feat(keycloak): add automation service account client support

Introduce a confidential service-account client (Option A) to replace user-based kcadm sessions. The client is created automatically, granted realm-admin role, and used for all subsequent Keycloak updates. Includes improved error handling for HTTP 401 responses. Discussion: https://chatgpt.com/share/68e01da3-39fc-800f-81be-2d0c8efd81a1
fix(sys-ctl-hlth-csp): ensure '--' separator is added when passing ignore list to checkcsp
2025-11-17 02:26:30 +00:00 · 2025-10-03 21:02:16 +02:00 · 2025-10-03 20:50:49 +02:00 · 2025-10-03 15:23:57 +02:00 · 2025-10-02 20:02:10 +02:00 · 2025-10-02 19:59:04 +02:00
808 changed files with 13942 additions and 5973 deletions
--- a/.github/workflows/test-cli.yml
+++ b/.github/workflows/test-cli.yml
@@ -21,12 +21,12 @@ jobs:

      - name: Clean build artifacts
        run: |
-          docker run --rm infinito:latest make clean
+          docker run --rm infinito:latest infinito make clean

      - name: Generate project outputs
        run: |
-          docker run --rm infinito:latest make build
+          docker run --rm infinito:latest infinito make build

      - name: Run tests
        run: |
-          docker run --rm infinito:latest make test
+          docker run --rm infinito:latest infinito make test
--- a/9
+++ b/9
@@ -59,11 +59,4 @@ RUN INFINITO_PATH=$(pkgmgr path infinito) && \
    ln -sf "$INFINITO_PATH"/main.py /usr/local/bin/infinito && \
    chmod +x /usr/local/bin/infinito

-# 10) Run integration tests
-# This needed to be deactivated becaus it doesn't work with gitthub workflow
-#RUN INFINITO_PATH=$(pkgmgr path infinito) && \
-#    cd "$INFINITO_PATH" && \
-#    make test
-
-ENTRYPOINT ["infinito"]
-CMD ["--help"]
+CMD sh -c "infinito --help && exec tail -f /dev/null"
--- a/2
+++ b/2
@@ -73,7 +73,7 @@ messy-test:
 	@echo "🧪 Running Python tests…"
 	PYTHONPATH=. python -m unittest discover -s tests
 	@echo "📑 Checking Ansible syntax…"
-	ansible-playbook playbook.yml --syntax-check
+	ansible-playbook -i localhost, -c local $(foreach f,$(wildcard group_vars/all/*.yml),-e @$(f)) playbook.yml --syntax-check

 install: build
 	@echo "⚙️  Install complete."
--- a/cli/TODO.md
+++ b/cli/TODO.md
@@ -1,3 +0,0 @@
-# Todo
- Test this script. It's just a draft. Checkout https://chatgpt.com/c/681d9e2b-7b28-800f-aef8-4f1427e9021d
- Solve bugs in show_vault_variables.py
--- a/cli/create/role.py
+++ b/cli/create/role.py
@@ -11,7 +11,7 @@ sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')
 from module_utils.entity_name_utils import get_entity_name

 # Paths to the group-vars files
-PORTS_FILE = './group_vars/all/09_ports.yml'
+PORTS_FILE = './group_vars/all/10_ports.yml'
 NETWORKS_FILE = './group_vars/all/09_networks.yml'
 ROLE_TEMPLATE_DIR = './templates/roles/web-app'
 ROLES_DIR = './roles'
--- a/cli/deploy.py
+++ b/cli/deploy.py
@@ -5,6 +5,9 @@ import subprocess
 import os
 import datetime
 import sys
+import re
+from typing import Optional, Dict, Any, List
+

 def run_ansible_playbook(
    inventory,
@@ -13,21 +16,20 @@ def run_ansible_playbook(
    allowed_applications=None,
    password_file=None,
    verbose=0,
-    skip_tests=False,
-    skip_validation=False,
    skip_build=False,
-    cleanup=False,
+    skip_tests=False,
    logs=False
 ):
    start_time = datetime.datetime.now()
    print(f"\n▶️ Script started at: {start_time.isoformat()}\n")

-    if cleanup:
+    # Cleanup is now handled via MODE_CLEANUP
+    if modes.get("MODE_CLEANUP", False):
        cleanup_command = ["make", "clean-keep-logs"] if logs else ["make", "clean"]
-        print("\n🧹 Cleaning up project (" + " ".join(cleanup_command) +")...\n")
+        print("\n🧹 Cleaning up project (" + " ".join(cleanup_command) + ")...\n")
        subprocess.run(cleanup_command, check=True)
    else:
-        print("\n⚠️ Skipping build as requested.\n")
+        print("\n⚠️ Skipping cleanup as requested.\n")

    if not skip_build:
        print("\n🛠️  Building project (make messy-build)...\n")
@@ -38,26 +40,24 @@ def run_ansible_playbook(
    script_dir = os.path.dirname(os.path.realpath(__file__))
    playbook = os.path.join(os.path.dirname(script_dir), "playbook.yml")

-    # Inventory validation step
-    if not skip_validation:
+    # Inventory validation is controlled via MODE_ASSERT
+    if modes.get("MODE_ASSERT", None) is False:
+        print("\n⚠️ Skipping inventory validation as requested.\n")
+    elif "MODE_ASSERT" not in modes or modes["MODE_ASSERT"] is True:
        print("\n🔍 Validating inventory before deployment...\n")
        try:
            subprocess.run(
-                [sys.executable,
-                 os.path.join(script_dir, "validate/inventory.py"),
-                 os.path.dirname(inventory)
+                [
+                    sys.executable,
+                    os.path.join(script_dir, "validate", "inventory.py"),
+                    os.path.dirname(inventory),
                ],
-                check=True
+                check=True,
            )
        except subprocess.CalledProcessError:
-            print(
-                "\n❌ Inventory validation failed. Deployment aborted.\n",
-                file=sys.stderr
-            )
+            print("\n❌ Inventory validation failed. Deployment aborted.\n", file=sys.stderr)
            sys.exit(1)
-    else:
-        print("\n⚠️ Skipping inventory validation as requested.\n")
-
+            
    if not skip_tests:
        print("\n🧪 Running tests (make messy-test)...\n")
        subprocess.run(["make", "messy-test"], check=True)
@@ -93,25 +93,136 @@ def run_ansible_playbook(
    duration = end_time - start_time
    print(f"⏱️ Total execution time: {duration}\n")

+
 def validate_application_ids(inventory, app_ids):
    """
    Abort the script if any application IDs are invalid, with detailed reasons.
    """
    from module_utils.valid_deploy_id import ValidDeployId
+
    validator = ValidDeployId()
    invalid = validator.validate(inventory, app_ids)
    if invalid:
        print("\n❌ Detected invalid application_id(s):\n")
        for app_id, status in invalid.items():
            reasons = []
-            if not status['in_roles']:
+            if not status["in_roles"]:
                reasons.append("not defined in roles (infinito)")
-            if not status['in_inventory']:
+            if not status["in_inventory"]:
                reasons.append("not found in inventory file")
            print(f"  - {app_id}: " + ", ".join(reasons))
        sys.exit(1)


+MODE_LINE_RE = re.compile(
+    r"""^\s*(?P<key>[A-Z0-9_]+)\s*:\s*(?P<value>.+?)\s*(?:#\s*(?P<cmt>.*))?\s*$"""
+)
+
+
+def _parse_bool_literal(text: str) -> Optional[bool]:
+    t = text.strip().lower()
+    if t in ("true", "yes", "on"):
+        return True
+    if t in ("false", "no", "off"):
+        return False
+    return None
+
+
+def load_modes_from_yaml(modes_yaml_path: str) -> List[Dict[str, Any]]:
+    """
+    Parse group_vars/all/01_modes.yml line-by-line to recover:
+      - name (e.g., MODE_TEST)
+      - default (True/False/None if templated/unknown)
+      - help (from trailing # comment, if present)
+    """
+    modes = []
+    if not os.path.exists(modes_yaml_path):
+        raise FileNotFoundError(f"Modes file not found: {modes_yaml_path}")
+
+    with open(modes_yaml_path, "r", encoding="utf-8") as fh:
+        for line in fh:
+            line = line.rstrip()
+            if not line or line.lstrip().startswith("#"):
+                continue
+            m = MODE_LINE_RE.match(line)
+            if not m:
+                continue
+            key = m.group("key")
+            val = m.group("value").strip()
+            cmt = (m.group("cmt") or "").strip()
+
+            if not key.startswith("MODE_"):
+                continue
+
+            default_bool = _parse_bool_literal(val)
+            modes.append(
+                {
+                    "name": key,
+                    "default": default_bool,
+                    "help": cmt or f"Toggle {key}",
+                }
+            )
+    return modes
+
+
+def add_dynamic_mode_args(
+    parser: argparse.ArgumentParser, modes_meta: List[Dict[str, Any]]
+) -> Dict[str, Dict[str, Any]]:
+    """
+    Add argparse options based on modes metadata.
+    Returns a dict mapping mode name -> { 'dest': <argparse_dest>, 'default': <bool/None>, 'kind': 'bool_true'|'bool_false'|'explicit' }.
+    """
+    spec: Dict[str, Dict[str, Any]] = {}
+    for m in modes_meta:
+        name = m["name"]
+        default = m["default"]
+        desc = m["help"]
+        short = name.replace("MODE_", "").lower()
+
+        if default is True:
+            opt = f"--skip-{short}"
+            dest = f"skip_{short}"
+            help_txt = desc or f"Skip/disable {short} (default: enabled)"
+            parser.add_argument(opt, action="store_true", help=help_txt, dest=dest)
+            spec[name] = {"dest": dest, "default": True, "kind": "bool_true"}
+        elif default is False:
+            opt = f"--{short}"
+            dest = short
+            help_txt = desc or f"Enable {short} (default: disabled)"
+            parser.add_argument(opt, action="store_true", help=help_txt, dest=dest)
+            spec[name] = {"dest": dest, "default": False, "kind": "bool_false"}
+        else:
+            opt = f"--{short}"
+            dest = short
+            help_txt = desc or f"Set {short} explicitly (true/false). If omitted, keep inventory default."
+            parser.add_argument(opt, choices=["true", "false"], help=help_txt, dest=dest)
+            spec[name] = {"dest": dest, "default": None, "kind": "explicit"}
+
+    return spec
+
+
+def build_modes_from_args(
+    spec: Dict[str, Dict[str, Any]], args_namespace: argparse.Namespace
+) -> Dict[str, Any]:
+    """
+    Using the argparse results and the spec, compute the `modes` dict to pass to Ansible.
+    """
+    modes: Dict[str, Any] = {}
+    for mode_name, info in spec.items():
+        dest = info["dest"]
+        kind = info["kind"]
+        val = getattr(args_namespace, dest, None)
+
+        if kind == "bool_true":
+            modes[mode_name] = False if val else True
+        elif kind == "bool_false":
+            modes[mode_name] = True if val else False
+        else:
+            if val is not None:
+                modes[mode_name] = True if val == "true" else False
+    return modes
+
+
 def main():
    parser = argparse.ArgumentParser(
        description="Run the central Ansible deployment script to manage infrastructure, updates, and tests."
@@ -119,88 +230,74 @@ def main():

    parser.add_argument(
        "inventory",
-        help="Path to the inventory file (INI or YAML) containing hosts and variables."
+        help="Path to the inventory file (INI or YAML) containing hosts and variables.",
    )
    parser.add_argument(
-        "-l", "--limit",
-        help="Restrict execution to a specific host or host group from the inventory."
+        "-l",
+        "--limit",
+        help="Restrict execution to a specific host or host group from the inventory.",
    )
    parser.add_argument(
-        "-T", "--host-type",
+        "-T",
+        "--host-type",
        choices=["server", "desktop"],
        default="server",
-        help="Specify whether the target is a server or a personal computer. Affects role selection and variables."
+        help="Specify whether the target is a server or a personal computer. Affects role selection and variables.",
    )
    parser.add_argument(
-        "-r", "--reset", action="store_true",
-        help="Reset all Infinito.Nexus files and configurations, and run the entire playbook (not just individual roles)."
+        "-p",
+        "--password-file",
+        help="Path to the file containing the Vault password. If not provided, prompts for the password interactively.",
    )
    parser.add_argument(
-        "-t", "--test", action="store_true",
-        help="Run test routines instead of production tasks. Useful for local testing and CI pipelines."
+        "-B",
+        "--skip-build",
+        action="store_true",
+        help="Skip running 'make build' before deployment.",
    )
    parser.add_argument(
-        "-u", "--update", action="store_true",
-        help="Enable the update procedure to bring software and roles up to date."
+        "-t",
+        "--skip-tests",
+        action="store_true",
+        help="Skip running 'make messy-tests' before deployment.",
    )
    parser.add_argument(
-        "-b", "--backup", action="store_true",
-        help="Perform a full backup of critical data and configurations before the update process."
-    )
-    parser.add_argument(
-        "-c", "--cleanup", action="store_true",
-        help="Clean up unused files and outdated configurations after all tasks are complete. Also cleans up the repository before the deployment procedure."
-    )
-    parser.add_argument(
-        "-d", "--debug", action="store_true",
-        help="Enable detailed debug output for Ansible and this script."
-    )
-    parser.add_argument(
-        "-p", "--password-file",
-        help="Path to the file containing the Vault password. If not provided, prompts for the password interactively."
-    )
-    parser.add_argument(
-        "-s", "--skip-tests", action="store_true",
-        help="Skip running 'make test' even if tests are normally enabled."
-    )
-    parser.add_argument(
-        "-V", "--skip-validation", action="store_true",
-        help="Skip inventory validation before deployment."
-    )
-    parser.add_argument(
-        "-B", "--skip-build", action="store_true",
-        help="Skip running 'make build' before deployment."
-    )
-    parser.add_argument(
-        "-i", "--id", 
+        "-i",
+        "--id",
        nargs="+",
        default=[],
        dest="id",
-        help="List of application_id's for partial deploy. If not set, all application IDs defined in the inventory will be executed."
+        help="List of application_id's for partial deploy. If not set, all application IDs defined in the inventory will be executed.",
    )
    parser.add_argument(
-        "-v", "--verbose", action="count", default=0,
-        help="Increase verbosity level. Multiple -v flags increase detail (e.g., -vvv for maximum log output)."
+        "-v",
+        "--verbose",
+        action="count",
+        default=0,
+        help="Increase verbosity level. Multiple -v flags increase detail (e.g., -vvv for maximum log output).",
    )
    parser.add_argument(
-        "--logs", action="store_true",
-        help="Keep the CLI logs during cleanup command"
+        "--logs",
+        action="store_true",
+        help="Keep the CLI logs during cleanup command",
    )

+    # ---- Dynamically add mode flags from group_vars/all/01_modes.yml ----
+    script_dir = os.path.dirname(os.path.realpath(__file__))
+    repo_root = os.path.dirname(script_dir)
+    modes_yaml_path = os.path.join(repo_root, "group_vars", "all", "01_modes.yml")
+    modes_meta = load_modes_from_yaml(modes_yaml_path)
+    modes_spec = add_dynamic_mode_args(parser, modes_meta)
+
    args = parser.parse_args()
    validate_application_ids(args.inventory, args.id)

-    modes = {
-        "MODE_RESET": args.reset,
-        "MODE_TEST": args.test,
-        "MODE_UPDATE": args.update,
-        "MODE_BACKUP": args.backup,
-        "MODE_CLEANUP": args.cleanup,
-        "MODE_LOGS": args.logs,
-        "MODE_DEBUG": args.debug,
-        "MODE_ASSERT": not args.skip_validation,
-        "host_type": args.host_type
-    }
+    # Build modes from dynamic args
+    modes = build_modes_from_args(modes_spec, args)
+
+    # Additional non-dynamic flags
+    modes["MODE_LOGS"] = args.logs
+    modes["host_type"] = args.host_type

    run_ansible_playbook(
        inventory=args.inventory,
@@ -209,11 +306,9 @@ def main():
        allowed_applications=args.id,
        password_file=args.password_file,
        verbose=args.verbose,
-        skip_tests=args.skip_tests,
-        skip_validation=args.skip_validation,
        skip_build=args.skip_build,
-        cleanup=args.cleanup,
-        logs=args.logs
+        skip_tests=args.skip_tests,
+        logs=args.logs,
    )


--- a/cli/fix/move_unnecessary_dependencies.py
+++ b/cli/fix/move_unnecessary_dependencies.py
@@ -228,7 +228,7 @@ def parse_meta_dependencies(role_dir: str) -> List[str]:
 def sanitize_run_once_var(role_name: str) -> str:
    """
    Generate run_once variable name from role name.
-    Example: 'sys-srv-web-inj-logout' -> 'run_once_sys_srv_web_inj_logout'
+    Example: 'sys-front-inj-logout' -> 'run_once_sys_front_inj_logout'
    """
    return "run_once_" + role_name.replace("-", "_")

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,60 @@
+version: "3.9"
+
+services:
+  infinito:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      network: host
+    pull_policy: never
+    container_name: infinito_nexus
+    image: infinito_nexus
+    restart: unless-stopped
+    volumes:
+      - data:/var/lib/docker/volumes/
+      - backups:/Backups/
+      - letsencrypt:/etc/letsencrypt/
+    ports:
+      # --- Mail services (classic + secure) ---
+      - "${BIND_IP:-127.0.0.1}:25:25"                     # SMTP
+      - "${BIND_IP:-127.0.0.1}:110:110"                   # POP3
+      - "${BIND_IP:-127.0.0.1}:143:143"                   # IMAP
+      - "${BIND_IP:-127.0.0.1}:465:465"                   # SMTPS
+      - "${BIND_IP:-127.0.0.1}:587:587"                   # Submission (SMTP)
+      - "${BIND_IP:-127.0.0.1}:993:993"                   # IMAPS (bound to public IP)
+      - "${BIND_IP:-127.0.0.1}:995:995"                   # POP3S
+      - "${BIND_IP:-127.0.0.1}:4190:4190"                 # Sieve (ManageSieve)
+
+      # --- Web / API services ---
+      - "${BIND_IP:-127.0.0.1}:80:80"                     # HTTP
+      - "${BIND_IP:-127.0.0.1}:443:443"                   # HTTPS
+      - "${BIND_IP:-127.0.0.1}:8448:8448"                 # Matrix federation port
+
+      # --- TURN / STUN (UDP + TCP) ---
+      - "${BIND_IP:-127.0.0.1}:3478-3480:3478-3480/udp"   # TURN/STUN UDP
+      - "${BIND_IP:-127.0.0.1}:3478-3480:3478-3480"       # TURN/STUN TCP
+
+      # --- Streaming / RTMP ---
+      - "${BIND_IP:-127.0.0.1}:1935:1935"                 # Peertube
+
+      # --- Custom / application ports ---
+      - "${BIND_IP:-127.0.0.1}:2201:2201"                 # Gitea
+      - "${BIND_IP:-127.0.0.1}:2202:2202"                 # Gitlab
+      - "${BIND_IP:-127.0.0.1}:2203:22"                   # SSH
+      - "${BIND_IP:-127.0.0.1}:33552:33552"
+
+      # --- Consecutive ranges ---
+      - "${BIND_IP:-127.0.0.1}:48081-48083:48081-48083"
+      - "${BIND_IP:-127.0.0.1}:48087:48087"
+volumes:
+  data:
+  backups:
+  letsencrypt:
+networks:
+  default:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet:  ${SUBNET:-172.30.0.0/24}
+          gateway: ${GATEWAY:-172.30.0.1}
--- a/docs/guides/administrator/README.md
+++ b/docs/guides/administrator/README.md
@@ -15,7 +15,7 @@ Follow these guides to install and configure Infinito.Nexus:
 - **Networking & VPN** - Configure `WireGuard`, `OpenVPN`, and `Nginx Reverse Proxy`.

 ## Managing & Updating Infinito.Nexus 🔄
- Regularly update services using `update-docker`, `update-pacman`, or `update-apt`.
+- Regularly update services using `update-pacman`, or `update-apt`.
 - Monitor system health with `sys-ctl-hlth-btrfs`, `sys-ctl-hlth-webserver`, and `sys-ctl-hlth-docker-container`.
 - Automate system maintenance with `sys-lock`, `sys-ctl-cln-bkps`, and `sys-ctl-rpr-docker-hard`.

--- a/env.sample
+++ b/env.sample
@@ -0,0 +1,3 @@
+BIND_IP=127.0.0.1
+SUBNET=172.30.0.0/24
+GATEWAY=172.30.0.1
--- a/filter_plugins/active_docker.py
+++ b/filter_plugins/active_docker.py
@@ -0,0 +1,79 @@
+# -*- coding: utf-8 -*-
+"""
+Ansible filter to count active docker services for current host.
+
+Active means:
+- application key is in group_names
+- application key matches prefix regex (default: ^(web-|svc-).* )
+- under applications[app]['docker']['services'] each service is counted if:
+  - 'enabled' is True, OR
+  - 'enabled' is missing/undefined  (treated as active)
+
+Returns an integer. If ensure_min_one=True, returns at least 1.
+"""
+
+import re
+from typing import Any, Dict, Mapping, Iterable
+
+
+def _is_mapping(x: Any) -> bool:
+    # be liberal: Mapping covers dict-like; fallback to dict check
+    try:
+        return isinstance(x, Mapping)
+    except Exception:
+        return isinstance(x, dict)
+
+
+def active_docker_container_count(applications: Mapping[str, Any],
+                                  group_names: Iterable[str],
+                                  prefix_regex: str = r'^(web-|svc-).*',
+                                  ensure_min_one: bool = False) -> int:
+    if not _is_mapping(applications):
+        return 1 if ensure_min_one else 0
+
+    group_set = set(group_names or [])
+    try:
+        pattern = re.compile(prefix_regex)
+    except re.error:
+        pattern = re.compile(r'^(web-|svc-).*')  # fallback
+
+    count = 0
+
+    for app_key, app_val in applications.items():
+        # host selection + name prefix
+        if app_key not in group_set:
+            continue
+        if not pattern.match(str(app_key)):
+            continue
+
+        docker = app_val.get('docker') if _is_mapping(app_val) else None
+        services = docker.get('services') if _is_mapping(docker) else None
+        if not _is_mapping(services):
+            # sometimes roles define a single service name string; ignore
+            continue
+
+        for _svc_name, svc_cfg in services.items():
+            if not _is_mapping(svc_cfg):
+                # allow shorthand like: service: {} or image string -> counts as enabled
+                count += 1
+                continue
+            enabled = svc_cfg.get('enabled', True)
+            if isinstance(enabled, bool):
+                if enabled:
+                    count += 1
+            else:
+                # non-bool enabled -> treat "truthy" as enabled
+                if bool(enabled):
+                    count += 1
+
+    if ensure_min_one and count < 1:
+        return 1
+    return count
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            # usage: {{ applications | active_docker_container_count(group_names) }}
+            'active_docker_container_count': active_docker_container_count,
+        }
--- a/filter_plugins/alias_domains_map.py
+++ b/filter_plugins/alias_domains_map.py
@@ -1,86 +0,0 @@
-from ansible.errors import AnsibleFilterError
-
-class FilterModule(object):
-    def filters(self):
-        return {'alias_domains_map': self.alias_domains_map}
-
-    def alias_domains_map(self, apps, PRIMARY_DOMAIN):
-        """
-        Build a map of application IDs to their alias domains.
-
-        - If no `domains` key → []  
-        - If `domains` exists but is an empty dict → return the original cfg  
-        - Explicit `aliases` are used (default appended if missing)  
-        - If only `canonical` defined and it doesn't include default, default is added  
-        - Invalid types raise AnsibleFilterError
-        """
-        def parse_entry(domains_cfg, key, app_id):
-            if key not in domains_cfg:
-                return None
-            entry = domains_cfg[key]
-            if isinstance(entry, dict):
-                values = list(entry.values())
-            elif isinstance(entry, list):
-                values = entry
-            else:
-                raise AnsibleFilterError(
-                    f"Unexpected type for 'domains.{key}' in application '{app_id}': {type(entry).__name__}"
-                )
-            for d in values:
-                if not isinstance(d, str) or not d.strip():
-                    raise AnsibleFilterError(
-                        f"Invalid domain entry in '{key}' for application '{app_id}': {d!r}"
-                    )
-            return values
-
-        def default_domain(app_id, primary):
-            return f"{app_id}.{primary}"
-
-        # 1) Precompute canonical domains per app (fallback to default)
-        canonical_map = {}
-        for app_id, cfg in apps.items():
-            domains_cfg = cfg.get('server',{}).get('domains',{})
-            entry = domains_cfg.get('canonical')
-            if entry is None:
-                canonical_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)]
-            elif isinstance(entry, dict):
-                canonical_map[app_id] = list(entry.values())
-            elif isinstance(entry, list):
-                canonical_map[app_id] = list(entry)
-            else:
-                raise AnsibleFilterError(
-                    f"Unexpected type for 'server.domains.canonical' in application '{app_id}': {type(entry).__name__}"
-                )
-
-        # 2) Build alias list per app
-        result = {}
-        for app_id, cfg in apps.items():
-            domains_cfg = cfg.get('server',{}).get('domains')
-
-            # no domains key → no aliases
-            if domains_cfg is None:
-                result[app_id] = []
-                continue
-
-            # empty domains dict → return the original cfg
-            if isinstance(domains_cfg, dict) and not domains_cfg:
-                result[app_id] = cfg
-                continue
-
-            # otherwise, compute aliases
-            aliases = parse_entry(domains_cfg, 'aliases', app_id) or []
-            default = default_domain(app_id, PRIMARY_DOMAIN)
-            has_aliases = 'aliases' in domains_cfg
-            has_canon   = 'canonical' in domains_cfg
-
-            if has_aliases:
-                if default not in aliases:
-                    aliases.append(default)
-            elif has_canon:
-                canon = canonical_map.get(app_id, [])
-                if default not in canon and default not in aliases:
-                    aliases.append(default)
-
-            result[app_id] = aliases
-
-        return result
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@@ -1,10 +1,14 @@
 from ansible.errors import AnsibleFilterError
 import hashlib
 import base64
-import sys, os
+import sys
+import os

+# Ensure module_utils is importable when this filter runs from Ansible
 sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
 from module_utils.config_utils import get_app_conf
+from module_utils.get_url import get_url
+

 class FilterModule(object):
    """
@@ -16,10 +20,14 @@ class FilterModule(object):
            'build_csp_header': self.build_csp_header,
        }

+    # -------------------------------
+    # Helpers
+    # -------------------------------
+
    @staticmethod
    def is_feature_enabled(applications: dict, feature: str, application_id: str) -> bool:
        """
-        Return True if applications[application_id].features[feature] is truthy.
+        Returns True if applications[application_id].features[feature] is truthy.
        """
        return get_app_conf(
            applications,
@@ -31,6 +39,10 @@ class FilterModule(object):

    @staticmethod
    def get_csp_whitelist(applications, application_id, directive):
+        """
+        Returns a list of additional whitelist entries for a given directive.
+        Accepts both scalar and list in config; always returns a list.
+        """
        wl = get_app_conf(
            applications,
            application_id,
@@ -47,28 +59,37 @@ class FilterModule(object):
    @staticmethod
    def get_csp_flags(applications, application_id, directive):
        """
-        Dynamically extract all CSP flags for a given directive and return them as tokens,
-        e.g., "'unsafe-eval'", "'unsafe-inline'", etc.
+        Returns CSP flag tokens (e.g., "'unsafe-eval'", "'unsafe-inline'") for a directive,
+        merging sane defaults with app config.
+        Default: 'unsafe-inline' is enabled for style-src and style-src-elem.
        """
-        flags = get_app_conf(
+        # Defaults that apply to all apps
+        default_flags = {}
+        if directive in ('style-src', 'style-src-elem'):
+            default_flags = {'unsafe-inline': True}
+
+        configured = get_app_conf(
            applications,
            application_id,
            'server.csp.flags.' + directive,
            False,
            {}
        )
-        tokens = []

-        for flag_name, enabled in flags.items():
+        # Merge defaults with configured flags (configured overrides defaults)
+        merged = {**default_flags, **configured}
+
+        tokens = []
+        for flag_name, enabled in merged.items():
            if enabled:
                tokens.append(f"'{flag_name}'")
-
        return tokens

    @staticmethod
    def get_csp_inline_content(applications, application_id, directive):
        """
-        Return inline script/style snippets to hash for a given CSP directive.
+        Returns inline script/style snippets to hash for a given directive.
+        Accepts both scalar and list in config; always returns a list.
        """
        snippets = get_app_conf(
            applications,
@@ -86,7 +107,7 @@ class FilterModule(object):
    @staticmethod
    def get_csp_hash(content):
        """
-        Compute the SHA256 hash of the given inline content and return
+        Computes the SHA256 hash of the given inline content and returns
        a CSP token like "'sha256-<base64>'".
        """
        try:
@@ -96,6 +117,10 @@ class FilterModule(object):
        except Exception as exc:
            raise AnsibleFilterError(f"get_csp_hash failed: {exc}")

+    # -------------------------------
+    # Main builder
+    # -------------------------------
+
    def build_csp_header(
        self,
        applications,
@@ -105,80 +130,85 @@ class FilterModule(object):
        matomo_feature_name='matomo'
    ):
        """
-        Build the Content-Security-Policy header value dynamically based on application settings.
-        Inline hashes are read from applications[application_id].csp.hashes
+        Builds the Content-Security-Policy header value dynamically based on application settings.
+        - Flags (e.g., 'unsafe-eval', 'unsafe-inline') are read from server.csp.flags.<directive>,
+          with sane defaults applied in get_csp_flags (always 'unsafe-inline' for style-src and style-src-elem).
+        - Inline hashes are read from server.csp.hashes.<directive>.
+        - Whitelists are read from server.csp.whitelist.<directive>.
+        - Inline hashes are added only if the final tokens do NOT include 'unsafe-inline'.
        """
        try:
            directives = [
-                'default-src',
-                'connect-src',
-                'frame-ancestors',
-                'frame-src',
-                'script-src',
-                'script-src-elem',
-                'style-src',
-                'font-src',
-                'worker-src',
-                'manifest-src',
-                'media-src',
+                'default-src',      # Fallback source list for content types not explicitly listed
+                'connect-src',      # Allowed URLs for XHR, WebSockets, EventSource, fetch()
+                'frame-ancestors',  # Who may embed this page
+                'frame-src',        # Sources for nested browsing contexts (e.g., <iframe>)
+                'script-src',       # Sources for script execution
+                'script-src-elem',  # Sources for <script> elements
+                'style-src',        # Sources for inline styles and <style>/<link> elements
+                'style-src-elem',   # Sources for <style> and <link rel="stylesheet">
+                'font-src',         # Sources for fonts
+                'worker-src',       # Sources for workers
+                'manifest-src',     # Sources for web app manifests
+                'media-src',        # Sources for audio and video
            ]
+
            parts = []

            for directive in directives:
                tokens = ["'self'"]

-                # unsafe-eval / unsafe-inline flags
+                # Load flags (includes defaults from get_csp_flags)
                flags = self.get_csp_flags(applications, application_id, directive)
                tokens += flags

-                
-                if directive in ['script-src-elem', 'connect-src']:
-                    # Matomo integration
-                    if self.is_feature_enabled(applications, matomo_feature_name, application_id):
-                        matomo_domain = domains.get('web-app-matomo')[0]
-                        if matomo_domain:
-                            tokens.append(f"{web_protocol}://{matomo_domain}")
-                    
-                    # Allow the loading of js from the cdn        
-                    if self.is_feature_enabled(applications, 'logout', application_id) or self.is_feature_enabled(applications, 'desktop', application_id):
-                        domain = domains.get('web-svc-cdn')[0]
-                        tokens.append(f"{web_protocol}://{domain}")
+                # Allow fetching from internal CDN by default for selected directives
+                if directive in ['script-src-elem', 'connect-src', 'style-src-elem']:
+                    tokens.append(get_url(domains, 'web-svc-cdn', web_protocol))

-                # ReCaptcha integration: allow loading scripts from Google if feature enabled
+                # Matomo integration if feature is enabled
+                if directive in ['script-src-elem', 'connect-src']:
+                    if self.is_feature_enabled(applications, matomo_feature_name, application_id):
+                        tokens.append(get_url(domains, 'web-app-matomo', web_protocol))
+
+                # Simpleicons integration if feature is enabled
+                if directive in ['connect-src']:
+                    if self.is_feature_enabled(applications, 'simpleicons', application_id):
+                        tokens.append(get_url(domains, 'web-svc-simpleicons', web_protocol))
+
+                # ReCaptcha integration (scripts + frames) if feature is enabled
                if self.is_feature_enabled(applications, 'recaptcha', application_id):
-                    if directive in ['script-src-elem',"frame-src"]:
+                    if directive in ['script-src-elem', 'frame-src']:
                        tokens.append('https://www.gstatic.com')
                        tokens.append('https://www.google.com')

+                # Frame ancestors handling (desktop + logout support)
                if directive == 'frame-ancestors':
-                    # Enable loading via ancestors
                    if self.is_feature_enabled(applications, 'desktop', application_id):
+                        # Allow being embedded by the desktop app domain (and potentially its parent)
                        domain = domains.get('web-app-desktop')[0]
-                        sld_tld = ".".join(domain.split(".")[-2:])  # yields "example.com"
-                        tokens.append(f"{sld_tld}")                 # yields "*.example.com"
-                
+                        sld_tld = ".".join(domain.split(".")[-2:])  # e.g., example.com
+                        tokens.append(f"{sld_tld}")
                    if self.is_feature_enabled(applications, 'logout', application_id):
-                        
-                        # Allow logout via infinito logout proxy
-                        domain = domains.get('web-svc-logout')[0] 
-                        tokens.append(f"{web_protocol}://{domain}")
-                        
-                        # Allow logout via keycloak app
-                        domain = domains.get('web-app-keycloak')[0]
-                        tokens.append(f"{web_protocol}://{domain}")
-                        
-                # whitelist
+                        # Allow embedding via logout proxy and Keycloak app
+                        tokens.append(get_url(domains, 'web-svc-logout', web_protocol))
+                        tokens.append(get_url(domains, 'web-app-keycloak', web_protocol))
+
+                # Custom whitelist entries
                tokens += self.get_csp_whitelist(applications, application_id, directive)

-                # only add hashes if 'unsafe-inline' is NOT in flags
-                if "'unsafe-inline'" not in flags:
+                # Add inline content hashes ONLY if final tokens do NOT include 'unsafe-inline'
+                #    (Check tokens, not flags, to include defaults and later modifications.)
+                if "'unsafe-inline'" not in tokens:
                    for snippet in self.get_csp_inline_content(applications, application_id, directive):
                        tokens.append(self.get_csp_hash(snippet))

+                # Append directive
                parts.append(f"{directive} {' '.join(tokens)};")

-            # static img-src
+            # Static img-src directive (kept permissive for data/blob and any host)
            parts.append("img-src * data: blob:;")
+
            return ' '.join(parts)

        except Exception as exc:
--- a/filter_plugins/domain_redirect_mappings.py
+++ b/filter_plugins/domain_redirect_mappings.py
@@ -7,7 +7,7 @@ class FilterModule(object):
    def filters(self):
        return {'domain_mappings': self.domain_mappings}

-    def domain_mappings(self, apps, PRIMARY_DOMAIN):
+    def domain_mappings(self, apps, primary_domain, auto_build_alias):
        """
        Build a flat list of redirect mappings for all apps:
          - source: each alias domain
@@ -43,7 +43,7 @@ class FilterModule(object):
            domains_cfg = cfg.get('server',{}).get('domains',{})
            entry = domains_cfg.get('canonical')
            if entry is None:
-                canonical_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)]
+                canonical_map[app_id] = [default_domain(app_id, primary_domain)]
            elif isinstance(entry, dict):
                canonical_map[app_id] = list(entry.values())
            elif isinstance(entry, list):
@@ -61,11 +61,11 @@ class FilterModule(object):
                alias_map[app_id] = []
                continue
            if isinstance(domains_cfg, dict) and not domains_cfg:
-                alias_map[app_id] = [default_domain(app_id, PRIMARY_DOMAIN)]
+                alias_map[app_id] = [default_domain(app_id, primary_domain)]
                continue

            aliases = parse_entry(domains_cfg, 'aliases', app_id) or []
-            default = default_domain(app_id, PRIMARY_DOMAIN)
+            default = default_domain(app_id, primary_domain)
            has_aliases = 'aliases' in domains_cfg
            has_canonical = 'canonical' in domains_cfg

@@ -74,7 +74,7 @@ class FilterModule(object):
                    aliases.append(default)
            elif has_canonical:
                canon = canonical_map.get(app_id, [])
-                if default not in canon and default not in aliases:
+                if default not in canon and default not in aliases and auto_build_alias:
                    aliases.append(default)

            alias_map[app_id] = aliases
@@ -84,7 +84,7 @@ class FilterModule(object):
        mappings = []
        for app_id, sources in alias_map.items():
            canon_list = canonical_map.get(app_id, [])
-            target = canon_list[0] if canon_list else default_domain(app_id, PRIMARY_DOMAIN)
+            target = canon_list[0] if canon_list else default_domain(app_id, primary_domain)
            for src in sources:
                if src == target:
                    # skip self-redirects
--- a/filter_plugins/generate_all_domains.py
+++ b/filter_plugins/generate_all_domains.py
@@ -4,7 +4,7 @@ class FilterModule(object):
    def filters(self):
        return {'generate_all_domains': self.generate_all_domains}

-    def generate_all_domains(self, domains_dict, include_www=True):
+    def generate_all_domains(self, domains_dict, include_www:bool=True):
        """
        Transform a dict of domains (values: str, list, dict) into a flat list,
        optionally add 'www.' prefixes, dedupe and sort alphabetically.
--- a/filter_plugins/get_application_id.py
+++ b/filter_plugins/get_application_id.py
@@ -1,49 +0,0 @@
-import os
-import re
-import yaml
-from ansible.errors import AnsibleFilterError
-
-
-def get_application_id(role_name):
-    """
-    Jinja2/Ansible filter: given a role name, load its vars/main.yml and return the application_id value.
-    """
-    # Construct path: assumes current working directory is project root
-    vars_file = os.path.join(os.getcwd(), 'roles', role_name, 'vars', 'main.yml')
-
-    if not os.path.isfile(vars_file):
-        raise AnsibleFilterError(f"Vars file not found for role '{role_name}': {vars_file}")
-
-    try:
-        # Read entire file content to avoid lazy stream issues
-        with open(vars_file, 'r', encoding='utf-8') as f:
-            content = f.read()
-        data = yaml.safe_load(content)
-    except Exception as e:
-        raise AnsibleFilterError(f"Error reading YAML from {vars_file}: {e}")
-
-    # Ensure parsed data is a mapping
-    if not isinstance(data, dict):
-        raise AnsibleFilterError(
-            f"Error reading YAML from {vars_file}: expected mapping, got {type(data).__name__}"
-        )
-
-    # Detect malformed YAML: no valid identifier-like keys
-    valid_key_pattern = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
-    if data and not any(valid_key_pattern.match(k) for k in data.keys()):
-        raise AnsibleFilterError(f"Error reading YAML from {vars_file}: invalid top-level keys")
-
-    if 'application_id' not in data:
-        raise AnsibleFilterError(f"Key 'application_id' not found in {vars_file}")
-
-    return data['application_id']
-
-
-class FilterModule(object):
-    """
-    Ansible filter plugin entry point.
-    """
-    def filters(self):
-        return {
-            'get_application_id': get_application_id,
-        }
--- a/filter_plugins/get_docker_paths.py
+++ b/filter_plugins/get_docker_paths.py
@@ -20,9 +20,10 @@ def get_docker_paths(application_id: str, path_docker_compose_instances: str) ->
            'config':   f"{base}config/",
        },
        'files': {
-            'env':            f"{base}.env/env",
-            'docker_compose': f"{base}docker-compose.yml",
-            'dockerfile':     f"{base}Dockerfile",
+            'env':                      f"{base}.env/env",
+            'docker_compose':           f"{base}docker-compose.yml",
+            'docker_compose_override':  f"{base}docker-compose.override.yml",
+            'dockerfile':               f"{base}Dockerfile",
        }
    }

--- a/filter_plugins/jvm_filters.py
+++ b/filter_plugins/jvm_filters.py
@@ -0,0 +1,77 @@
+from __future__ import annotations
+
+import sys, os, re
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+
+from ansible.errors import AnsibleFilterError
+from module_utils.config_utils import get_app_conf
+from module_utils.entity_name_utils import get_entity_name
+
+_UNIT_RE = re.compile(r'^\s*(\d+(?:\.\d+)?)\s*([kKmMgGtT]?[bB]?)?\s*$')
+_FACTORS = {
+    '': 1, 'b': 1,
+    'k': 1024, 'kb': 1024,
+    'm': 1024**2, 'mb': 1024**2,
+    'g': 1024**3, 'gb': 1024**3,
+    't': 1024**4, 'tb': 1024**4,
+}
+
+def _to_bytes(v: str) -> int:
+    if v is None:
+        raise AnsibleFilterError("jvm_filters: size value is None")
+    s = str(v).strip()
+    m = _UNIT_RE.match(s)
+    if not m:
+        raise AnsibleFilterError(f"jvm_filters: invalid size '{v}'")
+    num, unit = m.group(1), (m.group(2) or '').lower()
+    try:
+        val = float(num)
+    except ValueError as e:
+        raise AnsibleFilterError(f"jvm_filters: invalid numeric size '{v}'") from e
+    factor = _FACTORS.get(unit)
+    if factor is None:
+        raise AnsibleFilterError(f"jvm_filters: unknown unit in '{v}'")
+    return int(val * factor)
+
+def _to_mb(v: str) -> int:
+    return max(0, _to_bytes(v) // (1024 * 1024))
+
+def _svc(app_id: str) -> str:
+    return get_entity_name(app_id)
+
+def _mem_limit_mb(apps: dict, app_id: str) -> int:
+    svc = _svc(app_id)
+    raw = get_app_conf(apps, app_id, f"docker.services.{svc}.mem_limit")
+    mb = _to_mb(raw)
+    if mb <= 0:
+        raise AnsibleFilterError(f"jvm_filters: mem_limit for '{svc}' must be > 0 MB (got '{raw}')")
+    return mb
+
+def _mem_res_mb(apps: dict, app_id: str) -> int:
+    svc = _svc(app_id)
+    raw = get_app_conf(apps, app_id, f"docker.services.{svc}.mem_reservation")
+    mb = _to_mb(raw)
+    if mb <= 0:
+        raise AnsibleFilterError(f"jvm_filters: mem_reservation for '{svc}' must be > 0 MB (got '{raw}')")
+    return mb
+
+def jvm_max_mb(apps: dict, app_id: str) -> int:
+    """Xmx = min( floor(0.7*limit), limit-1024, 12288 ) with floor at 1024 MB."""
+    limit_mb = _mem_limit_mb(apps, app_id)
+    c1 = (limit_mb * 7) // 10
+    c2 = max(0, limit_mb - 1024)
+    c3 = 12288
+    return max(1024, min(c1, c2, c3))
+
+def jvm_min_mb(apps: dict, app_id: str) -> int:
+    """Xms = min( floor(Xmx/2), mem_reservation, Xmx ) with floor at 512 MB."""
+    xmx = jvm_max_mb(apps, app_id)
+    res = _mem_res_mb(apps, app_id)
+    return max(512, min(xmx // 2, res, xmx))
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            "jvm_max_mb": jvm_max_mb,
+            "jvm_min_mb": jvm_min_mb,
+        }
--- a/filter_plugins/load_configuration.py
+++ b/filter_plugins/load_configuration.py
@@ -1,122 +0,0 @@
-import os
-import yaml
-import re
-from ansible.errors import AnsibleFilterError
-
-# in-memory cache: application_id → (parsed_yaml, is_nested)
-_cfg_cache = {}
-
-def load_configuration(application_id, key):
-    if not isinstance(key, str):
-        raise AnsibleFilterError("Key must be a dotted-string, e.g. 'features.matomo'")
-
-    # locate roles/
-    here = os.path.dirname(__file__)
-    root = os.path.abspath(os.path.join(here, '..'))
-    roles_dir = os.path.join(root, 'roles')
-    if not os.path.isdir(roles_dir):
-        raise AnsibleFilterError(f"Roles directory not found at {roles_dir}")
-
-    # first time? load & cache
-    if application_id not in _cfg_cache:
-        config_path = None
-
-        # 1) primary: vars/main.yml declares it
-        for role in os.listdir(roles_dir):
-            mv = os.path.join(roles_dir, role, 'vars', 'main.yml')
-            if os.path.exists(mv):
-                try:
-                    md = yaml.safe_load(open(mv)) or {}
-                except Exception:
-                    md = {}
-                if md.get('application_id') == application_id:
-                    cf = os.path.join(roles_dir, role, "config" , "main.yml")
-                    if not os.path.exists(cf):
-                        raise AnsibleFilterError(
-                            f"Role '{role}' declares '{application_id}' but missing config/main.yml"
-                        )
-                    config_path = cf
-                    break
-
-        # 2) fallback nested
-        if config_path is None:
-            for role in os.listdir(roles_dir):
-                cf = os.path.join(roles_dir, role, "config" , "main.yml")
-                if not os.path.exists(cf):
-                    continue
-                try:
-                    dd = yaml.safe_load(open(cf)) or {}
-                except Exception:
-                    dd = {}
-                if isinstance(dd, dict) and application_id in dd:
-                    config_path = cf
-                    break
-
-        # 3) fallback flat
-        if config_path is None:
-            for role in os.listdir(roles_dir):
-                cf = os.path.join(roles_dir, role, "config" , "main.yml")
-                if not os.path.exists(cf):
-                    continue
-                try:
-                    dd = yaml.safe_load(open(cf)) or {}
-                except Exception:
-                    dd = {}
-                # flat style: dict with all non-dict values
-                if isinstance(dd, dict) and not any(isinstance(v, dict) for v in dd.values()):
-                    config_path = cf
-                    break
-
-        if config_path is None:
-            return None
-
-        # parse once
-        try:
-            parsed = yaml.safe_load(open(config_path)) or {}
-        except Exception as e:
-            raise AnsibleFilterError(f"Error loading config/main.yml at {config_path}: {e}")
-
-        # detect nested vs flat
-        is_nested = isinstance(parsed, dict) and (application_id in parsed)
-        _cfg_cache[application_id] = (parsed, is_nested)
-
-    parsed, is_nested = _cfg_cache[application_id]
-
-    # pick base entry
-    entry = parsed[application_id] if is_nested else parsed
-
-    # resolve dotted key
-    key_parts = key.split('.')
-    for part in key_parts:
-        # Check if part has an index (e.g., domains.canonical[0])
-        match = re.match(r'([^\[]+)\[([0-9]+)\]', part)
-        if match:
-            part, index = match.groups()
-            index = int(index)
-            if isinstance(entry, dict) and part in entry:
-                entry = entry[part]
-                # Check if entry is a list and access the index
-                if isinstance(entry, list) and 0 <= index < len(entry):
-                    entry = entry[index]
-                else:
-                    raise AnsibleFilterError(
-                        f"Index '{index}' out of range for key '{part}' in application '{application_id}'"
-                    )
-            else:
-                raise AnsibleFilterError(
-                    f"Key '{part}' not found under application '{application_id}'"
-                )
-        else:
-            if isinstance(entry, dict) and part in entry:
-                entry = entry[part]
-            else:
-                raise AnsibleFilterError(
-                    f"Key '{part}' not found under application '{application_id}'"
-                )
-
-    return entry
-
-
-class FilterModule(object):
-    def filters(self):
-        return {'load_configuration': load_configuration}
--- a/filter_plugins/resource_filter.py
+++ b/filter_plugins/resource_filter.py
@@ -0,0 +1,40 @@
+# filter_plugins/resource_filter.py
+from __future__ import annotations
+
+import sys, os
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+
+from module_utils.config_utils import get_app_conf, AppConfigKeyError, ConfigEntryNotSetError  # noqa: F401
+from module_utils.entity_name_utils import get_entity_name
+
+from ansible.errors import AnsibleFilterError
+
+
+def resource_filter(
+    applications: dict,
+    application_id: str,
+    key: str,
+    service_name: str,
+    hard_default,
+):
+    """
+    Lookup order:
+      1) docker.services.<service_name or get_entity_name(application_id)>.<key>
+      2) hard_default (mandatory)
+
+    - service_name may be "" → will resolve to get_entity_name(application_id).
+    - hard_default is mandatory (no implicit None).
+    - required=False always.
+    """
+    try:
+        primary_service = service_name if service_name != "" else get_entity_name(application_id)
+        return get_app_conf(applications, application_id, f"docker.services.{primary_service}.{key}", False, hard_default)
+    except (AppConfigKeyError, ConfigEntryNotSetError) as e:
+        raise AnsibleFilterError(str(e))
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            "resource_filter": resource_filter,
+        }
--- a/filter_plugins/safe.py
+++ b/filter_plugins/safe.py
@@ -1,55 +0,0 @@
-from jinja2 import Undefined
-
-
-def safe_placeholders(template: str, mapping: dict = None) -> str:
-    """
-    Format a template like "{url}/logo.png".
-    If mapping is provided (not None) and ANY placeholder is missing or maps to None/empty string, the function will raise KeyError.
-    If mapping is None, missing placeholders or invalid templates return empty string.
-    Numerical zero or False are considered valid values.
-    Any other formatting errors return an empty string.
-    """
-    # Non-string templates yield empty
-    if not isinstance(template, str):
-        return ''
-
-    class SafeDict(dict):
-        def __getitem__(self, key):
-            val = super().get(key, None)
-            # Treat None or empty string as missing
-            if val is None or (isinstance(val, str) and val == ''):
-                raise KeyError(key)
-            return val
-        def __missing__(self, key):
-            raise KeyError(key)
-
-    silent = mapping is None
-    data = mapping or {}
-    try:
-        return template.format_map(SafeDict(data))
-    except KeyError:
-        if silent:
-            return ''
-        raise
-    except Exception:
-        return ''
-
-def safe_var(value):
-    """
-    Ansible filter: returns the value unchanged unless it's Undefined or None,
-    in which case returns an empty string.
-    Catches all exceptions and yields ''.
-    """
-    try:
-        if isinstance(value, Undefined) or value is None:
-            return ''
-        return value
-    except Exception:
-        return ''
-
-class FilterModule(object):
-    def filters(self):
-        return {
-            'safe_var': safe_var,
-            'safe_placeholders': safe_placeholders,
-        }
--- a/filter_plugins/safe_join.py
+++ b/filter_plugins/safe_join.py
@@ -1,28 +0,0 @@
-"""
-Ansible filter plugin that joins a base string and a tail path safely.
-If the base is falsy (None, empty, etc.), returns an empty string.
-"""
-
-def safe_join(base, tail):
-    """
-    Safely join base and tail into a path or URL.
-
-    - base: the base string. If falsy, returns ''.
-    - tail: the string to append. Leading/trailing slashes are handled.
-    - On any exception, returns ''.
-    """
-    try:
-        if not base:
-            return ''
-        base_str = str(base).rstrip('/')
-        tail_str = str(tail).lstrip('/')
-        return f"{base_str}/{tail_str}"
-    except Exception:
-        return ''
-
-
-class FilterModule(object):
-    def filters(self):
-        return {
-            'safe_join': safe_join,
-        }
--- a/filter_plugins/url_join.py
+++ b/filter_plugins/url_join.py
@@ -0,0 +1,146 @@
+"""
+Ansible filter plugin that safely joins URL components from a list.
+- Requires a valid '<scheme>://' in the first element (any RFC-3986-ish scheme)
+- Preserves the double slash after the scheme, collapses other duplicate slashes
+- Supports query parts introduced by elements starting with '?' or '&'
+  * first query element uses '?', subsequent use '&' (regardless of given prefix)
+  * each query element must be exactly one 'key=value' pair
+  * query elements may only appear after path elements; once query starts, no more path parts
+- Raises specific AnsibleFilterError messages for common misuse
+"""
+
+import re
+from ansible.errors import AnsibleFilterError
+
+_SCHEME_RE = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*://)(.*)$')
+_QUERY_PAIR_RE = re.compile(r'^[^&=?#]+=[^&?#]*$')  # key=value (no '&', no extra '?' or '#')
+
+def _to_str_or_error(obj, index):
+    """Cast to str, raising a specific AnsibleFilterError with index context."""
+    try:
+        return str(obj)
+    except Exception as e:
+        raise AnsibleFilterError(
+            f"url_join: unable to convert part at index {index} to string: {e}"
+        )
+
+def url_join(parts):
+    """
+    Join a list of URL parts, URL-aware (scheme, path, query).
+
+    Args:
+        parts (list|tuple): URL segments. First element MUST include '<scheme>://'.
+            Path elements are plain strings.
+            Query elements must start with '?' or '&' and contain exactly one 'key=value'.
+
+    Returns:
+        str: Joined URL.
+
+    Raises:
+        AnsibleFilterError: with specific, descriptive messages.
+    """
+    # --- basic input validation ---
+    if parts is None:
+        raise AnsibleFilterError("url_join: parts must be a non-empty list; got None")
+    if not isinstance(parts, (list, tuple)):
+        raise AnsibleFilterError(
+            f"url_join: parts must be a list/tuple; got {type(parts).__name__}"
+        )
+    if len(parts) == 0:
+        raise AnsibleFilterError("url_join: parts must be a non-empty list")
+
+    # --- first element must carry a scheme ---
+    first_raw = parts[0]
+    if first_raw is None:
+        raise AnsibleFilterError(
+            "url_join: first element must include a scheme like 'https://'; got None"
+        )
+
+    first_str = _to_str_or_error(first_raw, 0)
+    m = _SCHEME_RE.match(first_str)
+    if not m:
+        raise AnsibleFilterError(
+            "url_join: first element must start with '<scheme>://', e.g. 'https://example.com'; "
+            f"got '{first_str}'"
+        )
+
+    scheme = m.group(1)                    # e.g., 'https://', 'ftp://', 'myapp+v1://'
+    after_scheme = m.group(2).lstrip('/')  # strip only leading slashes right after scheme
+
+    # --- iterate parts: collect path parts until first query part; then only query parts allowed ---
+    path_parts = []
+    query_pairs = []
+    in_query = False
+
+    for i, p in enumerate(parts):
+        if p is None:
+            # skip None silently (consistent with path_join-ish behavior)
+            continue
+
+        s = _to_str_or_error(p, i)
+
+        # disallow additional scheme in later parts
+        if i > 0 and "://" in s:
+            raise AnsibleFilterError(
+                f"url_join: only the first element may contain a scheme; part at index {i} "
+                f"looks like a URL with scheme ('{s}')."
+            )
+
+        # first element: replace with remainder after scheme and continue
+        if i == 0:
+            s = after_scheme
+
+        # check if this is a query element (starts with ? or &)
+        if s.startswith('?') or s.startswith('&'):
+            in_query = True
+            raw_pair = s[1:]  # strip the leading ? or &
+            if raw_pair == '':
+                raise AnsibleFilterError(
+                    f"url_join: query element at index {i} is empty; expected '?key=value' or '&key=value'"
+                )
+            # Disallow multiple pairs in a single element; enforce exactly one key=value
+            if '&' in raw_pair:
+                raise AnsibleFilterError(
+                    f"url_join: query element at index {i} must contain exactly one 'key=value' pair "
+                    f"without '&'; got '{s}'"
+                )
+            if not _QUERY_PAIR_RE.match(raw_pair):
+                raise AnsibleFilterError(
+                    f"url_join: query element at index {i} must match 'key=value' (no extra '?', '&', '#'); got '{s}'"
+                )
+            query_pairs.append(raw_pair)
+        else:
+            # non-query element
+            if in_query:
+                # once query started, no more path parts allowed
+                raise AnsibleFilterError(
+                    f"url_join: path element found at index {i} after query parameters started; "
+                    f"query parts must come last"
+                )
+            # normal path part: strip slashes to avoid duplicate '/'
+            path_parts.append(s.strip('/'))
+
+    # normalize path: remove empty chunks
+    path_parts = [p for p in path_parts if p != '']
+
+    # --- build result ---
+    # path portion
+    if path_parts:
+        joined_path = "/".join(path_parts)
+        base = scheme + joined_path
+    else:
+        # no path beyond scheme
+        base = scheme
+
+    # query portion
+    if query_pairs:
+        base = base + "?" + "&".join(query_pairs)
+
+    return base
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'url_join': url_join,
+        }
--- a/filter_plugins/volume_path.py
+++ b/filter_plugins/volume_path.py
@@ -0,0 +1,21 @@
+from ansible.errors import AnsibleFilterError
+
+def docker_volume_path(volume_name: str) -> str:
+    """
+    Returns the absolute filesystem path of a Docker volume.
+
+    Example:
+        "akaunting_data" -> "/var/lib/docker/volumes/akaunting_data/_data/"
+    """
+    if not volume_name or not isinstance(volume_name, str):
+        raise AnsibleFilterError(f"Invalid volume name: {volume_name}")
+
+    return f"/var/lib/docker/volumes/{volume_name}/_data/"
+
+class FilterModule(object):
+    """Docker volume path filters."""
+
+    def filters(self):
+        return {
+            "docker_volume_path": docker_volume_path,
+        }
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -29,8 +29,13 @@ WEB_PORT:               "{{ 443 if WEB_PROTOCOL == 'https' else 80 }}"  # Defaul
 # Websocket
 WEBSOCKET_PROTOCOL:     "{{ 'wss' if WEB_PROTOCOL == 'https' else 'ws' }}"

+# WWW-Redirect to None WWW-Domains enabled
+WWW_REDIRECT_ENABLED:   "{{ ('web-opt-rdr-www' in group_names) | bool }}"
+
+AUTO_BUILD_ALIASES:     False # If enabled it creates an alias domain for each web application by the entity name, recommended to set to false to safge domain space
+
 # Domain
-PRIMARY_DOMAIN:         "localhost" # Primary Domain of the server
+PRIMARY_DOMAIN:                           "localhost" # Primary Domain of the server

 DNS_PROVIDER:                             cloudflare              # The DNS Provider\Registrar for the domain

@@ -55,7 +60,7 @@ DOCKER_WHITELISTET_ANON_VOLUMES: []

 # Asyn Confitguration
 ASYNC_ENABLED:  "{{ not MODE_DEBUG | bool }}"                  # Activate async, deactivated for debugging
-ASYNC_TIME:     "{{ 300 if ASYNC_ENABLED | bool else omit }}"  # Run for mnax 5min
+ASYNC_TIME:     "{{ 300 if ASYNC_ENABLED | bool else omit }}"  # Run for max 5min
 ASYNC_POLL:     "{{ 0 if ASYNC_ENABLED | bool else 10 }}"      # Don't wait for task

 # default value if not set via CLI (-e) or in playbook vars
@@ -81,4 +86,4 @@ _applications_nextcloud_oidc_flavor: >-
 RBAC:
  GROUP:
    NAME:   "/roles"  # Name of the group which holds the RBAC roles
-    CLAIM:  "groups"  # Name of the claim containing the RBAC groups
+    CLAIM:  "groups"  # Name of the claim containing the RBAC groups
--- a/group_vars/all/01_modes.yml
+++ b/group_vars/all/01_modes.yml
@@ -1,10 +1,10 @@
 # Mode

 # The following modes can be combined with each other
-MODE_TEST:    false               # Executes test routines instead of productive routines
-MODE_UPDATE:  true                # Executes updates
-MODE_DEBUG:   false               # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers
-MODE_RESET:   false               # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
-MODE_BACKUP:  "{{ MODE_UPDATE }}" # Activates the backup before the update procedure
-MODE_CLEANUP: "{{ MODE_DEBUG }}"  # Cleanup unused files and configurations
-MODE_ASSERT:  "{{ MODE_DEBUG }}"  # Executes validation tasks during the run.
+MODE_DUMMY:   false                       # Executes dummy/test routines instead of productive routines
+MODE_UPDATE:  true                        # Executes updates
+MODE_DEBUG:   false                       # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers
+MODE_RESET:   false                       # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
+MODE_CLEANUP: "{{ MODE_DEBUG  | bool }}"  # Cleanup unused files and configurations
+MODE_ASSERT:  "{{ MODE_DEBUG  | bool }}"  # Executes validation tasks during the run.
+MODE_BACKUP:  true                        # Executes the Backup before the deployment
--- a/group_vars/all/05_webserver.yml
+++ b/group_vars/all/05_webserver.yml
@@ -29,4 +29,31 @@ NGINX:
      IMAGE:          "/tmp/cache_nginx_image/"             # Directory which nginx uses to cache images
  USER:               "http"                                # Default nginx user in ArchLinux

+# Effective CPUs (float) across proxy and the current app
+WEBSERVER_CPUS_EFFECTIVE: >-
+  {{
+    [
+      (applications | resource_filter('svc-prx-openresty', 'cpus', service_name | default(''), RESOURCE_CPUS)) | float,
+      (applications | resource_filter(application_id,           'cpus', service_name | default(''), RESOURCE_CPUS)) | float
+    ] | min
+  }}
+
+# Nginx requires an integer for worker_processes:
+# - if cpus < 1 → 1
+# - else → floor to int
+WEBSERVER_WORKER_PROCESSES: >-
+  {{
+    1 if (WEBSERVER_CPUS_EFFECTIVE | float) < 1
+    else (WEBSERVER_CPUS_EFFECTIVE | float | int)
+  }}
+
+# worker_connections from pids_limit (use the smaller one), with correct key/defaults
+WEBSERVER_WORKER_CONNECTIONS: >-
+  {{
+    [
+      (applications | resource_filter('svc-prx-openresty', 'pids_limit', service_name | default(''), RESOURCE_PIDS_LIMIT)) | int,
+      (applications | resource_filter(application_id,      'pids_limit', service_name | default(''), RESOURCE_PIDS_LIMIT)) | int
+    ] | min
+  }}
+
 # @todo It propably makes sense to distinguish between target and source mount path, so that the config files can be stored in the openresty volumes folder
--- a/group_vars/all/07_services.yml
+++ b/group_vars/all/07_services.yml
@@ -5,14 +5,15 @@
 SYS_SERVICE_SUFFIX:                     ".{{ SOFTWARE_NAME | lower }}.service"

 ## Names
+SYS_SERVICE_CLEANUP_BACKUPS:            "{{ 'sys-ctl-cln-bkps'          | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_CLEANUP_BACKUPS_FAILED:     "{{ 'sys-ctl-cln-faild-bkps'    | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_CLEANUP_ANONYMOUS_VOLUMES:  "{{ 'sys-ctl-cln-anon-volumes'  | get_service_name(SOFTWARE_NAME) }}"
+SYS_SERVICE_CLEANUP_DISC_SPACE:         "{{ 'sys-ctl-cln-disc-space'    | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_OPTIMIZE_DRIVE:             "{{ 'svc-opt-ssd-hdd'           | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_BACKUP_RMT_2_LOC:           "{{ 'svc-bkp-rmt-2-loc'         | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_BACKUP_DOCKER_2_LOC:        "{{ 'sys-ctl-bkp-docker-2-loc'  | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_REPAIR_DOCKER_SOFT:         "{{ 'sys-ctl-rpr-docker-soft'   | get_service_name(SOFTWARE_NAME) }}"
 SYS_SERVICE_REPAIR_DOCKER_HARD:         "{{ 'sys-ctl-rpr-docker-hard'   | get_service_name(SOFTWARE_NAME) }}"
-SYS_SERVICE_UPDATE_DOCKER:              "{{ 'update-docker'             | get_service_name(SOFTWARE_NAME) }}"

 ## On Failure
 SYS_SERVICE_ON_FAILURE_COMPOSE:         "{{ ('sys-ctl-alm-compose@') | get_service_name(SOFTWARE_NAME, False) }}%n.service"
@@ -46,8 +47,7 @@ SYS_SERVICE_GROUP_MANIPULATION: >
      SYS_SERVICE_GROUP_CLEANUP +
      SYS_SERVICE_GROUP_REPAIR +
      SYS_SERVICE_GROUP_OPTIMIZATION +
-      SYS_SERVICE_GROUP_MAINTANANCE +
-      [ SYS_SERVICE_UPDATE_DOCKER ]
+      SYS_SERVICE_GROUP_MAINTANANCE
    ) | sort
  }}

--- a/group_vars/all/08_schedule.yml
+++ b/group_vars/all/08_schedule.yml
@@ -6,12 +6,12 @@ SYS_TIMER_ALL_ENABLED:                        "{{ MODE_DEBUG }}"   # Runtime Var

 ## Server Tact Variables 

-HOURS_SERVER_AWAKE:                           "0..23" # Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
+HOURS_SERVER_AWAKE:                           "6..23" # Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
 RANDOMIZED_DELAY_SEC:                         "5min"  # Random delay for systemd timers to avoid peak loads.

 ## Timeouts for all services
 SYS_TIMEOUT_DOCKER_RPR_HARD:                  "10min"
-SYS_TIMEOUT_DOCKER_RPR_SOFT:                 "{{ SYS_TIMEOUT_DOCKER_RPR_HARD }}"
+SYS_TIMEOUT_DOCKER_RPR_SOFT:                  "{{ SYS_TIMEOUT_DOCKER_RPR_HARD }}"
 SYS_TIMEOUT_CLEANUP_SERVICES:                 "15min"
 SYS_TIMEOUT_DOCKER_UPDATE:                    "20min"
 SYS_TIMEOUT_STORAGE_OPTIMIZER:                "{{ SYS_TIMEOUT_DOCKER_UPDATE }}"
@@ -37,7 +37,6 @@ SYS_SCHEDULE_CLEANUP_FAILED_BACKUPS:          "*-*-* 12:00:00"

 ### Schedule for repair services
 SYS_SCHEDULE_REPAIR_BTRFS_AUTO_BALANCER:      "Sat *-*-01..07 00:00:00"               # Execute btrfs auto balancer every first Saturday of a month
-SYS_SCHEDULE_REPAIR_DOCKER_SOFT:              "*-*-* {{ HOURS_SERVER_AWAKE }}:30:00"  # Heal unhealthy docker instances once per hour
 SYS_SCHEDULE_REPAIR_DOCKER_HARD:              "Sun *-*-* 08:00:00"                    # Restart docker instances every Sunday at 8:00 AM

 ### Schedule for backup tasks
--- a/group_vars/all/09_networks.yml
+++ b/group_vars/all/09_networks.yml
@@ -10,8 +10,8 @@ defaults_networks:
    # /28 Networks, 14 Usable Ip Addresses
    web-app-akaunting:
      subnet: 192.168.101.0/28
-    # Free:
-    #  subnet: 192.168.101.16/28
+    web-app-confluence:
+      subnet: 192.168.101.16/28
    web-app-baserow:
      subnet: 192.168.101.32/28
    web-app-mobilizon:
@@ -34,8 +34,8 @@ defaults_networks:
      subnet: 192.168.101.176/28
    web-app-listmonk:
      subnet: 192.168.101.192/28
-    # Free:
-    #  subnet: 192.168.101.208/28
+    web-app-jira:
+      subnet: 192.168.101.208/28
    web-app-matomo:
      subnet: 192.168.101.224/28
    web-app-mastodon:
@@ -48,8 +48,8 @@ defaults_networks:
      subnet:       192.168.102.16/28
    web-app-moodle:
      subnet: 192.168.102.32/28
-    # Free:
-    #  subnet: 192.168.102.48/28
+    web-app-bookwyrm:
+      subnet: 192.168.102.48/28
    web-app-nextcloud:
      subnet: 192.168.102.64/28
    web-app-openproject:
@@ -96,6 +96,22 @@ defaults_networks:
      subnet: 192.168.103.160/28
    web-svc-logout:
      subnet: 192.168.103.176/28
+    web-app-chess:
+      subnet: 192.168.103.192/28
+    web-app-magento:
+      subnet: 192.168.103.208/28
+    web-app-bridgy-fed:
+      subnet: 192.168.103.224/28
+    web-app-xwiki:
+      subnet: 192.168.103.240/28
+    web-app-openwebui:
+      subnet: 192.168.104.0/28
+    web-app-flowise:
+      subnet: 192.168.104.16/28
+    web-app-minio:
+      subnet: 192.168.104.32/28
+    web-svc-coturn:
+      subnet: 192.168.104.48/28

    # /24 Networks / 254 Usable Clients
    web-app-bigbluebutton:
@@ -108,3 +124,5 @@ defaults_networks:
      subnet: 192.168.201.0/24
    svc-db-openldap:
      subnet: 192.168.202.0/24
+    svc-ai-ollama:
+      subnet: 192.168.203.0/24 # Big network to bridge applications into ai
--- a/group_vars/all/10_ports.yml
+++ b/group_vars/all/10_ports.yml
@@ -2,12 +2,12 @@ ports:
  # Ports which are exposed to localhost
  localhost:
    database:
-      svc-db-postgres: 5432
-      svc-db-mariadb: 3306
+      svc-db-postgres:    5432
+      svc-db-mariadb:     3306
    # https://developer.mozilla.org/de/docs/Web/API/WebSockets_API
    websocket:
-      web-app-mastodon: 4001
-      web-app-espocrm: 4002
+      web-app-mastodon:   4001
+      web-app-espocrm:    4002
    oauth2_proxy:
      web-app-phpmyadmin: 4181
      web-app-lam: 4182
@@ -26,7 +26,7 @@ ports:
      web-app-gitea: 8002
      web-app-wordpress: 8003
      web-app-mediawiki: 8004
-      # Free: 8005
+      web-app-confluence: 8005
      web-app-yourls: 8006
      web-app-mailu: 8007
      web-app-elk: 8008
@@ -36,7 +36,7 @@ ports:
      web-app-funkwhale: 8012
      web-app-roulette-wheel: 8013
      web-app-joomla: 8014
-      # Free: 8015
+      web-app-jira: 8015
      web-app-pgadmin: 8016
      web-app-baserow: 8017
      web-app-matomo: 8018
@@ -70,19 +70,39 @@ ports:
      web-app-pretix: 8046
      web-app-mig: 8047
      web-svc-logout: 8048
+      web-app-bookwyrm: 8049
+      web-app-chess: 8050
+      web-app-bluesky_view: 8051
+      web-app-magento: 8052
+      web-app-bridgy-fed: 8053
+      web-app-xwiki: 8054
+      web-app-openwebui: 8055
+      web-app-flowise: 8056
+      web-app-minio_api: 8057
+      web-app-minio_console: 8058
      web-app-bigbluebutton: 48087    # This port is predefined by bbb. @todo Try to change this to a 8XXX port
  public:
    # The following ports should be changed to 22 on the subdomain via stream mapping
    ssh:
-      web-app-gitea: 2201
-      web-app-gitlab: 2202
+      web-app-gitea:          2201
+      web-app-gitlab:         2202
    ldaps:
-      svc-db-openldap: 636
-    stun:
-      web-app-bigbluebutton: 3478    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 3479
-    turn:
-      web-app-bigbluebutton: 5349    # Not sure if it's right placed here or if it should be moved to localhost section
-      web-app-nextcloud: 5350        # Not used yet
+      svc-db-openldap:        636
+    stun_turn:
+      web-app-bigbluebutton:  3478  # Not sure if it's right placed here or if it should be moved to localhost section
+      # Occupied by BBB:      3479
+      web-app-nextcloud:      3480
+      web-svc-coturn:         3481
+    stun_turn_tls:
+      web-app-bigbluebutton:  5349  # Not sure if it's right placed here or if it should be moved to localhost section
+      web-app-nextcloud:      5350  # Not used yet
+      web-svc-coturn:         5351
    federation:
      web-app-matrix_synapse: 8448
+    relay_port_ranges:
+      web-svc-coturn_start:         20000
+      web-svc-coturn_end:           39999
+      web-app-bigbluebutton_start:  40000
+      web-app-bigbluebutton_end:    49999
+      web-app-nextcloud_start:      50000
+      web-app-nextcloud_end:        59999
--- a/group_vars/all/16_storage.yml
+++ b/group_vars/all/16_storage.yml
@@ -3,4 +3,3 @@ BACKUPS_FOLDER_PATH:              "/Backups/"   # Path to the backups folder
 # Storage Space-Related Configurations          
 SIZE_PERCENT_MAXIMUM_BACKUP:      75  # Maximum storage space in percent for backups
 SIZE_PERCENT_CLEANUP_DISC_SPACE:  85  # Threshold for triggering cleanup actions
-SIZE_PERCENT_DISC_SPACE_WARNING:  90  # Warning threshold in percent for free disk space
--- a/group_vars/all/17_ai.yml
+++ b/group_vars/all/17_ai.yml
@@ -0,0 +1,3 @@
+# URL of Local Ollama Container
+OLLAMA_BASE_LOCAL_URL:  "http://{{ applications | get_app_conf('svc-ai-ollama', 'docker.services.ollama.name') }}:{{ applications | get_app_conf('svc-ai-ollama', 'docker.services.ollama.port') }}"
+OLLAMA_LOCAL_ENABLED:   "{{ applications | get_app_conf(application_id, 'features.local_ai') }}"
--- a/group_vars/all/18_resource.yml
+++ b/group_vars/all/18_resource.yml
@@ -0,0 +1,47 @@
+# Host resources
+RESOURCE_HOST_CPUS:  "{{ ansible_processor_vcpus | int }}"
+RESOURCE_HOST_MEM:   "{{ (ansible_memtotal_mb | int) // 1024 }}"
+
+# Reserve for OS
+RESOURCE_HOST_RESERVE_CPU: 2
+RESOURCE_HOST_RESERVE_MEM: 4
+
+# Available for apps
+RESOURCE_AVAIL_CPUS: "{{ (RESOURCE_HOST_CPUS | int) - (RESOURCE_HOST_RESERVE_CPU | int) }}"
+RESOURCE_AVAIL_MEM:  "{{ (RESOURCE_HOST_MEM  | int) - (RESOURCE_HOST_RESERVE_MEM | int) }}"
+
+# Count active docker services (only roles starting with web- or svc-; service counts if enabled==true OR enabled is undefined)
+RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT: >-
+  {{
+    applications
+    | active_docker_container_count(group_names, '^(web-|svc-).*', ensure_min_one=True)
+  }}
+
+# Per-container fair share (numbers!), later we append 'g' only for the string fields in compose
+RESOURCE_CPUS_NUM: >-
+  {{
+    [
+      (
+        ((RESOURCE_AVAIL_CPUS | float) / (RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT | float))
+        | round(2)
+      ),
+      0.5
+    ] | max
+  }}
+
+RESOURCE_MEM_RESERVATION_NUM: >-
+  {{
+    (((RESOURCE_AVAIL_MEM  | float) / (RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT | float)) * 0.7)
+    | round(1)
+  }}
+RESOURCE_MEM_LIMIT_NUM: >-
+  {{
+    (((RESOURCE_AVAIL_MEM  | float) / (RESOURCE_ACTIVE_DOCKER_CONTAINER_COUNT | float)) * 1.0)
+    | round(1)
+  }}
+
+# Final strings with units for compose defaults (keep numbers above for math elsewhere if needed)
+RESOURCE_CPUS:            "{{ RESOURCE_CPUS_NUM }}"
+RESOURCE_MEM_RESERVATION: "{{ RESOURCE_MEM_RESERVATION_NUM }}g"
+RESOURCE_MEM_LIMIT:       "{{ RESOURCE_MEM_LIMIT_NUM }}g"
+RESOURCE_PIDS_LIMIT:      512
--- a/lookup_plugins/local_mtime_qs.py
+++ b/lookup_plugins/local_mtime_qs.py
@@ -0,0 +1,53 @@
+from __future__ import annotations
+from ansible.plugins.lookup import LookupBase
+from ansible.errors import AnsibleError
+import os
+
+class LookupModule(LookupBase):
+    """
+    Return a cache-busting string based on the LOCAL file's mtime.
+
+    Usage (single path → string via Jinja):
+      {{ lookup('local_mtime_qs', '/path/to/file.css') }}
+      -> "?version=1712323456"
+
+    Options:
+      param (str): query parameter name (default: "version")
+      mode  (str): "qs" (default) → returns "?<param>=<mtime>"
+                   "epoch"        → returns "<mtime>"
+
+    Multiple paths (returns list, one result per term):
+      {{ lookup('local_mtime_qs', '/a.js', '/b.js', param='v') }}
+    """
+
+    def run(self, terms, variables=None, **kwargs):
+        if not terms:
+            return []
+
+        param = kwargs.get('param', 'version')
+        mode  = kwargs.get('mode', 'qs')
+
+        if mode not in ('qs', 'epoch'):
+            raise AnsibleError("local_mtime_qs: 'mode' must be 'qs' or 'epoch'")
+
+        results = []
+        for term in terms:
+            path = os.path.abspath(os.path.expanduser(str(term)))
+
+            # Fail fast if path is missing or not a regular file
+            if not os.path.exists(path):
+                raise AnsibleError(f"local_mtime_qs: file does not exist: {path}")
+            if not os.path.isfile(path):
+                raise AnsibleError(f"local_mtime_qs: not a regular file: {path}")
+
+            try:
+                mtime = int(os.stat(path).st_mtime)
+            except OSError as e:
+                raise AnsibleError(f"local_mtime_qs: cannot stat '{path}': {e}")
+
+            if mode == 'qs':
+                results.append(f"?{param}={mtime}")
+            else:  # mode == 'epoch'
+                results.append(str(mtime))
+
+        return results
--- a/module_utils/manager/inventory.py
+++ b/module_utils/manager/inventory.py
@@ -142,7 +142,8 @@ class InventoryManager:
        """
        if algorithm == "random_hex":
            return secrets.token_hex(64)
-        
+        if algorithm == "random_hex_32":
+            return secrets.token_hex(32)
        if algorithm == "sha256":
            return hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        if algorithm == "sha1":
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,10 +1,10 @@
- name: Execute {{ SOFTWARE_NAME }} Play
+- name: "Execute {{ SOFTWARE_NAME }} Play"
  hosts: all
  tasks:
  - name: "Load 'constructor' tasks"
    include_tasks: "tasks/stages/01_constructor.yml"
-  - name: "Load '{{host_type}}' tasks"
-    include_tasks: "tasks/stages/02_{{host_type}}.yml"
+  - name: "Load '{{ host_type }}' tasks"
+    include_tasks: "tasks/stages/02_{{ host_type }}.yml"
  - name: "Load 'destructor' tasks"
    include_tasks: "tasks/stages/03_destructor.yml"
  become: true
--- a/roles/TODO.md
+++ b/roles/TODO.md
@@ -1,3 +0,0 @@
-# Todos
- Use at all applications the ansible role name as application_id
- Implement filter_plugins/get_infinito_path.py
--- a/roles/categories.yml
+++ b/roles/categories.yml
@@ -56,16 +56,21 @@ roles:
      description: "Stack levels to setup the server"
      icon: "fas fa-bars-staggered"
      invokable: false
+    front:
+      title: "System Frontend Helpers"
+      description: "Frontend helpers for reverse-proxied apps (injection, shared assets, CDN plumbing)."
+      icon: "fas fa-wand-magic-sparkles"
+      invokable: false
+      inj:
+        title: "Injection"
+        description: "Composable HTML injection roles (CSS, JS, logout interceptor, analytics, desktop iframe) for Nginx/OpenResty via sub_filter/Lua with CDN-backed assets."
+        icon: "fas fa-filter"
+        invokable: false
  update:
    title: "Updates & Package Management"
    description: "OS & package updates"
    icon: "fas fa-sync"
    invokable: true
-    pkgmgr:
-      title: "Package Manager Helpers"
-      description: "Helpers for package managers and unified install flows."
-      icon: "fas fa-box-open"
-      invokable: false
  drv:
    title: "Drivers"
    description: "Roles for installing and configuring hardware drivers—covering printers, graphics, input devices, and other peripheral support."
@@ -101,21 +106,6 @@ roles:
      description: "Developer-centric server utilities and admin toolkits."
      icon: "fas fa-code"
      invokable: false
-  srv:
-    title: "Server"
-    description: "General server roles for provisioning and managing server infrastructure—covering web servers, proxy servers, network services, and other backend components."
-    icon: "fas fa-server"
-    invokable: false
-    web:
-      title: "Webserver"
-      description: "Web-server roles for installing and configuring Nginx (core, TLS, injection filters, composer modules)."
-      icon: "fas fa-server"
-      invokable: false
-    proxy:
-      title: "Proxy Server"
-      description: "Proxy-server roles for virtual-host orchestration and reverse-proxy setups."
-      icon: "fas fa-project-diagram"
-      invokable: false
  web:
    title: "Web Infrastructure"
    description: "Roles for managing web infrastructure—covering static content services and deployable web applications."
@@ -158,6 +148,11 @@ roles:
      description: "Network setup (DNS, Let's Encrypt HTTP, WireGuard, etc.)"
      icon: "fas fa-globe"
      invokable: true 
+    ai:
+      title: "AI Services"
+      description: "Core AI building blocks—model serving, OpenAI-compatible gateways, vector databases, orchestration, and chat UIs."
+      icon: "fas fa-brain"
+      invokable: true
  user:
    title: "Users & Access"
    description: "User accounts & access control"
--- a/roles/desk-gnome-caffeine/tasks/01_core.yml
+++ b/roles/desk-gnome-caffeine/tasks/01_core.yml
@@ -19,3 +19,5 @@
  template:
    src: caffeine.desktop.j2
    dest: "{{auto_start_directory}}caffeine.desktop"
+
+- include_tasks: utils/run_once.yml
--- a/roles/desk-gnome-caffeine/tasks/main.yml
+++ b/roles/desk-gnome-caffeine/tasks/main.yml
@@ -1,4 +1,3 @@
 - block:
  - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
  when: run_once_desk_gnome_caffeine is not defined
--- a/roles/desk-nextcloud/tasks/main.yml
+++ b/roles/desk-nextcloud/tasks/main.yml
@@ -5,8 +5,8 @@

 - name: Link homefolders to cloud
  ansible.builtin.file:
-    src: "{{nextcloud_cloud_directory}}{{item}}"
-    dest: "{{nextcloud_user_home_directory}}{{item}}"
+    src: "{{nextcloud_cloud_directory}}{{ item }}"
+    dest: "{{nextcloud_user_home_directory}}{{ item }}"
    owner: "{{ users[desktop_username].username }}"
    group: "{{ users[desktop_username].username }}"
    state: link
--- a/roles/desk-ssh/tasks/01_core.yml
+++ b/roles/desk-ssh/tasks/01_core.yml
@@ -48,4 +48,6 @@
    state: present
    create: yes
    mode: "0644"
-  become: false
+  become: false
+
+- include_tasks: utils/run_once.yml
--- a/roles/desk-ssh/tasks/main.yml
+++ b/roles/desk-ssh/tasks/main.yml
@@ -1,4 +1,3 @@
 - block:
  - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
  when: run_once_desk_ssh is not defined
--- a/roles/desk-virtualbox/handlers/main.yml
+++ b/roles/desk-virtualbox/handlers/main.yml
@@ -1,4 +0,0 @@
---
- name: reload virtualbox kernel modules
-  become: true
-  command: vboxreload
--- a/roles/dev-locales/tasks/main.yml
+++ b/roles/dev-locales/tasks/main.yml
@@ -1,8 +1,14 @@
 ---
 - name: Setup locale.gen
-  template: src=locale.gen dest=/etc/locale.gen
+  template:
+    src:  locale.gen.j2
+    dest: /etc/locale.gen
+
 - name: Setup locale.conf
-  template: src=locale.conf dest=/etc/locale.conf
+  template:
+    src:  locale.conf.j2
+    dest: /etc/locale.conf
+
 - name: Generate locales
  shell: locale-gen
  become: true
--- a/roles/dev-locales/templates/locale.conf
+++ b/roles/dev-locales/templates/locale.conf
@@ -1,2 +0,0 @@
-LANG=en_US.UTF-8
-LANGUAGE=en_US.UTF-8
--- a/roles/dev-locales/templates/locale.conf.j2
+++ b/roles/dev-locales/templates/locale.conf.j2
@@ -0,0 +1,2 @@
+LANG={{ HOST_LL_CC }}.UTF-8
+LANGUAGE={{ HOST_LL_CC }}.UTF-8
--- a/roles/dev-locales/templates/locale.gen.j2
+++ b/roles/dev-locales/templates/locale.gen.j2
--- a/roles/dev-yay/defaults/main.yml
+++ b/roles/dev-yay/defaults/main.yml
@@ -0,0 +1,4 @@
+AUR_HELPER:               yay
+AUR_BUILDER_USER:         aur_builder
+AUR_BUILDER_GROUP:        wheel
+AUR_BUILDER_SUDOERS_PATH: /etc/sudoers.d/11-install-aur_builder
--- a/roles/dev-yay/tasks/01_core.yml
+++ b/roles/dev-yay/tasks/01_core.yml
@@ -6,42 +6,53 @@
  - dev-git
  - dev-base-devel

- name: install yay
+- name: Install yay build prerequisites
  community.general.pacman:
    name:
    - base-devel
    - patch
    state: present

- name: Create the `aur_builder` user
+- name: Create the AUR builder user
  become: true
  ansible.builtin.user:
-    name: aur_builder
+    name: "{{ AUR_BUILDER_USER }}"
    create_home: yes
-    group: wheel
+    group: "{{ AUR_BUILDER_GROUP }}"

- name: Allow the `aur_builder` user to run `sudo pacman` without a password
+- name: Allow AUR builder to run pacman without password
  become: true
  ansible.builtin.lineinfile:
-    path: /etc/sudoers.d/11-install-aur_builder
-    line: 'aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman'
+    path: "{{ AUR_BUILDER_SUDOERS_PATH }}"
+    line: '{{ AUR_BUILDER_USER }} ALL=(ALL) NOPASSWD: /usr/bin/pacman'
    create: yes
    validate: 'visudo -cf %s'

 - name: Clone yay from AUR
  become: true
-  become_user: aur_builder
+  become_user: "{{ AUR_BUILDER_USER }}"
  git:
    repo: https://aur.archlinux.org/yay.git
-    dest: /home/aur_builder/yay
+    dest: "/home/{{ AUR_BUILDER_USER }}/yay"
    clone: yes
    update: yes

 - name: Build and install yay
  become: true
-  become_user: aur_builder
+  become_user: "{{ AUR_BUILDER_USER }}"
  shell: |
-    cd /home/aur_builder/yay
+    cd /home/{{ AUR_BUILDER_USER }}/yay
    makepkg -si --noconfirm
  args:
    creates: /usr/bin/yay
+
+- name: upgrade the system using yay, only act on AUR packages.
+  become: true
+  become_user: "{{ AUR_BUILDER_USER }}"
+  kewlfft.aur.aur:
+    upgrade: yes
+    use: "{{ AUR_HELPER }}"
+    aur_only: yes
+  when: MODE_UPDATE | bool
+
+- include_tasks: utils/run_once.yml
--- a/roles/dev-yay/tasks/main.yml
+++ b/roles/dev-yay/tasks/main.yml
@@ -1,5 +1,3 @@
 - block:
  - include_tasks: 01_core.yml
-  - set_fact:
-      run_once_dev_yay: true
  when: run_once_dev_yay is not defined
--- a/roles/docker-compose/README.md
+++ b/roles/docker-compose/README.md
@@ -20,7 +20,7 @@ To offer a centralized, extensible system for managing containerized application
 - **Reset Logic:** Cleans previous Compose project files and data when `MODE_RESET` is enabled.
 - **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers.
 - **Template-ready Service Files:** Predefined service base and health check templates.
- **Integration Support:** Compatible with `srv-proxy-core` and other Infinito.Nexus service roles.
+- **Integration Support:** Compatible with `sys-svc-proxy` and other Infinito.Nexus service roles.

 ## Administration Tips

--- a/roles/docker-compose/defaults/main.yml
+++ b/roles/docker-compose/defaults/main.yml
@@ -1,3 +1,3 @@
-docker_compose_skipp_file_creation: false # If set to true the file creation will be skipped
-docker_pull_git_repository:         false # Activates docker repository download and routine
-docker_compose_flush_handlers:      false # Set to true in the vars/main.yml of the including role to autoflush after docker compose routine
+docker_compose_file_creation_enabled: true  # If set to true the file creation will be skipped
+docker_pull_git_repository:           false # Activates docker repository download and routine
+docker_compose_flush_handlers:        false # Set to true in the vars/main.yml of the including role to autoflush after docker compose routine
--- a/roles/docker-compose/handlers/main.yml
+++ b/roles/docker-compose/handlers/main.yml
@@ -9,16 +9,22 @@
  listen:
    - docker compose up
    - docker compose restart
-    - docker compose just up
  when: MODE_ASSERT | bool

 - name: docker compose pull
  shell: |
    set -euo pipefail
-    lock="{{ [ PATH_DOCKER_COMPOSE_PULL_LOCK_DIR, docker_compose.directories.instance ] | path_join | hash('sha1') }}"
+    lock="{{ [ PATH_DOCKER_COMPOSE_PULL_LOCK_DIR, (docker_compose.directories.instance | hash('sha1')) ~ '.lock' ] | path_join }}"
    if [ ! -e "$lock" ]; then
      mkdir -p "$(dirname "$lock")"
-      docker compose pull
+      if docker compose config | grep -qE '^[[:space:]]+build:'; then
+        docker compose build --pull
+      fi
+      if docker compose pull --help 2>/dev/null | grep -q -- '--ignore-buildable'; then
+        docker compose pull --ignore-buildable
+      else
+        docker compose pull || true
+      fi
      : > "$lock"
      echo "pulled"
    fi
@@ -34,9 +40,8 @@
  listen:
    - docker compose up
    - docker compose restart
-    - docker compose just up

- name: Build docker compose 
+- name: Build docker compose
  shell: |
    set -euo pipefail
    docker compose build || { 
@@ -70,7 +75,6 @@
    DOCKER_CLIENT_TIMEOUT: 600
  listen:
    - docker compose up
-    - docker compose just up # @todo replace later just up by up when code is refactored, build atm is also listening to up

 - name: docker compose restart
  command:
--- a/roles/docker-compose/tasks/03_repository.yml
+++ b/roles/docker-compose/tasks/03_repository.yml
@@ -1,15 +1,18 @@
 - name: Set default docker_repository_path
  set_fact:
-    docker_repository_path: "{{docker_compose.directories.services}}repository/"
+    docker_repository_path: "{{ [ docker_compose.directories.services, 'repository/' ] | path_join }}"

 - name: pull docker repository
  git:
-    repo:       "{{ docker_repository_address }}"
-    dest:       "{{ docker_repository_path }}"
-    version:    "{{ docker_repository_branch | default('main') }}"
-    depth:      1
-    update:     yes
-    recursive:  yes
+    repo:           "{{ docker_repository_address }}"
+    dest:           "{{ docker_repository_path }}"
+    version:        "{{ docker_repository_branch | default('main') }}"
+    single_branch:  yes
+    depth:          1
+    update:         yes
+    recursive:      yes
+    force:          yes
+    accept_hostkey: yes
  notify:
    - docker compose build
    - docker compose up
--- a/roles/docker-compose/tasks/04_files.yml
+++ b/roles/docker-compose/tasks/04_files.yml
@@ -5,7 +5,9 @@
  loop:
    - "{{ application_id | abs_role_path_by_application_id }}/templates/Dockerfile.j2"
    - "{{ application_id | abs_role_path_by_application_id }}/files/Dockerfile"
-  notify: docker compose up
+  notify: 
+    - docker compose build
+    - docker compose up
  register: create_dockerfile_result
  failed_when:
    - create_dockerfile_result is failed
@@ -26,6 +28,21 @@
    - env_template is failed
    - "'Could not find or access' not in env_template.msg"

+- name:           "Create (optional) '{{ docker_compose.files.docker_compose_override }}'"
+  template:
+    src:          "{{ item }}"
+    dest:         "{{ docker_compose.files.docker_compose_override }}"
+    mode:         '770'
+    force:        yes
+  notify:         docker compose up
+  register:       docker_compose_override_template
+  loop:
+    - "{{ application_id | abs_role_path_by_application_id }}/templates/docker-compose.override.yml.j2"
+    - "{{ application_id | abs_role_path_by_application_id }}/files/docker-compose.override.yml"
+  failed_when:
+    - docker_compose_override_template is failed
+    - "'Could not find or access' not in docker_compose_override_template.msg"
+
 - name:           "Create (obligatoric) '{{ docker_compose.files.docker_compose }}'"
  template:
    src:          "docker-compose.yml.j2"
--- a/roles/docker-compose/tasks/main.yml
+++ b/roles/docker-compose/tasks/main.yml
@@ -24,7 +24,7 @@
    include_tasks: "04_files.yml"
  - name: "Ensure that {{ docker_compose.directories.instance }} is up"
    include_tasks: "05_ensure_up.yml"
-  when: not docker_compose_skipp_file_creation | bool
+  when: docker_compose_file_creation_enabled | bool

 - name: "flush docker compose for '{{ application_id }}'"
  meta: flush_handlers
--- a/roles/docker-compose/templates/networks.yml.j2
+++ b/roles/docker-compose/templates/networks.yml.j2
@@ -1,5 +1,6 @@
 {# This template needs to be included in docker-compose.yml #}
 networks:
+{# Central RDMS-Database Network #}
 {% if 
  (applications | get_app_conf(application_id, 'features.central_database', False) and database_type is defined) or
  application_id in ['svc-db-mariadb','svc-db-postgres']
@@ -7,6 +8,7 @@ networks:
  {{ applications | get_app_conf('svc-db-' ~ database_type, 'docker.network') }}:
    external: true
 {% endif %}
+{# Central LDAP Network #}
 {% if 
  applications | get_app_conf(application_id, 'features.ldap', False) and 
  applications | get_app_conf('svc-db-openldap', 'network.docker', False)
@@ -14,7 +16,13 @@ networks:
  {{ applications | get_app_conf('svc-db-openldap', 'docker.network') }}:
    external: true
 {% endif %}
-{% if not application_id.startswith('svc-db-') %}
+{# Central AI Network #}
+{% if applications | get_app_conf(application_id, 'features.local_ai', False) %}
+  {{ applications | get_app_conf('svc-ai-ollama', 'docker.network') }}:
+    external: true
+{% endif %}
+{# Default Network #}
+{% if not application_id.startswith('svc-db-') and not application_id.startswith('svc-ai-') %}
  default:
 {% if
  application_id in networks.local and 
@@ -25,7 +33,7 @@ networks:
    ipam:
      driver: default
      config:
-        - subnet: {{networks.local[application_id].subnet}}
+        - subnet: {{ networks.local[application_id].subnet }}
 {% endif %}
 {% endif %}
 {{ "\n" }}
--- a/roles/docker-compose/users/main.yml
+++ b/roles/docker-compose/users/main.yml
@@ -1,4 +1,6 @@
 users:
  blackhole:
    description: "Everything what will be send to this user will disapear"
-    username: "blackhole"
+    username: "blackhole"
+    roles:
+      - mail-bot
--- a/roles/docker-compose/vars/docker-compose.yml
+++ b/roles/docker-compose/vars/docker-compose.yml
@@ -1,2 +1,4 @@
 # @See https://chatgpt.com/share/67a23d18-fb54-800f-983c-d6d00752b0b4
-docker_compose: "{{ application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) }}"
+docker_compose:               "{{ application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) }}"
+docker_compose_command_base:  "docker compose --env-file {{ docker_compose.files.env }}"
+docker_compose_command_exec:  "{{ docker_compose_command_base }} exec"
--- a/roles/docker-container/templates/base.yml.j2
+++ b/roles/docker-container/templates/base.yml.j2
@@ -1,11 +1,13 @@
 {# Base for docker services #}

-    restart: {{ DOCKER_RESTART_POLICY }}
+    restart: {{ docker_restart_policy | default(DOCKER_RESTART_POLICY) }}
 {% if application_id | has_env  %}
    env_file:
      - "{{ docker_compose.files.env }}"
 {% endif %}
    logging:
      driver: journald
-
+{% filter indent(4) %}
+    {% include 'roles/docker-container/templates/resource.yml.j2' %}
+{% endfilter %}
 {{ "\n" }}
--- a/roles/docker-container/templates/build.yml.j2
+++ b/roles/docker-container/templates/build.yml.j2
@@ -0,0 +1,6 @@
+{# integrate it into service sections to be build by Dockerfile #}
+pull_policy: never
+build:
+  context: .
+  dockerfile: Dockerfile
+{# pass Arguments here #}
--- a/roles/docker-container/templates/healthcheck/curl.yml.j2
+++ b/roles/docker-container/templates/healthcheck/curl.yml.j2
@@ -3,6 +3,10 @@
        - "CMD"
        - "curl"
        - "-f"
+{% if container_hostname is defined %}
+        - "-H"
+        - "Host: {{ container_hostname }}"
+{% endif %}
        - "http://127.0.0.1{{ (":" ~ container_port) if container_port is defined else '' }}/{{ container_healthcheck | default('') }}"
      interval: 1m
      timeout: 10s
--- a/roles/docker-container/templates/healthcheck/nc.yml.j2
+++ b/roles/docker-container/templates/healthcheck/nc.yml.j2
@@ -0,0 +1,7 @@
+    healthcheck:
+      test: ["CMD-SHELL", "nc -z localhost {{ container_port }} || exit 1"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+      start_period: 10s
+{{ "\n" }}
--- a/roles/docker-container/templates/networks.yml.j2
+++ b/roles/docker-container/templates/networks.yml.j2
@@ -1,15 +1,25 @@
 {# This template needs to be included in docker-compose.yml containers #}
    networks:
+{# Central RDMS-Database Network #}
 {% if 
  (applications | get_app_conf(application_id, 'features.central_database', False) and database_type is defined) or
  application_id in ['svc-db-mariadb','svc-db-postgres']
 %}
      {{ applications | get_app_conf('svc-db-' ~ database_type, 'docker.network') }}:
+{% if application_id in ['svc-db-mariadb','svc-db-postgres'] %}
+          aliases:
+            - {{ database_type }}
 {% endif %}
+{% endif %}
+{# Central LDAP Network #}
 {% if applications | get_app_conf(application_id, 'features.ldap', False) and applications | get_app_conf('svc-db-openldap', 'network.docker') %}
      {{ applications | get_app_conf('svc-db-openldap', 'docker.network') }}:
 {% endif %}
-{% if application_id != 'svc-db-openldap' %}
+{# Central AI Network #}
+{% if applications | get_app_conf(application_id, 'features.local_ai', False) %}
+      {{ applications | get_app_conf('svc-ai-ollama', 'docker.network') }}:
+{% endif %}
+{% if not application_id.startswith('svc-db-') and not application_id.startswith('svc-ai-') %}
      default:
 {% endif %}
 {{ "\n" }}
--- a/roles/docker-container/templates/resource.yml.j2
+++ b/roles/docker-container/templates/resource.yml.j2
@@ -0,0 +1,4 @@
+cpus:               {{ applications | resource_filter(application_id, 'cpus',            service_name | default(''), RESOURCE_CPUS) }}
+mem_reservation:    {{ applications | resource_filter(application_id, 'mem_reservation', service_name | default(''), RESOURCE_MEM_RESERVATION) }}
+mem_limit:          {{ applications | resource_filter(application_id, 'mem_limit',       service_name | default(''), RESOURCE_MEM_LIMIT) }}
+pids_limit:         {{ applications | resource_filter(application_id, 'pids_limit',      service_name | default(''), RESOURCE_PIDS_LIMIT) }}
--- a/roles/pkgmgr-install/tasks/main.yml
+++ b/roles/pkgmgr-install/tasks/main.yml
@@ -4,7 +4,7 @@
      run_once_pkgmgr_install: true
  when: run_once_pkgmgr_install is not defined

- name: update {{ package_name }}
+- name: "update {{ package_name }}"
  ansible.builtin.shell: |
    source ~/.venvs/pkgmgr/bin/activate
    pkgmgr update {{ package_name }} --dependencies --clone-mode https
--- a/roles/pkgmgr/tasks/01_core.yml
+++ b/roles/pkgmgr/tasks/01_core.yml
@@ -43,3 +43,7 @@
    chdir: "{{ PKGMGR_INSTALL_PATH }}"
    executable: /bin/bash
  become: true
+
+- name: "Update all repositories with pkgmgr"
+  command: "pkgmgr pull --all"
+  when: MODE_UPDATE | bool
--- a/roles/srv-composer/tasks/main.yml
+++ b/roles/srv-composer/tasks/main.yml
@@ -1,9 +0,0 @@
-# run_once_srv_composer: deactivated
-
- name: "include role sys-srv-web-inj-compose for '{{ domain }}'"
-  include_role: 
-    name: sys-srv-web-inj-compose
-
- name: "include role sys-svc-certs for '{{ domain }}'"
-  include_role: 
-    name: sys-svc-certs
--- a/roles/srv-core/tasks/main.yml
+++ b/roles/srv-core/tasks/main.yml
@@ -1,5 +0,0 @@
---
- block:
-  - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
-  when: run_once_srv_core is not defined
--- a/roles/srv-letsencrypt/tasks/01_core.yml
+++ b/roles/srv-letsencrypt/tasks/01_core.yml
@@ -1,14 +0,0 @@
-  - name: Include dependency 'sys-ctl-mtn-cert-renew'
-    include_role:
-      name: sys-ctl-mtn-cert-renew
-    when: run_once_sys_ctl_mtn_cert_renew is not defined
-
-  - name: create nginx letsencrypt config file
-    template:
-      src: "letsencrypt.conf.j2"
-      dest: "{{NGINX.DIRECTORIES.HTTP.GLOBAL}}letsencrypt.conf"
-    notify: restart openresty
-
-  - name: "Set CAA records for all base domains"
-    include_tasks: 01_set-caa-records.yml
-    when: DNS_PROVIDER == 'cloudflare'
--- a/roles/srv-letsencrypt/tasks/main.yml
+++ b/roles/srv-letsencrypt/tasks/main.yml
@@ -1,4 +0,0 @@
- block:
-  - include_tasks: 01_core.yml
-  - include_tasks: utils/run_once.yml
-  when: run_once_srv_letsencrypt is not defined
--- a/roles/srv-letsencrypt/vars/main.yml
+++ b/roles/srv-letsencrypt/vars/main.yml
@@ -1,4 +0,0 @@
-caa_entries:
- tag: issue
-  value: letsencrypt.org
-base_sld_domains: '{{ CURRENT_PLAY_DOMAINS_ALL | generate_base_sld_domains }}'
--- a/roles/srv-proxy-core/tasks/main.yml
+++ b/roles/srv-proxy-core/tasks/main.yml
@@ -1,9 +0,0 @@
- block:
-  - name: Include dependencies
-    include_role:
-      name: '{{ item }}'
-    loop:
-    - sys-stk-front-pure
-    - srv-core
-  - include_tasks: utils/run_once.yml
-  when: run_once_srv_proxy_core is not defined
--- a/roles/srv-proxy-core/templates/location/ws.conf.j2
+++ b/roles/srv-proxy-core/templates/location/ws.conf.j2
@@ -1,14 +0,0 @@
-location {{ location_ws }} {
-  proxy_set_header Host              $host;
-  proxy_set_header X-Real-IP         $remote_addr;
-  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto $scheme;
-  proxy_pass                         http://127.0.0.1:{{ ws_port }};
-  
-  # Proxy buffering needs to be disabled for websockets. 
-  proxy_buffering      off;
-  proxy_http_version   1.1;
-  proxy_set_header     Upgrade        $http_upgrade;
-  proxy_set_header     Connection     $connection_upgrade;
-  tcp_nodelay          on;
-}
--- a/roles/svc-ai-ollama/README.md
+++ b/roles/svc-ai-ollama/README.md
@@ -0,0 +1,23 @@
+
+# Ollama
+
+## Description
+
+**Ollama** is a local model server that runs open LLMs on your hardware and exposes a simple HTTP API. It’s the backbone for privacy-first AI: prompts and data stay on your machines.
+
+## Overview
+
+After the first model pull, Ollama serves models to clients like Open WebUI (for chat) and Flowise (for workflows). Models are cached locally for quick reuse and can run fully offline when required.
+
+## Features
+
+* Run popular open models (chat, code, embeddings) locally
+* Simple, predictable HTTP API for developers
+* Local caching to avoid repeated downloads
+* Works seamlessly with Open WebUI and Flowise
+* Offline-capable for air-gapped deployments
+
+## Further Resources
+
+* Ollama — [https://ollama.com](https://ollama.com)
+* Ollama Model Library — [https://ollama.com/library](https://ollama.com/library)
--- a/roles/svc-ai-ollama/config/main.yml
+++ b/roles/svc-ai-ollama/config/main.yml
@@ -0,0 +1,22 @@
+features: 
+  local_ai: true # Needs to be set so that network is loaded
+docker:
+  services:
+    ollama:
+      backup:
+        no_stop_required: true
+      image:              ollama/ollama
+      version:            latest
+      name:               ollama
+      port:               11434
+      cpus:               "4.0"
+      mem_reservation:    "6g"
+      mem_limit:          "8g"
+      pids_limit:         2048
+  volumes:
+    models:     "ollama_models"
+  network:      "ollama"
+preload_models:
+  - "llama3:latest"
+  - "mistral:latest"
+  - "nomic-embed-text:latest"
--- a/roles/svc-ai-ollama/meta/main.yml
+++ b/roles/svc-ai-ollama/meta/main.yml
@@ -0,0 +1,25 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Installs Ollama — a local model server for running open LLMs with a simple HTTP API."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: | 
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+    - ai
+    - llm
+    - inference
+    - offline
+    - privacy
+    - self-hosted
+    - ollama
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/"
+  logo:
+    class: "fa-solid fa-microchip"
+  run_after: [] 
+dependencies: []
--- a/roles/svc-ai-ollama/tasks/01_core.yml
+++ b/roles/svc-ai-ollama/tasks/01_core.yml
@@ -0,0 +1,38 @@
+- name: create docker network for Ollama, so that other applications can access it
+  community.docker.docker_network:
+    name: "{{ OLLAMA_NETWORK }}"
+    state: present
+    ipam_config:
+      - subnet: "{{ networks.local[application_id].subnet }}"
+
+- name: Include dependency 'sys-svc-docker'
+  include_role:
+    name: sys-svc-docker
+  when: run_once_sys_svc_docker is not defined
+
+- name: "include docker-compose role"
+  include_role:
+    name: docker-compose
+  vars:
+    docker_compose_flush_handlers: true
+
+- name: Pre-pull Ollama models
+  vars:
+    _cmd: "docker exec -i {{ OLLAMA_CONTAINER }} ollama pull {{ model }}"
+  shell: "{{ _cmd }}"
+  register: pull_result
+  loop: "{{ OLLAMA_PRELOAD_MODELS }}"
+  loop_control:
+    loop_var: model
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  changed_when: >
+    (not (ASYNC_ENABLED | bool)) and (
+      'downloaded' in (pull_result.stdout | default('')) or
+      'pulling manifest' in (pull_result.stdout | default(''))
+    )
+  failed_when: >
+    (pull_result.rc | default(0)) != 0 and
+    ('up to date' not in (pull_result.stdout | default('')))
+
+- include_tasks: utils/run_once.yml
--- a/roles/svc-ai-ollama/tasks/main.yml
+++ b/roles/svc-ai-ollama/tasks/main.yml
@@ -0,0 +1,5 @@
+- block:
+  - include_tasks: 01_core.yml
+    vars:
+      flush_handlers: true
+  when: run_once_svc_ai_ollama is not defined
--- a/roles/svc-ai-ollama/templates/docker-compose.yml.j2
+++ b/roles/svc-ai-ollama/templates/docker-compose.yml.j2
@@ -0,0 +1,17 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  ollama:
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+    image: {{ OLLAMA_IMAGE }}:{{ OLLAMA_VERSION }}
+    container_name: {{ OLLAMA_CONTAINER }}
+    expose:
+      - "{{ OLLAMA_PORT }}"
+    volumes:
+      - ollama_models:/root/.ollama
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+  
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  ollama_models:
+    name: {{ OLLAMA_VOLUME }}
--- a/roles/svc-ai-ollama/vars/main.yml
+++ b/roles/svc-ai-ollama/vars/main.yml
@@ -0,0 +1,16 @@
+# General
+application_id:                 "svc-ai-ollama"
+
+# Docker
+docker_compose_flush_handlers:  true
+
+# Ollama
+# https://ollama.com/
+OLLAMA_VERSION:                 "{{ applications | get_app_conf(application_id, 'docker.services.ollama.version') }}"
+OLLAMA_IMAGE:                   "{{ applications | get_app_conf(application_id, 'docker.services.ollama.image') }}"
+OLLAMA_CONTAINER:               "{{ applications | get_app_conf(application_id, 'docker.services.ollama.name') }}"
+OLLAMA_PORT:                    "{{ applications | get_app_conf(application_id, 'docker.services.ollama.port') }}"
+OLLAMA_VOLUME:                  "{{ applications | get_app_conf(application_id, 'docker.volumes.models') }}"
+OLLAMA_NETWORK:                 "{{ applications | get_app_conf(application_id, 'docker.network') }}"
+OLLAMA_PRELOAD_MODELS:          "{{ applications | get_app_conf(application_id, 'preload_models') }}"
+
--- a/roles/svc-bkp-loc-2-usb/handlers/main.yml
+++ b/roles/svc-bkp-loc-2-usb/handlers/main.yml
@@ -1,6 +0,0 @@
-
- name: "reload svc-bkp-loc-2-usb service"
-  systemd:
-    name: "{{ 'svc-bkp-loc-2-usb' | get_service_name(SOFTWARE_NAME) }}"
-    state: reloaded
-    daemon_reload: yes
--- a/roles/svc-db-mariadb/config/main.yml
+++ b/roles/svc-db-mariadb/config/main.yml
@@ -1,11 +1,16 @@
 docker:
  services:
    mariadb:
-      version:          "latest"
-      image:            "mariadb"
-      name:             "mariadb"
+      version:            "latest"
+      image:              "mariadb"
+      name:               "mariadb"
      backup:
        database_routine: true
+      # Performance Variables aren't used yet, but will be in the future as soon as an docker file is implemented
+      cpus:               "2.0"
+      mem_reservation:    "2g"
+      mem_limit:          "4g"
+      pids_limit:         1024
  network:              "mariadb"
  volumes:
    data:               "mariadb_data"
--- a/roles/svc-db-openldap/config/main.yml
+++ b/roles/svc-db-openldap/config/main.yml
@@ -5,7 +5,7 @@ network:
 docker: 
  services:
    openldap:     
-      image:      "bitnami/openldap"
+      image:      "bitnamilegacy/openldap"
      name:       "openldap"
      version:    "latest"
  network:        "openldap"
--- a/roles/svc-db-openldap/filter_plugins/build_ldap_nested_group_entries.py
+++ b/roles/svc-db-openldap/filter_plugins/build_ldap_nested_group_entries.py
@@ -1,77 +0,0 @@
-def build_ldap_nested_group_entries(applications, users, ldap):
-    """
-    Builds structured LDAP role entries using the global `ldap` configuration.
-    Supports objectClasses: posixGroup (adds gidNumber, memberUid), groupOfNames (adds member).
-    Now nests roles under an application-level OU: application-id/role.
-    """
-
-    result = {}
-
-    # Base DN components
-    role_dn_base = ldap["DN"]["OU"]["ROLES"]
-    user_dn_base = ldap["DN"]["OU"]["USERS"]
-    ldap_user_attr = ldap["USER"]["ATTRIBUTES"]["ID"]
-
-    # Supported objectClass flavors
-    flavors = ldap.get("RBAC").get("FLAVORS")
-
-    for application_id, app_config in applications.items():
-        # Compute the DN for the application-level OU
-        app_ou_dn = f"ou={application_id},{role_dn_base}"
-
-        ou_entry = {
-            "dn": app_ou_dn,
-            "objectClass": ["top", "organizationalUnit"],
-            "ou": application_id,
-            "description": f"Roles for application {application_id}" 
-        }
-        result[app_ou_dn] = ou_entry
-
-        # Standard roles with an extra 'administrator'
-        base_roles = app_config.get("rbac", {}).get("roles", {})
-        roles = {
-            **base_roles,
-            "administrator": {
-                "description": "Has full administrative access: manage themes, plugins, settings, and users"
-            }
-        }
-
-        group_id = app_config.get("group_id")
-
-        for role_name, role_conf in roles.items():
-            # Build CN under the application OU
-            cn = role_name
-            dn = f"cn={cn},{app_ou_dn}"
-
-            entry = {
-                "dn": dn,
-                "cn": cn,
-                "description": role_conf.get("description", ""),
-                "objectClass": ["top"] + flavors,
-            }
-
-            member_dns = []
-            member_uids = []
-            for username, user_conf in users.items():
-                if role_name in user_conf.get("roles", []):
-                    member_dns.append(f"{ldap_user_attr}={username},{user_dn_base}")
-                    member_uids.append(username)
-
-            if "posixGroup" in flavors:
-                entry["gidNumber"] = group_id
-                if member_uids:
-                    entry["memberUid"] = member_uids
-
-            if "groupOfNames" in flavors and member_dns:
-                entry["member"] = member_dns
-
-            result[dn] = entry
-
-    return result
-
-
-class FilterModule(object):
-    def filters(self):
-        return {
-            "build_ldap_nested_group_entries": build_ldap_nested_group_entries
-        }
--- a/roles/svc-db-openldap/handlers/main.yml
+++ b/roles/svc-db-openldap/handlers/main.yml
@@ -1,42 +1,28 @@
 - name: Load memberof module from file in OpenLDAP container
  shell: >
-    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ openldap_ldif_docker_path }}configuration/01_member_of_configuration.ldif
-  listen: 
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// -f "{{ [OPENLDAP_LDIF_PATH_DOCKER, 'configuration/01_member_of_configuration.ldif' ] | path_join }}"
+  listen:
    - "Import configuration LDIF files"
-    - "Import all LDIF files"
  # @todo Remove the following ignore errors when setting up a new server
  # Just here because debugging would take to much time
  ignore_errors: true

 - name: Refint Module Activation for OpenLDAP
  shell: >
-    docker exec -i {{ openldap_name }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ openldap_ldif_docker_path }}configuration/02_member_of_configuration.ldif
-  listen: 
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ [ OPENLDAP_LDIF_PATH_DOCKER, 'configuration/02_member_of_configuration.ldif' ] | path_join }}"
+  listen:
    - "Import configuration LDIF files"
-    - "Import all LDIF files"
  register: ldapadd_result
  failed_when: ldapadd_result.rc not in [0, 68]
  # @todo Remove the following ignore errors when setting up a new server
  # Just here because debugging would take to much time
  ignore_errors: true

- name: "Import schemas"
-  shell: >
-    docker exec -i {{ openldap_name }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ openldap_ldif_docker_path }}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
-  register: ldapadd_result
-  changed_when: "'adding new entry' in ldapadd_result.stdout"
-  failed_when: ldapadd_result.rc not in [0, 80]
-  listen:
-    - "Import schema LDIF files"
-    - "Import all LDIF files"
-  loop: "{{ lookup('fileglob', role_path ~ '/templates/ldif/schema/*.j2', wantlist=True) }}"
-
 - name: Refint Overlay Configuration for OpenLDAP
  shell: >
-    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ openldap_ldif_docker_path }}configuration/03_member_of_configuration.ldif
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// -f "{{ [ OPENLDAP_LDIF_PATH_DOCKER, 'configuration/03_member_of_configuration.ldif' ] | path_join }}"
  listen:
    - "Import configuration LDIF files"
-    - "Import all LDIF files"
  register: ldapadd_result
  failed_when: ldapadd_result.rc not in [0, 68]
  # @todo Remove the following ignore errors when setting up a new server
@@ -45,11 +31,10 @@

 - name: "Import users, groups, etc. to LDAP"
  shell: >
-    docker exec -i {{ openldap_name }} ldapadd -x -D "{{LDAP.DN.ADMINISTRATOR.DATA}}" -w "{{ LDAP.BIND_CREDENTIAL }}" -c -f "{{ openldap_ldif_docker_path }}groups/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapadd -x -D "{{ LDAP.DN.ADMINISTRATOR.DATA }}" -w "{{ LDAP.BIND_CREDENTIAL }}" -c -f "{{ [ OPENLDAP_LDIF_PATH_DOCKER, 'groups', (item | basename | regex_replace('\.j2$', '')) ] | path_join }}"
  register: ldapadd_result
  changed_when: "'adding new entry' in ldapadd_result.stdout"
  failed_when: ldapadd_result.rc not in [0, 20, 68, 65]
  listen:
    - "Import groups LDIF files"
-    - "Import all LDIF files"
-  loop: "{{ query('fileglob', role_path ~ '/templates/ldif/groups/*.j2') | sort }}"
+  loop: "{{ query('fileglob', role_path ~ '/templates/ldif/groups/*.j2') | sort }}"
--- a/roles/svc-db-openldap/tasks/01_credentials.yml
+++ b/roles/svc-db-openldap/tasks/01_credentials.yml
@@ -3,7 +3,7 @@

 - name: "Query available LDAP databases"
  shell: |
-    docker exec {{ openldap_name }} \
+    docker exec {{ OPENLDAP_CONTAINER }} \
      ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "(olcDatabase=*)" dn
  register: ldap_databases

@@ -27,13 +27,13 @@

 - name: "Generate hash for Database Admin password"
  shell: |
-    docker exec {{ openldap_name }} \
+    docker exec {{ OPENLDAP_CONTAINER }} \
      slappasswd -s "{{ LDAP.BIND_CREDENTIAL }}"
  register: database_admin_pw_hash

 - name: "Reset Database Admin password in LDAP (olcRootPW)"
  shell: |
-    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
    dn: {{ data_backend_dn }}
    changetype: modify
    replace: olcRootPW
@@ -42,13 +42,13 @@

 - name: "Generate hash for Configuration Admin password"
  shell: |
-    docker exec {{ openldap_name }} \
+    docker exec {{ OPENLDAP_CONTAINER }} \
      slappasswd -s "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
  register: config_admin_pw_hash

 - name: "Reset Configuration Admin password in LDAP (olcRootPW)"
  shell: |
-    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
    dn: {{ config_backend_dn }}
    changetype: modify
    replace: olcRootPW
--- a/roles/svc-db-openldap/tasks/03_users.yml
+++ b/roles/svc-db-openldap/tasks/03_users.yml
@@ -4,7 +4,7 @@
 - name: Ensure LDAP users exist
  community.general.ldap_entry:
    dn:           "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
-    server_uri:   "{{ openldap_server_uri }}"
+    server_uri:   "{{ OPENLDAP_SERVER_URI }}"
    bind_dn:      "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
    bind_pw:      "{{ LDAP.BIND_CREDENTIAL }}"
    objectClass:  "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
@@ -30,7 +30,7 @@
 - name: Ensure required objectClass values and mail address are present
  community.general.ldap_attrs:
    dn: "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
-    server_uri: "{{ openldap_server_uri }}"
+    server_uri: "{{ OPENLDAP_SERVER_URI }}"
    bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
    bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
    attributes:
@@ -46,7 +46,7 @@
 - name: "Ensure container for application roles exists"
  community.general.ldap_entry:
    dn: "{{ LDAP.DN.OU.ROLES }}"
-    server_uri: "{{ openldap_server_uri }}"
+    server_uri: "{{ OPENLDAP_SERVER_URI }}"
    bind_dn:  "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
    bind_pw:  "{{ LDAP.BIND_CREDENTIAL }}"
    objectClass: organizationalUnit
--- a/roles/svc-db-openldap/tasks/04_update.yml
+++ b/roles/svc-db-openldap/tasks/04_update.yml
@@ -1,6 +1,6 @@
 - name: Gather all users with their current objectClass list
  community.general.ldap_search:
-    server_uri: "{{ openldap_server_uri }}"
+    server_uri: "{{ OPENLDAP_SERVER_URI }}"
    bind_dn:    "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
    bind_pw:    "{{ LDAP.BIND_CREDENTIAL }}"
    dn:         "{{ LDAP.DN.OU.USERS }}"
@@ -14,16 +14,16 @@

 - name: Add only missing auxiliary classes
  community.general.ldap_attrs:
-    server_uri: "{{ openldap_server_uri }}"
+    server_uri: "{{ OPENLDAP_SERVER_URI }}"
    bind_dn:    "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
    bind_pw:    "{{ LDAP.BIND_CREDENTIAL }}"
    dn:         "{{ item.dn }}"
    attributes:
      objectClass: "{{ missing_auxiliary }}"
    state: present
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  loop: "{{ ldap_users_with_classes.results }}"
+  async:  "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:   "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  loop:   "{{ ldap_users_with_classes.results }}"
  loop_control:
    label: "{{ item.dn }}"
  vars:
--- a/roles/svc-db-openldap/tasks/_ldifs_creation.yml
+++ b/roles/svc-db-openldap/tasks/_ldifs_creation.yml
@@ -1,7 +1,7 @@
- name: "Create LDIF files at {{ openldap_ldif_host_path }}{{ folder }}"
+- name: "Create LDIF files at {{ OPENLDAP_LDIF_PATH_HOST }}{{ folder }}"
  template:
    src: "{{ item }}"
-    dest: "{{ openldap_ldif_host_path }}{{ folder }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
+    dest: "{{ OPENLDAP_LDIF_PATH_HOST }}{{ folder }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
    mode: "0770"
  loop: >-
    {{
--- a/roles/svc-db-openldap/tasks/main.yml
+++ b/roles/svc-db-openldap/tasks/main.yml
@@ -1,25 +1,25 @@
 ---

 - name: "include docker-compose role"
-  include_role: 
+  include_role:
    name: docker-compose

 - name: Create {{ domains | get_domain(application_id) }}.conf if LDAP is exposed to internet
-  template: 
+  template:
    src:  "nginx.stream.conf.j2" 
    dest: "{{ NGINX.DIRECTORIES.STREAMS }}{{ domains | get_domain(application_id) }}.conf"
  notify: restart openresty
-  when: applications | get_app_conf(application_id, 'network.public', True) | bool
+  when: OPENLDAP_NETWORK_SWITCH_PUBLIC | bool

 - name: Remove {{ domains | get_domain(application_id) }}.conf if LDAP is not exposed to internet
  file:
    path: "{{ NGINX.DIRECTORIES.STREAMS }}{{ domains | get_domain(application_id) }}.conf"
    state: absent
-  when: not applications | get_app_conf(application_id, 'network.public', True) | bool
+  when: not OPENLDAP_NETWORK_SWITCH_PUBLIC | bool

 - name: create docker network for LDAP, so that other applications can access it
  community.docker.docker_network:
-    name: "{{ openldap_network }}"
+    name: "{{ OPENLDAP_NETWORK }}"
    state: present
    ipam_config:
      - subnet: "{{ networks.local[application_id].subnet }}"
@@ -37,23 +37,23 @@
 - name: "Reset LDAP Credentials"
  include_tasks: 01_credentials.yml
  when:
-    - applications | get_app_conf(application_id, 'network.local', True)
-    - applications | get_app_conf(application_id, 'provisioning.credentials', True)
+    - OPENLDAP_NETWORK_SWITCH_LOCAL | bool
+    - applications | get_app_conf(application_id, 'provisioning.credentials')

- name: "create directory {{openldap_ldif_host_path}}{{item}}"
+- name: "create directory {{ OPENLDAP_LDIF_PATH_HOST }}{{ item }}"
  file:
-    path: "{{openldap_ldif_host_path}}{{item}}"
+    path: "{{ OPENLDAP_LDIF_PATH_HOST }}{{ item }}"
    state: directory
    mode: "0755"
-  loop: "{{openldap_ldif_types}}"
+  loop: "{{ OPENLDAP_LDIF_TYPES }}"

 - name: "Import LDIF Configuration"
-  include_tasks: ldifs_creation.yml
+  include_tasks: _ldifs_creation.yml
  loop:
    - configuration
  loop_control:
    loop_var: folder
-  when: applications | get_app_conf(application_id, 'provisioning.configuration', True)
+  when: applications | get_app_conf(application_id, 'provisioning.configuration')

 - name: flush LDIF handlers
  meta: flush_handlers
@@ -66,20 +66,22 @@

 - name: "Include Schemas (if enabled)"
  include_tasks: 02_schemas.yml
-  when: applications | get_app_conf(application_id, 'provisioning.schemas', True)
+  when: applications | get_app_conf(application_id, 'provisioning.schemas')

 - name: "Import LDAP Entries (if enabled)"
  include_tasks: 03_users.yml
-  when: applications | get_app_conf(application_id, 'provisioning.users', True)
+  when: applications | get_app_conf(application_id, 'provisioning.users')

 - name: "Import LDIF Data (if enabled)"
-  include_tasks: ldifs_creation.yml
+  include_tasks: _ldifs_creation.yml
  loop:
    - groups
  loop_control:
    loop_var: folder
-  when: applications | get_app_conf(application_id, 'provisioning.groups', True)
+  when: applications | get_app_conf(application_id, 'provisioning.groups')
+
+- meta: flush_handlers

 - name: "Add Objects to all users"
  include_tasks: 04_update.yml
-  when: applications | get_app_conf(application_id, 'provisioning.update', True)
+  when: applications | get_app_conf(application_id, 'provisioning.update')
--- a/roles/svc-db-openldap/tasks/schemas/nextcloud.yml
+++ b/roles/svc-db-openldap/tasks/schemas/nextcloud.yml
@@ -13,9 +13,9 @@
      - "( 1.3.6.1.4.1.99999.2 NAME '{{ LDAP.USER.OBJECTS.AUXILIARY.NEXTCLOUD_USER }}' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( {{ LDAP.USER.ATTRIBUTES.NEXTCLOUD_QUOTA }} ) )"
  command: >
    ldapsm
-      -s {{ openldap_server_uri }}
-      -D '{{ openldap_bind_dn }}'
-      -W '{{ openldap_bind_pw }}'
+      -s {{ OPENLDAP_SERVER_URI }}
+      -D '{{ OPENLDAP_BIND_DN }}'
+      -W '{{ OPENLDAP_BIND_PW }}'
      -n {{ schema_name }}
      {% for at in attribute_defs %}
      -a "{{ at }}"
--- a/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml
+++ b/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml
@@ -21,9 +21,9 @@

  command: >
    ldapsm
-      -s {{ openldap_server_uri }}
-      -D '{{ openldap_bind_dn }}'
-      -W '{{ openldap_bind_pw }}'
+      -s {{ OPENLDAP_SERVER_URI }}
+      -D '{{ OPENLDAP_BIND_DN }}'
+      -W '{{ OPENLDAP_BIND_PW }}'
      -n {{ schema_name }}
      {% for at in attribute_defs %}
      -a "{{ at }}"
--- a/roles/svc-db-openldap/templates/docker-compose.yml.j2
+++ b/roles/svc-db-openldap/templates/docker-compose.yml.j2
@@ -1,20 +1,20 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}

  application:
-    image: "{{ openldap_image }}:{{ openldap_version }}"
-    container_name: "{{ openldap_name }}"
+    image: "{{ OPENLDAP_IMAGE }}:{{ OPENLDAP_VERSION }}"
+    container_name: "{{ OPENLDAP_CONTAINER }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% if openldap_network_expose_local %}
+{% if OPENLDAP_NETWORK_EXPOSE_LOCAL | bool %}
    ports:
-      - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{openldap_docker_port_open}}
+      - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{ OPENLDAP_DOCKER_PORT_OPEN }}
 {% endif %}
    volumes:
      - 'data:/bitnami/openldap'
-      - '{{openldap_ldif_host_path}}:{{ openldap_ldif_docker_path }}:ro'
+      - '{{ OPENLDAP_LDIF_PATH_HOST }}:{{ OPENLDAP_LDIF_PATH_DOCKER }}:ro'
    healthcheck:
      test: >
        bash -c '
-        ldapsearch -x -H ldap://localhost:{{ openldap_docker_port_open }} \
+        ldapsearch -x -H ldap://localhost:{{ OPENLDAP_DOCKER_PORT_OPEN }} \
          -D "{{ LDAP.DN.ADMINISTRATOR.DATA }}" -w "{{ LDAP.BIND_CREDENTIAL }}" -b "{{ LDAP.DN.ROOT }}" > /dev/null \
        && ldapsearch -Y EXTERNAL -H ldapi:/// \
          -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
@@ -24,6 +24,6 @@

 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
  data:
-    name: "{{ openldap_volume }}"
+    name: "{{ OPENLDAP_VOLUME }}"

 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/svc-db-openldap/templates/env.j2
+++ b/roles/svc-db-openldap/templates/env.j2
@@ -3,24 +3,24 @@
      
 # GENERAL
 ## Admin (Data)
-LDAP_ADMIN_USERNAME=        {{ applications | get_app_conf(application_id, 'users.administrator.username') }} # LDAP database admin user.
-LDAP_ADMIN_PASSWORD=        {{ LDAP.BIND_CREDENTIAL }}                                      # LDAP database admin password.
+LDAP_ADMIN_USERNAME=        {{ applications | get_app_conf(application_id, 'users.administrator.username') }}   # LDAP database admin user.
+LDAP_ADMIN_PASSWORD=        {{ LDAP.BIND_CREDENTIAL }}                                                          # LDAP database admin password.

 ## Users
-LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
-LDAP_PASSWORDS=             ' '                             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
-LDAP_ROOT=                  {{ LDAP.DN.ROOT }}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+LDAP_USERS=                 ' '                                 # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
+LDAP_PASSWORDS=             ' '                                 # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
+LDAP_ROOT=                  {{ LDAP.DN.ROOT }}                  # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org

 ## Admin (Config)
-LDAP_ADMIN_DN=              {{LDAP.DN.ADMINISTRATOR.DATA}}
+LDAP_ADMIN_DN=              {{ LDAP.DN.ADMINISTRATOR.DATA }}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{ applications | get_app_conf(application_id, 'users.administrator.username') }}
 LDAP_CONFIG_ADMIN_PASSWORD= {{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}
  
 # Network
-LDAP_PORT_NUMBER=           {{openldap_docker_port_open}}            # Route to default port
-LDAP_ENABLE_TLS=            no                              # Using nginx proxy for tls
-LDAP_LDAPS_PORT_NUMBER=     {{openldap_docker_port_secure}}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
+LDAP_PORT_NUMBER=           {{ OPENLDAP_DOCKER_PORT_OPEN }}             # Route to default port
+LDAP_ENABLE_TLS=            no                                          # Using nginx proxy for tls
+LDAP_LDAPS_PORT_NUMBER=     {{ OPENLDAP_DOCKER_PORT_SECURE }}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).

 # Security
-LDAP_ALLOW_ANON_BINDING=    no                              # Allow anonymous bindings to the LDAP server. Default: yes.
+LDAP_ALLOW_ANON_BINDING=    no                                          # Allow anonymous bindings to the LDAP server. Default: yes.
--- a/roles/svc-db-openldap/templates/ldif/groups/01_rbac_group.ldif.j2
+++ b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_group.ldif.j2
@@ -1,30 +0,0 @@
-{# 
-@todo: activate
-{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
-
-dn: {{ dn }}
-{% for oc in entry.objectClass %}
-objectClass: {{ oc }}
-{% endfor %}
-{% if entry.ou is defined %}
-ou: {{ entry.ou }}
-{% else %}
-cn: {{ entry.cn }}
-{% endif %}
-{% if entry.gidNumber is defined %}
-gidNumber: {{ entry.gidNumber }}
-{% endif %}
-description: {{ entry.description }}
-{% if entry.memberUid is defined %}
-{% for uid in entry.memberUid %}
-memberUid: {{ uid }}
-{% endfor %}
-{% endif %}
-{% if entry.member is defined %}
-{% for m in entry.member %}
-member: {{ m }}
-{% endfor %}
-{% endif %}
-
-{% endfor %}
-#}
--- a/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
+++ b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
@@ -1,4 +1,4 @@
-{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
+{% for dn, entry in (applications | build_ldap_role_entries(users, LDAP)).items() %}

 dn: {{ dn }}
 {% for oc in entry.objectClass %}
--- a/roles/svc-db-openldap/templates/nginx.stream.conf.j2
+++ b/roles/svc-db-openldap/templates/nginx.stream.conf.j2
@@ -2,5 +2,5 @@ server {
    listen {{ ports.public.ldaps['svc-db-openldap'] }}ssl;
    proxy_pass 127.0.0.1:{{ ports.localhost.ldap['svc-db-openldap'] }};
    
-    {% include 'roles/srv-letsencrypt/templates/ssl_credentials.j2' %}
+    {% include 'roles/sys-svc-letsencrypt/templates/ssl_credentials.j2' %}
 }
--- a/Show More
+++ b/Show More