Refactor role naming for TLS and proxy stack

- Renamed role `srv-tls-core` → `sys-svc-certs`
- Renamed role `srv-https-stack` → `sys-stk-front-pure`
- Renamed role `sys-stk-front` → `sys-stk-front-proxy`
- Updated all includes, READMEs, meta, and dependent roles accordingly

This improves clarity and consistency of naming conventions for certificate management and proxy orchestration.

See: https://chatgpt.com/share/68b19f2c-22b0-800f-ba9b-3f2c8fd427b0

group_vars/all/09_networks.yml

@@ -10,8 +10,8 @@ defaults_networks:
     # /28 Networks, 14 Usable Ip Addresses
     web-app-akaunting:
       subnet: 192.168.101.0/28
-    web-app-attendize:
+    # Free:
-      subnet: 192.168.101.16/28
+    #  subnet: 192.168.101.16/28
     web-app-baserow:
       subnet: 192.168.101.32/28
     web-app-mobilizon:

group_vars/all/09_ports.yml

@@ -36,7 +36,7 @@ ports:
       web-app-funkwhale: 8012
       web-app-roulette-wheel: 8013
       web-app-joomla: 8014
-      web-app-attendize: 8015
+      # Free: 8015
       web-app-pgadmin: 8016
       web-app-baserow: 8017
       web-app-matomo: 8018

group_vars/all/12_oidc.yml

@@ -25,7 +25,7 @@ defaults_oidc:
   URL:                    "{{ _oidc_url }}"
   CLIENT:
     ID:                   "{{ _oidc_client_id }}"                                                 # Client identifier, typically matching your primary domain
-#   secret:                                                                                       # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
+#   SECRET:                                                                                       # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
     REALM:                "{{ _oidc_client_realm }}"                                              # The realm to which the client belongs in the OIDC provider
     ISSUER_URL:           "{{ _oidc_client_issuer_url }}"                                         # Base URL of the OIDC provider (issuer)
     DISCOVERY_DOCUMENT:   "{{ _oidc_client_issuer_url ~ '/.well-known/openid-configuration' }}"   # URL for fetching the provider's configuration details

roles/docker-compose/handlers/main.yml

@@ -15,7 +15,7 @@
 - name: docker compose pull
   shell: |
     set -euo pipefail
-    lock="{{ [ PATH_DOCKER_COMPOSE_PULL_LOCK_DIR | docker_compose.directories.instance ] | path_join | hash('sha1') }}"
+    lock="{{ [ PATH_DOCKER_COMPOSE_PULL_LOCK_DIR, docker_compose.directories.instance ] | path_join | hash('sha1') }}"
     if [ ! -e "$lock" ]; then
       mkdir -p "$(dirname "$lock")"
       docker compose pull

roles/pkgmgr/tasks/01_core.yml

@@ -16,29 +16,23 @@
 
 - name: Create installation directory for Kevin's Package Manager
   file:
-    path: "{{ pkgmgr_install_path }}"
+    path: "{{ PKGMGR_INSTALL_PATH }}"
     state: directory
     mode: '0755'
   become: true
 
 - name: Clone Kevin's Package Manager repository
   git:
-    repo: "{{ pkgmgr_repo_url }}"
+    repo: "{{ PKGMGR_REPO_URL }}"
-    dest: "{{ pkgmgr_install_path }}"
+    dest: "{{ PKGMGR_INSTALL_PATH }}"
     version: "HEAD"
     force: yes
   become: true
 
-- name: Ensure main.py is executable
-  file:
-    path: "{{ pkgmgr_install_path }}/main.py"
-    mode: '0755'
-  become: true
-
 - name: create config.yaml
   template:
     src: config.yaml.j2
-    dest: "{{ pkgmgr_config_path }}"
+    dest: "{{ PKGMGR_CONFIG_PATH }}"
   become: true
 
 - name: Run the Package Manager install command to create an alias for Kevins package manager
@@ -46,6 +40,6 @@
     source ~/.venvs/pkgmgr/bin/activate
     make setup
   args:
-    chdir: "{{ pkgmgr_install_path }}"
+    chdir: "{{ PKGMGR_INSTALL_PATH }}"
     executable: /bin/bash
   become: true

roles/pkgmgr/templates/config.yaml.j2

@@ -1,3 +1,3 @@
 directories: 
-  repositories: "{{repositories_directory}}"
+  repositories: "{{ PKGMGR_REPOSITORIES_DIR }}"
-  binaries:     "{{binaries_directory}}"
+  binaries:     "{{ PKGMGR_BINARIES_DIR }}"

roles/pkgmgr/vars/main.yml

@@ -2,16 +2,16 @@
 # Variables for Kevin's Package Manager installation
 
 # The Git repository URL for Kevin's Package Manager
-pkgmgr_repo_url:        "https://github.com/kevinveenbirkenbach/package-manager.git"
+PKGMGR_REPO_URL:        "https://github.com/kevinveenbirkenbach/package-manager.git"
-
-# Directory which contains all Repositories managed by Kevin's Package Manager
-repositories_directory: "/opt/Repositories/"
-
-# The directory where the repository will be cloned
-pkgmgr_install_path:    "{{repositories_directory}}github.com/kevinveenbirkenbach/package-manager"
-
-# File containing the configuration
-pkgmgr_config_path:     "{{pkgmgr_install_path}}/config/config.yaml"
 
 # The directory where executable aliases will be installed (ensure it's in your PATH)
-binaries_directory:     "/usr/local/bin" 
+PKGMGR_BINARIES_DIR:     "/usr/local/bin" 
+
+# Directory which contains all Repositories managed by Kevin's Package Manager
+PKGMGR_REPOSITORIES_DIR: "/opt/Repositories/"
+
+# The directory where the repository will be cloned
+PKGMGR_INSTALL_PATH:    "{{ [ PKGMGR_REPOSITORIES_DIR, 'github.com/kevinveenbirkenbach/package-manager' ] | path_join }}"
+
+# File containing the configuration
+PKGMGR_CONFIG_PATH:     "{{ [ PKGMGR_INSTALL_PATH, 'config/config.yaml' ] | path_join }}"

roles/srv-composer/README.md

@@ -4,7 +4,7 @@ This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and
 
 1. **`sys-srv-web-inj-compose`**
    Injects global HTML snippets (CSS, Matomo tracking, iFrame notifier, custom JavaScript) into responses using Nginx `sub_filter`.
-2. **`srv-tls-core`**
+2. **`sys-svc-certs`**
    Handles issuing, renewing, and managing TLS certificates via ACME/Certbot.
 
 By combining encryption setup with content enhancements, this role streamlines domain provisioning for secure, fully-featured HTTP/HTTPS delivery.
@@ -16,7 +16,7 @@ By combining encryption setup with content enhancements, this role streamlines d
 * **Content Injection**
   Adds global theming, analytics, and custom scripts before `</head>` and tracking noscript tags before `</body>`.
 * **Certificate Management**
-  Automates cert issuance and renewal via `srv-tls-core`.
+  Automates cert issuance and renewal via `sys-svc-certs`.
 * **Idempotent Workflow**
   Ensures each component runs only once per domain.
 * **Simplified Playbooks**

roles/srv-composer/tasks/main.yml

@@ -4,6 +4,6 @@
   include_role: 
     name: sys-srv-web-inj-compose
 
-- name: "include role srv-tls-core for '{{ domain }}'"
+- name: "include role sys-svc-certs for '{{ domain }}'"
   include_role: 
-    name: srv-tls-core
+    name: sys-svc-certs

roles/srv-proxy-core/README.md

@@ -16,7 +16,7 @@ The goal of this role is to deliver a **hassle-free, production-ready reverse pr
 
 ## Features
 
-- **Automatic TLS & HSTS** — integrates with the *srv-https-stack* role for certificate management.  
+- **Automatic TLS & HSTS** — integrates with the *sys-stk-front-pure* role for certificate management.  
 - **Flexible vHost templates** — *basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications.  
 - **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings.  
 - **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured.  

roles/srv-proxy-core/tasks/main.yml

@@ -3,7 +3,7 @@
     include_role:
       name: '{{ item }}'
     loop:
-    - srv-https-stack
+    - sys-stk-front-pure
     - srv-core
   - include_tasks: utils/run_once.yml
   when: run_once_srv_proxy_core is not defined

roles/svc-net-wireguard-core/tasks/main.yml

@@ -18,10 +18,10 @@
     group: root
   notify: reload sysctl configuration
 
-- name: create /etc/wireguard/wg0.{{ SOFTWARE_NAME | lower }}.conf
+- name: "deploy {{ WG0_CONF_DEST }}"
   copy:
-    src: "{{ inventory_dir }}/files/{{ inventory_hostname }}/etc/wireguard/wg0.conf"
+    src:    "{{ [inventory_dir, 'files', inventory_hostname, 'etc/wireguard/wg0.conf' ] | path_join }}"
-    dest: /etc/wireguard/wg0.{{ SOFTWARE_NAME | lower }}.conf
+    dest:   "{{ WG0_CONF_DEST }}"
-    owner: root
+    owner:  root
-    group: root
+    group:  root
   notify: restart wireguard

roles/svc-net-wireguard-core/vars/main.yml

@@ -1 +1,3 @@
 application_id: svc-net-wireguard-core
+
+WG0_CONF_DEST:  "/etc/wireguard/wg0.conf"

roles/sys-ctl-hlth-journalctl/tasks/01_core.yml

@@ -9,4 +9,4 @@
     system_service_on_calendar:     "{{ SYS_SCHEDULE_HEALTH_JOURNALCTL }}"
     system_service_timer_enabled:   true
     system_service_tpl_on_failure:  "{{ SYS_SERVICE_ON_FAILURE_COMPOSE }}"
-#    system_service_suppress_flush:  true # There are almost allways errors in the journalctl logs so suppression is neccessary to let playbook run
+    system_service_suppress_flush:  true # There are almost allways errors in the journalctl logs so suppression is neccessary to let playbook run

roles/sys-stk-front-proxy/README.md

@@ -6,10 +6,10 @@ This role bootstraps **per-domain Nginx configuration**: it requests TLS certifi
 
 ## Overview
 
-A higher-level orchestration wrapper, *sys-stk-front* ties together several lower-level roles:
+A higher-level orchestration wrapper, *sys-stk-front-proxy* ties together several lower-level roles:
 
 1. **`sys-srv-web-inj-compose`** – applies global tweaks and includes.  
-2. **`srv-tls-core`** – obtains Let’s Encrypt certificates.  
+2. **`sys-svc-certs`** – obtains Let’s Encrypt certificates.  
 3. **Domain template deployment** – copies a Jinja2 vHost from *srv-proxy-core*.  
 4. **`web-app-oauth2-proxy`** *(optional)* – protects the site with OAuth2.
 

roles/sys-stk-front-proxy/tasks/main.yml

@@ -4,7 +4,7 @@
       name: srv-proxy-core
     when: run_once_srv_proxy_core is not defined
   - include_tasks: utils/run_once.yml
-  when: run_once_sys_stk_front is not defined
+  when: run_once_sys_stk_front_proxy is not defined
 
 - include_tasks: "01_cloudflare.yml"
   when: DNS_PROVIDER == "cloudflare"

roles/sys-stk-front-pure/README.md

@@ -1,7 +1,7 @@
 # Webserver HTTPS Provisioning 🚀
 
 ## Description
-The **srv-https-stack** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
+The **sys-stk-front-pure** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
 
 1. Ensures your Nginx server is configured for SSL/TLS.
 2. Pulls in Let’s Encrypt ACME challenge handling.
@@ -13,7 +13,7 @@ This role is built on top of your existing `srv-core` role, and it automates the
 
 ## Overview
 
-When you apply **srv-https-stack**, it will:
+When you apply **sys-stk-front-pure**, it will:
 
 1. **Include** the `srv-core` role to install and configure Nginx.  
 2. **Clean up** any stale vHost files under `sys-svc-cln-domains`.  

roles/sys-stk-front-pure/tasks/main.yml

@@ -7,4 +7,4 @@
     - sys-svc-cln-domains
     - srv-letsencrypt
   - include_tasks: utils/run_once.yml
-  when: run_once_srv_https_stack is not defined
+  when: run_once_sys_stk_front_pure is not defined

roles/sys-stk-full-stateful/README.md

@@ -8,4 +8,4 @@ This role builds on `sys-stk-back-stateful` by adding a reverse-proxy frontend f
   Leverages the `sys-stk-back-stateful` role to stand up your containerized database (PostgreSQL, MariaDB, etc.) with backups and user management.
 
 - **Reverse Proxy**  
-  Includes the `sys-stk-front` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.
+  Includes the `sys-stk-front-proxy` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.

roles/sys-stk-full-stateful/meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
   author: "Kevin Veen-Birkenbach"
   description: >
-    Extends sys-stk-back-stateful by adding an HTTP reverse proxy via sys-stk-front.
+    Extends sys-stk-back-stateful by adding an HTTP reverse proxy via sys-stk-front-proxy.
   company: |
     Kevin Veen-Birkenbach
     Consulting & Coaching Solutions

roles/sys-stk-full-stateful/tasks/main.yml

@@ -4,9 +4,9 @@
   vars:
     handler_role_name: "svc-prx-openresty"
 
-- name: "For '{{ application_id }}': include role sys-stk-front"
+- name: "For '{{ application_id }}': include role sys-stk-front-proxy"
   include_role:
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   vars:
     domain:     "{{ domains | get_domain(application_id) }}"
     http_port:  "{{ ports.localhost.http[application_id] }}"

roles/sys-stk-full-stateless/README.md

@@ -8,4 +8,4 @@ This role combines the standard Docker Compose setup with a reverse-proxy for an
   Brings up containers, networks, and volumes via the `docker-compose` role.
 
 - **Reverse Proxy**  
-  Uses the `sys-stk-front` role to expose your application under a custom domain and port.
+  Uses the `sys-stk-front-proxy` role to expose your application under a custom domain and port.

roles/sys-stk-full-stateless/meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
   author: "Kevin Veen-Birkenbach"
   description: >
-    Combines the docker-compose role with sys-stk-front to
+    Combines the docker-compose role with sys-stk-front-proxy to
     deploy applications behind a reverse proxy.
   company: |
     Kevin Veen-Birkenbach

roles/sys-stk-full-stateless/tasks/main.yml

@@ -1,9 +1,9 @@
 # run_once_sys_stk_full_stateless: deactivated
 
 # Load the proxy first, so that openresty handlers are flushed before the main docker compose
-- name: "For '{{ application_id }}': include role sys-stk-front"
+- name: "For '{{ application_id }}': include role sys-stk-front-proxy"
   include_role:
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   vars:
     domain:   "{{ domains | get_domain(application_id) }}"
     http_port:   "{{ ports.localhost.http[application_id] }}"

roles/sys-svc-certs/tasks/main.yml

@@ -1,13 +1,13 @@
 - block:
-  - name: Include dependency 'srv-https-stack'
+  - name: Include dependency 'sys-stk-front-pure'
     include_role:
-      name: srv-https-stack
+      name: sys-stk-front-pure
-    when: run_once_srv_https_stack is not defined
+    when: run_once_sys_stk_front_pure is not defined
   - include_tasks: utils/run_once.yml
-  when: run_once_srv_tls_core is not defined
+  when: run_once_sys_svc_certs is not defined
 
 - name: "Include flavor '{{ CERTBOT_FLAVOR }}' for '{{ domain }}'"
-  include_tasks: "{{ role_path }}/tasks/flavors/{{ CERTBOT_FLAVOR }}.yml"
+  include_tasks: "{{ [role_path, 'tasks/flavors', CERTBOT_FLAVOR ~'.yml'] | path_join }}"
 
 #- name: "Cleanup dedicated cert for '{{ domain }}'"
 #  command: >-

roles/web-app-attendize/Installation.md

@@ -1,5 +0,0 @@
-## Setup Instructions
-
-```bash
-bash ./Makefile setup
-```

roles/web-app-attendize/README.md

@@ -1,39 +0,0 @@
-# Attendize (Deprecated)
-
-## Warning
-
-> **Note:** This role is a work in progress. Use with caution and check for updates.
-> The role wasn't updated since over 3 years. propably it makes sense to focus on the **web-app-pretix** app instead
-
-## Description
-
-Revolutionize your event management with Attendize, an energetic and intuitive platform designed to streamline ticketing and event planning. Enjoy a feature-rich, user-friendly solution that transforms every event into an unforgettable experience.
-
-## Installation
-
-For detailed setup instructions, please refer to [Installation.md](./Installation.md).
-
-## Features
-
-- **Dynamic Ticketing System:** Manage ticket sales, event registrations, and seating arrangements with ease.
-- **Customizable Events:** Create and tailor events to fit various event types and needs.
-- **Integrated Payment Processing:** Simplify ticket purchases with support for multiple payment gateways.
-- **Real-Time Analytics:** Monitor event performance and attendee behavior via interactive dashboards.
-- **User-Friendly Interface:** Experience a seamless design that caters to both administrators and attendees.
-- **Robust API:** Extend functionalities and easily integrate with other systems.
-
-For more information about Attendize and its capabilities, please visit the [Attendize Homepage](https://attendize.com).
-
-## Further Resources
-
-- [Attendize GitHub Repository](https://github.com/Attendize/Attendize.git)
-- [Attendize Documentation](https://github.com/Attendize/Attendize)
-- [Attendize Issue Tracker](https://github.com/Attendize/Attendize/issues)
-
-## Credits
-
-Developed and maintained by **Kevin Veen-Birkenbach**.  
-Learn more at [veen.world](https://www.veen.world).
-
-Part of the [Infinito.Nexus Project](https://s.infinito.nexus/code)  
-Licensed under [Infinito.Nexus NonCommercial License](https://s.infinito.nexus/license).

roles/web-app-attendize/TODO.md

@@ -1,2 +0,0 @@
-# Todo
-- Remove as soon as pretix app is included

roles/web-app-attendize/config/main.yml

@@ -1,22 +0,0 @@
-features:
-  matomo:           true
-  css:              true
-  desktop:          true
-  central_database: true
-  logout:           true
-docker:
-  services:
-    redis:
-      enabled: true
-    database: 
-      enabled: true
-    web:              
-      image:    "attendize_web"
-      version:  "latest"
-    worker:           
-      image:    "attendize_worker"
-      version:  "latest"
-server:
-  domains:
-    canonical:
-      - "tickets.{{ PRIMARY_DOMAIN }}"

roles/web-app-attendize/meta/main.yml

@@ -1,26 +0,0 @@
----
-galaxy_info:
-  author: "Kevin Veen-Birkenbach"
-  description: "Revolutionize your event management with Attendize, an energetic and intuitive platform designed to streamline ticketing and event planning. Enjoy a feature-rich, user-friendly solution that transforms every event into an unforgettable experience."
-  license: "Infinito.Nexus NonCommercial License"
-  license_url: "https://s.infinito.nexus/license"
-  company: |
-    Kevin Veen-Birkenbach
-    Consulting & Coaching Solutions
-    https://www.veen.world
-  galaxy_tags:
-    - attendize
-    - docker
-    - event management
-    - ticketing
-    - automation
-  repository: https://s.infinito.nexus/code
-  issue_tracker_url: https://s.infinito.nexus/issues
-  documentation: "https://docs.infinito.nexus/"
-  logo:
-    class: "fa-solid fa-calendar-check"
-  run_after:
-    - web-app-matomo
-    - web-app-keycloak
-    - web-app-mailu
-dependencies: []

roles/web-app-attendize/tasks/main.yml

@@ -1,22 +0,0 @@
----
-- name: "For '{{ application_id }}': include role to receive certs & do modification routines"
-  include_role:
-    name: srv-composer
-  vars:
-    domain: "{{ item }}"
-    http_port:   "{{ ports.localhost.http[application_id] }}"
-  loop:
-    - "{{ domains | get_domain('web-app-mailu') }}"
-    - "{{ domain }}"
-
-- name: "For '{{ application_id }}': load docker and db"
-  include_role: 
-    name: sys-stk-back-stateful
-  vars:
-    docker_compose_flush_handlers: true 
-    
-- name: "For '{{ application_id }}': configure {{ domains | get_domain(application_id) }}.conf"
-  template: 
-    src: roles/srv-proxy-core/templates/vhost/basic.conf.j2 
-    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf"
-  notify: restart openresty

roles/web-app-attendize/templates/docker-compose.yml.j2

@@ -1,28 +0,0 @@
-{% include 'roles/docker-compose/templates/base.yml.j2' %}
-
-  web:
-    image: "{{ ATTENDIZE_WEB_IMAGE }}:{{ ATTENDIZE_WEB_VERSION }}"
-    ports:
-    - "{{ ports.localhost.http[application_id] }}:80"
-    volumes:
-      - .:/usr/share/nginx/html
-      - .:/var/www
-{% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
-      maildev:
-      worker:
-    env_file:
-      - ./.env
-{% include 'roles/docker-container/templates/networks.yml.j2' %}
-
-  worker:
-    image: "{{ ATTENDIZE_WORKER_IMAGE }}:{{ ATTENDIZE_WORKER_VERSION }}"
-{% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
-      maildev:
-{% include 'roles/docker-container/templates/networks.yml.j2' %}
-    volumes:
-      - .:/usr/share/nginx/html
-      - .:/var/www
-
-{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
-
-{% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-app-attendize/templates/env.j2

@@ -1,76 +0,0 @@
-# https://github.com/Attendize/Attendize/blob/develop/.env.example
-
-ATTENDIZE_DEV=true
-ATTENDIZE_CLOUD=false
-
-APP_NAME=Attendize
-APP_ENV=local
-APP_KEY=
-APP_DEBUG=true
-APP_URL=https://localhost:8081
-
-LOG_CHANNEL=stack
-
-DB_CONNECTION=mysql
-DB_HOST=db
-DB_PORT=3306
-DB_DATABASE=attendize
-DB_USERNAME=attendize
-DB_PASSWORD=attendize
-
-BROADCAST_DRIVER=log
-CACHE_DRIVER=file
-QUEUE_CONNECTION=sync
-SESSION_DRIVER=file
-SESSION_LIFETIME=120
-
-REDIS_HOST=127.0.0.1
-REDIS_PASSWORD=null
-REDIS_PORT=6379
-
-MAIL_DRIVER=smtp
-MAIL_HOST=maildev
-MAIL_PORT=1025
-MAIL_USERNAME=null
-MAIL_PASSWORD=null
-MAIL_ENCRYPTION=null
-
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
-AWS_DEFAULT_REGION=us-east-1
-AWS_BUCKET=
-
-PUSHER_APP_ID=
-PUSHER_APP_KEY=
-PUSHER_APP_SECRET=
-PUSHER_APP_CLUSTER=mt1
-
-MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
-MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
-
-# Attendize Variables
-DEFAULT_DATEPICKER_SEPERATOR="-"
-DEFAULT_DATEPICKER_FORMAT="yyyy-MM-dd HH:mm"
-DEFAULT_DATETIME_FORMAT="Y-m-d H:i"
-APP_TIMEZONE=
-
-MAIL_FROM_ADDRESS=testing@attendize.com
-MAIL_FROM_NAME=testing_service
-
-# https://github.com/NitMedia/wkhtml2pdf#driver-types
-WKHTML2PDF_BIN_FILE=wkhtmltopdf-amd64
-
-# Google Analytics
-GOOGLE_ANALYTICS_ID=
-GOOGLE_MAPS_GEOCODING_KEY=
-
-# Captcha Configuration
-CAPTCHA_IS_ON=false
-# can be recaptcha or hcaptcha
-CAPTCHA_TYPE=
-CAPTCHA_KEY=
-CAPTCHA_SECRET=
-
-TWITTER_WIDGET_ID=
-
-LOG=errorlog

roles/web-app-attendize/vars/main.yml

@@ -1,14 +0,0 @@
-# General
-application_id:             "web-app-attendize"
-
-# Database
-database_type:              "mariadb"
-
-# Docker
-docker_repository_address:  "https://github.com/Attendize/Attendize.git"
-
-# Attendize
-ATTENDIZE_WEB_IMAGE:        "{{ applications | get_app_conf(application_id, 'docker.services.web.image') }}"
-ATTENDIZE_WEB_VERSION:      "{{ applications | get_app_conf(application_id, 'docker.services.web.version') }}"
-ATTENDIZE_WORKER_IMAGE:     "{{ applications | get_app_conf(application_id, 'docker.services.worker.image') }}"
-ATTENDIZE_WORKER_VERSION:   "{{ applications | get_app_conf(application_id, 'docker.services.worker.version') }}"

roles/web-app-bluesky/tasks/main.yml

@@ -2,9 +2,9 @@
   include_role: 
     name: docker-compose
 
-- name: "include role sys-stk-front for {{ application_id }}"
+- name: "include role sys-stk-front-proxy for {{ application_id }}"
   include_role:
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   vars:
     domain: "{{ item.domain }}"
     http_port: "{{ item.http_port }}"

roles/web-app-desktop/tasks/01_core.yml

@@ -9,9 +9,9 @@
   include_role:
     name: sys-stk-full-stateless
 
-- name: "Check if host-specific config.yaml exists in {{ DESKTOP_INVENTORY_CONFIG_PATH }}"
+- name: "Check if host-specific config.yaml exists in {{ DESKTOP_CONFIG_INV_PATH }}"
   stat:
-    path: "{{ DESKTOP_INVENTORY_CONFIG_PATH }}"
+    path: "{{ DESKTOP_CONFIG_INV_PATH }}"
   delegate_to: localhost
   become: false
   register: config_file
@@ -45,15 +45,15 @@
 
 - name: Copy host-specific config.yaml if it exists
   template:
-    src: "{{ DESKTOP_INVENTORY_CONFIG_PATH }}"
+    src: "{{ DESKTOP_CONFIG_INV_PATH }}"
-    dest: "{{ docker_repository_path }}/app/config.yaml"
+    dest: "{{ DESKTOP_CONFIG_YML_DEST }}"
   notify: docker compose up
   when: config_file.stat.exists
 
 - name: Copy default config.yaml from the role template if host-specific file does not exist
   template:
-    src: "config.yaml.j2"
+    src: "{{ DESKTOP_CONFIG_YML_SRC_FILE }}"
-    dest: "{{ docker_repository_path }}/app/config.yaml"
+    dest: "{{ DESKTOP_CONFIG_YML_DEST }}"
   notify: docker compose up
   when: not config_file.stat.exists
 

roles/web-app-desktop/vars/main.yml

@@ -22,7 +22,9 @@ DESKTOP_LOCATION_SILENT_CHECK:    "/silent-check-sso.html"
 
 
 ## Configuration
-DESKTOP_INVENTORY_CONFIG_PATH:    "{{ inventory_dir }}/files/{{ inventory_hostname }}/docker/web-app-desktop/config.yaml.j2"
+DESKTOP_CONFIG_YML_SRC_FILE:      "config.yaml.j2"
+DESKTOP_CONFIG_INV_PATH:          "{{ [ inventory_dir, 'files', inventory_hostname ,'docker',application_id,DESKTOP_CONFIG_YML_SRC_FILE] | path_join }}"
+DESKTOP_CONFIG_YML_DEST:          "{{ [ docker_repository_path, 'app/config.yaml'] | path_join }}"
 
 ## OIDC
 DESKTOP_KEYCLOAK_LOGIN_URL: >-

roles/web-app-elk/tasks/main.yml

@@ -1,8 +1,8 @@
 ---
 
-- name: "include role sys-stk-front for {{ application_id }}"
+- name: "include role sys-stk-front-proxy for {{ application_id }}"
   include_role:
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   vars:
     domain:   "{{ domains | get_domain(application_id) }}"
     http_port:   "{{ ports.localhost.http[application_id] }}"

roles/web-app-fusiondirectory/README.md

@@ -9,7 +9,7 @@ This Ansible role deploys and configures [FusionDirectory](https://www.fusiondir
 - Loads and templating of FusionDirectory-specific variables  
 - Generates a `.env` file for the container environment  
 - Deploys the FusionDirectory container via Docker Compose  
-- Configures NGINX (via the `sys-stk-front` role) to expose the service  
+- Configures NGINX (via the `sys-stk-front-proxy` role) to expose the service  
 - Integrates with your central LDAP server for authentication  
 
 ## Features

roles/web-app-gitlab/config/main.yml

@@ -1,20 +1,24 @@
 features:
-  matomo:             true
+  matomo:           true
-  css:                true
+  css:              true
-  desktop:            true
+  desktop:          true
-  central_database:   true
+  central_database: true
-  logout:             true
+  logout:           true
+  oidc:             true 
 docker:
   services:
     redis:
-      enabled: true
+      enabled:      true
     database: 
-      enabled: true
+      enabled:      true
-    gitlab: 
+    gitlab:
-      image:    "gitlab/gitlab-ee"
+      image:        "gitlab/gitlab-ee"
-      version:  "latest"
+      version:      "latest"
-credentials:
+      name:         "gitlab"
-  initial_root_password: "{{ users.administrator.password }}"
+  volumes:
+    data:           "gitlab_data"
+    logs:           "gitlab_logs"
+    config:         "gitlab_config"
 server:
   domains:
     canonical:

roles/web-app-gitlab/schema/main.yml

@@ -1,5 +0,0 @@
-credentials:
-  initial_root_password:
-    description: "Initial password for the GitLab root user"
-    algorithm: "sha256"
-    validation: "^[a-f0-9]{64}$"

roles/web-app-gitlab/templates/docker-compose.yml.j2

@@ -1,8 +1,9 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   web:
-    image: "{{ gitlab_image }}:{{ gitlab_version }}"
+    image: "{{ GITLAB_IMAGE }}:{{ GITLAB_VERSION }}"
-    hostname: '{{ domains | get_domain(application_id) }}'
+    hostname: '{{ GITLAB_HOSTNAME }}'
+    container_name:  "{{ GITLAB_CONTAINER }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
     ports:
       - "127.0.0.1:{{ ports.localhost.http[application_id] }}:80"
@@ -17,7 +18,10 @@
 
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
   config:
+    name: {{ GITLAB_CONF_VOLUME }}
   logs:
+    name: {{ GITLAB_LOGS_VOLUME }}
   data:
+    name: {{ GITLAB_DATA_VOLUME }}
 
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}

roles/web-app-gitlab/templates/env.j2

@@ -1,22 +1 @@
-{# env.j2 #}
+GITLAB_OMNIBUS_CONFIG="{{ GITLAB_OMNIBUS_ALL | join('\\n') }}"
-{% set config_lines = [
-  "external_url 'https://{{ domain }}'",
-  "postgresql['enable']=false",
-  "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh[application_id] }}",
-  "gitlab_rails['db_adapter']='postgresql'",
-  "gitlab_rails['db_encoding']='utf8'",
-  "gitlab_rails['db_host']='{{ database_host }}'",
-  "gitlab_rails['db_port']='{{ database_port }}'",
-  "gitlab_rails['db_username']='{{ database_username }}'",
-  "gitlab_rails['db_password']='{{ database_password }}'",
-  "gitlab_rails['db_database']=\"{{ database_name }}\"",
-  "nginx['listen_port']=80",
-  "nginx['listen_https']=false",
-  "",
-  "gitlab_rails['initial_root_password']=\"{{ gitlab_initial_root_password }}\"",
-  "",
-  "redis['enable']=false",
-  "gitlab_rails['redis_host']='redis'",
-  "gitlab_rails['redis_port']='6379'"
-] %}
-GITLAB_OMNIBUS_CONFIG="{{ config_lines | join('\\n') }}"

roles/web-app-gitlab/vars/main.yml

@@ -1,5 +1,69 @@
+# General
 application_id:               "web-app-gitlab"
 database_type:                "postgres"
-gitlab_initial_root_password: "{{ applications | get_app_conf(application_id, 'credentials.initial_root_password') }}"
+
-gitlab_version:               "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.version', True) }}"
+# GitLab
-gitlab_image:                 "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.image', True) }}"
+GITLAB_URL:                 "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+GITLAB_HOSTNAME:            "{{ domains | get_domain(application_id) }}"
+
+## OIDC
+GITLAB_OIDC_ENABLED:        "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+GITLAB_OIDC_LABEL:          "{{ OIDC.BUTTON_TEXT }}"
+GITLAB_OIDC_UID_FIELD:      "{{ OIDC.ATTRIBUTES.USERNAME }}"
+GITLAB_OIDC_CLIENT_ID:      "{{ OIDC.CLIENT.ID }}"
+GITLAB_OIDC_CLIENT_SECRET:  "{{ OIDC.CLIENT.SECRET }}"
+GITLAB_OIDC_ISSUER:         "{{ OIDC.CLIENT.ISSUER_URL }}"
+GITLAB_OIDC_REDIRECT_URI:   "{{ GITLAB_URL }}/users/auth/openid_connect/callback"
+
+## Docker
+GITLAB_INIT_ROOT_PASSWORD:  "{{ users.administrator.password }}"
+GITLAB_VERSION:             "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.version') }}"
+GITLAB_IMAGE:               "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.image') }}"
+GITLAB_CONTAINER:           "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.name') }}"
+GITLAB_CONF_VOLUME:         "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
+GITLAB_LOGS_VOLUME:         "{{ applications | get_app_conf(application_id, 'docker.volumes.logs') }}"
+GITLAB_DATA_VOLUME:         "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+
+## Configuration
+GITLAB_OMNIBUS_BASE:
+  - "external_url '{{ GITLAB_URL }}'"
+  - "postgresql['enable']=false"
+  - "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh[application_id] }}"
+  - "gitlab_rails['db_adapter']='postgresql'"
+  - "gitlab_rails['db_encoding']='utf8'"
+  - "gitlab_rails['db_host']='{{ database_host }}'"
+  - "gitlab_rails['db_port']='{{ database_port }}'"
+  - "gitlab_rails['db_username']='{{ database_username }}'"
+  - "gitlab_rails['db_password']='{{ database_password }}'"
+  - "gitlab_rails['db_database']='{{ database_name }}'"
+  - "nginx['listen_port']=80"
+  - "nginx['listen_https']=false"
+  - ""
+  - "gitlab_rails['initial_root_password']='{{ GITLAB_INIT_ROOT_PASSWORD }}'"
+  - ""
+  - "redis['enable']=false"
+  - "gitlab_rails['redis_host']='redis'"
+  - "gitlab_rails['redis_port']='6379'"
+
+GITLAB_OMNIBUS_OIDC:
+  - ""
+  - "gitlab_rails['omniauth_enabled']=true"
+  - "gitlab_rails['omniauth_allow_single_sign_on']=['openid_connect']"
+  - "gitlab_rails['omniauth_block_auto_created_users']=false"
+  - "gitlab_rails['omniauth_auto_link_user']=['openid_connect']"
+  - "gitlab_rails['omniauth_providers']=[{ name: 'openid_connect', label: '{{ GITLAB_OIDC_LABEL | replace(\"'\",\"\\\\'\") }}', args: {"
+  - "  name: 'openid_connect',"
+  - "  scope: ['openid','profile','email'],"
+  - "  response_type: 'code',"
+  - "  issuer: '{{ GITLAB_OIDC_ISSUER | replace(\"'\",\"\\\\'\") }}',"
+  - "  discovery: true,"
+  - "  uid_field: '{{ GITLAB_OIDC_UID_FIELD | replace(\"'\",\"\\\\'\") }}',"
+  - "  pkce: true,"
+  - "  client_options: {"
+  - "    identifier: '{{ GITLAB_OIDC_CLIENT_ID | replace(\"'\",\"\\\\'\") }}',"
+  - "    secret: '{{ GITLAB_OIDC_CLIENT_SECRET | replace(\"'\",\"\\\\'\") }}',"
+  - "    redirect_uri: '{{ GITLAB_OIDC_REDIRECT_URI | replace(\"'\",\"\\\\'\") }}'"
+  - "  }"
+  - "} }]"
+
+GITLAB_OMNIBUS_ALL: "{{ GITLAB_OMNIBUS_BASE + (GITLAB_OMNIBUS_OIDC if GITLAB_OIDC_ENABLED else []) }}"

roles/web-app-joomla/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
-- name: "Include role sys-stk-front for {{ application_id }}"
+- name: "Include role sys-stk-front-proxy for {{ application_id }}"
   include_role:
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   loop: "{{ JOOMLA_DOMAINS }}"
   loop_control:
     loop_var: domain

roles/web-app-mastodon/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: "Include setup for domain '{{ domain }}'"
   include_role: 
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   loop: "{{ domains['web-app-mastodon'] }}"
   loop_control:
     loop_var: domain

roles/web-app-mastodon/templates/env.j2

@@ -67,7 +67,7 @@ OIDC_SCOPE="openid,profile,email"
 # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
 OIDC_UID_FIELD={{ OIDC.ATTRIBUTES.USERNAME }}
 OIDC_CLIENT_ID={{ OIDC.CLIENT.ID }}
-OIDC_REDIRECT_URI=https://{{ domains | get_domain(application_id) }}/auth/auth/openid_connect/callback
+OIDC_REDIRECT_URI={{ domains | get_url(application_id, WEB_PROTOCOL) }}/auth/auth/openid_connect/callback
 OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
 OIDC_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
 # uncomment to only use OIDC for login / registration buttons

roles/web-app-matrix/tasks/03_webserver.yml

@@ -9,9 +9,9 @@
     src:  "well-known.j2" 
     dest: "{{ MATRIX_WELL_KNOWN_FILE }}"
         
-- name: "include role sys-stk-front for {{ MATRIX_ELEMENT_DOMAIN }}"
+- name: "include role sys-stk-front-proxy for {{ MATRIX_ELEMENT_DOMAIN }}"
   include_role: 
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   vars:        
     domain:     "{{ MATRIX_ELEMENT_DOMAIN }}"
     http_port:  "{{ MATRIX_ELEMENT_PORT }}"

roles/web-app-pretix/config/main.yml

@@ -1,31 +1,36 @@
-
 credentials: {}
 docker:
-  images: {}                # @todo Move under services
-  versions: {}              # @todo Move under services
   services:
     redis:
-      enabled:      false   # Enable Redis 
+      enabled:  true
     database:
-      enabled:      false   # Enable the database 
+      enabled:  true
+    application:
+      image:    pretix/standalone
+      version:  stable
+      name:     pretix
+  volumes:
+    data:       "pretix_data"
+    config:     "pretix_config"
 features:
-  matomo:           true    # Enable Matomo Tracking
+  matomo:           true
-  css:              true    # Enable Global CSS Styling
+  css:              true
-  desktop:  true    # Enable loading of app in iframe
+  desktop:          true
-  ldap:             false   # Enable LDAP Network
+  central_database: true
-  central_database: false   # Enable Central Database Network
-  recaptcha:        false   # Enable ReCaptcha
-  oauth2:           false   # Enable the OAuth2-Proy
-  javascript:       false   # Enables the custom JS in the javascript.js.j2 file   
   logout:           true
+  oidc:             true
 server:
   csp:
-    whitelist:        {}      # URL's which should be whitelisted
+    whitelist:      {}
-    flags:            {}      # Flags which should be set
+    flags:          {}
   domains:
     canonical:
+      - "ticket.{{ PRIMARY_DOMAIN }}"
+    aliases:
       - "pretix.{{ PRIMARY_DOMAIN }}"
-    aliases:          []      # Alias redirections to the first element of the canonical domains
 rbac:
   roles: {}
+plugins:
+  oidc:
+    version: "2.3.1"
 

roles/web-app-pretix/templates/Dockerfile.j2

@@ -0,0 +1,4 @@
+ARG PRETIX_BASE_IMAGE={{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}
+FROM ${PRETIX_BASE_IMAGE}
+# Install OIDC auth plugin for Pretix
+RUN python -m pip install --no-cache-dir "pretix-oidc=={{ PRETIX_OIDC_PLUGIN_VERSION }}"

roles/web-app-pretix/templates/docker-compose.yml.j2

@@ -1,20 +1,32 @@
-
 services:
-
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 
   application:
-    image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}"
+    build:
-    volumes: []
+      context: .
+      dockerfile: Dockerfile
+      args:
+        PRETIX_BASE_IMAGE: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}"
+    image: "{{ PRETIX_IMAGE }}:{{ PRETIX_VERSION }}-oidc"
+    container_name: "{{ PRETIX_CONTAINER }}"
+    hostname: '{{ PRETIX_HOSTNAME}}'
+    command: ["all"]
     ports:
-      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
+      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:80"
+    volumes:
+      - 'data:/data'
+      - 'config:/etc/pretix'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
+    depends_on:
+      - database
+      - redis
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  config:
+    name: {{ PRETIX_CONF_VOLUME }}
+  data:
+    name: {{ PRETIX_DATA_VOLUME }}
 
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
-
-

roles/web-app-pretix/templates/env.j2

@@ -0,0 +1,34 @@
+## Pretix core
+PRETIX_PRETIX_INSTANCE_NAME="{{ PRIMARY_DOMAIN | upper }} Tickets"
+PRETIX_PRETIX_URL="{{ PRETIX_URL }}"
+PRETIX_PRETIX_AUTH_BACKENDS="pretix.base.auth.NativeAuthBackend{% if PRETIX_OIDC_ENABLED %},pretix_oidc.auth.OIDCAuthBackend{% endif %}"
+
+## Locale
+PRETIX_LOCALE_TIMEZONE="{{ HOST_TIMEZONE }}"
+
+## Database
+PRETIX_DATABASE_BACKEND="postgresql"
+PRETIX_DATABASE_NAME="{{ database_name }}"
+PRETIX_DATABASE_USER="{{ database_username }}"
+PRETIX_DATABASE_PASSWORD="{{ database_password }}"
+PRETIX_DATABASE_HOST="{{ database_host }}"
+PRETIX_DATABASE_PORT="{{ database_port }}"
+
+## Redis
+PRETIX_REDIS_LOCATION="redis://redis:6379/1"
+PRETIX_REDIS_SESSIONS="true"
+
+## OIDC (plugin)
+{% if PRETIX_OIDC_ENABLED %}
+PRETIX_OIDC_TITLE="{{ PRETIX_OIDC_LABEL | replace('\"','\\\"') }}"
+PRETIX_OIDC_ISSUER="{{ PRETIX_OIDC_ISSUER }}"
+PRETIX_OIDC_AUTHORIZATION_ENDPOINT="{{ PRETIX_OIDC_AUTH_URL }}"
+PRETIX_OIDC_TOKEN_ENDPOINT="{{ PRETIX_OIDC_TOKEN_URL }}"
+PRETIX_OIDC_USERINFO_ENDPOINT="{{ PRETIX_OIDC_USERINFO_URL }}"
+PRETIX_OIDC_END_SESSION_ENDPOINT="{{ PRETIX_OIDC_LOGOUT_URL }}"
+PRETIX_OIDC_JWKS_URI="{{ PRETIX_OIDC_JWKS_URL }}"
+PRETIX_OIDC_CLIENT_ID="{{ PRETIX_OIDC_CLIENT_ID }}"
+PRETIX_OIDC_CLIENT_SECRET="{{ PRETIX_OIDC_CLIENT_SECRET }}"
+PRETIX_OIDC_SCOPES="{{ PRETIX_OIDC_SCOPES }}"
+PRETIX_OIDC_UNIQUE_ATTRIBUTE="{{ PRETIX_OIDC_UNIQUE_ATTRIBUTE }}"
+{% endif %}

roles/web-app-pretix/vars/main.yml

@@ -1,2 +1,30 @@
-application_id: web-app-pretix # ID of the application
+application_id:                 "web-app-pretix"
-database_type:  0                    # Database type [postgres, mariadb]
+database_type:                  "postgres"
+container_port:                 80
+
+# URLs
+PRETIX_URL:                     "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+PRETIX_HOSTNAME:                "{{ domains | get_domain(application_id) }}"
+
+# OIDC (mirrors GitLab’s pattern)
+PRETIX_OIDC_ENABLED:            "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+PRETIX_OIDC_LABEL:              "{{ OIDC.BUTTON_TEXT }}"
+PRETIX_OIDC_CLIENT_ID:          "{{ OIDC.CLIENT.ID }}"
+PRETIX_OIDC_CLIENT_SECRET:      "{{ OIDC.CLIENT.SECRET }}"
+PRETIX_OIDC_ISSUER:             "{{ OIDC.CLIENT.ISSUER_URL }}"
+PRETIX_OIDC_AUTH_URL:           "{{ OIDC.CLIENT.AUTHORIZE_URL }}"
+PRETIX_OIDC_TOKEN_URL:          "{{ OIDC.CLIENT.TOKEN_URL }}"
+PRETIX_OIDC_USERINFO_URL:       "{{ OIDC.CLIENT.USER_INFO_URL }}"
+PRETIX_OIDC_LOGOUT_URL:         "{{ OIDC.CLIENT.LOGOUT_URL }}"
+PRETIX_OIDC_JWKS_URL:           "{{ OIDC.CLIENT.CERTS }}"
+PRETIX_OIDC_SCOPES:             "openid,email,profile"
+# Use Keycloak username claim by default (plugin default is 'sub')
+PRETIX_OIDC_UNIQUE_ATTRIBUTE:   "{{ OIDC.ATTRIBUTES.USERNAME }}"
+
+# Docker
+PRETIX_VERSION:                 "{{ applications | get_app_conf(application_id, 'docker.services.application.version') }}"
+PRETIX_IMAGE:                   "{{ applications | get_app_conf(application_id, 'docker.services.application.image') }}"
+PRETIX_CONTAINER:               "{{ applications | get_app_conf(application_id, 'docker.services.application.name') }}"
+PRETIX_DATA_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+PRETIX_CONF_VOLUME:             "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
+PRETIX_OIDC_PLUGIN_VERSION:     "{{ applications | get_app_conf(application_id, 'plugins.oidc.version') }}"

roles/web-app-taiga/README.md

@@ -39,7 +39,7 @@ By using this role, teams can set up Taiga in minutes on Arch Linux systems —
     - [taiga-contrib-oidc-auth (official)](https://github.com/taigaio/taiga-contrib-oidc-auth)
 - 📨 **Email Backend:** Supports SMTP and console backends for development.
 - 🔁 **Async & Realtime Events:** Includes RabbitMQ and support for Taiga’s event system.
-- 🌐 **Reverse Proxy Ready:** Integrates with Nginx using the `sys-stk-front` role.
+- 🌐 **Reverse Proxy Ready:** Integrates with Nginx using the `sys-stk-front-proxy` role.
 - 🧩 **Composable Design:** Integrates cleanly with other Infinito.Nexus infrastructure roles.
 
 ---

roles/web-app-wordpress/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
-- name: "Include role sys-stk-front for {{ application_id }}"
+- name: "Include role sys-stk-front-proxy for {{ application_id }}"
   include_role:
-    name: sys-stk-front
+    name: sys-stk-front-proxy
   loop: "{{ WORDPRESS_DOMAINS }}"
   loop_control:
     loop_var: domain

roles/web-opt-rdr-domains/README.md

@@ -9,7 +9,7 @@ This Ansible role configures Nginx to perform 301 redirects from one domain to a
 
 ## Dependencies
 
-- `srv-https-stack`: A role for setting up HTTPS for Nginx
+- `sys-stk-front-pure`: A role for setting up HTTPS for Nginx
 - `letsencrypt`: A role for managing SSL certificates with Let's Encrypt
 
 ## Author Information

roles/web-opt-rdr-domains/tasks/main.yml

@@ -1,8 +1,8 @@
 - block:
-  - name: Include dependency 'srv-https-stack'
+  - name: Include dependency 'sys-stk-front-pure'
     include_role:
-      name: srv-https-stack
+      name: sys-stk-front-pure
-    when: run_once_srv_https_stack is not defined
+    when: run_once_sys_stk_front_pure is not defined
   - include_tasks: utils/run_once.yml
   when: run_once_web_opt_rdr_domains is not defined
 

roles/web-opt-rdr-domains/tasks/redirect-domain.yml

@@ -1,6 +1,6 @@
 - name: "include task receive certbot certificate"
   include_role: 
-    name: srv-tls-core
+    name: sys-svc-certs
 
 - name: "Deploying NGINX redirect configuration for '{{ domain }}'"
   template:

roles/web-svc-cdn/tasks/01_core.yml

@@ -2,7 +2,7 @@
   include_role:
     name: '{{ item }}'
   loop:
-  - srv-https-stack
+  - sys-stk-front-pure
   - dev-git
   
 - name: "include role for {{ application_id }} to receive certs & do modification routines"

roles/web-svc-file/tasks/main.yml

@@ -3,7 +3,7 @@
     include_role:
       name: '{{ item }}'
     loop:
-    - srv-https-stack
+    - sys-stk-front-pure
     - dev-git
   - include_tasks: utils/run_once.yml
   when: run_once_web_svc_file is not defined

roles/web-svc-html/tasks/main.yml

@@ -3,7 +3,7 @@
     include_role:
       name: '{{ item }}'
     loop:
-    - srv-https-stack
+    - sys-stk-front-pure
     - dev-git
   - include_tasks: utils/run_once.yml
   when: run_once_web_svc_html is not defined