +9,22 @@
   listen:
     - docker compose up
     - docker compose restart
-    - docker compose just up
   when: MODE_ASSERT | bool
 
 - name: docker compose pull
   shell: |
     set -euo pipefail
-    lock="{{ [ PATH_DOCKER_COMPOSE_PULL_LOCK_DIR | docker_compose.directories.instance ] path_join | hash('sha1') }}"
+    lock="{{ [ PATH_DOCKER_COMPOSE_PULL_LOCK_DIR, (docker_compose.directories.instance | hash('sha1')) ~ '.lock' ] | path_join }}"
     if [ ! -e "$lock" ]; then
       mkdir -p "$(dirname "$lock")"
-      docker compose pull
+      if docker compose config | grep -qE '^[[:space:]]+build:'; then
+        docker compose build --pull
+      fi
+      if docker compose pull --help 2>/dev/null | grep -q -- '--ignore-buildable'; then
+        docker compose pull --ignore-buildable
+      else
+        docker compose pull || true
+      fi
       : > "$lock"
       echo "pulled"
     fi
@@ -34,14 +40,13 @@
   listen:
     - docker compose up
     - docker compose restart
-    - docker compose just up
 
-- name: Build docker compose 
+- name: Build docker compose
   shell: |
     set -euo pipefail
     docker compose build || { 
       echo "Retrying without cache and pulling bases...";
-      docker compose build --no-cache --pull; 
+      docker compose build --no-cache{{ ' --pull' if MODE_UPDATE | bool else ''}}; 
     }
   args:
     chdir: "{{ docker_compose.directories.instance }}"
@@ -70,7 +75,6 @@
     DOCKER_CLIENT_TIMEOUT: 600
   listen:
     - docker compose up
-    - docker compose just up # @todo replace later just up by up when code is refactored, build atm is also listening to up
 
 - name: docker compose restart
   command:

roles/docker-compose/tasks/03_repository.yml

@@ -1,15 +1,18 @@
 - name: Set default docker_repository_path
   set_fact:
-    docker_repository_path: "{{docker_compose.directories.services}}repository/"
+    docker_repository_path: "{{ [ docker_compose.directories.services, 'repository/' ] | path_join }}"
 
 - name: pull docker repository
   git:
-    repo:       "{{ docker_repository_address }}"
-    dest:       "{{ docker_repository_path }}"
-    version:    "{{ docker_repository_branch | default('main') }}"
-    depth:      1
-    update:     yes
-    recursive:  yes
+    repo:           "{{ docker_repository_address }}"
+    dest:           "{{ docker_repository_path }}"
+    version:        "{{ docker_repository_branch | default('main') }}"
+    single_branch:  yes
+    depth:          1
+    update:         yes
+    recursive:      yes
+    force:          yes
+    accept_hostkey: yes
   notify:
     - docker compose build
     - docker compose up

roles/docker-compose/tasks/04_files.yml

@@ -5,7 +5,9 @@
   loop:
     - "{{ application_id | abs_role_path_by_application_id }}/templates/Dockerfile.j2"
     - "{{ application_id | abs_role_path_by_application_id }}/files/Dockerfile"
-  notify: docker compose up
+  notify: 
+    - docker compose build
+    - docker compose up
   register: create_dockerfile_result
   failed_when:
     - create_dockerfile_result is failed
@@ -26,6 +28,21 @@
     - env_template is failed
     - "'Could not find or access' not in env_template.msg"
 
+- name:           "Create (optional) '{{ docker_compose.files.docker_compose_override }}'"
+  template:
+    src:          "{{ item }}"
+    dest:         "{{ docker_compose.files.docker_compose_override }}"
+    mode:         '770'
+    force:        yes
+  notify:         docker compose up
+  register:       docker_compose_override_template
+  loop:
+    - "{{ application_id | abs_role_path_by_application_id }}/templates/docker-compose.override.yml.j2"
+    - "{{ application_id | abs_role_path_by_application_id }}/files/docker-compose.override.yml"
+  failed_when:
+    - docker_compose_override_template is failed
+    - "'Could not find or access' not in docker_compose_override_template.msg"
+
 - name:           "Create (obligatoric) '{{ docker_compose.files.docker_compose }}'"
   template:
     src:          "docker-compose.yml.j2"

roles/docker-compose/tasks/main.yml

@@ -24,7 +24,7 @@
     include_tasks: "04_files.yml"
   - name: "Ensure that {{ docker_compose.directories.instance }} is up"
     include_tasks: "05_ensure_up.yml"
-  when: not docker_compose_skipp_file_creation | bool
+  when: docker_compose_file_creation_enabled | bool
 
 - name: "flush docker compose for '{{ application_id }}'"
   meta: flush_handlers

roles/docker-compose/templates/base.yml.j2

@@ -2,7 +2,7 @@
 services:
 {# Load Database #}
 {% if applications | is_docker_service_enabled(application_id, 'database') %}
-{% include 'roles/cmp-rdbms/templates/services/main.yml.j2' %}
+{% include 'roles/sys-svc-rdbms/templates/services/main.yml.j2' %}
 {% endif %}
 {# Load Redis #}
 {% if applications | is_docker_service_enabled(application_id, 'redis') or applications | get_app_conf(application_id, 'features.oauth2', False) %}

roles/docker-compose/templates/networks.yml.j2

@@ -1,5 +1,6 @@
 {# This template needs to be included in docker-compose.yml #}
 networks:
+{# Central RDMS-Database Network #}
 {% if 
   (applications | get_app_conf(application_id, 'features.central_database', False) and database_type is defined) or
   application_id in ['svc-db-mariadb','svc-db-postgres']
@@ -7,6 +8,7 @@ networks:
   {{ applications | get_app_conf('svc-db-' ~ database_type, 'docker.network') }}:
     external: true
 {% endif %}
+{# Central LDAP Network #}
 {% if 
   applications | get_app_conf(application_id, 'features.ldap', False) and 
   applications | get_app_conf('svc-db-openldap', 'network.docker', False)
@@ -14,7 +16,13 @@ networks:
   {{ applications | get_app_conf('svc-db-openldap', 'docker.network') }}:
     external: true
 {% endif %}
-{% if not application_id.startswith('svc-db-') %}
+{# Central AI Network #}
+{% if applications | get_app_conf(application_id, 'features.local_ai', False) %}
+  {{ applications | get_app_conf('svc-ai-ollama', 'docker.network') }}:
+    external: true
+{% endif %}
+{# Default Network #}
+{% if not application_id.startswith('svc-db-') and not application_id.startswith('svc-ai-') %}
   default:
 {% if
   application_id in networks.local and 
@@ -25,7 +33,7 @@ networks:
     ipam:
       driver: default
       config:
-        - subnet: {{networks.local[application_id].subnet}}
+        - subnet: {{ networks.local[application_id].subnet }}
 {% endif %}
 {% endif %}
 {{ "\n" }}

roles/docker-compose/users/main.yml

@@ -1,4 +1,6 @@
 users:
   blackhole:
     description: "Everything what will be send to this user will disapear"
-    username: "blackhole"
+    username: "blackhole"
+    roles:
+      - mail-bot

roles/docker-compose/vars/docker-compose.yml

@@ -1,2 +1,4 @@
 # @See https://chatgpt.com/share/67a23d18-fb54-800f-983c-d6d00752b0b4
-docker_compose: "{{ application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) }}"
+docker_compose:               "{{ application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) }}"
+docker_compose_command_base:  "docker compose --env-file {{ docker_compose.files.env }}"
+docker_compose_command_exec:  "{{ docker_compose_command_base }} exec"

roles/docker-container/templates/base.yml.j2

@@ -1,11 +1,13 @@
 {# Base for docker services #}
 
-    restart: {{ DOCKER_RESTART_POLICY }}
+    restart: {{ docker_restart_policy | default(DOCKER_RESTART_POLICY) }}
 {% if application_id | has_env  %}
     env_file:
       - "{{ docker_compose.files.env }}"
 {% endif %}
     logging:
       driver: journald
-
+{% filter indent(4) %}
+    {% include 'roles/docker-container/templates/resource.yml.j2' %}
+{% endfilter %}
 {{ "\n" }}

roles/docker-container/templates/build.yml.j2

@@ -0,0 +1,6 @@
+{# integrate it into service sections to be build by Dockerfile #}
+pull_policy: never
+build:
+  context: .
+  dockerfile: Dockerfile
+{# pass Arguments here #}

roles/docker-container/templates/healthcheck/curl.yml.j2

@@ -3,6 +3,10 @@
         - "CMD"
         - "curl"
         - "-f"
+{% if container_hostname is defined %}
+        - "-H"
+        - "Host: {{ container_hostname }}"
+{% endif %}
         - "http://127.0.0.1{{ (":" ~ container_port) if container_port is defined else '' }}/{{ container_healthcheck | default('') }}"
       interval: 1m
       timeout: 10s

roles/docker-container/templates/healthcheck/nc.yml.j2

@@ -0,0 +1,7 @@
+    healthcheck:
+      test: ["CMD-SHELL", "nc -z localhost {{ container_port }} || exit 1"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+      start_period: 10s
+{{ "\n" }}

roles/docker-container/templates/networks.yml.j2

@@ -1,15 +1,25 @@
 {# This template needs to be included in docker-compose.yml containers #}
     networks:
+{# Central RDMS-Database Network #}
 {% if 
   (applications | get_app_conf(application_id, 'features.central_database', False) and database_type is defined) or
   application_id in ['svc-db-mariadb','svc-db-postgres']
 %}
       {{ applications | get_app_conf('svc-db-' ~ database_type, 'docker.network') }}:
+{% if application_id in ['svc-db-mariadb','svc-db-postgres'] %}
+          aliases:
+            - {{ database_type }}
 {% endif %}
+{% endif %}
+{# Central LDAP Network #}
 {% if applications | get_app_conf(application_id, 'features.ldap', False) and applications | get_app_conf('svc-db-openldap', 'network.docker') %}
       {{ applications | get_app_conf('svc-db-openldap', 'docker.network') }}:
 {% endif %}
-{% if application_id != 'svc-db-openldap' %}
+{# Central AI Network #}
+{% if applications | get_app_conf(application_id, 'features.local_ai', False) %}
+      {{ applications | get_app_conf('svc-ai-ollama', 'docker.network') }}:
+{% endif %}
+{% if not application_id.startswith('svc-db-') and not application_id.startswith('svc-ai-') %}
       default:
 {% endif %}
 {{ "\n" }}

roles/docker-container/templates/resource.yml.j2

@@ -0,0 +1,4 @@
+cpus:               {{ applications | resource_filter(application_id, 'cpus',            service_name | default(''), RESOURCE_CPUS) }}
+mem_reservation:    {{ applications | resource_filter(application_id, 'mem_reservation', service_name | default(''), RESOURCE_MEM_RESERVATION) }}
+mem_limit:          {{ applications | resource_filter(application_id, 'mem_limit',       service_name | default(''), RESOURCE_MEM_LIMIT) }}
+pids_limit:         {{ applications | resource_filter(application_id, 'pids_limit',      service_name | default(''), RESOURCE_PIDS_LIMIT) }}

roles/pkgmgr-install/tasks/main.yml

@@ -4,7 +4,7 @@
       run_once_pkgmgr_install: true
   when: run_once_pkgmgr_install is not defined
 
-- name: update {{ package_name }}
+- name: "update {{ package_name }}"
   ansible.builtin.shell: |
     source ~/.venvs/pkgmgr/bin/activate
     pkgmgr update {{ package_name }} --dependencies --clone-mode https

roles/pkgmgr/tasks/01_core.yml

@@ -16,29 +16,23 @@
 
 - name: Create installation directory for Kevin's Package Manager
   file:
-    path: "{{ pkgmgr_install_path }}"
+    path: "{{ PKGMGR_INSTALL_PATH }}"
     state: directory
     mode: '0755'
   become: true
 
 - name: Clone Kevin's Package Manager repository
   git:
-    repo: "{{ pkgmgr_repo_url }}"
-    dest: "{{ pkgmgr_install_path }}"
+    repo: "{{ PKGMGR_REPO_URL }}"
+    dest: "{{ PKGMGR_INSTALL_PATH }}"
     version: "HEAD"
     force: yes
   become: true
 
-- name: Ensure main.py is executable
-  file:
-    path: "{{ pkgmgr_install_path }}/main.py"
-    mode: '0755'
-  become: true
-
 - name: create config.yaml
   template:
     src: config.yaml.j2
-    dest: "{{ pkgmgr_config_path }}"
+    dest: "{{ PKGMGR_CONFIG_PATH }}"
   become: true
 
 - name: Run the Package Manager install command to create an alias for Kevins package manager
@@ -46,6 +40,10 @@
     source ~/.venvs/pkgmgr/bin/activate
     make setup
   args:
-    chdir: "{{ pkgmgr_install_path }}"
+    chdir: "{{ PKGMGR_INSTALL_PATH }}"
     executable: /bin/bash
   become: true
+
+- name: "Update all repositories with pkgmgr"
+  command: "pkgmgr pull --all"
+  when: MODE_UPDATE | bool

roles/pkgmgr/templates/config.yaml.j2

@@ -1,3 +1,3 @@
 directories: 
-  repositories: "{{repositories_directory}}"
-  binaries:     "{{binaries_directory}}"
+  repositories: "{{ PKGMGR_REPOSITORIES_DIR }}"
+  binaries:     "{{ PKGMGR_BINARIES_DIR }}"

roles/pkgmgr/vars/main.yml

@@ -2,16 +2,16 @@
 # Variables for Kevin's Package Manager installation
 
 # The Git repository URL for Kevin's Package Manager
-pkgmgr_repo_url:        "https://github.com/kevinveenbirkenbach/package-manager.git"
-
-# Directory which contains all Repositories managed by Kevin's Package Manager
-repositories_directory: "/opt/Repositories/"
-
-# The directory where the repository will be cloned
-pkgmgr_install_path:    "{{repositories_directory}}github.com/kevinveenbirkenbach/package-manager"
-
-# File containing the configuration
-pkgmgr_config_path:     "{{pkgmgr_install_path}}/config/config.yaml"
+PKGMGR_REPO_URL:        "https://github.com/kevinveenbirkenbach/package-manager.git"
 
 # The directory where executable aliases will be installed (ensure it's in your PATH)
-binaries_directory:     "/usr/local/bin" 
+PKGMGR_BINARIES_DIR:     "/usr/local/bin" 
+
+# Directory which contains all Repositories managed by Kevin's Package Manager
+PKGMGR_REPOSITORIES_DIR: "/opt/Repositories/"
+
+# The directory where the repository will be cloned
+PKGMGR_INSTALL_PATH:    "{{ [ PKGMGR_REPOSITORIES_DIR, 'github.com/kevinveenbirkenbach/package-manager' ] | path_join }}"
+
+# File containing the configuration
+PKGMGR_CONFIG_PATH:     "{{ [ PKGMGR_INSTALL_PATH, 'config/config.yaml' ] | path_join }}"

roles/srv-composer/tasks/main.yml

@@ -1,9 +0,0 @@
-# run_once_srv_composer: deactivated
-
-- name: "include role sys-srv-web-inj-compose for '{{ domain }}'"
-  include_role: 
-    name: sys-srv-web-inj-compose
-
-- name: "include role srv-tls-core for '{{ domain }}'"
-  include_role: 
-    name: srv-tls-core

roles/srv-core/tasks/main.yml

@@ -1,5 +0,0 @@
----
-- block:
-  - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
-  when: run_once_srv_core is not defined

roles/srv-domain-provision/defaults/main.yml

@@ -1,5 +0,0 @@
-# default vhost flavour
-vhost_flavour:        "basic"               # valid: basic | ws_generic
-
-# build the full template path from the flavour
-vhost_template_src:   "roles/srv-proxy-core/templates/vhost/{{ vhost_flavour }}.conf.j2"

roles/srv-domain-provision/tasks/main.yml

@@ -1,42 +0,0 @@
-- block:
-  - name: Include dependency 'srv-proxy-core'
-    include_role:
-      name: srv-proxy-core
-    when: run_once_srv_proxy_core is not defined
-  - include_tasks: utils/run_once.yml
-  when: run_once_srv_domain_provision is not defined
-
-- include_tasks: "01_cloudflare.yml"
-  when: DNS_PROVIDER == "cloudflare"
-
-- include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml"
-  vars:
-    handler_role_name: "svc-prx-openresty"
-
-- name: "include role for {{ domain }} to receive certificates and do the modification routines"
-  include_role:
-    name: srv-composer
-
-- name: "Copy nginx config to {{ configuration_destination }}"
-  template:
-    src: "{{ vhost_template_src }}"
-    dest: "{{ configuration_destination }}"
-  register: nginx_conf
-  notify: restart openresty
-
-- block:
-  - name: "Check if {{ domains | get_domain(application_id) }} is reachable (only if config unchanged)"
-    uri:
-      url: "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
-    register: site_check
-    failed_when: false
-    changed_when: false
-
-  - name: Restart nginx if site is down
-    command:
-      cmd: "true"
-    notify: restart openresty
-    when:
-    - site_check.status is defined
-    - not site_check.status in [200,301,302]
-  when: not nginx_conf.changed

roles/srv-domain-provision/vars/main.yml

@@ -1 +0,0 @@
-configuration_destination:  "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf"

roles/srv-letsencrypt/tasks/01_core.yml

@@ -1,14 +0,0 @@
-  - name: Include dependency 'sys-ctl-mtn-cert-renew'
-    include_role:
-      name: sys-ctl-mtn-cert-renew
-    when: run_once_sys_ctl_mtn_cert_renew is not defined
-
-  - name: create nginx letsencrypt config file
-    template:
-      src: "letsencrypt.conf.j2"
-      dest: "{{NGINX.DIRECTORIES.HTTP.GLOBAL}}letsencrypt.conf"
-    notify: restart openresty
-
-  - name: "Set CAA records for all base domains"
-    include_tasks: 01_set-caa-records.yml
-    when: DNS_PROVIDER == 'cloudflare'

roles/srv-letsencrypt/tasks/main.yml

@@ -1,4 +0,0 @@
-- block:
-  - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
-  when: run_once_srv_letsencrypt is not defined

roles/srv-letsencrypt/vars/main.yml

@@ -1,4 +0,0 @@
-caa_entries:
-- tag: issue
-  value: letsencrypt.org
-base_sld_domains: '{{ current_play_domains_all | generate_base_sld_domains }}'