Solved 'capplications' typo bug

Makefile

@@ -1,12 +1,11 @@
-# Makefile for j2render
-
-TEMPLATE=./templates/vars/applications.yml.j2
+ROLES_DIR=./roles
 OUTPUT=./group_vars/all/11_applications.yml
+SCRIPT=./cli/generate_defaults_applications.py
 
 build:
-	@echo "🔧 Building rendered file from $(TEMPLATE)..."
+	@echo "🔧 Generating $(OUTPUT) from roles in $(ROLES_DIR)..."
 	@mkdir -p $(dir $(OUTPUT))
-	j2r $(TEMPLATE) $(OUTPUT)
+	python3 $(SCRIPT) --roles-dir $(ROLES_DIR) --output-file $(OUTPUT)
 	@echo "✅ Output written to $(OUTPUT)"
 
 install: build

cli/fix_tabs.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+
+import os
+from pathlib import Path
+
+ROLES_DIR = Path("roles")  # Adjust this if needed
+FILES_FIXED = []
+
+def fix_tabs_in_file(file_path):
+    with open(file_path, "r") as f:
+        lines = f.readlines()
+
+    if any('\t' in line for line in lines):
+        fixed_lines = [line.replace('\t', '  ') for line in lines]
+        with open(file_path, "w") as f:
+            f.writelines(fixed_lines)
+        FILES_FIXED.append(str(file_path))
+
+def main():
+    for role_dir in sorted(ROLES_DIR.iterdir()):
+        if not role_dir.is_dir():
+            continue
+
+        vars_main = role_dir / "vars" / "main.yml"
+        if vars_main.exists():
+            fix_tabs_in_file(vars_main)
+
+    if FILES_FIXED:
+        print("✅ Fixed tab characters in the following files:")
+        for f in FILES_FIXED:
+            print(f"  - {f}")
+    else:
+        print("✅ No tabs found in any vars/main.yml files.")
+
+if __name__ == "__main__":
+    main()

cli/generate_defaults_applications.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+import argparse
+import os
+import yaml
+from pathlib import Path
+
+def load_yaml_file(path):
+    """Load a YAML file if it exists, otherwise return an empty dict."""
+    if not path.exists():
+        return {}
+    with path.open("r", encoding="utf-8") as f:
+        return yaml.safe_load(f) or {}
+
+def main():
+    parser = argparse.ArgumentParser(description="Generate defaults_applications YAML from docker roles.")
+    parser.add_argument("--roles-dir", default="roles", help="Path to the roles directory (default: roles)")
+    parser.add_argument("--output-file", default="group_vars/all/11_applications.yml", help="Path to output YAML file")
+
+    args = parser.parse_args()
+    cwd = Path.cwd()
+    roles_dir = (cwd / args.roles_dir).resolve()
+    output_file = (cwd / args.output_file).resolve()
+
+    output_file.parent.mkdir(parents=True, exist_ok=True)
+
+    result = {"defaults_applications": {}}
+
+    for role_dir in sorted(roles_dir.iterdir()):
+        role_name = role_dir.name
+        vars_main = role_dir / "vars" / "main.yml"
+        config_file = role_dir / "vars" / "configuration.yml"
+
+        if not vars_main.exists():
+            print(f"[!] Skipping {role_name}: vars/main.yml missing")
+            continue
+
+        vars_data = load_yaml_file(vars_main)
+        application_id = vars_data.get("application_id")
+
+        if not application_id:
+            print(f"[!] Skipping {role_name}: application_id not defined in vars/main.yml")
+            continue
+
+        if not config_file.exists():
+            print(f"[!] Skipping {role_name}: vars/configuration.yml missing")
+            continue
+
+        config_data = load_yaml_file(config_file)
+        if config_data:
+            result["defaults_applications"][application_id] = config_data
+
+    with output_file.open("w", encoding="utf-8") as f:
+        yaml.dump(result, f, sort_keys=False)
+
+    try:
+        print(f"✅ Generated: {output_file.relative_to(cwd)}")
+    except ValueError:
+        print(f"✅ Generated: {output_file}")
+
+if __name__ == "__main__":
+    main()

group_vars/all/00_general.yml

@@ -48,3 +48,9 @@ certbot_dns_propagation_wait_seconds:     40                      # How long sho
 certbot_flavor:                           san                     # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), deicated
 certbot_webroot_path:                     "/var/lib/letsencrypt/" # Path used by Certbot to serve HTTP-01 ACME challenges
 certbot_cert_path:                        "/etc/letsencrypt/live" # Path containing active certificate symlinks for domains
+
+## Docker Role Specific Parameters
+docker_restart_policy:        "unless-stopped"
+
+# helper
+_applications_nextcloud_oidc_flavor:  "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}"

requirements.yml

@@ -4,5 +4,3 @@ collections:
 pacman:
   - ansible
   - python-passlib
-pkgmgr:
-  - j2r

roles/backup-docker-to-local/tasks/seed-database-to-backup.yml

@@ -5,6 +5,8 @@
     msg: |
       database_instance: "{{ database_instance | default('undefined') }}"
       database_name: "{{ database_name | default('undefined') }}"
+      database_type: "{{ database_type | default('undefined') }}"
+      database_host: "{{ database_host | default('undefined') }}"
       database_username: "{{ database_username | default('undefined') }}"
       database_password: "{{ database_password | default('undefined') }}"
   when: enable_debug | bool

roles/client-browser-chromium/templates/configuration.yml.j2

@@ -0,0 +1,23 @@
+# Concerning configuration options checkout:
+# https://chromeenterprise.google/policies/#ExtensionSettings
+chromium:
+  password_manager_enabled: false
+  default_installation_mode: allowed
+  plugins:
+    # UBlock Origin
+    - id: "cjpalhdlnbpafiamejdnhcphjbkeiagm"
+      update_url: "https://clients2.google.com/service/update2/crx"
+      incognito: true
+      installation_mode: "force_installed"
+
+    # KeepassXC
+    - id: "ddkjiahejlhfcafbddmgiahcphecmpfh"
+      update_url: "https://clients2.google.com/service/update2/crx"
+      incognito: false
+      installation_mode: "force_installed"
+
+    # Dark Mode Extension
+    - id: "dmghijelimhndkbmpgbldicpogfkceaj"
+      update_url: "https://clients2.google.com/service/update2/crx"
+      incognito: true
+      installation_mode: "force_installed"

roles/client-browser-chromium/templates/extensions_policy.json.j2

@@ -1,8 +1,20 @@
 {
   "ExtensionInstallForcelist": [
-    {% for plugin in applications[application_id].plugins -%}
-      "{{ plugin }}"{% if not loop.last %},{% endif %}
+    {% for plugin in applications[application_id].chromium.plugins -%}
+    "{{ plugin.id }};{{ plugin.update_url }}"{% if not loop.last %},{% endif %}
     {% endfor %}
   ],
-  "PasswordManagerEnabled": false
+  "ExtensionSettings": {
+    "*": {
+      "installation_mode": "{{ applications[application_id].default_installation_mode }}"
+    }
+    {% for plugin in applications[application_id].chromium.plugins -%},
+    "{{ plugin.id }}": {
+      "installation_mode": "{{ plugin.installation_mode }}",
+      "update_url": "{{ plugin.update_url }}",
+      "incognito_mode": "{{ 'enabled' if plugin.incognito else 'disabled' }}"
+    }
+    {% endfor %}
+  },
+  "PasswordManagerEnabled": {{ applications[application_id].password_manager_enabled }}
 }

roles/client-browser-firefox/vars/configuration.yml

@@ -0,0 +1,3 @@
+plugins:                                                                                # Plugins to be installed in Firefox
+  - "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"      # U-Block Origine Plugin
+  - "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi"  # KeepassXC Plugin

roles/client-gnome/vars/configuration.yml

@@ -0,0 +1,4 @@
+plugins:
+  - [enable,nasa_apod@elinvention.ovh,https://github.com/Elinvention/gnome-shell-extension-nasa-apod.git]
+  - [disable,dash-to-dock@micxgx.gmail.com,'']
+  - [enable, dash-to-panel@jderose9.github.com,'']

roles/client-gnome/vars/main.yml

@@ -0,0 +1 @@
+application_id: gnome

roles/client-libreoffice/vars/configuration.yml

@@ -0,0 +1 @@
+flavor: "fresh" # Libre Office flavor, fresh for new, still for stable

roles/client-libreoffice/vars/main.yml

@@ -0,0 +1 @@
+application_id: "libreoffice"

roles/docker-akaunting/meta/schema.yml

@@ -0,0 +1,9 @@
+credentials:
+  database_password:
+    description: "Database password for MariaDB"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+  setup_admin_password:
+    description: "Initial admin user password for Akaunting"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/docker-akaunting/templates/env.j2

@@ -14,9 +14,9 @@ DB_PASSWORD={{database_password}}
 DB_PREFIX=asd_
 
 # These define the first company to exist on this instance. They are only used during setup.
-COMPANY_NAME={{applications.akaunting.company_name}}
-COMPANY_EMAIL={{applications.akaunting.company_email}}
+COMPANY_NAME={{applications[application_id].company_name}}
+COMPANY_EMAIL={{applications[application_id].company_email}}
 
 # This will be the first administrative user created on setup.
 ADMIN_EMAIL={{applications.akaunting.setup_admin_email}}
-ADMIN_PASSWORD={{akaunting_setup_admin_password}}
+ADMIN_PASSWORD={{applications[application_id].credentials.setup_admin_password}}

roles/docker-akaunting/vars/configuration.yml

@@ -0,0 +1,12 @@
+version:                  "latest"
+company_name:             "{{primary_domain}}"
+company_email:            "{{users.administrator.email}}"
+setup_admin_email:        "{{users.administrator.email}}"
+features:
+  matomo:                 true
+  css:                    true
+  landingpage_iframe:     false
+  central_database:       true
+credentials:
+#  database_password:     Needs to be defined in inventory file 
+#  setup_admin_password:  Needs to be defined in inventory file

roles/docker-akaunting/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:             "akaunting"
 database_type:              "mariadb"
-database_password:          "{{akaunting_database_password}}"
+database_password:          "{{ applications[application_id]].credentials.database_password }}"
 docker_repository_address:  "https://github.com/akaunting/docker.git"

roles/docker-attendize/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  database_password:
+    description: "Database password for MariaDB used by Attendize"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-attendize/vars/configuration.yml

@@ -0,0 +1,9 @@
+version:                      "latest"
+credentials:
+# database_password: Password for the database
+
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: false
+  central_database:   true

roles/docker-attendize/vars/main.yml

@@ -1,5 +1,5 @@
 ---
 application_id:             "attendize"
 database_type:              "mariadb"
-database_password:          "{{attendize_database_password}}"
+database_password:          "{{applications[application_id].credentials.database_password}}"
 docker_repository_address:  "https://github.com/Attendize/Attendize.git"

roles/docker-baserow/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  database_password:
+    description: "Password for the PostgreSQL database used by Baserow"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-baserow/vars/configuration.yml

@@ -0,0 +1,6 @@
+version:              "latest"
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: true
+  central_database:   true

roles/docker-bigbluebutton/TODO.md

@@ -0,0 +1,2 @@
+# Todo
+-  Propper implement and test the LDAP integration, the configuration values just had been set during refactoring

roles/docker-bigbluebutton/meta/schema.yml

@@ -0,0 +1,25 @@
+credentials:
+  shared_secret:
+    description: "Shared secret for BigBlueButton API authentication"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+  etherpad_api_key:
+    description: "API key for Etherpad integration"
+    algorithm: "plain"
+    validation: "^[a-zA-Z0-9]{32}$"
+  rails_secret:
+    description: "Secret key for Rails backend"
+    algorithm: "random_hex"
+    validation: "^[a-f0-9]{128}$"
+  postgresql_secret:
+    description: "Password for PostgreSQL user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+  fsesl_password:
+    description: "Password for FreeSWITCH ESL connection"
+    algorithm: "plain"
+    validation: "^.{8,}$"
+  turn_secret:
+    description: "TURN server shared secret"
+    algorithm: "sha1"
+    validation: "^[a-f0-9]{40}$"

roles/docker-bigbluebutton/vars/configuration.yml

@@ -0,0 +1,21 @@
+enable_greenlight:    "true"
+setup:                false                                             # Set to true in inventory file for initial setup
+credentials:
+# shared_secret:                                                       # Needs to be defined in inventory file
+# etherpad_api_key:                                                    # Needs to be defined in inventory file                                             
+# rails_secret:                                                        # Needs to be defined in inventory file
+# postgresql_secret:                                                   # Needs to be defined in inventory file   
+# fsesl_password:                                                      # Needs to be defined in inventory file
+# turn_secret:                                                         # Needs to be defined in inventory file  
+database:
+  name:      "multiple_databases"
+  username:  "postgres2"
+urls:
+  api:                        "{{ web_protocol }}://{{domains.bigbluebutton}}/bigbluebutton/"  # API Address used by Nextcloud Integration
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: false
+  ldap:               false
+  oidc:               true
+  central_database:   false

roles/docker-bluesky/meta/schema.yml

@@ -0,0 +1,13 @@
+credentials:
+  jwt_secret:
+    description: "Secret used for JWT signing (base64, 64 bytes)"
+    algorithm: "plain"
+    validation: "^[A-Za-z0-9+/=]{86,}$"  # 64 bytes base64 = ~86 characters without newline
+  plc_rotation_key_k256_private_key_hex:
+    description: "PLC rotation key in hex format (32 bytes)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+  admin_password:
+    description: "Initial admin password for Bluesky PDS"
+    algorithm: "plain"
+    validation: "^.{12,}$"

roles/docker-bluesky/templates/env.j2

@@ -4,9 +4,9 @@ PDS_SERVICE_DID="did:web:{{domains.bluesky_api}}"
 
 # See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/
 PDS_SERVICE_HANDLE_DOMAINS=".{{primary_domain}}"
-PDS_JWT_SECRET="{{applications.bluesky.pds.jwt_secret}}"
-PDS_ADMIN_PASSWORD="{{applications.bluesky.pds.admin_password}}"
-PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{applications.bluesky.pds.plc_rotation_key_k256_private_key_hex}}"
+PDS_JWT_SECRET="{{applications.bluesky.credentials.jwt_secret}}"
+PDS_ADMIN_PASSWORD="{{applications.bluesky.credentials.admin_password}}"
+PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{applications.bluesky.credentials.plc_rotation_key_k256_private_key_hex}}"
 PDS_CRAWLERS=https://bsky.network
 PDS_EMAIL_SMTP_URL=smtps://{{ users['no-reply'].email }}:{{ users['no-reply'].mailu_token }}@{{system_email.host}}:{{system_email.port}}/
 PDS_EMAIL_FROM_ADDRESS={{ users['no-reply'].email }}

roles/docker-bluesky/vars/configuration.yml

@@ -0,0 +1,14 @@
+users:
+  administrator:
+  email:    "{{users.administrator.email}}"
+pds:
+  version:              "latest"
+credentials:  
+  #jwt_secret:                                                          # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n'
+  #plc_rotation_key_k256_private_key_hex:                               # Needs to be defined in inventory file - Use: openssl rand -hex 32 
+  #admin_password:                                                      # Needs to be defined in inventory file - Use: openssl rand -base64 16
+features:
+  matomo: true
+  css: true
+  landingpage_iframe: true
+  central_database: true

roles/docker-central-database/tasks/main.yml

@@ -10,18 +10,18 @@
     name: docker-compose
 
 # The following env file will just be used from the dedicated mariadb container
-# and not the central-mariadb-database
+# and not the {{applications.mariadb.hostname }}-database
 - name: "Create {{database_env}}"
   template: 
     src: "env/{{database_type}}.env.j2"
     dest: "{{database_env}}"
   notify: docker compose project build and setup
-  when: not applications[application_id].features.database | bool
+  when: not applications | is_feature_enabled('central_database',application_id)
 
 - name: "Create central database"
   include_role:
     name: "docker-{{database_type}}"
-  when: applications[application_id].features.database | bool
+  when: applications | is_feature_enabled('central_database',application_id)
 
 - name: "Add database to backup"
   include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"

roles/docker-central-database/templates/configuration.yml.j2

@@ -0,0 +1,3 @@
+# Jinja2 configuration template
+# Define your variables here
+

roles/docker-central-database/templates/services/mariadb.yml.j2

@@ -1,5 +1,5 @@
 # This template needs to be included in docker-compose.yml, which depend on a mariadb database
-{% if not applications[application_id].features.database | bool %}
+{% if not applications | is_feature_enabled('central_database',application_id) %}
   database:
     container_name: {{application_id}}-database
     logging:

roles/docker-central-database/templates/services/postgres.yml.j2

@@ -1,5 +1,5 @@
 # This template needs to be included in docker-compose.yml, which depend on a postgres database
-{% if not applications[application_id].features.database | bool %}  
+{% if not applications | is_feature_enabled('central_database',application_id) %}  
   database:
     image: postgres:{{applications.postgres.version}}-alpine
     container_name: {{application_id}}-database

roles/docker-central-database/vars/database.yml

@@ -1,5 +1,5 @@
-database_instance:  "{{ 'central-' + database_type if applications[application_id].features.database | bool else application_id }}"
-database_host:      "{{ 'central-' + database_type if applications[application_id].features.database | bool else 'database' }}"
+database_instance:  "{{ 'central-' + database_type if applications | is_feature_enabled('central_database',application_id) else application_id }}"
+database_host:      "{{ 'central-' + database_type if applications | is_feature_enabled('central_database',application_id) else 'database' }}"
 database_name:      "{{ applications[application_id].credentials.database.name | default( application_id ) }}"      # The overwritte configuration is needed by bigbluebutton
 database_username:  "{{ applications[application_id].credentials.database.username | default( application_id )}}"   # The overwritte configuration is needed by bigbluebutton
 database_port:      "{{ 3306 if database_type == 'mariadb' else 5432 }}"

roles/docker-coturn/TODO.md

@@ -0,0 +1,2 @@
+# Todo
+- Implement this role

roles/docker-coturn/vars/configuration.yml.j2

@@ -0,0 +1,4 @@
+user:       turnuser
+credentials:
+  # password:                                                           # Need to be defined in invetory file
+  # secret:                                                             # Need to be defined in invetory file

roles/docker-coturn/vars/main.yml

@@ -1,3 +1,3 @@
 application_id:     "coturn"
-#database_password:  "{{gitea_database_password}}"
+#database_password:  "{{applications[application_id].credentials.database_password}}"
 #database_type:      "mariadb"

roles/docker-discourse/handlers/main.yml

@@ -11,7 +11,7 @@
   command:
     cmd: "docker network connect {{applications.discourse.network}} central-{{ database_type }}"
   ignore_errors: true
-  when: applications[application_id].features.database | bool
+  when: applications | is_feature_enabled('central_database',application_id)
   listen: recreate discourse
 
 - name: rebuild discourse

roles/docker-discourse/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  database_password:
+    description: "Password for the Discourse PostgreSQL database"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-discourse/tasks/main.yml

@@ -83,7 +83,7 @@
     cmd: "docker network connect central_postgres {{applications.discourse.container}}"
   ignore_errors: true
   when:
-    - applications[application_id].features.database | bool
+    - applications | is_feature_enabled('central_database',application_id)
     - run_once_docker_discourse is not defined
   
 - name: "remove central database from {{application_id}}_default"
@@ -91,7 +91,7 @@
     cmd: "docker network disconnect {{applications.discourse.network}} central-{{ database_type }}"
   ignore_errors: true
   when:
-    - applications[application_id].features.database | bool
+    - applications | is_feature_enabled('central_database',application_id)
     - run_once_docker_discourse is not defined
 
 - name: run the docker_discourse tasks once

roles/docker-discourse/templates/discourse_application.yml.j2

@@ -1,5 +1,5 @@
 templates:
-{% if not applications[application_id].features.database | bool %}
+{% if not applications | is_feature_enabled('central_database',application_id) %}
   - "templates/postgres.template.yml"
 {% endif %}
   #- "templates/redis.template.yml"

roles/docker-discourse/vars/configuration.yml

@@ -0,0 +1,11 @@
+network:    "discourse_default"     # Name of the docker network
+container:  "discourse_application" # Name of the container application
+repository: "discourse_repository"  # Name of the repository folder
+credentials:
+#  database_password:                     # Needs to be defined in inventory file                        
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: false
+  oidc:               true
+  central_database:   true

roles/docker-discourse/vars/main.yml

@@ -1,5 +1,5 @@
 application_id:                         "discourse"
-database_password:                      "{{ applications.discourse.credentials.database.password }}"
+database_password:                      "{{ applications.discourse.credentials.database_password }}"
 database_type:                          "postgres"
 docker_repository_directory :           "{{docker_compose.directories.services}}{{applications.discourse.repository}}/"
 discourse_application_yml_destination:  "{{docker_repository_directory }}containers/{{applications.discourse.container}}.yml"

roles/docker-elk/TODO.md

@@ -1 +1,2 @@
+# Todo
 - implement

roles/docker-elk/templates/configuration.yml.j2

@@ -0,0 +1,3 @@
+# Jinja2 configuration template
+# Define your variables here
+

roles/docker-espocrm/meta/schema.yml

@@ -0,0 +1,9 @@
+credentials:
+  administrator_password:
+    description: "Initial password for the EspoCRM administrator user"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+  database_password:
+    description: "Password for the EspoCRM database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-espocrm/templates/env.j2

@@ -20,7 +20,7 @@ CRON_DISABLED=true
 # Initial admin account
 # ------------------------------------------------
 ESPOCRM_ADMIN_USERNAME={{ applications[application_id].users.administrator.username }}
-ESPOCRM_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator.password }}
+ESPOCRM_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }}
 
 # Public base URL of the EspoCRM instance
 ESPOCRM_SITE_URL={{ web_protocol }}://{{ domains[application_id] }}

roles/docker-espocrm/vars/configuration.yml

@@ -0,0 +1,17 @@
+version:                  "latest"
+users:
+  administrator:
+    username:             "{{ users.administrator.username }}"
+    email:                "{{ users.administrator.email }}"
+
+credentials:
+#  administrator_password: # Set in inventory file
+#  database_password:      # Set in your inventory file
+
+features:
+  matomo:             true
+  css:                false
+  landingpage_iframe: false
+  ldap:               false
+  oidc:               true
+  central_database:   true

roles/docker-espocrm/vars/main.yml

@@ -1,5 +1,5 @@
 application_id: "espocrm"
 # Password for the espocrm DB user (taken from inventory applications dict)
-database_password: "{{ applications[application_id].credentials.database.password }}"
+database_password: "{{ applications[application_id].credentials.database_password }}"
 # EspoCRM uses MySQL/MariaDB
 database_type: "mariadb"

roles/docker-friendica/Administration.md

@@ -8,7 +8,7 @@ The following environment variables need to be defined for successful operation:
 
 To completely reset Friendica, including its database and volumes, run:
 ```bash
-docker exec -i central-mariadb mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;"
+docker exec -i {{applications.mariadb.hostname }} mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;"
 docker compose down
 rm -rv /mnt/hdd/data/docker/volumes/friendica_data
 docker volume rm friendica_data
@@ -19,7 +19,7 @@ docker volume rm friendica_data
 ## Manual Method:
 1. Connect to the MariaDB instance:
    ```bash
-   docker exec -it central-mariadb mariadb -u root -p
+   docker exec -it {{applications.mariadb.hostname }} mariadb -u root -p
    ```
 2. Run the following commands:
    ```sql
@@ -31,7 +31,7 @@ docker volume rm friendica_data
 ## Automatic Method:
 ```bash
 DB_ROOT_PASSWORD="your_root_password"
-docker exec -i central-mariadb mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;"
+docker exec -i {{applications.mariadb.hostname }} mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;"
 ```
 
 ## Enter the Application Container 🔍

roles/docker-friendica/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  database_password:
+    description: "Password for the Friendica database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-friendica/vars/configuration.yml

@@ -0,0 +1,7 @@
+version:              "latest"
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: true
+  oidc:               true
+  central_database:   true

roles/docker-friendica/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:     "friendica"
-database_password:  "{{friendica_database_password}}"
+database_password:  "{{ applications[application_id].credentials.database_password }}"
 database_type:      "mariadb"
-no_validation:      "{{applications[application_id].features.oidc}}" # Email validation is not neccessary if OIDC is active
+no_validation:      "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active

roles/docker-funkwhale/meta/schema.yml

@@ -0,0 +1,9 @@
+credentials:
+  database_password:
+    description: "Password for the Funkwhale PostgreSQL database"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+  django_secret:
+    description: "Django SECRET_KEY used for cryptographic signing"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/docker-funkwhale/templates/env.j2

@@ -98,7 +98,7 @@ STATIC_ROOT={{static_root}}
 DJANGO_SETTINGS_MODULE=config.settings.production
 
 # Generate one using `openssl rand -base64 45`, for example
-DJANGO_SECRET_KEY={{funkwhale_django_secret}}
+DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}}
 
 {% if applications[application_id].features.ldap | bool %}
 # LDAP settings

roles/docker-funkwhale/vars/configuration.yml

@@ -0,0 +1,10 @@
+version:              "1.4.0"
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: true
+  ldap:               true
+  central_database:   true
+credentials:
+#  database_password: # Needs to be defined in inventory file
+#  django_secret:     # Needs to be defined in inventory file

roles/docker-funkwhale/vars/main.yml

@@ -1,6 +1,6 @@
 application_id:                                 "funkwhale"
 nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;"
-database_password:                              "{{funkwhale_database_password}}"
+database_password:                              "{{applications[application_id].credentials.database_password}}"
 database_type:                                  "postgres"
 media_root:                                     "/srv/funkwhale/data/"
 static_root:                                    "{{media_root}}static"

roles/docker-gitea/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  database_password:
+    description: "Password for the Gitea database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-gitea/vars/configuration.yml

@@ -0,0 +1,11 @@
+version:                          "latest"  # Use latest docker image 
+configuration:
+  repository:
+    enable_push_create_user:      True      # Allow users to push local repositories to Gitea and have them automatically created for a user.
+    default_private:              last      # Default private when creating a new repository: last, private, public
+    default_push_create_private:  True      # Default private when creating a new repository with push-to-create.
+features:
+  matomo:                         true
+  css:                            true
+  landingpage_iframe:             true
+  central_database:               true

roles/docker-gitea/vars/main.yml

@@ -1,3 +1,3 @@
 application_id:     "gitea"
-database_password:  "{{gitea_database_password}}"
+database_password:  "{{applications[application_id].credentials.database_password}}"
 database_type:      "mariadb"

roles/docker-gitlab/meta/schema.yml

@@ -0,0 +1,10 @@
+credentials:
+  database_password:
+    description: "Password for the GitLab PostgreSQL database"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  initial_root_password:
+    description: "Initial password for the GitLab root user"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/docker-gitlab/vars/configuration.yml

@@ -0,0 +1,6 @@
+version:              "latest"
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: true
+  central_database:   true

roles/docker-gitlab/vars/main.yml

@@ -1,3 +1,3 @@
 application_id:     "gitlab"
-database_password:  "{{gitlab_database_password}}"
+database_password:  "{{applications[application_id].credentials.database_password}}"
 database_type:      "postgres"

roles/docker-jenkins/Todo.md

@@ -0,0 +1,2 @@
+# Todo
+- Implement this role

roles/docker-jenkins/vars/configuration.yml

@@ -0,0 +1,3 @@
+# Jinja2 configuration template
+# Define your variables here
+

roles/docker-joomla/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  database_password:
+    description: "Password for the Joomla database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-joomla/vars/configuration.yml

@@ -0,0 +1,5 @@
+version:              "latest"
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: true

roles/docker-keycloak/meta/schema.yml

@@ -0,0 +1,10 @@
+credentials:
+  database_password:
+    description: "Password for the Keycloak PostgreSQL database"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  administrator_password:
+    description: "Password for the Keycloak administrator user (used in bootstrap and CLI access)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/docker-keycloak/templates/env.j2

@@ -10,13 +10,13 @@ KC_HTTP_ENABLED=                true
 KC_HEALTH_ENABLED=              true
 KC_METRICS_ENABLED=             true
 
-KEYCLOAK_ADMIN=                 "{{applications.keycloak.users.administrator.username}}"
-KEYCLOAK_ADMIN_PASSWORD=        "{{applications.keycloak.administrator_password}}"
+KEYCLOAK_ADMIN=                 "{{applications[application_id].users.administrator.username}}"
+KEYCLOAK_ADMIN_PASSWORD=        "{{applications[application_id].credentials.administrator_password}}"
 KC_DB=                          postgres
 KC_DB_URL=                      {{database_url_jdbc}}
 KC_DB_USERNAME=                 {{database_username}}
 KC_DB_PASSWORD=                 {{database_password}}
 
 # If the initial administrator already exists and the environment variables are still present at startup, an error message stating the failed creation of the initial administrator is shown in the logs. Keycloak ignores the values and starts up correctly.
-KC_BOOTSTRAP_ADMIN_USERNAME=    {{users.administrator.username}}
-KC_BOOTSTRAP_ADMIN_PASSWORD=    {{users.administrator.password}}
+KC_BOOTSTRAP_ADMIN_USERNAME=    "{{applications[application_id].users.administrator.username}}"
+KC_BOOTSTRAP_ADMIN_PASSWORD=    "{{applications[application_id].credentials.administrator_password}}"

roles/docker-keycloak/vars/configuration.yml

@@ -0,0 +1,15 @@
+version:              "latest"
+users:
+  administrator:
+    username:         "{{users.administrator.username}}"  # Administrator Username for Keycloak
+import_realm:         True                                # If True realm will be imported. If false skip.
+credentials:
+#   database_password:                                    # Needs to be defined in inventory file
+#   administrator_password:                               # Needs to be defined in inventory file
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: true
+  ldap:               true
+  central_database:   true
+  recaptcha:          true

roles/docker-keycloak/vars/main.yml

@@ -1,6 +1,6 @@
 application_id:            "keycloak"
 database_type:            "postgres"
-database_password:        "{{applications.keycloak.credentials.database.password}}"
+database_password:        "{{applications[application_id].credentials.database_password}}"
 container_name:           "{{application_id}}_application"
 realm:                    "{{primary_domain}}"                              # This is the name of the default realm which is used by the applications
 import_directory_host:    "{{docker_compose.directories.volumes}}import/"   # Directory in which keycloack import files are placed on the host

roles/docker-lam/meta/schema.yml

@@ -0,0 +1,10 @@
+credentials:
+  oauth2_proxy_cookie_secret:
+    description: "Secret used to encrypt OAuth2 proxy cookies (hex-encoded, 16 bytes)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{32}$"
+
+  administrator_password:
+    description: "Initial password for the LAM administrator"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/docker-lam/vars/configuration.yml

@@ -0,0 +1,14 @@
+version:                        "latest"
+oauth2_proxy:
+  application:                  application # Needs to be the same as webinterface
+  port:                         80          # application port
+credentials:
+#  oauth2_proxy_cookie_secret:  None # Set via openssl rand -hex 16
+#  administrator_password:      "None"  # CHANGE for security reasons  
+features:
+  matomo:                       true
+  css:                          true
+  landingpage_iframe:           true
+  ldap:                         true
+  central_database:             false
+  oauth2:                       false

roles/docker-ldap/meta/schema.yml

@@ -0,0 +1,10 @@
+credentials:
+  administrator_password:
+    description: "Initial password for the LDAP administrator (e.g. cn=admin,dc=example,dc=com)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  administrator_database_password:
+    description: "Password used internally for the database-backed directory admin"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-ldap/templates/env.j2

@@ -3,8 +3,8 @@
       
 # GENERAL
 ## Database
-LDAP_ADMIN_USERNAME=        {{applications.ldap.users.administrator.username}}      # LDAP database admin user.
-LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}}   # LDAP database admin password.
+LDAP_ADMIN_USERNAME=        {{applications[application_id].administrator.username}}      # LDAP database admin user.
+LDAP_ADMIN_PASSWORD=        {{applications[application_id].credentials.administrator_database_password}}   # LDAP database admin password.
 
 ## Users
 LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
@@ -14,8 +14,8 @@ LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or su
 ## Admin
 LDAP_ADMIN_DN=              {{ldap.dn.administrator}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
-LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.users.administrator.username}}
-LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
+LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].administrator.username}}
+LDAP_CONFIG_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_password}}
   
 # Network
 LDAP_PORT_NUMBER=           {{ldap_docker_port}}            # Route to default port

roles/docker-ldap/vars/configuration.yml

@@ -0,0 +1,15 @@
+version:                        "latest"
+network:
+  local:                        True                                # Activates local network. Necessary for LDIF import routines
+  docker:                       True                                # Activates docker network to allow other docker containers to connect
+  public:                       False                               # Set to true in inventory file if you want to expose the LDAP port to the internet
+hostname:                       "ldap"                              # Hostname of the LDAP Server in the central_ldap network
+webinterface:                   "lam"                               # The webinterface which should be used. Possible: lam and phpldapadmin
+users:  
+  administrator:
+    username:                   "{{users.administrator.username}}"  # Administrator username
+credentials:
+# administrator_password:                                           # CHANGE for security reasons in inventory file
+# administrator_database_password:                                  # CHANGE for security reasons in inventory file
+features:
+  ldap: true

roles/docker-listmonk/meta/schema.yml

@@ -0,0 +1,20 @@
+credentials:
+  database_password:
+    description: "Password for the Listmonk PostgreSQL database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  administrator_password:
+    description: "Initial password for the Listmonk administrator account"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  hcaptcha_site_key:
+    description: "Public site key used by Listmonk to render hCaptcha"
+    algorithm: "plain"
+    validation: "^[0-9a-zA-Z_-]{32,}$"
+
+  hcaptcha_secret:
+    description: "Private hCaptcha secret key for server-side verification"
+    algorithm: "plain"
+    validation: "^[0-9a-zA-Z_-]{32,}$"

roles/docker-listmonk/templates/env.j2

@@ -3,4 +3,4 @@ TZ={{ HOST_TIMEZONE }}
 # Administrator setup
 
 LISTMONK_ADMIN_USER={{ applications[application_id].users.administrator.username }}
-LISTMONK_ADMIN_PASSWORD={{ applications[application_id].users.administrator.password }}
+LISTMONK_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }}

roles/docker-listmonk/vars/configuration.yml

@@ -0,0 +1,11 @@
+users:
+  administrator:
+    username:               "{{users.administrator.username}}"    # Listmonk administrator account username
+public_api_activated:       False                                 # Security hole. Can be used for spaming
+version:                    "latest"                              # Docker Image version
+features:
+  matomo:                   true
+  css:                      true
+  landingpage_iframe:       true
+  central_database:         true
+  oidc:                     true

roles/docker-listmonk/vars/main.yml

@@ -1,5 +1,5 @@
 application_id:      "listmonk"
-database_password:  "{{applications[application_id].credentials.database.password}}"
+database_password:  "{{applications[application_id].credentials.database_password}}"
 database_type:      "postgres"
 
 listmonk_settings:
@@ -25,10 +25,10 @@ listmonk_settings:
     value: 'true'
 
   - key: "security.captcha_key"
-    value: '"{{ applications[application_id].credentials.hcaptcha.site_key }}"'
+    value: '"{{ applications[application_id].credentials.hcaptcha_site_key }}"'
 
   - key: "security.captcha_secret"
-    value: '"{{ applications[application_id].credentials.hcaptcha.secret }}"'
+    value: '"{{ applications[application_id].credentials.hcaptcha_secret }}"'
 
   # SMTP servers
   - key: "smtp"

roles/docker-mailu/meta/schema.yml

@@ -0,0 +1,25 @@
+credentials:
+  secret_key:
+    description: "Secret key for cryptographic operations in Mailu (must be a 16-byte random string, hex-encoded)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{32}$"
+
+  database_password:
+    description: "Password for the Mailu PostgreSQL or MariaDB database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  api_token:
+    description: "Authentication token for accessing the Mailu RESTful API (minimum 3 characters)"
+    algorithm: "plain"
+    validation: "^.{3,}$"
+
+  initial_administrator_password:
+    description: "Initial password for the Mailu administrator account (used during setup)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  dkim_public_key:
+    description: "Public DKIM key for DNS configuration (TXT record)"
+    algorithm: "plain"
+    validation: "^.{64,}$"

roles/docker-mailu/vars/configuration.yml

@@ -0,0 +1,20 @@
+version:                  "2024.06"                         # Docker Image Version
+users:
+  administrator:
+    email:                "{{users.administrator.email}}"   # Administrator Email for DNS Records
+oidc:
+  email_by_username:      true                              # If true, then the mail is set by the username. If wrong then the OIDC user email is used
+  enable_user_creation:   true                              # Users will be created if not existing
+domain:                   "{{primary_domain}}"              # The main domain from which mails will be send \ email suffix behind @
+credentials:                                     
+# secret_key:                                               # Set to a randomly generated 16 bytes string
+# database_password:                                        # Needs to be set in inventory file
+# api_token:                                                # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API.
+# initial_administrator_password:                           # Initial administrator password for setup 
+# dkim_public_key:                                          # Must be set in inventory file
+features:
+  matomo:                 true
+  css:                    true
+  landingpage_iframe:     false                             # Deactivated mailu iframe loading until keycloak supports it
+  oidc:                   true
+  central_database:       false                             # Deactivate central database for mailu, I don't know why the database deactivation is necessary

roles/docker-mailu/vars/main.yml

@@ -1,7 +1,7 @@
 application_id:               "mailu"
 
 # Database Configuration
-database_password:  	        "{{applications.mailu.credentials.database.password}}"
+database_password:            "{{applications.mailu.credentials.database_password}}"
 database_type:                "mariadb"
 
 cert_mount_directory:         "{{docker_compose.directories.volumes}}certs/"

roles/docker-mariadb/Administration.md

@@ -2,5 +2,5 @@
 
 ## Execute SQL commands
 ```bash
-docker exec -it central-mariadb mariadb -u root -p
+docker exec -it {{applications.mariadb.hostname }} mariadb -u root -p
 ```

roles/docker-mariadb/meta/main.yml

@@ -0,0 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: >-
+    The Docker MariaDB Role offers an easy and efficient way to deploy a MariaDB server inside a Docker container.
+    Manage your data securely and effectively, making it ideal for production or local development.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Docker
+      versions:
+        - "latest"
+  galaxy_tags:
+    - mariadb
+    - docker
+    - database
+    - administration
+    - central-database
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"

roles/docker-mariadb/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  root_password:
+    description: "Password for the MariaDB root user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"

roles/docker-mariadb/tasks/main.yml

@@ -8,11 +8,11 @@
 
 - name: install MariaDB
   docker_container:
-    name: central-mariadb
+    name: "{{applications.mariadb.hostname }}"
     image: "mariadb:{{applications.mariadb.version}}" #could lead to problems with nextcloud
     detach: yes
     env:
-      MARIADB_ROOT_PASSWORD:  "{{central_mariadb_root_password}}"
+      MARIADB_ROOT_PASSWORD:  "{{applications.mariadb.credentials.root_password}}"
       MARIADB_AUTO_UPGRADE:   "1"
     networks:
       - name: central_mariadb
@@ -23,7 +23,7 @@
     command: "--transaction-isolation=READ-COMMITTED --binlog-format=ROW" #for nextcloud
     restart_policy: "{{docker_restart_policy}}"
     healthcheck:
-      test: "/usr/bin/mariadb --user=root --password={{central_mariadb_root_password}} --execute \"SHOW DATABASES;\""
+      test: "/usr/bin/mariadb --user=root --password={{applications.mariadb.credentials.root_password}} --execute \"SHOW DATABASES;\""
       interval: 3s
       timeout: 1s
       retries: 5
@@ -38,7 +38,7 @@
 
 - name: Wait until the MariaDB container is healthy
   community.docker.docker_container_info:
-    name: central-mariadb
+    name: "{{applications.mariadb.hostname }}"
   register: db_info
   until: db_info.containers[0].State.Health.Status == "healthy"
   retries: 30
@@ -53,7 +53,7 @@
     name: "{{ database_name }}"
     state: present
     login_user: root
-    login_password: "{{ central_mariadb_root_password }}"
+    login_password: "{{ applications.mariadb.credentials.root_password }}"
     login_host: 127.0.0.1
     login_port: "{{database_port}}"
 
@@ -65,13 +65,13 @@
     priv: '{{database_name}}.*:ALL'
     state: present
     login_user: root
-    login_password: "{{central_mariadb_root_password}}"
+    login_password: "{{applications.mariadb.credentials.root_password}}"
     login_host: 127.0.0.1
     login_port: "{{database_port}}"
 
 - name: Grant database privileges
   ansible.builtin.shell:
-    cmd: "docker exec central-mariadb mariadb -u root -p{{ central_mariadb_root_password }} -e \"GRANT ALL PRIVILEGES ON {{database_name}}.* TO '{{database_username}}'@'%';\""
+    cmd: "docker exec {{applications.mariadb.hostname }} mariadb -u root -p{{ applications.mariadb.credentials.root_password }} -e \"GRANT ALL PRIVILEGES ON {{database_name}}.* TO '{{database_username}}'@'%';\""
   args:
     executable: /bin/bash
 

roles/docker-mariadb/vars/main.yml

@@ -0,0 +1,3 @@
+version:        "latest"
+application_id: "mariadb"
+hostname:       "central-{{application_id}}"

roles/docker-mastodon/meta/schema.yml

@@ -0,0 +1,40 @@
+credentials:
+  database_password:
+    description: "Password for the Mastodon PostgreSQL database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  secret_key_base:
+    description: "Main secret key used to verify the integrity of signed cookies and tokens"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  otp_secret:
+    description: "OTP secret used for two-factor authentication"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  vapid_private_key:
+    description: "Private VAPID key used for web push notifications"
+    algorithm: "plain"
+    validation: "^[-_a-zA-Z0-9]{30,}$"
+
+  vapid_public_key:
+    description: "Public VAPID key used for web push notifications"
+    algorithm: "plain"
+    validation: "^[-_a-zA-Z0-9]{30,}$"
+
+  active_record_encryption_deterministic_key:
+    description: "Deterministic encryption key for Active Record encryption"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  active_record_encryption_key_derivation_salt:
+    description: "Key derivation salt for Active Record encryption"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  active_record_encryption_primary_key:
+    description: "Primary encryption key for Active Record encrypted columns"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/docker-mastodon/templates/env.j2

@@ -20,8 +20,8 @@ OTP_SECRET=         {{applications.mastodon.credentials.otp_secret}}
 # --------
 # Generate with `bundle exec rails mastodon:webpush:generate_vapid_key`
 # --------
-VAPID_PRIVATE_KEY=  {{applications.mastodon.credentials.vapid.private_key}}
-VAPID_PUBLIC_KEY=   {{applications.mastodon.credentials.vapid.public_key}}
+VAPID_PRIVATE_KEY=  {{applications.mastodon.credentials.vapid_private_key}}
+VAPID_PUBLIC_KEY=   {{applications.mastodon.credentials.vapid_public_key}}
 
 # Encryption secrets
 # ------------------
@@ -29,9 +29,9 @@ VAPID_PUBLIC_KEY=   {{applications.mastodon.credentials.vapid.public_key}}
 # These are private/secret values, do not share outside hosting environment
 # Use `bin/rails db:encryption:init` to generate fresh secrets
 # Do NOT change these secrets once in use, as this would cause data loss and other issues
-ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=     {{applications.mastodon.credentials.active_record_encryption.deterministic_key}}
-ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=   {{applications.mastodon.credentials.active_record_encryption.key_derivation_salt}}
-ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=           {{applications.mastodon.credentials.active_record_encryption.primary_key}}
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=     {{applications.mastodon.credentials.active_record_encryption_deterministic_key}}
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=   {{applications.mastodon.credentials.active_record_encryption_key_derivation_salt}}
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=           {{applications.mastodon.credentials.active_record_encryption_primary_key}}
 
 DB_HOST={{database_host}}
 DB_PORT={{database_port}}

roles/docker-mastodon/vars/configuration.yml

@@ -0,0 +1,19 @@
+version:                      "latest"
+single_user_mode:             false                                           # Set true for initial setup
+setup:                        false                                           # Set true in inventory file to execute the setup and initializing procedures
+credentials:
+# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
+#     database_password:                              
+#     secret_key_base:                                
+#     otp_secret:                                     
+#     vapid_private_key:                                  
+#     vapid_public_key:                                   
+#     active_record_encryption_deterministic_key:                            
+#     active_record_encryption_key_derivation_salt:                          
+#     active_record_encryption_primary_key:                                  
+features:
+  matomo: true
+  css: true
+  landingpage_iframe: false
+  oidc: true
+  central_database: true

roles/docker-mastodon/vars/main.yml

@@ -1,3 +1,3 @@
 application_id:      "mastodon"
-database_password:  "{{applications[application_id].credentials.database.password}}"
+database_password:  "{{applications[application_id].credentials.database_password}}"
 database_type:      "postgres"

roles/docker-matomo/meta/schema.yml

@@ -0,0 +1,15 @@
+credentials:
+  database_password:
+    description: "Password for the Matomo database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  auth_token:
+    description: "Authentication token for the Matomo HTTP API (used for automation and integrations)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  oauth2_proxy_cookie_secret:
+    description: "Secret used to encrypt cookies in the OAuth2 Proxy (hex-encoded, 16 bytes)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{32}$"

roles/docker-matomo/vars/configuration.yml

@@ -0,0 +1,7 @@
+version:              "latest"
+features:
+  matomo:             true
+  css:                false
+  landingpage_iframe: false
+  central_database:   true
+  oauth2:             false

roles/docker-matomo/vars/main.yml

@@ -1,7 +1,7 @@
 ---
 application_id:     "matomo"
 database_type:      "mariadb"
-database_password:  "{{applications.matomo.credentials.database.password}}"
+database_password:  "{{ applications[application_id].credentials.database_password }}"
 
 # I don't know if this is still necessary
-domain:             "{{domains.matomo}}"                         
+domain:             "{{ domains[application_id] }}"

roles/docker-matrix-ansible/README.md

@@ -1,4 +1,4 @@
-# Matrix (Ansible)
+# Matrix (Ansible - Deprecated)
 
 ## Warning
 This role is experimental and may not be actively maintained. Use it with caution in production environments. For a more stable deployment, please consider using the Matrix Compose role or another alternative solution.

roles/docker-matrix-ansible/templates/vars.yml.j2

@@ -18,7 +18,7 @@ matrix_homeserver_implementation: synapse
 
 # A secret used as a base, for generating various other secrets.
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
-matrix_homeserver_generic_secret_key: "{{matrix_generic_secret_key}}"
+matrix_homeserver_generic_secret_key: "{{applications[application_id].credentials.generic_secret_key}}"
 
 # By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
 # It will retrieve SSL certificates for you on-demand and forward requests to all other components.
@@ -52,7 +52,7 @@ devture_traefik_config_certificatesResolvers_acme_email: "{{users.administrator.
 #
 # The playbook creates additional Postgres users and databases (one for each enabled service)
 # using this superuser account.
-devture_postgres_connection_password: "{{matrix_database_password}}"
+devture_postgres_connection_password: "{{applications[application_id].credentials.database_password}}"
 
 # By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
 # If this value is an external IP address, you can skip this section.

roles/docker-matrix-compose/Administration.md

@@ -3,7 +3,7 @@
 ## Cleanup 
 ```
 # Cleanup Database
-for db in matrix mautrix_whatsapp_bridge mautrix_telegram_bridge mautrix_signal_bridge mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done
+for db in matrix applications[application_id].credentials.mautrix_whatsapp_bridge applications[application_id].credentials.mautrix_telegram_bridge applications[application_id].credentials.mautrix_signal_bridge applications[application_id].credentials.mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done
 # Cleanup Docker and Volumes
 docker compose down -v
 ```

roles/docker-matrix-compose/Installation.md

@@ -15,7 +15,7 @@ For login with Token checkout [this guide](https://docs.mau.fi/bridges/go/slack/
 
 ### ChatGPT
 - Create API Token: https://platform.openai.com/api-keys
-- Set ``matrix_chatgpt_bridge_access_token`` 
+- Set ``applications[application_id].credentials.chatgpt_bridge_access_token`` 
 
 ## Debug:
 - https://federationtester.matrix.org/

roles/docker-matrix-compose/meta/schema.yml

@@ -0,0 +1,90 @@
+credentials:
+  administrator_password:
+    description: "Initial administrator password for the Matrix homeserver"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  generic_secret_key:
+    description: "Generic secret used by Synapse for key signing and session management"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  database_password:
+    description: "Password for the Matrix PostgreSQL database"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  registration_shared_secret:
+    description: "Secret token used to allow shared registration from external sources"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  macaroon_secret_key:
+    description: "Secret key used to sign macaroon tokens for authentication"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  form_secret:
+    description: "Secret for form token protection (used in web registration flows)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  chatgpt_bridge_openai_api_key:
+    description: "API key for accessing OpenAI via the Matrix ChatGPT bridge"
+    algorithm: "plain"
+    validation: "^sk-[a-zA-Z0-9]{40,}$"
+
+  chatgpt_bridge_access_token:
+    description: "Access token used by the ChatGPT bridge for authentication"
+    algorithm: "plain"
+    validation: "^[a-zA-Z0-9-_]{20,}$"
+
+  chatgpt_bridge_user_password:
+    description: "Matrix user password used by the ChatGPT bridge"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  mautrix_facebook_bridge_database_password:
+    description: "Database password for the mautrix-facebook bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_instagram_bridge_database_password:
+    description: "Database password for the mautrix-instagram bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_signal_bridge_database_password:
+    description: "Database password for the mautrix-signal bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_slack_bridge_database_password:
+    description: "Database password for the mautrix-slack bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_telegram_bridge_database_password:
+    description: "Database password for the mautrix-telegram bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_telgegram_bridge_api_id:
+    description: "Telegram API ID for the mautrix-telegram bridge"
+    algorithm: "plain"
+    validation: "^\\d{5,}$"
+
+  mautrix_telgegram_bridge_api_pin:
+    description: "Telegram API hash or PIN for the mautrix-telegram bridge"
+    algorithm: "plain"
+    validation: "^[a-zA-Z0-9]{10,}$"
+
+  mautrix_whatsapp_bridge_database_password:
+    description: "Database password for the mautrix-whatsapp bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_whatsapp_bridge_provisioning_shared_secret:
+    description: "Shared secret for the mautrix-whatsapp bridge provisioning endpoint"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"