Add all: init

Revert "Rename init to all in Makefile"
This reverts commit 7df888f633.
2022-11-26 21:54:11 +01:00 · 2022-11-26 21:40:21 +01:00 · 2022-11-26 21:36:40 +01:00 · 2022-11-26 10:47:37 +01:00 · 2022-11-26 09:52:41 +01:00
129 changed files with 2341 additions and 2458 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -42,7 +42,7 @@ use_default_rules: true

 # Ansible-lint completely ignores rules or tags listed below
 skip_list:
-  - skip_this_tag
+  - no-log-password

 # Ansible-lint does not automatically load rules that have the 'opt-in' tag.
 # You must enable opt-in rules by listing each rule 'id' below.
@ -108,4 +108,4 @@ kinds:

 # List of additions modules to allow in only-builtins rule.
 # only_builtins_allow_modules:
-#   - example_module
+#   - example_module
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
-*.retry
+playbook.retry
 *.sw*
 .vagrant/
 *.log
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,14 +1,15 @@
+---
 repos:

-#- repo: https://github.com/semaphor-dk/dansabel
-#  rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
-#  hooks:
-#  - id: dansabel
+  - repo: https://github.com/lyz-code/yamlfix/
+    rev: 1.1.1
+    hooks:
+      - id: yamlfix

- repo: https://github.com/ansible/ansible-lint
-  rev: v6.9.0
-  hooks:
-  - id: ansible-lint
-    files: \.(yaml|yml)$
-    additional_dependencies:
-      - ansible
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v6.9.0
+    hooks:
+      - id: ansible-lint
+        files: \.(yaml|yml)$
+        additional_dependencies:
+          - ansible
--- a/6
+++ b/6
@ -1,3 +1,7 @@
+# Makefile for initializing pre-commit hooks
+
+all: init
+
 init: create_venv install_pre_commit install_ansible_galaxy_modules

 create_venv:
@ -9,4 +13,4 @@ install_pre_commit:
 	venv/bin/pre-commit install

 install_ansible_galaxy_modules:
-	venv/bin/ansible-galaxy collection install community.general
+	venv/bin/ansible-galaxy collection install community.general
--- a/README.md
+++ b/README.md
@ -1,108 +0,0 @@
-# data.coop infrastructure
-
-This repository contains the code used to deploy data.coop's services
-and websites. We use Ansible to encode our infrastructure setup. Only
-the association's administrators have access to deploy the services.
-
-## Deploying
-
-To deploy the services, the included `deploy.sh` script can be used. The
-Ansible playbook uses two custom-made roles (in the `roles/` directory):
-
- `ubuntu_base` - used to configure the host itself and install the
-  necessary packages
- `docker` - used to deploy our services and websites with Docker
-  containers
-
-The script has options to deploy only one of the roles. Select services
-only can also be specified. By default, the script deploys everything.
-
-Here is a summary of the options that can be used with the script:
-
-```sh
-# deploy everything
-./deploy.sh
-
-# deploy the ubuntu_base role only
-./deploy.sh base
-
-# deploy user setup only
-./deploy.sh users
-
-# deploy the docker role only
-./deploy.sh services
-
-# deploy SINGLE_SERVICE Docker service only
-./deploy.sh services SINGLE_SERVICE
-```
-
-`SINGLE_SERVICE` should match one of the service names in the `services`
-dictionary in `roles/docker/defaults/main.yml` (e.g. `gitea` or
-`data_coop_website`).
-
-## Testing
-
-In order for us to be able to test our setup locally, we use Vagrant to
-deploy the services in a virtual machine. To do this, Vagrant and
-VirtualBox must both be installed on the development machine. Then, the
-services can be deployed locally by using the `vagrant` command-line
-tool. The working directory needs to be the root of the repository for
-this to work properly.
-
-> Note: As our secrets are contained in an Ansible Vault file, only the
-> administrators have the ability to run the deployment in Vagrant.
-> However, one could replace the vault file for testing purposes.
-
-Here is a summary of the commands that are available with the `vagrant`
-command-line tool:
-
-```sh
-# Create and provision the VM
-vagrant up
-
-# Re-provision the VM
-vagrant provision
-
-# SSH into the VM
-vagrant ssh
-
-# Power down the VM
-vagrant halt
-
-# Power down and delete the VM
-vagrant destroy
-```
-
-The `vagrant` command-line tool does not support supplying extra
-variables to Ansible on runtime, so to be able to deploy only parts of
-the Ansible playbook to Vagrant, the `deploy.sh` script can be used with
-the `--vagrant` flag. Here are some examples:
-
-```sh
-# deploy the ubuntu_base role only in the Vagrant VM
-./deploy.sh --vagrant base
-
-# deploy SINGLE_SERVICE Docker service only in the Vagrant VM
-./deploy.sh --vagrant services SINGLE_SERVICE
-```
-
-Note that the `--vagrant` flag should be the first argument when using
-the script.
-
-## Contributing
-
-If you want to contribute, you can fork the repository and submit a pull
-request. We use a pre-commit hook for linting the YAML files before
-every commit, so please use that. To initialize pre-commit, you need to
-have Python and GNU make installed. Then, just run the following shell
-command:
-
-```sh
-make init
-```
-
-## Nice tools
-
- [J2Live](https://j2live.ttl255.com/): A live Jinja2 parser, nice to
-  test out filters
-
--- a/13
+++ b/13
@ -13,8 +13,7 @@ Vagrant.configure(2) do |config|
  config.vm.hostname = "datacoop"

  config.vm.provider :virtualbox do |v|
-    v.cpus = 8
-    v.memory = 16384
+    v.memory = 4096
  end

  config.vm.provision :ansible do |ansible|
@ -22,17 +21,15 @@ Vagrant.configure(2) do |config|
    ansible.playbook = "playbook.yml"
    ansible.ask_vault_pass = true
    ansible.verbose = "v"
+    ansible.extra_vars = {
+      base_domain: "datacoop.devel"
+    }

    # If the VM is already provisioned, we need to use the new port
    if provisioned?
      config.ssh.guest_port = PORT
      ansible.extra_vars = {
-        ansible_port: PORT,
-        from_vagrant: true
-      }
-    else
-      ansible.extra_vars = {
-        from_vagrant: true
+        ansible_port: PORT
      }
    end
  end
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,8 +1,3 @@
 [defaults]
-ask_vault_pass = True
-inventory = datacoop_hosts
-interpreter_python = /usr/bin/python3
 remote_user = root
-retry_files_enabled = True
-use_persistent_connections = True
-forks = 10
+inventory = datacoop_hosts
--- a/8
+++ b/8
@ -1,5 +1,3 @@
-[production]
-hevonen.servers.data.coop ansible_port=19022
-
-[monitoring]
-uptime.data.coop
+######################################
+### All hosts
+85.209.118.131 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3
--- a/deploy.sh
+++ b/deploy.sh
@ -1,19 +1,9 @@
 #!/bin/sh

-usage () {
-    {
-        echo "Usage: $0 [--vagrant]"
-        echo "Usage: $0 [--vagrant] base"
-        echo "Usage: $0 [--vagrant] users"
-        echo "Usage: $0 [--vagrant] services [SERVICE]"
-    } >&2
-}
-
-BASE_CMD="ansible-playbook playbook.yml"
+BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"

 if [ "$1" = "--vagrant" ]; then
-    BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
-    VAGRANT_VAR="from_vagrant"
+    BASE_CMD="$BASE_CMD --inventory=vagrant_host"
    shift
 fi

@ -30,21 +20,16 @@ else
        "services")
            if [ -z "$2" ]; then
                echo "Deploying all services!"
-                eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
+                $BASE_CMD --tags setup_services
            else
                echo "Deploying service: $2"
-                $BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
+                $BASE_CMD --tags setup_services --extra-vars "single_service=$2"
            fi
-        ;;
+	    ;;
        "base")
-            eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
-        ;;
-        "users")
-            eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
-        ;;
+            $BASE_CMD --tags base_only
+	    ;;
        *)
-            usage
-            exit 1
-        ;;
+            echo "Command \"$1\" not found!"
    esac
 fi
--- a/group_vars/all/secrets.yml
+++ b/group_vars/all/secrets.yml
@ -1,170 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-30613439636234396439623634656338666330643936373563656336323831353464353239353661
-6234316535383838653865643964353033623935313432630a666563316534343733363464396635
-34396664643137643136633837656432623633383361633336343562333039326538393034616637
-6634613631636433610a663835343739376534356133323163343132323233643135613333313132
-65373233666535366137343839363938303561653731633038376631386161653038613631396364
-33636131636536306134346336636332393436303063306262333430613137376438626133353963
-66396332363335333436623335613966323730616139353762656662386530356435623831656632
-30333363376132653362323339386437346134323232363336363461323332613962613131386264
-37383435653061653466613834346430656632626338316564656136666266353231363661666461
-32646461313365626232376536376463313531613861363462643062326538326234613332646430
-33383438613961623134343665383638346164653031363435656162306163653232353162343431
-38333239393332613466663231383932316330376535383466643233326134623530306361393639
-63386530643733393033646139613730313239313866343730643337393533366330373363353338
-62313739613531636166663135646262396334373538636634393534616337363337323630666261
-39643164363437653661633666376431303662396431633661663933343666613234326637636231
-38383537333532326636343366343564646630363838323162373339323365666262303836636232
-31343637616261636130656637393633383165353332346239323063646162306235313962363935
-64633639653261363563646664393630666564646165393736363562623231626634326163306630
-37613635306136643334616364303439323332666431386264623265323636623738303364396636
-37626161363466646166633434333265623236633033666562643264303662333363396631646638
-36626636363261313966393235313866353936323064343331626362306162323166323063656433
-63303762346330323031353034356162373433356436663134373930633634366330653233613139
-63363639343833616431633765613938623037323961623663336662666135313466303661316133
-39353664633036323031373862393530653433373062623233313965653735353566306538393439
-30366162663138326535346639393337393362366630343266643035353465663332333539613337
-30666666363134313239306231356663343166363137366636643931313039333732383833313036
-37393064396662623063613462336363386336393839313465323062646535373733326338353766
-31666639303836316266343764336462343765363930326338313635336633323662366238356264
-38613631313434383830333031643938393566633236383861633266326336653033663163336132
-61313132643062666434346333653234393865656463343363313636613364616361353561343739
-38313231333431303664323730626162613264343630356438336636373739653234336666646438
-37636437623336323461613063396137396533353265333034333435306666636261353933613232
-65363632383039666666323030323830333534376362326136313232393732613166303461383933
-62303166396533616538666566356238393265663163343264333664393936613066313665616137
-38613030623937633730646461666233333035323661363835313161613930336237396332623338
-30666166636662613130363430333436613532326437393730376536353963356633393736303065
-31393534646537323037316664313438643836386333613961663031383231663932633934656461
-62313163616635626131663961326438396439383432346337386261313330343330353637376330
-38346532396533326135303264613361663836646163623630323832653032396237353966663661
-36353365313962663832393333336138346335363832396535346336643565366465643565616638
-63616565356663623531323935393334326639626236353338643237343764366464666131393332
-64396665343535323339383434366133613235313866653663313639633930323864646536346232
-65316465643662376264373536393232326666663335316631376433343062646361376165363732
-66326165643163333737313139386461363431353239626236366238343035386663363435366464
-31633738336263633961306436613233303861633263343030336637373165663261316632663537
-31613636663163323365303038373134306264343831326264326261633834393366623061616262
-63393463333833393636666232626662643738653634306364326231343830633834643664353730
-37346131346263356539363630363230626364663161643064323538396131636633623866383939
-66346434323935353632633837363530663438636539616130633532346236343661633766383434
-34343339646662393030323661623665643432376365633435666333316439356631386234303062
-35346631656230346565323130333765663933373638303639363530373431343232393864656639
-33666433366131396464323137393239653531376662646235343962613639343831636261326265
-65663564613766313634653938316339306434663463623563316431633234323330623738646636
-37643535623664323433626561383462393033343232303838333930653366376536353765613036
-35663165623265616630373161336632646435613331373166303632373633313865386134636362
-61636134343839643735636461626663626237613262316564646339323933363864303935353834
-39396637646264633736366336616336643032313237653662646331383963366533373766356539
-35306165306534393463663332336430336635666135643561303935386635393838323865623162
-36323565616232353261303139623465646234313136383436376162376165303664613164356162
-33373237333666616135636231653637396330663930663962636161326664333261343737343735
-37313465396130653138613539376436373237343138636535626632326435383234326466363235
-34646663653038396630353637636166346261346233333632363361326536383634663433613564
-35633864343630333033613133626635313931333031643564396164393135346131343832363861
-61366664363838653438653137383933386233633836323332643531303936353237623734666135
-31356166613664636634336536343032646239643130346564303162356431346539646336323339
-61626236346535336638353134353838333434663838303730613363393365633739383563613434
-64336331306639323061386338656361653636353831346237373134346538623464343562393735
-39333764343139333133393233626564643266373034623764633835383561366265636632633937
-62343635343161363231653138613263313562366439316435633964396161343566316435303465
-39666236316339653839313333396264623636663561653932386638366366663933353761353162
-61343038383939396231346534336361306430373564353633653139306334623630343738636430
-66376631366662313131646130363530323232383535333163363466636262363461633232343532
-63626430336261353861633362396638643937623832386638626334663333363637393637373939
-64303039666432303535636265613564376139333331653336666563663238366639393366363334
-36303635633933333832396562373965653361303034653139643466656534326231383162336366
-31656138656539383539396462326134333331653131306537643962653762373035343235333233
-34373730623663346430303962653061623330653263393633383835663739663961326566323036
-30336365616532303362396230616531386639333636336332366335613935623836616134393033
-62653535396630383436393631396337336163323361663930323532633666663238333366383462
-36393261376262643336643761613731643032626632646332366661626331333233363436613937
-34653731666137313733653863396164323963383037353265373532303137623037343733616537
-66336433343334626536323639636139653931383466633833326234633332613431353432343561
-36626339656536383862623833633634356435393764316633353135326639623534366538313330
-62633333303266613630326330333336353264343937393864393239623664323366373565383334
-37383237376664643065383834633961366632643261343635336335353765353863323131653866
-31326531303461323736303730623638663863353939636437636231636437323730656463633733
-65383934343534383631363162363830386365313935663337366335326131393262353030663765
-30643665383332613030336439346332363135366232303166623534333637366133656437643231
-30306634636430643864363561316334383530613165326663326665613633636237353830393334
-62653333623563626131666166646335663334393662336337333836376631303631666136376332
-37316537356531346464623363653033306537636239633065646533643239653063613835363665
-30383139326465613864316533643033333430326230646334353364633138666532353736313265
-34623733613864646661353730666433613961643261346166303264386435643565373565323864
-61346465336231613865363263303034396439346163393534666439666437353266323565653032
-39386439646438313938356237643831643434666161383632316530356465616632313235643834
-33303865653836303632656663366465333331616634313863656438393838636631313364633637
-38646230643734393733663261326161376536643237626130353831363731306231313864613066
-34623239396362336639363163313161323065653461363563353631613730373830643133336464
-31336439636361363539383539323631303462633833353032373530333539336538363033383363
-32613733623839623938326165356237313165383366646233393933393965613363666532646434
-63316133613130313363303537366230646235663130313538333761633237383262316633366364
-65373664616237316534613831313966623939396331626334313430386638653461386334363939
-35333339643837666264356535643365353331393437313866643034663934336466336534343035
-61313837666662343363613962623462333935353837333336363839623466303534303837396634
-38656330666661356235626130303538666533666563323936633564383164633834353831306634
-36343836353464623962333362353133386563343831336463646635646263383832666232323736
-38613730316634373365343938623237356231643931303333366462373134383137366339613662
-62643832323734363635643634373066303366306366663036623139393761636533326130313336
-30316536396466383463393233363035393335343565323635333665346464366139626165636661
-39363066643437613537653836636363376532643038363063383234353066313737663061363334
-38306563613561663165623630366135303332636133343733343836383865613661393761333031
-62653162626461616564643138613737623632313739393962396439306133646138303936636435
-39393663653865363166316365376562353461633163353734343132343831386434653037323732
-36356162356336616330636630376438636165653439376137313934663939376639396266323962
-37383736333536653438363963316435326632393966383534326337303336386135616636363936
-35393331313938653830646332376631623763383439623633396433633739663038313264323835
-33373664313562366664363630316132643465363964383339363339656237323465626262306364
-33306133373065303135613235623262396365363634316365356364373561363762666235666430
-62336362643564313238363933623366396138646237336336623062326161326536323534326364
-39316162643966616436343737313434616230346237346237363962653033613930623462386431
-38343662356665383763633034393236613733643430313937326335356466376139653533333965
-39386138623134666132663837616637376362303561393133656139653438386363613965393661
-36343566643931393061373031343331336463643034383065383763663234373438383064303232
-64666236313935346237666466333562613935646163653331303661386138313739326538353935
-64323737323532663731353136336138633533386464616362333838396332323563353537613430
-33633631326238366166346437316638363161386562383630623466386564323266333033313461
-63666535363034613232346239636233623130393032353030363334333531646238373262323765
-61373739396162643661353031613663353531653836323730326166383463613330333966336233
-30386136346466336361303237303534373064353230653238363231633530613866663461643465
-30396266356164353063323432663561396564636231346534366661663766613634376235356637
-39313839616336666461313431326430333932623262333437386464636264373430653566386631
-64653866623662363864376663613136306165393863346533303634623936373835633864313462
-61333562646233303232623861366634383466633537383831626334356561353637663038643531
-39386635326366646134333231653737653630356135396634326537633232333166616161653136
-33393562383233656564356530386465623239386666313964343534343466616134373132636631
-39666365393063323838343963366339373434353839383039383238613133636237316365323861
-30626330643665626465666338353030653839383234393237623633646566376361646536353233
-31393235623561323765633835313139313538343761393064353632316335656231353930656437
-31313639313931636633333230653730666638373864326239333561393134356632623138366131
-65356462373336383039316131626562633330666363386631383663343838393435663538343934
-65386339626362623664393532386131303234633466363437383236616463343831353862323961
-39663835313234326137303965663963663761656531653437343234643634316565333762663139
-65393830633237623031303234636134633539316131396135616237316266333437633861303831
-62656630373763343366636635653033666630613533363365636261323661383364343161343439
-35626531346665656263643461306261376238353033343032353731373861333239333862653231
-31336562653133623163353230633331346237356534333534613161323462636639636662623435
-63633035336662376636623339326433393035646539626231363762643532323463316263393736
-62613038333733636362356636373331313661663830633433643039653233626261613739663836
-38643030313338383266323134326337323334343230623331386664333937316266623134336362
-61373037353664623863393233376264616438656332386130316361663665323135386463383763
-33303633356133353439393664363630336133306364363430393232326665393339323265383630
-31656463343064383837333630366465396633393465666235626330343937313630623039383465
-63326361663238653035613935343932623237396362643833313731323830313962616362613539
-32346165303930323739313837643933363863643937346561643930653530393636383036613235
-61376166386563643733333233343437623630323632643463353131386461663936313065313562
-31393032646262386634353436643466323731366631393136393433616332613036666163336635
-37303365633338613630656463663533653336666562653236336264303238383930383132346365
-35386662636439653930343738633265363635626132343030653462306431363234633635643537
-61666363346430653131623762666564313665653262386332396532646339383136383337353863
-38386632316632373338653535323335363265653563376330663239343861346563646366313039
-33306364623536346339393566326533633133393866303535326535306435626531346264616138
-34356231373561633337653663643566633632393330386564393966666365306565316135646163
-63366365383839343134303635376233343865663631633331333230616630366633396231333435
-30366137383238393139336433353764633038616238326136663636656132626538393565393130
-38653765326137393136386233383636383165613235373437353730306564643033306534386666
-61623538663537653166313264303533623162356134393333373732383535386261333535383039
-65613166666230336265366335323434636336663835323034373930393430363065376665666337
-35363265666130653830333536326433316639613638613730666139623137333736663535633032
-33363135376636636536623731323134343237393633333038393364376237386165
+35343731613336373363633564396639393230633664336338396164303238316564326663643638
+3365306264343434623836656435653436396636353866620a646336316338373866313362363664
+65363931633031613362383337643038636435303739376131643564633831316435653937353061
+6330306330383865640a643937326634393437313864326361373634373930623464613363663831
+37373230366262323261316134326333663262643764623639306239623066613335616531613662
+32343331313266363630343465376332303862353834653262306536623538383662366562616635
+34636561663366323434356337376261373039353931636139656437346165656663653233333266
+62353961626665636463396566626330383836383030363032303563633466326339626263306165
+31313266636330653933363630396166333339376564333133623237373962386164616332616438
+39623132663766633331306636613532333739613938333435393633386166333335393565633963
+30363165643038623962353762323338306466353031383531623066363632363033383639393537
+31333037626638353830653538373634666432346166373661313531656466383263323262373565
+38383766343030643939633830343332666165643661363631633963393632666632643361656139
+35346131363539613137396465306663363836666662303932646262383231363634373231373333
+34366636346530383736393532646563643139343764333661663033316432386632393139326439
+39303661333732376433663539383662363232313135663838616231343863326631353434326337
+36313335393262663932666365336334396131393362636637653630653965643662626434323736
+65663966306661646131643962336366643235353863646136613463323337663865323262613461
+33363636386665646538333334373564396333316665343566653662666331666236303438343962
+63396164316561363132306237336365313835346663616339666538643033356637633432383331
+64363964356264643038396139383838616131383466666565383131663331336530663832306635
+30643630623861633939646665326262393635626265323261653339646263386334353064393534
+63303464623433333863386136626566336135346561343964323436643739343037383839373332
+34656439333538653461663764323265303064643165663263316164396633623232626535353863
+64643766623032653838306134376131623564363735386531383732346438343932353966333062
+30613166623138333865343735663530346635383162616635326330636161303863626539663166
+31336333643765303635643862666234643538313033663563663034343632653466626661343639
+33656436393738326135363166623633366331633065373633313864353333316131346664353532
+66646239373166376361326664646263616263323632636235353864656438383038663662376164
+37336431306166366561623836373938366336623866653730353861333431383832313039313739
+61616435666236373463616162653732373766336365313930383665363661356565613461373165
+66636537333333633832366234633066366537646138346233313233376135666666336264316435
+64613030323430343764336465353334633836653133343532386435636136336638313162626462
+33363830396462616662313030316166646531643238363130613036666631643737306138326234
+65323763636363393031616633633338653531633639356238316236303264303034623632626261
+36626639633234396230356236643766306232646230623665633866643434313334303265323465
+66386461323563343236633864396562306165616338306334353563656461346464353930646161
+36653064613736346237363362663835656365616334363238376566316137303737316630316363
+65393139313832353461313634393931633761666531316333373762373265613464303365326338
+66393165366334636431353836336535636233336332336664613263613465393235363235623037
+61313037633761366661303663636364346131326334393765646262393863363062333739376466
+65653434336532323365376233646365323537313131306661306363313864326361646432326632
+64383533313833333466313231353863656634623135386631363864363834633035636632366164
+66356539353264633461396132336435353234333132376130616335613136356364643165346537
+62366630363439336432353066323238363233613032343635663731613134393639656535333736
+32623733333866393565366661643030376137646437616336386530363230376637316436313763
+36323532643763363864336634623132343530333531363231383130333064653233363339646136
+35343165623864646530633731373539356665316164653365303965663862313462313362643637
+34633163363833626635613634633938656334366366316266636532613065333436663633656530
+65623561326565643739303931323539643337373736646663363362646139323333346237353731
+32643739626561396664646537376139326339626235336464343964613761396430343461346639
+33326631373030653637393865333837386432333634653066353366613334396639626631653737
+34353831386366636663323761656431663965303561636236366538393261653333396537326461
+31323332613737646364616565393534306131323234633933636638333637623661343334383561
+30323464373365626662323062363135333932666163323235633131303566323964343734383238
+32376435363737373336363363613738366337626162333236643738373266633933363162303833
+37366631343933313934313463363834643835333766663361303335313539363839663231333963
+66326261323631386532346637376132646263303466383330373833633034373933616538306330
+33386334306330346161633131386130636634643531633233376337343637363235356135383366
+31366463323831636438646262613239663830333531386330326131643032653033336339643561
+64636439323065343564306163303134623439343963383136633864623633363364646535666565
+31393564316234343066303664396534386537303364343234303832346331326430386432636332
+38316565346433663639646330393339303530623636386332633666656363376239383535386134
+35376135306461333237383562356162326338363435643133653838343535326535326337376130
+37306462633835666132653466373163613566633863343363653539343239316233616661633532
+64386538363163653963363331623531313237636431343934643136656536323734636261656333
+39636132613431653562393238346565323330656539666230643566633663316239353436383566
+64303535353031636662643062326565313837393932346431326137316337376361363338383533
+34613632323230393233666437346466626232363636636636393836333832633335393734343565
+33333461343530333135663436343333623966363230666330323562363136383166666665333861
+65366436643363383331353361656434336631396437616562303861666263353533313738326138
+33653735333230636437643038633763343063336262386663313237653661346262653834616665
+37343834323937623761386639653736313232323166373561643235336261306430393533376139
+31653132613331626435623333343862393038643364616236626466333338646639663930663436
+66636462646130653537343739646437363130313766636438663130616665333232396331303531
+30373762343531383239653132633363386239643666316166363931326563343633653433383538
+36333733626363626464636435626131653439313862666230393334353938356436376664323961
+62326566646463396536633265333461306430616437646630363239653333643732366430373133
+32323636636161623932376235383430366661636439643565366532376239613366303039376434
+39646437363636633265313838616463383231643030643732306364333161656236303131333533
+62343539613264383830306639303164643233653032616566646163656564356262323065303134
+61613563646538316232353833636536633435336663326262663062663030326234316131353835
+34363564306335356633343438396434363261646665653665633235303932383266393630623238
+31323037336566633035366464386232616561383566343061343031623630383238643433376231
+64633634616133386138326138393138353937363332646637663363363064393065336438303932
+38393139306330396338646233366235316435313838633563353838303832616630633731323535
+31393039306630613734343433633662343831313336616561656136323039333235383733363364
+66383836363239376539316362646232356636336665316664653565653439353932663433346438
+65306365623334656133636332393265643163313939363537323738646664326364343064396337
+37383637383064643763363135386434316664306231376462653066653063313962316231386162
+63343533386262616631333233316330666263656532306466623733343764646361666165393863
+62326435346532623635343535353263626566313061643563613937346562643962386565396439
+62616661626464613366656462353932323732313062363566316562396134346433376237326664
+39333238346464393930653435363336333365323537356531313830626437303736333635356534
+62653766323065373662366162333363343466373135623262663436626438306337333365633633
+37333931623434666564366430666462343162303030643733623637656337393763393437656335
+36393162363765383464316562306532336265373130623566646134666337333133363863373964
+33666437323733396139653436323262383336306561643738366463646461646462333338623662
+30656135343934633335376634326533313663653761656235626165313834356464636535326439
+32343834316433393236353739646663393930663635646366623835633363653662626535366361
+64626561613064646431306634393330333265366530353063653132353735663564326563323961
+39663535346539326165313263383933653633306330303930376336316632636537363437663063
+64376465663634363838623230386139636231353665616165323065633661343339373432373732
+63356130653535303934396335306566646538383938636331333362353534366632663930393732
+37353365343532646137343631383833616430326631323564666361323934383839303130636333
+38653139303663356337376261616463303665623431613963643137356439326162386337326161
+61383434383534353732343733326139313462396432366336653139363466653336626338366365
+31386438333438633465666337393732343533373363646234383265323132303433316135396232
+39373764333863626634343636306533393361643135323531383963366137626464353064613065
+61623063303865646161363432643765323361363364383635646538636232353337636235613861
+36396631383639633263303131383537326464313433663032346230386432633864613335616533
+61373238363930653866643933623561613363333139373135633332643563613838346434623033
+34353161396433663632656633356536323662386332626566393636323463363334613234376137
+38643465656262656236666332383361616164366230323936346565303961333761613136353435
+63643839636464323362396235333738626132393030393737373438393032323931643936306239
+31643537353462626238306563316132663139393635356631373839653462613238323831303537
+33626362636362383530386333343266383061646436353635396230396231343364323631343037
+65663363656463393234313465386233663635626333346132353539366464653532333830326661
+64343136323366346239373737666435366363663237663039636631656266333562376532396661
+35666430626233333166356139613233306536303365313262363366316135326662636166393031
+38356661396232366236303732326666353864353735336161326663623030343766633266623236
+65626237636133626335656663323533386236353164303230313237643130386133613466613933
+31343261356632643265623866373965326561363538326336656561373631373938343334653662
+32616366373839373737393262633064666437303538386363616431386138346439353534623631
+63323063346564646462313034623630396462623565646430363338393239343761396235303863
+31636531323732303230626437363764306631366363643766633734353336373564393731366238
+32623563633661646465396136396462663363376333613434666632383637616133626132616362
+61343032643966323539353033643136616463353563666462313731386261633333623832643439
+38323666666330356538313730306334336433613364313065313761636261363433356438323136
+61343233643138646263626333306265366239613266646663323733636162323332643531643331
+39396433636233366365336166356661623132656261656666386361326164643634366436303737
+61653832373162356634313163363233323964303738366266376665346365396635343332396166
+35393263373732313734353332663238326563366534623131386233633365303664616562386231
+36326138356230663731306339666138343161386331313137313861633039303930623663646333
+65336461653033333332323162363539663366653762303266656366386665396463626265303264
+35666437663966663130633663643861326563336466633133646562383230363332646639616436
+36656137653061303262633736653433343838323666646261386266353735326564386465646334
+34633339336336613531666132633832363838343333353862333136616532613462343364616539
+37363437613236323235383936613763383966366265303731303034373430333936366339323437
+32303537653062663233
--- a/group_vars/all/secrets.yml.contents
+++ b/group_vars/all/secrets.yml.contents
@ -1,14 +1,14 @@
 # These are the variables contained in secrets.yml
 # Secrets are usually 32 characters or more, matching [a-Z0-9]
---
+
 postgres_passwords:
  nextcloud: xxx
  passit: xxx
  gitea: xxx
  matrix: xxx
+  codimd: xxx
  mailu: xxx
  keycloak: xxx
-  hedgedoc: xxx
  mastodon: xxx
  rallly: xxx
  membersystem: xxx
@ -31,9 +31,8 @@ drone_secrets:
  rpc_shared_secret: xxx

 restic_secrets:
-  repository_password: xxx
-  ssh_privkey: xxx
-  uptime_kuma_url: xxx
+  user_secret: xxx
+  encryption_secret: xxx

 matrix_secrets:
  registration_shared_secret: xxx
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -1,4 +1,3 @@
-# vim: ft=yaml.ansible
 ---
 users:
  - name: graffen
@ -13,8 +12,8 @@ users:
    groups:
      - sudo
    ssh_keys:
-      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
-      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH
+        valberg

  - name: reynir
    comment: Reynir Björnsson
@ -22,8 +21,10 @@ users:
    groups:
      - sudo
    ssh_keys:
-      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw==
+        reynir yubikey
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t
+        reynir@spurv

  - name: samsapti
    comment: Sam Al-Sapti
@ -31,5 +32,5 @@ users:
    groups:
      - sudo
    ssh_keys:
-      - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf
+        samsapti
--- a/playbook.yml
+++ b/playbook.yml
@ -1,27 +1,25 @@
-# vim: ft=yaml.ansible
 ---
- hosts: production
+- name: Deploy data.coop services
+  hosts: all
  gather_facts: true
  become: true
  vars:
-    ldap_dn: "dc=data,dc=coop"
+    base_domain: data.coop
+    letsencrypt_email: admin@data.coop
+    ldap_dn: dc=data,dc=coop

-    vagrant: "{{ from_vagrant is defined and from_vagrant }}"
-    letsencrypt_enabled: "{{ not vagrant }}"
+    vagrant: "{{ ansible_virtualization_role == 'guest' }}"
+    letsencrypt_enabled: '{{ not vagrant }}'

-    base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
-    letsencrypt_email: "admin@{{ base_domain }}"
-
-    smtp_host: "postfix"
-    smtp_port: "587"
-
-    services_exclude:
-      - uptime_kuma
+    smtp_host: postfix
+    smtp_port: '587'

  tasks:
-    - import_role:
+    - name: Setup host basics
+      ansible.builtin.import_role:
        name: ubuntu_base
      tags:
        - base_only
-    - import_role:
+    - name: Deploy docker containers (services)
+      ansible.builtin.import_role:
        name: docker
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -1,227 +1,169 @@
-# vim: ft=yaml.ansible
 ---
-volume_root_folder: "/docker-volumes"
-volume_website_folder: "{{ volume_root_folder }}/websites"
+volume_root_folder: /docker-volumes

 services:
-  ### Internal services ###
+
+   ### Internal services  ###
  postfix:
-    domain: "smtp.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/postfix"
-    pre_deploy_tasks: true
-    version: "v3.6.1-alpine"
+    file: postfix.yml
+    version: v3.5.0

  nginx_proxy:
-    volume_folder: "{{ volume_root_folder }}/nginx"
-    pre_deploy_tasks: true
-    version: "1.3-alpine"
-    acme_companion_version: "2.2"
+    file: nginx_proxy.yml
+    version: 1.0-alpine
+    volume_folder: '{{ volume_root_folder }}/nginx'
+
+  nginx_acme_companion:
+    version: '2.2'

  openldap:
-    domain: "ldap.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/openldap"
-    pre_deploy_tasks: true
-    version: "1.5.0"
-    phpldapadmin_version: "0.9.0"
+    file: openldap.yml
+    domain: ldap.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/openldap'
+    version: 1.5.0
+
+  phpldapadmin:
+    version: 0.9.0

  netdata:
-    domain: "netdata.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/netdata"
-    version: "v1"
+    file: netdata.yml
+    domain: netdata.{{ base_domain }}
+    version: v1

  portainer:
-    domain: "portainer.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/portainer"
-    version: "2.19.0"
+    file: portainer.yml
+    domain: portainer.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/portainer'
+    version: 2.16.2

  keycloak:
+    file: keycloak.yml
    domain: sso.{{ base_domain }}
-    volume_folder: "{{ volume_root_folder }}/keycloak"
-    version: "22.0"
-    postgres_version: "10"
-    allowed_sender_domain: true
+    volume_folder: '{{ volume_root_folder }}/keycloak'
+    version: '20.0'

  restic:
-    volume_folder: "{{ volume_root_folder }}/restic"
-    pre_deploy_tasks: true
-    remote_user: dc-user
-    remote_domain: rynkeby.skovgaard.tel
-    host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
-    repository: restic
-    version: "1.7.0"
+    file: restic_backup.yml
+    user: datacoop
+    domain: restic.cannedtuna.org
+    repository: datacoop-hevonen
+    version: 1.6.0
    disabled_in_vagrant: true
-    # mail dance
-    domain: "noreply.{{ base_domain }}"
-    allowed_sender_domain: true
-    mail_from: "backup@noreply.{{ base_domain }}"

  docker_registry:
-    domain: "docker.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/docker-registry"
-    pre_deploy_tasks: true
-    post_deploy_tasks: true
-    username: "docker"
-    password: "{{ docker_password }}"
-    version: "2"
+    file: docker_registry.yml
+    domain: docker.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/docker-registry'
+    username: docker
+    password: '{{ docker_password }}'
+    version: '2'
+
+   ### External services  ###

-  ### External services ###
  nextcloud:
-    domain: "cloud.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/nextcloud"
-    pre_deploy_tasks: true
-    version: 28-apache
-    postgres_version: "10"
-    redis_version: 7-alpine
-    allowed_sender_domain: true
+    file: nextcloud.yml
+    domain: cloud.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/nextcloud'
+    version: 25-apache

-  forgejo:
-    domain: "git.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/forgejo"
-    version: "1.21.8-0"
+  gitea:
+    file: gitea.yml
+    domain: git.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/gitea'
+    version: 1.17.3
    allowed_sender_domain: true

  passit:
-    domain: "passit.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/passit"
+    file: passit.yml
+    domain: passit.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/passit'
    version: stable
-    postgres_version: 15-alpine
    allowed_sender_domain: true

  matrix:
-    domain: "matrix.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/matrix"
-    pre_deploy_tasks: true
-    version: v1.98.0
-    postgres_version: 15-alpine
-    allowed_sender_domain: true
+    file: matrix_riot.yml
+    domain: matrix.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/matrix'
+    version: v1.63.1

-  element:
-    domain: "element.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/element"
-    pre_deploy_tasks: true
-    version: v1.11.51
+  riot:
+    domains:
+      - riot.{{ base_domain }}
+      - element.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/riot'
+    version: v1.11.8

  privatebin:
-    domain: "paste.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/privatebin"
-    pre_deploy_tasks: true
-    version: "20221009"
+    file: privatebin.yml
+    domain: paste.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/privatebin'
+    version: 20221009
+
+  codimd:
+    domain: oldpad.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/codimd'

  hedgedoc:
-    domain: "pad.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/hedgedoc"
-    pre_deploy_tasks: true
-    version: 1.9.9-alpine
-    postgres_version: 10-alpine
+    file: hedgedoc.yml
+    domain: pad.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/hedgedoc'
+    version: 1.9.6

  data_coop_website:
-    domain: "{{ base_domain }}"
-    www_domain: "www.{{ base_domain }}"
-    volume_folder: "{{ volume_website_folder }}/datacoop"
-    pre_deploy_tasks: true
-    version: stable
-    staging_domain: "staging.{{ base_domain }}"
-    staging_version: staging
-
-  slides_2022_website:
-    domain: "2022.slides.{{ base_domain }}"
-    volume_folder: "{{ volume_website_folder }}/slides-2022"
-    version: latest
-
-  fedi_dk_website:
-    domain: fedi.dk
-    volume_folder: "{{ volume_website_folder }}/fedidk"
-    version: latest
-
-  vhs_website:
-    domain: vhs.data.coop
-    volume_folder: "{{ volume_website_folder }}/vhs"
-    version: latest
+    file: websites/data.coop.yml
+    domains:
+      - '{{ base_domain }}'
+      - www.{{ base_domain }}

  cryptohagen_website:
+    file: websites/cryptohagen.dk.yml
    domains:
-      - "cryptohagen.dk"
-      - "www.cryptohagen.dk"
-    volume_folder: "{{ volume_website_folder }}/cryptohagen"
+      - cryptohagen.dk
+      - www.cryptohagen.dk

  ulovliglogning_website:
+    file: websites/ulovliglogning.dk.yml
    domains:
-      - "ulovliglogning.dk"
-      - "www.ulovliglogning.dk"
-      - "ulovlig-logning.dk"
-      - "www.ulovlig-logning.dk"
-    volume_folder: "{{ volume_website_folder }}/ulovliglogning"
+      - ulovliglogning.dk
+      - www.ulovliglogning.dk
+      - ulovlig-logning.dk

  cryptoaarhus_website:
+    file: websites/cryptoaarhus.dk.yml
    domains:
-      - "cryptoaarhus.dk"
-      - "www.cryptoaarhus.dk"
-    volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
+      - cryptoaarhus.dk
+      - www.cryptoaarhus.dk

  drone:
-    domain: "drone.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/drone"
-    version: "1"
+    file: drone.yml
+    domain: drone.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/drone'
+    version: 1

  mailu:
-    domain: "mail.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/mailu"
-    pre_deploy_tasks: true
+    file: mailu.yml
+    version: 1.6
+    domain: mail.{{ base_domain }}
    dns: 192.168.203.254
    subnet: 192.168.203.0/24
-    version: "2.0"
-    postgres_version: 14-alpine
-    redis_version: alpine
+    volume_folder: '{{ volume_root_folder }}/mailu'

  mastodon:
-    domain: "social.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/mastodon"
-    pre_deploy_tasks: true
-    post_deploy_tasks: true
-    version: v4.2.9
-    postgres_version: 14-alpine
-    redis_version: 6-alpine
+    file: mastodon.yml
+    domain: social.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/mastodon'
+    version: v4.0.2
    allowed_sender_domain: true

  rallly:
-    domain: "when.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/rallly"
-    pre_deploy_tasks: true
-    version: "2"
-    postgres_version: 14-alpine
+    file: rallly.yml
+    domain: when.{{ base_domain }}
+    volume_folder: '{{ volume_root_folder }}/rallly'
+    version: a21f92bf74308d66cfcd545d49b81eba0211a222
    allowed_sender_domain: true

  membersystem:
-    domain: "member.{{ base_domain }}"
-    django_admins: "Vidir:valberg@orn.li"
-    volume_folder: "{{ volume_root_folder }}/membersystem"
-    version: latest
-    postgres_version: 13-alpine
+    file: membersystem.yml
+    domain: member.{{ base_domain }}
+    django_admins: Vidir:valberg@orn.li
    allowed_sender_domain: true
-
-  writefreely:
-    domain: "write.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/writefreely"
-    pre_deploy_tasks: true
-    version: v0.15.0
-    mariadb_version: "11.2"
-    allowed_sender_domain: true
-
-  watchtower:
-    volume_folder: "{{ volume_root_folder }}/watchtower"
-    version: "1.5.3"
-
-  diun:
-    version: "4.27"
-    volume_folder: "{{ volume_root_folder }}/diun"
-
-  ### Uptime monitoring ###
-  uptime_kuma:
-    domain: "uptime.{{ base_domain }}"
-    status_domain: "status.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/uptime_kuma"
-    pre_deploy_tasks: true
-    version: "latest"
-
-services_exclude: []
-services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"
--- a/roles/docker/files/configs/docker_registry/nginx.conf
+++ b/roles/docker/files/configs/docker_registry/nginx.conf
--- a/roles/docker/files/configs/mastodon/env_file.j2
+++ b/roles/docker/files/configs/mastodon/env_file.j2
--- a/roles/docker/files/configs/mastodon/vhost-mastodon
+++ b/roles/docker/files/configs/mastodon/vhost-mastodon
--- a/roles/docker/files/configs/matrix/homeserver.yaml.j2
+++ b/roles/docker/files/configs/matrix/homeserver.yaml.j2
@ -339,7 +339,7 @@ database:
    user: "synapse"
    password: "{{ postgres_passwords.matrix }}"
    database: "synapse"
-    host: "postgres"
+    host: "matrix_db"
    port: "5432"
    cp_min: 5
    cp_max: 10
@ -416,7 +416,7 @@ uploads_path: "/data/uploads"

 # The largest allowed upload size in bytes
 #
-max_upload_size: "512M"
+max_upload_size: "50M"

 # Maximum number of pixels that will be thumbnailed
 #
@ -676,8 +676,15 @@ report_stats: false

 ## API Configuration ##

-room_prejoin_state:
-  disable_default_event_types: false
+# A list of event types that will be included in the room_invite_state
+#
+room_invite_state_types:
+    - "m.room.join_rules"
+    - "m.room.canonical_alias"
+    - "m.room.avatar"
+    - "m.room.encryption"
+    - "m.room.name"
+

 # A list of application service config file to use
 #
@ -820,10 +827,23 @@ password_config:
 # If your SMTP server requires authentication, the optional smtp_user &
 # smtp_pass variables should be used
 #
-email:
-  smtp_host: "{{ smtp_host }}"
-  smtp_port: {{ smtp_port }}
-  notif_from: "{{ services.matrix.domain }} <no-reply@{{ services.matrix.domain }}>"
+#email:
+#   enable_notifs: false
+#   smtp_host: "localhost"
+#   smtp_port: 25
+#   smtp_user: "exampleusername"
+#   smtp_pass: "examplepassword"
+#   require_transport_security: False
+#   notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
+#   app_name: Matrix
+#   # if template_dir is unset, uses the example templates that are part of
+#   # the Synapse distribution.
+#   #template_dir: res/templates
+#   notif_template_html: notif_mail.html
+#   notif_template_text: notif_mail.txt
+#   notif_for_new_users: True
+#   riot_base_url: "http://localhost/riot"
+

 #password_providers:
 #    - module: "ldap_auth_provider.LdapAuthProvider"
--- a/roles/docker/files/configs/matrix/matrix.data.coop.log.config
+++ b/roles/docker/files/configs/matrix/matrix.data.coop.log.config
--- a/roles/docker/files/configs/matrix/vhost-matrix
+++ b/roles/docker/files/configs/matrix/vhost-matrix
@ -0,0 +1,2 @@
+listen 8008;
+client_max_body_size 50M; # default is 1M
--- a/roles/docker/files/configs/matrix/vhost-riot
+++ b/roles/docker/files/configs/matrix/vhost-riot
@ -0,0 +1 @@
+client_max_body_size 50M; # default is 1M
--- a/roles/docker/files/configs/matrix/vhost-root
+++ b/roles/docker/files/configs/matrix/vhost-root
--- a/roles/docker/files/configs/nextcloud/vhost
+++ b/roles/docker/files/configs/nextcloud/vhost
--- a/roles/docker/files/configs/privatebin-conf.php
+++ b/roles/docker/files/configs/privatebin-conf.php
--- a/roles/docker/files/configs/rallly/env_file.j2
+++ b/roles/docker/files/configs/rallly/env_file.j2
@ -1,5 +1,5 @@
 NEXT_PUBLIC_BASE_URL="https://{{ services.rallly.domain }}"
-DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@db:5432/rallly_db"
+DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@rallly_db:5432/rallly_db"
 SECRET_PASSWORD="{{ rallly_secrets.secret_password }}"
 SUPPORT_EMAIL="noreply@{{ services.rallly.domain }}"
 SMTP_HOST="{{ smtp_host }}"
--- a/roles/docker/templates/element/config.json.j2
+++ b/roles/docker/templates/element/config.json.j2
--- a/roles/docker/files/configs/riot/riot.im.conf
+++ b/roles/docker/files/configs/riot/riot.im.conf
--- a/roles/docker/files/configs/thelounge.js
+++ b/roles/docker/files/configs/thelounge.js
@ -0,0 +1,511 @@
+"use strict";
+
+module.exports = {
+        //
+        // Set the server mode.
+        // Public servers does not require authentication.
+        //
+        // Set to 'false' to enable users.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        public: false,
+
+        //
+        // IP address or hostname for the web server to listen on.
+        // Setting this to undefined will listen on all interfaces.
+        //
+        // For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
+        //
+        // @type     string
+        // @default  undefined
+        //
+        host: undefined,
+
+        //
+        // Set the port to listen on.
+        //
+        // @type     int
+        // @default  9000
+        //
+        port: 9000,
+
+        //
+        // Set the local IP to bind to for outgoing connections. Leave to undefined
+        // to let the operating system pick its preferred one.
+        //
+        // @type     string
+        // @default  undefined
+        //
+        bind: undefined,
+
+        //
+        // Sets whether the server is behind a reverse proxy and should honor the
+        // X-Forwarded-For header or not.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        reverseProxy: false,
+
+        //
+        // Set the default theme.
+        // Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
+        //
+        // @type     string
+        // @default  "example"
+        //
+        theme: "example",
+
+        //
+        // Prefetch URLs
+        //
+        // If enabled, The Lounge will try to load thumbnails and site descriptions from
+        // URLs posted in channels.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        prefetch: false,
+
+        //
+        // Store and proxy prefetched images and thumbnails.
+        // This improves security and privacy by not exposing client IP address,
+        // and always loading images from The Lounge instance and making all assets secure,
+        // which in result fixes mixed content warnings.
+        //
+        // If storage is enabled, The Lounge will fetch and store images and thumbnails
+        // in the `${THELOUNGE_HOME}/storage` folder.
+        //
+        // Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
+        // and the folder is cleaned up on every The Lounge restart.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        prefetchStorage: false,
+
+        //
+        // Prefetch URLs Image Preview size limit
+        //
+        // If prefetch is enabled, The Lounge will only display content under the maximum size.
+        // Specified value is in kilobytes. Default value is 2048 kilobytes.
+        //
+        // @type     int
+        // @default  2048
+        //
+        prefetchMaxImageSize: 2048,
+
+        //
+        // Display network
+        //
+        // If set to false network settings will not be shown in the login form.
+        //
+        // @type     boolean
+        // @default  true
+        //
+        displayNetwork: true,
+
+        //
+        // Lock network
+        //
+        // If set to true, users will not be able to modify host, port and tls
+        // settings and will be limited to the configured network.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        lockNetwork: false,
+
+        //
+        // Hex IP
+        //
+        // If enabled, clients' username will be set to their IP encoded has hex.
+        // This is done to share the real user IP address with the server for host masking purposes.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        useHexIp: false,
+
+        //
+        // WEBIRC support
+        //
+        // If enabled, The Lounge will pass the connecting user's host and IP to the
+        // IRC server. Note that this requires to obtain a password from the IRC network
+        // The Lounge will be connecting to and generally involves a lot of trust from the
+        // network you are connecting to.
+        //
+        // Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
+        // Format (function):
+        //   {"irc.example.net": function(client, args, trusted) {
+        //       // here, we return a webirc object fed directly to `irc-framework`
+        //       return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
+        //   }}
+        //
+        // @type     string | function(client, args):object(webirc)
+        // @default  null
+        webirc: null,
+
+        //
+        // Log settings
+        //
+        // Logging has to be enabled per user. If enabled, logs will be stored in
+        // the 'logs/<user>/<network>/' folder.
+        //
+        // @type     object
+        // @default  {}
+        //
+        logs: {
+                //
+                // Timestamp format
+                //
+                // @type     string
+                // @default  "YYYY-MM-DD HH:mm:ss"
+                //
+                format: "YYYY-MM-DD HH:mm:ss",
+
+                //
+                // Timezone
+                //
+                // @type     string
+                // @default  "UTC+00:00"
+                //
+                timezone: "UTC+00:00",
+        },
+
+        //
+        // Maximum number of history lines per channel
+        //
+        // Defines the maximum number of history lines that will be kept in
+        // memory per channel/query, in order to reduce the memory usage of
+        // the server. Setting this to -1 will keep unlimited amount.
+        //
+        // @type     integer
+        // @default  10000
+        maxHistory: 10000,
+
+        //
+        // Default values for the 'Connect' form.
+        //
+        // @type     object
+        // @default  {}
+        //
+        defaults: {
+                //
+                // Name
+                //
+                // @type     string
+                // @default  "Freenode"
+                //
+                name: "Freenode",
+
+                //
+                // Host
+                //
+                // @type     string
+                // @default  "chat.freenode.net"
+                //
+                host: "chat.freenode.net",
+
+                //
+                // Port
+                //
+                // @type     int
+                // @default  6697
+                //
+                port: 6697,
+
+                //
+                // Password
+                //
+                // @type     string
+                // @default  ""
+                //
+                password: "",
+
+                //
+                // Enable TLS/SSL
+                //
+                // @type     boolean
+                // @default  true
+                //
+                tls: true,
+
+                //
+                // Nick
+                //
+                // @type     string
+                // @default  "lounge-user"
+                //
+                nick: "lounge-user",
+
+                //
+                // Username
+                //
+                // @type     string
+                // @default  "lounge-user"
+                //
+                username: "lounge-user",
+
+                //
+                // Real Name
+                //
+                // @type     string
+                // @default  "The Lounge User"
+                //
+                realname: "The Lounge User",
+
+                //
+                // Channels
+                // This is a comma-separated list.
+                //
+                // @type     string
+                // @default  "#thelounge"
+                //
+                join: "#thelounge",
+        },
+
+        //
+        // Set socket.io transports
+        //
+        // @type     array
+        // @default  ["polling", "websocket"]
+        //
+        transports: ["polling", "websocket"],
+
+        //
+        // Run The Lounge using encrypted HTTP/2.
+        // This will fallback to regular HTTPS if HTTP/2 is not supported.
+        //
+        // @type     object
+        // @default  {}
+        //
+        https: {
+                //
+                // Enable HTTP/2 / HTTPS support.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                enable: false,
+
+                //
+                // Path to the key.
+                //
+                // @type     string
+                // @example  "sslcert/key.pem"
+                // @default  ""
+                //
+                key: "",
+
+                //
+                // Path to the certificate.
+                //
+                // @type     string
+                // @example  "sslcert/key-cert.pem"
+                // @default  ""
+                //
+                certificate: "",
+
+                //
+                // Path to the CA bundle.
+                //
+                // @type     string
+                // @example  "sslcert/bundle.pem"
+                // @default  ""
+                //
+                ca: "",
+        },
+
+        //
+        // Default quit and part message if none is provided.
+        //
+        // @type     string
+        // @default  "The Lounge - https://thelounge.github.io"
+        //
+        leaveMessage: "The Lounge - https://thelounge.github.io",
+
+        //
+        // Run The Lounge with identd support.
+        //
+        // @type     object
+        // @default  {}
+        //
+        identd: {
+                //
+                // Run the identd daemon on server start.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                enable: false,
+
+                //
+                // Port to listen for ident requests.
+                //
+                // @type     int
+                // @default  113
+                //
+                port: 113,
+        },
+
+        //
+        // Enable oidentd support using the specified file
+        //
+        // Example: oidentd: "~/.oidentd.conf",
+        //
+        // @type     string
+        // @default  null
+        //
+        oidentd: null,
+
+        //
+        // LDAP authentication settings (only available if public=false)
+        // @type    object
+        // @default {}
+        //
+        // The authentication process works as follows:
+        //
+        //   1. Lounge connects to the LDAP server with its system credentials
+        //   2. It performs a LDAP search query to find the full DN associated to the
+        //      user requesting to log in.
+        //   3. Lounge tries to connect a second time, but this time using the user's
+        //      DN and password. Auth is validated iff this connection is successful.
+        //
+        // The search query takes a couple of parameters in `searchDN`:
+        //   - a base DN `searchDN/base`. Only children nodes of this DN will be likely
+        //     to be returned;
+        //   - a search scope `searchDN/scope` (see LDAP documentation);
+        //   - the query itself, build as (&(<primaryKey>=<username>) <filter>)
+        //     where <username> is the user name provided in the log in request,
+        //     <primaryKey> is provided by the config and <fitler> is a filtering complement
+        //     also given in the config, to filter for instance only for nodes of type
+        //     inetOrgPerson, or whatever LDAP search allows.
+        //
+        // Alternatively, you can specify the `bindDN` parameter. This will make the lounge
+        // ignore searchDN options and assume that the user DN is always:
+        //     <bindDN>,<primaryKey>=<username>
+        // where <username> is the user name provided in the log in request, and <bindDN>
+        // and <primaryKey> are provided by the config.
+        //
+        ldap: {
+                //
+                // Enable LDAP user authentication
+                //
+                // @type     boolean
+                // @default  false
+                //
+                enable: true,
+
+                //
+                // LDAP server URL
+                //
+                // @type     string
+                //
+                url: "ldap://{{ services.openldap.domain }}",
+
+                //
+                // LDAP connection tls options (only used if scheme is ldaps://)
+                //
+                // @type     object (see nodejs' tls.connect() options)
+                // @default {}
+                //
+                // Example:
+                //   You can use this option in order to force the use of IPv6:
+                //   {
+                //     host: 'my::ip::v6',
+                //     servername: 'example.com'
+                //   }
+                tlsOptions: {},
+
+                //
+                // LDAP base dn, alternative to searchDN
+                //
+                // @type     string
+                //
+                // baseDN: "",
+
+                //
+                // LDAP primary key
+                //
+                // @type     string
+                // @default  "uid"
+                //
+                primaryKey: "uid",
+
+                //
+                // LDAP search dn settings. This defines the procedure by which the
+                // lounge first look for user DN before authenticating her.
+                // Ignored if baseDN is specified
+                //
+                // @type     object
+                //
+                searchDN: {
+
+                        //
+                        // LDAP searching bind DN
+                        // This bind DN is used to query the server for the DN of the user.
+                        // This is supposed to be a system user that has access in read only to
+                        // the DNs of the people that are allowed to log in.
+                        //
+                        // @type     string
+                        //
+                        rootDN: "cn=admin,dc=data,dc=coop",
+
+                        //
+                        // Password of the lounge LDAP system user
+                        //
+                        // @type     string
+                        //
+                        rootPassword: "{{ ldap_admin_password }}",
+
+                        //
+                        // LDAP filter
+                        //
+                        // @type     string
+                        // @default  "uid"
+                        //
+                        //filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
+                        filter: "(objectClass=inetOrgPerson)",
+
+                        //
+                        // LDAP search base (search only within this node)
+                        //
+                        // @type     string
+                        //
+                        base: "{{ ldap_dn }}",
+
+                        //
+                        // LDAP search scope
+                        //
+                        // @type     string
+                        // @default  "sub"
+                        //
+                        scope: "sub",
+
+                },
+        },
+
+        // Extra debugging
+        //
+        // @type     object
+        // @default  {}
+        //
+        debug: {
+                // Enables extra debugging output provided by irc-framework.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                ircFramework: false,
+
+                // Enables logging raw IRC messages into each server window.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                raw: false,
+        },
+};
--- a/roles/docker/files/mastodon/postgresql.conf
+++ b/roles/docker/files/mastodon/postgresql.conf
@ -1,20 +0,0 @@
-# DB Version: 14
-# OS Type: linux
-# DB Type: oltp
-# Total Memory (RAM): 16 GB
-# Connections num: 300
-# Data Storage: hdd
-
-listen_addresses = '*'
-max_connections = 300
-shared_buffers = 4GB
-effective_cache_size = 12GB
-maintenance_work_mem = 1GB
-checkpoint_completion_target = 0.9
-wal_buffers = 16MB
-default_statistics_target = 100
-random_page_cost = 4
-effective_io_concurrency = 2
-work_mem = 6990kB
-min_wal_size = 2GB
-max_wal_size = 8GB
--- a/roles/docker/files/vhost/matrix
+++ b/roles/docker/files/vhost/matrix
@ -1,2 +0,0 @@
-listen 8008;
-client_max_body_size 1G; # default is 1M
--- a/roles/docker/files/vhost/nextcloud
+++ b/roles/docker/files/vhost/nextcloud
@ -1 +0,0 @@
-client_max_body_size 1G; # default is 1M
--- a/roles/docker/files/vhost/uptime_kuma
+++ b/roles/docker/files/vhost/uptime_kuma
@ -1,4 +0,0 @@
-proxy_set_header   Upgrade $http_upgrade;
-proxy_set_header   Connection "upgrade";
-proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header   Host $host;
--- a/roles/docker/files/vhost/www.base_domain
+++ b/roles/docker/files/vhost/www.base_domain
@ -1,2 +0,0 @@
-server_name www.data.coop;
-return 301 $scheme://data.coop$request_uri;
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@ -1,6 +1,6 @@
-# vim: ft=yaml.ansible
 ---
- name: restart nginx
-  command: docker compose restart proxy
-  args:
-    chdir: "{{ services.nginx_proxy.volume_folder }}"
+- name: Restart nginx
+  community.docker.docker_container:
+    name: nginx-proxy
+    restart: 'yes'
+    state: started
--- a/roles/docker/tasks/block.yml
+++ b/roles/docker/tasks/block.yml
@ -1,26 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create volume folder for service {{ service.name }}
-  file:
-    name: "{{ service.vars.volume_folder }}"
-    state: directory
-
- name: Upload Compose file for service {{ service.name }}
-  template:
-    src: compose-files/{{ service.name }}.yml.j2
-    dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
-    owner: root
-    mode: u=rw,go=
-
- name: Run pre-deployment tasks for service {{ service.name }}
-  include_tasks: pre_deploy/{{ service.name }}.yml
-  when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
-
- name: Deploy Compose stack for service {{ service.name }}
-  command: docker compose up -d --remove-orphans --pull always
-  args:
-    chdir: "{{ service.vars.volume_folder }}"
-
- name: Run post-deployment tasks for service {{ service.name }}
-  include_tasks: post_deploy/{{ service.name }}.yml
-  when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -1,44 +1,33 @@
-# vim: ft=yaml.ansible
 ---
- name: Add Docker PGP key
-  apt_key:
+- name: Add docker gpg key
+  ansible.builtin.apt_key:
    keyserver: pgp.mit.edu
    id: 8D81803C0EBFCD88
    state: present

- name: Add Docker apt repository
-  apt_repository:
+- name: Add docker apt repository
+  ansible.builtin.apt_repository:
    repo: deb https://download.docker.com/linux/ubuntu bionic stable
    state: present
-    update_cache: yes
+    update_cache: true

- name: Install Docker
-  apt:
-    name: "{{ pkgs }}"
+- name: Install docker-ce
+  ansible.builtin.apt:
+    name: docker-ce
    state: present
-  vars:
-    pkgs:
-      - docker-ce
-      - docker-compose-plugin

- name: Configure cron job to prune unused Docker data weekly
-  cron:
-    name: Prune unused Docker data
-    cron_file: ansible_docker_prune
-    job: 'docker system prune -fa && docker volume prune -fa'
-    special_time: weekly
-    user: root
+- name: Install docker python bindings
+  ansible.builtin.pip:
+    executable: pip3
+    name: docker-compose
    state: present

 - name: Create folder structure for bind mounts
-  file:
-    name: "{{ item }}"
+  ansible.builtin.file:
+    name: '{{ volume_root_folder }}'
    state: directory
-  loop:
-    - "{{ volume_root_folder }}"
-    - "{{ volume_website_folder }}"

- name: Set up services
-  import_tasks: services.yml
+- name: Setup services
+  ansible.builtin.import_tasks: services.yml
  tags:
    - setup_services
--- a/roles/docker/tasks/post_deploy/docker_registry.yml
+++ b/roles/docker/tasks/post_deploy/docker_registry.yml
@ -1,13 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Generate htpasswd file
-  shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
-  args:
-    chdir: "{{ services.docker_registry.volume_folder }}"
-    creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
-
- name: log in to registry
-  docker_login:
-    registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
-    username: docker
-    password: "{{ docker_password }}"
--- a/roles/docker/tasks/post_deploy/mastodon.yml
+++ b/roles/docker/tasks/post_deploy/mastodon.yml
@ -1,19 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Configure cron job to remove old Mastodon media daily
-  cron:
-    name: Clean Mastodon media data older than a week
-    cron_file: ansible_mastodon_clean_media
-    job: docker exec mastodon-web-1 tootctl media remove --days 7
-    special_time: daily
-    user: root
-    state: present
-
- name: Configure cron job to remove old Mastodon preview cards daily
-  cron:
-    name: Clean Mastodon preview card data older than two weeks
-    cron_file: ansible_mastodon_clean_preview_cards
-    job: docker exec mastodon-web-1 tootctl preview_cards remove --days 14
-    special_time: daily
-    user: root
-    state: present
--- a/roles/docker/tasks/pre_deploy/data_coop_website.yml
+++ b/roles/docker/tasks/pre_deploy/data_coop_website.yml
@ -1,11 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Upload vhost config for root domain
-  copy:
-    src: vhost/base_domain
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
-
- name: Upload vhost config for WWW domain
-  copy:
-    src: vhost/www.base_domain
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"
--- a/roles/docker/tasks/pre_deploy/docker_registry.yml
+++ b/roles/docker/tasks/pre_deploy/docker_registry.yml
@ -1,17 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    path: "{{ services.docker_registry.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - auth
-    - registry
-  loop_control:
-    loop_var: volume
-
- name: Copy docker registry vhost configuration
-  copy:
-    src: vhost/docker_registry
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
-    mode: "0644"
--- a/roles/docker/tasks/pre_deploy/element.yml
+++ b/roles/docker/tasks/pre_deploy/element.yml
@ -1,21 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolder
-  file:
-    name: "{{ services.element.volume_folder }}/data"
-    state: directory
-
- name: Upload config.json
-  template:
-    src: element/config.json.j2
-    dest: "{{ services.element.volume_folder }}/data/config.json"
-
- name: Upload riot.im.conf
-  copy:
-    src: element/riot.im.conf
-    dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
-
- name: Upload vhost config for Element domain
-  copy:
-    src: vhost/element
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.element.domain }}"
--- a/roles/docker/tasks/pre_deploy/hedgedoc.yml
+++ b/roles/docker/tasks/pre_deploy/hedgedoc.yml
@ -1,17 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - db
-    - hedgedoc/uploads
-  loop_control:
-    loop_var: volume
-
- name: Copy SSO certificate
-  copy:
-    src: sso/sso.data.coop.pem
-    dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
-    mode: "0644"
--- a/roles/docker/tasks/pre_deploy/mailu.yml
+++ b/roles/docker/tasks/pre_deploy/mailu.yml
@ -1,45 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    name: "{{ services.mailu.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - redis
-    - certs
-    - data
-    - dkim
-    - mail
-    - mailqueue
-    - filter
-    - postgres
-    - webmail
-    - overrides
-    - overrides/nginx
-    - overrides/dovecot
-    - overrides/postfix
-    - overrides/rspamd
-    - overrides/snappymail
-  loop_control:
-    loop_var: volume
-
- name: Upload mailu.env file
-  template:
-    src: mailu/env.j2
-    dest: "{{ services.mailu.volume_folder }}/mailu.env"
-
- name: Hard link to Let's Encrypt TLS certificate
-  file:
-    src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
-    dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
-    state: hard
-    force: true
-  when: letsencrypt_enabled
-
- name: Hard link to Let's Encrypt TLS key
-  file:
-    src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
-    dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
-    state: hard
-    force: true
-  when: letsencrypt_enabled
--- a/roles/docker/tasks/pre_deploy/mastodon.yml
+++ b/roles/docker/tasks/pre_deploy/mastodon.yml
@ -1,45 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolder for Mastodon data
-  file:
-    name: "{{ services.mastodon.volume_folder }}/mastodon_data"
-    state: directory
-    owner: "991"
-    mode: u=rwx,g=rx,o=rx
-
- name: Create subfolder for PostgreSQL data
-  file:
-    name: "{{ services.mastodon.volume_folder }}/postgres_data"
-    state: directory
-    owner: "70"
-    mode: u=rwx,go=
-
- name: Create subfolder for PostgreSQL config
-  file:
-    name: "{{ services.mastodon.volume_folder }}/postgres_config"
-    state: directory
-    owner: root
-    mode: u=rwx,g=rx,o=rx
-
- name: Create subfolder for Redis data
-  file:
-    name: "{{ services.mastodon.volume_folder }}/redis_data"
-    state: directory
-    owner: "999"
-    group: "1000"
-    mode: u=rwx,g=rx,o=rx
-
- name: Upload mastodon.env file
-  template:
-    src: mastodon/env.j2
-    dest: "{{ services.mastodon.volume_folder }}/mastodon.env"
-
- name: Upload vhost config for Mastodon domain
-  copy:
-    src: vhost/mastodon
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
-
- name: Upload PostgreSQL config
-  copy:
-    src: mastodon/postgresql.conf
-    dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"
--- a/roles/docker/tasks/pre_deploy/matrix.yml
+++ b/roles/docker/tasks/pre_deploy/matrix.yml
@ -1,34 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    name: "{{ services.matrix.volume_folder }}/{{ volume }}"
-    state: directory
-    owner: "991"
-    group: "991"
-  loop:
-    - data
-    - data/uploads
-    - data/media
-  loop_control:
-    loop_var: volume
-
- name: Create Matrix DB subfolder
-  file:
-    name: "{{ services.matrix.volume_folder }}/db"
-    state: directory
-
- name: Upload vhost config for Matrix domain
-  copy:
-    src: vhost/matrix
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
-
- name: Upload homeserver.yaml
-  template:
-    src: matrix/homeserver.yaml.j2
-    dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
-
- name: Upload Matrix logging config
-  copy:
-    src: matrix/log.config
-    dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
--- a/roles/docker/tasks/pre_deploy/nextcloud.yml
+++ b/roles/docker/tasks/pre_deploy/nextcloud.yml
@ -1,17 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    path: "{{ services.nextcloud.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - app
-    - postgres
-  loop_control:
-    loop_var: volume
-
- name: Upload vhost config for Nextcloud domain
-  copy:
-    src: vhost/nextcloud
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
-  notify: "restart nginx"
--- a/roles/docker/tasks/pre_deploy/nginx_proxy.yml
+++ b/roles/docker/tasks/pre_deploy/nginx_proxy.yml
@ -1,14 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - conf
-    - vhost
-    - html
-    - dhparam
-    - certs
-  loop_control:
-    loop_var: volume
--- a/roles/docker/tasks/pre_deploy/openldap.yml
+++ b/roles/docker/tasks/pre_deploy/openldap.yml
@ -1,12 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    name: "{{ services.openldap.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - var/lib/ldap
-    - etc/slapd
-    - certs
-  loop_control:
-    loop_var: volume
--- a/roles/docker/tasks/pre_deploy/postfix.yml
+++ b/roles/docker/tasks/pre_deploy/postfix.yml
@ -1,13 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Set up network for Postfix
-  docker_network:
-    name: postfix
-    ipam_config:
-      - subnet: '172.16.0.0/16'
-        gateway: 172.16.0.1
-
- name: Create subfolder
-  file:
-    name: "{{ services.postfix.volume_folder }}/dkim"
-    state: directory
--- a/roles/docker/tasks/pre_deploy/privatebin.yml
+++ b/roles/docker/tasks/pre_deploy/privatebin.yml
@ -1,16 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolders
-  file:
-    name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - cfg
-    - data
-  loop_control:
-    loop_var: volume
-
- name: Upload PrivateBin config
-  copy:
-    src: privatebin/conf.php
-    dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
--- a/roles/docker/tasks/pre_deploy/rallly.yml
+++ b/roles/docker/tasks/pre_deploy/rallly.yml
@ -1,11 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolder
-  file:
-    name: "{{ services.rallly.volume_folder }}/postgres"
-    state: directory
-
- name: Copy rallly.env file
-  template:
-    src: rallly/env.j2
-    dest: "{{ services.rallly.volume_folder }}/rallly.env"
--- a/roles/docker/tasks/pre_deploy/restic.yml
+++ b/roles/docker/tasks/pre_deploy/restic.yml
@ -1,72 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create SSH directory
-  file:
-    path: "{{ services.restic.volume_folder }}/ssh"
-    owner: root
-    group: root
-    mode: '0755'
-    state: directory
-
- name: Upload private SSH key
-  copy:
-    dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
-    owner: root
-    group: root
-    mode: '0600'
-    content: "{{ restic_secrets.ssh_privkey }}"
-
- name: Derive public SSH key
-  shell: >-
-    ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
-      > {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
-  args:
-    creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
-
- name: Set file permissions on public SSH key
-  file:
-    path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
-    owner: root
-    group: root
-    mode: '0644'
-    state: touch
-
- name: Upload SSH config
-  template:
-    src: restic/ssh.config.j2
-    dest: "{{ services.restic.volume_folder }}/ssh/config"
-    owner: root
-    group: root
-    mode: '0600'
-
- name: Upload SSH known_hosts file
-  template:
-    src: restic/ssh.known_hosts.j2
-    dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
-    owner: root
-    group: root
-    mode: '0600'
-
- name: Create scripts directory
-  file:
-    path: "{{ services.restic.volume_folder }}/scripts"
-    owner: root
-    group: root
-    mode: '0755'
-    state: directory
-
- name: Upload failure.sh script
-  template:
-    src: restic/failure.sh.j2
-    dest: "{{ services.restic.volume_folder }}/scripts/failure.sh"
-    owner: root
-    group: root
-    mode: '0755'
-
- name: Upload success.sh script
-  template:
-    src: restic/success.sh.j2
-    dest: "{{ services.restic.volume_folder }}/scripts/success.sh"
-    owner: root
-    group: root
-    mode: '0755'
--- a/roles/docker/tasks/pre_deploy/uptime_kuma.yml
+++ b/roles/docker/tasks/pre_deploy/uptime_kuma.yml
@ -1,9 +0,0 @@
- name: Upload vhost config for uptime domain
-  copy:
-    src: vhost/uptime_kuma
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.domain }}_location"
-
- name: Upload vhost config for status domain
-  copy:
-    src: vhost/uptime_kuma
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.status_domain }}_location"
--- a/roles/docker/tasks/pre_deploy/writefreely.yml
+++ b/roles/docker/tasks/pre_deploy/writefreely.yml
@ -1,20 +0,0 @@
-# vim: ft=yaml.ansible
---
- name: Create subfolder for MariaDB data
-  file:
-    name: "{{ services.writefreely.volume_folder }}/db"
-    owner: "999"
-    group: "999"
-    state: directory
-
- name: Create subfolder for encryption keys
-  file:
-    name: "{{ services.writefreely.volume_folder }}/keys"
-    owner: "2"
-    group: "2"
-    state: directory
-
- name: Upload config.ini
-  template:
-    src: "writefreely/config.ini.j2"
-    dest: "{{ services.writefreely.volume_folder }}/config.ini"
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@ -1,28 +1,17 @@
-# vim: ft=yaml.ansible
 ---
- name: Set up external services network
-  docker_network:
+- name: setup external services network
+  community.docker.docker_network:
    name: external_services

- name: Deploy all services
-  include_tasks:
-    file: block.yml
-  vars:
-    service:
-      name: "{{ item }}"
-      vars: "{{ services[item] }}"
-  loop: "{{ services_include }}"
-  when: single_service is not defined and
-        (item.vars.disabled_in_vagrant is not defined or
-        not (item.vars.disabled_in_vagrant and vagrant))
+- name: setup services
+  include_tasks: services/{{ docker_service.value.file }}
+  loop: '{{ services | dict2items }}'
+  loop_control:
+    loop_var: docker_service
+  when: single_service is not defined and docker_service.value.file is defined and
+    docker_service.value.disabled_in_vagrant is not defined

- name: Deploy single service
-  include_tasks:
-    file: block.yml
-  vars:
-    service:
-      name: "{{ single_service }}"
-      vars: "{{ services[single_service] }}"
-  when: single_service is defined and single_service in services and
-        (services[single_service].disabled_in_vagrant is not defined or
-        not (services[single_service].disabled_in_vagrant and vagrant))
+- name: setup single service
+  include_tasks: services/{{ services[single_service].file }}
+  when: single_service is defined and single_service in services and services[single_service].file
+    is defined and services[single_service].disabled_in_vagrant is not defined
--- a/roles/docker/tasks/services/codimd.yml
+++ b/roles/docker/tasks/services/codimd.yml
@ -0,0 +1,57 @@
+---
+
+- name: codimd network
+  community.docker.docker_network:
+    name: codimd
+
+- name: create codimd volume folders
+  ansible.builtin.file:
+    name: '{{ codimd.volume_folder }}/{{ volume }}'
+    state: directory
+  loop:
+    - db
+    - codimd/uploads
+
+  loop_control:
+    loop_var: volume
+
+- name: codimd database container
+  community.docker.docker_container:
+    name: codimd_db
+    image: postgres:10
+    state: started
+    restart_policy: unless-stopped
+    networks:
+      - name: codimd
+    volumes:
+      - '{{ codimd.volume_folder }}/db:/var/lib/postgresql/data'
+    env:
+      POSTGRES_USER: codimd
+      POSTGRES_PASSWORD: '{{ postgres_passwords.codimd }}'
+
+- name: codimd app container
+  community.docker.docker_container:
+    name: codimd_app
+    image: hackmdio/hackmd:1.3.0
+    restart_policy: unless-stopped
+    networks:
+      - name: codimd
+      - name: ldap
+      - name: external_services
+    volumes:
+      - '{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads'
+
+    env:
+      CMD_DB_URL: postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd
+      CMD_ALLOW_EMAIL_REGISTER: 'False'
+      CMD_IMAGE_UPLOAD_TYPE: filesystem
+      CMD_EMAIL: 'False'
+      CMD_LDAP_URL: ldap://openldap
+      CMD_LDAP_BINDDN: cn=admin,dc=data,dc=coop
+      CMD_LDAP_BINDCREDENTIALS: '{{ ldap_admin_password }}'
+      CMD_LDAP_SEARCHBASE: dc=data,dc=coop
+      CMD_LDAP_SEARCHFILTER: (&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))
+      CMD_USECDN: 'false'
+      VIRTUAL_HOST: '{{ codimd.domain }}'
+      LETSENCRYPT_HOST: '{{ codimd.domain }}'
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
--- a/roles/docker/tasks/services/docker_registry.yml
+++ b/roles/docker/tasks/services/docker_registry.yml
@ -0,0 +1,37 @@
+---
+- name: copy docker registry nginx configuration
+  ansible.builtin.copy:
+    src: files/configs/docker_registry/nginx.conf
+    dest: /docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}
+    mode: '0644'
+
+- name: docker registry container
+  community.docker.docker_container:
+    name: registry
+    image: registry:{{ services.docker_registry.version }}
+    restart_policy: always
+    volumes:
+      - '{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry'
+      - '{{ services.docker_registry.volume_folder }}/auth:/auth'
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: '{{ services.docker_registry.domain }}'
+      LETSENCRYPT_HOST: '{{ services.docker_registry.domain }}'
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+      REGISTRY_AUTH: htpasswd
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+      REGISTRY_AUTH_HTPASSWD_REALM: data.coop docker registry
+
+- name: generate htpasswd file
+  shell: docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > services.docker_registry.volume_folder
+    }}/auth/htpasswd
+  args:
+    creates: '{{ services.docker_registry.volume_folder }}/auth/htpasswd'
+
+- name: log in to registry
+  docker_login:
+    registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain\
+      \  }}"
+    username: docker
+    password: '{{ docker_password }}'
--- a/roles/docker/tasks/services/drone.yml
+++ b/roles/docker/tasks/services/drone.yml
@ -0,0 +1,51 @@
+---
+- name: set up drone with docker runner
+  community.docker.docker_compose:
+    project_name: drone
+    pull: true
+    definition:
+      version: '3.6'
+      services:
+        drone:
+          container_name: drone
+          image: drone/drone:1
+          restart: unless-stopped
+          networks:
+            - external_services
+            - drone
+          volumes:
+            - '{{ services.drone.volume_folder }}:/data'
+            - /var/run/docker.sock:/var/run/docker.sock
+          environment:
+            DRONE_GITEA_SERVER: https://{{ services.gitea.domain }}
+            DRONE_GITEA_CLIENT_ID: '{{ drone_secrets.oauth_client_id }}'
+            DRONE_GITEA_CLIENT_SECRET: '{{ drone_secrets.oauth_client_secret }}'
+            DRONE_GIT_ALWAYS_AUTH: 'true'
+            DRONE_SERVER_HOST: '{{ services.drone.domain }}'
+            DRONE_SERVER_PROTO: https
+            DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
+            PLUGIN_CUSTOM_DNS: 91.239.100.100
+            VIRTUAL_HOST: '{{ services.drone.domain }}'
+            LETSENCRYPT_HOST: '{{ services.drone.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+
+        drone-runner-docker:
+          container_name: drone-runner-docker
+          image: drone/drone-runner-docker:{{ services.drone.version }}
+          restart: unless-stopped
+          networks:
+            - drone
+          volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+          environment:
+            DRONE_RPC_HOST: '{{ services.drone.domain }}'
+            DRONE_RPC_PROTO: https
+            DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
+            DRONE_RUNNER_CAPACITY: 2
+            DRONE_RUNNER_NAME: data.coop_drone_runner
+
+      networks:
+        drone:
+        external_services:
+          external:
+            name: external_services
--- a/roles/docker/tasks/services/gitea.yml
+++ b/roles/docker/tasks/services/gitea.yml
@ -0,0 +1,38 @@
+---
+- name: gitea network
+  community.docker.docker_network:
+    name: gitea
+
+# old DNS: 138.68.71.153
+- name: gitea container
+  community.docker.docker_container:
+    name: gitea
+    image: gitea/gitea:{{ services.gitea.version }}
+    restart_policy: unless-stopped
+    networks:
+      - name: gitea
+      - name: postfix
+      - name: external_services
+    volumes:
+      - '{{ services.gitea.volume_folder }}:/data'
+    published_ports:
+      - 22:22
+    env:
+      VIRTUAL_HOST: '{{ services.gitea.domain }}'
+      VIRTUAL_PORT: '3000'
+      LETSENCRYPT_HOST: '{{ services.gitea.domain }}'
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
+# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
+      GITEA__mailer__ENABLED: 'true'
+      GITEA__mailer__FROM: noreply@{{ services.gitea.domain }}
+      GITEA__mailer__MAILER_TYPE: smtp
+      GITEA__mailer__HOST: '{{ smtp_host }}:{{ smtp_port }}'
+      GITEA__mailer__USER: noop
+      GITEA__mailer__PASSWD: noop
+      GITEA__security__LOGIN_REMEMBER_DAYS: '60'
+      GITEA__security__PASSWORD_COMPLEXITY: 'off'
+      GITEA__security__MIN_PASSWORD_LENGTH: '8'
+      GITEA__security__PASSWORD_CHECK_PWN: 'true'
+      GITEA__service__ENABLE_NOTIFY_MAIL: 'true'
+      GITEA__service__REGISTER_EMAIL_CONFIRM: 'true'
--- a/roles/docker/tasks/services/hedgedoc.yml
+++ b/roles/docker/tasks/services/hedgedoc.yml
@ -0,0 +1,65 @@
+---
+- name: create hedgedoc volume folders
+  ansible.builtin.file:
+    name: '{{ services.hedgedoc.volume_folder }}/{{ volume }}'
+    state: directory
+  loop:
+    - db
+    - hedgedoc/uploads
+  loop_control:
+    loop_var: volume
+
+- name: copy sso public certificate
+  ansible.builtin.copy:
+    src: files/sso/sso.data.coop.pem
+    dest: '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem'
+    mode: '0644'
+
+- name: setup hedgedoc
+  community.docker.docker_compose:
+    project_name: hedgedoc
+    pull: true
+    definition:
+      services:
+        database:
+          image: postgres:10-alpine
+          environment:
+            POSTGRES_USER: codimd
+            POSTGRES_PASSWORD: '{{ postgres_passwords.hedgedoc }}'
+            POSTGRES_DB: codimd
+          restart: unless-stopped
+          networks:
+            - hedgedoc
+          volumes:
+            - '{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data'
+        app:
+          image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
+          environment:
+            CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd
+            CMD_DOMAIN: '{{ services.hedgedoc.domain }}'
+            CMD_ALLOW_EMAIL_REGISTER: 'False'
+            CMD_IMAGE_UPLOAD_TYPE: filesystem
+            CMD_EMAIL: 'False'
+            CMD_SAML_IDPCERT: /sso.data.coop.pem
+            CMD_SAML_IDPSSOURL: https://sso.data.coop/auth/realms/datacoop/protocol/saml
+            CMD_SAML_ISSUER: hedgedoc
+            CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+            CMD_USECDN: 'false'
+            CMD_PROTOCOL_USESSL: 'true'
+            VIRTUAL_HOST: '{{ services.hedgedoc.domain }}'
+            LETSENCRYPT_HOST: '{{ services.hedgedoc.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+          volumes:
+            - '{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads'
+            - '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem'
+          restart: unless-stopped
+          networks:
+            - hedgedoc
+            - external_services
+          depends_on:
+            - database
+
+      networks:
+        hedgedoc:
+        external_services:
+          external: true
--- a/roles/docker/tasks/services/keycloak.yml
+++ b/roles/docker/tasks/services/keycloak.yml
@ -0,0 +1,44 @@
+---
+- name: setup keycloak containers for sso.data.coop
+  community.docker.docker_compose:
+    project_name: keycloak
+    pull: true
+    definition:
+      version: '3.6'
+      services:
+
+        postgres:
+          image: postgres:10
+          restart: unless-stopped
+          networks:
+            - keycloak
+          volumes:
+            - '{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data'
+          environment:
+            POSTGRES_USER: keycloak
+            POSTGRES_PASSWORD: '{{ postgres_passwords.keycloak }}'
+            POSTGRES_DB: keycloak
+
+        app:
+          image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
+          restart: unless-stopped
+          networks:
+            - keycloak
+            - postfix
+            - external_services
+          command: start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak
+            --db-username=keycloak --db-password={{ postgres_passwords.keycloak
+            }} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080
+            --http-relative-path=/auth
+          environment:
+            VIRTUAL_HOST: '{{ services.keycloak.domain }}'
+            VIRTUAL_PORT: '8080'
+            LETSENCRYPT_HOST: '{{ services.keycloak.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+
+      networks:
+        keycloak:
+        postfix:
+          external: true
+        external_services:
+          external: true
--- a/roles/docker/tasks/services/mailu.yml
+++ b/roles/docker/tasks/services/mailu.yml
@ -0,0 +1,164 @@
+---
+
+- name: create mailu volume folders
+  ansible.builtin.file:
+    name: '{{ services.mailu.volume_folder }}/{{ volume }}'
+    state: directory
+  loop:
+    - redis
+    - certs
+    - overrides
+    - data
+    - dkim
+    - mail
+    - filter
+    - dav
+    - webmail
+  loop_control:
+    loop_var: volume
+
+- name: upload mailu.env file
+  ansible.builtin.template:
+    src: mailu.env.j2
+    dest: '{{ services.mailu.volume_folder}}/mailu.env'
+
+- name: hard link to Let's Encrypt TLS certificate
+  ansible.builtin.file:
+    src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
+      }}/fullchain.pem'
+    dest: '{{ services.mailu.volume_folder }}/certs/cert.pem'
+    state: hard
+    force: true
+  when: letsencrypt_enabled
+
+- name: hard link to Let's Encrypt TLS key
+  ansible.builtin.file:
+    src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
+      }}/key.pem'
+    dest: '{{ services.mailu.volume_folder }}/certs/key.pem'
+    state: hard
+    force: true
+  when: letsencrypt_enabled
+
+- name: run mail server containers
+  community.docker.docker_compose:
+    project_name: mail_server
+    pull: true
+    definition:
+      version: '3.6'
+      services:
+        redis:
+          image: redis:alpine
+          restart: always
+          volumes:
+            - '{{ services.mailu.volume_folder }}/redis:/data'
+
+        database:
+          image: mailu/postgresql:{{ services.mailu.version }}
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          volumes:
+            - '{{ services.mailu.volume_folder }}/data/psql_db:/data'
+            - '{{ services.mailu.volume_folder }}/data/psql_backup:/backup'
+          networks:
+            - default
+            - external_services
+
+        front:
+          image: mailu/nginx:{{ services.mailu.version }}
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          environment:
+            VIRTUAL_HOST: '{{ services.mailu.domain }}'
+            LETSENCRYPT_HOST: '{{ services.mailu.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+          volumes:
+            - '{{ services.mailu.volume_folder }}/certs:/certs'
+            - '{{ services.mailu.volume_folder }}/overrides/nginx:/overrides'
+          expose:
+            - '80'
+          ports:
+            - 993:993
+            - 25:25
+            - 587:587
+            - 465:465
+          networks:
+            - default
+            - external_services
+
+        resolver:
+          image: mailu/unbound:{{ services.mailu.version }}
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          networks:
+            default:
+              ipv4_address: '{{ services.mailu.dns }}'
+
+        admin:
+          image: mailu/admin:{{ services.mailu.version }}
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          volumes:
+            - '{{ services.mailu.volume_folder }}/data:/data'
+            - '{{ services.mailu.volume_folder }}/dkim:/dkim'
+          depends_on:
+            - redis
+
+        imap:
+          image: mailu/dovecot:{{ services.mailu.version }}
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          volumes:
+            - '{{ services.mailu.volume_folder }}/mail:/mail'
+            - '{{ services.mailu.volume_folder }}/overrides:/overrides'
+          depends_on:
+            - front
+
+        smtp:
+          image: mailu/postfix:{{ services.mailu.version }}
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          volumes:
+            - '{{ services.mailu.volume_folder }}/overrides:/overrides'
+          depends_on:
+            - front
+            - resolver
+          dns:
+            - '{{ services.mailu.dns }}'
+
+        antispam:
+          image: mailu/rspamd:{{ services.mailu.version }}
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          volumes:
+            - '{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd'
+            - '{{ services.mailu.volume_folder }}/dkim:/dkim'
+            - '{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d'
+          depends_on:
+            - front
+            - resolver
+          dns:
+            - '{{ services.mailu.dns }}'
+
+        webmail:
+          image: mailu/rainloop:1.6
+          restart: always
+          env_file: '{{ services.mailu.volume_folder}}/mailu.env'
+          volumes:
+            - '{{ services.mailu.volume_folder }}/webmail:/data'
+          depends_on:
+            - front
+            - resolver
+          dns:
+            - '{{ services.mailu.dns }}'
+
+      networks:
+        default:
+          driver: bridge
+          ipam:
+            driver: default
+            config:
+              - subnet: '{{ services.mailu.subnet }}'
+        external_services:
+          external:
+            name: external_services
--- a/roles/docker/tasks/services/mastodon.yml
+++ b/roles/docker/tasks/services/mastodon.yml
@ -0,0 +1,126 @@
+---
+- name: create mastodon volume folders
+  ansible.builtin.file:
+    name: '{{ services.mastodon.volume_folder }}/{{ volume }}'
+    state: directory
+    owner: '991'
+    group: '991'
+  loop:
+    - postgres_data
+    - redis_data
+    - mastodon_data
+  loop_control:
+    loop_var: volume
+
+- name: Copy mastodon environment file
+  ansible.builtin.template:
+    src: files/configs/mastodon/env_file.j2
+    dest: '{{ services.mastodon.volume_folder }}/env_file'
+
+- name: upload vhost config for root domain
+  ansible.builtin.template:
+    src: files/configs/mastodon/vhost-mastodon
+    dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain
+      }}'
+
+- name: set up mastodon
+  community.docker.docker_compose:
+    project_name: mastodon
+    pull: true
+    definition:
+      version: '3'
+      services:
+        db:
+          restart: always
+          image: postgres:14-alpine
+          shm_size: 256mb
+          networks:
+            - internal_network
+          healthcheck:
+            test: [CMD, pg_isready, -U, postgres]
+          volumes:
+            - '{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data'
+          environment:
+            - POSTGRES_HOST_AUTH_METHOD=trust
+
+        redis:
+          restart: always
+          image: redis:6-alpine
+          networks:
+            - internal_network
+          healthcheck:
+            test: [CMD, redis-cli, ping]
+          volumes:
+            - '{{ services.mastodon.volume_folder }}/redis_data:/data'
+
+        web:
+          image: tootsuite/mastodon:{{ services.mastodon.version }}
+          restart: always
+          env_file: '{{ services.mastodon.volume_folder }}/env_file'
+          command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails
+            s -p 3000"
+          networks:
+            - external_services
+            - internal_network
+          healthcheck:
+            test: |
+              [CMD-SHELL, wget -q --spider --proxy=off localhost:3000/health || exit 1]
+          depends_on:
+            - db
+            - redis
+          volumes:
+            - '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
+          environment:
+            VIRTUAL_HOST: '{{ services.mastodon.domain }}'
+            VIRTUAL_PORT: '3000'
+            VIRTUAL_PATH: /
+            LETSENCRYPT_HOST: '{{ services.mastodon.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+
+        streaming:
+          image: tootsuite/mastodon:{{ services.mastodon.version }}
+          restart: always
+          env_file: '{{ services.mastodon.volume_folder }}/env_file'
+          command: node ./streaming
+          networks:
+            - external_services
+            - internal_network
+          healthcheck:
+            test: |
+              [CMD-SHELL, wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1]
+          ports:
+            - 127.0.0.1:4000:4000
+          depends_on:
+            - db
+            - redis
+          environment:
+            VIRTUAL_HOST: '{{ services.mastodon.domain }}'
+            VIRTUAL_PORT: '4000'
+            VIRTUAL_PATH: /api/v1/streaming
+
+        sidekiq:
+          image: tootsuite/mastodon:{{ services.mastodon.version }}
+          restart: always
+          env_file: '{{ services.mastodon.volume_folder }}/env_file'
+          command: bundle exec sidekiq -c 32
+          environment:
+            DB_POOL: 32
+          depends_on:
+            - db
+            - redis
+          networks:
+            - postfix
+            - external_services
+            - internal_network
+          volumes:
+            - '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
+          healthcheck:
+            test: [CMD-SHELL, "ps aux | grep '[s]idekiq 6' || false"]
+
+      networks:
+        external_services:
+          external: true
+        postfix:
+          external: true
+        internal_network:
+          internal: true
--- a/roles/docker/tasks/services/matrix_riot.yml
+++ b/roles/docker/tasks/services/matrix_riot.yml
@ -0,0 +1,127 @@
+---
+- name: create matrix volume folders
+  ansible.builtin.file:
+    name: '{{ services.matrix.volume_folder }}/{{ volume }}'
+    state: directory
+    owner: '991'
+    group: '991'
+  loop:
+    - data
+    - data/uploads
+    - data/media
+  loop_control:
+    loop_var: volume
+
+- name: create matrix DB folder
+  ansible.builtin.file:
+    name: '{{ services.matrix.volume_folder }}/db'
+    state: directory
+
+- name: create riot volume folders
+  ansible.builtin.file:
+    name: '{{ services.riot.volume_folder }}/{{ volume }}'
+    state: directory
+  loop:
+    - data
+  loop_control:
+    loop_var: volume
+
+- name: upload riot config.json
+  ansible.builtin.template:
+    src: files/configs/riot/config.json
+    dest: '{{ services.riot.volume_folder }}/data/config.json'
+
+- name: upload riot.im.conf
+  ansible.builtin.template:
+    src: files/configs/riot/riot.im.conf
+    dest: '{{ services.riot.volume_folder }}/data/riot.im.conf'
+
+- name: upload vhost config for root domain
+  ansible.builtin.template:
+    src: files/configs/matrix/vhost-root
+    dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}'
+
+- name: upload vhost config for matrix domain
+  ansible.builtin.template:
+    src: files/configs/matrix/vhost-matrix
+    dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain
+      }}'
+
+- name: upload vhost config for riot domain
+  ansible.builtin.template:
+    src: files/configs/matrix/vhost-riot
+    dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ domain }}'
+  loop: '{{ services.riot.domains }}'
+  loop_control:
+    loop_var: domain
+
+- name: upload homeserver.yaml
+  ansible.builtin.template:
+    src: files/configs/matrix/homeserver.yaml.j2
+    dest: '{{ services.matrix.volume_folder }}/data/homeserver.yaml'
+
+- name: upload matrix logging config
+  ansible.builtin.template:
+    src: files/configs/matrix/matrix.data.coop.log.config
+    dest: '{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config'
+
+- name: set up matrix and riot
+  community.docker.docker_compose:
+    project_name: matrix
+    pull: true
+    definition:
+      version: '3.6'
+      services:
+        matrix_db:
+          container_name: matrix_db
+          image: postgres:10
+          restart: unless-stopped
+          networks:
+            - matrix
+          volumes:
+            - '{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data'
+          environment:
+            POSTGRES_USER: synapse
+            POSTGRES_PASSWORD: '{{ postgres_passwords.matrix }}'
+
+        matrix_app:
+          container_name: matrix
+          image: matrixdotorg/synapse:{{ services.matrix.version }}
+          restart: unless-stopped
+          networks:
+            - matrix
+            - external_services
+          volumes:
+            - '{{ services.matrix.volume_folder }}/data:/data'
+          environment:
+            SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+            SYNAPSE_CACHE_FACTOR: '2'
+            SYNAPSE_LOG_LEVEL: INFO
+            VIRTUAL_HOST: '{{ services.matrix.domain }}'
+            VIRTUAL_PORT: '8008'
+            LETSENCRYPT_HOST: '{{ services.matrix.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+
+        riot:
+          container_name: riot_app
+          image: avhost/docker-matrix-riot:{{ services.riot.version }}
+          restart: unless-stopped
+          networks:
+            - matrix
+            - external_services
+          expose:
+            - 8080
+          volumes:
+            - '{{ services.riot.volume_folder }}/data:/data'
+          environment:
+            VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
+            VIRTUAL_PORT: '8080'
+            LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+
+      networks:
+        external_services:
+          external:
+            name: external_services
+        matrix:
+          name: matrix
--- a/roles/docker/tasks/services/membersystem.yml
+++ b/roles/docker/tasks/services/membersystem.yml
@ -0,0 +1,55 @@
+---
+
+- name: run membersystem containers
+  community.docker.docker_compose:
+    project_name: member.data.coop
+    pull: true
+    definition:
+      version: '3'
+      services:
+        backend:
+          image: docker.data.coop/membersystem:latest
+          restart: always
+          user: $UID:$GID
+          tty: true
+          depends_on:
+            - postgres
+          networks:
+            - membersystem
+            - external_services
+            - postfix
+          environment:
+            SECRET_KEY: '{{ membersystem_secrets.secret_key }}'
+            DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem
+              }}@postgres:5432/postgres
+            POSTGRES_HOST: postgres
+            POSTGRES_PORT: 5432
+            EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
+            EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
+            VIRTUAL_HOST: '{{ services.membersystem.domain }}'
+            VIRTUAL_PORT: '8000'
+            LETSENCRYPT_HOST: '{{ services.membersystem.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+            ALLOWED_HOSTS: '{{ services.membersystem.domain }}'
+            CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
+            DJANGO_ADMINS: '{{ services.membersystem.django_admins }}'
+            DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
+          labels:
+            com.centurylinklabs.watchtower.enable: 'true'
+
+        postgres:
+          image: postgres:13-alpine
+          restart: always
+          volumes:
+            - '{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data'
+          networks:
+            - membersystem
+          environment:
+            POSTGRES_PASSWORD: '{{ postgres_passwords.membersystem }}'
+
+      networks:
+        membersystem:
+        external_services:
+          external: true
+        postfix:
+          external: true
--- a/roles/docker/tasks/services/netdata.yml
+++ b/roles/docker/tasks/services/netdata.yml
@ -0,0 +1,25 @@
+---
+
+- name: setup netdata docker container for system monitoring
+  community.docker.docker_container:
+    name: netdata
+    image: netdata/netdata:{{ services.netdata.version }}
+    restart_policy: unless-stopped
+    hostname: hevonen.servers.{{ base_domain }}
+    capabilities:
+      - SYS_PTRACE
+    security_opts:
+      - apparmor:unconfined
+    volumes:
+      - /proc:/host/proc:ro
+      - /sys:/host/sys:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: '{{ services.netdata.domain }}'
+      LETSENCRYPT_HOST: '{{ services.netdata.domain }}'
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+      PGID: '999'
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/tasks/services/nextcloud.yml
+++ b/roles/docker/tasks/services/nextcloud.yml
@ -0,0 +1,76 @@
+---
+- name: upload vhost config for cloud.data.coop
+  ansible.builtin.template:
+    src: files/configs/nextcloud/vhost
+    dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain
+      }}'
+  notify: restart nginx
+
+- name: setup nextcloud containers
+  community.docker.docker_compose:
+    project_name: nextcloud
+    pull: true
+    definition:
+      services:
+        postgres:
+          image: postgres:10
+          restart: unless-stopped
+          networks:
+            - nextcloud
+          volumes:
+            - '{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data'
+          environment:
+            POSTGRES_DB: nextcloud
+            POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
+            POSTGRES_USER: nextcloud
+
+        redis:
+          image: redis:7-alpine
+          restart: unless-stopped
+          command: redis-server --requirepass {{ nextcloud_secrets.redis_password
+            }}
+          tmpfs:
+            - /var/lib/redis
+          networks:
+            - nextcloud
+
+        cron:
+          image: nextcloud:{{ services.nextcloud.version }}
+          restart: unless-stopped
+          entrypoint: /cron.sh
+          networks:
+            - nextcloud
+          volumes:
+            - '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
+          depends_on:
+            - postgres
+            - redis
+        app:
+          image: nextcloud:{{ services.nextcloud.version }}
+          restart: unless-stopped
+          networks:
+            - nextcloud
+            - postfix
+            - external_services
+          volumes:
+            - '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
+          environment:
+            VIRTUAL_HOST: '{{ services.nextcloud.domain }}'
+            LETSENCRYPT_HOST: '{{ services.nextcloud.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+            POSTGRES_HOST: postgres
+            POSTGRES_DB: nextcloud
+            POSTGRES_USER: nextcloud
+            POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
+            REDIS_HOST: redis
+            REDIS_HOST_PASSWORD: '{{ nextcloud_secrets.redis_password }}'
+          depends_on:
+            - postgres
+            - redis
+
+      networks:
+        nextcloud:
+        postfix:
+          external: true
+        external_services:
+          external: true
--- a/roles/docker/tasks/services/nginx_proxy.yml
+++ b/roles/docker/tasks/services/nginx_proxy.yml
@ -0,0 +1,47 @@
+---
+
+- name: create nginx-proxy volume folders
+  ansible.builtin.file:
+    name: '{{ services.nginx_proxy.volume_folder }}/{{ volume }}'
+    state: directory
+  loop:
+    - conf
+    - vhost
+    - html
+    - dhparam
+    - certs
+  loop_control:
+    loop_var: volume
+
+- name: nginx proxy container
+  community.docker.docker_container:
+    name: nginx-proxy
+    image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
+    restart_policy: always
+    networks:
+      - name: external_services
+    published_ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - '{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d'
+      - '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
+      - '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
+      - '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam'
+      - '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro'
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+
+- name: nginx letsencrypt container
+  community.docker.docker_container:
+    name: nginx-proxy-le
+    image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
+    restart_policy: always
+    volumes:
+      - '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
+      - '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
+      - '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro'
+      - '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs'
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    env:
+      NGINX_PROXY_CONTAINER: nginx-proxy
+  when: letsencrypt_enabled
--- a/roles/docker/tasks/services/openldap.yml
+++ b/roles/docker/tasks/services/openldap.yml
@ -0,0 +1,73 @@
+---
+- name: create ldap volume folders
+  ansible.builtin.file:
+    name: '{{ services.openldap.volume_folder }}/{{ volume }}'
+    state: directory
+  loop:
+    - var/lib/ldap
+    - etc/slapd
+    - certs
+  loop_control:
+    loop_var: volume
+
+- name: Create a network for ldap
+  community.docker.docker_network:
+    name: ldap
+
+- name: openLDAP container
+  community.docker.docker_container:
+    name: openldap
+    image: osixia/openldap:{{ services.openldap.version }}
+    tty: true
+    interactive: true
+    restart_policy: unless-stopped
+    volumes:
+      - '{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap'
+      - '{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d'
+      - '{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/'
+    published_ports:
+      - 389:389
+      - 636:636
+    hostname: '{{ services.openldap.domain }}'
+    domainname: '{{ services.openldap.domain }}' # important: same as hostname
+    networks:
+      - name: ldap
+    env:
+      LDAP_LOG_LEVEL: '256'
+      LDAP_ORGANISATION: '{{ base_domain }}'
+      LDAP_DOMAIN: '{{ base_domain }}'
+      LDAP_BASE_DN: ''
+      LDAP_ADMIN_PASSWORD: '{{ ldap_admin_password }}'
+      LDAP_CONFIG_PASSWORD: '{{ ldap_config_password }}'
+      LDAP_READONLY_USER: 'false'
+      LDAP_RFC2307BIS_SCHEMA: 'false'
+      LDAP_BACKEND: mdb
+      LDAP_TLS: 'true'
+      LDAP_TLS_CRT_FILENAME: ldap.crt
+      LDAP_TLS_KEY_FILENAME: ldap.key
+      LDAP_TLS_CA_CRT_FILENAME: ca.crt
+      LDAP_TLS_ENFORCE: 'false'
+      LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+      LDAP_TLS_PROTOCOL_MIN: '3.1'
+      LDAP_TLS_VERIFY_CLIENT: demand
+      LDAP_REPLICATION: 'false'
+      KEEP_EXISTING_CONFIG: 'false'
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: 'true'
+      LDAP_SSL_HELPER_PREFIX: ldap
+
+- name: phpLDAPadmin container
+  community.docker.docker_container:
+    name: phpldapadmin
+    image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+      - name: ldap
+    env:
+      PHPLDAPADMIN_LDAP_HOSTS: openldap
+      PHPLDAPADMIN_HTTPS: 'false'
+      PHPLDAPADMIN_TRUST_PROXY_SSL: 'true'
+
+      VIRTUAL_HOST: '{{ services.openldap.domain }}'
+      LETSENCRYPT_HOST: '{{ services.openldap.domain }}'
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
--- a/roles/docker/tasks/services/passit.yml
+++ b/roles/docker/tasks/services/passit.yml
@ -0,0 +1,46 @@
+---
+
+- name: setup passit containers
+  community.docker.docker_compose:
+    project_name: passit
+    pull: true
+    definition:
+      version: '3.6'
+      services:
+        passit_db:
+          image: postgres:10
+          restart: always
+          networks:
+            - passit
+          volumes:
+            - '{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data'
+          environment:
+            POSTGRES_USER: passit
+            POSTGRES_PASSWORD: '{{ postgres_passwords.passit }}'
+
+        passit_app:
+          image: passit/passit:{{ services.passit.version }}
+          command: bin/start.sh
+          restart: always
+          networks:
+            - passit
+            - postfix
+            - external_services
+          environment:
+            DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit
+            SECRET_KEY: '{{ passit_secret_key }}'
+            IS_DEBUG: 'False'
+            EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
+            DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
+            EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
+            FIDO_SERVER_ID: '{{ services.passit.domain }}'
+            VIRTUAL_HOST: '{{ services.passit.domain }}'
+            LETSENCRYPT_HOST: '{{ services.passit.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+
+      networks:
+        passit:
+        postfix:
+          external: true
+        external_services:
+          external: true
--- a/roles/docker/tasks/services/portainer.yml
+++ b/roles/docker/tasks/services/portainer.yml
@ -0,0 +1,22 @@
+---
+
+- name: create portainer volume folder
+  ansible.builtin.file:
+    name: '{{ services.portainer.volume_folder }}'
+    state: directory
+
+- name: run portainer
+  community.docker.docker_container:
+    name: portainer
+    image: portainer/portainer-ee:{{ services.portainer.version }}
+    restart_policy: always
+    networks:
+      - name: external_services
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - '{{ services.portainer.volume_folder }}:/data'
+    env:
+      VIRTUAL_HOST: '{{ services.portainer.domain }}'
+      VIRTUAL_PORT: '9000'
+      LETSENCRYPT_HOST: '{{ services.portainer.domain }}'
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
--- a/roles/docker/tasks/services/postfix.yml
+++ b/roles/docker/tasks/services/postfix.yml
@ -0,0 +1,21 @@
+---
+
+- name: setup network for postfix
+  community.docker.docker_network:
+    name: postfix
+    ipam_config:
+      - subnet: 172.16.0.0/16
+        gateway: 172.16.0.1
+
+- name: setup postfix docker container for outgoing mail
+  community.docker.docker_container:
+    name: postfix
+    image: boky/postfix:{{ services.postfix.version }}
+    restart_policy: always
+    networks:
+      - name: postfix
+    env:
+# Get all services which have allowed_sender_domain defined
+      ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain',\
+        \ 'defined') | map(attribute='value.domain') | list | join(' ') }}"
+      HOSTNAME: smtp.data.coop # the name the smtp server will identify itself as
--- a/roles/docker/tasks/services/privatebin.yml
+++ b/roles/docker/tasks/services/privatebin.yml
@ -0,0 +1,31 @@
+---
+
+- name: create privatebin volume folders
+  ansible.builtin.file:
+    name: '{{ services.privatebin.volume_folder }}/{{ volume }}'
+    state: directory
+  loop:
+    - cfg
+    - data
+  loop_control:
+    loop_var: volume
+
+- name: upload privatebin config
+  ansible.builtin.template:
+    src: files/configs/privatebin-conf.php
+    dest: '{{ services.privatebin.volume_folder }}/cfg/conf.php'
+
+- name: privatebin app container
+  community.docker.docker_container:
+    name: privatebin
+    image: jgeusebroek/privatebin:{{ services.privatebin.version }}
+    restart_policy: unless-stopped
+    volumes:
+      - '{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg'
+      - '{{ services.privatebin.volume_folder }}/data:/privatebin/data'
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: '{{ services.privatebin.domain }}'
+      LETSENCRYPT_HOST: '{{ services.privatebin.domain }}'
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
--- a/roles/docker/tasks/services/rallly.yml
+++ b/roles/docker/tasks/services/rallly.yml
@ -0,0 +1,64 @@
+---
+- name: Create rallly volume folders
+  ansible.builtin.file:
+    name: '{{ services.rallly.volume_folder }}/postgres'
+    state: directory
+
+- name: Copy Rallly environment file
+  ansible.builtin.template:
+    src: files/configs/rallly/env_file.j2
+    dest: '{{ services.rallly.volume_folder }}/env_file'
+
+- name: Set up Rallly
+  community.docker.docker_compose:
+    project_name: rallly
+    pull: true
+    definition:
+      version: '3.8'
+      services:
+        rallly_db:
+          image: postgres:14-alpine
+          restart: always
+          shm_size: 256mb
+          networks:
+            rallly_internal:
+          volumes:
+            - '{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data'
+          environment:
+            POSTGRES_PASSWORD: '{{ postgres_passwords.rallly }}'
+            POSTGRES_DB: rallly_db
+          healthcheck:
+            test: [CMD-SHELL, pg_isready -U postgres]
+            interval: 5s
+            timeout: 5s
+            retries: 5
+          labels:
+            com.centurylinklabs.watchtower.enable: 'true'
+
+        rallly:
+          image: lukevella/rallly:{{ services.rallly.version }}
+          restart: always
+          networks:
+            rallly_internal:
+            external_services:
+            postfix:
+          depends_on:
+            rallly_db:
+              condition: service_healthy
+          env_file:
+            - '{{ services.rallly.volume_folder }}/env_file'
+          environment:
+            VIRTUAL_HOST: '{{ services.rallly.domain }}'
+            VIRTUAL_PORT: '3000'
+            LETSENCRYPT_HOST: '{{ services.rallly.domain }}'
+            LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+          labels:
+            com.centurylinklabs.watchtower.enable: 'true'
+
+      networks:
+        rallly_internal:
+          internal: true
+        external_services:
+          external: true
+        postfix:
+          external: true
--- a/roles/docker/tasks/services/restic_backup.yml
+++ b/roles/docker/tasks/services/restic_backup.yml
@ -0,0 +1,40 @@
+---
+- name: Setup restic backup
+  community.docker.docker_compose:
+    project_name: restic_backup
+    pull: true
+    definition:
+      version: '3.6'
+      services:
+        restic-backup:
+          image: mazzolino/restic:{{ services.restic.version }}
+          restart: always
+          environment:
+            RUN_ON_STARTUP: 'true'
+            BACKUP_CRON: 0 30 3 * * *
+            RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
+              }}@{{ services.restic.domain }}/{{ services.restic.repository }}
+            RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
+            RESTIC_BACKUP_SOURCES: /mnt/volumes
+            RESTIC_BACKUP_ARGS: >-
+              --tag datacoop-volumes
+              --exclude='*.tmp'
+              --verbose
+            RESTIC_FORGET_ARGS: >-
+              --keep-last 10
+              --keep-daily 7
+              --keep-weekly 5
+              --keep-monthly 12
+            TZ: Europe/Copenhagen
+          volumes:
+            - /docker-volumes:/mnt/volumes:ro
+
+        restic-prune:
+          image: mazzolino/restic:{{ services.restic.version }}
+          environment:
+            RUN_ON_STARTUP: 'true'
+            PRUNE_CRON: 0 0 4 * * *
+            RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
+              }}@{{ services.restic.domain }}/{{ services.restic.repository }}
+            RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
+            TZ: Europe/copenhagen
--- a/roles/docker/tasks/services/watchtower.yml
+++ b/roles/docker/tasks/services/watchtower.yml
@ -0,0 +1,14 @@
+---
+- name: watchtower container
+  community.docker.docker_container:
+    name: watchtower
+    image: containrrr/watchtower:1.4.0
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - '{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json'
+    env:
+      WATCHTOWER_LABEL_ENABLE: 'true'
+      WATCHTOWER_POLL_INTERVAL: '60'
--- a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml
+++ b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml
@ -0,0 +1,24 @@
+---
+
+- name: setup 2022.slides.data.coop website using unipi
+  community.docker.docker_container:
+    name: 2022.slides.data.coop_website
+    image: docker.data.coop/unipi:latest
+    restart_policy: unless-stopped
+    purge_networks: true
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
+        }}
+      LETSENCRYPT_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
+        }}
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+# Temporarily hosting on github
+    command: --remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022
+    capabilities:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml
+++ b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml
@ -0,0 +1,15 @@
+---
+
+- name: setup cryptoaarhus.dk website docker container
+  community.docker.docker_container:
+    name: cryptoaarhus_website
+    restart_policy: unless-stopped
+    image: docker.data.coop/cryptoaarhus-website
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/tasks/services/websites/cryptohagen.dk.yml
+++ b/roles/docker/tasks/services/websites/cryptohagen.dk.yml
@ -0,0 +1,15 @@
+---
+
+- name: setup cryptohagen.dk website docker container
+  community.docker.docker_container:
+    name: cryptohagen_website
+    restart_policy: unless-stopped
+    image: docker.data.coop/cryptohagen-website
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/tasks/services/websites/data.coop.yml
+++ b/roles/docker/tasks/services/websites/data.coop.yml
@ -0,0 +1,15 @@
+---
+
+- name: setup data.coop website docker container
+  community.docker.docker_container:
+    name: data.coop_website
+    image: docker.data.coop/data-coop-website
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ services.data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/tasks/services/websites/new-new.data.coop.yml
+++ b/roles/docker/tasks/services/websites/new-new.data.coop.yml
@ -0,0 +1,23 @@
+---
+- name: setup new-new data.coop website using unipi
+  community.docker.docker_container:
+    name: new-new.data.coop_website
+    image: docker.data.coop/unipi:latest
+    restart_policy: unless-stopped
+    purge_networks: true
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: new-new.{{ services.data_coop_website.domains | join(',') }}
+      LETSENCRYPT_HOST: new-new.{{ services.data_coop_website.domains | join(',')
+        }}
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+# The ssh-key is for read-only only
+    command: --remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU=
+      --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI
+    capabilities:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/tasks/services/websites/new.data.coop.yml
+++ b/roles/docker/tasks/services/websites/new.data.coop.yml
@ -0,0 +1,15 @@
+---
+
+- name: setup new data.coop website using hugo
+  community.docker.docker_container:
+    name: new.data.coop_website
+    image: docker.data.coop/data-coop-website:hugo
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: new.{{ services.data_coop_website.domains|join(',') }}
+      LETSENCRYPT_HOST: new.{{ services.data_coop_website.domains|join(',') }}
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
+++ b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
@ -0,0 +1,14 @@
+---
+- name: setup ulovliglogning.dk website docker container
+  community.docker.docker_container:
+    name: ulovliglogning_website
+    restart_policy: unless-stopped
+    image: ulovliglogning/ulovliglogning.dk:latest
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
--- a/roles/docker/templates/compose-files/cryptoaarhus_website.yml.j2
+++ b/roles/docker/templates/compose-files/cryptoaarhus_website.yml.j2
@ -1,17 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  web:
-    image: docker.data.coop/cryptoaarhus-website
-    restart: unless-stopped
-    networks:
-      - external_services
-    environment:
-      VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains | join(',') }}"
-      LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains | join(',') }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/cryptohagen_website.yml.j2
+++ b/roles/docker/templates/compose-files/cryptohagen_website.yml.j2
@ -1,17 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  web:
-    image: docker.data.coop/cryptohagen-website
-    restart: unless-stopped
-    networks:
-      - external_services
-    environment:
-      VIRTUAL_HOST : "{{ services.cryptohagen_website.domains | join(',') }}"
-      LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/data_coop_website.yml.j2
+++ b/roles/docker/templates/compose-files/data_coop_website.yml.j2
@ -1,27 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  prod-web:
-    image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
-    restart: unless-stopped
-    networks:
-      - external_services
-    environment:
-      VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
-      LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-  staging-web:
-    image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
-    restart: unless-stopped
-    networks:
-      - external_services
-    environment:
-      VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
-      LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/diun.yml.j2
+++ b/roles/docker/templates/compose-files/diun.yml.j2
@ -1,21 +0,0 @@
-# vim: ft=yaml.ansible
---
-version: "3.5"
-
-services:
-  diun:
-    image: "ghcr.io/crazy-max/diun:{{ services.diun.version }}"
-    command: serve
-    volumes:
-      - "./data:/data"
-      - "/var/run/docker.sock:/var/run/docker.sock"
-    environment:
-      - "TZ=Europe/Paris"
-      - "DIUN_WATCH_WORKERS=20"
-      - "DIUN_WATCH_SCHEDULE=0 */6 * * *"
-      - "DIUN_WATCH_JITTER=30s"
-      - "DIUN_PROVIDERS_DOCKER=true"
-      - "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
-    labels:
-      - "diun.enable=true"
-    restart: always
--- a/roles/docker/templates/compose-files/docker_registry.yml.j2
+++ b/roles/docker/templates/compose-files/docker_registry.yml.j2
@ -1,23 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  app:
-    image: registry:{{ services.docker_registry.version }}
-    restart: always
-    networks:
-      - external_services
-    volumes:
-      - "./registry:/var/lib/registry"
-      - "./auth:/auth"
-    environment:
-      VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
-      LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      REGISTRY_AUTH: "htpasswd"
-      REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
-      REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/drone.yml.j2
+++ b/roles/docker/templates/compose-files/drone.yml.j2
@ -1,40 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  app:
-    image: drone/drone:{{ services.drone.version }}
-    restart: unless-stopped
-    networks:
-      - default
-      - external_services
-    volumes:
-      - ".:/data"
-      - "/var/run/docker.sock:/var/run/docker.sock"
-    environment:
-      DRONE_GITEA_SERVER: https://{{ services.forgejo.domain }}
-      DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
-      DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
-      DRONE_GIT_ALWAYS_AUTH: true
-      DRONE_SERVER_HOST: "{{ services.drone.domain }}"
-      DRONE_SERVER_PROTO: https
-      DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
-      VIRTUAL_HOST: "{{ services.drone.domain }}"
-      LETSENCRYPT_HOST: "{{ services.drone.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-  runner:
-    image: drone/drone-runner-docker:{{ services.drone.version }}
-    restart: unless-stopped
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
-    environment:
-      DRONE_RPC_HOST: "{{ services.drone.domain }}"
-      DRONE_RPC_PROTO: https
-      DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
-      DRONE_RUNNER_CAPACITY: 2
-      DRONE_RUNNER_NAME: data.coop_drone_runner
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/element.yml.j2
+++ b/roles/docker/templates/compose-files/element.yml.j2
@ -1,22 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  app:
-    image: avhost/docker-matrix-element:{{ services.element.version }}
-    restart: unless-stopped
-    networks:
-      - external_services
-    expose:
-      - "8080"
-    volumes:
-      - "./data:/data"
-    environment:
-      VIRTUAL_HOST: "{{ services.element.domain }}"
-      VIRTUAL_PORT: "8080"
-      LETSENCRYPT_HOST: "{{ services.element.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/fedi_dk_website.yml.j2
+++ b/roles/docker/templates/compose-files/fedi_dk_website.yml.j2
@ -1,22 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  web:
-    image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
-    restart: unless-stopped
-    networks:
-      - external_services
-    environment:
-      VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
-      LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-    command: --remote=https://git.data.coop/fedi.dk/website.git#main
-    cap_add:
-      - NET_ADMIN
-    devices:
-      - "/dev/net/tun"
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/forgejo.yml.j2
+++ b/roles/docker/templates/compose-files/forgejo.yml.j2
@ -1,38 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  app:
-    image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
-    restart: unless-stopped
-    networks:
-      - external_services
-      - postfix
-    volumes:
-      - ".:/data"
-    ports:
-      - "22:22"
-    environment:
-      VIRTUAL_HOST: "{{ services.forgejo.domain }}"
-      VIRTUAL_PORT: "3000"
-      LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      # Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
-      # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
-      FORGEJO__mailer__ENABLED: true
-      FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }}
-      FORGEJO__mailer__PROTOCOL: smtp
-      FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}"
-      FORGEJO__mailer__SMTP_PORT: "{{ smtp_port }}"
-      FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
-      FORGEJO__security__PASSWORD_COMPLEXITY: off
-      FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
-      FORGEJO__security__PASSWORD_CHECK_PWN: true
-      FORGEJO__service__ENABLE_NOTIFY_MAIL: true
-      FORGEJO__service__REGISTER_EMAIL_CONFIRM: true
-
-networks:
-  external_services:
-    external: true
-  postfix:
-    external: true
--- a/roles/docker/templates/compose-files/hedgedoc.yml.j2
+++ b/roles/docker/templates/compose-files/hedgedoc.yml.j2
@ -1,44 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  db:
-    image: postgres:{{ services.hedgedoc.postgres_version }}
-    restart: unless-stopped
-    volumes:
-      - "./db:/var/lib/postgresql/data"
-    environment:
-      POSTGRES_USER: codimd
-      POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
-      POSTGRES_DB: codimd
-
-  app:
-    image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
-    volumes:
-      - "./hedgedoc/uploads:/hedgedoc/public/uploads"
-      - "./sso.data.coop.pem:/sso.data.coop.pem"
-    restart: unless-stopped
-    networks:
-      - default
-      - external_services
-    environment:
-      CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@db:5432/codimd
-      CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
-      CMD_ALLOW_EMAIL_REGISTER: False
-      CMD_IMAGE_UPLOAD_TYPE: filesystem
-      CMD_EMAIL: False
-      CMD_SAML_IDPCERT: /sso.data.coop.pem
-      CMD_SAML_IDPSSOURL: https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml
-      CMD_SAML_ISSUER: hedgedoc
-      CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
-      CMD_USECDN: false
-      CMD_PROTOCOL_USESSL: true
-      VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
-      LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-    depends_on:
-      - db
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/keycloak.yml.j2
+++ b/roles/docker/templates/compose-files/keycloak.yml.j2
@ -1,42 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  db:
-    image: postgres:{{ services.keycloak.postgres_version }}
-    restart: unless-stopped
-    volumes:
-      - "./data:/var/lib/postgresql/data"
-    environment:
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
-      POSTGRES_DB: keycloak
-
-  app:
-    image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
-    restart: unless-stopped
-    networks:
-      - default
-      - postfix
-      - external_services
-    command:
-      - "start"
-      - "--db=postgres"
-      - "--db-url=jdbc:postgresql://db:5432/keycloak"
-      - "--db-username=keycloak"
-      - "--db-password={{ postgres_passwords.keycloak }}"
-      - "--hostname={{ services.keycloak.domain }}"
-      - "--proxy=edge"
-      - "--https-port=8080"
-      - "--http-relative-path=/auth"
-    environment:
-      VIRTUAL_HOST: "{{ services.keycloak.domain }}"
-      VIRTUAL_PORT: "8080"
-      LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-networks:
-  postfix:
-    external: true
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/mailu.yml.j2
+++ b/roles/docker/templates/compose-files/mailu.yml.j2
@ -1,146 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  postgres:
-    image: postgres:{{ services.mailu.postgres_version }}
-    restart: unless-stopped
-    environment:
-      POSTGRES_DB: mailu
-      POSTGRES_USER: mailu
-      POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
-    volumes:
-      - "./postgres:/var/lib/postgresql/data"
-    dns:
-      - "{{ services.mailu.dns }}"
-
-  redis:
-    image: redis:{{ services.mailu.redis_version }}
-    restart: unless-stopped
-    volumes:
-      - "./redis:/data"
-    depends_on:
-      - resolver
-    dns:
-      - "{{ services.mailu.dns }}"
-
-  front:
-    image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
-    restart: unless-stopped
-    env_file: mailu.env
-    environment:
-      VIRTUAL_HOST: "{{ services.mailu.domain }}"
-      LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-    volumes:
-      - "./certs:/certs"
-      - "./overrides/nginx:/overrides:ro"
-    expose:
-      - "80"
-    ports:
-      - "25:25"
-      - "465:465"
-      - "587:587"
-      - "110:110"
-      - "995:995"
-      - "143:143"
-      - "993:993"
-    networks:
-      - default
-      - webmail
-      - external_services
-    depends_on:
-      - resolver
-    dns:
-      - "{{ services.mailu.dns }}"
-
-  resolver:
-    image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
-    restart: unless-stopped
-    env_file: mailu.env
-    networks:
-      default:
-        ipv4_address: "{{ services.mailu.dns }}"
-
-  admin:
-    image: ghcr.io/mailu/admin:{{ services.mailu.version }}
-    restart: unless-stopped
-    env_file: mailu.env
-    volumes:
-      - "./data:/data"
-      - "./dkim:/dkim"
-    networks:
-      default:
-        aliases:
-          - admin.mailu
-    depends_on:
-      - redis
-      - resolver
-    dns:
-      - "{{ services.mailu.dns }}"
-
-  imap:
-    image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
-    restart: unless-stopped
-    env_file: mailu.env
-    volumes:
-      - "./mail:/mail"
-      - "./overrides/dovecot:/overrides:ro"
-    depends_on:
-      - front
-      - resolver
-    dns:
-      - "{{ services.mailu.dns }}"
-
-  smtp:
-    image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
-    restart: unless-stopped
-    env_file: mailu.env
-    volumes:
-      - "./mailqueue:/queue"
-      - "./overrides/postfix:/overrides:ro"
-    depends_on:
-      - front
-      - resolver
-    dns:
-      - "{{ services.mailu.dns }}"
-
-
-  antispam:
-    image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
-    hostname: antispam
-    restart: unless-stopped
-    env_file: mailu.env
-    volumes:
-      - "./filter:/var/lib/rspamd"
-      - "./overrides/rspamd:/overrides:ro"
-    depends_on:
-      - front
-      - redis
-      - resolver
-    dns:
-      - "{{ services.mailu.dns }}"
-
-  webmail:
-    image: ghcr.io/mailu/webmail:{{ services.mailu.version }}
-    restart: unless-stopped
-    env_file: mailu.env
-    volumes:
-      - "./webmail:/data"
-      - "./overrides/snappymail:/overrides:ro"
-    networks:
-      - webmail
-    depends_on:
-      - front
-
-networks:
-  default:
-    driver: bridge
-    ipam:
-      driver: default
-      config:
-        - subnet: "{{ services.mailu.subnet }}"
-  webmail:
-    driver: bridge
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/mastodon.yml.j2
+++ b/roles/docker/templates/compose-files/mastodon.yml.j2
@ -1,146 +0,0 @@
-# vim: ft=yaml.docker-compose
-x-sidekiq: &sidekiq
-  image: tootsuite/mastodon:{{ services.mastodon.version }}
-  restart: always
-  env_file: mastodon.env
-  networks:
-    - default
-    - postfix
-    - external_services
-  volumes:
-    - "./mastodon_data:/mastodon/public/system"
-  healthcheck:
-    test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
-  depends_on:
-    db:
-      condition: service_healthy
-    redis:
-      condition: service_healthy
-
-version: "3.8"
-
-services:
-  db:
-    restart: always
-    image: postgres:{{ services.mastodon.postgres_version }}
-    shm_size: 256mb
-    volumes:
-      - "./postgres_data:/var/lib/postgresql/data"
-      - "./postgres_config:/config:ro"
-    command: postgres -c config_file=/config/postgresql.conf
-    environment:
-      POSTGRES_HOST_AUTH_METHOD: trust
-    healthcheck:
-      test: ['CMD', 'pg_isready', '-U', 'postgres']
-
-  redis:
-    restart: always
-    image: redis:{{ services.mastodon.redis_version }}
-    volumes:
-      - "./redis_data:/data"
-    healthcheck:
-      test: ['CMD', 'redis-cli', 'ping']
-
-  web:
-    image: tootsuite/mastodon:{{ services.mastodon.version }}
-    restart: always
-    env_file: mastodon.env
-    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
-    networks:
-      - default
-      - external_services
-    volumes:
-      - "./mastodon_data:/mastodon/public/system"
-    environment:
-      MAX_THREADS: 10
-      WEB_CONCURRENCY: 3
-      VIRTUAL_HOST: "{{ services.mastodon.domain }}"
-      VIRTUAL_PORT: "3000"
-      VIRTUAL_PATH: /
-      LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-    healthcheck:
-      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
-    depends_on:
-      db:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
-
-  streaming:
-    image: tootsuite/mastodon:{{ services.mastodon.version }}
-    restart: always
-    env_file: mastodon.env
-    command: node ./streaming
-    networks:
-      - default
-      - external_services
-    ports:
-      - "127.0.0.1:4000:4000"
-    environment:
-      DB_POOL: 15
-      VIRTUAL_HOST: "{{ services.mastodon.domain }}"
-      VIRTUAL_PORT: "4000"
-      VIRTUAL_PATH: "/api/v1/streaming"
-    healthcheck:
-      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
-    depends_on:
-      db:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
-
-  # sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
-  sidekiq-default-push-pull:
-    <<: *sidekiq
-    command: bundle exec sidekiq -c 25 -q default -q push -q pull
-    environment:
-      DB_POOL: 25
-
-  # sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
-  sidekiq-default-pull-push:
-    <<: *sidekiq
-    command: bundle exec sidekiq -c 25 -q default -q pull -q push
-    environment:
-      DB_POOL: 25
-
-  # sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
-  sidekiq-pull-default-push:
-    <<: *sidekiq
-    command: bundle exec sidekiq -c 25 -q pull -q default -q push
-    environment:
-      DB_POOL: 25
-
-  # sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
-  sidekiq-push-default-pull:
-    <<: *sidekiq
-    command: bundle exec sidekiq -c 25 -q push -q default -q pull
-    environment:
-      DB_POOL: 25
-
-  # sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
-  sidekiq-push-scheduler:
-    <<: *sidekiq
-    command: bundle exec sidekiq -c 5 -q push -q scheduler
-    environment:
-      DB_POOL: 5
-
-  # sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
-  sidekiq-push-mailers:
-    <<: *sidekiq
-    command: bundle exec sidekiq -c 5 -q push -q mailers
-    environment:
-      DB_POOL: 5
-
-  # sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
-  sidekiq-push-ingress:
-    <<: *sidekiq
-    command: bundle exec sidekiq -c 10 -q push -q ingress
-    environment:
-      DB_POOL: 10
-
-networks:
-  external_services:
-    external: true
-  postfix:
-    external: true
--- a/roles/docker/templates/compose-files/matrix.yml.j2
+++ b/roles/docker/templates/compose-files/matrix.yml.j2
@ -1,36 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  postgres:
-    image: postgres:{{ services.matrix.postgres_version }}
-    restart: unless-stopped
-    volumes:
-      - "./db:/var/lib/postgresql/data"
-    environment:
-      POSTGRES_USER: synapse
-      POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
-
-  synapse:
-    image: matrixdotorg/synapse:{{ services.matrix.version }}
-    restart: unless-stopped
-    networks:
-      - default
-      - external_services
-      - postfix
-    volumes:
-      - "./data:/data"
-    environment:
-      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
-      SYNAPSE_CACHE_FACTOR: "2"
-      SYNAPSE_LOG_LEVEL: INFO
-      VIRTUAL_HOST: "{{ services.matrix.domain }}"
-      VIRTUAL_PORT: "8008"
-      LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-networks:
-  external_services:
-    external: true
-  postfix:
-    external: true
--- a/roles/docker/templates/compose-files/membersystem.yml.j2
+++ b/roles/docker/templates/compose-files/membersystem.yml.j2
@ -1,44 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  app:
-    image: docker.data.coop/membersystem:{{ services.membersystem.version }}
-    restart: always
-    user: "$UID:$GID"
-    tty: true
-    networks:
-      - default
-      - external_services
-      - postfix
-    environment:
-      SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
-      DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
-      POSTGRES_HOST: postgres
-      POSTGRES_PORT: 5432
-      EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
-      EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
-      VIRTUAL_HOST: "{{ services.membersystem.domain }}"
-      VIRTUAL_PORT: "8000"
-      LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
-      CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
-      DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
-      DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
-    depends_on:
-      - postgres
-
-  postgres:
-    image: postgres:{{ services.membersystem.postgres_version }}
-    restart: always
-    volumes:
-      - "./postgres/data:/var/lib/postgresql/data"
-    environment:
-      POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
-
-networks:
-  external_services:
-    external: true
-  postfix:
-    external: true
--- a/roles/docker/templates/compose-files/netdata.yml.j2
+++ b/roles/docker/templates/compose-files/netdata.yml.j2
@ -1,36 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services: 
-  app:
-    image: netdata/netdata:{{ services.netdata.version }}
-    restart: unless-stopped
-    hostname: hevonen.servers.{{ base_domain }}
-    volumes: 
-      - "/proc:/host/proc:ro"
-      - "/sys:/host/sys:ro"
-      - "/etc/os-release:/host/etc/os-release:ro"
-    networks:
-      - default
-      - external_services
-    environment:
-      VIRTUAL_HOST : "{{ services.netdata.domain }}"
-      LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      PGID: "999"
-      DOCKER_HOST: "socket_proxy:2375"
-    cap_add:
-      - SYS_PTRACE
-    security_opt:
-      - apparmor:unconfined
-
-  socket-proxy:
-    image: tecnativa/docker-socket-proxy:latest
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-    environment:
-      CONTAINERS: 1
-
-networks:
-  external_services:
-    external: true
--- a/roles/docker/templates/compose-files/nextcloud.yml.j2
+++ b/roles/docker/templates/compose-files/nextcloud.yml.j2
@ -1,59 +0,0 @@
-# vim: ft=yaml.docker-compose
-version: "3.8"
-
-services:
-  postgres:
-    image: postgres:{{ services.nextcloud.postgres_version }}
-    restart: unless-stopped
-    volumes:
-      - "./postgres:/var/lib/postgresql/data"
-    environment:
-      POSTGRES_DB: nextcloud
-      POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
-      POSTGRES_USER: nextcloud
-
-  redis:
-    image: redis:{{ services.nextcloud.redis_version }}
-    restart: unless-stopped
-    command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}
-    tmpfs:
-      - /var/lib/redis
-
-  cron:
-    image: nextcloud:{{ services.nextcloud.version }}
-    restart: unless-stopped
-    entrypoint: /cron.sh
-    volumes:
-      - "./app:/var/www/html"
-    depends_on:
-      - postgres
-      - redis
-
-  app:
-    image: nextcloud:{{ services.nextcloud.version }}
-    restart: unless-stopped
-    networks:
-      - default
-      - postfix
-      - external_services
-    volumes:
-      - "./app:/var/www/html"
-    environment:
-      VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
-      LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      POSTGRES_HOST: postgres
-      POSTGRES_DB: nextcloud
-      POSTGRES_USER: nextcloud
-      POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
-      REDIS_HOST: redis
-      REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
-    depends_on:
-      - postgres
-      - redis
-
-networks:
-  postfix:
-    external: true
-  external_services:
-    external: true
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sam A.	5568254ddb	Add all: init	2022-11-26 21:54:11 +01:00
Sam A.	212a2a579e	Revert "Rename init to all in Makefile" This reverts commit `7df888f633`.	2022-11-26 21:40:21 +01:00
Sam A.	7df888f633	Rename init to all in Makefile	2022-11-26 21:36:40 +01:00
Víðir Valberg Guðmundsson	c870c2f14e	WIP.	2022-11-26 10:47:37 +01:00
Víðir Valberg Guðmundsson	62850cfba0	WIP.	2022-11-26 09:52:41 +01:00