Compare commits

...

13 Commits

33 changed files with 804 additions and 659 deletions

@ -1,9 +0,0 @@
# Installation
CyMaIS can be easily installed using [Kevin's Package Manager](https://github.com/kevinveenbirkenbach/package-manager). Once you have the package manager set up, simply run:
```bash
pkgmgr install cymais
```
This command will install CyMaIS on your system with the alias **cymais**.

26
03_SETUP.md Normal file
@ -0,0 +1,26 @@
# Setup
To setup CyMaIS follow this steps:
## Prerequisites
Before you setup CyMaIS you need to install [Kevin's Package Manager](https://github.com/kevinveenbirkenbach/package-manager).
Follow the installation instruction descriped [here](https://github.com/kevinveenbirkenbach/package-manager)
## Setup CyMaIS
To setup CyMaIS execute:
```bash
pkgmgr setup cymais
```
This command will setup CyMaIS on your system with the alias **cymais**.
## Get Help
After you setuped CyMaIS you can recieve more help by executing:
```bash
cymais --help
```
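
Review bot: Several typos in the new setup text: "follow this steps" should read "follow these steps", "descriped" should be "described", "setuped" should be "set up", and "recieve" should be "receive". Also, the deleted 03_INSTALLATION.md told users to run `pkgmgr install cymais` while this file says `pkgmgr setup cymais`; confirm that `setup` is the subcommand the package manager actually provides, since the two documents now disagree on the command.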

@ -1,127 +0,0 @@
# Setup Guide
This guide explains how to deploy and manage the Cyber Master Infrastructure Solution (CyMaIS) using Ansible. CyMaIS is based on a collection of playbooks and an inventory (computer-inventory) that defines your servers and personal computers. The playbooks use different “modes” to control behavior such as updates, backups, resets, and cleanup tasks. This document outlines how to use Ansible Vault, describes the various operating modes, and shows example commands to run the playbooks.
---
## Prerequisites
- **Ansible Installed:** Ensure that Ansible is installed on your control node.
- **Inventory File:** Have an inventory file that lists your servers and PCs. (Paths in examples are general; adjust them to your environment.)
- **Vault Password File (Optional):** Prepare a file with your vault password if you prefer not to enter it interactively.
---
## Ansible Vault Basics
CyMaIS uses Ansible Vault to protect sensitive data (e.g. passwords). Use these common commands:
### Edit an Encrypted File
```bash
ansible-vault edit <filename.yml> --vault-password-file <your-vault-pass-file>
```
### Decrypt a File
```bash
ansible-vault decrypt <filename.yml> --vault-password-file <your-vault-pass-file>
```
### Encrypt a File
```bash
ansible-vault encrypt <filename.yml> --vault-password-file <your-vault-pass-file>
```
### Encrypt a String
```bash
ansible-vault encrypt_string --vault-password-file <your-vault-pass-file> 'example' --name 'test'
```
---
## Operating Modes
CyMaIS playbooks support several modes that control which tasks are executed:
- **mode_reset** (`true`/`false`):
When enabled, cleans up all CyMaIS-related files. Use this mode when you need to reinitialize the system completely. _Note: Run the full playbook when using reset mode._
- **mode_test** (`true`/`false`):
Executes test routines instead of production routines. Useful for staging or validation.
- **mode_update** (`true`/`false`):
Enables update tasks to upgrade packages and Docker images. Set to `false` if you want to skip updates.
- **mode_backup** (`true`/`false`):
Activates backup procedures before applying updates. This ensures your data is backed up prior to any changes.
- **mode_cleanup** (`true`/`false`):
Performs cleanup of unused files and configurations (e.g., removing obsolete certificates or Docker volumes).
These modes are defined in your group variables (e.g., in a file like `group_vars/all/01_modes.yml`) and can be overridden via extra variables when running playbooks.
---
## Deploying on Servers
To deploy CyMaIS on your servers, use an Ansible playbook that targets your server inventory. Below are some example commands:
### Configure All Servers
```bash
ansible-playbook -i /path/to/your/inventory/servers.yml "$(pkgmgr path cymais)playbook.servers.yml" --ask-vault-pass
```
### Configure a Specific Server
For example, to target a server named `galaxyserver`:
```bash
ansible-playbook -i /path/to/your/inventory/servers.tmp "$(pkgmgr path cymais)playbook.servers.yml" --limit galaxyserver --ask-vault-pass
```
### Run in Temporary Mode Without Update
```bash
ansible-playbook -i /path/to/your/inventory/servers.tmp "$(pkgmgr path cymais)playbook.servers.yml" --limit galaxyserver -e "mode_update=false" --ask-vault-pass
```
### Run Without Update and Backup
```bash
ansible-playbook -i /path/to/your/inventory/servers.tmp "$(pkgmgr path cymais)playbook.servers.yml" --limit galaxyserver -e "mode_update=false" -e "mode_backup=false" --ask-vault-pass
```
### Run with Cleanup and Debug (Using a Vault Password File)
```bash
ansible-playbook -i /path/to/your/inventory/servers.tmp "$(pkgmgr path cymais)playbook.servers.yml" --limit galaxyserver -e "mode_update=false" -e "mode_backup=false" -e "mode_cleanup=true" -e "enable_debug=true" -v --vault-password-file /path/to/your/vault_pass.txt
```
---
## Using a Password File
To avoid entering your vault password interactively every time, use the `--vault-password-file` option:
```bash
--vault-password-file /path/to/your/vault_pass.txt
```
Ensure the vault password file is stored securely.
---
## Password Generation
You can generate a secure random password and encrypt it with Ansible Vault. For example:
```bash
ansible-vault encrypt_string "$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 32)" --vault-password-file /path/to/your/vault_pass.txt | xclip -selection clipboard
```
This command generates a 32-character alphanumeric password, encrypts it, and copies the result to your clipboard.
---
## Final Notes
- **Customizing Paths and Variables:**
All file paths and configuration variables are defined in group variables (e.g., `group_vars/all/*.yml`) and role variable files. Adjust these to suit your deployment environment.
- **Combining Modes:**
The different modes (reset, test, update, backup, cleanup) can be combined by passing extra variables (using `-e`) on the command line. This flexibility allows you to tailor the playbook run to your current needs.
- **Debugging:**
If you need more verbose output or troubleshooting information, add the `-v` (or `-vvv`) option when running the playbook.
This guide should give you a comprehensive starting point for managing your infrastructure with CyMaIS. For further details, consult the individual role documentation and the accompanying repository README files.
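
Review bot: The "Operating Modes" section (what mode_reset, mode_test, mode_update, mode_backup and mode_cleanup do, and the note to run the full playbook in reset mode) is removed here, and no file in this compare re-adds it; the new main.py exposes the same modes only as bare --reset/--test/--update/--backup/--cleanup flags with one-line help strings. Suggest carrying the mode descriptions and the reset caveat into the new deploy documentation (the README index now points "Deploy" at tasks/README.md, which is not part of this compare) so operators still know what a reset run deletes before they pass --reset.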

@ -22,16 +22,19 @@ Explore the key documents for detailed information about CyMaIS:
- [Vision](02_VISION.md) - [Vision](02_VISION.md)
*Learn about the vision and long-term goals behind CyMaIS.* *Learn about the vision and long-term goals behind CyMaIS.*
- [Installation](03_INSTALLATION.md) - [Setup](03_SETUP.md)
*Step-by-step instructions for installing the system and its dependencies.* *Step-by-step instructions for seting up the system and its dependencies.*
- [Setup](04_SETUP.md) - [Configuration](group_vars/README.md)
*Detailed procedures for configuring and deploying CyMaIS.* *Detailed procedures for configuring CyMaIS.*
- [Enterprise](05_ENTERPRISE.md) - [Deploy](tasks/README.md)
*Detailed procedures for deploying CyMaIS tp your servers*
- [Enterprise](04_ENTERPRISE.md)
*Guidance and best practices for enterprise deployments.* *Guidance and best practices for enterprise deployments.*
- [Donate](06_DONATE.md) - [Donate](05_DONATE.md)
*Information on how to support and donate to the CyMaIS project.* *Information on how to support and donate to the CyMaIS project.*
- [Code of Conduct](CODE_OF_CONDUCT.md) - [Code of Conduct](CODE_OF_CONDUCT.md)
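
Review bot: Two typos in the new link descriptions: "seting up" should be "setting up" and "tp your servers" should be "to your servers". The "Deploy" entry links to tasks/README.md and "Configuration" to group_vars/README.md; group_vars/README.md is part of this compare, tasks/README.md is not, so make sure it exists before merging or the link dangles.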

@ -1 +1,38 @@
# Configuration # Configuration
## Ansible Vault Basics
CyMaIS uses Ansible Vault to protect sensitive data (e.g. passwords). Use these common commands:
### Edit an Encrypted File
```bash
ansible-vault edit <filename.yml> --vault-password-file <your-vault-pass-file>
```
### Decrypt a File
```bash
ansible-vault decrypt <filename.yml> --vault-password-file <your-vault-pass-file>
```
### Encrypt a File
```bash
ansible-vault encrypt <filename.yml> --vault-password-file <your-vault-pass-file>
```
### Encrypt a String
```bash
ansible-vault encrypt_string --vault-password-file <your-vault-pass-file> 'example' --name 'test'
```
## Password Generation
You can generate a secure random password and encrypt it with Ansible Vault. For example:
```bash
ansible-vault encrypt_string "$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 32)" --vault-password-file /path/to/your/vault_pass.txt | xclip -selection clipboard
```
This command generates a 32-character alphanumeric password, encrypts it, and copies the result to your clipboard.
## Final Notes
- **Customizing Paths and Variables:**
All file paths and configuration variables are defined in group variables (e.g., `group_vars/all/*.yml`) and role variable files. Adjust these to suit your deployment environment.
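
Review bot: The vault guidance copied in from the removed Setup Guide drops the sentence "Ensure the vault password file is stored securely", although every command here still takes `--vault-password-file /path/to/your/vault_pass.txt`; suggest restoring that line (for example: keep the file outside the repository with owner-only permissions and out of shell history). Two smaller points: the "Password Generation" example calls `encrypt_string` without `--name`, so unlike the "Encrypt a String" example above it the clipboard receives a bare `!vault |` block rather than a ready-to-paste `key: !vault |` entry, and "Final Notes" now has a single bullet, so the heading could go.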

@ -15,6 +15,7 @@ nginx:
files: "/var/www/public_files/" # Path where the web accessable files are stored files: "/var/www/public_files/" # Path where the web accessable files are stored
global: "/var/www/global/" # Directory containing files which will be globaly accessable global: "/var/www/global/" # Directory containing files which will be globaly accessable
user: "http" # Default nginx user in ArchLinux user: "http" # Default nginx user in ArchLinux
iframe: true # Allows applications to be loaded in iframe
## Matomo Tracking ## Matomo Tracking
global_matomo_tracking_enabled: false # Activates matomo tracking on all html pages. Change this in inventory. global_matomo_tracking_enabled: false # Activates matomo tracking on all html pages. Change this in inventory.
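
Review bot: `iframe: true` is introduced as a global default with only "Allows applications to be loaded in iframe" as explanation. If this flag drives the framing headers the nginx role emits (X-Frame-Options or CSP frame-ancestors), a global true weakens clickjacking protection for every application served by this nginx, not just the ones the portfolio cards embed; prefer a false default with a per-application override, and extend the comment to say which header(s) it changes and where the override lives. While touching this block, "accessable" and "globaly" in the neighbouring lines are spelled "accessible" and "globally".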

@ -125,6 +125,7 @@ defaults_applications:
username: "{{users.administrator.username}}" # Administrator Username for Keycloak username: "{{users.administrator.username}}" # Administrator Username for Keycloak
ldap: ldap:
enabled: True # Enables LDAP by default enabled: True # Enables LDAP by default
import_realm: True # If True realm will be imported. If false skip.
database: database:
central_storage: True # Activate Central Database Storage central_storage: True # Activate Central Database Storage
# database_password: # Needs to be defined in inventory file # database_password: # Needs to be defined in inventory file
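
Review bot: Check the nesting of the new `import_realm: True` key: it sits between `enabled:` (under `ldap:`) and `database:`, but the compose template in this compare reads it as `applications[application_id].import_realm`, i.e. at the keycloak application's top level, not under `ldap`. If the indentation puts it under `ldap:`, the template lookup is undefined and rendering fails. The comment could also be tightened to "Import realm on startup if True, skip otherwise."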

78
main.py Executable file
@ -0,0 +1,78 @@
#!/usr/bin/env python3
import argparse
import subprocess
def run_ansible_vault(action, filename, password_file):
"""Execute an ansible-vault command with the specified action on a file."""
cmd = ["ansible-vault", action, filename, "--vault-password-file", password_file]
subprocess.run(cmd, check=True)
def run_ansible_playbook(inventory:str, playbook:str, modes:[bool], limit:str=None, password_file:str=None, verbose:bool=False):
"""Execute an ansible-playbook command with optional parameters."""
cmd = ["ansible-playbook", "-i", inventory, playbook]
if limit:
cmd.extend(["--limit", limit])
if modes:
for key, value in modes.items():
# Convert boolean values to lowercase strings
arg_value = f"{str(value).lower()}" if isinstance(value, bool) else f"{value}"
cmd.extend(["-e", f"{key}={arg_value}"])
if password_file:
cmd.extend(["--vault-password-file", password_file])
else:
cmd.extend(["--ask-vault-pass"])
if verbose:
cmd.append("-v")
subprocess.run(cmd, check=True)
def main():
parser = argparse.ArgumentParser(description="CyMaIS Ansible Deployment and Vault Management")
subparsers = parser.add_subparsers(dest="command", required=True)
# Vault subcommand parser
vault_parser = subparsers.add_parser("vault", help="Manage Ansible Vault")
vault_parser.add_argument("action", choices=["edit", "decrypt", "encrypt"], help="Vault action")
vault_parser.add_argument("filename", help="File to process")
vault_parser.add_argument("--password-file", required=True, help="Path to the Vault password file")
# Playbook subcommand parser
playbook_parser = subparsers.add_parser("playbook", help="Run Ansible Playbooks")
playbook_parser.add_argument("inventory", help="Path to the inventory file")
playbook_parser.add_argument("--limit", help="Limit execution to a specific server")
playbook_parser.add_argument("--host-type", choices=["server", "personal-computer"], default="server",
help="Host type to run the playbook on; defaults to 'server'")
playbook_parser.add_argument("--reset", action="store_true", help="Enable reset mode")
playbook_parser.add_argument("--test", action="store_true", help="Enable test mode")
playbook_parser.add_argument("--update", action="store_true", help="Enable update mode")
playbook_parser.add_argument("--backup", action="store_true", help="Enable backup mode")
playbook_parser.add_argument("--cleanup", action="store_true", help="Enable cleanup mode")
playbook_parser.add_argument("--debug", action="store_true", help="Enable debugging output")
playbook_parser.add_argument("--password-file", help="Path to the Vault password file")
playbook_parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose output")
args = parser.parse_args()
if args.command == "vault":
run_ansible_vault(args.action, args.filename, args.password_file)
elif args.command == "playbook":
modes = {
"mode_reset": args.reset,
"mode_test": args.test,
"mode_update": args.update,
"mode_backup": args.backup,
"mode_cleanup": args.cleanup,
"enable_debug": args.debug,
"host_type": args.host_type
}
# Use a fixed playbook file "playbook.yml"
run_ansible_playbook(args.inventory, "playbook.yml", modes, args.limit, args.password_file, args.verbose)
if __name__ == "__main__":
main()
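
Review bot: In `main()`, every mode is always passed to ansible-playbook via `-e`, including the ones the user did not set: `--update`, `--backup` and friends are `store_true` flags defaulting to False, so a plain `playbook inventory.yml` invocation runs with `mode_update=false` and `mode_backup=false` regardless of what group_vars defines (the removed guide referred to `group_vars/all/01_modes.yml`), because extra-vars have the highest precedence in Ansible. That silently turns backups off unless `--backup` is given on every run; either pass only the modes that were explicitly set (`default=None` and skip None values) or make the flag defaults match the previous group_vars defaults. Smaller points in the same hunk: the annotation `modes:[bool]` on `run_ansible_playbook` is a list literal, not a type, and the argument is a dict, so write `modes: dict`; `limit:str=None` and `password_file:str=None` should be `Optional[str]`; and `"playbook.yml"` is resolved relative to the current working directory, which breaks when the `cymais` alias is invoked from elsewhere, so build the path from `os.path.dirname(os.path.abspath(__file__))`.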

@ -1,6 +0,0 @@
- name: optimize storage performance
hosts: all
become: true
roles:
- role: system-storage-optimizer
when: "(path_mass_storage is defined or path_rapid_storage is defined) and enable_system_storage_optimizer | bool and (docker_enabled is defined and docker_enabled | bool) "
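
Review bot: The `system-storage-optimizer` play is deleted together with its guard (`path_mass_storage`/`path_rapid_storage` defined, `enable_system_storage_optimizer`, `docker_enabled`), and nothing in this compare re-adds the role under tasks/. Confirm it moved into the new server task file with the same `when:` condition, otherwise hosts with mass or rapid storage quietly lose this step.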

@ -1,105 +0,0 @@
---
- import_playbook: playbook.constructor.yml
## pc applications
- name: general host setup
hosts: personal_computers
become: true
roles:
- pc-administrator-tools
- driver-non-free
- name: pc-office
hosts: collection_officetools
become: true
roles:
- pc-office
- pc-jrnl
- name: personal computer for business
hosts: business_personal_computer
become: true
roles:
- pc-gnucash
- name: pc-designer-tools
hosts: collection_designer
become: true
roles:
- pc-designer-tools
- name: pc-qbittorrent
hosts: collection_torrent
become: true
roles:
- pc-qbittorrent
- name: pc-streaming-tools
hosts: collection_streamer
become: true
roles:
- pc-streaming-tools
- name: pc-bluray-player-tools
hosts: collection_bluray_player
become: true
roles:
- pc-bluray-player-tools
- name: pc-latex
hosts: latex
become: true
roles:
- pc-latex
- name: GNOME setup
hosts: gnome
become: true
roles:
- pc-gnome
- name: setup ssh client
hosts: ssh
become: false
roles:
- pc-ssh
- name: setup gaming hosts
hosts: gaming
become: true
roles:
- pc-games
- name: setup entertainment hosts
hosts: entertainment
become: true
roles:
- pc-spotify
- name: setup torbrowser hosts
hosts: torbrowser
become: true
roles:
- pc-torbrowser
- name: setup nextcloud
hosts: nextcloud_client
become: true
roles:
- pc-nextcloud
- name: setup docker
hosts: docker
become: true
roles:
- pc-docker
# driver
- name: setup msi rgb keyboard
hosts: msi_perkeyrgb
become: true
roles:
- driver-msi-keyboard-color
- import_playbook: playbook.destructor.yml
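
Review bot: This deleted playbook carries per-group targeting (`hosts: collection_officetools`, `hosts: gnome`, and so on) and one play that deliberately runs unprivileged (`setup ssh client` with `become: false`). The replacement `playbook.yml` in this compare runs a single play on `hosts: all` with `become: true` and includes `tasks/{{host_type}}.yml`, so the new task file has to reproduce the group targeting with `when: "'gnome' in group_names"` style conditions, and the `pc-ssh` include needs an explicit `become: false` or it will write the ssh client configuration as root instead of for the user. Note also that main.py passes `--host-type personal-computer`, so the file must be named tasks/personal-computer.yml.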

@ -1,262 +0,0 @@
---
- import_playbook: playbook.constructor.yml
- name: servers host setup
hosts: servers
become: true
roles:
- system-security
- journalctl
- health-disc-space
- cleanup-disc-space
- health-btrfs
- system-btrfs-auto-balancer
- name: "setup corporate identity"
hosts: corporate_identity
become: true
roles:
- role: corporate-identity
#########################################################################
### Docker Roles ###
#########################################################################
- name: "setup matomo"
hosts: matomo
become: true
roles:
- role: docker-matomo
- name: setup ldap
hosts: ldap
become: true
roles:
- role: docker-ldap
- name: setup keycloak
hosts: keycloak
become: true
roles:
- role: docker-keycloak
- name: setup nextcloud hosts
hosts: nextcloud
become: true
roles:
- role: docker-nextcloud
- name: setup gitea hosts
hosts: gitea
become: true
roles:
- role: docker-gitea
vars:
run_mode: prod
- name: setup wordpress hosts
hosts: wordpress
become: true
roles:
- role: docker-wordpress
- name: setup mediawiki hosts
hosts: mediawiki
become: true
roles:
- role: docker-mediawiki
- name: setup mybb hosts
hosts: mybb
become: true
roles:
- role: docker-mybb
vars:
mybb_domains: "{{domains.mybb}}"
- name: setup yourls hosts
hosts: yourls
become: true
roles:
- role: docker-yourls
- name: setup mailu hosts
hosts: mailu
become: true
roles:
- role: docker-mailu
- name: setup elk hosts
hosts: elk
become: true
roles:
- role: docker-elk
- name: setup mastodon hosts
hosts: mastodon
become: true
roles:
- role: docker-mastodon
- name: setup pixelfed hosts
hosts: pixelfed
become: true
roles:
- role: docker-pixelfed
- name: setup peertube hosts
hosts: peertube
become: true
roles:
- role: docker-peertube
- name: setup bigbluebutton hosts
hosts: bigbluebutton
become: true
roles:
- role: docker-bigbluebutton
vars:
domain: "{{domains.bigbluebutton}}"
- name: setup funkwhale hosts
hosts: funkwhale
become: true
roles:
- role: docker-funkwhale
- name: setup roulette-wheel hosts
hosts: roulette-wheel
become: true
roles:
- role: docker-roulette-wheel
- name: setup joomla hosts
hosts: joomla
become: true
roles:
- role: docker-joomla
- name: setup attendize
hosts: attendize
become: true
roles:
- role: docker-attendize
- name: setup baserow hosts
hosts: baserow
become: true
roles:
- role: docker-baserow
- name: setup listmonk
hosts: listmonk
become: true
roles:
- role: docker-listmonk
- name: setup discourse
hosts: discourse
become: true
roles:
- role: docker-discourse
- name: setup matrix
hosts: matrix
become: true
roles:
- role: docker-matrix-ansible
when: applications.matrix.role == 'ansible'
- role: docker-matrix-compose
when: applications.matrix.role == 'compose'
- name: setup open project instances
hosts: openproject
become: true
roles:
- role: docker-openproject
- name: setup gitlab hosts
hosts: gitlab
become: true
roles:
- role: docker-gitlab
- name: setup akaunting hosts
hosts: akaunting
become: true
roles:
- role: docker-akaunting
- name: setup moodle instance
hosts: moodle
become: true
roles:
- role: docker-moodle
- name: setup taiga instance
hosts: taiga
become: true
roles:
- role: docker-taiga
- name: setup friendica hosts
hosts: friendica
become: true
roles:
- role: docker-friendica
- name: setup portfolio
hosts: portfolio
become: true
roles:
- role: docker-portfolio
- name: setup bluesky
hosts: bluesky
become: true
roles:
- role: docker-bluesky
- name: setup PHPMyAdmin
hosts: phpmyadmin
become: true
roles:
- role: docker-phpmyadmin
- name: setup SNIPE-IT
hosts: snipe_it
become: true
roles:
- role: docker-snipe_it
- name: setup sphinx
hosts: sphinx
become: true
roles:
- role: docker-sphinx
# Native Webserver Roles
- name: setup nginx-serve-htmls
hosts: nginx-serve-htmls
become: true
roles:
- role: nginx-serve-html
vars:
domain: "{{primary_domain}}"
- name: setup redirect hosts
hosts: redirect
become: true
roles:
- role: nginx-redirect-domain
vars:
domain_mappings: "{{redirect_domain_mappings}}"
- name: setup www redirect
hosts: www_redirect
become: true
roles:
- role: nginx-redirect-www
- import_playbook: playbook.destructor.yml
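
Review bot: Besides the group targeting, this file carried role-specific settings that must survive the move to tasks/: the `when:` selection between `docker-matrix-ansible` and `docker-matrix-compose` on `applications.matrix.role`, and the `vars:` blocks (`run_mode: prod` for gitea, `mybb_domains` for mybb, `domain` for bigbluebutton and nginx-serve-html, `domain_mappings` for the redirect role). With `include_tasks` in a single play these become `include_role` entries with `when:` and `vars:`; please double-check each one is carried over, since a dropped `run_mode: prod` or a missing redirect mapping will not fail loudly.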

10
playbook.yml Normal file
@ -0,0 +1,10 @@
- name: Execute CyMaIS Play
hosts: all
tasks:
- name: "Load 'constructor' tasks"
include_tasks: "tasks/constructor.yml"
- name: "Load '{{host_type}}' tasks"
include_tasks: "tasks/{{host_type}}.yml"
- name: "Load 'destructor' tasks"
include_tasks: "tasks/destructor.yml"
become: true
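
Review bot: `become: true` is set once for the whole play on `hosts: all`, which changes behaviour compared with the deleted playbooks: the `setup ssh client` play previously ran with `become: false`. Included task files inherit the play-level `become`, so tasks that must run as the login user need `become: false` on the task itself. Two further points: `include_tasks` expects a task list, so `tasks/constructor.yml` and `tasks/destructor.yml` cannot simply be the old `playbook.constructor.yml`/`playbook.destructor.yml` play files renamed; and `host_type` has no default here, so running this playbook without `-e host_type=...` (i.e. not through main.py) fails at the second include, which a `vars:` default or an `assert` task at the top would make explicit.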

@ -1,2 +1,4 @@
collections: collections:
- name: kewlfft.aur - name: kewlfft.aur
pacman:
- ansible
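
Review bot: `pacman:` is added next to `collections:`. If this file is fed to `ansible-galaxy install -r`, galaxy accepts only `roles` and `collections` as top-level keys and rejects the file; if it is the package manager's own requirements format, fine, but a comment saying which tool consumes each key would stop the next reader from "fixing" it.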

@ -5,7 +5,7 @@ services:
application: application:
image: quay.io/keycloak/keycloak:{{applications.keycloak.version}} image: quay.io/keycloak/keycloak:{{applications.keycloak.version}}
container_name: {{container_name}} container_name: {{container_name}}
command: start --import-realm # imports realms on startup command: start {% if applications[application_id].import_realm | bool %}--import-realm{% endif %}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %} {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
ports: ports:
- "127.0.0.1:{{ports.localhost.http[application_id]}}:8080" - "127.0.0.1:{{ports.localhost.http[application_id]}}:8080"
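
Review bot: The conditional `{% if applications[application_id].import_realm | bool %}--import-realm{% endif %}` is the right way to make the import optional, but two things need lining up: the `image:` line two rows above uses `applications.keycloak.version` while this line uses `applications[application_id]`, so pick one style, and the key must be defined at the level the template reads it (in the defaults hunk of this compare `import_realm` appears between `ldap.enabled` and `database`). A short template comment noting that Keycloak's `--import-realm` skips realms that already exist would also explain why the toggle is safe to leave on.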

@ -13,14 +13,19 @@ docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'c
docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'" docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'"
``` ```
### Databases Overview
```bash
docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcDatabase=*)"
```
## Show all Entries ## Show all Entries
```bash ```bash
docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" LDAP_DN_BASE="$LDAP_DN_BASE" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_DN_BASE\""; docker exec -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"\$LDAP_ROOT\"";
``` ```
### Delete Groups and Subgroup ### Delete Groups and Subgroup
To delete the group inclusive all subgroups use: To delete the group inclusive all subgroups use:
```bash ```bash
docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_DN_BASE\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"cn=administrator,\$LDAP_DN_BASE\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done" docker exec -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" -b \"ou=applications,ou=groups,\$LDAP_ROOT\" dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D \"\$LDAP_ADMIN_DN\" -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
``` ```
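
Review bot: The switch from forwarding `--env LDAP_ADMIN_PASSWORD=...` to relying on `$LDAP_ADMIN_DN`, `$LDAP_ADMIN_PASSWORD` and `$LDAP_ROOT` inside the container only works if those three variables exist in the container environment (the env template in this compare defines LDAP_ADMIN_USERNAME and LDAP_ADMIN_PASSWORD; LDAP_ADMIN_DN and LDAP_ROOT are not visible here), so state that assumption above the commands. The new "Databases Overview" command is also inconsistent with its neighbours: it omits `bash -c` and `-LLL`, and it sits as a `###` under the config section before `## Show all Entries`. As before, `-w "$LDAP_ADMIN_PASSWORD"` exposes the password in the container's process list; `-y <passwordfile>` or `ldapi:///` with `-Y EXTERNAL` (already used above) avoids that.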

@ -0,0 +1,139 @@
Here is the full content in English with all instructions, formatted as a markdown (`CHANGE_DN.md`) file:
```md
# Change Distinguished Name (DN) in OpenLDAP Docker
This document provides a step-by-step guide on how to rename the Distinguished Name (DN) from `cn=administrator,dc=flock,dc=town` to `cn=administrator,dc=cymais,dc=cloud` in an **OpenLDAP Docker** environment.
**Reference:** [Conversation Link](https://chatgpt.com/share/67d9a2f7-4e04-800f-9a0f-1673194f276c)
---
## 1. Export the Current Entry
Connect to the OpenLDAP container and export the current entry:
```sh
docker exec -it openldap sh -c 'ldapsearch -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -b "$LDAP_ROOT"' > all_entries.ldif
```
If your ***LDAP_ADMIN_DN*** and ***LDAP_ROOT*** are not accured pass them via ``--env``.
---
## 2. Modify the LDIF File
Open `all_entries.ldif` and update the DN (`dn:` line) and `dc` attributes.
- Open the file in an editor (`nano`, `vim`, `sed`).
- Replace **all occurrences** of `dc=flock,dc=town` with `dc=cymais,dc=cloud`.
**Using `sed` to modify automatically:**
```sh
sed -i 's/dc=flock,dc=town/dc=cymais,dc=cloud/g' all_entries.ldif
```
**Before:**
```ldif
dn: cn=administrator,dc=flock,dc=town
cn: administrator
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: {SSHA}...
```
**After:**
```ldif
dn: cn=administrator,dc=cymais,dc=cloud
cn: administrator
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: {SSHA}...
```
---
## 3. Delete the Old Entry
### Generate a Recursive Delete LDIF
We need an **LDIF file that deletes all objects** under `dc=flock,dc=town`.
Instead of manually writing an LDIF file, you can use `ldapsearch` and `awk` to generate it dynamically:
```sh
docker exec -it openldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town" dn' | awk "/^dn:/ {print \$2}" | tac > delete_all_dns.txt
```
This creates an **ordered delete list**, starting with child objects before deleting `dc=flock,dc=town`.
---
#### Apply the Recursive Delete
Now apply the generated `delete_all.ldif` to delete all entries **recursively**:
```sh
docker exec -i openldap sh -c '
while read dn; do
ldapdelete -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" "$dn"
done' < delete_all_dns.txt
```
---
#### Verify That Everything Is Deleted
After running the delete command, verify that `dc=flock,dc=town` is empty:
```sh
docker exec -it openldap sh -c 'ldapsearch -x -D "cn=administrator,dc=flock,dc=town" -w "$LDAP_ADMIN_PASSWORD" -b "dc=flock,dc=town"'
```
- ✅ If **no results** are returned, the domain has been deleted successfully.
- ❌ If results still exist, some entries were not removed.
#### Create new_database.ldif
docker exec -i openldap ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin < new_database.ldif
## 4. Add the New Entry
Now, upload the modified `all_entries.ldif`:
```sh
cat all_entries.ldif | docker exec -i openldap sh -c 'ldapadd -x -D "cn=admin,dc=cymais,dc=cloud" -w "$LDAP_ADMIN_PASSWORD"'
```
---
## 5. Update Root DN Configuration
If `cn=administrator` is used as `rootdn`, update the OpenLDAP configuration file (`slapd.conf` or `olcDatabase={1}mdb.ldif` under `cn=config`).
Find:
```ldif
olcRootDN: cn=administrator,dc=flock,dc=town
```
Replace with:
```ldif
olcRootDN: cn=administrator,dc=cymais,dc=cloud
```
Save the change and apply it:
```sh
docker exec -it openldap ldapmodify -Y EXTERNAL -H ldapi:/// -f config_update.ldif
```
---
## 6. Restart OpenLDAP
Restart the OpenLDAP container if necessary:
```sh
docker restart openldap
```
Now, `cn=administrator,dc=cymais,dc=cloud` should be active as the new administrator account.
```
This file contains the complete set of instructions in English, properly formatted, and ready to be used in OpenLDAP Docker. Let me know if you need any adjustments! 🚀
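
Review bot: This file is a pasted chat answer rather than a document: the first line ("Here is the full content in English..."), the outer ```md fence and the closing "Let me know if you need any adjustments! 🚀" line should be removed, and the outer fence in particular breaks rendering because the first inner ```sh fence terminates it. Within the content several details do not line up: step 3 says "apply the generated `delete_all.ldif`" but the file created is `delete_all_dns.txt`; the "Create new_database.ldif" heading is followed by an unfenced `ldapadd ... < new_database.ldif` line for a file the guide never creates; step 4 binds as `cn=admin,dc=cymais,dc=cloud` while every other step uses `cn=administrator`; and step 5 applies `config_update.ldif` without showing its contents, which has to change `olcSuffix` of `olcDatabase={1}mdb` as well as `olcRootDN`, otherwise the `ldapadd` of entries under `dc=cymais,dc=cloud` in step 4 fails with "no such object". Two technical caveats: the export uses `docker exec -it` with output redirected to a file, and `-t` can corrupt the LDIF (use `-i` only); and `ldapsearch` wraps long lines by default, so add `-o ldif-wrap=no` before running `sed` on `dc=flock,dc=town`, or a wrapped DN is missed. "accured" in step 1 is unclear; "available" is probably what is meant.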

@ -3,8 +3,8 @@
# GENERAL # GENERAL
## Database ## Database
LDAP_ADMIN_USERNAME= {{applications.ldap.users.administrator.username}} # LDAP database admin user. LDAP_ADMIN_USERNAME= {{applications.ldap.users.administrator.username}} # LDAP database admin user.
LDAP_ADMIN_PASSWORD= {{applications.ldap.administrator_database_password}} # LDAP database admin password. LDAP_ADMIN_PASSWORD= {{applications.ldap.administrator_database_password}} # LDAP database admin password.
## Users ## Users
LDAP_USERS= ' ' # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02 LDAP_USERS= ' ' # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
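
Review bot: The two lines in this hunk read identically on both sides, so the change appears to be whitespace only (the rendered diff does not show what moved); if that is intended, say so in the commit. Independently of the change, the `KEY= value # comment` layout is fragile: with a space after `=`, a parser that does not trim unquoted values (the Docker CLI `--env-file` parser does not, and it has no inline comments either) stores the leading space and the trailing `# LDAP database admin password.` as part of the password. Compose's env_file parser tolerates both, so document which tool reads this file, or drop the space and move the comments to their own lines.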

@ -25,6 +25,7 @@ accounts:
class: fa-brands fa-mastodon class: fa-brands fa-mastodon
url: "https://{{ service_provider.contact.mastodon.split('@')[2] }}/@{{ service_provider.contact.mastodon.split('@')[1] }}" url: "https://{{ service_provider.contact.mastodon.split('@')[2] }}/@{{ service_provider.contact.mastodon.split('@')[1] }}"
identifier: "{{service_provider.contact.mastodon}}" identifier: "{{service_provider.contact.mastodon}}"
iframe: true
{% endif %} {% endif %}
{% if service_provider.contact.bluesky is defined and service_provider.contact.bluesky != "" %} {% if service_provider.contact.bluesky is defined and service_provider.contact.bluesky != "" %}
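
Review bot: `iframe: true` is added to the Mastodon account entry (and, in the following hunks, to Pixelfed, PeerTube, WordPress, Friendica and the service cards). For the external account links this is unlikely to work as intended: the URLs point at other instances, and most sites send X-Frame-Options or CSP frame-ancestors headers that stop browsers from rendering them in a frame, so the portfolio should fall back to a plain link when framing is refused. For the cards the flag depends on the nginx role's new global `iframe: true` default from this compare; it would be cleaner to set it only on entries that are actually meant to be embedded rather than on every card.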
@ -47,6 +48,7 @@ accounts:
class: fa-solid fa-camera class: fa-solid fa-camera
identifier: "{{service_provider.contact.pixelfed}}" identifier: "{{service_provider.contact.pixelfed}}"
url: "https://{{ service_provider.contact.pixelfed.split('@')[2] }}/@{{ service_provider.contact.pixelfed.split('@')[1] }}" url: "https://{{ service_provider.contact.pixelfed.split('@')[2] }}/@{{ service_provider.contact.pixelfed.split('@')[1] }}"
iframe: true
{% endif %} {% endif %}
{% if service_provider.contact.peertube is defined and service_provider.contact.peertube != "" %} {% if service_provider.contact.peertube is defined and service_provider.contact.peertube != "" %}
@ -58,6 +60,7 @@ accounts:
class: fa-solid fa-video class: fa-solid fa-video
identifier: "{{service_provider.contact.peertube}}" identifier: "{{service_provider.contact.peertube}}"
url: "https://{{ service_provider.contact.peertube.split('@')[2] }}/@{{ service_provider.contact.peertube.split('@')[1] }}" url: "https://{{ service_provider.contact.peertube.split('@')[2] }}/@{{ service_provider.contact.peertube.split('@')[1] }}"
iframe: true
{% endif %} {% endif %}
{% if service_provider.contact.wordpress is defined and service_provider.contact.wordpress != "" %} {% if service_provider.contact.wordpress is defined and service_provider.contact.wordpress != "" %}
@ -69,6 +72,7 @@ accounts:
class: fa-solid fa-blog class: fa-solid fa-blog
identifier: "{{service_provider.contact.wordpress}}" identifier: "{{service_provider.contact.wordpress}}"
url: "https://{{ service_provider.contact.wordpress.split('@')[2] }}/@{{ service_provider.contact.wordpress.split('@')[1] }}" url: "https://{{ service_provider.contact.wordpress.split('@')[2] }}/@{{ service_provider.contact.wordpress.split('@')[1] }}"
iframe: true
{% endif %} {% endif %}
{% if service_provider.contact.source_code is defined and service_provider.contact.source_code != "" %} {% if service_provider.contact.source_code is defined and service_provider.contact.source_code != "" %}
@ -90,6 +94,7 @@ accounts:
class: fas fa-network-wired class: fas fa-network-wired
identifier: "{{service_provider.contact.friendica}}" identifier: "{{service_provider.contact.friendica}}"
url: "https://{{ service_provider.contact.friendica.split('@')[2] }}/@{{ service_provider.contact.friendica.split('@')[1] }}" url: "https://{{ service_provider.contact.friendica.split('@')[2] }}/@{{ service_provider.contact.friendica.split('@')[1] }}"
iframe: true
{% endif %} {% endif %}
@ -105,6 +110,7 @@ cards:
text: "Experience the power of Matomo, an innovative open-source analytics platform that delivers real-time insights, robust visitor tracking, and privacy-first features to elevate your website performance. Dive into actionable data with unmatched precision and clarity!" text: "Experience the power of Matomo, an innovative open-source analytics platform that delivers real-time insights, robust visitor tracking, and privacy-first features to elevate your website performance. Dive into actionable data with unmatched precision and clarity!"
url: https://{{domains.matomo}} url: https://{{domains.matomo}}
link_text: "Discover Matomo Now!" link_text: "Discover Matomo Now!"
iframe: true
{% endif %} {% endif %}
{% if "ldap" in group_names %} {% if "ldap" in group_names %}
@ -115,6 +121,7 @@ cards:
text: "Unleash the potential of centralized identity management with our vibrant LDAP solution. Enjoy seamless authentication, efficient user management, and enhanced security that empowers your organization to stay connected, agile, and ahead of the curve in digital transformation." text: "Unleash the potential of centralized identity management with our vibrant LDAP solution. Enjoy seamless authentication, efficient user management, and enhanced security that empowers your organization to stay connected, agile, and ahead of the curve in digital transformation."
url: https://{{domains.ldap}} url: https://{{domains.ldap}}
link_text: "Empower Your Network!" link_text: "Empower Your Network!"
iframe: true
{% endif %} {% endif %}
{% if "keycloak" in group_names %} {% if "keycloak" in group_names %}
@ -125,6 +132,7 @@ cards:
text: "Step into a secure future with Keycloak! Our dynamic identity and access management solution offers streamlined SSO capabilities, robust security measures, and an intuitive user experience that propels your applications to unprecedented heights of performance and reliability." text: "Step into a secure future with Keycloak! Our dynamic identity and access management solution offers streamlined SSO capabilities, robust security measures, and an intuitive user experience that propels your applications to unprecedented heights of performance and reliability."
url: https://{{domains.keycloak}} url: https://{{domains.keycloak}}
link_text: "Secure Your Future Now!" link_text: "Secure Your Future Now!"
iframe: true
{% endif %} {% endif %}
{% if "nextcloud" in group_names %} {% if "nextcloud" in group_names %}
@ -135,6 +143,7 @@ cards:
text: "Elevate your collaboration with Nextcloud, a vibrant self-hosted cloud solution designed for dynamic file sharing, seamless communication, and effortless teamwork. Embrace unparalleled control, flexibility, and a boosted digital workspace that adapts to your every need." text: "Elevate your collaboration with Nextcloud, a vibrant self-hosted cloud solution designed for dynamic file sharing, seamless communication, and effortless teamwork. Embrace unparalleled control, flexibility, and a boosted digital workspace that adapts to your every need."
url: https://{{domains.nextcloud}} url: https://{{domains.nextcloud}}
link_text: "Experience Nextcloud Today!" link_text: "Experience Nextcloud Today!"
iframe: true
{% endif %} {% endif %}
{% if "gitea" in group_names %} {% if "gitea" in group_names %}
@ -145,6 +154,7 @@ cards:
text: "Boost your development journey with Gitea, a lightweight and energetic self-hosted Git service that offers efficient code collaboration, intuitive version control, and an agile environment for your projects. Ignite your coding spirit, innovate faster, and code with confidence!" text: "Boost your development journey with Gitea, a lightweight and energetic self-hosted Git service that offers efficient code collaboration, intuitive version control, and an agile environment for your projects. Ignite your coding spirit, innovate faster, and code with confidence!"
url: https://{{domains.gitea}} url: https://{{domains.gitea}}
link_text: "Ignite Your Code Now!" link_text: "Ignite Your Code Now!"
iframe: true
{% endif %} {% endif %}
{% if "wordpress" in group_names %} {% if "wordpress" in group_names %}
@ -165,6 +175,7 @@ cards:
text: "Empower your knowledge base with MediaWiki, a versatile and collaborative platform designed to build comprehensive, user-driven documentation. Embrace an energetic community and innovative tools that turn information into a vibrant, living resource." text: "Empower your knowledge base with MediaWiki, a versatile and collaborative platform designed to build comprehensive, user-driven documentation. Embrace an energetic community and innovative tools that turn information into a vibrant, living resource."
url: https://{{domains.mediawiki}} url: https://{{domains.mediawiki}}
link_text: "Explore MediaWiki Now!" link_text: "Explore MediaWiki Now!"
iframe: true
{% endif %} {% endif %}
{% if "mybb" in group_names %} {% if "mybb" in group_names %}
@ -175,6 +186,7 @@ cards:
text: "Transform your community engagement with MyBB, a feature-rich forum solution that combines modern design with robust functionality. Enjoy dynamic discussions, intuitive moderation, and an energetic user interface that brings people together like never before." text: "Transform your community engagement with MyBB, a feature-rich forum solution that combines modern design with robust functionality. Enjoy dynamic discussions, intuitive moderation, and an energetic user interface that brings people together like never before."
url: https://{{domains.mybb}} url: https://{{domains.mybb}}
link_text: "Join the Conversation!" link_text: "Join the Conversation!"
iframe: true
{% endif %} {% endif %}
{% if "yourls" in group_names %} {% if "yourls" in group_names %}
@ -185,6 +197,7 @@ cards:
text: "Streamline your online presence with YOURLS, a nimble URL shortening solution that makes sharing links faster, easier, and more engaging. Enjoy the benefits of enhanced tracking and a user-friendly interface that energizes your digital strategy." text: "Streamline your online presence with YOURLS, a nimble URL shortening solution that makes sharing links faster, easier, and more engaging. Enjoy the benefits of enhanced tracking and a user-friendly interface that energizes your digital strategy."
url: https://{{domains.yourls}} url: https://{{domains.yourls}}
link_text: "Shorten Links Instantly!" link_text: "Shorten Links Instantly!"
iframe: true
{% endif %} {% endif %}
{% if "mailu" in group_names %} {% if "mailu" in group_names %}
@ -195,6 +208,7 @@ cards:
text: "Revolutionize your email communications with Mailu, a secure and flexible mail server solution that integrates seamlessly into your workflow. Experience enhanced reliability, robust security, and an energetic approach to managing your digital correspondence." text: "Revolutionize your email communications with Mailu, a secure and flexible mail server solution that integrates seamlessly into your workflow. Experience enhanced reliability, robust security, and an energetic approach to managing your digital correspondence."
url: https://{{domains.mailu}} url: https://{{domains.mailu}}
link_text: "Elevate Your Email Now!" link_text: "Elevate Your Email Now!"
iframe: true
{% endif %} {% endif %}
{% if "mastodon" in group_names %} {% if "mastodon" in group_names %}
@ -205,6 +219,7 @@ cards:
text: "Dive into a decentralized social experience with Mastodon, a vibrant platform that redefines online communication with its community-driven approach. Enjoy a refreshing burst of innovation, freedom, and energetic interaction every time you connect." text: "Dive into a decentralized social experience with Mastodon, a vibrant platform that redefines online communication with its community-driven approach. Enjoy a refreshing burst of innovation, freedom, and energetic interaction every time you connect."
url: https://{{domains.mastodon}} url: https://{{domains.mastodon}}
link_text: "Join the Social Revolution!" link_text: "Join the Social Revolution!"
iframe: true
{% endif %} {% endif %}
{% if "pixelfed" in group_names %} {% if "pixelfed" in group_names %}
@ -215,6 +230,7 @@ cards:
text: "Showcase your visual story with Pixelfed, an inspiring self-hosted image sharing platform that champions creativity and privacy. Revel in a dynamic, artistic environment where every photo is a window to endless possibilities and vibrant expression." text: "Showcase your visual story with Pixelfed, an inspiring self-hosted image sharing platform that champions creativity and privacy. Revel in a dynamic, artistic environment where every photo is a window to endless possibilities and vibrant expression."
url: https://{{domains.pixelfed}} url: https://{{domains.pixelfed}}
link_text: "Share Your Vision Now!" link_text: "Share Your Vision Now!"
iframe: true
{% endif %} {% endif %}
{% if "peertube" in group_names %} {% if "peertube" in group_names %}
@ -225,6 +241,7 @@ cards:
text: "Embrace a new era of video hosting with PeerTube, a decentralized platform that empowers creators with freedom, innovation, and a community-focused approach. Experience seamless streaming and dynamic sharing that fuels your creative ambitions." text: "Embrace a new era of video hosting with PeerTube, a decentralized platform that empowers creators with freedom, innovation, and a community-focused approach. Experience seamless streaming and dynamic sharing that fuels your creative ambitions."
url: https://{{domains.peertube}} url: https://{{domains.peertube}}
link_text: "Stream with Freedom!" link_text: "Stream with Freedom!"
iframe: true
{% endif %} {% endif %}
{% if "bigbluebutton" in group_names %} {% if "bigbluebutton" in group_names %}
@ -235,6 +252,7 @@ cards:
text: "Transform online learning and collaboration with BigBlueButton, an interactive web conferencing solution designed to energize virtual classrooms and meetings. Enjoy dynamic tools and an engaging environment that makes every session a powerful learning experience." text: "Transform online learning and collaboration with BigBlueButton, an interactive web conferencing solution designed to energize virtual classrooms and meetings. Enjoy dynamic tools and an engaging environment that makes every session a powerful learning experience."
url: https://{{domains.bigbluebutton}} url: https://{{domains.bigbluebutton}}
link_text: "Start Your Virtual Session!" link_text: "Start Your Virtual Session!"
iframe: true
{% endif %} {% endif %}
{% if "funkwhale" in group_names %} {% if "funkwhale" in group_names %}
@ -245,6 +263,7 @@ cards:
text: "Dive into a world of rhythm and sound with Funkwhale, an innovative self-hosted music sharing platform that celebrates creativity and community. Experience an energetic soundscape and seamless music streaming that amplifies your passion for tunes." text: "Dive into a world of rhythm and sound with Funkwhale, an innovative self-hosted music sharing platform that celebrates creativity and community. Experience an energetic soundscape and seamless music streaming that amplifies your passion for tunes."
url: https://{{domains.funkwhale}} url: https://{{domains.funkwhale}}
link_text: "Jam Out Now!" link_text: "Jam Out Now!"
iframe: true
{% endif %} {% endif %}
{% if "joomla" in group_names %} {% if "joomla" in group_names %}
@ -255,6 +274,7 @@ cards:
text: "Elevate your website management with Joomla, a powerful content management system that fuses versatility with dynamic design. Experience a vibrant platform that inspires creativity and drives your digital presence to new, energetic heights." text: "Elevate your website management with Joomla, a powerful content management system that fuses versatility with dynamic design. Experience a vibrant platform that inspires creativity and drives your digital presence to new, energetic heights."
url: https://{{domains.joomla}} url: https://{{domains.joomla}}
link_text: "Build with Joomla Today!" link_text: "Build with Joomla Today!"
iframe: true
{% endif %} {% endif %}
{% if "attendize" in group_names %} {% if "attendize" in group_names %}
@ -265,6 +285,7 @@ cards:
text: "Revolutionize your event management with Attendize, an energetic and intuitive platform designed to streamline ticketing and event planning. Enjoy a feature-rich, user-friendly solution that transforms every event into an unforgettable experience." text: "Revolutionize your event management with Attendize, an energetic and intuitive platform designed to streamline ticketing and event planning. Enjoy a feature-rich, user-friendly solution that transforms every event into an unforgettable experience."
url: https://{{domains.attendize}} url: https://{{domains.attendize}}
link_text: "Plan Your Event Now!" link_text: "Plan Your Event Now!"
iframe: true
{% endif %} {% endif %}
{% if "baserow" in group_names %} {% if "baserow" in group_names %}
@ -275,6 +296,7 @@ cards:
text: "Empower your data management with Baserow, an innovative platform that makes building and managing databases both fun and efficient. Enjoy a dynamic interface, seamless collaboration, and energetic tools that supercharge your workflow." text: "Empower your data management with Baserow, an innovative platform that makes building and managing databases both fun and efficient. Enjoy a dynamic interface, seamless collaboration, and energetic tools that supercharge your workflow."
url: https://{{domains.baserow}} url: https://{{domains.baserow}}
link_text: "Manage Data with Ease!" link_text: "Manage Data with Ease!"
iframe: true
{% endif %} {% endif %}
{% if "listmonk" in group_names %} {% if "listmonk" in group_names %}
@ -285,6 +307,7 @@ cards:
text: "Elevate your email marketing with Listmonk, a high-energy, self-hosted solution that offers powerful newsletter management and analytics. Enjoy an intuitive design, robust features, and a spirited approach that takes your campaigns to the next level." text: "Elevate your email marketing with Listmonk, a high-energy, self-hosted solution that offers powerful newsletter management and analytics. Enjoy an intuitive design, robust features, and a spirited approach that takes your campaigns to the next level."
url: https://{{domains.listmonk}} url: https://{{domains.listmonk}}
link_text: "Boost Your Campaigns Now!" link_text: "Boost Your Campaigns Now!"
iframe: true
{% endif %} {% endif %}
{% if "discourse" in group_names %} {% if "discourse" in group_names %}
@ -295,6 +318,7 @@ cards:
text: "Ignite community conversations with Discourse, an innovative forum platform that redefines online discussions with its modern, engaging interface. Experience an energetic, user-friendly environment that brings people together and fuels vibrant exchanges." text: "Ignite community conversations with Discourse, an innovative forum platform that redefines online discussions with its modern, engaging interface. Experience an energetic, user-friendly environment that brings people together and fuels vibrant exchanges."
url: https://{{domains.discourse}} url: https://{{domains.discourse}}
link_text: "Join the Discussion!" link_text: "Join the Discussion!"
iframe: true
{% endif %} {% endif %}
{% if "matrix" in group_names %} {% if "matrix" in group_names %}
@ -305,6 +329,7 @@ cards:
text: "Step into the future of communication with Matrix, a dynamic and decentralized platform that delivers secure, real-time messaging and collaboration. Enjoy an innovative ecosystem that energizes your digital interactions and connects you globally." text: "Step into the future of communication with Matrix, a dynamic and decentralized platform that delivers secure, real-time messaging and collaboration. Enjoy an innovative ecosystem that energizes your digital interactions and connects you globally."
url: https://{{domains.matrix_synapse}} url: https://{{domains.matrix_synapse}}
link_text: "Connect on Matrix Now!" link_text: "Connect on Matrix Now!"
iframe: true
{% endif %} {% endif %}
{% if "openproject" in group_names %} {% if "openproject" in group_names %}
@ -315,6 +340,7 @@ cards:
text: "Transform your project management with OpenProject, a vibrant and collaborative tool that brings clarity and energy to your planning, tracking, and team communication. Experience streamlined workflows and an innovative platform that propels your projects forward." text: "Transform your project management with OpenProject, a vibrant and collaborative tool that brings clarity and energy to your planning, tracking, and team communication. Experience streamlined workflows and an innovative platform that propels your projects forward."
url: https://{{domains.openproject}} url: https://{{domains.openproject}}
link_text: "Manage Projects Dynamically!" link_text: "Manage Projects Dynamically!"
iframe: true
{% endif %} {% endif %}
{% if "gitlab" in group_names %} {% if "gitlab" in group_names %}
@ -325,6 +351,7 @@ cards:
text: "Accelerate your software development with GitLab, an energetic, all-in-one platform for source code management and continuous integration. Experience a robust, collaborative environment that empowers teams to innovate and deliver exceptional results." text: "Accelerate your software development with GitLab, an energetic, all-in-one platform for source code management and continuous integration. Experience a robust, collaborative environment that empowers teams to innovate and deliver exceptional results."
url: https://{{domains.gitlab}} url: https://{{domains.gitlab}}
link_text: "Revolutionize Your DevOps!" link_text: "Revolutionize Your DevOps!"
iframe: true
{% endif %} {% endif %}
{% if "akaunting" in group_names %} {% if "akaunting" in group_names %}
@ -335,6 +362,7 @@ cards:
text: "Empower your financial management with Akaunting, a dynamic and feature-rich accounting platform designed to simplify your bookkeeping and boost your business growth. Enjoy intuitive tools, real-time insights, and an energetic approach to your finances." text: "Empower your financial management with Akaunting, a dynamic and feature-rich accounting platform designed to simplify your bookkeeping and boost your business growth. Enjoy intuitive tools, real-time insights, and an energetic approach to your finances."
url: https://{{domains.akaunting}} url: https://{{domains.akaunting}}
link_text: "Transform Your Finances Today!" link_text: "Transform Your Finances Today!"
iframe: true
{% endif %} {% endif %}
{% if "moodle" in group_names %} {% if "moodle" in group_names %}
@ -345,6 +373,7 @@ cards:
text: "Ignite the learning experience with Moodle, a powerful and versatile platform for online education that energizes classrooms and fosters interactive learning. Embrace innovative tools, engaging content, and a dynamic community of educators and learners." text: "Ignite the learning experience with Moodle, a powerful and versatile platform for online education that energizes classrooms and fosters interactive learning. Embrace innovative tools, engaging content, and a dynamic community of educators and learners."
url: https://{{domains.moodle}} url: https://{{domains.moodle}}
link_text: "Start Learning Now!" link_text: "Start Learning Now!"
iframe: true
{% endif %} {% endif %}
{% if "taiga" in group_names %} {% if "taiga" in group_names %}
@ -355,6 +384,7 @@ cards:
text: "Supercharge your project management with Taiga, a dynamic and agile tool designed for teams that thrive on creativity and collaboration. Experience a vibrant interface, robust task tracking, and an energetic platform that drives your projects to success." text: "Supercharge your project management with Taiga, a dynamic and agile tool designed for teams that thrive on creativity and collaboration. Experience a vibrant interface, robust task tracking, and an energetic platform that drives your projects to success."
url: https://{{domains.taiga}} url: https://{{domains.taiga}}
link_text: "Boost Your Projects Now!" link_text: "Boost Your Projects Now!"
iframe: true
{% endif %} {% endif %}
{% if "friendica" in group_names %} {% if "friendica" in group_names %}
@ -365,6 +395,7 @@ cards:
text: "Connect and share like never before with Friendica, an innovative social networking platform that celebrates community, freedom, and dynamic interactions. Enjoy a spirited and open environment where every connection is a step toward a more engaging digital world." text: "Connect and share like never before with Friendica, an innovative social networking platform that celebrates community, freedom, and dynamic interactions. Enjoy a spirited and open environment where every connection is a step toward a more engaging digital world."
url: https://{{domains.friendica}} url: https://{{domains.friendica}}
link_text: "Join the Social Movement!" link_text: "Join the Social Movement!"
iframe: true
{% endif %} {% endif %}
{% if "portfolio" in group_names %} {% if "portfolio" in group_names %}
@ -375,6 +406,7 @@ cards:
text: "Showcase your professional journey with Portfolio, a dynamic platform that combines creativity and functionality to highlight your achievements. Experience an energetic design, intuitive features, and a compelling way to present your work to the world." text: "Showcase your professional journey with Portfolio, a dynamic platform that combines creativity and functionality to highlight your achievements. Experience an energetic design, intuitive features, and a compelling way to present your work to the world."
url: https://{{domains.portfolio}} url: https://{{domains.portfolio}}
link_text: "Elevate Your Profile Now!" link_text: "Elevate Your Profile Now!"
iframe: true
{% endif %} {% endif %}
{% if "bluesky" in group_names %} {% if "bluesky" in group_names %}
@ -385,6 +417,7 @@ cards:
text: "Soar to new digital heights with Bluesky, an innovative platform that reimagines social networking with its forward-thinking, community-driven approach. Experience a burst of energy, creativity, and the freedom to connect in a truly inspiring way." text: "Soar to new digital heights with Bluesky, an innovative platform that reimagines social networking with its forward-thinking, community-driven approach. Experience a burst of energy, creativity, and the freedom to connect in a truly inspiring way."
url: https://{{domains.bluesky}} url: https://{{domains.bluesky}}
link_text: "Soar with Bluesky Today!" link_text: "Soar with Bluesky Today!"
iframe: true
{% endif %} {% endif %}
@ -396,6 +429,7 @@ cards:
text: "Unlock comprehensive insights with our extensive documentation. Explore guides, tutorials, and support resources designed to help you navigate our software effortlessly." text: "Unlock comprehensive insights with our extensive documentation. Explore guides, tutorials, and support resources designed to help you navigate our software effortlessly."
url: https://{{domains.sphinx}} url: https://{{domains.sphinx}}
link_text: "Explore Documentation Now!" link_text: "Explore Documentation Now!"
iframe: true
{% endif %} {% endif %}
@ -408,6 +442,7 @@ cards:
text: "Manage your databases with confidence using PHPMyAdmin, a robust and dynamic tool designed to simplify administration and enhance productivity. Enjoy an intuitive interface, powerful features, and an energetic approach that makes database management a breeze." text: "Manage your databases with confidence using PHPMyAdmin, a robust and dynamic tool designed to simplify administration and enhance productivity. Enjoy an intuitive interface, powerful features, and an energetic approach that makes database management a breeze."
url: https://{{domains.phpmyadmin}} url: https://{{domains.phpmyadmin}}
link_text: "Optimize Your Database Now!" link_text: "Optimize Your Database Now!"
iframe: true
{% endif %} {% endif %}
{% if "snipe_it" in group_names %} {% if "snipe_it" in group_names %}
@ -418,6 +453,7 @@ cards:
text: "Streamline your asset management with SNIPE-IT, a cutting-edge solution that brings efficiency, clarity, and energy to tracking your hardware and software inventory. Experience a user-friendly design and dynamic features that make asset management simple and engaging." text: "Streamline your asset management with SNIPE-IT, a cutting-edge solution that brings efficiency, clarity, and energy to tracking your hardware and software inventory. Experience a user-friendly design and dynamic features that make asset management simple and engaging."
url: https://{{domains.snipe_it}} url: https://{{domains.snipe_it}}
link_text: "Manage Assets Effortlessly!" link_text: "Manage Assets Effortlessly!"
iframe: true
{% endif %} {% endif %}
@ -504,6 +540,7 @@ navigation:
icon: icon:
class: fa-brands fa-discourse class: fa-brands fa-discourse
url: https://{{domains.discourse}}/ url: https://{{domains.discourse}}/
iframe: true
{% endif %} {% endif %}
{% if "moodle" in group_names %} {% if "moodle" in group_names %}
@ -513,6 +550,7 @@ navigation:
icon: icon:
class: fa-solid fa-graduation-cap class: fa-solid fa-graduation-cap
url: https://{{domains.moodle}}/ url: https://{{domains.moodle}}/
iframe: true
{% endif %} {% endif %}
{% if "listmonk" in group_names %} {% if "listmonk" in group_names %}
@ -522,6 +560,7 @@ navigation:
icon: icon:
class: fa-solid fa-envelope-open-text class: fa-solid fa-envelope-open-text
url: https://{{domains.listmonk}}/subscription/form url: https://{{domains.listmonk}}/subscription/form
iframe: true
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -540,6 +579,7 @@ navigation:
icon: icon:
class: fa-solid fa-tasks class: fa-solid fa-tasks
url: https://{{domains.openproject}}/ url: https://{{domains.openproject}}/
iframe: true
{% endif %} {% endif %}
{% if "taiga" in group_names %} {% if "taiga" in group_names %}
@ -549,6 +589,7 @@ navigation:
icon: icon:
class: bi bi-clipboard2-check-fill class: bi bi-clipboard2-check-fill
url: https://{{domains.taiga}}/ url: https://{{domains.taiga}}/
iframe: true
{% endif %} {% endif %}
{% if "snipe_it" in group_names %} {% if "snipe_it" in group_names %}
@ -558,6 +599,7 @@ navigation:
icon: icon:
class: fas fa-box-open class: fas fa-box-open
url: https://{{domains.snipe_it}}/ url: https://{{domains.snipe_it}}/
iframe: true
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -575,6 +617,7 @@ navigation:
icon: icon:
class: fa-solid fa-comment class: fa-solid fa-comment
url: https://{{domains.matrix_element}}/ url: https://{{domains.matrix_element}}/
iframe: true
{% endif %} {% endif %}
{% if "bigbluebutton" in group_names %} {% if "bigbluebutton" in group_names %}
@ -584,6 +627,7 @@ navigation:
icon: icon:
class: fa-solid fa-video class: fa-solid fa-video
url: https://{{domains.bigbluebutton}}/ url: https://{{domains.bigbluebutton}}/
iframe: true
{% endif %} {% endif %}
{% if "mailu" in group_names %} {% if "mailu" in group_names %}
@ -593,6 +637,7 @@ navigation:
icon: icon:
class: fa-solid fa-envelope class: fa-solid fa-envelope
url: https://{{domains.mailu}}/ url: https://{{domains.mailu}}/
iframe: true
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -610,6 +655,7 @@ navigation:
icon: icon:
class: fa-solid fa-chart-simple class: fa-solid fa-chart-simple
url: https://{{domains.matomo}}/ url: https://{{domains.matomo}}/
iframe: true
{% endif %} {% endif %}
{% if "phpmyadmin" in group_names %} {% if "phpmyadmin" in group_names %}
@ -619,6 +665,7 @@ navigation:
icon: icon:
class: fas fa-database class: fas fa-database
url: https://{{domains.phpmyadmin}}/ url: https://{{domains.phpmyadmin}}/
iframe: true
{% endif %} {% endif %}
{% if "keycloak" in group_names %} {% if "keycloak" in group_names %}
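Review bot: `iframe: true` on the phpMyAdmin navigation entry will render an empty frame and should stay a plain link. phpMyAdmin refuses cross-origin framing by default (`$cfg['AllowThirdPartyFraming'] = false`, which makes it send `X-Frame-Options: DENY`), so embedding only works if that option is flipped, and flipping it exposes a database administration UI to clickjacking from any page that can frame it. Open it in a new tab instead.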
@ -628,6 +675,7 @@ navigation:
icon: icon:
class: fas fa-user-shield class: fas fa-user-shield
url: https://{{domains.keycloak}}/admin url: https://{{domains.keycloak}}/admin
iframe: true
{% endif %} {% endif %}
{% if "ldap" in group_names %} {% if "ldap" in group_names %}
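Review bot: `iframe: true` on the Keycloak `/admin` entry will not work as-is, and making it work would weaken the most sensitive UI in the stack. Keycloak's default realm security headers send `X-Frame-Options: SAMEORIGIN` and `Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'`, so a frame from the portal's origin is refused. Relaxing those headers to allow `*.{{primary_domain}}` widens the clickjacking surface of the admin console; leave this entry as a normal link and keep the default headers.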
@ -637,6 +685,7 @@ navigation:
icon: icon:
class: fas fa-key class: fas fa-key
url: https://{{domains.ldap}}/ url: https://{{domains.ldap}}/
iframe: true
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -654,6 +703,7 @@ navigation:
icon: icon:
class: fa-solid fa-table class: fa-solid fa-table
url: https://{{domains.baserow}}/ url: https://{{domains.baserow}}/
iframe: true
{% endif %} {% endif %}
{% if "yourls" in group_names %} {% if "yourls" in group_names %}
@ -663,6 +713,7 @@ navigation:
icon: icon:
class: bi bi-link class: bi bi-link
url: https://{{domains.yourls}}/admin/ url: https://{{domains.yourls}}/admin/
iframe: true
{% endif %} {% endif %}
{% if "nextcloud" in group_names %} {% if "nextcloud" in group_names %}
@ -672,6 +723,7 @@ navigation:
icon: icon:
class: fa-solid fa-cloud class: fa-solid fa-cloud
url: https://{{domains.nextcloud}}/ url: https://{{domains.nextcloud}}/
iframe: true
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -710,6 +762,7 @@ navigation:
icon: icon:
class: fas fa-book class: fas fa-book
url: https://{{domains.sphinx}} url: https://{{domains.sphinx}}
iframe: true
{% endif %} {% endif %}
@ -718,3 +771,4 @@ navigation:
icon: icon:
class: fa-solid fa-scale-balanced class: fa-solid fa-scale-balanced
url: "{{service_provider.legal.imprint}}" url: "{{service_provider.legal.imprint}}"
iframe: true
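Review bot: `iframe: true` on the imprint entry assumes `{{service_provider.legal.imprint}}` is hosted under the portal's own domain. If it points at an external legal page, that site will normally send `X-Frame-Options` or a `frame-ancestors` directive that denies embedding and the user gets an empty frame. Either derive the flag from whether the URL is under `{{primary_domain}}` or leave it `false` for this entry.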

View File

@ -1,3 +1,5 @@
- name: copy journald.conf - name: copy journald.conf
template: src=templates/journald.conf.j2 dest=/etc/systemd/journald.conf template:
src: templates/journald.conf.j2
dest: /etc/systemd/journald.conf
notify: restart systemd-journald notify: restart systemd-journald

View File

@ -0,0 +1,19 @@
# Configuration Options 📋
## One Wildcard Certificate for All Subdomains
By default, each subdomain gets its own certificate. You can **enable a wildcard certificate** by setting:
```yaml
enable_wildcard_certificate: true
```
## Pros & Cons of a Wildcard Certificate
### Pros
- ✅ **Improves performance** by reducing TLS handshakes.
- ✅ **Simplifies certificate management** (one cert for all subdomains).
### Cons
- ⚠ **Requires manual DNS challenge setup** for Let's Encrypt.
- ⚠ **Needs additional configuration for automation** (see below).
If enabled, update your inventory file and follow the **[manual wildcard certificate setup](SETUP.md)**.
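Review bot: the Cons bullet "Needs additional configuration for automation (see below)" now points at nothing, because the certbot procedure it referred to was moved out of this file in the same change; replace "(see below)" with the link used in the last line, and check that the link target `SETUP.md` is the file the procedure actually landed in. The bullet "Requires manual DNS challenge setup" is correct, but the role's certbot task elsewhere in this compare still requests `*.{{ primary_domain }}` with `--webroot`, so this page documents a DNS-based workflow that the task does not implement.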

View File

@ -17,25 +17,6 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
--- ---
## 📋 **Configuration Options**
### 🔹 **One Wildcard Certificate for All Subdomains**
By default, each subdomain gets its own certificate. You can **enable a wildcard certificate** by setting:
```yaml
enable_wildcard_certificate: true
```
📌 **Pros & Cons of a Wildcard Certificate:**
**Improves performance** by reducing TLS handshakes.
**Simplifies certificate management** (one cert for all subdomains).
**Requires manual DNS challenge setup** for Let's Encrypt.
**Needs additional configuration for automation** (see below).
If enabled, update your inventory file and follow the **manual wildcard certificate setup** below.
---
## 🔧 **Tasks Overview** ## 🔧 **Tasks Overview**
### **1⃣ Main Tasks** ### **1⃣ Main Tasks**
@ -57,64 +38,6 @@ If enabled, update your inventory file and follow the **manual wildcard certific
--- ---
## **🔐 Wildcard Certificate Setup with Let's Encrypt**
If you enabled `enable_wildcard_certificate`, follow these steps to manually request a **wildcard certificate**.
### **1⃣ Run the Certbot Command 🖥️**
```sh
certbot certonly --manual --preferred-challenges=dns --agree-tos \
--email administrator@primary_domain -d primary_domain -d "*.primary_domain"
```
### **2⃣ Add DNS TXT Record for Validation 📜**
Certbot will prompt you to add a DNS TXT record:
```
Please create a TXT record under the name:
_acme-challenge.primary_domain.
with the following value:
9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA
```
**Go to your DNS provider** and create a new **TXT record**:
- **Host:** `_acme-challenge.primary_domain`
- **Value:** `"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"`
- **TTL:** Set to **300 seconds (or lowest possible)**
**Verify the DNS record** before continuing:
```sh
dig TXT _acme-challenge.primary_domain @8.8.8.8
```
### **3⃣ Complete the Certificate Request ✅**
Once the DNS changes have propagated, **press Enter** in the Certbot terminal.
If successful, Certbot will save the certificates under:
```
/etc/letsencrypt/live/primary_domain/
```
- **fullchain.pem** → The certificate
- **privkey.pem** → The private key
---
## **📂 File & Directory Structure**
```sh
roles/nginx-docker-cert-deploy/
├── files/
│ ├── nginx-docker-cert-deploy.sh # Deployment script
├── handlers/
│ ├── main.yml # Restart Nginx handler
├── meta/
│ ├── main.yml # Dependencies
├── tasks/
│ ├── main.yml # Main Ansible tasks
├── templates/
│ ├── nginx-docker-cert-deploy.service.j2 # Systemd service template
├── vars/
│ ├── main.yml # Variable definitions
```
---
## **🔧 Deploying Certificates into Docker Containers** ## **🔧 Deploying Certificates into Docker Containers**
The role **automates copying certificates** into Docker Compose setups. The role **automates copying certificates** into Docker Compose setups.
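Review bot: the "File & Directory Structure" tree deleted in this hunk (`roles/nginx-docker-cert-deploy/` with `files/nginx-docker-cert-deploy.sh`, `templates/nginx-docker-cert-deploy.service.j2` and the rest) does not reappear in any file shown in this compare, unlike the wildcard procedure removed alongside it, which is moved to its own file. If the tree was meant to move too, add it to the new location; otherwise the README no longer tells the reader where the deployment script and the systemd unit live.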
@ -129,20 +52,6 @@ This script:
sh nginx-docker-cert-deploy.sh primary_domain /path/to/docker/compose sh nginx-docker-cert-deploy.sh primary_domain /path/to/docker/compose
``` ```
### **2⃣ Systemd Service & Timer**
The role includes a **`systemd` service** that runs the deployment script whenever certificates are updated.
Example `nginx-docker-cert-deploy.service.j2`:
```ini
[Unit]
Description=Let's Encrypt deploy to {{docker_compose.directories.instance}}
OnFailure=systemd-notifier.cymais@%n.service
[Service]
Type=oneshot
ExecStart=/usr/bin/bash {{path_administrator_scripts}}/nginx-docker-cert-deploy.sh {{primary_domain}} {{docker_compose.directories.instance}}
```
--- ---
## 🎯 **Summary** ## 🎯 **Summary**
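Review bot: this hunk removes the only description of the `nginx-docker-cert-deploy.service` unit, including its `OnFailure=systemd-notifier.cymais@%n.service` hook, without relocating it in the files shown. The remaining text still claims the role automates copying certificates into containers, but no longer says what triggers the script after a renewal, which is exactly what an operator debugging a stale certificate inside a container needs to know. Move the unit description to the new documentation file rather than dropping it.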

View File

@ -0,0 +1,36 @@
## **🔐 Wildcard Certificate Setup with Let's Encrypt**
If you enabled `enable_wildcard_certificate`, follow these steps to manually request a **wildcard certificate**.
### **1⃣ Run the Certbot Command 🖥️**
```sh
certbot certonly --manual --preferred-challenges=dns --agree-tos \
--email administrator@primary_domain -d primary_domain -d "*.primary_domain"
```
### **2⃣ Add DNS TXT Record for Validation 📜**
Certbot will prompt you to add a DNS TXT record:
```
Please create a TXT record under the name:
_acme-challenge.primary_domain.
with the following value:
9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA
```
**Go to your DNS provider** and create a new **TXT record**:
- **Host:** `_acme-challenge.primary_domain`
- **Value:** `"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"`
- **TTL:** Set to **300 seconds (or lowest possible)**
**Verify the DNS record** before continuing:
```sh
dig TXT _acme-challenge.primary_domain @8.8.8.8
```
### **3⃣ Complete the Certificate Request ✅**
Once the DNS changes have propagated, **press Enter** in the Certbot terminal.
If successful, Certbot will save the certificates under:
```
/etc/letsencrypt/live/primary_domain/
```
- **fullchain.pem** → The certificate
- **privkey.pem** → The private key
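Review bot: In step 2 the `- **Value:**` bullet wraps the token in literal double quotes (`"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"`) while the Certbot prompt quoted just above shows it bare; several DNS provider forms store the quotes as part of the record, and the challenge then fails. Show the value without quotes and add one sentence that the token is an example that changes on every run. Also missing from the guide: a certificate obtained with `certbot certonly --manual` is not renewed by the certbot timer unless a `--manual-auth-hook` is supplied, so the TXT-record step repeats by hand before each 90-day expiry; either state that, or point to one of certbot's `dns-*` authenticator plugins so the wildcard certificate does not silently lapse.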
@ -14,6 +14,13 @@ location {{location | default("/")}}
proxy_set_header X-Forwarded-Port 443; proxy_set_header X-Forwarded-Port 443;
proxy_set_header Accept-Encoding ""; proxy_set_header Accept-Encoding "";
{% if nginx.iframe | bool %}
# activate embedding via iframe
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors {{primary_domain}} 'self' *.{{primary_domain}};" always;
{% endif %}
# WebSocket specific header # WebSocket specific header
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
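Review bot: Placing `add_header` directives inside this `location` block switches off inheritance of every `add_header` defined at the `server` level for that location (nginx only inherits `add_header` from the enclosing level when the current level defines none), so any HSTS or other security headers configured above this block stop being sent for `{{location | default("/")}}` whenever `nginx.iframe` is true; either repeat those headers here or move the two new headers into a shared `include` file. Second, the two headers disagree: `X-Frame-Options "SAMEORIGIN"` permits only the same origin, while `frame-ancestors {{primary_domain}} 'self' *.{{primary_domain}}` also admits every subdomain. Browsers that understand `frame-ancestors` ignore `X-Frame-Options` when both are present, so the effective policy is the CSP one and the `X-Frame-Options` value only governs legacy browsers; add a comment saying that so nobody later "tightens" the wrong header.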
@ -8,7 +8,7 @@
# Wildcard certificate should not be used # Wildcard certificate should not be used
# OR: The domain is not a first-level subdomain of the primary domain # OR: The domain is not a first-level subdomain of the primary domain
- name: "recieve wildcard certificate for *{{ primary_domain }}" - name: "recieve wildcard certificate *{{ primary_domain }} for {{domain}}"
command: >- command: >-
certbot certonly --agree-tos --email {{ users.administrator.email }} certbot certonly --agree-tos --email {{ users.administrator.email }}
--non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
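Review bot: The command in this hunk requests `-d *.{{ primary_domain }}` with `--webroot -w /var/lib/letsencrypt/`, which is the HTTP-01 challenge; Let's Encrypt issues wildcard names only through the DNS-01 challenge, so the CA rejects this request regardless of the rename. Either restrict this task to the non-wildcard names and use the manual DNS flow documented in the new wildcard README for `*.{{ primary_domain }}`, or switch to one of certbot's `dns-*` authenticator plugins. Minor: the new task name keeps the spelling error `recieve` and is missing the dot in `*{{ primary_domain }}`.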
@ -20,8 +20,6 @@
# AND: The domain is a direct first-level subdomain of the primary domain # AND: The domain is a direct first-level subdomain of the primary domain
- run_once_recieve_certificate is not defined - run_once_recieve_certificate is not defined
# Ensure this task runs only once for the wildcard certificate # Ensure this task runs only once for the wildcard certificate
- domain == primary_domain
# The domain is the primary domain
- name: "Cleanup dedicated cert for {{ domain }}" - name: "Cleanup dedicated cert for {{ domain }}"
command: >- command: >-
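Review bot: With the `domain == primary_domain` guard removed, the only thing preventing the wildcard request from running once per domain is the `run_once_recieve_certificate is not defined` condition. Confirm that a `set_fact` defining `run_once_recieve_certificate` follows the certbot task in this file; otherwise every domain in the loop triggers another certbot call for the same names and runs into the CA's duplicate-certificate rate limit.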
tasks/README.md Normal file
@ -0,0 +1,22 @@
# Deploy
This guide explains how to deploy and manage the Cyber Master Infrastructure Solution (CyMaIS) using Ansible. CyMaIS is based on a collection of ansible tasks. The tasks use different “modes” to control behavior such as updates, backups, resets, and cleanup tasks.
## Prerequisites
- **Inventory File:** Have an inventory file that lists your servers and PCs. (Paths in examples are general; adjust them to your environment.)
- **Cymais Installed:** CyMaIS is installed via [Kevin's Package-Manager](https://github.com/kevinveenbirkenbach/package-manager).
- **Vault Password File (Optional):** Prepare a file with your vault password if you prefer not to enter it interactively.
## Deploying on Servers
To get detailled information how to use CyMaIS to deploy software to your server execute:
```sh
cymais --help
```
## Using a Password File
To avoid entering your vault password interactively every time, use the `--password-file` option:
```bash
--password-file /path/to/your/vault_pass.txt
```
Ensure the vault password file is stored securely.
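Review bot: The `## Using a Password File` section shows `--password-file /path/to/your/vault_pass.txt` on its own, with no command in front of it, so the reader cannot tell whether it is an option of `cymais` or of `ansible-playbook` (whose own option is spelled `--vault-password-file`); give the full command line. `Ensure the vault password file is stored securely` is too vague to act on: state that the file must be readable only by the deploying user (`chmod 600`) and kept outside the repository and the inventory directory. Spelling: `detailled` should be `detailed`.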
@ -1,7 +1,6 @@
--- ---
- name: Merge variables - name: Merge variables
hosts: all block:
tasks:
- name: Merge users - name: Merge users
set_fact: set_fact:
users: "{{ default_users | combine(users, recursive=True) }}" users: "{{ default_users | combine(users, recursive=True) }}"
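Review bot: Replacing `hosts: all` and `tasks:` with `block:` turns this file from a self-contained play into a task list, so it no longer chooses its own hosts or `become` level and must be included from a play that does; the hunk does not show that caller, so confirm it targets `hosts: all`, since the `Merge users` `set_fact` has to run on every host before the roles further down consult `users`.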
@ -61,60 +60,50 @@
when: enable_debug | bool when: enable_debug | bool
- name: update device - name: update device
hosts: all include_role:
become: true name: update
roles: when: mode_update | bool
- role: update
when: mode_update | bool
- name: setup standard wireguard - name: setup standard wireguard
hosts: wireguard_server when: ("wireguard_server" in group_names)
become: true include_role:
roles: name: wireguard
- wireguard
# vpn setup # vpn setup
- name: setup wireguard client behind firewall\nat - name: setup wireguard client behind firewall\nat
hosts: wireguard_behind_firewall when: ("wireguard_behind_firewall" in group_names)
become: true include_role:
roles: name: client-wireguard-behind-firewall
- client-wireguard-behind-firewall
- name: setup wireguard client - name: setup wireguard client
hosts: wireguard_client when: ("wireguard_client" in group_names)
become: true include_role:
roles: name: client-wireguard
- client-wireguard
## backup setup ## backup setup
- name: setup replica backup hosts - name: setup replica backup hosts
hosts: backup_remote_to_local when: ("backup_remote_to_local" in group_names)
become: true include_role:
roles: name: backup-remote-to-local
- role: backup-remote-to-local
- name: setup backup to swappable - name: setup backup to swappable
hosts: backup_to_usb when: ("backup_to_usb" in group_names)
become: true include_role:
roles: name: backup-data-to-usb
- backup-data-to-usb
## driver setup ## driver setup
- name: driver-intel - name: driver-intel
hosts: intel when: ("intel" in group_names)
become: true include_role:
roles: name: driver-intel
- driver-intel
- name: setup multiprinter hosts - name: setup multiprinter hosts
hosts: epson_multiprinter when: ("epson_multiprinter" in group_names)
become: true include_role:
roles: name: driver-epson-multiprinter
- driver-epson-multiprinter
## system setup ## system setup
- name: setup swapfile hosts - name: setup swapfile hosts
hosts: swapfile when: ("swapfile" in group_names)
become: false include_role:
roles: name: system-swapfile
- system-swapfile
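Review bot: Every play in the old version carried an explicit `become: true` (and the swapfile play `become: false`), and all of those lines are deleted while the replacement `include_role` tasks set no `become` at all, so privilege escalation for `update`, the wireguard roles, the backup roles and the driver roles now depends on whatever the enclosing play declares, and `system-swapfile` loses its deliberate unprivileged run. Keywords on an `include_role` task are documented as applying to the include statement itself, not to the role's tasks, so pass the level down per role with `apply: { become: true }` (or `become: false` for swapfile), or use `import_role`, which does propagate task keywords. The `when: ("<group>" in group_names)` conditions are fine as they are, since they are evaluated per host before the role is loaded.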
tasks/destructor.yml Normal file
@ -0,0 +1,4 @@
- name: optimize storage performance
include_role:
name: system-storage-optimizer
when: "(path_mass_storage is defined or path_rapid_storage is defined) and enable_system_storage_optimizer | bool and (docker_enabled is defined and docker_enabled | bool) "
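Review bot: The file is named `tasks/destructor.yml` but its only task is `optimize storage performance`; a reader expects teardown logic behind that name, so either the file name or the content is wrong. The `when:` string also ends with a trailing space inside the quotes, and on a host that has `path_mass_storage` or `path_rapid_storage` defined but no `enable_system_storage_optimizer` variable, `enable_system_storage_optimizer | bool` is evaluated before the `docker_enabled is defined` guard and raises an undefined-variable error instead of skipping; guard it with `is defined` like the other operands or use `| default(false)`.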
@ -0,0 +1,90 @@
---
## pc applications
- name: general host setup
when: ("personal_computers" in group_names)
include_role:
name: "{{ item }}"
loop:
- pc-administrator-tools
- driver-non-free
- name: pc-office
when: ("collection_officetools
include_role:
name: "{{ item }}"
loop:
- pc-office
- pc-jrnl
- name: personal computer for business
when: ("business_personal_computer" in group_names)
include_role:
name: pc-gnucash
- name: pc-designer-tools
when: ("collection_designer" in group_names)
include_role:
name: pc-designer-tools
- name: pc-qbittorrent
when: ("collection_torrent" in group_names)
include_role:
name: pc-qbittorrent
- name: pc-streaming-tools
when: ("collection_streamer" in group_names)
include_role:
name: pc-streaming-tools
- name: pc-bluray-player-tools
when: ("collection_bluray_player" in group_names)
include_role:
name: pc-bluray-player-tools
- name: pc-latex
when: ("latex" in group_names)
include_role:
name: pc-latex
- name: GNOME setup
when: ("gnome
include_role:
name: pc-gnome
- name: setup ssh client
when: ("ssh" in group_names)
become: false
include_role:
name: pc-ssh
- name: setup gaming hosts
when: ("gaming" in group_names)
include_role:
name: pc-games
- name: setup entertainment hosts
when: ("entertainment" in group_names)
include_role:
name: pc-spotify
- name: setup torbrowser hosts
when: ("torbrowser" in group_names)
include_role:
name: pc-torbrowser
- name: setup nextcloud
when: ("nextcloud_client" in group_names)
include_role:
name: pc-nextcloud
- name: setup docker
when: ("dockerin group_names)
include_role:
name: pc-docker
# driver
- name: setup msi rgb keyboard
when: ("msi_perkeyrgb" in group_names)
include_role:
name: driver-msi-keyboard-color
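Review bot: Three `when:` expressions in this file are not valid as shown: `when: ("collection_officetools` (pc-office), `when: ("gnome` (GNOME setup) and `when: ("dockerin group_names)` (setup docker). The first two stop after the opening quote and the third has lost the closing quote and the ` in ` between the group name and `group_names`. If that is the committed content, the whole task file fails to parse and no pc role runs; complete them in the `("<group>" in group_names)` form the rest of the file uses. Also, `become: false` on the `setup ssh client` include applies only to the `include_role` statement itself, not to the tasks inside `pc-ssh`; use `apply: { become: false }` if the intent is to run that role unprivileged.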
tasks/server.yml Normal file
@ -0,0 +1,222 @@
---
- name: servers host setup
when: ("servers" in group_names)
include_role:
name: "{{ item }}"
loop:
- system-security
- journalctl
- health-disc-space
- cleanup-disc-space
- health-btrfs
- system-btrfs-auto-balancer
#########################################################################
### Docker Roles ###
#########################################################################
- name: "setup matomo"
when: ("matomo" in group_names)
include_role:
name: docker-matomo
- name: setup ldap
when: ("ldap" in group_names)
include_role:
name: docker-ldap
- name: setup keycloak
when: ("keycloak" in group_names)
include_role:
name: docker-keycloak
- name: setup nextcloud hosts
when: ("nextcloud" in group_names)
include_role:
name: docker-nextcloud
- name: setup gitea hosts
when: ("gitea" in group_names)
include_role:
name: docker-gitea
vars:
run_mode: prod
- name: setup wordpress hosts
when: ("wordpress" in group_names)
include_role:
name: docker-wordpress
- name: setup mediawiki hosts
when: ("mediawiki" in group_names)
include_role:
name: docker-mediawiki
- name: setup mybb hosts
when: ("mybb" in group_names)
include_role:
name: docker-mybb
vars:
mybb_domains: "{{domains.mybb}}"
- name: setup yourls hosts
when: ("yourls" in group_names)
include_role:
name: docker-yourls
- name: setup mailu hosts
when: ("mailu" in group_names)
include_role:
name: docker-mailu
- name: setup elk hosts
when: ("elk" in group_names)
include_role:
name: docker-elk
- name: setup mastodon hosts
when: ("mastodon" in group_names)
include_role:
name: docker-mastodon
- name: setup pixelfed hosts
when: ("pixelfed" in group_names)
include_role:
name: docker-pixelfed
- name: setup peertube hosts
when: ("peertube" in group_names)
include_role:
name: docker-peertube
- name: setup bigbluebutton hosts
when: ("bigbluebutton" in group_names)
include_role:
name: docker-bigbluebutton
vars:
domain: "{{domains.bigbluebutton}}"
- name: setup funkwhale hosts
when: ("funkwhale" in group_names)
include_role:
name: docker-funkwhale
- name: setup roulette-wheel hosts
when: ("roulette-wheel" in group_names)
include_role:
name: docker-roulette-wheel
- name: setup joomla hosts
when: ("joomla" in group_names)
include_role:
name: docker-joomla
- name: setup attendize
when: ("attendize" in group_names)
include_role:
name: docker-attendize
- name: setup baserow hosts
when: ("baserow" in group_names)
include_role:
name: docker-baserow
- name: setup listmonk
when: ("listmonk" in group_names)
include_role:
name: docker-listmonk
- name: setup discourse
when: ("discourse" in group_names)
include_role:
name: docker-discourse
- name: setup matrix with flavor 'ansible'
include_role:
name: docker-matrix-ansible
when: applications.matrix.role == 'ansible' and ("matrix" in group_names)
- name: setup matrix with flavor 'compose'
include_role:
name: docker-matrix-compose
when: applications.matrix.role == 'compose' and ("matrix" in group_names)
- name: setup open project instances
when: ("openproject" in group_names)
include_role:
name: docker-openproject
- name: setup gitlab hosts
when: ("gitlab" in group_names)
include_role:
name: docker-gitlab
- name: setup akaunting hosts
when: ("akaunting" in group_names)
include_role:
name: docker-akaunting
- name: setup moodle instance
when: ("moodle" in group_names)
include_role:
name: docker-moodle
- name: setup taiga instance
when: ("taiga" in group_names)
include_role:
name: docker-taiga
- name: setup friendica hosts
when: ("friendica" in group_names)
include_role:
name: docker-friendica
- name: setup portfolio
when: ("portfolio" in group_names)
include_role:
name: docker-portfolio
- name: setup bluesky
when: ("bluesky" in group_names)
include_role:
name: docker-bluesky
- name: setup PHPMyAdmin
when: ("phpmyadmin" in group_names)
include_role:
name: docker-phpmyadmin
- name: setup SNIPE-IT
when: ("snipe_it" in group_names)
include_role:
name: docker-snipe_it
- name: setup sphinx
when: ("sphinx" in group_names)
include_role:
name: docker-sphinx
# Native Webserver Roles
- name: setup nginx-serve-htmls
when: ("nginx-serve-htmls" in group_names)
include_role:
name: nginx-serve-html
vars:
domain: "{{primary_domain}}"
- name: "setup corporate identity"
when: ("corporate_identity" in group_names)
include_role:
name: corporate-identity
- name: setup redirect hosts
when: ("redirect" in group_names)
include_role:
name: nginx-redirect-domain
vars:
domain_mappings: "{{redirect_domain_mappings}}"
- name: setup www redirect
when: ("www_redirect" in group_names)
include_role:
name: nginx-redirect-www
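Review bot: The two matrix tasks evaluate `applications.matrix.role == 'ansible'` before `("matrix" in group_names)`, so on every host that is not in the `matrix` group and has no `applications.matrix` variable the `when:` raises an undefined-variable error instead of skipping; put the group test first (`("matrix" in group_names) and applications.matrix.role == 'ansible'`) so the `and` short-circuits, as every other task in this file already does by checking group membership first. Two group names use hyphens (`nginx-serve-htmls`, `roulette-wheel`); Ansible warns at inventory load that such names contain invalid characters because they are not valid identifiers, and `nginx-serve-htmls` next to the role `nginx-serve-html` reads like a typo rather than intent, so rename them to `nginx_serve_html` and `roulette_wheel`. Lastly, `system-security` correctly comes first in the `servers host setup` loop, but that loop runs the roles via `include_role` with no explicit `become`, so escalation for these system roles depends entirely on the enclosing play; make it explicit with `apply: { become: true }`.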