Release version 0.2.1

* Remove outdated `Installation.md` and `Administration.md` documentation from Akaunting and Peertube roles
* Fix `server_mode` conditional in `web-app-pgadmin` to avoid unintended defaults
* Normalize formatting of git repository variables in `web-app-roulette-wheel`
* Explicitly set `application_id` when loading `sys-stk-full-stateless` in `web-app-sphinx` to prevent scoping issues

https://chatgpt.com/share/6939d42e-483c-800f-b0fc-be61caab615d

CHANGELOG.md

@@ -1,3 +1,13 @@
+## [0.2.1] - 2025-12-10
+
+* restored full deployability of the Sphinx app by fixing the application_id scoping bug.
+
+
+## [0.2.0] - 2025-12-10
+
+* Added full Nix installer integration with dynamic upstream SHA256 verification, OS-specific installation paths, template-driven configuration, and updated pkgmgr integration.
+
+
 ## [0.1.1] - 2025-12-10
 
 * PKGMGR will now be pulled again

roles/dev-nix/TODO.md

@@ -0,0 +1,2 @@
+# to-dos
+- Implement better hash validation for security

roles/dev-nix/defaults/main.yml

@@ -1,14 +1,22 @@
 ---
-# Path to the installer script inside this role
-dev_nix_installer_source: "nix-install.sh"
+# Nix version to install via official installer
+dev_nix_installer_version: "2.32.4"
 
-# Path where the installer will be copied on the target host
+# Base URL for Nix releases
+dev_nix_installer_base_url: "https://releases.nixos.org/nix"
+
+# Full URL to the installer script (can be overridden if needed)
+dev_nix_installer_url: >-
+  {{ dev_nix_installer_base_url }}/nix-{{ dev_nix_installer_version }}/install
+
+# Full URL to the SHA256 checksum file
+dev_nix_installer_sha256_url: "{{ dev_nix_installer_url }}.sha256"
+
+# Path where the installer will be downloaded on the target host
 dev_nix_installer_dest: "/usr/local/share/nix-install.sh"
 
-# Expected SHA256 of the installer file.
-# You MUST set this to the actual hash of files/nix-install.sh, e.g.:
-#   sha256sum roles/dev-nix/files/nix-install.sh
-dev_nix_installer_sha256: "CHANGE_ME_SHA256_OF_INSTALLER"
+# Will be filled at runtime from dev_nix_installer_sha256_url
+dev_nix_installer_sha256: ""
 
 # Whether to drop a small shell snippet into /etc/profile.d to ensure
 # Nix environment is available for login shells.
@@ -16,3 +24,11 @@ dev_nix_enable_shell_snippet: false
 
 # Path of the profile.d snippet
 dev_nix_shell_snippet_path: "/etc/profile.d/nix.sh"
+
+# Enable experimental features such as nix-command and flakes
+dev_nix_enable_experimental_features: true
+
+# List of experimental features to enable when dev_nix_enable_experimental_features is true
+dev_nix_experimental_features:
+  - nix-command
+  - flakes

roles/dev-nix/tasks/01_core.yml

@@ -0,0 +1,49 @@
+---
+# Install Nix differently depending on the target platform:
+# - Arch-based systems: install via package manager
+# - Non-Arch systems: use the official installer with SHA256 verification
+
+# 1) Arch-based systems: just install the distro package
+- name: Install Nix via package manager on Arch-based systems
+  community.general.pacman:
+    name: nix
+    state: present
+  become: true
+  when: ansible_facts.os_family == "Archlinux"
+
+# 2) Non-Arch systems: delegate installer logic to a separate task file
+- name: Include non-Arch installer logic
+  ansible.builtin.include_tasks: 02_non_arch_installer.yml
+  when: ansible_facts.os_family != "Archlinux"
+
+# 3) Configure Nix experimental features (common for all platforms)
+- name: Ensure Nix config directory exists
+  ansible.builtin.file:
+    path: /etc/nix
+    state: directory
+    mode: "0755"
+  when: dev_nix_enable_experimental_features | bool
+  become: true
+
+- name: Deploy Nix configuration (nix.conf)
+  ansible.builtin.template:
+    src: "nix.conf.j2"
+    dest: "/etc/nix/nix.conf"
+    mode: "0644"
+  become: true
+
+# 4) Optionally drop shell snippet for Nix
+- name: Optionally drop shell snippet for Nix
+  ansible.builtin.copy:
+    dest: "{{ dev_nix_shell_snippet_path }}"
+    mode: "0644"
+    content: |
+      # Added by dev-nix Ansible role
+      if [ -e /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
+        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+      fi
+  when: dev_nix_enable_shell_snippet | bool
+  become: true
+
+# 5) Mark this role as "run once" in your global once-flag system
+- include_tasks: utils/once/flag.yml

roles/dev-nix/tasks/02_non_arch_installer.yml

@@ -0,0 +1,37 @@
+---
+# Non-Arch installer logic:
+# Download the official Nix installer and its SHA256 from releases.nixos.org
+# and run the daemon (multi-user) installer.
+
+# 1) Fetch the official SHA256 from releases.nixos.org on the control node
+- name: Fetch official Nix installer SHA256
+  ansible.builtin.uri:
+    url: "{{ dev_nix_installer_sha256_url }}"
+    return_content: true
+  register: dev_nix_official_sha_response
+  delegate_to: localhost
+  run_once: true
+
+- name: Set expected installer checksum from official SHA256
+  ansible.builtin.set_fact:
+    dev_nix_installer_sha256: >-
+      {{ dev_nix_official_sha_response.content.split()[0] | trim }}
+  run_once: true
+
+# 2) Download installer script on the target and verify via checksum
+- name: Download Nix installer script from official releases
+  ansible.builtin.get_url:
+    url: "{{ dev_nix_installer_url }}"
+    dest: "{{ dev_nix_installer_dest }}"
+    mode: "0755"
+    # get_url will verify the checksum and fail if it does not match
+    checksum: "sha256:{{ dev_nix_installer_sha256 }}"
+  become: true
+
+# 3) Run Nix installer in daemon (multi-user) mode if Nix is not installed
+- name: Run Nix installer in daemon (multi-user) mode if Nix is not installed
+  ansible.builtin.shell: >
+    "{{ dev_nix_installer_dest }}" --daemon
+  args:
+    creates: "/nix/store"
+  become: true

roles/dev-nix/tasks/install.yml

@@ -1,44 +0,0 @@
----
-# Install Nix using a locally stored installer script with SHA256 verification.
-
-- name: Ensure Nix installer script is present on target
-  ansible.builtin.copy:
-    src: "{{ dev_nix_installer_source }}"
-    dest: "{{ dev_nix_installer_dest }}"
-    mode: "0755"
-  become: true
-
-- name: Verify Nix installer SHA256 checksum
-  ansible.builtin.command: >
-    sh -c "sha256sum '{{ dev_nix_installer_dest }}' | awk '{print $1}'"
-  register: dev_nix_checksum_result
-  changed_when: false
-  become: true
-
-- name: Fail if Nix installer checksum does not match
-  ansible.builtin.fail:
-    msg: >-
-      Nix installer checksum mismatch.
-      Expected '{{ dev_nix_installer_sha256 }}', got '{{ dev_nix_checksum_result.stdout }}'.
-      Refusing to execute the installer.
-  when: dev_nix_checksum_result.stdout != dev_nix_installer_sha256
-
-# Nix multi-user (daemon) mode: creates /nix/store when successful.
-- name: Run Nix installer in daemon (multi-user) mode if Nix is not installed
-  ansible.builtin.shell: >
-    "{{ dev_nix_installer_dest }}" --daemon
-  args:
-    creates: "/nix/store"
-  become: true
-
-- name: Optionally drop shell snippet for Nix
-  ansible.builtin.copy:
-    dest: "{{ dev_nix_shell_snippet_path }}"
-    mode: "0644"
-    content: |
-      # Added by dev-nix Ansible role
-      if [ -e /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
-        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
-      fi
-  when: dev_nix_enable_shell_snippet | bool
-  become: true

roles/dev-nix/tasks/main.yml

@@ -1,5 +1,3 @@
 ---
-# Main entrypoint for the dev-nix role
-
-- name: Include installation tasks for Nix
-  ansible.builtin.include_tasks: install.yml
+- include_tasks: 01_core.yml
+  when: run_once_dev_nix is not defined

roles/dev-nix/templates/nix.conf.j2

@@ -0,0 +1,12 @@
+# Nix configuration file
+# Managed by the {{ SOFTWARE_NAME }}dev-nix Ansible role
+
+# Unix group containing the Nix build user accounts
+build-users-group = nixbld
+
+# Enable experimental features if configured
+{% if dev_nix_enable_experimental_features %}
+experimental-features = {{ dev_nix_experimental_features | join(" ") }}
+{% endif %}
+
+# (Optional) Add more global nix.conf options below

roles/pkgmgr/tasks/01_core.yml

@@ -4,7 +4,7 @@
   loop:
     - dev-git
     - dev-make
-    - dev-python-yaml
+    - dev-nix
 
 - name: Ensure OpenSSH client is installed
   community.general.pacman:
@@ -66,7 +66,7 @@
   become: true
 
 - name: "Update all repositories with pkgmgr"
-  command: "pkgmgr pull --all"
+  command: "pkgmgr update --all --clone-mode shallow"
   when: MODE_UPDATE | bool
 
 - include_tasks: utils/once/flag.yml

roles/web-app-akaunting/Installation.md

@@ -1,29 +0,0 @@
-# Installation Guide
-
-1. **Navigate to the Docker Compose Directory**  
-   Change into the directory where the Docker Compose files reside.
-   ```bash
-   cd {{ PATH_DOCKER_COMPOSE_INSTANCES }}akaunting/
-   ```
-
-2. **Set Environment Variables**  
-   Ensure timeouts are increased to handle long operations:
-   ```bash
-   export COMPOSE_HTTP_TIMEOUT=600
-   export DOCKER_CLIENT_TIMEOUT=600
-   ```
-
-3. **Start Akaunting Service**  
-   Run the setup command with the `AKAUNTING_SETUP` variable:
-   ```bash
-   AKAUNTING_SETUP=true docker-compose -p akaunting up -d
-   ```
-
-4. **Finalizing Setup**  
-   After verifying that the web interface works, restart services:
-   ```bash
-   docker-compose down
-   docker-compose -p akaunting up -d
-   ```
-
-For further details, visit the [Akaunting Documentation](https://akaunting.com/) and the [Akaunting GitHub Repository](https://github.com/akaunting/docker).

roles/web-app-peertube/Administration.md

@@ -1,29 +0,0 @@
-# Administration 
-
-## track docker container status
-```bash
-watch -n 2 "docker ps  -a | grep peertube"
-```
-
-## clean rebuild
-```bash
-cd {{ PATH_DOCKER_COMPOSE_INSTANCES }}peertube/ &&
-docker-compose down 
-docker volume rm peertube_assets peertube_config peertube_data peertube_database peertube_redis
-docker-compose up -d 
-```
-
-## access terminal
-```bash
-docker-compose exec -it application /bin/bash
-```
-
-## update config
-```bash
-apt update && apt install nano && nano ./config/default.yaml
-```
-
-## get root pasword
-```bash
-docker logs peertube-application-1 | grep -A1 root
-```

roles/web-app-pgadmin/tasks/main.yml

@@ -5,4 +5,4 @@
 
 - name: "configure pgadmin servers"
   include_tasks: configuration.yml
-  when: applications | get_app_conf(application_id, 'server_mode', True) | bool
+  when: applications | get_app_conf(application_id, 'server_mode') | bool

roles/web-app-roulette-wheel/tasks/main.yml

@@ -3,6 +3,6 @@
     name: sys-stk-full-stateless
   vars: 
     docker_compose_flush_handlers:  true
-    docker_git_repository_address:      "https://github.com/kevinveenbirkenbach/roulette-wheel.git"
+    docker_git_repository_address:  "https://github.com/kevinveenbirkenbach/roulette-wheel.git"
     docker_git_repository_pull:     true
-    docker_git_repository_branch:       "master"
+    docker_git_repository_branch:   "master"

roles/web-app-sphinx/tasks/main.yml

@@ -16,6 +16,8 @@
 - name: "load docker, proxy for '{{ application_id }}'"
   include_role:
     name: sys-stk-full-stateless
+  vars:  
+    application_id: "web-app-sphinx"
 
 # Hack because it wasn't possible to fix an handler bug in pkgmgr install
 - name: „Trigger“ docker compose up

tests/integration/test_no_module_redirections_in_logs.py

@@ -1,71 +0,0 @@
-# tests/integration/test_no_module_redirections_in_logs.py
-import os
-import glob
-import re
-import unittest
-from collections import defaultdict
-
-REDIR_RE = re.compile(r"redirecting \(type: modules\)\s+(\S+)\s+to\s+(\S+)", re.IGNORECASE)
-
-class ModuleRedirectionLogTest(unittest.TestCase):
-    """
-    Fail if logs/*.log contains Ansible module redirections like:
-      'redirecting (type: modules) ansible.builtin.pacman to community.general.pacman'
-    Rationale: These lookups add overhead and clutter logs. Use fully-qualified
-    collection names directly in tasks to improve performance and clarity.
-    """
-
-    def test_no_module_redirections(self):
-        project_root = os.path.abspath(os.path.join(os.path.dirname(__file__), "..", ".."))
-        log_glob = os.path.join(project_root, "logs", "*.log")
-        files = sorted(glob.glob(log_glob))
-
-        if not files:
-            self.skipTest(f"No log files found at {log_glob}")
-
-        hits = []
-        mappings = defaultdict(int)
-
-        for path in files:
-            try:
-                with open(path, "r", encoding="utf-8", errors="replace") as fh:
-                    for lineno, line in enumerate(fh, 1):
-                        m = REDIR_RE.search(line)
-                        if m:
-                            src, dst = m.group(1), m.group(2)
-                            hits.append((path, lineno, src, dst, line.strip()))
-                            mappings[(src, dst)] += 1
-            except OSError as e:
-                self.fail(f"Cannot read log file {path}: {e}")
-
-        if hits:
-            # Build helpful failure message
-            suggestions = []
-            regex_hints = []
-            for (src, dst), count in sorted(mappings.items(), key=lambda x: (-x[1], x[0])):
-                suggestions.append(f"- Replace '{src}' with '{dst}' in your tasks ({count} occurrences).")
-                # Create VS Code regex for finding these in YAML
-                src_name = re.escape(src.split('.')[-1])  # only short module name
-                regex_hints.append(f"(?<!{re.escape(dst.rsplit('.',1)[0])}\\.){src_name}:")
-
-            examples = []
-            for i, (path, lineno, src, dst, text) in enumerate(hits[:10], 1):
-                examples.append(f"{i:02d}. {path}:{lineno}: {text}")
-
-            msg = (
-                f"Found {len(hits)} Ansible module redirections in logs/*.log.\n"
-                f"These slow down execution and clutter logs. "
-                f"Use fully-qualified module names to avoid runtime redirection.\n\n"
-                f"Suggested replacements:\n"
-                + "\n".join(suggestions)
-                + "\n\nExamples:\n"
-                + "\n".join(examples)
-                + "\n\nVS Code regex to find each occurrence in your code:\n"
-                + "\n".join(f"- {hint}" for hint in sorted(set(regex_hints)))
-                + "\n\nExample fix:\n"
-                f"  # Instead of:\n"
-                f"  pacman:\n"
-                f"  # Use:\n"
-                f"  community.general.pacman:\n"
-            )
-            self.fail(msg)