Move _ansible directory into main directory

2023-12-16 02:25:14 +01:00 · 2023-12-16 02:25:14 +01:00 · 40742e3214
commit 40742e3214
parent 519882db43
124 changed files with 246 additions and 141 deletions
--- a/roles/acme_dns/tasks/main.yml
+++ b/roles/acme_dns/tasks/main.yml
@ -0,0 +1,31 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ acme_dns_svc }}"
+    env: "{{ acme_dns_env }}"
+    compose: "{{ acme_dns_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Setting the service config path
+      ansible.builtin.set_fact:
+        config_path: "{{ (service_path, 'config') | path_join }}"
+
+    - name: Create a service-config directory
+      ansible.builtin.file:
+        path: "{{ config_path }}"
+        state: directory
+        mode: "0700"
+
+    - name: Template config
+      ansible.builtin.template:
+        src: config.cfg.j2
+        dest: "{{ (config_path, 'config.cfg') | path_join }}"
+        mode: "0600"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/acme_dns/templates/config.cfg.j2
+++ b/roles/acme_dns/templates/config.cfg.j2
@ -0,0 +1,31 @@
+[general]
+listen = "0.0.0.0:53"
+protocol = "both"
+domain = "{{ svc.domain }}"
+nsname = "{{ svc.domain }}"
+nsadmin = "{{ svc.nsadmin }}"
+records = [
+    "{{ svc.domain }}. A {{ svc.records.a }}",
+    "{{ svc.domain }}. NS {{ svc.domain }}.",
+]
+debug = false
+
+[database]
+engine = "postgres"
+connection = "postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}/{{ svc.db.db }}"
+
+[api]
+ip = "0.0.0.0"
+disable_registration = false
+port = "{{ svc.port }}"
+tls = "none"
+corsorigins = [
+    "*"
+]
+use_header = true
+header_name = "X-Forwarded-For"
+
+[logconfig]
+loglevel = "info"
+logtype = "stdout"
+logformat = "text"
--- a/roles/acme_dns/vars/main.yml
+++ b/roles/acme_dns/vars/main.yml
@ -0,0 +1,27 @@
+---
+acme_dns_svc:
+  domain: acme.serguzim.me
+  name: acme-dns
+  port: 80
+  nsadmin: "{{ admin_email | regex_replace('@', '.') }}"
+  records:
+    a: "{{ ansible_facts.default_ipv4.address }}"
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    user: "{{ vault_acmedns.db.user }}"
+    pass: "{{ vault_acmedns.db.pass }}"
+    db: acme_dns
+
+acme_dns_compose:
+  watchtower: true
+  monitoring: true
+  image: joohoi/acme-dns
+  volumes:
+    - ./config:/etc/acme-dns:ro
+  file:
+    services:
+      app:
+        ports:
+          - "53:53"
+          - 53:53/udp
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ authentik_svc }}"
+    env: "{{ authentik_env }}"
+    compose: "{{ authentik_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/authentik/vars/main.yml
+++ b/roles/authentik/vars/main.yml
@ -0,0 +1,60 @@
+---
+authentik_svc:
+  domain: auth.serguzim.me
+  name: authentik
+  port: 9000
+  image_tag: 2023.8
+  db:
+    host: "{{ postgres.host }}"
+    database: authentik
+    user: "{{ vault_authentik.db.user }}"
+    pass: "{{ vault_authentik.db.pass }}"
+
+authentik_env:
+  AUTHENTIK_SECRET_KEY: "{{ vault_authentik.secret_key }}"
+
+  AUTHENTIK_EMAIL__HOST: "{{ mailer.host }}"
+  AUTHENTIK_EMAIL__PORT: "{{ mailer.port }}"
+  AUTHENTIK_EMAIL__USERNAME: "{{ vault_authentik.mail.user }}"
+  AUTHENTIK_EMAIL__PASSWORD: "{{ vault_authentik.mail.pass }}"
+  AUTHENTIK_EMAIL__USE_TLS: true
+  AUTHENTIK_EMAIL__USE_SSL: false
+  AUTHENTIK_EMAIL__TIMEOUT: 10
+  AUTHENTIK_EMAIL__FROM: auth@serguzim.me
+
+  AUTHENTIK_AVATARS: none
+
+  AUTHENTIK_REDIS__HOST: redis
+
+  AUTHENTIK_POSTGRESQL__HOST: "{{ svc.db.host }}"
+  AUTHENTIK_POSTGRESQL__NAME: "{{ svc.db.database }}"
+  AUTHENTIK_POSTGRESQL__USER: "{{ svc.db.user }}"
+  AUTHENTIK_POSTGRESQL__PASSWORD: "{{ svc.db.pass }}"
+
+authentik_compose:
+  watchtower: false
+  image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
+  file:
+    services:
+      app:
+        command: server
+        depends_on:
+          - redis
+      worker:
+        image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
+        restart: always
+        command: worker
+        user: root
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+        env_file:
+          - service.env
+        depends_on:
+          - redis
+        networks:
+          default:
+      redis:
+        image: redis:alpine
+        restart: always
+        networks:
+          default:
--- a/roles/backup/files/Dockerfile
+++ b/roles/backup/files/Dockerfile
@ -0,0 +1,3 @@
+FROM restic/restic
+
+RUN apk add curl
--- a/roles/backup/files/backup.timer
+++ b/roles/backup/files/backup.timer
@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=*-*-* 04:10:00
+[Install]
+WantedBy=timers.target
--- a/roles/backup/files/docker-compose.yml
+++ b/roles/backup/files/docker-compose.yml
@ -0,0 +1,30 @@
+version: "3.7"
+
+services:
+  backup:
+    build:
+      context: .
+    image: backup
+    restart: never
+    env_file:
+      - service.env
+    volumes:
+      - /tmp/backup-misc:/backup/misc
+      - gitea_data:/backup/volumes/gitea_data
+      - influxdb_data:/backup/volumes/influxdb_data
+      - reitanlage_data:/backup/volumes/reitanlage_data
+      - synapse_media_store:/backup/volumes/synapse_media_store
+      - tandoor_mediafiles:/backup/volumes/tandoor_mediafiles
+    command: restic backup /backup
+
+volumes:
+  gitea_data:
+    external: true
+  influxdb_data:
+    external: true
+  reitanlage_data:
+    external: true
+  synapse_media_store:
+    external: true
+  tandoor_mediafiles:
+    external: true
--- a/roles/backup/files/node001/mailcow.sh
+++ b/roles/backup/files/node001/mailcow.sh
@ -0,0 +1,3 @@
+export MAILCOW_BACKUP_LOCATION="$BACKUP_LOCATION/mailcow"
+mkdir -p "$MAILCOW_BACKUP_LOCATION"
+/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all
--- a/roles/backup/files/node002/postgres.sh
+++ b/roles/backup/files/node002/postgres.sh
@ -0,0 +1,14 @@
+mkdir -p "$BACKUP_LOCATION/postgres"
+cd "$BACKUP_LOCATION/postgres" || exit
+
+postgres_tables=$(sudo -u postgres psql -Atc "SELECT datname FROM pg_database WHERE datistemplate = false;")
+
+for i in $postgres_tables
+do
+	printf "dumping %s ..." "$i"
+	sudo -u postgres pg_dump "$i" | gzip >"pg_dump_$i.gz"
+	echo " done"
+done
+
+echo "dumping all"
+sudo -u postgres pg_dumpall | gzip >"pg_dumpall.gz"
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@ -0,0 +1,84 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ backup_svc }}"
+    env: "{{ backup_env }}"
+    compose: "{{ backup_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Copy the Dockerfile
+      ansible.builtin.copy:
+        src: Dockerfile
+        dest: "{{ (service_path, 'Dockerfile') | path_join }}"
+        mode: "0644"
+      register: cmd_result
+
+    - name: Set the docker rebuild flag
+      ansible.builtin.set_fact:
+        docker_rebuild: true
+      when: cmd_result.changed # noqa: no-handler We need to handle the restart per service. Handlers don't support variables.
+
+    - name: Set backup.d path
+      ansible.builtin.set_fact:
+        backup_d_path: "{{ (service_path, 'backup.d') | path_join }}"
+
+    - name: Create backup.d directory
+      ansible.builtin.file:
+        path: "{{ backup_d_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Copy the additional backup scripts
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "{{ backup_d_path }}"
+        mode: "0755"
+      with_fileglob:
+        - "{{ ansible_facts.hostname }}/*"
+
+    - name: Copy the main backup scripts
+      ansible.builtin.template:
+        src: "backup.sh.j2"
+        dest: "{{ (service_path, 'backup.sh') | path_join }}"
+        mode: "0755"
+
+    - name: Copy the system service
+      ansible.builtin.template:
+        src: backup.service.j2
+        dest: /etc/systemd/system/backup.service
+        mode: "0644"
+      become: true
+    - name: Copy the system timer
+      ansible.builtin.copy:
+        src: backup.timer
+        dest: /etc/systemd/system/backup.timer
+        mode: "0644"
+      become: true
+    - name: Enable the system timer
+      ansible.builtin.systemd_service:
+        name: backup.timer
+        state: started
+        enabled: true
+        daemon_reload: true
+      become: true
+
+    - name: Import tasks create a service.env file
+      ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
+
+    - name: Build service
+      ansible.builtin.command:
+        cmd: docker compose build --pull
+        chdir: "{{ service_path }}"
+      register: cmd_result
+      changed_when: true # TODO
+
+    - name: Verify service
+      ansible.builtin.command:
+        cmd: docker compose run --rm app check
+        chdir: "{{ service_path }}"
+      changed_when: false
--- a/roles/backup/templates/backup.service.j2
+++ b/roles/backup/templates/backup.service.j2
@ -0,0 +1,4 @@
+[Service]
+Type=oneshot
+ExecStart={{ service_path }}/backup.sh
+WorkingDirectory={{ service_path }}
--- a/roles/backup/templates/backup.sh.j2
+++ b/roles/backup/templates/backup.sh.j2
@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -e
+
+set -a
+. "{{ service_path }}/service.env"
+set +a
+
+hc_url="https://hc-ping.com/$HC_UID"
+_hc_ping () {
+	curl -fsSL --retry 3 "$hc_url$1" >/dev/null
+}
+
+_hc_fail () {
+	_hc_ping "/fail"
+	exit 1
+}
+
+_hc_ping "/start"
+duration_start=$(date +%s)
+
+BACKUP_LOCATION="$(mktemp -d)"
+export BACKUP_LOCATION
+cd "$BACKUP_LOCATION" || exit
+
+shopt -s nullglob
+for file in "{{ service_path }}/backup.d/"*
+do
+	echo ""
+	echo "running $file"
+	time "$file" || _hc_fail
+done || true
+
+cd "{{ service_path }}"
+docker compose run --rm -v "$BACKUP_LOCATION:/backup/misc" app backup /backup || _hc_fail
+
+duration_end=$(date +%s)
+_hc_ping
+
+duration=$((duration_end - duration_start))
+curl -fsSL --retry 3 "https://status.serguzim.me/api/push/$UPTIME_KUMA_TOKEN?status=up&msg=OK&ping=${duration}000"
+
+rm -rf "$BACKUP_LOCATION"
+
+echo "forgetting old backups for $(hostname)"
+docker compose run --rm app forget --host "$(hostname)" --prune \
+	--keep-daily 14 \
+	--keep-weekly 28 \
+	--keep-monthly 12 \
+	--keep-yearly 2 
--- a/roles/backup/vars/main.yml
+++ b/roles/backup/vars/main.yml
@ -0,0 +1,28 @@
+---
+backup_svc:
+  name: backup
+
+backup_volumes_service: "{{ host_backup.backup.volumes | map_backup_volumes_service }}"
+
+backup_env:
+  HC_UID: "{{ host_backup.backup.hc_uid }}"
+  UPTIME_KUMA_TOKEN: "{{ host_backup.backup.uptime_kuma_token }}"
+
+  RESTIC_REPOSITORY: "{{ vault_backup.restic.repository }}"
+  RESTIC_PASSWORD: "{{ vault_backup.restic.password }}"
+
+  AWS_ACCESS_KEY_ID: "{{ vault_backup.aws_secret.key_id }}"
+  AWS_SECRET_ACCESS_KEY: "{{ vault_backup.aws_secret.access_key }}"
+
+backup_compose:
+  watchtower: false
+  image: backup
+  volumes: "{{ backup_volumes_service }}"
+  file:
+    services:
+      app:
+        build:
+          context: .
+        restart: never
+        hostname: "{{ ansible_facts.hostname }}"
+    volumes: "{{ host_backup.backup.volumes | map_backup_volumes }}"
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@ -0,0 +1 @@
+caddy_ports_extra: []
--- a/roles/caddy/files/Dockerfile
+++ b/roles/caddy/files/Dockerfile
@ -0,0 +1,8 @@
+FROM caddy:2-builder AS builder
+
+RUN xcaddy build \
+    --with github.com/caddy-dns/acmedns@main
+
+FROM caddy:2-alpine
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/roles/caddy/files/snippets
+++ b/roles/caddy/files/snippets
@ -0,0 +1,37 @@
+(auth_serguzim_me) {
+    # always forward outpost path to actual outpost
+    reverse_proxy /outpost.goauthentik.io/* authentik:9000
+
+    # forward authentication to outpost
+    forward_auth authentik:9000 {
+        uri /outpost.goauthentik.io/auth/caddy
+
+        # capitalization of the headers is important, otherwise they will be empty
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+        # optional, in this config trust all private ranges, should probably be set to the outposts IP
+        trusted_proxies private_ranges
+    }
+}
+
+(default) {
+	encode zstd gzip
+}
+
+(acmedns) {
+	tls {
+		dns acmedns {
+			username "{$ACMEDNS_USER}"
+			password "{$ACMEDNS_PASS}"
+			subdomain "{$ACMEDNS_SUBD}"
+			server_url "{$ACMEDNS_URL}"
+		}
+	}
+}
+
+(faas) {
+		rewrite * /function/{args[0]}{uri}
+		reverse_proxy https://faas.serguzim.me {
+			header_up Host {http.reverse_proxy.upstream.hostport}
+		}
+}
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@ -0,0 +1,43 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ caddy_svc }}"
+    env: "{{ caddy_env }}"
+    compose: "{{ caddy_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Set caddy config path
+      ansible.builtin.set_fact:
+        config_path: "{{ (service_path, 'config') | path_join }}"
+
+    - name: Create config directory
+      ansible.builtin.file:
+        path: "{{ config_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Template caddyfile
+      ansible.builtin.template:
+        src: Caddyfile.j2
+        dest: "{{ (config_path, 'Caddyfile') | path_join }}"
+        mode: "0644"
+
+    - name: Copy snippets file
+      ansible.builtin.copy:
+        src: snippets
+        dest: "{{ (config_path, 'snippets') | path_join }}"
+        mode: "0644"
+
+    - name: Create sites-config directory
+      ansible.builtin.file:
+        path: "{{ caddy_config_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/caddy/templates/Caddyfile.j2
+++ b/roles/caddy/templates/Caddyfile.j2
@ -0,0 +1,10 @@
+{
+	email {{ admin_email }}
+
+	servers {
+		strict_sni_host on
+	}
+}
+
+import /etc/caddy/snippets
+import /etc/caddy/conf.d/*.conf
--- a/roles/caddy/vars/main.yml
+++ b/roles/caddy/vars/main.yml
@ -0,0 +1,37 @@
+---
+caddy_acmedns_user: "{{ vault_caddy.acmedns.user }}"
+caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
+caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
+caddy_acmedns_url: "https://acme.serguzim.me"
+
+caddy_ports_default:
+  - 80:80
+  - 443:443
+  - 443:443/udp
+caddy_ports: "{{ caddy_ports_default | union(caddy_ports_extra) }}"
+
+caddy_svc:
+  name: caddy
+
+caddy_env:
+  ACMEDNS_USER: "{{ caddy_acmedns_user }}"
+  ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"
+  ACMEDNS_SUBD: "{{ caddy_acmedns_subd }}"
+  ACMEDNS_URL: "{{ caddy_acmedns_url }}"
+
+caddy_compose:
+  watchtower: false
+  image: caddy-custom:2-alpine
+  volumes:
+    - "./config:/etc/caddy/"
+    - data:/data
+  file:
+    services:
+      app:
+        build:
+          context: .
+        ports: "{{ caddy_ports }}"
+        extra_hosts:
+          - host.docker.internal:host-gateway
+    volumes:
+      data:
--- a/roles/coder/tasks/main.yml
+++ b/roles/coder/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ coder_svc }}"
+    env: "{{ coder_env }}"
+    compose: "{{ coder_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/coder/vars/main.yml
+++ b/roles/coder/vars/main.yml
@ -0,0 +1,35 @@
+---
+coder_svc:
+  domain: coder.serguzim.me
+  additional_domains:
+    - "*.coder.serguzim.me"
+  caddy_extra: import acmedns
+  name: coder
+  port: 7080
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+  ssh_port: 22
+  ssh_port_alt: 3022
+
+coder_env:
+  CODER_ADDRESS: "0.0.0.0:7080"
+  CODER_ACCESS_URL: https://{{ svc.domain }}
+  CODER_WILDCARD_ACCESS_URL: "*.{{ svc.domain }}"
+
+  CODER_PG_CONNECTION_URL: postgres://{{ vault_coder.db.user }}:{{ vault_coder.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/coder?sslmode=verify-full
+
+  CODER_OIDC_ISSUER_URL: https://auth.serguzim.me/application/o/coder-serguzim-me/
+  CODER_OIDC_CLIENT_ID: "{{ vault_coder.oidc_client.id }}"
+  CODER_OIDC_CLIENT_SECRET: "{{ vault_coder.oidc_client.secret }}"
+
+coder_compose:
+  watchtower: true
+  image: ghcr.io/coder/coder:latest
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+  file:
+    services:
+      app:
+        group_add:
+          - "972" # docker group on host
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -0,0 +1,7 @@
+---
+- name: Reload caddy
+  ansible.builtin.command:
+    cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile && caddy reload --config /etc/caddy/Caddyfile"
+    chdir: "{{ caddy_path }}"
+  when: "'local-dev' != inventory_hostname"
+  changed_when: true
--- a/roles/extra_services/tasks/main.yml
+++ b/roles/extra_services/tasks/main.yml
@ -0,0 +1,11 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy extra services
+  block:
+    - name: Import tasks to template the site and functions for the reverse proxy
+      ansible.builtin.include_tasks: tasks/steps/template-site-config.yml
+      loop: "{{ extra_services_all }}"
+      loop_control:
+        loop_var: svc
--- a/roles/extra_services/vars/main.yml
+++ b/roles/extra_services/vars/main.yml
@ -0,0 +1,14 @@
+---
+extra_services_default:
+  - domain: cloud-old.serguzim.me
+    docker_host: host.docker.internal
+    port: 3015
+    caddy_extra: |
+      redir /.well-known/host-meta         /public.php?service=host-meta 301
+      redir /.well-known/host-meta.json    /public.php?service=host-meta-json 301
+      redir /.well-known/webfinger         /public.php?service=webfinger 301
+      redir /.well-known/carddav           /remote.php/dav/ 301
+      redir /.well-known/caldav            /remote.php/dav/ 301
+
+extra_services_hidden: "{{ vault_extra_services }}"
+extra_services_all: "{{ extra_services_default | union(extra_services_hidden) }}"
--- a/roles/faas/tasks/main.yml
+++ b/roles/faas/tasks/main.yml
@ -0,0 +1,10 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ faas_svc }}"
+  block:
+    - name: Import tasks to template the site and functions for the reverse proxy
+      ansible.builtin.import_tasks: tasks/steps/template-site-config.yml
--- a/roles/faas/vars/main.yml
+++ b/roles/faas/vars/main.yml
@ -0,0 +1,31 @@
+---
+faas_svc:
+  name: faas
+  domain: faas.serguzim.me
+  docker_host: host.docker.internal
+  port: 8080
+  extra_svcs:
+    - domain: link.serguzim.me
+      faas_function: url-mapper
+    - domain: msrg.cc
+      faas_function: webpage-msrg-cc
+      caddy_extra: |
+        header /.well-known/* Access-Control-Allow-Origin *
+
+        handle /.well-known/webfinger {
+            map {query.resource} {user} {
+                acct:tobias@msrg.cc serguzim
+                acct:serguzim@msrg.cc serguzim
+            }
+            rewrite * /.well-known/webfinger/{user}.json
+            import faas webpage-msrg-cc
+        }
+    - domain: serguzim.me
+      faas_function: webpage-serguzim-me
+      www_domain: true
+      hsts: true
+    - domain: team-leon.eu
+      faas_function: webpage-team-leon-eu
+      www_domain: true
+    - domain: xn--sder-5qa.stream
+      faas_function: webpage-soeder-stream
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ forgejo_svc }}"
+    env: "{{ forgejo_env }}"
+    compose: "{{ forgejo_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/forgejo/vars/main.yml
+++ b/roles/forgejo/vars/main.yml
@ -0,0 +1,95 @@
+---
+forgejo_svc:
+  domain: git.serguzim.me
+  name: forgejo
+  port: 3000
+  caddy_extra: header /attachments/* Access-Control-Allow-Origin *
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+  ssh_port: 22
+  ssh_port_alt: 3022
+
+forgejo_env:
+  FORGEJO__database__DB_TYPE: postgres
+  FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
+  FORGEJO__database__NAME: forgejo
+  FORGEJO__database__USER: "{{ vault_forgejo.db.user }}"
+  FORGEJO__database__PASSWD: "{{ vault_forgejo.db.pass }}"
+  FORGEJO__database__SSL_MODE: verify-full
+
+  FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
+  FORGEJO__repository__ENABLE_PUSH_CREATE_ORG: true
+  FORGEJO__repository__DEFAULT_BRANCH: main
+
+  FORGEJO__cors__ENABLED: true
+  FORGEJO__cors__SCHEME: https
+
+  FORGEJO__ui__DEFAULT_THEME: arc-green
+
+  FORGEJO__server__DOMAIN: "{{ svc.domain }}"
+  FORGEJO__server__SSH_DOMAIN: "{{ svc.domain }}"
+  FORGEJO__server__SSH_PORT: "{{ svc.ssh_port }}"
+  FORGEJO__server__ROOT_URL: https://{{ svc.domain }}
+  FORGEJO__server__OFFLINE_MODE: true
+  FORGEJO__server__LFS_JWT_SECRET: "{{ vault_forgejo.server_lfs_jwt_secret }}"
+  FORGEJO__server__LFS_START_SERVER: true
+
+  FORGEJO__security__INSTALL_LOCK: true
+  FORGEJO__security__INTERNAL_TOKEN: "{{ vault_forgejo.security_internal_token }}"
+  FORGEJO__security__SECRET_KEY: "{{ vault_forgejo.security_secret_key }}"
+
+  FORGEJO__openid__ENABLE_OPENID_SIGNUP: true
+  FORGEJO__openid__ENABLE_OPENID_SIGNIN: false
+
+  FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+  FORGEJO__service__ENABLE_BASIC_AUTHENTICATION: false
+  FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: true
+  FORGEJO__service__NO_REPLY_ADDRESS: discard.msrg.cc
+
+  FORGEJO__webhook__DELIVER_TIMEOUT: 60
+
+  FORGEJO__mailer__ENABLED: true
+  FORGEJO__mailer__PROTOCOL: smtp+starttls
+  FORGEJO__mailer__SMTP_ADDR: mail.serguzim.me
+  FORGEJO__mailer__SMTP_PORT: 587
+  FORGEJO__mailer__FROM: Forgejo <git@serguzim.me>
+  FORGEJO__mailer__USER: git@serguzim.me
+  FORGEJO__mailer__PASSWD: "{{ vault_forgejo.mailer_passwd }}"
+  FORGEJO__mailer__SEND_AS_PLAIN_TEXT: true
+
+  FORGEJO__picture__DISABLE_GRAVATAR: true
+
+  FORGEJO__oauth2__JWT_SECRET: "{{ vault_forgejo.oauth2_jwt_secret }}"
+
+  FORGEJO__metrics__ENABLED: true
+  FORGEJO__metrics__TOKEN: "{{ vault_metrics_token }}"
+
+  FORGEJO__actions__ENABLED: true
+
+  FORGEJO__storage__STORAGE_TYPE: minio
+  FORGEJO__storage__MINIO_ENDPOINT: s3.serguzim.me
+  FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ vault_forgejo.minio.access_key_id }}"
+  FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ vault_forgejo.minio.secret_access_key }}"
+  FORGEJO__storage__MINIO_BUCKET: forgejo
+  FORGEJO__storage__MINIO_LOCATION: de-contabo-1
+  FORGEJO__storage__MINIO_USE_SSL: true
+
+  FORGEJO__other__SHOW_FOOTER_VERSION: true
+  FORGEJO__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
+
+forgejo_compose:
+  watchtower: true
+  image: codeberg.org/forgejo/forgejo:1.21
+  volumes:
+    - data:/data
+    - /etc/timezone:/etc/timezone:ro
+    - /etc/localtime:/etc/localtime:ro
+  file:
+    services:
+      app:
+        ports:
+          - "{{ svc.ssh_port }}:{{ svc.ssh_port }}"
+          - "{{ svc.ssh_port_alt }}:{{ svc.ssh_port }}"
+    volumes:
+      data:
--- a/roles/forgejo_runner/files/config.yml
+++ b/roles/forgejo_runner/files/config.yml
@ -0,0 +1,81 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: /data/.runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 1
+  # Extra environment variables to run jobs.
+  #envs:
+  #  A_TEST_ENV_NAME_1: a_test_env_value_1
+  #  A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  #env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Forgejo instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Forgejo instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Forgejo instance.
+  insecure: false
+  # The timeout for fetching the job from the Forgejo instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Forgejo instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: []
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, create a network automatically.
+  network: ""
+  # Whether to create networks with IPv6 enabled. Requires the Docker daemon to be set up accordingly.
+  # Only takes effect if "network" is set to "".
+  enable_ipv6: false
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.forgejo.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:
--- a/roles/forgejo_runner/tasks/main.yml
+++ b/roles/forgejo_runner/tasks/main.yml
@ -0,0 +1,42 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ forgejo_runner_svc }}"
+    env: "{{ forgejo_runner_env }}"
+    compose: "{{ forgejo_runner_compose }}"
+  block:
+    - name: Import tasks to create service directory
+      ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
+    - name: Import tasks to template docker compose file
+      ansible.builtin.import_tasks: tasks/steps/template-docker-compose.yml
+
+    - name: Copy the config
+      ansible.builtin.copy:
+        src: config.yml
+        dest: "{{ (service_path, 'config.yml') | path_join }}"
+        mode: "0755"
+
+    - name: Check if service.env already exists
+      ansible.builtin.stat:
+        path: "{{ (service_path, 'service.env') | path_join }}"
+      register: env_file
+
+    - name: Import tasks to prompt for the registration token
+      ansible.builtin.import_tasks: tasks/prompt-registration-token.yml
+      when: not env_file.stat.exists or force_forgejo_runner_registration | default(False)
+
+    - name: Import tasks create a service.env file
+      ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
+
+    - name: Register runner
+      ansible.builtin.command:
+        cmd: docker compose run --rm -it app sh -c
+          'forgejo-runner register --no-interactive --token ${FORGEJO_RUNNER_REGISTRATION_TOKEN} --instance ${FORGEJO_INSTANCE_URL}'
+        chdir: "{{ service_path }}"
+      when: not env_file.stat.exists or force_forgejo_runner_registration | default(False)
+      changed_when: true # "when" checks enough. We are sure to change something here.
--- a/roles/forgejo_runner/tasks/prompt-registration-token.yml
+++ b/roles/forgejo_runner/tasks/prompt-registration-token.yml
@ -0,0 +1,10 @@
+---
+- name: Input forgejo-runner registration token
+  ansible.builtin.pause:
+    prompt: Enter a secret
+    echo: false
+  register: promt_registration_token
+
+- name: Put registration token into env vars
+  ansible.builtin.set_fact:
+    forgejo_runner_env: "{{ forgejo_runner_env | combine({'FORGEJO_RUNNER_REGISTRATION_TOKEN': promt_registration_token.user_input}, recursive=True) }}"
--- a/roles/forgejo_runner/vars/main.yml
+++ b/roles/forgejo_runner/vars/main.yml
@ -0,0 +1,32 @@
+---
+forgejo_runner_svc:
+  name: forgejo-runner
+
+forgejo_runner_env:
+  FORGEJO_INSTANCE_URL: https://git.serguzim.me/
+  FORGEJO_RUNNER_REGISTRATION_TOKEN:
+  DOCKER_HOST: tcp://docker-in-docker:2375
+
+forgejo_runner_compose:
+  watchtower: true
+  image: code.forgejo.org/forgejo/runner:3.3.0
+  volumes:
+    - ./config.yml:/config/config.yml
+    - data:/data
+  file:
+    services:
+      app:
+        hostname: "{{ ansible_facts.hostname }}"
+        command: forgejo-runner --config /config/config.yml daemon
+        depends_on:
+          - docker-in-docker
+        links:
+          - docker-in-docker
+      docker-in-docker:
+        image: docker:dind
+        privileged: true
+        command: dockerd -H tcp://0.0.0.0:2375 --tls=false
+        networks:
+          default:
+    volumes:
+      data:
--- a/roles/harbor/tasks/main.yml
+++ b/roles/harbor/tasks/main.yml
@ -0,0 +1,44 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ harbor_svc }}"
+    env: "{{ harbor_env }}"
+    yml: "{{ harbor_yml }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Import tasks to template the site for the reverse proxy
+      ansible.builtin.import_tasks: tasks/steps/template-site-config.yml
+
+    - name: Template config
+      ansible.builtin.template:
+        src: service.yml.j2
+        dest: "{{ (service_path, 'harbor.yml') | path_join }}"
+        mode: "0644"
+
+    - name: Download harbor
+      ansible.builtin.unarchive:
+        src: https://github.com/goharbor/harbor/releases/download/v{{ svc.harbor_version }}/harbor-online-installer-v{{ svc.harbor_version }}.tgz
+        dest: "{{ service_path }}"
+        remote_src: true
+
+    - name: Run the harbor prepare command
+      ansible.builtin.command:
+        cmd: "{{ service_path }}/harbor/prepare"
+        chdir: "{{ service_path }}"
+        creates: "{{ (service_path, 'docker-compose.yml') | path_join }}"
+      environment:
+        HARBOR_BUNDLE_DIR: "{{ service_path }}"
+
+    - name: Run the harbor install command
+      ansible.builtin.command:
+        cmd: "{{ service_path }}/harbor/install.sh"
+        chdir: "{{ service_path }}"
+      environment:
+        HARBOR_BUNDLE_DIR: "{{ service_path }}"
+      become: true
+      changed_when: true # TODO find way to recognize need to run install command
--- a/roles/harbor/vars/main.yml
+++ b/roles/harbor/vars/main.yml
@ -0,0 +1,103 @@
+---
+harbor_port_http: 20080
+harbor_port_https: 20443
+harbor_port_metrics: 29000
+
+harbor_db_host: "{{ postgres.host }}"
+harbor_db_port: "{{ postgres.port }}"
+harbor_db_database: harbor
+harbor_db_user: "{{ vault_harbor.db.user }}"
+harbor_db_pass: "{{ vault_harbor.db.pass }}"
+harbor_version: 2.9.0
+
+harbor_svc:
+  name: harbor
+  domain: registry.serguzim.me
+  caddy_extra: |
+    reverse_proxy /metrics host.docker.internal:{{ harbor_port_metrics }}
+    reverse_proxy host.docker.internal:{{ harbor_port_https }} {
+        transport http {
+            tls
+            tls_server_name registry.serguzim.me
+        }
+    }
+  caddy_default: false
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    database: harbor
+    user: "{{ vault_harbor.db.user }}"
+    pass: "{{ vault_harbor.db.pass }}"
+  harbor_version: 2.9.0
+
+harbor_yml:
+  hostname: "{{ harbor_svc.domain }}"
+  http:
+    port: "{{ harbor_port_http }}"
+  https:
+    port: "{{ harbor_port_https }}"
+    certificate: /opt/services/.lego/certificates/registry.serguzim.me.crt # TODO
+    private_key: /opt/services/.lego/certificates/registry.serguzim.me.key # TODO
+  external_url: https://registry.serguzim.me
+  harbor_admin_password: "{{ vault_harbor.admin_password }}"
+  data_volume: "{{ (service_path, 'data') | path_join }}"
+  storage_service:
+    s3:
+      accesskey: "{{ vault_harbor.minio.accesskey }}"
+      secretkey: "{{ vault_harbor.minio.secretkey }}"
+      region: de-contabo-1
+      regionendpoint: https://s3.serguzim.me
+      bucket: registry
+      secure: true
+  trivy:
+    ignore_unfixed: false
+    skip_update: false
+    offline_scan: false
+    security_check: vuln
+    insecure: false
+  jobservice:
+    max_job_workers: 10
+    job_loggers:
+      - STD_OUTPUT
+      - FILE
+    logger_sweeper_duration: 1
+  notification:
+    webhook_job_max_retry: 3
+    webhook_job_http_client_timeout: 3
+  log:
+    level: info
+    local:
+      rotate_count: 50
+      rotate_size: 200M
+      location: /var/log/harbor
+  _version: "{{ harbor_version }}"
+  external_database:
+    harbor:
+      host: "{{ harbor_db_host }}"
+      port: "{{ harbor_db_port }}"
+      db_name: "{{ harbor_db_database }}"
+      username: "{{ harbor_db_user }}"
+      password: "{{ harbor_db_pass }}"
+      ssl_mode: verify-full
+      max_idle_conns: 2
+      max_open_conns: 0
+  proxy:
+    http_proxy:
+    https_proxy:
+    no_proxy:
+    components:
+      - core
+      - jobservice
+      - trivy
+  metric:
+    enabled: enabled
+    port: "{{ harbor_port_metrics }}"
+    path: /metrics
+  upload_purging:
+    enabled: true
+    age: 168h
+    interval: 24h
+    dryrun: false
+  cache:
+    enabled: false
+    expire_hours: 24
--- a/roles/healthcheck/files/Dockerfile
+++ b/roles/healthcheck/files/Dockerfile
@ -0,0 +1,7 @@
+FROM ubuntu
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt update -y \
+	&& apt install -y curl dnsutils msmtp gettext-base python3-pip python3-requests \
+	&& pip install matrix-nio
--- a/roles/healthcheck/files/data/http
+++ b/roles/healthcheck/files/data/http
@ -0,0 +1,54 @@
+#!/usr/bin/sh
+
+cd /opt/ || exit
+
+hc_url="https://hc-ping.com/$HTTP_HC_UID"
+services_down=""
+error=""
+
+alias curl_hc='curl -LA "$USER_AGENT" --retry 3'
+
+check_url ()
+{
+	url="https://$1$2"
+    printf "checking url %s ." "$url"
+    dig A "$1" >/dev/null
+	printf "."
+	result=$(curl -LsSfv --retry 3 "$url" 2>&1)
+	code="$?"
+	printf ".\n"
+	#shellcheck disable=SC2181
+	if [ "$code" = "0" ]
+    then
+		echo "... good"
+	else
+		services_down=$(printf "%s\n%s" "$services_down" "$1")
+		error=$(printf "%s\n==========\n%s:\n%s" "$error" "$1" "$result")
+		echo "... bad"
+    fi
+}
+
+check_url "acme.serguzim.me" "/health"
+check_url "analytics.serguzim.me"
+check_url "auth.serguzim.me"
+check_url "ci.serguzim.me"
+#check_url "cloud.serguzim.me" "/login?noredir=1"
+check_url "git.serguzim.me"
+check_url "hook.serguzim.me"
+check_url "mail.serguzim.me"
+#check_url "msrg.cc" # disabled because it keeps creating false alerts
+check_url "registry.serguzim.me" "/account/sign-in"
+check_url "rss.serguzim.me"
+#check_url "serguzim.me" # disabled because it keeps creating false alerts
+check_url "status.serguzim.me" "/status/serguzim-net"
+check_url "tick.serguzim.me"
+check_url "wiki.serguzim.me"
+check_url "www.reitanlage-oranienburg.de"
+
+if [ "$error" = "" ]
+then
+    curl_hc "$hc_url" >/dev/null
+	echo "ALL GOOD"
+else
+	curl_hc --data-raw "$services_down$error" "$hc_url/fail" >/dev/null
+fi
--- a/roles/healthcheck/files/data/mail
+++ b/roles/healthcheck/files/data/mail
@ -0,0 +1,17 @@
+#!/usr/bin/sh
+
+cd /opt/ || exit
+
+hc_url="https://hc-ping.com/$MAIL_HC_UID"
+
+alias curl_hc='curl -LA "$USER_AGENT" --retry 3'
+
+envsubst < template.msmtprc > /tmp/msmtprc
+envsubst < mailcheck.template.mail > /tmp/mailcheck.mail
+
+result=$(msmtp -C /tmp/msmtprc -a default "$MAIL_HC_UID@hc-ping.com" < /tmp/mailcheck.mail 2>&1)
+if [ "$?" != "0" ]
+then
+	echo "$result"
+	curl_hc --data-raw "$result" "$hc_url/fail" >/dev/null
+fi
--- a/roles/healthcheck/files/data/mailcheck.template.mail
+++ b/roles/healthcheck/files/data/mailcheck.template.mail
@ -0,0 +1,5 @@
+To: ${MAIL_HC_UID}@hc-ping.com
+From: ${MAIL_USER}
+Subject: Healthcheck
+
+Mailserver alive
--- a/roles/healthcheck/files/data/matrix
+++ b/roles/healthcheck/files/data/matrix
@ -0,0 +1,54 @@
+#!/usr/bin/python3
+
+import datetime
+import os
+import requests
+import sys
+
+import asyncio
+from nio import AsyncClient, RoomMessageNotice
+
+healthcheck_url = "https://hc-ping.com/" + os.environ['MATRIX_HC_UID']
+
+def send_ping(success, msg=""):
+    url = healthcheck_url
+    if not success:
+        url += "/fail"
+
+    requests.get(url, data=msg, headers={'user-agent': os.environ['USER_AGENT']})
+
+async def main():
+    try:
+        client = AsyncClient(os.environ['MATRIX_SERVER'])
+        client.access_token = os.environ['MATRIX_TOKEN']
+        client.device_id = os.environ['USER_AGENT']
+        await client.room_send(
+            room_id = os.environ['MATRIX_ROOM'],
+            message_type = "m.room.message",
+            content = {
+                "msgtype": "m.text",
+                "body": "!ping"
+            }
+        )
+    except Exception as e:
+        print(e)
+
+        print("exception during login or sending")
+        send_ping(False)
+        sys.exit(1)
+    await client.close()
+
+    url = "https://federationtester.matrix.org/api/report?server_name=" \
+        + os.environ['MATRIX_SERVER_FEDTESTER']
+    resp = requests.get(url)
+    data = resp.json() # Check the JSON Response Content documentation below
+    if data["FederationOK"] != True:
+        send_ping(False)
+        sys.exit(1)
+
+    send_ping(True)
+    sys.exit(0)
+
+
+
+asyncio.new_event_loop().run_until_complete(main())
--- a/roles/healthcheck/files/data/template.msmtprc
+++ b/roles/healthcheck/files/data/template.msmtprc
@ -0,0 +1,13 @@
+defaults
+auth on
+tls on
+tls_trust_file /etc/ssl/certs/ca-certificates.crt
+logfile /tmp/msmtp.log
+
+account default
+host ${MAIL_HOST}
+port ${MAIL_PORT}
+tls_starttls on
+from ${MAIL_USER}
+user ${MAIL_USER}
+password ${MAIL_PASS}
--- a/roles/healthcheck/files/docker-compose.yml
+++ b/roles/healthcheck/files/docker-compose.yml
@ -0,0 +1,24 @@
+version: "3.7"
+
+x-common-elements:
+  &common-elements
+  build:
+    context: .
+  image: healthcheck
+  restart: never
+  env_file:
+    - service.env
+  volumes:
+    - ./data/:/opt
+  network_mode: host
+
+services:
+  http:
+    <<: *common-elements
+    command: "/opt/http"
+  matrix:
+    <<: *common-elements
+    command: "/opt/matrix"
+  mail:
+    <<: *common-elements
+    command: "/opt/mail"
--- a/roles/healthcheck/files/healthcheck@.service
+++ b/roles/healthcheck/files/healthcheck@.service
@ -0,0 +1,4 @@
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/docker compose run --rm %i
+WorkingDirectory={{ service_path }}
--- a/roles/healthcheck/files/healthcheck@.timer
+++ b/roles/healthcheck/files/healthcheck@.timer
@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=*:0/5
+[Install]
+WantedBy=timers.target
--- a/roles/healthcheck/tasks/main.yml
+++ b/roles/healthcheck/tasks/main.yml
@ -0,0 +1,61 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ healthcheck_svc }}"
+    env: "{{ healthcheck_env }}"
+    compose: "{{ healthcheck_compose }}"
+  block:
+    - name: Import tasks to create service directory
+      ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
+
+    - name: Copy the docker-compose file
+      ansible.builtin.copy:
+        src: docker-compose.yml
+        dest: "{{ (service_path, 'docker-compose.yml') | path_join }}"
+        mode: "0644"
+    - name: Copy the Dockerfile
+      ansible.builtin.copy:
+        src: Dockerfile
+        dest: "{{ (service_path, 'Dockerfile') | path_join }}"
+        mode: "0644"
+    - name: Copy the data files
+      ansible.builtin.copy:
+        src: data
+        dest: "{{ service_path }}"
+        mode: "0755"
+
+    - name: Copy the system service
+      ansible.builtin.copy:
+        src: healthcheck@.service
+        dest: /etc/systemd/system/healthcheck@.service
+        mode: "0644"
+      become: true
+    - name: Copy the system timer
+      ansible.builtin.copy:
+        src: healthcheck@.timer
+        dest: /etc/systemd/system/healthcheck@.timer
+        mode: "0644"
+      become: true
+    - name: Enable the system timer
+      ansible.builtin.systemd_service:
+        name: healthcheck@{{ item }}.timer
+        state: started
+        enabled: true
+        daemon_reload: true
+      loop: "{{ healthcheck_svc.checks }}"
+      become: true
+
+    - name: Import tasks create a service.env file
+      ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
+
+    - name: Build service
+      ansible.builtin.command:
+        cmd: docker compose build --pull
+        chdir: "{{ service_path }}"
+      when:
+        - "'local-dev' != inventory_hostname"
+      register: cmd_result
+      changed_when: true
--- a/roles/healthcheck/vars/main.yml
+++ b/roles/healthcheck/vars/main.yml
@ -0,0 +1,24 @@
+---
+healthcheck_svc:
+  name: healthcheck
+  checks:
+    - http
+    - mail
+    - matrix
+
+healthcheck_env:
+  USER_AGENT: healthcheck-bot for serguzim.net
+
+  HTTP_HC_UID: "{{ vault_healthcheck.hc_uid.http }}"
+
+  MATRIX_SERVER: https://matrix.msrg.cc
+  MATRIX_SERVER_FEDTESTER: msrg.cc
+  MATRIX_HC_UID: "{{ vault_healthcheck.hc_uid.matrix }}"
+  MATRIX_TOKEN: "{{ vault_healthcheck.matrix.token }}"
+  MATRIX_ROOM: "{{ vault_healthcheck.matrix.room }}"
+
+  MAIL_HC_UID: "{{ vault_healthcheck.hc_uid.mail }}"
+  MAIL_HOST: "{{ mailer.host }}"
+  MAIL_PORT: "{{ mailer.port }}"
+  MAIL_USER: "{{ vault_healthcheck.mailer.user }}"
+  MAIL_PASS: "{{ vault_healthcheck.mailer.pass }}"
--- a/roles/homebox/tasks/main.yml
+++ b/roles/homebox/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ homebox_svc }}"
+    env: "{{ homebox_env }}"
+    compose: "{{ homebox_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/homebox/vars/main.yml
+++ b/roles/homebox/vars/main.yml
@ -0,0 +1,23 @@
+---
+homebox_svc:
+  domain: inventory.serguzim.me
+  name: homebox
+  port: 7745
+
+homebox_env:
+  HBOX_OPTIONS_ALLOW_REGISTRATION: false
+  HBOX_MAILER_HOST: mail.serguzim.me
+  HBOX_MAILER_PORT: 587
+  HBOX_MAILER_USERNAME: inventory@serguzim.me
+  HBOX_MAILER_PASSWORD: "{{ vault_homebox.mailer_passwd }}"
+  HBOX_MAILER_FROM: Homebox <inventory@serguzim.me>
+  HBOX_SWAGGER_SCHEMA: https
+
+homebox_compose:
+  watchtower: true
+  image: ghcr.io/hay-kot/homebox:latest-rootless
+  volumes:
+    - data:/data
+  file:
+    volumes:
+      data:
--- a/roles/influxdb/tasks/main.yml
+++ b/roles/influxdb/tasks/main.yml
@ -0,0 +1,22 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ influxdb_svc }}"
+    env: "{{ influxdb_env }}"
+    compose: "{{ influxdb_compose }}"
+    yml: "{{ influxdb_yml }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Template config
+      ansible.builtin.template:
+        src: service.yml.j2
+        dest: "{{ (service_path, 'influxdb.yml') | path_join }}"
+        mode: "0600"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/influxdb/vars/main.yml
+++ b/roles/influxdb/vars/main.yml
@ -0,0 +1,73 @@
+---
+influxdb_svc:
+  domain: tick.serguzim.me
+  name: influxdb
+  port: 8086
+  data_dir: /var/lib/influxdb2
+
+influxdb_yml:
+  assets-path: ""
+  bolt-path: "{{ (svc.data_dir, 'influxd.bolt') | path_join }}"
+  e2e-testing: false
+  engine-path: "{{ (svc.data_dir, 'engine') | path_join }}"
+  feature-flags: {}
+  http-bind-address: "0.0.0.0:{{ svc.port }}"
+  influxql-max-select-buckets: 0
+  influxql-max-select-point: 0
+  influxql-max-select-series: 0
+  key-name: ""
+  log-level: info
+  nats-max-payload-bytes: 1048576
+  nats-port: 4222
+  no-tasks: false
+  query-concurrency: 10
+  query-initial-memory-bytes: 0
+  query-max-memory-bytes: 0
+  query-memory-bytes: 9223372036854775807
+  query-queue-size: 10
+  reporting-disabled: false
+  secret-store: bolt
+  session-length: 60
+  session-renew-disabled: false
+  storage-cache-max-memory-size: 1073741824
+  storage-cache-snapshot-memory-size: 26214400
+  storage-cache-snapshot-write-cold-duration: 10m0s
+  storage-compact-full-write-cold-duration: 4h0m0s
+  storage-compact-throughput-burst: 50331648
+  storage-max-concurrent-compactions: 0
+  storage-max-index-log-file-size: 1048576
+  storage-retention-check-interval: 30m0s
+  storage-series-file-max-concurrent-snapshot-compactions: 0
+  storage-series-id-set-cache-size: 0
+  storage-shard-precreator-advance-period: 30m0s
+  storage-shard-precreator-check-interval: 10m0s
+  storage-tsm-use-madv-willneed: false
+  storage-validate-keys: false
+  storage-wal-fsync-delay: "0s"
+  store: bolt
+  testing-always-allow-setup: false
+  tls-cert: ""
+  tls-key: ""
+  tls-min-version: "1.2"
+  tls-strict-ciphers: false
+  tracing-type: ""
+  vault-addr: ""
+  vault-cacert: ""
+  vault-capath: ""
+  vault-client-cert: ""
+  vault-client-key: ""
+  vault-client-timeout: "0s"
+  vault-max-retries: 0
+  vault-skip-verify: false
+  vault-tls-server-name: ""
+  vault-token: ""
+
+influxdb_compose:
+  watchtower: false
+  image: influxdb:2.7
+  volumes:
+    - ./influxdb.yml:/etc/influxdb2/config.yml
+    - data:{{ svc.data_dir }}
+  file:
+    volumes:
+      data:
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ jellyfin_svc }}"
+    env: "{{ jellyfin_env }}"
+    compose: "{{ jellyfin_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/jellyfin/vars/main.yml
+++ b/roles/jellyfin/vars/main.yml
@ -0,0 +1,27 @@
+---
+jellyfin_svc:
+  domain: media.serguzim.me
+  name: jellyfin
+  port: 8096
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+
+jellyfin_env:
+  JELLYFIN_PublishedServerUrl: https://{{ svc.domain }}
+
+jellyfin_compose:
+  watchtower: true
+  image: jellyfin/jellyfin
+  volumes:
+    - config:/config
+    - cache:/cache
+    - media:/media
+  file:
+    services:
+      app:
+        user: 8096:8096
+    volumes:
+      config:
+      cache:
+      media:
--- a/roles/mailcow/tasks/main.yml
+++ b/roles/mailcow/tasks/main.yml
@ -0,0 +1,10 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ mailcow_svc }}"
+  block:
+    - name: Import tasks to template the site for the reverse proxy
+      ansible.builtin.import_tasks: tasks/steps/template-site-config.yml
--- a/roles/mailcow/vars/main.yml
+++ b/roles/mailcow/vars/main.yml
@ -0,0 +1,7 @@
+---
+mailcow_svc:
+  name: mailcow
+  domain: mail.serguzim.me
+  docker_host: host.docker.internal
+  port: 3004
+  additional_domains: "{{ ['autodiscover', 'autoconfig'] | product(vault_mailcow.domains) | map('join', '.') }}"
--- a/roles/minecraft_2/tasks/main.yml
+++ b/roles/minecraft_2/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ minecraft_2_svc }}"
+    env: "{{ minecraft_2_env }}"
+    compose: "{{ minecraft_2_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/minecraft_2/vars/main.yml
+++ b/roles/minecraft_2/vars/main.yml
@ -0,0 +1,68 @@
+---
+minecraft_2_svc:
+  name: minecraft-2
+
+minecraft_2_env:
+  ALLOW_FLIGHT: true
+  ALLOW_NETHER: true
+  ANNOUNCE_PLAYER_ACHIEVEMENTS: true
+  BROADCAST_CONSOLE_TO_OPS: true
+  BROADCAST_RCON_TO_OPS: true
+  CONSOLE: false
+  ENABLE_AUTOPAUSE: true
+  ENABLE_COMMAND_BLOCK: true
+  ENABLE_JMX: false
+  ENABLE_RCON: true
+  ENABLE_STATUS: true
+  ENABLE_WHITELIST: true
+  ENFORCE_WHITELIST: true
+  ENTITY_BROADCAST_RANGE_PERCENTAGE: 100
+  EULA: true
+  FORCE_GAMEMODE: false
+  FUNCTION_PERMISSION_LEVEL: 2
+  GENERATE_STRUCTURES: true
+  HARDCORDE: false
+  ICON:
+  LEVEL_TYPE: DEFAULT
+  MAX_BUILD_HEIGHT: 512
+  MAX_MEMORY: 4G
+  MAX_TICK_TIME: -1
+  MAX_PLAYERS: 64
+  MAX_WORLD_SIZE: 30000000
+  MODE: survival
+  MOTD:
+  NETWORK_COMPRESSION_THRESHOLD: 256
+  PVP: true
+  SERVER_NAME: minecraft.serguzim.me
+  SNOOPER_ENABLED: false
+  SPAWN_ANIMALS: true
+  SPAWN_MONSTERS: true
+  SPAWN_NPCS: true
+  SPAWN_PROTECTION: 0
+  SYNC_CHUNK_WRITES: true
+  TYPE: PAPER
+  ONLINE_MODE: true
+  OP_PERMISSION_LEVEL: 4
+  OPS: "{{ vault_minecraft_2.ops }}"
+  OVERRIDE_ICON: true
+  OVERRIDE_SERVER_PROPERTIES: true
+  PLAYER_IDLE_TIMEOUT: 0
+  PREVENT_PROXY_CONNECTIONS: false
+  SEED: "{{ vault_minecraft_2.seed }}"
+  USE_NATIVE_TRANSPORT: true
+  VERSION: LATEST
+  VIEW_DISTANCE: 10
+  WHITELIST: "{{ vault_minecraft_2.whitelist }}"
+
+minecraft_2_compose:
+  watchtower: false
+  image: itzg/minecraft-server
+  volumes:
+    - data:/data
+  file:
+    services:
+      app:
+        ports:
+          - 25565:25565
+    volumes:
+      data:
--- a/roles/minio/tasks/main.yml
+++ b/roles/minio/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ minio_svc }}"
+    env: "{{ minio_env }}"
+    compose: "{{ minio_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/minio/vars/main.yml
+++ b/roles/minio/vars/main.yml
@ -0,0 +1,34 @@
+---
+minio_svc:
+  domain: s3.serguzim.me
+  name: minio
+  port: 9000
+  caddy_extra: |
+    @nocache {
+       query nocache=*
+    }
+    header @nocache "Cache-Control" "no-store, no-cache"
+  extra_svcs:
+    - domain: console.s3.serguzim.me
+      docker_host: minio
+      port: 9001
+
+minio_env:
+  MINIO_SERVER_URL: https://{{ svc.domain }}/
+  MINIO_BROWSER_REDIRECT_URL: https://console.{{ svc.domain }}
+  MINIO_VOLUMES: /data
+
+  MINIO_ROOT_USER: "{{ vault_minio.user }}"
+  MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
+
+minio_compose:
+  watchtower: true
+  image: minio/minio
+  volumes:
+    - data:/data
+  file:
+    services:
+      app:
+        command: server --console-address ":9001"
+    volumes:
+      data:
--- a/roles/reitanlage_oranienburg/tasks/main.yml
+++ b/roles/reitanlage_oranienburg/tasks/main.yml
@ -0,0 +1,26 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ reitanlage_oranienburg_svc }}"
+    compose: "{{ reitanlage_oranienburg_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Get the Dockerfile
+      ansible.builtin.get_url:
+        url: https://raw.githubusercontent.com/getgrav/docker-grav/master/Dockerfile
+        dest: "{{ (service_path, 'Dockerfile') | path_join }}"
+        mode: "0644"
+      register: cmd_result
+
+    - name: Set the docker rebuild flag
+      ansible.builtin.set_fact:
+        docker_rebuild: true
+      when: cmd_result.changed # noqa: no-handler We need to handle the restart per service. Handlers don't support variables.
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/reitanlage_oranienburg/vars/main.yml
+++ b/roles/reitanlage_oranienburg/vars/main.yml
@ -0,0 +1,23 @@
+---
+reitanlage_oranienburg_svc:
+  name: reitanlage-oranienburg
+  domain: reitanlage-oranienburg.de
+  www_domain: true
+  port: 80
+  caddy_extra: |
+    header /images/* Cache-Control "max-age=31536000"
+    header /assets/* Cache-Control "max-age=2629800"
+    header /user/themes/* Cache-Control "max-age=2629800"
+
+reitanlage_oranienburg_compose:
+  watchtower: false
+  image: grav
+  volumes:
+    - data:/var/www/html/
+  file:
+    services:
+      app:
+        build:
+          context: .
+    volumes:
+      data:
--- a/roles/synapse/files/msrg.cc.log.config
+++ b/roles/synapse/files/msrg.cc.log.config
@ -0,0 +1,22 @@
+version: 1
+
+formatters:
+  precise:
+   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+    handlers: [console]
+
+disable_existing_loggers: false
--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
@ -0,0 +1,44 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ synapse_svc }}"
+    env: "{{ synapse_env }}"
+    compose: "{{ synapse_compose }}"
+    yml: "{{ synapse_yml }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Set synapse config path
+      ansible.builtin.set_fact:
+        config_path: "{{ (service_path, svc.config_path) | path_join }}"
+
+    - name: Create config directory
+      ansible.builtin.file:
+        path: "{{ config_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Template config
+      ansible.builtin.template:
+        src: service.yml.j2
+        dest: "{{ (config_path, 'homeserver.yaml') | path_join }}"
+        mode: "0644"
+
+    - name: Copy the log config
+      ansible.builtin.copy:
+        src: msrg.cc.log.config
+        dest: "{{ (config_path, 'msrg.cc.log.config') | path_join }}"
+        mode: "0644"
+
+    - name: Copy the signing key
+      ansible.builtin.copy:
+        content: "{{ vault_synapse.signing_key }}"
+        dest: "{{ (config_path, 'msrg.cc.signing.key') | path_join }}"
+        mode: "0644"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/synapse/vars/main.yml
+++ b/roles/synapse/vars/main.yml
@ -0,0 +1,125 @@
+---
+synapse_svc:
+  name: synapse
+  domain: matrix.msrg.cc
+  docker_host: synapse-admin
+  port: 80
+  caddy_extra: |
+    handle /_matrix/* {
+        reverse_proxy synapse:8008
+    }
+    handle /_synapse/* {
+        reverse_proxy synapse:8008
+    }
+  extra_svcs:
+    - domain: msrg.cc:8008
+      additional_domains:
+        - matrix.msrg.cc:8448
+        - matrix.msrg.cc:8008
+        - msrg.cc:8448
+      docker_host: synapse
+      port: 8008
+  db:
+    host: "{{ postgres.host }}"
+    database: synapse
+    user: "{{ vault_synapse.db.user }}"
+    pass: "{{ vault_synapse.db.pass }}"
+  config_path: config
+
+synapse_env:
+  SYNAPSE_CONFIG_PATH: "{{ ('/', svc.config_path) | path_join }}"
+  REACT_APP_SERVER: https://matrix.msrg.cc
+
+synapse_yml:
+  server_name: msrg.cc
+  pid_file: "{{ (svc.config_path, 'homeserver.pid') | path_join }}"
+  public_baseurl: https://matrix.msrg.cc/
+  allow_public_rooms_without_auth: true
+  allow_public_rooms_over_federation: true
+
+  listeners:
+    - port: 8008
+      tls: false
+      type: http
+      x_forwarded: true
+      resources:
+        - names:
+            - client
+            - federation
+            - metrics
+          compress: false
+
+  admin_contact: mailto:{{ admin_email }}
+
+  acme:
+    enabled: false
+
+  database:
+    name: psycopg2
+    args:
+      user: "{{ svc.db.user }}"
+      password: "{{ svc.db.pass }}"
+      database: "{{ svc.db.database }}"
+      host: "{{ svc.db.host }}"
+      cp_min: 5
+      cp_max: 10
+
+  log_config: "{{ (svc.config_path, 'msrg.cc.log.config') | path_join }}"
+  media_store_path: /media_store
+  max_upload_size: 500M
+  enable_registration: false
+  enable_metrics: true
+  report_stats: true
+
+  macaroon_secret_key: "{{ vault_synapse.macaroon_secret_key }}"
+  form_secret: "{{ vault_synapse.form_secret }}"
+  signing_key_path: "{{ (svc.config_path, 'msrg.cc.signing.key') | path_join }}"
+
+  trusted_key_servers:
+    - server_name: matrix.org
+  suppress_key_server_warning: true
+
+  oidc_providers:
+    - idp_id: auth_serguzim_me
+      idp_name: auth.serguzim.me
+      issuer: https://auth.serguzim.me/application/o/matrix_serguzim_me/
+      client_id: "{{ vault_synapse.oidc_client.id }}"
+      client_secret: "{{ vault_synapse.oidc_client.secret }}"
+      scopes:
+        - openid
+        - profile
+        - email
+      user_mapping_provider:
+        config:
+          localpart_template: "{{ '{{ user.preferred_username }}' }}"
+          display_name_template: "{{ '{{ user.name }}' }}"
+
+  email:
+    smtp_host: mail.serguzim.me
+    smtp_port: 587
+    smtp_user: matrix@serguzim.me
+    smtp_pass: "{{ vault_synapse.mail.pass }}"
+    require_transport_security: true
+    notif_from: Matrix <matrix@serguzim.me>
+
+synapse_compose:
+  watchtower: true
+  image: ghcr.io/element-hq/synapse:latest
+  volumes:
+    - ./config:/config
+    - media_store:/media_store
+  file:
+    services:
+      synapse-admin:
+        image: awesometechnologies/synapse-admin
+        restart: always
+        labels:
+          com.centurylinklabs.watchtower.enable: true
+        env_file:
+          - service.env
+        networks:
+          apps:
+            aliases:
+              - synapse-admin
+    volumes:
+      media_store:
--- a/roles/tandoor/tasks/main.yml
+++ b/roles/tandoor/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ tandoor_svc }}"
+    env: "{{ tandoor_env }}"
+    compose: "{{ tandoor_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/tandoor/vars/main.yml
+++ b/roles/tandoor/vars/main.yml
@ -0,0 +1,63 @@
+---
+tandoor_svc:
+  domain: recipes.serguzim.me
+  name: tandoor
+  port: 80
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    database: tandoor
+    user: "{{ vault_tandoor.db.user }}"
+    pass: "{{ vault_tandoor.db.pass }}"
+
+tandoor_env:
+  DEBUG: 0
+  SQL_DEBUG: 0
+
+  ALLOWED_HOSTS: recipes.serguzim.me
+  SECRET_KEY: "{{ vault_tandoor.secret_key }}"
+  TZ: "{{ timezone }}"
+
+  DB_ENGINE: django.db.backends.postgresql
+  DB_OPTIONS: '{"sslmode": "require"}'
+  POSTGRES_HOST: "{{ svc.db.host }}"
+  POSTGRES_PORT: "{{ svc.db.port }}"
+  POSTGRES_DB: "{{ svc.db.database }}"
+  POSTGRES_USER: "{{ svc.db.user }}"
+  POSTGRES_PASSWORD: "{{ svc.db.pass }}"
+
+  SHOPPING_MIN_AUTOSYNC_INTERVAL: 5
+
+  ENABLE_SIGNUP: 0
+  ENABLE_METRICS: 1
+  ENABLE_PDF_EXPORT: 1
+
+  SOCIAL_DEFAULT_ACCESS: 1
+  SOCIAL_DEFAULT_GROUP: guest
+
+tandoor_compose:
+  watchtower: true
+  image: nginx:mainline-alpine
+  volumes:
+    - nginx_config:/etc/nginx/conf.d:ro
+    - staticfiles:/static
+    - mediafiles:/media
+  file:
+    services:
+      web_recipes:
+        image: vabene1111/recipes
+        restart: always
+        labels:
+          com.centurylinklabs.watchtower.enable: true
+        env_file:
+          - service.env
+        volumes:
+          - staticfiles:/opt/recipes/staticfiles
+          - nginx_config:/opt/recipes/nginx/conf.d
+          - mediafiles:/opt/recipes/mediafiles
+        networks:
+          default:
+    volumes:
+      nginx_config:
+      staticfiles:
+      mediafiles:
--- a/roles/telegraf/tasks/main.yml
+++ b/roles/telegraf/tasks/main.yml
@ -0,0 +1,27 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ telegraf_svc }}"
+    env: "{{ telegraf_env }}"
+    compose: "{{ telegraf_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Template config
+      ansible.builtin.template:
+        src: telegraf.conf.j2
+        dest: "{{ (service_path, 'telegraf.conf') | path_join }}"
+        mode: "0664"
+      register: cmd_result
+
+    - name: Set the docker force-recreate flag
+      ansible.builtin.set_fact:
+        docker_force_recreate: --force-recreate
+      when: cmd_result.changed # noqa: no-handler We need to handle the restart per service. Handlers don't support variables.
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/telegraf/templates/telegraf.conf.j2
+++ b/roles/telegraf/templates/telegraf.conf.j2
@ -0,0 +1,40 @@
+[agent]
+  interval = "60s"
+  round_interval = true
+  metric_batch_size = 1000
+  metric_buffer_limit = 10000
+  collection_jitter = "0s"
+  flush_interval = "10s"
+  flush_jitter = "0s"
+  precision = ""
+  hostname = "node002.serguzim.me"
+  omit_hostname = false
+
+[[outputs.influxdb_v2]]
+  urls = ["{{ svc.influxdb.url }}"]
+  token = "{{ svc.influxdb.token }}"
+  organization = "{{ svc.influxdb.organization }}"
+  bucket = "{{ svc.influxdb.bucket }}"
+
+[[inputs.prometheus]]
+  urls = [
+  {%- for url in svc.prometheus.urls -%}
+    "{{ url }}",
+  {%- endfor -%}
+  ]
+
+  bearer_token_string = "{{ svc.prometheus.bearer_token }}"
+
+[[inputs.postgresql]]
+  address = "postgres://{{ svc.postgresql.user }}:{{ svc.postgresql.pass }}@{{ svc.postgresql.host }}:{{ svc.postgresql.port }}/{{ svc.postgresql.database }}?sslmode=verify-full"
+  ignored_databases = ["postgres", "template0", "template1"]
+  prepared_statements = true
+
+[[inputs.docker_log]]
+  endpoint = "{{ svc.docker_log.endpoint }}"
+
+  docker_label_include = [
+    "com.influxdata.telegraf.enable"
+  ]
+
+  source_tag = {{ svc.docker_log.source_tag|lower }}
--- a/roles/telegraf/vars/main.yml
+++ b/roles/telegraf/vars/main.yml
@ -0,0 +1,39 @@
+---
+telegraf_svc:
+  name: telegraf
+  influxdb:
+    url: https://tick.serguzim.me
+    token: "{{ vault_telegraf.influxdb_token }}"
+    organization: serguzim.net
+    bucket: metrics
+  prometheus:
+    urls:
+      - https://ci.serguzim.me/metrics
+      - https://git.serguzim.me/metrics
+      - https://matrix.msrg.cc/_synapse/metrics
+      - https://tick.serguzim.me/metrics
+    bearer_token: "{{ vault_metrics_token }}"
+  postgresql:
+    user: "{{ vault_telegraf.db.user }}"
+    pass: "{{ vault_telegraf.db.pass }}"
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    database: telegraf
+  docker_log:
+    endpoint: unix:///var/run/docker.sock
+    source_tag: false
+
+telegraf_compose:
+  watchtower: false
+  image: telegraf:1.28
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+    - ./telegraf.conf:/etc/telegraf/telegraf.conf:ro
+  file:
+    services:
+      app:
+        user: telegraf
+        group_add:
+          - "972" # docker group on host
+    volumes:
+      data:
--- a/roles/tinytinyrss/files/nginx.conf
+++ b/roles/tinytinyrss/files/nginx.conf
@ -0,0 +1,61 @@
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+	include /etc/nginx/mime.types;
+	default_type  application/octet-stream;
+
+	access_log /dev/stdout;
+	error_log /dev/stderr warn;
+
+	sendfile on;
+
+	index index.php;
+
+	upstream app {
+		server tt-rss:9000;
+	}
+
+	server {
+		listen 80;
+		listen [::]:80;
+
+		root /var/www/html;
+
+		location /tt-rss/cache {
+			aio threads;
+			internal;
+		}
+
+		location /tt-rss/backups {
+			internal;
+		}
+
+		location ~ \.php$ {
+			# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+			fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+			# Check that the PHP script exists before passing it
+			try_files $fastcgi_script_name =404;
+
+			# Bypass the fact that try_files resets $fastcgi_path_info
+			# see: http://trac.nginx.org/nginx/ticket/321
+			set $path_info $fastcgi_path_info;
+			fastcgi_param PATH_INFO $path_info;
+
+			fastcgi_index index.php;
+			include fastcgi.conf;
+
+			fastcgi_pass app;
+		}
+
+		location / {
+			try_files $uri $uri/ =404;
+		}
+
+	}
+}
--- a/roles/tinytinyrss/tasks/main.yml
+++ b/roles/tinytinyrss/tasks/main.yml
@ -0,0 +1,21 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ tinytinyrss_svc }}"
+    env: "{{ tinytinyrss_env }}"
+    compose: "{{ tinytinyrss_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Copy the nginx-config
+      ansible.builtin.copy:
+        src: nginx.conf
+        dest: "{{ (service_path, 'nginx.conf') | path_join }}"
+        mode: "0644"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/tinytinyrss/vars/main.yml
+++ b/roles/tinytinyrss/vars/main.yml
@ -0,0 +1,55 @@
+---
+tinytinyrss_svc:
+  domain: rss.serguzim.me
+  name: tinytinyrss
+  port: 80
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    database: tinytinyrss
+    user: "{{ vault_tinytinyrss.db.user }}"
+    pass: "{{ vault_tinytinyrss.db.pass }}"
+
+tinytinyrss_env:
+  TTRSS_DB_TYPE: pgsql
+  TTRSS_DB_HOST: "{{ svc.db.host }}"
+  TTRSS_DB_NAME: "{{ svc.db.database }}"
+  TTRSS_DB_USER: "{{ svc.db.user }}"
+  TTRSS_DB_PASS: "{{ svc.db.pass }}"
+
+  TTRSS_SELF_URL_PATH: https://{{ svc.domain }}/tt-rss/
+
+tinytinyrss_compose:
+  watchtower: false
+  image: cthulhoo/ttrss-web-nginx
+  volumes:
+    - app:/var/www/html:ro
+    - ./nginx.conf:/etc/nginx/nginx.conf
+  file:
+    services:
+      app:
+        depends_on:
+          - tt-rss
+      tt-rss:
+        image: cthulhoo/ttrss-fpm-pgsql-static
+        restart: always
+        env_file:
+          - service.env
+        volumes:
+          - app:/var/www/html
+        networks:
+          default:
+      updater:
+        image: cthulhoo/ttrss-fpm-pgsql-static
+        restart: always
+        env_file:
+          - service.env
+        volumes:
+          - app:/var/www/html
+        depends_on:
+          - tt-rss
+        command: /opt/tt-rss/updater.sh
+        networks:
+          default:
+    volumes:
+      app:
--- a/roles/umami/tasks/main.yml
+++ b/roles/umami/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ umami_svc }}"
+    env: "{{ umami_env }}"
+    compose: "{{ umami_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/umami/vars/main.yml
+++ b/roles/umami/vars/main.yml
@ -0,0 +1,24 @@
+---
+umami_db_host: "{{ postgres.host }}"
+umami_db_user: "{{ vault_umami.db.user }}"
+umami_db_pass: "{{ vault_umami.db.pass }}"
+umami_db_database: umami
+
+umami_hash_salt: "{{ vault_umami.hash_salt }}"
+
+umami_docker_image: docker.umami.dev/umami-software/umami:postgresql-latest
+
+umami_svc:
+  domain: analytics.serguzim.me
+  name: umami
+  port: 3000
+
+umami_env:
+  DATABASE_URL: postgres://{{ umami_db_user }}:{{ umami_db_pass }}@{{ umami_db_host }}/{{ umami_db_database }}
+  DATABASE_TYPE: postgresql
+  FORCE_SSL: 1
+  HASH_SALT: "{{ umami_hash_salt }}"
+
+umami_compose:
+  watchtower: true
+  image: "{{ umami_docker_image }}"
--- a/roles/uptime_kuma/tasks/main.yml
+++ b/roles/uptime_kuma/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ uptime_kuma_svc }}"
+    env: "{{ uptime_kuma_env }}"
+    compose: "{{ uptime_kuma_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/uptime_kuma/vars/main.yml
+++ b/roles/uptime_kuma/vars/main.yml
@ -0,0 +1,16 @@
+---
+uptime_kuma_svc:
+  domain: status.serguzim.me
+  additional_domains:
+    - status.serguzim.net
+  name: uptime-kuma
+  port: 3001
+
+uptime_kuma_compose:
+  watchtower: true
+  image: louislam/uptime-kuma:1
+  volumes:
+    - data:/app/data
+  file:
+    volumes:
+      data:
--- a/roles/watchtower/files/run-once.sh
+++ b/roles/watchtower/files/run-once.sh
@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+
+docker compose run -e WATCHTOWER_RUN_ONCE=true -e WATCHTOWER_NOTIFICATIONS= watchtower
--- a/roles/watchtower/tasks/main.yml
+++ b/roles/watchtower/tasks/main.yml
@ -0,0 +1,18 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ watchtower_svc }}"
+    env: "{{ watchtower_env }}"
+    compose: "{{ watchtower_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
+
+    - name: Copy the run-once script
+      ansible.builtin.copy:
+        src: run-once.sh
+        dest: "{{ (service_path, 'run-once.sh') | path_join }}"
+        mode: "0755"
--- a/roles/watchtower/vars/main.yml
+++ b/roles/watchtower/vars/main.yml
@ -0,0 +1,27 @@
+---
+watchtower_svc:
+  name: watchtower
+
+watchtower_env:
+  WATCHTOWER_LABEL_ENABLE: true
+  WATCHTOWER_CLEANUP: true
+  WATCHTOWER_SCHEDULE: "0 27 20 * * *"
+
+  WATCHTOWER_NOTIFICATIONS: email
+  WATCHTOWER_NOTIFICATION_EMAIL_FROM: "{{ svc.name }}@serguzim.me"
+  WATCHTOWER_NOTIFICATION_EMAIL_TO: "{{ admin_email }}"
+  WATCHTOWER_NOTIFICATION_EMAIL_SERVER: "{{ mailer.host }}"
+  WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT: "{{ mailer.port }}"
+  WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER: "{{ svc.name }}@serguzim.me"
+  WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD: "{{ vault_watchtower.mailer.pass }}"
+  WATCHTOWER_NOTIFICATION_EMAIL_DELAY: 5
+
+watchtower_compose:
+  watchtower: false
+  image: containrrr/watchtower
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+  file:
+    services:
+      app:
+        hostname: "{{ ansible_facts.hostname }}"
--- a/roles/webdis/files/webdis.json
+++ b/roles/webdis/files/webdis.json
@ -0,0 +1,31 @@
+{
+    "redis_host":	"redis",
+
+    "redis_port":	6379,
+    "redis_auth":	null,
+
+    "http_host":	"0.0.0.0",
+    "http_port":	7379,
+
+    "threads":	5,
+    "pool_size": 20,
+
+    "daemonize":	false,
+    "websockets":	false,
+
+    "database":	0,
+
+    "acl": [
+        {
+            "disabled":	["DEBUG"]
+        },
+
+        {
+            "http_basic_auth":	"user:password",
+            "enabled":		["DEBUG"]
+        }
+    ],
+
+    "verbosity": 4,
+    "logfile": "/dev/stderr"
+}
--- a/roles/webdis/tasks/main.yml
+++ b/roles/webdis/tasks/main.yml
@ -0,0 +1,21 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ webdis_svc }}"
+    env: "{{ webdis_env }}"
+    compose: "{{ webdis_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Copy the config
+      ansible.builtin.copy:
+        src: webdis.json
+        dest: "{{ (service_path, 'webdis.json') | path_join }}"
+        mode: "0755"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/webdis/vars/main.yml
+++ b/roles/webdis/vars/main.yml
@ -0,0 +1,24 @@
+---
+webdis_svc:
+  name: webdis
+  domain: webdis.huck.serguzim.me
+  port: 7379
+
+webdis_compose:
+  watchtower: true
+  image: nicolas/webdis
+  volumes:
+    - ./webdis.json:/config/webdis.json
+  file:
+    services:
+      app:
+        command: /usr/local/bin/webdis /config/webdis.json
+        depends_on:
+          - redis
+      redis:
+        image: redis:6.2.6
+        restart: always
+        labels:
+          com.centurylinklabs.watchtower.enable: true
+    networks:
+      default:
--- a/roles/webhook/files/teamspeak-fallback-db
+++ b/roles/webhook/files/teamspeak-fallback-db
@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+chown -R "${TEAMSPEAK_USER}:${TEAMSPEAK_GROUP}" /mnt/teamspeak-fallback-data
+install -o "${TEAMSPEAK_USER}" -g "${TEAMSPEAK_GROUP}" -m 644 "$WEBHOOK_DATA" "/mnt/teamspeak-fallback-data/ts3server.sqlitedb"
--- a/roles/webhook/tasks/main.yml
+++ b/roles/webhook/tasks/main.yml
@ -0,0 +1,44 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ webhook_svc }}"
+    compose: "{{ webhook_compose }}"
+    env: "{{ webhook_env }}"
+    yml: "{{ webhook_yml }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Set webhook config path
+      ansible.builtin.set_fact:
+        config_path: "{{ (service_path, 'config') | path_join }}"
+
+    - name: Create config directory
+      ansible.builtin.file:
+        path: "{{ config_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Template main config
+      ansible.builtin.template:
+        src: service.yml.j2
+        dest: "{{ (config_path, 'hooks.yml') | path_join }}"
+        mode: "0644"
+      register: cmd_result
+
+    - name: Set the docker force-recreate flag
+      ansible.builtin.set_fact:
+        docker_force_recreate: --force-recreate
+      when: cmd_result.changed # noqa: no-handler We need to handle the restart per service. Handlers don't support variables.
+
+    - name: Copy the teamspeak-fallback-db script
+      ansible.builtin.copy:
+        src: teamspeak-fallback-db
+        dest: "{{ (config_path, 'teamspeak-fallback-db') | path_join }}"
+        mode: "0755"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/roles/webhook/vars/main.yml
+++ b/roles/webhook/vars/main.yml
@ -0,0 +1,45 @@
+---
+webhook_teamspeak_fallback_db_token: "{{ vault_webhook.teamspeak_fallback_db_token }}"
+webhook_teamspeak_user: 9987
+webhook_teamspeak_group: 9987
+
+webhook_svc:
+  name: webhook
+  domain: hook.serguzim.me
+  port: 9000
+
+webhook_env:
+  TEAMSPEAK_USER: "{{ webhook_teamspeak_user }}"
+  TEAMSPEAK_GROUP: "{{ webhook_teamspeak_group }}"
+
+webhook_yml:
+  - id: teamspeak-fallback-db
+    trigger-rule-mismatch-http-response-code: 400
+    execute-command: /config/teamspeak-fallback-db
+    pass-file-to-command:
+      - source: payload
+        name: data
+        envname: WEBHOOK_DATA
+        base64decode: true
+    trigger-rule:
+      and:
+        - match:
+            type: value
+            value: "{{ webhook_teamspeak_fallback_db_token }}"
+            parameter:
+              source: header
+              name: X-Webhook-Token
+
+webhook_compose:
+  watchtower: true
+  image: ghcr.io/thecatlady/webhook
+  volumes:
+    - ./config:/config:ro
+    - teamspeak-fallback-data:/mnt/teamspeak-fallback-data
+  file:
+    services:
+      app:
+        command: ["-verbose", "-hooks=/config/hooks.yml"]
+    volumes:
+      teamspeak-fallback-data:
+        name: teamspeak-fallback-data
--- a/roles/wiki_js/tasks/main.yml
+++ b/roles/wiki_js/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ wiki_js_svc }}"
+    env: "{{ wiki_js_env }}"
+    compose: "{{ wiki_js_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/wiki_js/vars/main.yml
+++ b/roles/wiki_js/vars/main.yml
@ -0,0 +1,24 @@
+---
+wiki_js_svc:
+  domain: wiki.serguzim.me
+  name: wiki-js
+  port: 3000
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    user: "{{ vault_wiki_js.db.user }}"
+    pass: "{{ vault_wiki_js.db.pass }}"
+    name: wikijs
+
+wiki_js_env:
+  DB_TYPE: postgres
+  DB_HOST: "{{ svc.db.host }}"
+  DB_PORT: "{{ svc.db.port }}"
+  DB_USER: "{{ svc.db.user }}"
+  DB_PASS: "{{ svc.db.pass }}"
+  DB_NAME: "{{ svc.db.name }}"
+  DB_SSL: 1
+
+wiki_js_compose:
+  watchtower: true
+  image: requarks/wiki
--- a/roles/woodpecker/tasks/main.yml
+++ b/roles/woodpecker/tasks/main.yml
@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ woodpecker_svc }}"
+    env: "{{ woodpecker_env }}"
+    compose: "{{ woodpecker_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/woodpecker/vars/main.yml
+++ b/roles/woodpecker/vars/main.yml
@ -0,0 +1,53 @@
+---
+woodpecker_svc:
+  domain: ci.serguzim.me
+  name: woodpecker
+  port: 8000
+  extra_svcs:
+    - domain: agents.ci.serguzim.me
+      docker_host: h2c://woodpecker
+      port: 9000
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    database: woodpecker
+    user: "{{ vault_woodpecker.db.user }}"
+    pass: "{{ vault_woodpecker.db.pass }}"
+
+woodpecker_env:
+  WOODPECKER_OPEN: true
+  WOODPECKER_HOST: https://{{ svc.domain }}
+  WOODPECKER_ADMIN: serguzim
+  WOODPECKER_AGENT_SECRET: "{{ vault_woodpecker.agent_secret }}"
+  WOODPECKER_PROMETHEUS_AUTH_TOKEN: "{{ vault_metrics_token }}"
+
+  WOODPECKER_SERVER: "{{ svc.extra_svcs[0].domain }}:443"
+  WOODPECKER_GRPC_SECURE: true
+
+  WOODPECKER_GITEA: true
+  WOODPECKER_GITEA_URL: https://git.serguzim.me
+  WOODPECKER_GITEA_CLIENT: "{{ vault_woodpecker.gitea.client }}"
+  WOODPECKER_GITEA_SECRET: "{{ vault_woodpecker.gitea.secret }}"
+
+  WOODPECKER_DATABASE_DRIVER: postgres
+  WOODPECKER_DATABASE_DATASOURCE: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full
+
+woodpecker_compose:
+  watchtower: true
+  image: woodpeckerci/woodpecker-server
+  file:
+    services:
+      agent:
+        image: woodpeckerci/woodpecker-agent:latest
+        restart: always
+        labels:
+          com.centurylinklabs.watchtower.enable: true
+        command: agent
+        env_file:
+          - service.env
+        depends_on:
+          - app
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+        networks:
+          default: