Refactor everything

_ansible/inventory/group_vars/all/compose_defaults.yml

@@ -25,3 +25,9 @@ compose_file_volumes:
   services:
     app:
       volumes: "{{ compose.volumes }}"
+
+compose_file_monitoring_label:
+  services:
+    app:
+      labels:
+        com.influxdata.telegraf.enable: true

_ansible/local-dev.yml

@@ -7,6 +7,8 @@
 
   hosts: local-dev
   roles:
+    - common
+
     - acme-dns
     - coder
     - faas

_ansible/node001.yml

@@ -2,5 +2,9 @@
 - name: Run roles for node001
   hosts: node001
   roles:
-    - mailcow
+    - common
-    - minecraft-2
+
+    - role: mailcow
+      tags: [mailcow, mail, communication]
+    - role: minecraft_2
+      tags: [minecraft-2, minecraft, games]

_ansible/node002.yml

@@ -2,24 +2,47 @@
 - name: Run roles for node002
   hosts: node002
   roles:
-    - acme-dns
+    - common
-    - authentik
+
-    - coder
+    - role: acme_dns
-    - faas
+      tags: [acme-dns, certificates]
-    - forgejo
+    - role: authentik
-    - forgejo-runner
+      tags: [authentik, authentication]
-    - harbor
+    - role: coder
-    - healthcheck
+      tags: [coder, development]
-    - homebox
+    - role: faas
-    - influxdb
+      tags: [faas]
-    - jellyfin
+    - role: forgejo
-    - synapse
+      tags: [forgejo, git, development]
-    - tandoor
+    - role: forgejo_runner
-    - telegraf
+      tags: [forgejo-runner, ci, development]
-    - tinytinyrss
+    - role: harbor
-    - umami
+      tags: [harbor, registry, development]
-    - uptime-kuma
+    - role: healthcheck
-    - watchtower
+      tags: [healthcheck, monitoring]
-    - webdis
+    - role: homebox
-    - wiki-js
+      tags: [homebox, inventory]
-    - woodpecker
+    - role: influxdb
+      tags: [influxdb, sensors, monitoring]
+    - role: jellyfin
+      tags: [jellyfin, media]
+    - role: synapse
+      tags: [synapse, matrix, communication]
+    - role: tandoor
+      tags: [tandoor, recipes]
+    - role: telegraf
+      tags: [telegraf, monitoring]
+    - role: tinytinyrss
+      tags: [tinytinyrss, news]
+    - role: umami
+      tags: [umami, analytics]
+    - role: uptime_kuma
+      tags: [uptime-kuma, monitoring]
+    - role: watchtower
+      tags: [watchtower]
+    - role: webdis
+      tags: [webdis]
+    - role: wiki_js
+      tags: [wiki-js]
+    - role: woodpecker
+      tags: [woodpecker, ci, development]

_ansible/node003.yml

@@ -2,4 +2,7 @@
 - name: Run roles for node003
   hosts: node003
   roles:
-    - minio
+    - common
+
+    - role: minio
+      tags: [minio, storage]

_ansible/roles/acme_dns/tasks/main.yml

@@ -1,11 +1,15 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - acme-dns
+    svc: "{{ acme_dns_svc }}"
-    - certificates
+    env: "{{ acme_dns_env }}"
+    compose: "{{ acme_dns_compose }}"
   block:
-    - import_tasks: steps/create-service-directory.yml
+    - name: Import prepare tasks for common service
-    - import_tasks: steps/template-docker-compose.yml
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
 
     - name: Setting the service config path
       ansible.builtin.set_fact:
@@ -23,5 +27,5 @@
         dest: "{{ (config_path, 'config.cfg') | path_join }}"
         mode: "0600"
 
-    - import_tasks: steps/template-site-config.yml
+    - name: Import start tasks for common service
-    - import_tasks: steps/start-service.yml
+      ansible.builtin.import_tasks: tasks/start-common-service.yml

_ansible/roles/acme_dns/vars/main.yml

@@ -1,5 +1,6 @@
-svc:
+---
-  domain: "acme.serguzim.me"
+acme_dns_svc:
+  domain: acme.serguzim.me
   name: acme-dns
   port: 80
   nsadmin: "{{ admin_email | regex_replace('@', '.') }}"
@@ -12,9 +13,9 @@ svc:
     pass: "{{ vault_acmedns.db.pass }}"
     db: acme_dns
 
-
+acme_dns_compose:
-compose:
   watchtower: true
+  monitoring: true
   image: joohoi/acme-dns
   volumes:
     - ./config:/etc/acme-dns:ro
@@ -23,4 +24,4 @@ compose:
       app:
         ports:
           - "53:53"
-          - "53:53/udp"
+          - 53:53/udp

_ansible/roles/authentik/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - authentik
+    svc: "{{ authentik_svc }}"
-    - authentication
+    env: "{{ authentik_env }}"
+    compose: "{{ authentik_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/authentik/vars/main.yml

@@ -1,5 +1,6 @@
-svc:
+---
-  domain: "auth.serguzim.me"
+authentik_svc:
+  domain: auth.serguzim.me
   name: authentik
   port: 9000
   image_tag: 2023.8
@@ -9,7 +10,7 @@ svc:
     user: "{{ vault_authentik.db.user }}"
     pass: "{{ vault_authentik.db.pass }}"
 
-svc_env:
+authentik_env:
   AUTHENTIK_SECRET_KEY: "{{ vault_authentik.secret_key }}"
 
   AUTHENTIK_EMAIL__HOST: "{{ mailer.host }}"
@@ -30,10 +31,9 @@ svc_env:
   AUTHENTIK_POSTGRESQL__USER: "{{ svc.db.user }}"
   AUTHENTIK_POSTGRESQL__PASSWORD: "{{ svc.db.pass }}"
 
-compose:
+authentik_compose:
   watchtower: false
-  image: "ghcr.io/goauthentik/server:{{ svc.image_tag }}"
+  image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
-  env: true
   file:
     services:
       app:
@@ -41,7 +41,7 @@ compose:
         depends_on:
           - redis
       worker:
-        image: "ghcr.io/goauthentik/server:{{ svc.image_tag }}"
+        image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
         restart: always
         command: worker
         user: root
@@ -53,7 +53,6 @@ compose:
           - redis
         networks:
           default:
-
       redis:
         image: redis:alpine
         restart: always

_ansible/roles/caddy/tasks/main.yml

@@ -1,11 +1,18 @@
 ---
-- name: Deploy {{ svc.name }}
+- name: Set common facts
-  tags:
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
-    - caddy
-    - reverse_proxy
-    - webserver
-  block:
-    - import_tasks: deploy-common-service.yml
 
-    - import_tasks: clean-sites.yml
+- name: Deploy {{ svc.name }}
-    - import_tasks: reload-caddy.yml
+  vars:
+    svc: "{{ caddy_svc }}"
+    env: "{{ caddy_env }}"
+    compose: "{{ caddy_compose }}"
+- name: Deploy {{ svc.name }}
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
+
+    - name: Import tasks for cleaning sites
+      ansible.builtin.import_tasks: tasks/clean-sites.yml
+    - name: Import tasks to reload caddy
+      ansible.builtin.import_tasks: tasks/reload-caddy.yml

_ansible/roles/coder/tasks/main.yml

@@ -1,6 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - coder
+    svc: "{{ coder_svc }}"
+    env: "{{ coder_env }}"
+    compose: "{{ coder_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/coder/vars/main.yml

@@ -1,8 +1,9 @@
-svc:
+---
-  domain: "coder.serguzim.me"
+coder_svc:
+  domain: coder.serguzim.me
   additional_domains:
     - "*.coder.serguzim.me"
-  caddy_extra: "import acmedns"
+  caddy_extra: import acmedns
   name: coder
   port: 7080
   db:
@@ -11,22 +12,24 @@ svc:
   ssh_port: 22
   ssh_port_alt: 3022
 
-svc_env:
+coder_env:
   CODER_ADDRESS: "0.0.0.0:7080"
-  CODER_ACCESS_URL: "https://{{ svc.domain }}"
+  CODER_ACCESS_URL: https://{{ svc.domain }}
   CODER_WILDCARD_ACCESS_URL: "*.{{ svc.domain }}"
 
-  CODER_PG_CONNECTION_URL: "postgres://{{ vault_coder.db.user }}:{{ vault_coder.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/coder?sslmode=verify-full"
+  CODER_PG_CONNECTION_URL: postgres://{{ vault_coder.db.user }}:{{ vault_coder.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/coder?sslmode=verify-full
 
-  CODER_OIDC_ISSUER_URL: "https://auth.serguzim.me/application/o/coder-serguzim-me/"
+  CODER_OIDC_ISSUER_URL: https://auth.serguzim.me/application/o/coder-serguzim-me/
   CODER_OIDC_CLIENT_ID: "{{ vault_coder.oidc_client.id }}"
   CODER_OIDC_CLIENT_SECRET: "{{ vault_coder.oidc_client.secret }}"
 
-compose:
+coder_compose:
   watchtower: true
   image: ghcr.io/coder/coder:latest
-  env: true
-  group_add:
-  - "972" # docker group on host
   volumes:
-  - /var/run/docker.sock:/var/run/docker.sock
+    - /var/run/docker.sock:/var/run/docker.sock
+  file:
+    services:
+      app:
+        group_add:
+          - "972" # docker group on host

_ansible/roles/common/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Reload caddy
+  ansible.builtin.command:
+    cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile && caddy reload --config /etc/caddy/Caddyfile"
+    chdir: "{{ caddy_path }}"
+  when: "'local-dev' != inventory_hostname"
+  changed_when: true

_ansible/roles/faas/tasks/main.yml

@@ -1,6 +1,10 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - faas
+    svc: "{{ faas_svc }}"
   block:
-    - import_tasks: steps/template-site-config.yml
+    - name: Import tasks to template the site and functions for the reverse proxy
+      ansible.builtin.import_tasks: tasks/steps/template-site-config.yml

_ansible/roles/faas/vars/main.yml

@@ -1,30 +1,31 @@
-svc:
+---
+faas_svc:
   name: faas
   domain: faas.serguzim.me
   docker_host: host.docker.internal
   port: 8080
   extra_svcs:
-  - domain: link.serguzim.me
+    - domain: link.serguzim.me
-    faas_function: url-mapper
+      faas_function: url-mapper
-  - domain: msrg.cc
+    - domain: msrg.cc
-    faas_function: webpage-msrg-cc
+      faas_function: webpage-msrg-cc
-    caddy_extra: |
+      caddy_extra: |
-      header /.well-known/* Access-Control-Allow-Origin *
+        header /.well-known/* Access-Control-Allow-Origin *
 
-      handle /.well-known/webfinger {
+        handle /.well-known/webfinger {
-          map {query.resource} {user} {
+            map {query.resource} {user} {
-              acct:tobias@msrg.cc serguzim
+                acct:tobias@msrg.cc serguzim
-              acct:serguzim@msrg.cc serguzim
+                acct:serguzim@msrg.cc serguzim
-          }
+            }
-          rewrite * /.well-known/webfinger/{user}.json
+            rewrite * /.well-known/webfinger/{user}.json
-          import faas webpage-msrg-cc
+            import faas webpage-msrg-cc
-      }
+        }
-  - domain: serguzim.me
+    - domain: serguzim.me
-    faas_function: webpage-serguzim-me
+      faas_function: webpage-serguzim-me
-    www_domain: true
+      www_domain: true
-    hsts: true
+      hsts: true
-  - domain: team-leon.eu
+    - domain: team-leon.eu
-    faas_function: webpage-team-leon-eu
+      faas_function: webpage-team-leon-eu
-    www_domain: true
+      www_domain: true
-  - domain: xn--sder-5qa.stream
+    - domain: xn--sder-5qa.stream
-    faas_function: webpage-soeder-stream
+      faas_function: webpage-soeder-stream

_ansible/roles/forgejo-runner/tasks/main.yml

@@ -1,36 +0,0 @@
----
-- name: Deploy {{ svc.name }}
-  tags:
-    - git
-    - forgejo
-    - ci
-    - forgejo-runner
-  block:
-    - import_tasks: steps/create-service-directory.yml
-    - import_tasks: steps/template-docker-compose.yml
-
-    - name: Copy the config
-      ansible.builtin.copy:
-        src: config.yml
-        dest: "{{ (service_path, 'config.yml') | path_join }}"
-        mode: '0755'
-
-    - name: Check if service.env already exists
-      ansible.builtin.stat:
-        path: "{{ (service_path, 'service.env') | path_join }}"
-      register: svc_env_file
-
-    - import_tasks: prompt-registration-token.yml
-      when: not svc_env_file.stat.exists or
-        force_forgejo_runner_registration | default(False)
-
-    - import_tasks: steps/template-service-env.yml
-
-    - import_tasks: steps/start-service.yml
-
-    - name: Register runner
-      ansible.builtin.command:
-        cmd: docker compose run --rm -it app sh -c 'forgejo-runner register --no-interactive --token ${FORGEJO_RUNNER_REGISTRATION_TOKEN} --instance ${FORGEJO_INSTANCE_URL}'
-        chdir: "{{ service_path }}"
-      when: not svc_env_file.stat.exists or
-        force_forgejo_runner_registration | default(False)

_ansible/roles/forgejo-runner/tasks/prompt-registration-token.yml

@@ -1,11 +0,0 @@
-- name: Input forgejo-runner registration token
-  ansible.builtin.pause:
-    prompt: "Enter a secret"
-    echo: no
-  register: promt_registration_token
-
-- name: Put registration token into env vars
-  ansible.builtin.set_fact:
-    svc_env: "{{ svc_env | combine({
-        'FORGEJO_RUNNER_REGISTRATION_TOKEN': promt_registration_token.user_input
-      }, recursive=True) }}"

_ansible/roles/forgejo/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - forgejo
+    svc: "{{ forgejo_svc }}"
-    - git
+    env: "{{ forgejo_env }}"
+    compose: "{{ forgejo_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/forgejo/vars/main.yml

@@ -1,5 +1,6 @@
-svc:
+---
-  domain: "git.serguzim.me"
+forgejo_svc:
+  domain: git.serguzim.me
   name: forgejo
   port: 3000
   caddy_extra: header /attachments/* Access-Control-Allow-Origin *
@@ -9,27 +10,27 @@ svc:
   ssh_port: 22
   ssh_port_alt: 3022
 
-svc_env:
+forgejo_env:
-  FORGEJO__database__DB_TYPE: "postgres"
+  FORGEJO__database__DB_TYPE: postgres
   FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
-  FORGEJO__database__NAME: "forgejo"
+  FORGEJO__database__NAME: forgejo
   FORGEJO__database__USER: "{{ vault_forgejo.db.user }}"
   FORGEJO__database__PASSWD: "{{ vault_forgejo.db.pass }}"
-  FORGEJO__database__SSL_MODE: "verify-full"
+  FORGEJO__database__SSL_MODE: verify-full
 
   FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
   FORGEJO__repository__ENABLE_PUSH_CREATE_ORG: true
-  FORGEJO__repository__DEFAULT_BRANCH: "main"
+  FORGEJO__repository__DEFAULT_BRANCH: main
 
   FORGEJO__cors__ENABLED: true
-  FORGEJO__cors__SCHEME: "https"
+  FORGEJO__cors__SCHEME: https
 
-  FORGEJO__ui__DEFAULT_THEME: "arc-green"
+  FORGEJO__ui__DEFAULT_THEME: arc-green
 
   FORGEJO__server__DOMAIN: "{{ svc.domain }}"
   FORGEJO__server__SSH_DOMAIN: "{{ svc.domain }}"
   FORGEJO__server__SSH_PORT: "{{ svc.ssh_port }}"
-  FORGEJO__server__ROOT_URL: "https://{{ svc.domain }}"
+  FORGEJO__server__ROOT_URL: https://{{ svc.domain }}
   FORGEJO__server__OFFLINE_MODE: true
   FORGEJO__server__LFS_JWT_SECRET: "{{ vault_forgejo.server_lfs_jwt_secret }}"
   FORGEJO__server__LFS_START_SERVER: true
@@ -44,43 +45,42 @@ svc_env:
   FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: true
   FORGEJO__service__ENABLE_BASIC_AUTHENTICATION: false
   FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: true
-  FORGEJO__service__NO_REPLY_ADDRESS: "discard.msrg.cc"
+  FORGEJO__service__NO_REPLY_ADDRESS: discard.msrg.cc
 
   FORGEJO__webhook__DELIVER_TIMEOUT: 60
 
   FORGEJO__mailer__ENABLED: true
-  FORGEJO__mailer__PROTOCOL: "smtp+starttls"
+  FORGEJO__mailer__PROTOCOL: smtp+starttls
-  FORGEJO__mailer__SMTP_ADDR: "mail.serguzim.me"
+  FORGEJO__mailer__SMTP_ADDR: mail.serguzim.me
   FORGEJO__mailer__SMTP_PORT: 587
-  FORGEJO__mailer__FROM: "Forgejo <git@serguzim.me>"
+  FORGEJO__mailer__FROM: Forgejo <git@serguzim.me>
-  FORGEJO__mailer__USER: "git@serguzim.me"
+  FORGEJO__mailer__USER: git@serguzim.me
   FORGEJO__mailer__PASSWD: "{{ vault_forgejo.mailer_passwd }}"
   FORGEJO__mailer__SEND_AS_PLAIN_TEXT: true
 
   FORGEJO__picture__DISABLE_GRAVATAR: true
 
-  FORGEJO__oauth2__JWT_SECRET: "{{ vault_forgejo. oauth2_jwt_secret}}"
+  FORGEJO__oauth2__JWT_SECRET: "{{ vault_forgejo.oauth2_jwt_secret }}"
 
   FORGEJO__metrics__ENABLED: true
   FORGEJO__metrics__TOKEN: "{{ vault_metrics_token }}"
 
   FORGEJO__actions__ENABLED: true
 
-  FORGEJO__storage__STORAGE_TYPE: "minio"
+  FORGEJO__storage__STORAGE_TYPE: minio
-  FORGEJO__storage__MINIO_ENDPOINT: "s3.serguzim.me"
+  FORGEJO__storage__MINIO_ENDPOINT: s3.serguzim.me
   FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ vault_forgejo.minio.access_key_id }}"
   FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ vault_forgejo.minio.secret_access_key }}"
-  FORGEJO__storage__MINIO_BUCKET: "forgejo"
+  FORGEJO__storage__MINIO_BUCKET: forgejo
-  FORGEJO__storage__MINIO_LOCATION: "de-contabo-1"
+  FORGEJO__storage__MINIO_LOCATION: de-contabo-1
   FORGEJO__storage__MINIO_USE_SSL: true
 
   FORGEJO__other__SHOW_FOOTER_VERSION: true
   FORGEJO__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
 
-compose:
+forgejo_compose:
   watchtower: true
   image: codeberg.org/forgejo/forgejo:1.21
-  env: true
   volumes:
     - data:/data
     - /etc/timezone:/etc/timezone:ro
@@ -93,4 +93,3 @@ compose:
           - "{{ svc.ssh_port_alt }}:{{ svc.ssh_port }}"
     volumes:
       data:
-

_ansible/roles/forgejo_runner/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ forgejo_runner_svc }}"
+    env: "{{ forgejo_runner_env }}"
+    compose: "{{ forgejo_runner_compose }}"
+  block:
+    - name: Import tasks to create service directory
+      ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
+    - name: Import tasks to template docker compose file
+      ansible.builtin.import_tasks: tasks/steps/template-docker-compose.yml
+
+    - name: Copy the config
+      ansible.builtin.copy:
+        src: config.yml
+        dest: "{{ (service_path, 'config.yml') | path_join }}"
+        mode: "0755"
+
+    - name: Check if service.env already exists
+      ansible.builtin.stat:
+        path: "{{ (service_path, 'service.env') | path_join }}"
+      register: env_file
+
+    - name: Import tasks to prompt for the registration token
+      ansible.builtin.import_tasks: tasks/prompt-registration-token.yml
+      when: not env_file.stat.exists or force_forgejo_runner_registration | default(False)
+
+    - name: Import tasks create a service.env file
+      ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
+
+    - name: Register runner
+      ansible.builtin.command:
+        cmd: docker compose run --rm -it app sh -c
+          'forgejo-runner register --no-interactive --token ${FORGEJO_RUNNER_REGISTRATION_TOKEN} --instance ${FORGEJO_INSTANCE_URL}'
+        chdir: "{{ service_path }}"
+      when: not env_file.stat.exists or force_forgejo_runner_registration | default(False)
+      changed_when: true # "when" checks enough. We are sure to change something here.

_ansible/roles/forgejo_runner/tasks/prompt-registration-token.yml

@@ -0,0 +1,10 @@
+---
+- name: Input forgejo-runner registration token
+  ansible.builtin.pause:
+    prompt: Enter a secret
+    echo: false
+  register: promt_registration_token
+
+- name: Put registration token into env vars
+  ansible.builtin.set_fact:
+    forgejo_runner_env: "{{ forgejo_runner_env | combine({'FORGEJO_RUNNER_REGISTRATION_TOKEN': promt_registration_token.user_input}, recursive=True) }}"

_ansible/roles/forgejo_runner/vars/main.yml

@@ -1,15 +1,15 @@
-svc:
+---
+forgejo_runner_svc:
   name: forgejo-runner
 
-svc_env:
+forgejo_runner_env:
-  FORGEJO_INSTANCE_URL: "https://git.serguzim.me/"
+  FORGEJO_INSTANCE_URL: https://git.serguzim.me/
   FORGEJO_RUNNER_REGISTRATION_TOKEN:
   DOCKER_HOST: tcp://docker-in-docker:2375
 
-compose:
+forgejo_runner_compose:
   watchtower: true
   image: code.forgejo.org/forgejo/runner:3.3.0
-  env: true
   volumes:
     - ./config.yml:/config/config.yml
     - data:/data
@@ -17,7 +17,7 @@ compose:
     services:
       app:
         hostname: "{{ ansible_facts.hostname }}"
-        command: "forgejo-runner --config /config/config.yml daemon"
+        command: forgejo-runner --config /config/config.yml daemon
         depends_on:
           - docker-in-docker
         links:
@@ -25,7 +25,7 @@ compose:
       docker-in-docker:
         image: docker:dind
         privileged: true
-        command: "dockerd -H tcp://0.0.0.0:2375 --tls=false"
+        command: dockerd -H tcp://0.0.0.0:2375 --tls=false
         networks:
           default:
     volumes:

_ansible/roles/harbor/files/msrg.cc.log.config

@@ -1,22 +0,0 @@
-version: 1
-
-formatters:
-  precise:
-   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-
-handlers:
-  console:
-    class: logging.StreamHandler
-    formatter: precise
-
-loggers:
-    synapse.storage.SQL:
-        # beware: increasing this to DEBUG will make synapse log sensitive
-        # information such as access tokens.
-        level: INFO
-
-root:
-    level: INFO
-    handlers: [console]
-
-disable_existing_loggers: false

_ansible/roles/harbor/tasks/main.yml

@@ -1,11 +1,18 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - harbor
+    svc: "{{ harbor_svc }}"
-    - registry
+    env: "{{ harbor_env }}"
+    yml: "{{ harbor_yml }}"
   block:
-    - import_tasks: steps/create-service-directory.yml
+    - name: Import prepare tasks for common service
-    - import_tasks: steps/template-site-config.yml
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Import tasks to template the site for the reverse proxy
+      ansible.builtin.import_tasks: tasks/steps/template-site-config.yml
 
     - name: Template config
       ansible.builtin.template:
@@ -17,12 +24,13 @@
       ansible.builtin.unarchive:
         src: https://github.com/goharbor/harbor/releases/download/v{{ svc.harbor_version }}/harbor-online-installer-v{{ svc.harbor_version }}.tgz
         dest: "{{ service_path }}"
-        remote_src: yes
+        remote_src: true
 
     - name: Run the harbor prepare command
       ansible.builtin.command:
         cmd: "{{ service_path }}/harbor/prepare"
         chdir: "{{ service_path }}"
+        creates: "{{ (service_path, 'docker-compose.yml') | path_join }}"
       environment:
         HARBOR_BUNDLE_DIR: "{{ service_path }}"
 
@@ -33,3 +41,4 @@
       environment:
         HARBOR_BUNDLE_DIR: "{{ service_path }}"
       become: true
+      changed_when: true # TODO find way to recognize need to run install command

_ansible/roles/harbor/vars/main.yml

@@ -1,14 +1,21 @@
-svc_ports:
+---
-  http: 20080
+harbor_port_http: 20080
-  https: 20443
+harbor_port_https: 20443
-  metrics: 29000
+harbor_port_metrics: 29000
 
-svc:
+harbor_db_host: "{{ postgres.host }}"
+harbor_db_port: "{{ postgres.port }}"
+harbor_db_database: harbor
+harbor_db_user: "{{ vault_harbor.db.user }}"
+harbor_db_pass: "{{ vault_harbor.db.pass }}"
+harbor_version: 2.9.0
+
+harbor_svc:
   name: harbor
-  domain: "registry.serguzim.me"
+  domain: registry.serguzim.me
   caddy_extra: |
-    reverse_proxy /metrics host.docker.internal:{{ svc_ports.metrics }}
+    reverse_proxy /metrics host.docker.internal:{{ harbor_port_metrics }}
-    reverse_proxy host.docker.internal:{{ svc_ports.https }} {
+    reverse_proxy host.docker.internal:{{ harbor_port_https }} {
         transport http {
             tls
             tls_server_name registry.serguzim.me
@@ -23,12 +30,12 @@ svc:
     pass: "{{ vault_harbor.db.pass }}"
   harbor_version: 2.9.0
 
-svc_yml:
+harbor_yml:
-  hostname: "{{ svc.domain }}"
+  hostname: "{{ harbor_svc.domain }}"
   http:
-    port: "{{ svc_ports.http }}"
+    port: "{{ harbor_port_http }}"
   https:
-    port: "{{ svc_ports.https }}"
+    port: "{{ harbor_port_https }}"
     certificate: /opt/services/.lego/certificates/registry.serguzim.me.crt
     private_key: /opt/services/.lego/certificates/registry.serguzim.me.key
   external_url: https://registry.serguzim.me
@@ -63,28 +70,28 @@ svc_yml:
       rotate_count: 50
       rotate_size: 200M
       location: /var/log/harbor
-  _version: "{{ svc.harbor_version }}"
+  _version: "{{ harbor_version }}"
   external_database:
     harbor:
-      host: "{{ svc.db.host }}"
+      host: "{{ harbor_db_host }}"
-      port: "{{ svc.db.port }}"
+      port: "{{ harbor_db_port }}"
-      db_name: "{{ svc.db.database }}"
+      db_name: "{{ harbor_db_database }}"
-      username: "{{ svc.db.user }}"
+      username: "{{ harbor_db_user }}"
-      password: "{{ svc.db.pass }}"
+      password: "{{ harbor_db_pass }}"
       ssl_mode: verify-full
       max_idle_conns: 2
       max_open_conns: 0
   proxy:
-    http_proxy: null
+    http_proxy:
-    https_proxy: null
+    https_proxy:
-    no_proxy: null
+    no_proxy:
     components:
       - core
       - jobservice
       - trivy
   metric:
     enabled: enabled
-    port: "{{ svc_ports.metrics }}"
+    port: "{{ harbor_port_metrics }}"
     path: /metrics
   upload_purging:
     enabled: true

_ansible/roles/healthcheck/tasks/main.yml

@@ -1,40 +1,47 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - healthcheck
+    svc: "{{ healthcheck_svc }}"
+    env: "{{ healthcheck_env }}"
+    compose: "{{ healthcheck_compose }}"
   block:
-    - import_tasks: steps/create-service-directory.yml
+    - name: Import tasks to create service directory
+      ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
 
     - name: Copy the docker-compose file
       ansible.builtin.copy:
         src: docker-compose.yml
         dest: "{{ (service_path, 'docker-compose.yml') | path_join }}"
-        mode: '0644'
+        mode: "0644"
     - name: Copy the Dockerfile
       ansible.builtin.copy:
         src: Dockerfile
         dest: "{{ (service_path, 'Dockerfile') | path_join }}"
-        mode: '0644'
+        mode: "0644"
     - name: Copy the data files
       ansible.builtin.copy:
         src: data
         dest: "{{ service_path }}"
-        mode: '0755'
+        mode: "0755"
 
     - name: Copy the system service
       ansible.builtin.copy:
         src: healthcheck@.service
-        dest: "/etc/systemd/system/healthcheck@.service"
+        dest: /etc/systemd/system/healthcheck@.service
-        mode: '0644'
+        mode: "0644"
       become: true
     - name: Copy the system timer
       ansible.builtin.copy:
         src: healthcheck@.timer
-        dest: "/etc/systemd/system/healthcheck@.timer"
+        dest: /etc/systemd/system/healthcheck@.timer
-        mode: '0644'
+        mode: "0644"
       become: true
 
-    - import_tasks: steps/template-service-env.yml
+    - name: Import tasks create a service.env file
+      ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
 
     - name: Build service
       ansible.builtin.command:
@@ -43,4 +50,4 @@
       when:
         - "'local-dev' != inventory_hostname"
       register: cmd_result
-      changed_when: True
+      changed_when: true

_ansible/roles/healthcheck/vars/main.yml

@@ -1,13 +1,14 @@
-svc:
+---
+healthcheck_svc:
   name: healthcheck
 
-svc_env:
+healthcheck_env:
-  USER_AGENT: "healthcheck-bot for serguzim.net"
+  USER_AGENT: healthcheck-bot for serguzim.net
 
   HTTP_HC_UID: "{{ vault_healthcheck.hc_uid.http }}"
 
-  MATRIX_SERVER: "https://matrix.msrg.cc"
+  MATRIX_SERVER: https://matrix.msrg.cc
-  MATRIX_SERVER_FEDTESTER: "msrg.cc"
+  MATRIX_SERVER_FEDTESTER: msrg.cc
   MATRIX_HC_UID: "{{ vault_healthcheck.hc_uid.matrix }}"
   MATRIX_TOKEN: "{{ vault_healthcheck.matrix.token }}"
   MATRIX_ROOM: "{{ vault_healthcheck.matrix.room }}"

_ansible/roles/homebox/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - homebox
+    svc: "{{ homebox_svc }}"
-    - inventory
+    env: "{{ homebox_env }}"
+    compose: "{{ homebox_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/homebox/vars/main.yml

@@ -1,9 +1,10 @@
-svc:
+---
-  domain: "inventory.serguzim.me"
+homebox_svc:
+  domain: inventory.serguzim.me
   name: homebox
   port: 7745
 
-svc_env:
+homebox_env:
   HBOX_OPTIONS_ALLOW_REGISTRATION: false
   HBOX_MAILER_HOST: mail.serguzim.me
   HBOX_MAILER_PORT: 587
@@ -12,13 +13,11 @@ svc_env:
   HBOX_MAILER_FROM: Homebox <inventory@serguzim.me>
   HBOX_SWAGGER_SCHEMA: https
 
-compose:
+homebox_compose:
   watchtower: true
   image: ghcr.io/hay-kot/homebox:latest-rootless
-  env: true
   volumes:
     - data:/data
   file:
     volumes:
       data:
-

_ansible/roles/influxdb/tasks/main.yml

@@ -1,11 +1,16 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - influxdb
+    svc: "{{ influxdb_svc }}"
-    - sensors
+    env: "{{ influxdb_env }}"
+    compose: "{{ influxdb_compose }}"
+    yml: "{{ influxdb_yml }}"
   block:
-    - import_tasks: steps/create-service-directory.yml
+    - name: Import prepare tasks for common service
-    - import_tasks: steps/template-docker-compose.yml
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
 
     - name: Template config
       ansible.builtin.template:
@@ -13,5 +18,5 @@
         dest: "{{ (service_path, 'influxdb.yml') | path_join }}"
         mode: "0600"
 
-    - import_tasks: steps/template-site-config.yml
+    - name: Import start tasks for common service
-    - import_tasks: steps/start-service.yml
+      ansible.builtin.import_tasks: tasks/start-common-service.yml

_ansible/roles/influxdb/vars/main.yml

@@ -1,16 +1,17 @@
-svc:
+---
-  domain: "tick.serguzim.me"
+influxdb_svc:
+  domain: tick.serguzim.me
   name: influxdb
   port: 8086
-  data_dir: "/var/lib/influxdb2"
+  data_dir: /var/lib/influxdb2
 
-svc_yml:
+influxdb_yml:
   assets-path: ""
   bolt-path: "{{ (svc.data_dir, 'influxd.bolt') | path_join }}"
   e2e-testing: false
   engine-path: "{{ (svc.data_dir, 'engine') | path_join }}"
   feature-flags: {}
-  http-bind-address: 0.0.0.0:{{ svc.port }}
+  http-bind-address: "0.0.0.0:{{ svc.port }}"
   influxql-max-select-buckets: 0
   influxql-max-select-point: 0
   influxql-max-select-series: 0
@@ -42,7 +43,7 @@ svc_yml:
   storage-shard-precreator-check-interval: 10m0s
   storage-tsm-use-madv-willneed: false
   storage-validate-keys: false
-  storage-wal-fsync-delay: 0s
+  storage-wal-fsync-delay: "0s"
   store: bolt
   testing-always-allow-setup: false
   tls-cert: ""
@@ -55,13 +56,13 @@ svc_yml:
   vault-capath: ""
   vault-client-cert: ""
   vault-client-key: ""
-  vault-client-timeout: 0s
+  vault-client-timeout: "0s"
   vault-max-retries: 0
   vault-skip-verify: false
   vault-tls-server-name: ""
   vault-token: ""
 
-compose:
+influxdb_compose:
   watchtower: false
   image: influxdb:2.7
   volumes:

_ansible/roles/jellyfin/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - jellyfin
+    svc: "{{ jellyfin_svc }}"
-    - media
+    env: "{{ jellyfin_env }}"
+    compose: "{{ jellyfin_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/jellyfin/vars/main.yml

@@ -1,18 +1,18 @@
-svc:
+---
-  domain: "media.serguzim.me"
+jellyfin_svc:
+  domain: media.serguzim.me
   name: jellyfin
   port: 8096
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
 
-svc_env:
+jellyfin_env:
-  JELLYFIN_PublishedServerUrl: "https://{{ svc. domain }}"
+  JELLYFIN_PublishedServerUrl: https://{{ svc.domain }}
 
-compose:
+jellyfin_compose:
   watchtower: true
   image: jellyfin/jellyfin
-  env: true
   volumes:
     - config:/config
     - cache:/cache
@@ -25,4 +25,3 @@ compose:
       config:
       cache:
       media:
-

_ansible/roles/mailcow/tasks/main.yml

@@ -1,7 +1,10 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - mailcow
+    svc: "{{ mailcow_svc }}"
-    - email
   block:
-    - import_tasks: steps/template-site-config.yml
+    - name: Import tasks to template the site for the reverse proxy
+      ansible.builtin.import_tasks: tasks/steps/template-site-config.yml

_ansible/roles/mailcow/vars/main.yml

@@ -1,4 +1,5 @@
-svc:
+---
+mailcow_svc:
   name: mailcow
   domain: mail.serguzim.me
   docker_host: host.docker.internal

_ansible/roles/minecraft-2/tasks/main.yml

@@ -1,8 +0,0 @@
----
-- name: Deploy {{ svc.name }}
-  tags:
-    - minecraft-2
-    - minecraft
-    - games
-  block:
-    - import_tasks: deploy-common-service.yml

_ansible/roles/minecraft_2/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ minecraft_2_svc }}"
+    env: "{{ minecraft_2_env }}"
+    compose: "{{ minecraft_2_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/minecraft_2/vars/main.yml

@@ -1,7 +1,8 @@
-svc:
+---
+minecraft_2_svc:
   name: minecraft-2
 
-svc_env:
+minecraft_2_env:
   ALLOW_FLIGHT: true
   ALLOW_NETHER: true
   ANNOUNCE_PLAYER_ACHIEVEMENTS: true
@@ -21,7 +22,7 @@ svc_env:
   FUNCTION_PERMISSION_LEVEL: 2
   GENERATE_STRUCTURES: true
   HARDCORDE: false
-  ICON: 
+  ICON:
   LEVEL_TYPE: DEFAULT
   MAX_BUILD_HEIGHT: 512
   MAX_MEMORY: 4G
@@ -29,7 +30,7 @@ svc_env:
   MAX_PLAYERS: 64
   MAX_WORLD_SIZE: 30000000
   MODE: survival
-  MOTD: 
+  MOTD:
   NETWORK_COMPRESSION_THRESHOLD: 256
   PVP: true
   SERVER_NAME: minecraft.serguzim.me
@@ -53,16 +54,15 @@ svc_env:
   VIEW_DISTANCE: 10
   WHITELIST: "{{ vault_minecraft_2.whitelist }}"
 
-compose:
+minecraft_2_compose:
   watchtower: false
   image: itzg/minecraft-server
-  env: true
   volumes:
     - data:/data
   file:
     services:
       app:
         ports:
-          - "25565:25565"
+          - 25565:25565
     volumes:
       data:

_ansible/roles/minio/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - minio
+    svc: "{{ minio_svc }}"
-    - storage
+    env: "{{ minio_env }}"
+    compose: "{{ minio_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/minio/vars/main.yml

@@ -1,29 +1,29 @@
-svc:
+---
-  domain: "s3.serguzim.me"
+minio_svc:
+  domain: s3.serguzim.me
   name: minio
   port: 9000
   caddy_extra: |
-     @nocache {
+    @nocache {
-        query nocache=*
+       query nocache=*
-     }
+    }
-     header @nocache "Cache-Control" "no-store, no-cache"
+    header @nocache "Cache-Control" "no-store, no-cache"
   extra_svcs:
-  - domain: console.s3.serguzim.me
+    - domain: console.s3.serguzim.me
-    docker_host: minio
+      docker_host: minio
-    port: 9001
+      port: 9001
 
-svc_env:
+minio_env:
-  MINIO_SERVER_URL: "https://{{ svc.domain }}/"
+  MINIO_SERVER_URL: https://{{ svc.domain }}/
-  MINIO_BROWSER_REDIRECT_URL: "https://console.{{ svc.domain }}"
+  MINIO_BROWSER_REDIRECT_URL: https://console.{{ svc.domain }}
-  MINIO_VOLUMES: "/data"
+  MINIO_VOLUMES: /data
 
   MINIO_ROOT_USER: "{{ vault_minio.user }}"
   MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
 
-compose:
+minio_compose:
   watchtower: true
   image: minio/minio
-  env: true
   volumes:
     - data:/data
   file:

_ansible/roles/synapse/tasks/main.yml

@@ -1,14 +1,21 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - synapse
+    svc: "{{ synapse_svc }}"
-    - matrix
+    env: "{{ synapse_env }}"
+    compose: "{{ synapse_compose }}"
+    yml: "{{ synapse_yml }}"
   block:
-    - import_tasks: prepare-common-service.yml
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
 
     - name: Set synapse config path
       ansible.builtin.set_fact:
         config_path: "{{ (service_path, svc.config_path) | path_join }}"
+
     - name: Create config directory
       ansible.builtin.file:
         path: "{{ config_path }}"
@@ -20,17 +27,18 @@
         src: service.yml.j2
         dest: "{{ (config_path, 'homeserver.yaml') | path_join }}"
         mode: "0644"
-    
+
     - name: Copy the log config
       ansible.builtin.copy:
         src: msrg.cc.log.config
         dest: "{{ (config_path, 'msrg.cc.log.config') | path_join }}"
-        mode: '0644'
+        mode: "0644"
 
     - name: Copy the signing key
       ansible.builtin.copy:
         content: "{{ vault_synapse.signing_key }}"
         dest: "{{ (config_path, 'msrg.cc.signing.key') | path_join }}"
-        mode: '0644'
+        mode: "0644"
 
-    - import_tasks: start-common-service.yml
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml

_ansible/roles/synapse/vars/main.yml

@@ -1,6 +1,7 @@
-svc:
+---
+synapse_svc:
   name: synapse
-  domain: "matrix.msrg.cc"
+  domain: matrix.msrg.cc
   docker_host: synapse-admin
   port: 80
   caddy_extra: |
@@ -11,7 +12,7 @@ svc:
         reverse_proxy synapse:8008
     }
   extra_svcs:
-    - domain: "msrg.cc:8008"
+    - domain: msrg.cc:8008
       additional_domains:
         - matrix.msrg.cc:8448
         - matrix.msrg.cc:8008
@@ -25,12 +26,12 @@ svc:
     pass: "{{ vault_synapse.db.pass }}"
   config_path: config
 
-svc_env:
+synapse_env:
   SYNAPSE_CONFIG_PATH: "{{ ('/', svc.config_path) | path_join }}"
   REACT_APP_SERVER: https://matrix.msrg.cc
 
-svc_yml:
+synapse_yml:
-  server_name: "msrg.cc"
+  server_name: msrg.cc
   pid_file: "{{ (svc.config_path, 'homeserver.pid') | path_join }}"
   public_baseurl: https://matrix.msrg.cc/
   allow_public_rooms_without_auth: true
@@ -43,28 +44,28 @@ svc_yml:
       x_forwarded: true
       resources:
         - names:
-          - client
+            - client
-          - federation
+            - federation
-          - metrics
+            - metrics
           compress: false
 
-  admin_contact: "mailto:{{ admin_email }}"
+  admin_contact: mailto:{{ admin_email }}
 
   acme:
-      enabled: false
+    enabled: false
 
   database:
-   name: "psycopg2"
+    name: psycopg2
-   args:
+    args:
-     user: "{{ svc.db.user }}"
+      user: "{{ svc.db.user }}"
-     password: "{{ svc.db.pass }}"
+      password: "{{ svc.db.pass }}"
-     database: "{{ svc.db.database }}"
+      database: "{{ svc.db.database }}"
-     host: "{{ svc.db.host }}"
+      host: "{{ svc.db.host }}"
-     cp_min: 5
+      cp_min: 5
-     cp_max: 10
+      cp_max: 10
 
   log_config: "{{ (svc.config_path, 'msrg.cc.log.config') | path_join }}"
-  media_store_path: "/media_store"
+  media_store_path: /media_store
   max_upload_size: 500M
   enable_registration: false
   enable_metrics: true
@@ -75,19 +76,19 @@ svc_yml:
   signing_key_path: "{{ (svc.config_path, 'msrg.cc.signing.key') | path_join }}"
 
   trusted_key_servers:
-    - server_name: "matrix.org"
+    - server_name: matrix.org
   suppress_key_server_warning: true
 
   oidc_providers:
-    - idp_id: "auth_serguzim_me"
+    - idp_id: auth_serguzim_me
-      idp_name: "auth.serguzim.me"
+      idp_name: auth.serguzim.me
-      issuer: "https://auth.serguzim.me/application/o/matrix_serguzim_me/"
+      issuer: https://auth.serguzim.me/application/o/matrix_serguzim_me/
       client_id: "{{ vault_synapse.oidc_client.id }}"
       client_secret: "{{ vault_synapse.oidc_client.secret }}"
       scopes:
-        - "openid"
+        - openid
-        - "profile"
+        - profile
-        - "email"
+        - email
       user_mapping_provider:
         config:
           localpart_template: "{{ '{{ user.preferred_username }}' }}"
@@ -96,30 +97,29 @@ svc_yml:
   email:
     smtp_host: mail.serguzim.me
     smtp_port: 587
-    smtp_user: "matrix@serguzim.me"
+    smtp_user: matrix@serguzim.me
     smtp_pass: "{{ vault_synapse.mail.pass }}"
     require_transport_security: true
-    notif_from: "Matrix <matrix@serguzim.me>"
+    notif_from: Matrix <matrix@serguzim.me>
 
-compose:
+synapse_compose:
   watchtower: true
-  env: true
+  image: ghcr.io/matrix-org/synapse:v1.98.0
-  image: ghcr.io/matrix-org/synapse
   volumes:
     - ./config:/config
     - media_store:/media_store
   file:
     services:
       synapse-admin:
-         image: awesometechnologies/synapse-admin
+        image: awesometechnologies/synapse-admin
-         restart: always
+        restart: always
-         labels:
+        labels:
-           com.centurylinklabs.watchtower.enable: true
+          com.centurylinklabs.watchtower.enable: true
-         env_file:
+        env_file:
-           - service.env
+          - service.env
-         networks:
+        networks:
-           apps:
+          apps:
-             aliases:
+            aliases:
-               - synapse-admin
+              - synapse-admin
     volumes:
       media_store:

_ansible/roles/tandoor/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - tandoor
+    svc: "{{ tandoor_svc }}"
-    - recipies
+    env: "{{ tandoor_env }}"
+    compose: "{{ tandoor_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/tandoor/vars/main.yml

@@ -1,5 +1,6 @@
-svc:
+---
-  domain: "recipes.serguzim.me"
+tandoor_svc:
+  domain: recipes.serguzim.me
   name: tandoor
   port: 80
   db:
@@ -9,7 +10,7 @@ svc:
     user: "{{ vault_tandoor.db.user }}"
     pass: "{{ vault_tandoor.db.pass }}"
 
-svc_env:
+tandoor_env:
   DEBUG: 0
   SQL_DEBUG: 0
 
@@ -18,7 +19,7 @@ svc_env:
   TZ: "{{ timezone }}"
 
   DB_ENGINE: django.db.backends.postgresql
-  DB_OPTIONS: "{\"sslmode\": \"require\"}"
+  DB_OPTIONS: '{"sslmode": "require"}'
   POSTGRES_HOST: "{{ svc.db.host }}"
   POSTGRES_PORT: "{{ svc.db.port }}"
   POSTGRES_DB: "{{ svc.db.database }}"
@@ -34,10 +35,9 @@ svc_env:
   SOCIAL_DEFAULT_ACCESS: 1
   SOCIAL_DEFAULT_GROUP: guest
 
-compose:
+tandoor_compose:
   watchtower: true
   image: nginx:mainline-alpine
-  env: true
   volumes:
     - nginx_config:/etc/nginx/conf.d:ro
     - staticfiles:/static
@@ -61,4 +61,3 @@ compose:
       nginx_config:
       staticfiles:
       mediafiles:
-

_ansible/roles/telegraf/tasks/main.yml

@@ -1,11 +1,15 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - telegraf
+    svc: "{{ telegraf_svc }}"
-    - monitoring
+    env: "{{ telegraf_env }}"
+    compose: "{{ telegraf_compose }}"
   block:
-    - import_tasks: steps/create-service-directory.yml
+    - name: Import prepare tasks for common service
-    - import_tasks: steps/template-docker-compose.yml
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
 
     - name: Template config
       ansible.builtin.template:
@@ -14,10 +18,10 @@
         mode: "0664"
       register: cmd_result
 
-
     - name: Set the docker force-recreate flag
       ansible.builtin.set_fact:
-        docker_force_recreate: "--force-recreate"
+        docker_force_recreate: --force-recreate
-      when: cmd_result.changed
+      when: cmd_result.changed # noqa: no-handler We need to handle the restart per service. Handlers don't support variables.
 
-    - import_tasks: steps/start-service.yml
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml

_ansible/roles/telegraf/templates/telegraf.conf.j2

@@ -18,9 +18,9 @@
 
 [[inputs.prometheus]]
   urls = [
-    {%- for url in svc.prometheus.urls -%}
+  {%- for url in svc.prometheus.urls -%}
-		"{{ url }}",
+    "{{ url }}",
-	{%- endfor -%}
+  {%- endfor -%}
   ]
 
   bearer_token_string = "{{ svc.prometheus.bearer_token }}"
@@ -30,3 +30,11 @@
   ignored_databases = ["postgres", "template0", "template1"]
   prepared_statements = true
 
+[[inputs.docker_log]]
+  endpoint = "{{ svc.docker_log.endpoint }}"
+
+  docker_label_include = [
+    "com.influxdata.telegraf.enable"
+  ]
+
+  source_tag = {{ svc.docker_log.source_tag|lower }}

_ansible/roles/telegraf/vars/main.yml

@@ -1,7 +1,8 @@
-svc:
+---
+telegraf_svc:
   name: telegraf
   influxdb:
-    url: "https://tick.serguzim.me"
+    url: https://tick.serguzim.me
     token: "{{ vault_telegraf.influxdb_token }}"
     organization: serguzim.net
     bucket: metrics
@@ -17,13 +18,22 @@ svc:
     pass: "{{ vault_telegraf.db.pass }}"
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
-    database: "telegraf"
+    database: telegraf
+  docker_log:
+    endpoint: unix:///var/run/docker.sock
+    source_tag: false
 
-compose:
+telegraf_compose:
   watchtower: false
   image: telegraf:1.28
   volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
     - ./telegraf.conf:/etc/telegraf/telegraf.conf:ro
   file:
+    services:
+      app:
+        user: telegraf
+        group_add:
+          - "972" # docker group on host
     volumes:
       data:

_ansible/roles/tinytinyrss/tasks/main.yml

@@ -1,16 +1,21 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - tinytinyrss
+    svc: "{{ tinytinyrss_svc }}"
-    - tt-rss
+    env: "{{ tinytinyrss_env }}"
-    - news
+    compose: "{{ tinytinyrss_compose }}"
   block:
-    - import_tasks: prepare-common-service.yml
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
 
     - name: Copy the nginx-config
       ansible.builtin.copy:
         src: nginx.conf
         dest: "{{ (service_path, 'nginx.conf') | path_join }}"
-        mode: '0644'
+        mode: "0644"
 
-    - import_tasks: start-common-service.yml
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml

_ansible/roles/tinytinyrss/vars/main.yml

@@ -1,5 +1,6 @@
-svc:
+---
-  domain: "rss.serguzim.me"
+tinytinyrss_svc:
+  domain: rss.serguzim.me
   name: tinytinyrss
   port: 80
   db:
@@ -9,7 +10,7 @@ svc:
     user: "{{ vault_tinytinyrss.db.user }}"
     pass: "{{ vault_tinytinyrss.db.pass }}"
 
-svc_env:
+tinytinyrss_env:
   TTRSS_DB_TYPE: pgsql
   TTRSS_DB_HOST: "{{ svc.db.host }}"
   TTRSS_DB_NAME: "{{ svc.db.database }}"
@@ -18,18 +19,17 @@ svc_env:
 
   TTRSS_SELF_URL_PATH: https://{{ svc.domain }}/tt-rss/
 
-compose:
+tinytinyrss_compose:
   watchtower: false
   image: cthulhoo/ttrss-web-nginx
-  env: true
   volumes:
     - app:/var/www/html:ro
     - ./nginx.conf:/etc/nginx/nginx.conf
   file:
-    app:
-      depends_on:
-        - tt-rss
     services:
+      app:
+        depends_on:
+          - tt-rss
       tt-rss:
         image: cthulhoo/ttrss-fpm-pgsql-static
         restart: always
@@ -39,7 +39,6 @@ compose:
           - app:/var/www/html
         networks:
           default:
-
       updater:
         image: cthulhoo/ttrss-fpm-pgsql-static
         restart: always
@@ -54,4 +53,3 @@ compose:
           default:
     volumes:
       app:
-

_ansible/roles/umami/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - umami
+    svc: "{{ umami_svc }}"
-    - analytics
+    env: "{{ umami_env }}"
+    compose: "{{ umami_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/umami/vars/main.yml

@@ -1,20 +1,24 @@
-svc:
+---
-  domain: "analytics.serguzim.me"
+umami_db_host: "{{ postgres.host }}"
+umami_db_user: "{{ vault_umami.db.user }}"
+umami_db_pass: "{{ vault_umami.db.pass }}"
+umami_db_database: umami
+
+umami_hash_salt: "{{ vault_umami.hash_salt }}"
+
+umami_docker_image: docker.umami.dev/umami-software/umami:postgresql-latest
+
+umami_svc:
+  domain: analytics.serguzim.me
   name: umami
   port: 3000
-  db:
-    host: "{{ postgres.host }}"
-    user: "{{ vault_umami.db.user }}"
-    pass: "{{ vault_umami.db.pass }}"
-    db: umami
 
-svc_env:
+umami_env:
-  DATABASE_URL: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}/{{ svc.db.db }}
+  DATABASE_URL: postgres://{{ umami_db_user }}:{{ umami_db_pass }}@{{ umami_db_host }}/{{ umami_db_database }}
   DATABASE_TYPE: postgresql
   FORCE_SSL: 1
-  HASH_SALT: "{{ vault_umami.hash_salt }}"
+  HASH_SALT: "{{ umami_hash_salt }}"
 
-compose:
+umami_compose:
   watchtower: true
-  image: docker.umami.dev/umami-software/umami:postgresql-latest
+  image: "{{ umami_docker_image }}"
-  env: true

_ansible/roles/uptime-kuma/tasks/main.yml

@@ -1,7 +0,0 @@
----
-- name: Deploy {{ svc.name }}
-  tags:
-    - uptime-kuma
-    - status
-  block:
-    - import_tasks: deploy-common-service.yml

_ansible/roles/uptime_kuma/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ uptime_kuma_svc }}"
+    env: "{{ uptime_kuma_env }}"
+    compose: "{{ uptime_kuma_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/uptime_kuma/vars/main.yml

@@ -1,11 +1,12 @@
-svc:
+---
-  domain: "status.serguzim.me"
+uptime_kuma_svc:
+  domain: status.serguzim.me
   additional_domains:
-    - "status.serguzim.net"
+    - status.serguzim.net
   name: uptime-kuma
   port: 3001
 
-compose:
+uptime_kuma_compose:
   watchtower: true
   image: louislam/uptime-kuma:1
   volumes:
@@ -13,4 +14,3 @@ compose:
   file:
     volumes:
       data:
-

_ansible/roles/watchtower/tasks/main.yml

@@ -1,13 +1,18 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - watchtower
+    svc: "{{ watchtower_svc }}"
-    - container
+    env: "{{ watchtower_env }}"
+    compose: "{{ watchtower_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
-    
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
+
     - name: Copy the run-once script
       ansible.builtin.copy:
         src: run-once.sh
         dest: "{{ (service_path, 'run-once.sh') | path_join }}"
-        mode: '0755'
+        mode: "0755"

_ansible/roles/watchtower/vars/main.yml

@@ -1,7 +1,8 @@
-svc:
+---
+watchtower_svc:
   name: watchtower
 
-svc_env:
+watchtower_env:
   WATCHTOWER_LABEL_ENABLE: true
   WATCHTOWER_CLEANUP: true
   WATCHTOWER_SCHEDULE: "0 27 20 * * *"
@@ -15,10 +16,9 @@ svc_env:
   WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD: "{{ vault_watchtower.mailer.pass }}"
   WATCHTOWER_NOTIFICATION_EMAIL_DELAY: 5
 
-compose:
+watchtower_compose:
   watchtower: false
   image: containrrr/watchtower
-  env: true
   volumes:
     - /var/run/docker.sock:/var/run/docker.sock
   file:

_ansible/roles/webdis/tasks/main.yml

@@ -1,14 +1,21 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - webdis
+    svc: "{{ webdis_svc }}"
+    env: "{{ webdis_env }}"
+    compose: "{{ webdis_compose }}"
   block:
-    - import_tasks: steps/create-service-directory.yml
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
 
     - name: Copy the config
       ansible.builtin.copy:
         src: webdis.json
         dest: "{{ (service_path, 'webdis.json') | path_join }}"
-        mode: '0755'
+        mode: "0755"
 
-    - import_tasks: deploy-common-service.yml
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml

_ansible/roles/webdis/vars/main.yml

@@ -1,9 +1,10 @@
-svc:
+---
+webdis_svc:
   name: webdis
-  domain: "webdis.huck.serguzim.me"
+  domain: webdis.huck.serguzim.me
   port: 7379
 
-compose:
+webdis_compose:
   watchtower: true
   image: nicolas/webdis
   volumes:

_ansible/roles/wiki-js/tasks/main.yml

@@ -1,6 +0,0 @@
----
-- name: Deploy {{ svc.name }}
-  tags:
-    - wiki-js
-  block:
-    - import_tasks: deploy-common-service.yml

_ansible/roles/wiki_js/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ svc.name }}
+  vars:
+    svc: "{{ wiki_js_svc }}"
+    env: "{{ wiki_js_env }}"
+    compose: "{{ wiki_js_compose }}"
+  block:
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/wiki_js/vars/main.yml

@@ -1,5 +1,6 @@
-svc:
+---
-  domain: "wiki.serguzim.me"
+wiki_js_svc:
+  domain: wiki.serguzim.me
   name: wiki-js
   port: 3000
   db:
@@ -7,9 +8,9 @@ svc:
     port: "{{ postgres.port }}"
     user: "{{ vault_wiki_js.db.user }}"
     pass: "{{ vault_wiki_js.db.pass }}"
-    name: "wikijs"
+    name: wikijs
 
-svc_env:
+wiki_js_env:
   DB_TYPE: postgres
   DB_HOST: "{{ svc.db.host }}"
   DB_PORT: "{{ svc.db.port }}"
@@ -18,7 +19,6 @@ svc_env:
   DB_NAME: "{{ svc.db.name }}"
   DB_SSL: 1
 
-compose:
+wiki_js_compose:
   watchtower: true
   image: requarks/wiki
-  env: true

_ansible/roles/woodpecker/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
 - name: Deploy {{ svc.name }}
-  tags:
+  vars:
-    - woodpecker
+    svc: "{{ woodpecker_svc }}"
-    - ci
+    env: "{{ woodpecker_env }}"
+    compose: "{{ woodpecker_compose }}"
   block:
-    - import_tasks: deploy-common-service.yml
+    - name: Import tasks to deploy common service
+      ansible.builtin.import_tasks: tasks/deploy-common-service.yml

_ansible/roles/woodpecker/vars/main.yml

@@ -1,11 +1,12 @@
-svc:
+---
-  domain: "ci.serguzim.me"
+woodpecker_svc:
+  domain: ci.serguzim.me
   name: woodpecker
   port: 8000
   extra_svcs:
-  - domain: agents.ci.serguzim.me
+    - domain: agents.ci.serguzim.me
-    docker_host: h2c://woodpecker
+      docker_host: h2c://woodpecker
-    port: 9000
+      port: 9000
   db:
     host: "{{ postgres.host }}"
     port: "{{ postgres.port }}"
@@ -13,10 +14,10 @@ svc:
     user: "{{ vault_woodpecker.db.user }}"
     pass: "{{ vault_woodpecker.db.pass }}"
 
-svc_env:
+woodpecker_env:
   WOODPECKER_OPEN: true
-  WOODPECKER_HOST: "https://{{ svc.domain }}"
+  WOODPECKER_HOST: https://{{ svc.domain }}
-  WOODPECKER_ADMIN: "serguzim"
+  WOODPECKER_ADMIN: serguzim
   WOODPECKER_AGENT_SECRET: "{{ vault_woodpecker.agent_secret }}"
   WOODPECKER_PROMETHEUS_AUTH_TOKEN: "{{ vault_metrics_token }}"
 
@@ -24,17 +25,16 @@ svc_env:
   WOODPECKER_GRPC_SECURE: true
 
   WOODPECKER_GITEA: true
-  WOODPECKER_GITEA_URL: "https://git.serguzim.me"
+  WOODPECKER_GITEA_URL: https://git.serguzim.me
   WOODPECKER_GITEA_CLIENT: "{{ vault_woodpecker.gitea.client }}"
   WOODPECKER_GITEA_SECRET: "{{ vault_woodpecker.gitea.secret }}"
 
-  WOODPECKER_DATABASE_DRIVER: "postgres"
+  WOODPECKER_DATABASE_DRIVER: postgres
-  WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full"
+  WOODPECKER_DATABASE_DATASOURCE: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full
 
-compose:
+woodpecker_compose:
   watchtower: true
   image: woodpeckerci/woodpecker-server
-  env: true
   file:
     services:
       agent:

_ansible/tasks/deploy-common-service.yml

@@ -1,2 +1,5 @@
-- import_tasks: prepare-common-service.yml
+---
-- import_tasks: start-common-service.yml
+- name: Import prepare tasks for common service
+  ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+- name: Import start tasks for common service
+  ansible.builtin.import_tasks: tasks/start-common-service.yml

_ansible/tasks/prepare-common-service.yml

@@ -1,4 +1,11 @@
-- import_tasks: steps/create-service-directory.yml
+---
-- import_tasks: steps/template-docker-compose.yml
+- name: Import tasks to create service directory
-- import_tasks: steps/template-service-env.yml
+  ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
-  when: compose.env|default(False) == True
+
+- name: Import tasks to template docker compose file
+  ansible.builtin.import_tasks: tasks/steps/template-docker-compose.yml
+  when: compose is defined
+
+- name: Import tasks create a service.env file
+  ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
+  when: env is defined

_ansible/tasks/set-default-facts.yml

@@ -0,0 +1,5 @@
+---
+- name: Set common facts
+  ansible.builtin.set_fact:
+    service_path: "{{ (services_path, role_name | replace('_', '-')) | path_join }}"
+    docker_force_recreate: ""

_ansible/tasks/start-common-service.yml

@@ -1,3 +1,6 @@
-- include_tasks: steps/template-site-config.yml
+---
+- name: Import tasks to template the site for the reverse proxy
+  ansible.builtin.include_tasks: tasks/steps/template-site-config.yml
   when: svc.domain is defined
-- import_tasks: steps/start-service.yml
+- name: Import tasks to start the service
+  ansible.builtin.import_tasks: tasks/steps/start-service.yml

_ansible/tasks/steps/create-service-directory.yml

@@ -1,8 +1,4 @@
-- name: Set common facts
+---
-  ansible.builtin.set_fact:
-    service_path: "{{ (services_path, svc.name) | path_join }}"
-    docker_force_recreate: ""
-
 - name: Create a service directory
   ansible.builtin.file:
     path: "{{ service_path }}"

_ansible/tasks/steps/start-service.yml

@@ -1,3 +1,4 @@
+---
 - name: Build service
   ansible.builtin.command:
     cmd: docker compose build --pull
@@ -7,7 +8,7 @@
     - docker_update is defined
     - docker_update
   register: cmd_result
-  changed_when: True
+  changed_when: true
 
 - name: Pull service
   ansible.builtin.command:
@@ -18,7 +19,7 @@
     - docker_update is defined
     - docker_update
   register: cmd_result
-  changed_when: True
+  changed_when: true
 
 - name: Start service
   ansible.builtin.command:
@@ -26,4 +27,4 @@
     chdir: "{{ service_path }}"
   when: "'local-dev' != inventory_hostname"
   register: cmd_result
-  changed_when: "cmd_result.stderr | regex_search('Started$')"
+  changed_when: cmd_result.stderr | regex_search('Started$')

_ansible/tasks/steps/template-docker-compose.yml

@@ -1,3 +1,4 @@
+---
 - name: Template docker-compose
   ansible.builtin.template:
     src: docker-compose.yml.j2

_ansible/tasks/steps/template-service-env.yml

@@ -1,3 +1,4 @@
+---
 - name: Template service.env file
   ansible.builtin.template:
     src: service.env.j2

_ansible/tasks/steps/template-site-config.yml

@@ -1,17 +1,12 @@
+---
 - name: Template caddy site
   ansible.builtin.template:
     src: caddy_site.conf.j2
     dest: "{{ (caddy_config_path, svc.domain + '.conf') | path_join }}"
     mode: "0644"
-  register: template_result
+  notify:
+    - Reload caddy
 
 - name: Register caddy site
   ansible.builtin.set_fact:
     managed_sites: "{{ managed_sites + [svc.domain + '.conf'] }}"
-
-- name: Reload caddy
-  ansible.builtin.command:
-    cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile && caddy reload --config /etc/caddy/Caddyfile"
-    chdir: "{{ caddy_path }}"
-  when: "'local-dev' != inventory_hostname"
-  changed_when: template_result.changed

_ansible/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 {%- set compose_file = compose.file | default({}) -%}
 {%- set compose_file = compose_file_main | combine(compose_file, recursive=True) -%}
 
-{%- if compose.env | default(False) -%}
+{%- if env is defined -%}
     {%- set compose_file = compose_file | combine(compose_file_env, recursive=True) -%}
 {%- endif -%}
 
@@ -9,4 +9,8 @@
     {%- set compose_file = compose_file | combine(compose_file_volumes, recursive=True) -%}
 {%- endif -%}
 
+{%- if compose.monitoring | default(False) -%}
+    {%- set compose_file = compose_file | combine(compose_file_monitoring_label, recursive=True) -%}
+{%- endif -%}
+
 {{ compose_file | to_nice_yaml }}

_ansible/templates/service.env.j2

@@ -1,3 +1,3 @@
-{% for key, value in svc_env.items() %}
+{% for key, value in env.items() %}
 {{ key }}={{ value }}
 {% endfor %}

_ansible/templates/service.yml.j2

@@ -1 +1 @@
-{{ svc_yml | to_nice_yaml }}
+{{ yml | to_nice_yaml }}

backup/Dockerfile

@@ -1,6 +1,3 @@
-FROM ubuntu
+FROM restic/restic
 
-ENV DEBIAN_FRONTEND=noninteractive
+RUN apk add curl
-
-RUN apt update -y \
-	&& apt install -y curl restic