Solved Matomo domain bug and refactored

Optimized iam and realm
Solved variable bug and updated README.md of docker
2025-04-28 10:26:54 +02:00 · 2025-02-19 02:00:41 +01:00 · 2025-02-18 21:54:40 +01:00 · 2025-02-18 21:16:27 +01:00 · 2025-02-18 21:00:14 +01:00
107 changed files with 421 additions and 346 deletions
--- a/README.md
+++ b/README.md
@ -73,7 +73,7 @@ Contact me for more details:
 ## Showcases
 The following list showcases the extensive range of solutions that CyMaIS incorporates, each playing a vital role in providing a comprehensive, efficient, and secure IT infrastructure setup:

-[ELK Stack](./roles/docker-elk), [Intel Driver](./roles/driver-intel), [Nginx Docker Reverse Proxy](./roles/nginx-docker-reverse-proxy), [Sudo](./roles/sudo), [Funkwhale](./roles/docker-funkwhale), [MSI Keyboard Color Driver](./roles/driver-msi-keyboard-color), [Nginx Domain Redirect](./roles/nginx-domain-redirect), [GnuCash](./roles/pc-gnucash), [Backup Data to USB](./roles/backup-data-to-usb), [Gitea](./roles/docker-gitea), [Non-Free Driver](./roles/driver-non-free), [Nginx Homepage](./roles/nginx-static-repository), [Jrnl](./roles/pc-jrnl), [Systemd Notifier](./roles/systemd-notifier), [Backup Docker to Local](./roles/backup-docker-to-local), [Jenkins](./roles/docker-jenkins), [Git](./roles/git), [Nginx HTTPS](./roles/nginx-https), [Latex](./roles/pc-latex), [Email Notifier](./roles/systemd-notifier-email), [Remote to Local Backup Solution](./roles/backup-remote-to-local), [Joomla](./roles/docker-joomla), [Heal Defect Docker Installations](./roles/heal-docker), [Nginx Matomo Tracking](./roles/nginx-global-matomo), [LibreOffice](./roles/pc-libreoffice), [Telegram Notifier](./roles/systemd-notifier-telegram), [Listmonk](./roles/docker-listmonk), [Btrfs Health Check](./roles/health-btrfs), [Nginx WWW Redirect](./roles/nginx-global-www), [Network Analyze Tools](./roles/pc-network-analyze-tools), [System Security](./roles/system-security), [Mailu](./roles/docker-mailu), [Disc Space Health Check](./roles/health-disc-space), [Administrator Tools](./roles/pc-administrator-tools), [Nextcloud Client](./roles/pc-nextcloud), [Swapfile Setup](./roles/system-swapfile), [Backups Cleanup](./roles/cleanup-backups-service), [Mastodon](./roles/docker-mastodon), [Docker Container Health Checker](./roles/health-docker-container), [Blu-ray Player Tools](./roles/pc-bluray-player-tools), [Office](./roles/pc-office), [Update Solutions](./roles/update), [Matomo](./roles/docker-matomo), [Docker Volumes Health Checker](./roles/health-docker-volumes), [Caffeine](./roles/pc-caffeine), [Qbittorrent](./roles/pc-qbittorrent), [Update Apt](./roles/update-apt), [Disc Space Cleanup](./roles/cleanup-disc-space), [Matrix](./roles/docker-matrix), [Health Journalctl](./roles/health-journalctl), [Designer Tools](./roles/pc-designer-tools), [Security Tools](./roles/pc-security-tools), [Update Docker](./roles/update-docker), [Failed Docker Backups Cleanup](./roles/cleanup-failed-docker-backups), [MediaWiki](./roles/docker-mediawiki), [Nginx Health Checker](./roles/health-nginx), [Developer Tools](./roles/pc-developer-tools), [Spotify](./roles/pc-spotify), [Update Pacman](./roles/update-pacman), [Client Wireguard](./roles/client-wireguard), [MyBB](./roles/docker-mybb), [Developer Tools for Arduino](./roles/pc-developer-tools-arduino), [SSH](./roles/pc-ssh), [Update Yay](./roles/update-yay), [Client Setup for Wireguard Behind Firewall](./roles/client-wireguard-behind-firewall), [Nextcloud Server](./roles/docker-nextcloud), [Hunspell](./roles/hunspell), [Developer Tools for Bash](./roles/pc-developer-tools-bash), [Streaming Tools](./roles/pc-streaming-tools), [Administrator](./roles/user-administrator), [Docker](./roles/docker), [Peertube](./roles/docker-peertube), [Java](./roles/java), [Developer Tools for Java](./roles/pc-developer-tools-java), [Tor Browser](./roles/pc-torbrowser), [Video Conference](./roles/pc-video-conference), [Wireguard](./roles/wireguard), [Akaunting](./roles/docker-akaunting), [Pixelfed](./roles/docker-pixelfed), [Journalctl](./roles/journalctl), [Developer Tools for PHP](./roles/pc-developer-tools-php), [Virtual Box](./roles/pc-virtual-box), [Postfix](./roles/postfix), [Attendize](./roles/docker-attendize), [Wordpress](./roles/docker-wordpress), [Locales](./roles/locales), [Docker for End Users](./roles/pc-docker), [Games](./roles/pc-games), [Python Pip](./roles/python-pip), [Discourse](./roles/docker-discourse), [Epson Multiprinter Driver](./roles/driver-epson-multiprinter), [Nginx Certbot](./roles/nginx-certbot), [Git](./roles/pc-git), [SSHD](./roles/sshd), [YOURLS](./roles/docker-yourls), [BigBlueButton](./roles/docker-bigbluebutton),[System Maintenance Lock](./roles/system-maintenance-lock),[Open Project](./roles/docker-openproject)...
+[ELK Stack](./roles/docker-elk), [Intel Driver](./roles/driver-intel), [Nginx Docker Reverse Proxy](./roles/nginx-docker-reverse-proxy), [Sudo](./roles/sudo), [Funkwhale](./roles/docker-funkwhale), [MSI Keyboard Color Driver](./roles/driver-msi-keyboard-color), [Nginx Domain Redirect](./roles/nginx-redirect-domain), [GnuCash](./roles/pc-gnucash), [Backup Data to USB](./roles/backup-data-to-usb), [Gitea](./roles/docker-gitea), [Non-Free Driver](./roles/driver-non-free), [Nginx Homepage](./roles/nginx-static-repository), [Jrnl](./roles/pc-jrnl), [Systemd Notifier](./roles/systemd-notifier), [Backup Docker to Local](./roles/backup-docker-to-local), [Jenkins](./roles/docker-jenkins), [Git](./roles/git), [Nginx HTTPS](./roles/nginx-https), [Latex](./roles/pc-latex), [Email Notifier](./roles/systemd-notifier-email), [Remote to Local Backup Solution](./roles/backup-remote-to-local), [Joomla](./roles/docker-joomla), [Heal Defect Docker Installations](./roles/heal-docker), [Nginx Matomo Tracking](./roles/nginx-modifier-matomo), [LibreOffice](./roles/pc-libreoffice), [Telegram Notifier](./roles/systemd-notifier-telegram), [Listmonk](./roles/docker-listmonk), [Btrfs Health Check](./roles/health-btrfs), [Nginx WWW Redirect](./roles/nginx-redirect-www), [Network Analyze Tools](./roles/pc-network-analyze-tools), [System Security](./roles/system-security), [Mailu](./roles/docker-mailu), [Disc Space Health Check](./roles/health-disc-space), [Administrator Tools](./roles/pc-administrator-tools), [Nextcloud Client](./roles/pc-nextcloud), [Swapfile Setup](./roles/system-swapfile), [Backups Cleanup](./roles/cleanup-backups-service), [Mastodon](./roles/docker-mastodon), [Docker Container Health Checker](./roles/health-docker-container), [Blu-ray Player Tools](./roles/pc-bluray-player-tools), [Office](./roles/pc-office), [Update Solutions](./roles/update), [Matomo](./roles/docker-matomo), [Docker Volumes Health Checker](./roles/health-docker-volumes), [Caffeine](./roles/pc-caffeine), [Qbittorrent](./roles/pc-qbittorrent), [Update Apt](./roles/update-apt), [Disc Space Cleanup](./roles/cleanup-disc-space), [Matrix](./roles/docker-matrix), [Health Journalctl](./roles/health-journalctl), [Designer Tools](./roles/pc-designer-tools), [Security Tools](./roles/pc-security-tools), [Update Docker](./roles/update-docker), [Failed Docker Backups Cleanup](./roles/cleanup-failed-docker-backups), [MediaWiki](./roles/docker-mediawiki), [Nginx Health Checker](./roles/health-nginx), [Developer Tools](./roles/pc-developer-tools), [Spotify](./roles/pc-spotify), [Update Pacman](./roles/update-pacman), [Client Wireguard](./roles/client-wireguard), [MyBB](./roles/docker-mybb), [Developer Tools for Arduino](./roles/pc-developer-tools-arduino), [SSH](./roles/pc-ssh), [Update Yay](./roles/update-yay), [Client Setup for Wireguard Behind Firewall](./roles/client-wireguard-behind-firewall), [Nextcloud Server](./roles/docker-nextcloud), [Hunspell](./roles/hunspell), [Developer Tools for Bash](./roles/pc-developer-tools-bash), [Streaming Tools](./roles/pc-streaming-tools), [Administrator](./roles/user-administrator), [Docker](./roles/docker), [Peertube](./roles/docker-peertube), [Java](./roles/java), [Developer Tools for Java](./roles/pc-developer-tools-java), [Tor Browser](./roles/pc-torbrowser), [Video Conference](./roles/pc-video-conference), [Wireguard](./roles/wireguard), [Akaunting](./roles/docker-akaunting), [Pixelfed](./roles/docker-pixelfed), [Journalctl](./roles/journalctl), [Developer Tools for PHP](./roles/pc-developer-tools-php), [Virtual Box](./roles/pc-virtual-box), [Postfix](./roles/postfix), [Attendize](./roles/docker-attendize), [Wordpress](./roles/docker-wordpress), [Locales](./roles/locales), [Docker for End Users](./roles/pc-docker), [Games](./roles/pc-games), [Python Pip](./roles/python-pip), [Discourse](./roles/docker-discourse), [Epson Multiprinter Driver](./roles/driver-epson-multiprinter), [Nginx Certbot](./roles/nginx-certbot), [Git](./roles/pc-git), [SSHD](./roles/sshd), [YOURLS](./roles/docker-yourls), [BigBlueButton](./roles/docker-bigbluebutton),[System Maintenance Lock](./roles/system-maintenance-lock),[Open Project](./roles/docker-openproject)...

 ## License

--- a/SERVER_APPLICATIONS.md
+++ b/SERVER_APPLICATIONS.md
@ -21,9 +21,9 @@ Focuses on web server roles and applications, covering SSL certificates, Nginx c
 - **[Nginx-Docker-Reverse-Proxy](./roles/nginx-docker-reverse-proxy/)**: Sets up a reverse proxy for Docker containers.
 - **[nginx-static-repository](./roles/nginx-static-repository/)**: Configures a homepage for Nginx.
 - **[Nginx-Https](./roles/nginx-https/)**: Enables HTTPS configuration for Nginx.
- **[nginx-global-matomo](./roles/nginx-global-matomo/)**: Integrates Matomo tracking with Nginx.
- **[Nginx-Domain-Redirect](./roles/nginx-domain-redirect/)**: Manages URL redirects in Nginx.
- **[nginx-global-www](./roles/nginx-global-www/)**: Redirects all domains with the prefix www. from www.domain.tld to domain.tld
+- **[nginx-modifier-matomo](./roles/nginx-modifier-matomo/)**: Integrates Matomo tracking with Nginx.
+- **[nginx-redirect-domain](./roles/nginx-redirect-domain/)**: Manages URL redirects in Nginx.
+- **[nginx-redirect-www](./roles/nginx-redirect-www/)**: Redirects all domains with the prefix www. from www.domain.tld to domain.tld
 - **[Nginx-Certbot](./roles/nginx-certbot/)**: Integrates Certbot with Nginx for SSL certificates.
 - **[Postfix](./roles/postfix/)**: Setup for the Postfix mail transfer agent.

--- a/group_vars/all/03_domains.yml
+++ b/group_vars/all/03_domains.yml
@ -19,6 +19,7 @@ defaults_domains:
  listmonk:                "newsletter.{{primary_domain}}"
  mailu:                   "{{system_email.host}}"
  mastodon:                "microblog.{{primary_domain}}"
+  # ATTENTION: Will be owerwritten by the values in domains. Not merged.
  mastodon_alternates:    ["mastodon.{{primary_domain}}"]
  matomo:                  "matomo.{{primary_domain}}"
  matrix_synapse:          "matrix.{{primary_domain}}"
@ -28,6 +29,7 @@ defaults_domains:
  nextcloud:               "cloud.{{primary_domain}}"
  openproject:             "project.{{primary_domain}}"
  peertube:                "video.{{primary_domain}}"
+  # ATTENTION: Will be owerwritten by the values in domains. Not merged.
  peertube_alternates:     []
  phpmyadmin:              "phpmyadmin.{{primary_domain}}"
  pixelfed:                "picture.{{primary_domain}}"
@ -36,7 +38,10 @@ defaults_domains:
  snipe_it:                "inventory.{{primary_domain}}"
  taiga:                   "kanban.{{primary_domain}}"
  yourls:                  "s.{{primary_domain}}"
-  wordpress:              ["wordpress.{{primary_domain}}","blog.{{primary_domain}}"]
+  # ATTENTION: Will be owerwritten by the values in domains. Not merged.
+  wordpress:              
+    - "wordpress.{{primary_domain}}"
+    - "blog.{{primary_domain}}"

 ## Domain Redirects
 defaults_redirect_domain_mappings:
--- a/group_vars/all/05_nginx.yml
+++ b/group_vars/all/05_nginx.yml
@ -3,18 +3,19 @@
 ## Nginx-Specific Path Configurations
 nginx:
  directories:
-    configuration:  "/etc/nginx/conf.d/"              # Configuration directory
+    configuration:                "/etc/nginx/conf.d/"              # Configuration directory
    http:
-      global:       "/etc/nginx/conf.d/http/global/"  # Contains global configurations which will be loaded into the http block
-      servers:      "/etc/nginx/conf.d/http/servers/" # Contains one configuration per domain
-      maps:         "/etc/nginx/conf.d/http/maps/"    # Contains mappings
-    streams:        "/etc/nginx/conf.d/streams/"      # Contains streams configuration e.g. for ldaps
-    well_known:     "/usr/share/nginx/well-known/"    # Path where well-known files are stored
-    homepage:       "/usr/share/nginx/homepage/"      # Path where the static homepage files are stored. @todo Move this variable to the role
-    global:         "/var/www/global/"                # Directory containing files which will be globaly accessable
-  user:             "http"                            # Default nginx user in ArchLinux
+      global:                     "/etc/nginx/conf.d/http/global/"  # Contains global configurations which will be loaded into the http block
+      servers:                    "/etc/nginx/conf.d/http/servers/" # Contains one configuration per domain
+      maps:                       "/etc/nginx/conf.d/http/maps/"    # Contains mappings
+    streams:                      "/etc/nginx/conf.d/streams/"      # Contains streams configuration e.g. for ldaps
+    well_known:                   "/usr/share/nginx/well-known/"    # Path where well-known files are stored
+    homepage:                     "/usr/share/nginx/homepage/"      # Path where the static homepage files are stored. @todo Move this variable to the role
+    global:                       "/var/www/global/"                # Directory containing files which will be globaly accessable
+  user:                           "http"                            # Default nginx user in ArchLinux

 ## Nginx static repository
-nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role
-
-global_matomo_tracking_enabled:                false   # Activates matomo tracking on all html pages
+nginx_static_repository_address:  NULL                              # This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role
+                                                                    # @todo Move this to the dedicated role configuration
+## Matomo Tracking
+global_matomo_tracking_enabled:   false                             # Activates matomo tracking on all html pages. Change this in inventory.
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -54,7 +54,8 @@ defaults_applications:

  ## Funkwhale
  funkwhale:
-    version:              "1.4.0"
+    version:        "1.4.0"
+    ldap_enabled:   True    # Enables LDAP by default 

  ## Gitea
  gitea:
@ -70,11 +71,11 @@ defaults_applications:

  ## Keycloak
  keycloak:
-    version:              "latest"
-    administrator_username:  "{{administrator_username}}"  # Administrator Username for Keycloak
-#   database_password:        # Needs to be defined in inventory file   
-#   administrator_password:   # Needs to be defined in inventory file      
-
+    version:                  "latest"
+    administrator_username:   "{{administrator_username}}"  # Administrator Username for Keycloak
+    ldap_enabled:             True                          # Enables LDAP by default 
+#   database_password:                                      # Needs to be defined in inventory file   
+#   administrator_password:                                 # Needs to be defined in inventory file      

  ## LDAP
  ldap:
@ -92,15 +93,17 @@ defaults_applications:
      version:                        "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
    webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
    administrator_username:           "{{administrator_username}}"
-    # administrator_password:          # CHANGE for security reasons in inventory file
-    # administrator_database_password: # CHANGE for security reasons in inventory file
+    ldap_enabled:                     True                                      # Should have the same value as applications.ldap.openldap.network.local.
+                                                                                # Both need to be set to True to load the ldap_network in the docker compose file
+    # administrator_password:                                                   # CHANGE for security reasons in inventory file
+    # administrator_database_password:                                          # CHANGE for security reasons in inventory file

  ## Listmonk
  listmonk:
    administrator_username:           "{{administrator_username}}"
-    public_api_activated:             False # Security hole. Can be used for spaming
-    version:                          "latest"
-    setup:                            false # Set true in inventory file to execute the setup and initializing procedures
+    public_api_activated:             False     # Security hole. Can be used for spaming
+    version:                          "latest"  # Docker Image version
+    setup:                            false     # Set true in inventory file to execute the setup and initializing procedures

  ## MariaDB
  mariadb:
@ -148,19 +151,21 @@ defaults_applications:
  ## Nextcloud
  nextcloud:
    version:              "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+    ldap_enabled:         True          # Enables LDAP by default 

  ## OAuth2 Proxy
  oauth2_proxy:
-    configuration_file: "oauth2-proxy-keycloak.cfg"                                                                 # Needs to be set true in the roles which use it
-    version:            "latest"
-    redirect_url:       "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-    allowed_roles:      admin                                                                                       # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
-    cookie_secret: "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
+    configuration_file: "oauth2-proxy-keycloak.cfg"                                                                     # Needs to be set true in the roles which use it
+    version:            "latest"                                                                                        # Docker Image version
+    redirect_url:       "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"      # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+    allowed_roles:      admin                                                                                           # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
+    cookie_secret:      "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16

  ## Open Project
  openproject:
-    version:              "13" # Update when available. Sadly no rolling release implemented
+    version:              "13"  # Update when available. Sadly no rolling release implemented
    oauth2_proxy_active:  true
+    ldap_enabled:         True  # Enables LDAP by default 

  ## Peertube
  peertube:
@ -174,8 +179,8 @@ defaults_applications:

  ## Pixelfed
  pixelfed:
-    titel:          "Pictures on {{primary_domain}}"
-    version:           "latest"
+    titel:    "Pictures on {{primary_domain}}"
+    version:  "latest"

  ## Postgres
  # Please set an version in your inventory file - Rolling release for postgres isn't recommended
@ -188,7 +193,7 @@ defaults_applications:

  ## Taiga
  taiga:
-    version:              "latest"
+    version:           "latest"

  ## YOURLS
  yourls:
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@ -12,18 +12,18 @@ _oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oi
 _oidc_client_issuer_url:  "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"

 defaults_oidc:
-  enabled:               true
+  enabled:               true # Enable OIDC functionality for all apps 
  client:
-    id:                   "{{primary_domain}}"
-#   secret:               # Define in inventory file
-    realm:                "{{_oidc_client_realm}}"
-    issuer_url:           "{{_oidc_client_issuer_url}}"
-    discovery_document:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
-    authorize_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
-    toke_url:             "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
-    user_info_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
-    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
-    change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"
+    id:                   "{{primary_domain}}"                                              # Client identifier, typically matching your primary domain
+#   secret:                                                                                 # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
+    realm:                "{{_oidc_client_realm}}"                                          # The realm to which the client belongs in the OIDC provider
+    issuer_url:           "{{_oidc_client_issuer_url}}"                                     # Base URL of the OIDC provider (issuer)
+    discovery_document:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"    # URL for fetching the provider's configuration details
+    authorize_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"        # Endpoint to start the authorization process
+    toke_url:             "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"       # Endpoint to exchange authorization codes for tokens (note: 'toke_url' may be a typo for 'token_url')
+    user_info_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"    # Endpoint to retrieve user information
+    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"      # Endpoint to log out the user
+    change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"  # URL for managing or changing user credentials

 #############################################
 ### OAuth2-Proxy                          ###
@ -39,10 +39,6 @@ oauth2_proxy_active:                         false
 # Helper variables
 _ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"

-
-# This leads to that the role gets configured to use ldap
-ldap_enabled:                  false
-
 ldap:
  # Enables LDAP for all roles in play if true
  enabled:  true
--- a/playbook.servers.yml
+++ b/playbook.servers.yml
@ -245,7 +245,7 @@
  hosts: redirect
  become: true
  roles:
-   -  role: nginx-domain-redirect
+   -  role: nginx-redirect-domain
      vars:
        domain_mappings: "{{redirect_domain_mappings}}"

@ -253,13 +253,13 @@
  hosts: www_redirect
  become: true
  roles:
-   -  role: nginx-global-www
+   -  role: nginx-redirect-www

 # Helper Roles for partial deployment
 - name: Copy global css 
-  hosts: nginx-global-css
+  hosts: nginx-modifier-css
  become: true
  roles:
-   -  role: nginx-global-css
+   -  role: nginx-modifier-css

 - import_playbook: playbook.destructor.yml
--- a/roles/docker-akaunting/tasks/main.yml
+++ b/roles/docker-akaunting/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "include tasks update-repository-with-files.yml"
  include_tasks: update-repository-with-files.yml
--- a/roles/docker-baserow/tasks/main.yml
+++ b/roles/docker-baserow/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-bigbluebutton/tasks/main.yml
+++ b/roles/docker-bigbluebutton/tasks/main.yml
@ -15,8 +15,9 @@
 #    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
 #  notify: restart nginx

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: configure websocket_upgrade.conf
  copy: 
--- a/roles/docker-bluesky/tasks/main.yml
+++ b/roles/docker-bluesky/tasks/main.yml
@ -3,17 +3,15 @@
  include_role: 
    name: docker-compose

- name: "Include tasks for API domain"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role:
+    name: nginx-domain-setup
  vars:
-    domain: "{{ domains.bluesky_api }}"
-    http_port: "{{ ports.localhost.http.bluesky_api }}"
-
- name: "Include tasks for Web domain"
-  include_tasks: nginx-docker-proxy-domain.yml
-  vars:
-    domain: "{{ domains.bluesky_web }}"
-    http_port: "{{ ports.localhost.http.bluesky_web }}" 
+    domain: "{{ item.domain }}"
+    http_port: "{{ item.http_port }}"
+  loop:
+    - { domain: domains.bluesky_api, http_port: ports.localhost.http.bluesky_api }
+    - { domain: domains.bluesky_web, http_port: ports.localhost.http.bluesky_web }

 # The following lines should be removed when the following issue is closed:
 # https://github.com/bluesky-social/pds/issues/52
--- a/roles/docker-compose/tasks/main.yml
+++ b/roles/docker-compose/tasks/main.yml
@ -3,7 +3,10 @@

 - name: "Set global domain based on application_id"
  set_fact:
-    domain: "{{ domains[application_id] if application_id in domains else None }}"
+    domain: "{{ domains[application_id] }}"
+  when:
+    - application_id in domains
+    - domains[application_id] is string
  # Default case: One domain exists. Some applications like matrix don't have an default domain

 - name: "Set global http_port to {{ ports.localhost.http[application_id] }}"
--- a/roles/docker-discourse/tasks/main.yml
+++ b/roles/docker-discourse/tasks/main.yml
@ -10,8 +10,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "cleanup central database from {{application_id}}_default network"
  command:
--- a/roles/docker-elk/tasks/main.yml
+++ b/roles/docker-elk/tasks/main.yml
@ -1,7 +1,8 @@
 ---

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: create elasticsearch-sysctl.conf
  copy:
--- a/roles/docker-friendica/tasks/main.yml
+++ b/roles/docker-friendica/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-funkwhale/tasks/main.yml
+++ b/roles/docker-funkwhale/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-funkwhale/templates/env.j2
+++ b/roles/docker-funkwhale/templates/env.j2
@ -100,7 +100,7 @@ DJANGO_SETTINGS_MODULE=config.settings.production
 # Generate one using `openssl rand -base64 45`, for example
 DJANGO_SECRET_KEY={{funkwhale_django_secret}}

-{% if ldap_enabled | bool %}
+{% if applications[application_id].ldap_enabled | bool %}
 # LDAP settings
 # Use the following options to allow authentication on your Funkwhale instance
 # using a LDAP directory.
@ -110,7 +110,7 @@ DJANGO_SECRET_KEY={{funkwhale_django_secret}}
 LDAP_ENABLED        =   True
 LDAP_SERVER_URI     =   "{{ldap.server.uri}}"
 LDAP_BIND_DN        =   "{{ldap.dn.bind}}"
-LDAP_BIND_PASSWORD  =   "{{ldap.dn.bind_credential}}"
+LDAP_BIND_PASSWORD  =   "{{ldap.bind_credential}}"
 LDAP_SEARCH_FILTER  =   "(|(cn={0})(mail={0}))"
 LDAP_START_TLS      =   False
 LDAP_ROOT_DN        =   "{{ldap.dn.root}}"
--- a/roles/docker-funkwhale/vars/main.yml
+++ b/roles/docker-funkwhale/vars/main.yml
@ -2,7 +2,6 @@ application_id:                                 "funkwhale"
 nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;"
 database_password:                              "{{funkwhale_database_password}}"
 database_type:                                  "postgres"
-ldap_enabled:                                   True
 media_root:                                     "/srv/funkwhale/data/"
 static_root:                                    "{{media_root}}static"
 celeryd_concurrency:                            1
--- a/roles/docker-gitea/tasks/main.yml
+++ b/roles/docker-gitea/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-gitlab/tasks/main.yml
+++ b/roles/docker-gitlab/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-jenkins/tasks/main.yml
+++ b/roles/docker-jenkins/tasks/main.yml
@ -1,5 +1,6 @@
- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "docker jenkins"
  docker_compose:
--- a/roles/docker-joomla/tasks/main.yml
+++ b/roles/docker-joomla/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup
  loop: "{{ domains }}"
  loop_control:
    loop_var: domain
--- a/roles/docker-keycloak/tasks/main.yml
+++ b/roles/docker-keycloak/tasks/main.yml
@ -3,8 +3,23 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
+
+- name: "create directory {{import_directory_host}}"
+  file:
+    path: "{{import_directory_host}}"
+    state: directory
+    mode: 0755
+
+- name: "Copy import files to {{ import_directory_host }}"
+  template:
+    src: "{{ item }}"
+    dest: "{{ import_directory_host }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
+    mode: '770'
+  loop: "{{ lookup('fileglob', '{{ role_path }}/templates/import/*.j2', wantlist=True) }}"
+  notify: docker compose project setup
--- a/roles/docker-keycloak/templates/docker-compose.yml.j2
+++ b/roles/docker-keycloak/templates/docker-compose.yml.j2
@ -4,11 +4,19 @@ services:

  application:
    image: quay.io/keycloak/keycloak:{{applications.keycloak.version}}
-    command: start
+    container_name: {{container_name}}
+    command: start --import-realm # imports realms on startup
    {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
    ports:
      - "127.0.0.1:{{http_port}}:8080"
+    volumes:
+      - "{{import_directory_host}}:{{import_directory_docker}}"
 {% include 'templates/docker/container/depends-on-just-database.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
+    healthcheck:
+      test: ["CMD", "sh", "-c", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET /health/live HTTP/1.1\\r\\nHost: {{domains.keycloak}}\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3"]
+      interval: 30s
+      timeout: 10s
+      retries: 3

 {% include 'templates/docker/compose/networks.yml.j2' %}
--- a/roles/docker-keycloak/templates/env.j2
+++ b/roles/docker-keycloak/templates/env.j2
@ -1,6 +1,15 @@
+# Environment File for Keycloak 
+# Documentation can be found here: 
+# @see https://www.keycloak.org/server/containers
+
 KC_HOSTNAME=                    https://{{domain}}
 KC_HTTP_ENABLED=                true
+
+# Health Checks
+# @see https://quarkus.io/guides/smallrye-health
 KC_HEALTH_ENABLED=              true
+KC_METRICS_ENABLED=             true
+
 KEYCLOAK_ADMIN=                 "{{applications.keycloak.administrator_username}}"
 KEYCLOAK_ADMIN_PASSWORD=        "{{applications.keycloak.administrator_password}}"
 KC_DB=                          postgres
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@ -825,9 +825,9 @@
      "clientId": "{{realm}}",
      "name": "",
      "description": "",
-      "rootUrl": "https://{{realm}}/",
+      "rootUrl":  "https://{{realm}}/",
      "adminUrl": "https://{{realm}}/",
-      "baseUrl": "https://{{realm}}/",
+      "baseUrl":  "https://{{realm}}/",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
@ -865,7 +865,7 @@
      "attributes": {
        "realm_client": "false",
        "oidc.ciba.grant.enabled": "false",
-        "client.secret.creation.time": "1737924347",
+        "client.secret.creation.time": "0",
        "backchannel.logout.session.required": "true",
        "post.logout.redirect.uris": "https://{{primary_domain}}/*##+",
        "frontchannel.logout.session.required": "true",
@ -1611,7 +1611,7 @@
    "replyTo": "",
    "host": "{{system_email.host}}",
    "from": "{{system_email.from}}",
-    "fromDisplayName": "Keycloak Authentification System - {{domain.keycloak}}",
+    "fromDisplayName": "Keycloak Authentification System - {{domains.keycloak}}",
    "envelopeFrom": "",
    "ssl": "true",
    "user": "{{system_email.username}}"
@ -1965,7 +1965,7 @@
            "false"
          ],
          "connectionUrl": [
-            "{{ldap.dn.server.uri}}"
+            "{{ldap.server.uri}}"
          ],
          "syncRegistrations": [
            "true"
--- a/roles/docker-keycloak/vars/main.yml
+++ b/roles/docker-keycloak/vars/main.yml
@ -1,5 +1,7 @@
-application_id:  	  "keycloak"
-database_type:      "postgres"
-database_password:  "{{applications.keycloak.database_password}}"
-ldap_enabled:       True
-realm:              "{{primary_domain}}" # This is the name of the default realm which is used by the applications
+application_id:  	        "keycloak"
+database_type:            "postgres"
+database_password:        "{{applications.keycloak.database_password}}"
+container_name:           "{{application_id}}_application"
+realm:                    "{{primary_domain}}"                              # This is the name of the default realm which is used by the applications
+import_directory_host:    "{{docker_compose.directories.volumes}}import/"   # Directory in which keycloack import files are placed on the host
+import_directory_docker:  "/opt/keycloak/data/import/"                      # Directory in which keycloack import files are placed in the running docker container
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@ -19,7 +19,7 @@

 - name: "Import Access Roles to OpenLDAP"
  shell: >
-    docker exec -i openldap ldapadd -x -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
+    docker exec -i openldap ldapadd -x -D "{{ldap.dn.bind}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif"
  register: ldapadd_result
  changed_when: "'adding new entry' in ldapadd_result.stdout"
  # Allow return code 0 (all entries added) or 68 (entry already exists)
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-compose

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: Create {{domain}}.conf if LDAP is exposed to internet
  template: 
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -34,7 +34,7 @@ services:
      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'                      # Mounting all ldif files for import
    healthcheck:
      test: >
-        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}"
+        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.bind}}" -w "{{ldap.bind_credential}}"
      interval: 30s
      timeout: 10s
      retries: 3
--- a/roles/docker-ldap/templates/lam.env.j2
+++ b/roles/docker-ldap/templates/lam.env.j2
@ -10,4 +10,4 @@ LAM_CONFIGURATION_DATABASE= files
 LDAP_SERVER=                {{ldap.server.domain}}                                  # domain of LDAP database root entry
 LDAP_BASE_DN=               {{ldap.dn.root}}                                        # LDAP base DN to overwrite value generated by LDAP_DOMAIN
 LDAP_USER=                  {{ldap.dn.bind}}                                        # LDAP admin user (set as login user for LAM)
-LDAP_ADMIN_PASSWORD=        {{ldap.dn.bind_credential}}                             # LDAP admin password
+LDAP_ADMIN_PASSWORD=        {{ldap.bind_credential}}                             # LDAP admin password
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -1,7 +1,6 @@
 application_id:       "ldap"
 ldaps_docker_port:    636
 ldap_docker_port:     389
-ldap_enabled:         True

 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
--- a/roles/docker-listmonk/tasks/main.yml
+++ b/roles/docker-listmonk/tasks/main.yml
@ -12,8 +12,9 @@
      ""
      {% endif %}

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-listmonk/templates/docker-compose.yml.j2
+++ b/roles/docker-listmonk/templates/docker-compose.yml.j2
@ -11,6 +11,8 @@ services:
      - {{docker_compose.directories.config}}config.toml:/listmonk/config.toml
 {% include 'templates/docker/container/networks.yml.j2' %}
 {% include 'templates/docker/container/depends-on-just-database.yml.j2' %}
+    healthcheck:
+      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:9000/health || exit 1']

 {% include 'templates/docker/compose/volumes-just-database.yml.j2' %}

--- a/roles/docker-mailu/tasks/main.yml
+++ b/roles/docker-mailu/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup
  vars:
    nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 31M;"

--- a/roles/docker-mastodon/templates/mastodon.conf.j2
+++ b/roles/docker-mastodon/templates/mastodon.conf.j2
@ -8,7 +8,7 @@ server {

  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}

-  {% include 'roles/nginx-global/templates/global.includes.conf.j2'%}
+  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}

  keepalive_timeout    70;
  sendfile             on;
--- a/roles/docker-matomo/README.md
+++ b/roles/docker-matomo/README.md
@ -8,14 +8,6 @@ This Ansible role deploys a [Matomo](https://matomo.org/) analytics platform ins
 - Nginx installed for reverse proxy configuration.
 - Certbot installed for SSL certificate generation.

-## Role Variables
-
- `domain`: The domain where Matomo will be accessible.
- `administrator_email`: The email used for SSL certificate registration.
- `path_docker_compose_instances`: Path to store Docker Compose files.
- `http_port`: The host port that Matomo will be accessible on.
- `matomo_database_password`: Password for the Matomo database.
-
 ## AI Generated
 This script was created with the help of ChatGPT. The full conversation is [here](https://chat.openai.com/share/49e0c7e4-a2af-4a04-adad-7a735bdd85c4) available.

--- a/roles/docker-matomo/tasks/main.yml
+++ b/roles/docker-matomo/tasks/main.yml
@ -18,8 +18,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-matomo/templates/docker-compose.yml.j2
+++ b/roles/docker-matomo/templates/docker-compose.yml.j2
@ -11,6 +11,11 @@ services:
      - data:/var/www/html
 {% include 'templates/docker/container/depends-on-just-database.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
+    healthcheck:
+      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/80 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3

 {% include 'templates/docker/compose/volumes.yml.j2' %}
  data:
--- a/roles/docker-matomo/templates/env.j2
+++ b/roles/docker-matomo/templates/env.j2
@ -1,3 +1,6 @@
+# Environment File for Matomo 
+# @see https://hub.docker.com/_/matomo/
+
 MATOMO_DATABASE_HOST=     "{{database_host}}:{{database_port}}"
 MATOMO_DATABASE_ADAPTER=  "mysql"
 MATOMO_DATABASE_USERNAME= "{{database_username}}"
--- a/roles/docker-matomo/vars/main.yml
+++ b/roles/docker-matomo/vars/main.yml
@ -1,8 +1,8 @@
 ---
-application_id:  	              "matomo"
-database_type:                  "mariadb"
-database_password:              "{{matomo_database_password}}"
-domain:                         "{{domains.matomo}}"
+application_id:  	  "matomo"
+database_type:      "mariadb"
+database_password:  "{{matomo_database_password}}"
+domain:             "{{domains.matomo}}"            # Don't know if this is still necessary

 # Disable matomo tracking for matomo, because otherwise recursiv loading technics would be neccessary
-# global_matomo_tracking_enabled: false 
+global_matomo_tracking_enabled: false 
--- a/roles/docker-matrix-ansible/tasks/main.yml
+++ b/roles/docker-matrix-ansible/tasks/main.yml
@ -1,6 +1,7 @@
 ---
- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup
  loop:
    - "{{domains.matrix_element}}"
    - "{{domains.matrix_synapse}}"
--- a/roles/docker-matrix-compose/tasks/main.yml
+++ b/roles/docker-matrix-compose/tasks/main.yml
@ -30,8 +30,9 @@
    http_port:  "{{ports.localhost.http.matrix_synapse}}"
  notify: restart nginx
        
- name: "include tasks nginx-docker-proxy-domain.yml for element"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup
  vars:        
    domain:     "{{domains.matrix_element}}"
    http_port:  "{{ports.localhost.http.matrix_element}}"
--- a/roles/docker-matrix-compose/templates/nginx.conf.j2
+++ b/roles/docker-matrix-compose/templates/nginx.conf.j2
@ -10,6 +10,6 @@ server {
    listen 8448 ssl default_server;
    listen [::]:8448 ssl default_server;

-    {% include 'roles/nginx-global/templates/global.includes.conf.j2'%}
+    {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
    {% include 'roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2' %}
 }
--- a/roles/docker-mediawiki/tasks/main.yml
+++ b/roles/docker-mediawiki/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: add docker-compose.yml
  template: src=docker-compose.yml.j2 dest={{docker_compose.directories.instance}}docker-compose.yml
--- a/roles/docker-moodle/tasks/main.yml
+++ b/roles/docker-moodle/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-moodle/templates/docker-compose.yml.j2
+++ b/roles/docker-moodle/templates/docker-compose.yml.j2
@ -10,17 +10,14 @@ services:
    volumes:
      - 'moodle:/bitnami/moodle'
      - 'data:/bitnami/moodledata'
-# Healthcheck is not possible due to missing curl and wget in container
-# @todo implement healthcheck
-#    healthcheck:
-#      test: ["CMD", "curl", "-f", "http://127.0.0.1:8080"]
-#      interval: 1m
-#      timeout: 10s
-#      retries: 3
+    healthcheck:
+      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 {% include 'templates/docker/container/depends-on-just-database.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}

-
 {% include 'templates/docker/compose/volumes.yml.j2' %}
  moodle:
  data:
--- a/roles/docker-nextcloud/templates/proxy-nginx.conf.j2
+++ b/roles/docker-nextcloud/templates/proxy-nginx.conf.j2
@ -6,7 +6,7 @@ server

  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}

-  {% include 'roles/nginx-global/templates/global.includes.conf.j2'%}
+  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
  # Remove X-Powered-By, which is an information leak
  fastcgi_hide_header X-Powered-By;

--- a/roles/docker-nextcloud/vars/main.yml
+++ b/roles/docker-nextcloud/vars/main.yml
@ -3,5 +3,4 @@ application_id:                       "nextcloud"
 database_password:  	                "{{nextcloud_database_password}}"
 database_type:                        "mariadb"
 nextcloud_application_container_name: "nextcloud-application"
-nextcloud_nginx_container_name:       "nextcloud-web"
-ldap_enabled:                         True
+nextcloud_nginx_container_name:       "nextcloud-web"
--- a/roles/docker-openproject/tasks/main.yml
+++ b/roles/docker-openproject/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 #- name: "include tasks update-repository-with-files.yml"
 #  include_tasks: update-repository-with-files.yml
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -13,6 +13,4 @@ dummy_volume:                                 "{{docker_compose.directories.volu

 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port:   "proxy:80"
-oauth2_proxy_active:                          "{{ applications.openproject.oauth2_proxy_active | bool }}"
-
-ldap_enabled:                                 True
+oauth2_proxy_active:                          "{{ applications.openproject.oauth2_proxy_active | bool }}"
--- a/roles/docker-peertube/templates/docker-compose.yml.j2
+++ b/roles/docker-peertube/templates/docker-compose.yml.j2
@ -16,6 +16,12 @@ services:
      - config:/config
 {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
+    healthcheck:
+      # This just tests if the service is running on port 9000. It doesn't check if there is an 200 or e.g. an 404 response
+      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3

 {% include 'templates/docker/compose/volumes.yml.j2' %}
  assets:
--- a/roles/docker-peertube/templates/peertube.conf.j2
+++ b/roles/docker-peertube/templates/peertube.conf.j2
@ -3,7 +3,7 @@ server {

  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}

-  {% include 'roles/nginx-global/templates/global.includes.conf.j2'%}
+  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
  ##
  # Application
  ##
--- a/roles/docker-phpmyadmin/tasks/main.yml
+++ b/roles/docker-phpmyadmin/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-compose

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-phpmyadmin/templates/docker-compose.yml.j2
+++ b/roles/docker-phpmyadmin/templates/docker-compose.yml.j2
@ -10,5 +10,10 @@ services:
      - "127.0.0.1:{{http_port}}:80"
 {% include 'templates/docker/container/depends-on-just-database.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
+    healthcheck:
+      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/80 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3

 {% include 'templates/docker/compose/networks.yml.j2' %}
--- a/roles/docker-pixelfed/tasks/main.yml
+++ b/roles/docker-pixelfed/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-portfolio/tasks/main.yml
+++ b/roles/docker-portfolio/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-compose

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "include tasks update-repository-with-files.yml"
  include_tasks: update-repository-with-files.yml
--- a/roles/docker-portfolio/templates/docker-compose.yml.j2
+++ b/roles/docker-portfolio/templates/docker-compose.yml.j2
@ -11,5 +11,9 @@ services:
      - ./app:/app
    restart: unless-stopped
 {% include 'templates/docker/container/networks.yml.j2' %}
-
+    healthcheck:
+      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/5000 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
 {% include 'templates/docker/compose/networks.yml.j2' %}
--- a/roles/docker-snipe_it/README.md
+++ b/roles/docker-snipe_it/README.md
@ -1,9 +1,6 @@
-# CyMaIS Role
+# Docker Snipe-IT

-🚀 **CyMaIS** - Centralized Management and Integration System for **[Snipe-IT](https://github.com/snipe/snipe-it)**
-
-## About 📖
-This role provides an automated deployment and configuration for **Snipe-IT**, an open-source asset management system. It leverages **Docker Compose**, **Ansible**, and **centralized database integration** to streamline deployment and maintenance.
+This 🚀 **CyMaIS** role provides an automated deployment and configuration for **[Snipe-IT](https://github.com/snipe/snipe-it)**, an open-source asset management system. It leverages **Docker Compose**, **Ansible**, and **centralized database integration** to streamline deployment and maintenance.

 👤 **Author:** Kevin Veen-Birkenbach  
 🔗 **Website:** [veen.world](https://veen.world)
@ -24,11 +21,6 @@ docker-compose exec application php artisan cache:clear
 docker-compose restart application
 ```

-## Configuration
- **Database:** The role supports **MariaDB** as the primary database.
- **Environment Variables:** Defined in `templates/env.j2`.
- **Nginx Proxy Support:** Automated through `nginx-docker-proxy-domain.yml`.
-
 ## Pending Issue 🚧
 To ensure full **SAML authentication integration**, this issue still needs to be resolved:  
 🔗 [GitHub Issue #16186](https://github.com/snipe/snipe-it/issues/16186)
--- a/roles/docker-snipe_it/tasks/main.yml
+++ b/roles/docker-snipe_it/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-snipe_it/templates/docker-compose.yml.j2
+++ b/roles/docker-snipe_it/templates/docker-compose.yml.j2
@ -13,7 +13,12 @@ services:
      - "127.0.0.1:{{ports.localhost.http.snipe_it}}:80"
 {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
-
+    healthcheck:
+      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/80 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      
 {% include 'templates/docker/compose/volumes.yml.j2' %}
  redis:
  data:
--- a/roles/docker-taiga/tasks/main.yml
+++ b/roles/docker-taiga/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: pull docker repository
  git:
--- a/roles/docker-wordpress/tasks/main.yml
+++ b/roles/docker-wordpress/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database
  
- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup
  loop: "{{ domains.wordpress }}"
  loop_control:
    loop_var: domain
--- a/roles/docker-yourls/tasks/main.yml
+++ b/roles/docker-yourls/tasks/main.yml
@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include tasks nginx-docker-proxy-domain.yml"
-  include_tasks: nginx-docker-proxy-domain.yml
+- name: "include role nginx-domain-setup for {{application_id}}"
+  include_role: 
+    name: nginx-domain-setup

 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker/README.md
+++ b/roles/docker/README.md
@ -1,19 +1,23 @@
-# role docker
+# Docker Role 🚀

-## maintenance
+This role is part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais), maintained and developed by [Kevin Veen-Birkenbach](https://www.veen.world/).

-### list unused volumes
-```bash 
-    docker volume ls -q -f "dangling=true"
+---
+
+## Maintenance 🛠️
+
+### List Unused Volumes
+```bash
+docker volume ls -q -f "dangling=true"
 ```

-### remove all unused volumes
-```bash 
-    docker volume rm $(docker volume ls -q -f "dangling=true")
+### Remove All Unused Volumes
+```bash
+docker volume rm $(docker volume ls -q -f "dangling=true")
 ```

-### network issues
-```bash 
+### Network Issues Fixes
+```bash
 docker stop $(docker ps -a -q)
 docker rm $(docker ps -a -q)
 docker network prune -f
@ -21,9 +25,28 @@ sudo iptables -t nat -F DOCKER
 sudo iptables -t nat -F DOCKER-USER
 ```

+---

-## performance
- https://forums.docker.com/t/mysql-slow-performance-in-docker/37179/21
+## Warning ⚠️

-## see
- https://stackoverflow.com/questions/37599128/docker-how-do-you-disable-auto-restart-on-a-container
+**Caution:** The following instructions will delete **all Docker containers and volumes** on your server.  
+Make sure you have backups or that you're certain you want to clean your Docker environment completely.
+
+---
+
+## Cleaning Up Docker Containers and Volumes 🧹
+
+### Delete All Docker Containers
+```bash
+docker stop $(docker ps -a -q)
+docker rm $(docker ps -a -q)
+```
+
+### Delete All Docker Volumes
+```bash
+docker volume rm $(docker volume ls -q)
+```
+
+---
+
+Enjoy using this role and happy containerizing! 🎉
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@ -21,7 +21,7 @@ server
  }
  {% endif %}

-  {% include 'roles/nginx-global/templates/global.includes.conf.j2'%}
+  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
  
  {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
    # Additional Domain Specific Configuration
--- a/roles/nginx-domain-setup/README.md
+++ b/roles/nginx-domain-setup/README.md
@ -0,0 +1,16 @@
+# Nginx Domain Setup Role 🚀
+
+This role streamlines your Nginx configuration by performing several essential tasks:
+
+- **Modify Nginx configuration** with the `nginx-modifier-all` role.
+- **Request and receive HTTPS certificates** using the `nginx-https-recieve-certificate` role.
+- **Deploy a domain configuration file** from a Jinja2 template.
+- **Optionally secure your domain** with OAuth2 via the `docker-oauth2-proxy` role if enabled.
+
+## Author
+
+Developed by [Kevin Veen-Birkenbach](https://www.veen.world) 😎
+
+---
+
+Happy automating! 🎉
--- a/roles/nginx-domain-setup/tasks/main.yml
+++ b/roles/nginx-domain-setup/tasks/main.yml
@ -1,4 +1,8 @@
- name: "include role receive certbot certificate"
+- name: "include role nginx-modifier-all for {{domain}}"
+  include_role: 
+    name: nginx-modifier-all
+
+- name: "include role nginx-https-recieve-certificate for {{domain}}"
  include_role: 
    name: nginx-https-recieve-certificate

@ -8,7 +12,7 @@
    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
  notify: restart nginx
  
- name: include the docker-oauth2-proxy role
+- name: "include the docker-oauth2-proxy role {{domain}}"
  include_role:
    name: docker-oauth2-proxy
  when: oauth2_proxy_active | bool
--- a/roles/nginx-global-matomo/vars/main.yml
+++ b/roles/nginx-global-matomo/vars/main.yml
@ -1 +0,0 @@
-base_domain: "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
--- a/roles/nginx-global-www/README.md
+++ b/roles/nginx-global-www/README.md
@ -1,37 +0,0 @@
-# README.md for nginx-global-www Role
-
-## Overview
-The `nginx-global-www` role is designed to automate the process of setting up redirects from `www.domain.tld` to `domain.tld` for all domains and subdomains configured within the `{{nginx.directories.http.servers}}` directory. This role dynamically identifies configuration files following the pattern `*domain.tld.conf` and creates corresponding redirection rules.
-
-## Role Description
-This role performs several key tasks:
-1. **Find Configuration Files**: Locates all `.conf` files in the `{{nginx.directories.http.servers}}` directory that match the `*.*.conf` pattern, ensuring that only domain and subdomain configurations are selected.
-   
-2. **Filter Domain Names**: Processes each configuration file, extracting the domain names and removing both the `.conf` extension and the `{{nginx.directories.http.servers}}` path.
-
-3. **Prepare Redirect Domain Mappings**: Transforms the filtered domain names into a source-target mapping format, where `source` is `www.domain.tld` and `target` is `domain.tld`.
-
-4. **Include nginx-domain-redirect Role**: Applies the redirection configuration using the `nginx-domain-redirect` role with the dynamically generated domain mappings.
-
-## Usage
-To use this role, include it in your playbook and ensure that the `nginx-domain-redirect` role is available in your Ansible environment. No additional configuration is required as the role is designed to dynamically identify and process the domain configurations.
-
-Example playbook:
-```yaml
- hosts: web-servers
-  roles:
-    - nginx-global-www
-```
-
-## Requirements
- Ansible environment set up and configured to run roles.
- Access to the `{{nginx.directories.http.servers}}` directory on the target hosts.
- The `nginx-domain-redirect` role must be present and properly configured to handle the redirection mappings.
-
-## Notes
- This role is designed to work in environments where domain and subdomain configurations follow the naming pattern `*domain.tld.conf`.
- It automatically excludes any configurations that begin with `www.`, preventing duplicate redirects.
-
---
-
-This `nginx-global-www` role was crafted by [Kevin Veen-Birkenbach](https://www.veen.world) with insights and guidance provided by ChatGPT, an advanced AI language model from OpenAI. The development process, including the discussions with ChatGPT that shaped this role, can be [here](https://chat.openai.com/share/a68e3574-f543-467d-aea7-0895f0e00bbb) explored in detail.
--- a/roles/nginx-global/tasks/main.yml
+++ b/roles/nginx-global/tasks/main.yml
@ -1,13 +0,0 @@
- name: Activate Global Matomo tracking
-  include_role:
-    name: nginx-global-matomo
-  when: global_matomo_tracking_enabled | bool and domain is defined # @todo: Do I try run without is defined checking for domain
-
- name: Activate Global CSS
-  include_role:
-    name: nginx-global-css
-  when:
-    - global_theming_enabled | bool 
-    - run_once_nginx_global_css is not defined
-# - nginx-global-www Has to be loaded somehow different
-#  @todo implement better loading
--- a/roles/nginx-https/README.md
+++ b/roles/nginx-https/README.md
@ -0,0 +1 @@
+This role loads the components to create an nginx server with https
--- a/roles/nginx-https/meta/main.yml
+++ b/roles/nginx-https/meta/main.yml
@ -1,3 +1,3 @@
 dependencies:
 - nginx
- letsencrypt
+- letsencrypt
--- a/roles/nginx-modifier-all/README.md
+++ b/roles/nginx-modifier-all/README.md
@ -0,0 +1,29 @@
+# Nginx Global Matomo & Theming Modifier Role 🚀
+
+This role enhances your Nginx configuration by conditionally injecting global Matomo tracking and theming elements into your HTML responses. It uses Nginx sub-filters to seamlessly add tracking scripts and CSS links to your web pages.
+
+---
+
+## Features
+
+- **Global Matomo Tracking**  
+  When enabled (`global_matomo_tracking_enabled` is `true`), the role includes Matomo tracking configuration and injects the corresponding tracking script into your HTML.
+
+- **Global Theming**  
+  When enabled (`global_theming_enabled` is `true`), the role injects a global CSS link for consistent theming across your site.
+
+- **Smart Injection**  
+  Uses Nginx's `sub_filter` to insert the tracking and theming snippets right before the closing `</head>` tag of your HTML documents.
+
+
+This will automatically activate Matomo tracking and/or global theming based on your configuration.
+
+---
+
+## Author
+
+Developed by [Kevin Veen-Birkenbach](https://www.veen.world) 😎
+
+---
+
+Happy automating! 🎉
--- a/roles/nginx-modifier-all/meta/main.yml
+++ b/roles/nginx-modifier-all/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+  - nginx-modifier-css # Just required to load once
--- a/roles/nginx-modifier-all/tasks/main.yml
+++ b/roles/nginx-modifier-all/tasks/main.yml
@ -0,0 +1,4 @@
+- name: "Activate Global Matomo Tracking for {{domain}}"
+  include_role:
+    name: nginx-modifier-matomo
+  when: global_matomo_tracking_enabled | bool
--- a/roles/nginx-modifier-all/templates/global.includes.conf.j2
+++ b/roles/nginx-modifier-all/templates/global.includes.conf.j2
@ -4,14 +4,14 @@ sub_filter_types text/html;

 {% if global_matomo_tracking_enabled | bool %}
  # Include Global Matomo Tracking
-  {% include 'roles/nginx-global-matomo/templates/matomo-tracking.conf.j2' %}
+  {% include 'roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2' %}
 {% endif %}

 {% if global_theming_enabled | bool or global_matomo_tracking_enabled | bool%}
-  sub_filter '</head>' '{% if global_matomo_tracking_enabled | bool %}{% include 'roles/nginx-global-matomo/templates/script.j2' %}{% endif %}{% if global_theming_enabled | bool %}{% include 'roles/nginx-global-css/templates/link.j2' %}{% endif %}</head>';
+  sub_filter '</head>' '{% if global_matomo_tracking_enabled | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if global_theming_enabled | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}</head>';
 {% endif %}

 {% if global_theming_enabled | bool %}
  # Include Global CSS Location
-  {% include 'roles/nginx-global-css/templates/location.conf.j2' %}
+  {% include 'roles/nginx-modifier-css/templates/location.conf.j2' %}
 {% endif %}
--- a/roles/nginx-modifier-css/README.md
+++ b/roles/nginx-modifier-css/README.md
@ -13,23 +13,6 @@ This **Ansible role** provides a **global theming solution** for Nginx-based web

 ---

-## 📂 File Structure
-
-```
-.
-├── tasks/
-│   ├── main.yml        # Main Ansible tasks for deploying the global CSS
-├── vars/
-│   ├── main.yml        # Global variables (CSS paths, file names, etc.)
-├── templates/
-│   ├── global.css.j2   # Jinja2 template for generating the global CSS
-│   ├── location.conf.j2     # Nginx configuration for serving global.css
-│   ├── sub_filter.conf.j2   # Injects the global CSS link into served pages
-└── README.md           # You are here 🚀
-```
-
---
-
 ## 🎨 Theming Details

 The **CSS template (`global.css.j2`)** dynamically applies the defined theme colors and ensures **Bootstrap, buttons, alerts, forms, and other UI elements** follow the **unified design**.
--- a/roles/nginx-modifier-css/filter_plugins/color_filters.py
+++ b/roles/nginx-modifier-css/filter_plugins/color_filters.py
--- a/roles/nginx-modifier-css/meta/main.yml
+++ b/roles/nginx-modifier-css/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+  - nginx
--- a/roles/nginx-modifier-css/tasks/main.yml
+++ b/roles/nginx-modifier-css/tasks/main.yml
@ -5,7 +5,7 @@
    owner: "{{nginx.user}}"
    group: "{{nginx.user}}"
    mode: '0755'
-  when: run_once_nginx_global_css is not defined
+  when: run_once_nginx_global_css is not defined and global_theming_enabled | bool

 - name: Deploy global.css from template
  template:
@ -14,18 +14,18 @@
    owner: "{{nginx.user}}"
    group: "{{nginx.user}}"
    mode: '0644'
-  when: run_once_nginx_global_css is not defined
+  when: run_once_nginx_global_css is not defined and global_theming_enabled | bool

 - name: Get stat for global.css destination file
  stat:
    path: "{{ global_css_destination }}"
  register: global_css_stat
-  when: run_once_nginx_global_css is not defined
+  when: run_once_nginx_global_css is not defined and global_theming_enabled | bool

 - name: Set global_css_version to file modification time
  set_fact:
    global_css_version: "{{ global_css_stat.stat.mtime }}"
-  when: run_once_nginx_global_css is not defined
+  when: run_once_nginx_global_css is not defined and global_theming_enabled | bool

 - name: Mark global css tasks as run once
  set_fact:
--- a/roles/nginx-modifier-css/templates/global.css.j2
+++ b/roles/nginx-modifier-css/templates/global.css.j2
--- a/roles/nginx-modifier-css/templates/link.j2
+++ b/roles/nginx-modifier-css/templates/link.j2
--- a/roles/nginx-modifier-css/templates/location.conf.j2
+++ b/roles/nginx-modifier-css/templates/location.conf.j2
--- a/roles/nginx-modifier-css/vars/main.yml
+++ b/roles/nginx-modifier-css/vars/main.yml
--- a/roles/nginx-modifier-matomo/README.md
+++ b/roles/nginx-modifier-matomo/README.md
--- a/roles/nginx-modifier-matomo/meta/main.yml
+++ b/roles/nginx-modifier-matomo/meta/main.yml
@ -0,0 +1,3 @@
+dependencies:
+  - docker-matomo
+  - nginx
--- a/roles/nginx-modifier-matomo/tasks/main.yml
+++ b/roles/nginx-modifier-matomo/tasks/main.yml
@ -1,11 +1,23 @@
- name: Check if site already exists in Matomo
+- name: "Relevant variables for role: {{ role_path | basename }}"
+  debug:
+    msg:
+      domain: "{{ domain }}"
+      base_domain: "{{ base_domain }}"
+      verification_url: "{{ verification_url }}"
+  when: enable_debug | bool
+
+- name: Check if site {{ domain }} is allready registered at Matomo
  uri:
-    url: "https://{{domains.matomo}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{matomo_auth_token}}"
-    method: GET
+    url:            "{{verification_url}}"
+    method:         GET
    return_content: yes
-    status_code: 200
+    status_code:    200
    validate_certs: yes
-  register: site_check
+  register:         site_check
+
+- name: Set matomo_site_id to Null
+  set_fact:
+    matomo_site_id: Null

 - name: Set fact for site ID if site already exists
  set_fact:
@ -22,12 +34,12 @@
    return_content: yes
    validate_certs: yes
  register: add_site
-  when: "matomo_site_id is not defined"
+  when: "matomo_site_id is not defined or matomo_site_id is none"

 - name: Set fact for site ID if site was added
  set_fact:
    matomo_site_id: "{{ add_site.json.value }}"
-  when: "matomo_site_id is not defined"
+  when: "matomo_site_id is not defined or matomo_site_id is none"

 - name: Set the Matomo tracking code from a template file
  set_fact:
--- a/roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2
+++ b/roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2
--- a/roles/nginx-modifier-matomo/templates/matomo-tracking.js.j2
+++ b/roles/nginx-modifier-matomo/templates/matomo-tracking.js.j2
--- a/roles/nginx-modifier-matomo/templates/script.j2
+++ b/roles/nginx-modifier-matomo/templates/script.j2
--- a/roles/nginx-modifier-matomo/vars/main.yml
+++ b/roles/nginx-modifier-matomo/vars/main.yml
@ -0,0 +1,2 @@
+base_domain:      "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
+verification_url: "https://{{domains.matomo}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{matomo_auth_token}}"
--- a/roles/nginx-redirect-domain/README.md
+++ b/roles/nginx-redirect-domain/README.md
@ -2,12 +2,6 @@

 This Ansible role configures Nginx to perform 301 redirects from one domain to another. It handles SSL certificate retrieval for the source domains and sets up the Nginx configuration to redirect to the specified target domains.

-## Requirements
-
- Ansible 2.9 or higher
- Nginx installed on the target machine
- Let's Encrypt for SSL certificate management
-
 ## Role Variables

 - `domain_mappings`: A list of objects with `source` and `target` properties specifying the domains to redirect from and to.
@ -18,13 +12,5 @@ This Ansible role configures Nginx to perform 301 redirects from one domain to a
 - `nginx-https`: A role for setting up HTTPS for Nginx
 - `letsencrypt`: A role for managing SSL certificates with Let's Encrypt

-## Example Playbook
-
-```yaml
- hosts: servers
-  roles:
-    - { role: nginx-domain-redirect, domain_mappings: [ {source: 'example.com', target: 'newdomain.com'} ] }
-``````
-
 ## Author Information
-This role was created in 2023 by Kevin Veen Birkenbach.
+This role was created in 2023 by [Kevin Veen-Birkenbach](https://www.veen.world/).
--- a/roles/nginx-redirect-domain/meta/main.yml
+++ b/roles/nginx-redirect-domain/meta/main.yml
--- a/roles/nginx-redirect-domain/tasks/main.yml
+++ b/roles/nginx-redirect-domain/tasks/main.yml
--- a/roles/nginx-redirect-domain/templates/redirect.domain.nginx.conf.j2
+++ b/roles/nginx-redirect-domain/templates/redirect.domain.nginx.conf.j2
--- a/roles/nginx-redirect-www/README.md
+++ b/roles/nginx-redirect-www/README.md
@ -0,0 +1,22 @@
+# nginx-redirect-www
+
+## Overview
+The `nginx-redirect-www` role is designed to automate the process of setting up redirects from `www.domain.tld` to `domain.tld` for all domains and subdomains configured within the `{{nginx.directories.http.servers}}` directory. This role dynamically identifies configuration files following the pattern `*domain.tld.conf` and creates corresponding redirection rules.
+
+## Role Description
+This role performs several key tasks:
+1. **Find Configuration Files**: Locates all `.conf` files in the `{{nginx.directories.http.servers}}` directory that match the `*.*.conf` pattern, ensuring that only domain and subdomain configurations are selected.
+   
+2. **Filter Domain Names**: Processes each configuration file, extracting the domain names and removing both the `.conf` extension and the `{{nginx.directories.http.servers}}` path.
+
+3. **Prepare Redirect Domain Mappings**: Transforms the filtered domain names into a source-target mapping format, where `source` is `www.domain.tld` and `target` is `domain.tld`.
+
+4. **Include nginx-redirect-domain Role**: Applies the redirection configuration using the `nginx-redirect-domain` role with the dynamically generated domain mappings.
+
+## Notes
+- This role is designed to work in environments where domain and subdomain configurations follow the naming pattern `*domain.tld.conf`.
+- It automatically excludes any configurations that begin with `www.`, preventing duplicate redirects.
+
+---
+
+This `nginx-redirect-www` role was crafted by [Kevin Veen-Birkenbach](https://www.veen.world) with insights and guidance provided by ChatGPT, an advanced AI language model from OpenAI. The development process, including the discussions with ChatGPT that shaped this role, can be [here](https://chat.openai.com/share/a68e3574-f543-467d-aea7-0895f0e00bbb) explored in detail.
--- a/roles/nginx-redirect-www/meta/main.yml
+++ b/roles/nginx-redirect-www/meta/main.yml
--- a/roles/nginx-redirect-www/tasks/main.yml
+++ b/roles/nginx-redirect-www/tasks/main.yml
@ -30,9 +30,9 @@
    var: filtered_domains_with_primary_domain
  when: enable_debug | bool

- name: Include nginx-domain-redirect role with dynamic domain mappings for domains with {{primary_domain}} included
+- name: Include nginx-redirect-domain role with dynamic domain mappings for domains with {{primary_domain}} included
  include_role:
-    name: nginx-domain-redirect
+    name: nginx-redirect-domain
  vars:
    domain_mappings: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
  when: not enable_wildcard_certificate | bool
@ -57,9 +57,9 @@
    var: filtered_domains_without_primary_domain
  when: enable_debug | bool

- name: Include nginx-domain-redirect role with dynamic domain mappings for domains without primary domain
+- name: Include nginx-redirect-domain role with dynamic domain mappings for domains without primary domain
  include_role:
-    name: nginx-domain-redirect
+    name: nginx-redirect-domain
  vars:
    domain_mappings: "{{ filtered_domains_without_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"

--- a/roles/nginx-redirect-www/templates/www.wildcard.conf.j2
+++ b/roles/nginx-redirect-www/templates/www.wildcard.conf.j2
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	bd1395926b	Solved Matomo domain bug and refactored	2025-02-19 02:00:41 +01:00
Kevin Veen-Birkenbach	8b1ada7450	Optimized iam and realm	2025-02-18 21:54:40 +01:00
Kevin Veen-Birkenbach	c0916ce25b	Solved variable bug and updated README.md of docker	2025-02-18 21:16:27 +01:00
Kevin Veen-Birkenbach	0f44e65bf1	Optimized LDAP integration, keycloak realm import and health checks for docker images	2025-02-18 21:00:14 +01:00
				`@ -1 +0,0 @@`
				`base_domain: "{{ domain \| regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"`
				`@ -0,0 +1 @@`
				`This role loads the components to create an nginx server with https`