fix(ubuntu): Fixed pipefile sets (wip)

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>

.gitignore

@@ -1,2 +0,0 @@
-/secrets.yml
-*.ovpn

README.md

@@ -50,3 +50,25 @@ export KUBECONFIG=~/.kube/config
 ```
 
 Install flux and continue in the flux repository.
+
+## Longhorn Nodes
+
+To create longhorn nodes from existing kubernetes nodes we want to increase
+their storage capacity. Since we're using VMs for our k3s nodes we can
+resize the root-disk of the VMs in the proxmox GUI.
+
+Then we have to resize the partitions inside of the VM so the root partition
+uses the newly available space.
+When we have LVM-based root partition we can do the following:
+
+```sh
+# Create a new partition from the free space.
+sudo fdisk /dev/sda
+# echo "n\n\n\n\n\nw\n"
+# n > 5x\n > w > \n
+# Create a LVM volume on the new partition
+sudo pvcreate /dev/sda3
+sudo vgextend  k3s-vg /dev/sda3
+# Use the newly available storage in the root volume
+sudo lvresize -l +100%FREE -r /dev/k3s-vg/root
+```

Vagrantfile

@@ -0,0 +1,31 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+Vagrant.configure("2") do |config|
+  config.vm.box = "bento/ubuntu-24.04"
+  config.vm.box_version = "202404.26.0"
+
+  # Configure VM provider resources (optional)
+  config.vm.provider :virtualbox do |v|
+    v.memory = 4096
+    v.cpus = 2
+  end
+
+  
+  config.vm.define "test" do |v|
+    v.vm.hostname = "test"
+    v.vm.network :private_network, ip: "192.168.56.123"
+
+    v.vm.provision "bootstrap", type: "shell" do |s|
+      s.inline = "sudo apt install ansible -y"
+    end
+    #
+    # Use Ansible for provisioning
+    v.vm.provision "ansible" do |ansible|
+      ansible.playbook = "playbook.yml"  # Path to the Ansible playbook relative to the Vagrantfile
+      ansible.inventory_path = "inventory"  # Path to the inventory file
+      # Extra vars can be defined if needed
+      # ansible.extra_vars = { some_var: "value" }
+    end
+
+  end
+end

ansible.cfg

@@ -0,0 +1,39 @@
+[defaults]
+# (pathspec) Colon separated paths in which Ansible will search for Roles.
+roles_path=./roles
+
+# (pathlist) Comma separated list of Ansible inventory sources
+inventory=./inventory/production
+
+# (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
+# If executable, it will be run and the resulting stdout will be used as the password.
+vault_password_file=/media/veracrypt1/scripts/ansible_vault.sh
+
+# (path) The password file to use for the become plugin. --become-password-file.
+# If executable, it will be run and the resulting stdout will be used as the password.
+become_password_file=/media/veracrypt1/scripts/ansible_become.sh
+
+# (list) Check all of these extensions when looking for 'variable' files which should be YAML or JSON or vaulted versions of these.
+# This affects vars_files, include_vars, inventory and vars plugins among others.
+yaml_valid_extensions=.yml
+
+# (boolean) Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host
+host_key_checking=False
+
+# (bool) This controls whether a failed Ansible playbook should create a .retry file.
+;retry_files_enabled=False
+
+# (path) This sets the path in which Ansible will save .retry files when a playbook fails and retry files are enabled.
+# This file will be overwritten after each run with the list of failed hosts from all plays.
+;retry_files_save_path=
+
+# (list) Allows to change the group variable precedence merge order.
+;precedence=all_inventory, groups_inventory, all_plugins_inventory, all_plugins_play, groups_plugins_inventory, groups_plugins_play
+
+[colors]
+# (string) Defines the color to use when showing 'Skipped' task status
+skip=dark gray
+
+[tags]
+# (list) default list of tags to skip in your plays, has precedence over Run Tags
+;skip=

ansible.cfg.default

@@ -0,0 +1,691 @@
+[defaults]
+# (boolean) By default Ansible will issue a warning when received from a task action (module or action plugin)
+# These warnings can be silenced by adjusting this setting to False.
+;action_warnings=True
+
+# (list) Accept list of cowsay templates that are 'safe' to use, set to empty list if you want to enable all installed templates.
+;cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+
+# (string) Specify a custom cowsay path or swap in your cowsay implementation of choice
+;cowpath=
+
+# (string) This allows you to chose a specific cowsay stencil for the banners or use 'random' to cycle through them.
+;cow_selection=default
+
+# (boolean) This option forces color mode even when running without a TTY or the "nocolor" setting is True.
+;force_color=False
+
+# (path) The default root path for Ansible config files on the controller.
+;home=~/.ansible
+
+# (boolean) This setting allows suppressing colorizing output, which is used to give a better indication of failure and status information.
+;nocolor=False
+
+# (boolean) If you have cowsay installed but want to avoid the 'cows' (why????), use this.
+;nocows=False
+
+# (boolean) Sets the default value for the any_errors_fatal keyword, if True, Task failures will be considered fatal errors.
+;any_errors_fatal=False
+
+# (path) The password file to use for the become plugin. --become-password-file.
+# If executable, it will be run and the resulting stdout will be used as the password.
+;become_password_file=
+
+# (pathspec) Colon separated paths in which Ansible will search for Become Plugins.
+;become_plugins={{ ANSIBLE_HOME ~ "/plugins/become:/usr/share/ansible/plugins/become" }}
+
+# (string) Chooses which cache plugin to use, the default 'memory' is ephemeral.
+;fact_caching=memory
+
+# (string) Defines connection or path information for the cache plugin
+;fact_caching_connection=
+
+# (string) Prefix to use for cache plugin files/tables
+;fact_caching_prefix=ansible_facts
+
+# (integer) Expiration timeout for the cache plugin data
+;fact_caching_timeout=86400
+
+# (list) List of enabled callbacks, not all callbacks need enabling, but many of those shipped with Ansible do as we don't want them activated by default.
+;callbacks_enabled=
+
+# (string) When a collection is loaded that does not support the running Ansible version (with the collection metadata key `requires_ansible`).
+;collections_on_ansible_version_mismatch=warning
+
+# (pathspec) Colon separated paths in which Ansible will search for collections content. Collections must be in nested *subdirectories*, not directly in these directories. For example, if ``COLLECTIONS_PATHS`` includes ``'{{ ANSIBLE_HOME ~ "/collections" }}'``, and you want to add ``my.collection`` to that directory, it must be saved as ``'{{ ANSIBLE_HOME} ~ "/collections/ansible_collections/my/collection" }}'``.
+
+;collections_path={{ ANSIBLE_HOME ~ "/collections:/usr/share/ansible/collections" }}
+
+# (boolean) A boolean to enable or disable scanning the sys.path for installed collections
+;collections_scan_sys_path=True
+
+# (path) The password file to use for the connection plugin. --connection-password-file.
+;connection_password_file=
+
+# (pathspec) Colon separated paths in which Ansible will search for Action Plugins.
+;action_plugins={{ ANSIBLE_HOME ~ "/plugins/action:/usr/share/ansible/plugins/action" }}
+
+# (boolean) When enabled, this option allows lookup plugins (whether used in variables as ``{{lookup('foo')}}`` or as a loop as with_foo) to return data that is not marked 'unsafe'.
+# By default, such data is marked as unsafe to prevent the templating engine from evaluating any jinja2 templating language, as this could represent a security risk. This option is provided to allow for backward compatibility, however users should first consider adding allow_unsafe=True to any lookups which may be expected to contain data which may be run through the templating engine late
+;allow_unsafe_lookups=False
+
+# (boolean) This controls whether an Ansible playbook should prompt for a login password. If using SSH keys for authentication, you probably do not need to change this setting.
+;ask_pass=False
+
+# (boolean) This controls whether an Ansible playbook should prompt for a vault password.
+;ask_vault_pass=False
+
+# (pathspec) Colon separated paths in which Ansible will search for Cache Plugins.
+;cache_plugins={{ ANSIBLE_HOME ~ "/plugins/cache:/usr/share/ansible/plugins/cache" }}
+
+# (pathspec) Colon separated paths in which Ansible will search for Callback Plugins.
+;callback_plugins={{ ANSIBLE_HOME ~ "/plugins/callback:/usr/share/ansible/plugins/callback" }}
+
+# (pathspec) Colon separated paths in which Ansible will search for Cliconf Plugins.
+;cliconf_plugins={{ ANSIBLE_HOME ~ "/plugins/cliconf:/usr/share/ansible/plugins/cliconf" }}
+
+# (pathspec) Colon separated paths in which Ansible will search for Connection Plugins.
+;connection_plugins={{ ANSIBLE_HOME ~ "/plugins/connection:/usr/share/ansible/plugins/connection" }}
+
+# (boolean) Toggles debug output in Ansible. This is *very* verbose and can hinder multiprocessing.  Debug output can also include secret information despite no_log settings being enabled, which means debug mode should not be used in production.
+;debug=False
+
+# (string) This indicates the command to use to spawn a shell under for Ansible's execution needs on a target. Users may need to change this in rare instances when shell usage is constrained, but in most cases it may be left as is.
+;executable=/bin/sh
+
+# (string) This option allows you to globally configure a custom path for 'local_facts' for the implied :ref:`ansible_collections.ansible.builtin.setup_module` task when using fact gathering.
+# If not set, it will fallback to the default from the ``ansible.builtin.setup`` module: ``/etc/ansible/facts.d``.
+# This does **not** affect  user defined tasks that use the ``ansible.builtin.setup`` module.
+# The real action being created by the implicit task is currently    ``ansible.legacy.gather_facts`` module, which then calls the configured fact modules, by default this will be ``ansible.builtin.setup`` for POSIX systems but other platforms might have different defaults.
+;fact_path=
+
+# (pathspec) Colon separated paths in which Ansible will search for Jinja2 Filter Plugins.
+;filter_plugins={{ ANSIBLE_HOME ~ "/plugins/filter:/usr/share/ansible/plugins/filter" }}
+
+# (boolean) This option controls if notified handlers run on a host even if a failure occurs on that host.
+# When false, the handlers will not run if a failure has occurred on a host.
+# This can also be set per play or on the command line. See Handlers and Failure for more details.
+;force_handlers=False
+
+# (integer) Maximum number of forks Ansible will use to execute tasks on target hosts.
+;forks=5
+
+# (string) This setting controls the default policy of fact gathering (facts discovered about remote systems).
+# This option can be useful for those wishing to save fact gathering time. Both 'smart' and 'explicit' will use the cache plugin.
+;gathering=implicit
+
+# (list) Set the `gather_subset` option for the :ref:`ansible_collections.ansible.builtin.setup_module` task in the implicit fact gathering. See the module documentation for specifics.
+# It does **not** apply to user defined ``ansible.builtin.setup`` tasks.
+;gather_subset=
+
+# (integer) Set the timeout in seconds for the implicit fact gathering, see the module documentation for specifics.
+# It does **not** apply to user defined :ref:`ansible_collections.ansible.builtin.setup_module` tasks.
+;gather_timeout=
+
+# (string) This setting controls how duplicate definitions of dictionary variables (aka hash, map, associative array) are handled in Ansible.
+# This does not affect variables whose values are scalars (integers, strings) or arrays.
+# **WARNING**, changing this setting is not recommended as this is fragile and makes your content (plays, roles, collections) non portable, leading to continual confusion and misuse. Don't change this setting unless you think you have an absolute need for it.
+# We recommend avoiding reusing variable names and relying on the ``combine`` filter and ``vars`` and ``varnames`` lookups to create merged versions of the individual variables. In our experience this is rarely really needed and a sign that too much complexity has been introduced into the data structures and plays.
+# For some uses you can also look into custom vars_plugins to merge on input, even substituting the default ``host_group_vars`` that is in charge of parsing the ``host_vars/`` and ``group_vars/`` directories. Most users of this setting are only interested in inventory scope, but the setting itself affects all sources and makes debugging even harder.
+# All playbooks and roles in the official examples repos assume the default for this setting.
+# Changing the setting to ``merge`` applies across variable sources, but many sources will internally still overwrite the variables. For example ``include_vars`` will dedupe variables internally before updating Ansible, with 'last defined' overwriting previous definitions in same file.
+# The Ansible project recommends you **avoid ``merge`` for new projects.**
+# It is the intention of the Ansible developers to eventually deprecate and remove this setting, but it is being kept as some users do heavily rely on it. New projects should **avoid 'merge'**.
+;hash_behaviour=replace
+
+# (pathlist) Comma separated list of Ansible inventory sources
+;inventory=/etc/ansible/hosts
+
+# (pathspec) Colon separated paths in which Ansible will search for HttpApi Plugins.
+;httpapi_plugins={{ ANSIBLE_HOME ~ "/plugins/httpapi:/usr/share/ansible/plugins/httpapi" }}
+
+# (float) This sets the interval (in seconds) of Ansible internal processes polling each other. Lower values improve performance with large playbooks at the expense of extra CPU load. Higher values are more suitable for Ansible usage in automation scenarios, when UI responsiveness is not required but CPU usage might be a concern.
+# The default corresponds to the value hardcoded in Ansible <= 2.1
+;internal_poll_interval=0.001
+
+# (pathspec) Colon separated paths in which Ansible will search for Inventory Plugins.
+;inventory_plugins={{ ANSIBLE_HOME ~ "/plugins/inventory:/usr/share/ansible/plugins/inventory" }}
+
+# (string) This is a developer-specific feature that allows enabling additional Jinja2 extensions.
+# See the Jinja2 documentation for details. If you do not know what these do, you probably don't need to change this setting :)
+;jinja2_extensions=[]
+
+# (boolean) This option preserves variable types during template operations.
+;jinja2_native=False
+
+# (boolean) Enables/disables the cleaning up of the temporary files Ansible used to execute the tasks on the remote.
+# If this option is enabled it will disable ``ANSIBLE_PIPELINING``.
+;keep_remote_files=False
+
+# (boolean) Controls whether callback plugins are loaded when running /usr/bin/ansible. This may be used to log activity from the command line, send notifications, and so on. Callback plugins are always loaded for ``ansible-playbook``.
+;bin_ansible_callbacks=False
+
+# (tmppath) Temporary directory for Ansible to use on the controller.
+;local_tmp={{ ANSIBLE_HOME ~ "/tmp" }}
+
+# (list) List of logger names to filter out of the log file
+;log_filter=
+
+# (path) File to which Ansible will log on the controller. When empty logging is disabled.
+;log_path=
+
+# (pathspec) Colon separated paths in which Ansible will search for Lookup Plugins.
+;lookup_plugins={{ ANSIBLE_HOME ~ "/plugins/lookup:/usr/share/ansible/plugins/lookup" }}
+
+# (string) Sets the macro for the 'ansible_managed' variable available for :ref:`ansible_collections.ansible.builtin.template_module` and :ref:`ansible_collections.ansible.windows.win_template_module`.  This is only relevant for those two modules.
+;ansible_managed=Ansible managed
+
+# (string) This sets the default arguments to pass to the ``ansible`` adhoc binary if no ``-a`` is specified.
+;module_args=
+
+# (string) Compression scheme to use when transferring Python modules to the target.
+;module_compression=ZIP_DEFLATED
+
+# (string) Module to use with the ``ansible`` AdHoc command, if none is specified via ``-m``.
+;module_name=command
+
+# (pathspec) Colon separated paths in which Ansible will search for Modules.
+;library={{ ANSIBLE_HOME ~ "/plugins/modules:/usr/share/ansible/plugins/modules" }}
+
+# (pathspec) Colon separated paths in which Ansible will search for Module utils files, which are shared by modules.
+;module_utils={{ ANSIBLE_HOME ~ "/plugins/module_utils:/usr/share/ansible/plugins/module_utils" }}
+
+# (pathspec) Colon separated paths in which Ansible will search for Netconf Plugins.
+;netconf_plugins={{ ANSIBLE_HOME ~ "/plugins/netconf:/usr/share/ansible/plugins/netconf" }}
+
+# (boolean) Toggle Ansible's display and logging of task details, mainly used to avoid security disclosures.
+;no_log=False
+
+# (boolean) Toggle Ansible logging to syslog on the target when it executes tasks. On Windows hosts this will disable a newer style PowerShell modules from writing to the event log.
+;no_target_syslog=False
+
+# (raw) What templating should return as a 'null' value. When not set it will let Jinja2 decide.
+;null_representation=
+
+# (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how often to check back on the status of those tasks when an explicit poll interval is not supplied. The default is a reasonably moderate 15 seconds which is a tradeoff between checking in frequently and providing a quick turnaround when something may have completed.
+;poll_interval=15
+
+# (path) Option for connections using a certificate or key file to authenticate, rather than an agent or passwords, you can set the default value here to avoid re-specifying --private-key with every invocation.
+;private_key_file=
+
+# (boolean) By default, imported roles publish their variables to the play and other roles, this setting can avoid that.
+# This was introduced as a way to reset role variables to default values if a role is used more than once in a playbook.
+# Included roles only make their variables public at execution, unlike imported roles which happen at playbook compile time.
+;private_role_vars=False
+
+# (integer) Port to use in remote connections, when blank it will use the connection plugin default.
+;remote_port=
+
+# (string) Sets the login user for the target machines
+# When blank it uses the connection plugin's default, normally the user currently executing Ansible.
+;remote_user=
+
+# (pathspec) Colon separated paths in which Ansible will search for Roles.
+;roles_path={{ ANSIBLE_HOME ~ "/roles:/usr/share/ansible/roles:/etc/ansible/roles" }}
+
+# (string) Set the main callback used to display Ansible output. You can only have one at a time.
+# You can have many other callbacks, but just one can be in charge of stdout.
+# See :ref:`callback_plugins` for a list of available options.
+;stdout_callback=default
+
+# (string) Set the default strategy used for plays.
+;strategy=linear
+
+# (pathspec) Colon separated paths in which Ansible will search for Strategy Plugins.
+;strategy_plugins={{ ANSIBLE_HOME ~ "/plugins/strategy:/usr/share/ansible/plugins/strategy" }}
+
+# (boolean) Toggle the use of "su" for tasks.
+;su=False
+
+# (string) Syslog facility to use when Ansible logs to the remote target
+;syslog_facility=LOG_USER
+
+# (pathspec) Colon separated paths in which Ansible will search for Terminal Plugins.
+;terminal_plugins={{ ANSIBLE_HOME ~ "/plugins/terminal:/usr/share/ansible/plugins/terminal" }}
+
+# (pathspec) Colon separated paths in which Ansible will search for Jinja2 Test Plugins.
+;test_plugins={{ ANSIBLE_HOME ~ "/plugins/test:/usr/share/ansible/plugins/test" }}
+
+# (integer) This is the default timeout for connection plugins to use.
+;timeout=10
+
+# (string) Can be any connection plugin available to your ansible installation.
+# There is also a (DEPRECATED) special 'smart' option, that will toggle between 'ssh' and 'paramiko' depending on controller OS and ssh versions.
+;transport=ssh
+
+# (boolean) When True, this causes ansible templating to fail steps that reference variable names that are likely typoed.
+# Otherwise, any '{{ template_expression }}' that contains undefined variables will be rendered in a template or ansible action line exactly as written.
+;error_on_undefined_vars=True
+
+# (pathspec) Colon separated paths in which Ansible will search for Vars Plugins.
+;vars_plugins={{ ANSIBLE_HOME ~ "/plugins/vars:/usr/share/ansible/plugins/vars" }}
+
+# (string) The vault_id to use for encrypting by default. If multiple vault_ids are provided, this specifies which to use for encryption. The --encrypt-vault-id cli option overrides the configured value.
+;vault_encrypt_identity=
+
+# (string) The label to use for the default vault id label in cases where a vault id label is not provided
+;vault_identity=default
+
+# (list) A list of vault-ids to use by default. Equivalent to multiple --vault-id args. Vault-ids are tried in order.
+;vault_identity_list=
+
+# (string) If true, decrypting vaults with a vault id will only try the password from the matching vault-id
+;vault_id_match=False
+
+# (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
+# If executable, it will be run and the resulting stdout will be used as the password.
+;vault_password_file=
+
+# (integer) Sets the default verbosity, equivalent to the number of ``-v`` passed in the command line.
+;verbosity=0
+
+# (boolean) Toggle to control the showing of deprecation warnings
+;deprecation_warnings=True
+
+# (boolean) Toggle to control showing warnings related to running devel
+;devel_warning=True
+
+# (boolean) Normally ``ansible-playbook`` will print a header for each task that is run. These headers will contain the name: field from the task if you specified one. If you didn't then ``ansible-playbook`` uses the task's action to help you tell which task is presently running. Sometimes you run many of the same action and so you want more information about the task to differentiate it from others of the same action. If you set this variable to True in the config then ``ansible-playbook`` will also include the task's arguments in the header.
+# This setting defaults to False because there is a chance that you have sensitive values in your parameters and you do not want those to be printed.
+# If you set this to True you should be sure that you have secured your environment's stdout (no one can shoulder surf your screen and you aren't saving stdout to an insecure file) or made sure that all of your playbooks explicitly added the ``no_log: True`` parameter to tasks which have sensitive values See How do I keep secret data in my playbook? for more information.
+;display_args_to_stdout=False
+
+# (boolean) Toggle to control displaying skipped task/host entries in a task in the default callback
+;display_skipped_hosts=True
+
+# (string) Root docsite URL used to generate docs URLs in warning/error text; must be an absolute URL with valid scheme and trailing slash.
+;docsite_root_url=https://docs.ansible.com/ansible-core/
+
+# (pathspec) Colon separated paths in which Ansible will search for Documentation Fragments Plugins.
+;doc_fragment_plugins={{ ANSIBLE_HOME ~ "/plugins/doc_fragments:/usr/share/ansible/plugins/doc_fragments" }}
+
+# (string) By default Ansible will issue a warning when a duplicate dict key is encountered in YAML.
+# These warnings can be silenced by adjusting this setting to False.
+;duplicate_dict_key=warn
+
+# (boolean) Whether or not to enable the task debugger, this previously was done as a strategy plugin.
+# Now all strategy plugins can inherit this behavior. The debugger defaults to activating when
+# a task is failed on unreachable. Use the debugger keyword for more flexibility.
+;enable_task_debugger=False
+
+# (boolean) Toggle to allow missing handlers to become a warning instead of an error when notifying.
+;error_on_missing_handler=True
+
+# (list) Which modules to run during a play's fact gathering stage, using the default of 'smart' will try to figure it out based on connection type.
+# If adding your own modules but you still want to use the default Ansible facts, you will want to include 'setup' or corresponding network module to the list (if you add 'smart', Ansible will also figure it out).
+# This does not affect explicit calls to the 'setup' module, but does always affect the 'gather_facts' action (implicit or explicit).
+;facts_modules=smart
+
+# (boolean) Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host
+;host_key_checking=True
+
+# (boolean) Facts are available inside the `ansible_facts` variable, this setting also pushes them as their own vars in the main namespace.
+# Unlike inside the `ansible_facts` dictionary, these will have an `ansible_` prefix.
+;inject_facts_as_vars=True
+
+# (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backwards-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present.
+;interpreter_python=auto
+
+# (boolean) If 'false', invalid attributes for a task will result in warnings instead of errors
+;invalid_task_attribute_failed=True
+
+# (boolean) Toggle to control showing warnings related to running a Jinja version older than required for jinja2_native
+;jinja2_native_warning=True
+
+# (boolean) By default Ansible will issue a warning when there are no hosts in the inventory.
+# These warnings can be silenced by adjusting this setting to False.
+;localhost_warning=True
+
+# (int) Maximum size of files to be considered for diff display
+;max_diff_size=104448
+
+# (list) List of extensions to ignore when looking for modules to load
+# This is for rejecting script and binary module fallback extensions
+;module_ignore_exts={{(REJECT_EXTS + ('.yaml', '.yml', '.ini'))}}
+
+# (bool) Enables whether module responses are evaluated for containing non UTF-8 data
+# Disabling this may result in unexpected behavior
+# Only ansible-core should evaluate this configuration
+;module_strict_utf8_response=True
+
+# (list) TODO: write it
+;network_group_modules=eos, nxos, ios, iosxr, junos, enos, ce, vyos, sros, dellos9, dellos10, dellos6, asa, aruba, aireos, bigip, ironware, onyx, netconf, exos, voss, slxos
+
+# (boolean) Previously Ansible would only clear some of the plugin loading caches when loading new roles, this led to some behaviours in which a plugin loaded in previous plays would be unexpectedly 'sticky'. This setting allows to return to that behaviour.
+;old_plugin_cache_clear=False
+
+# (path) A number of non-playbook CLIs have a ``--playbook-dir`` argument; this sets the default value for it.
+;playbook_dir=
+
+# (string) This sets which playbook dirs will be used as a root to process vars plugins, which includes finding host_vars/group_vars
+;playbook_vars_root=top
+
+# (path) A path to configuration for filtering which plugins installed on the system are allowed to be used.
+# See :ref:`plugin_filtering_config` for details of the filter file's format.
+#  The default is /etc/ansible/plugin_filters.yml
+;plugin_filters_cfg=
+
+# (string) Attempts to set RLIMIT_NOFILE soft limit to the specified value when executing Python modules (can speed up subprocess usage on Python 2.x. See https://bugs.python.org/issue11284). The value will be limited by the existing hard limit. Default value of 0 does not attempt to adjust existing system-defined limits.
+;python_module_rlimit_nofile=0
+
+# (bool) This controls whether a failed Ansible playbook should create a .retry file.
+;retry_files_enabled=False
+
+# (path) This sets the path in which Ansible will save .retry files when a playbook fails and retry files are enabled.
+# This file will be overwritten after each run with the list of failed hosts from all plays.
+;retry_files_save_path=
+
+# (str) This setting can be used to optimize vars_plugin usage depending on user's inventory size and play selection.
+;run_vars_plugins=demand
+
+# (bool) This adds the custom stats set via the set_stats plugin to the default output
+;show_custom_stats=False
+
+# (string) Action to take when a module parameter value is converted to a string (this does not affect variables). For string parameters, values such as '1.00', "['a', 'b',]", and 'yes', 'y', etc. will be converted by the YAML parser unless fully quoted.
+# Valid options are 'error', 'warn', and 'ignore'.
+# Since 2.8, this option defaults to 'warn' but will change to 'error' in 2.12.
+;string_conversion_action=warn
+
+# (boolean) Allows disabling of warnings related to potential issues on the system running ansible itself (not on the managed hosts)
+# These may include warnings about 3rd party packages or other conditions that should be resolved if possible.
+;system_warnings=True
+
+# (boolean) This option defines whether the task debugger will be invoked on a failed task when ignore_errors=True is specified.
+# True specifies that the debugger will honor ignore_errors, False will not honor ignore_errors.
+;task_debugger_ignore_errors=True
+
+# (integer) Set the maximum time (in seconds) that a task can run for.
+# If set to 0 (the default) there is no timeout.
+;task_timeout=0
+
+# (string) Make ansible transform invalid characters in group names supplied by inventory sources.
+;force_valid_group_names=never
+
+# (boolean) Toggles the use of persistence for connections.
+;use_persistent_connections=False
+
+# (bool) A toggle to disable validating a collection's 'metadata' entry for a module_defaults action group. Metadata containing unexpected fields or value types will produce a warning when this is True.
+;validate_action_group_metadata=True
+
+# (list) Accept list for variable plugins that require it.
+;vars_plugins_enabled=host_group_vars
+
+# (list) Allows to change the group variable precedence merge order.
+;precedence=all_inventory, groups_inventory, all_plugins_inventory, all_plugins_play, groups_plugins_inventory, groups_plugins_play
+
+# (string) The salt to use for the vault encryption. If it is not provided, a random salt will be used.
+;vault_encrypt_salt=
+
+# (bool) Force 'verbose' option to use stderr instead of stdout
+;verbose_to_stderr=False
+
+# (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how long, in seconds, to wait for the task spawned by Ansible to connect back to the named pipe used on Windows systems. The default is 5 seconds. This can be too low on slower systems, or systems under heavy load.
+# This is not the total time an async command can run for, but is a separate timeout to wait for an async command to start. The task will only start to be timed against its async_timeout once it has connected to the pipe, so the overall maximum duration the task can take will be extended by the amount specified here.
+;win_async_startup_timeout=5
+
+# (list) Check all of these extensions when looking for 'variable' files which should be YAML or JSON or vaulted versions of these.
+# This affects vars_files, include_vars, inventory and vars plugins among others.
+;yaml_valid_extensions=.yml, .yaml, .json
+
+
+[privilege_escalation]
+# (boolean) Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method
+;agnostic_become_prompt=True
+
+# (boolean) This setting controls if become is skipped when remote user and become user are the same. I.E root sudo to root.
+# If executable, it will be run and the resulting stdout will be used as the password.
+;become_allow_same_user=False
+
+# (boolean) Toggles the use of privilege escalation, allowing you to 'become' another user after login.
+;become=False
+
+# (boolean) Toggle to prompt for privilege escalation password.
+;become_ask_pass=False
+
+# (string) executable to use for privilege escalation, otherwise Ansible will depend on PATH
+;become_exe=
+
+# (string) Flags to pass to the privilege escalation executable.
+;become_flags=
+
+# (string) Privilege escalation method to use when `become` is enabled.
+;become_method=sudo
+
+# (string) The user your login/remote user 'becomes' when using privilege escalation, most systems will use 'root' when no user is specified.
+;become_user=root
+
+
+[persistent_connection]
+# (path) Specify where to look for the ansible-connection script. This location will be checked before searching $PATH.
+# If null, ansible will start with the same directory as the ansible script.
+;ansible_connection_path=
+
+# (int) This controls the amount of time to wait for response from remote device before timing out persistent connection.
+;command_timeout=30
+
+# (integer) This controls the retry timeout for persistent connection to connect to the local domain socket.
+;connect_retry_timeout=15
+
+# (integer) This controls how long the persistent connection will remain idle before it is destroyed.
+;connect_timeout=30
+
+# (path) Path to socket to be used by the connection persistence system.
+;control_path_dir={{ ANSIBLE_HOME ~ "/pc" }}
+
+
+[connection]
+# (boolean) This is a global option, each connection plugin can override either by having more specific options or not supporting pipelining at all.
+# Pipelining, if supported by the connection plugin, reduces the number of network operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfer.
+# It can result in a very significant performance improvement when enabled.
+# However this conflicts with privilege escalation (become). For example, when using 'sudo:' operations you must first disable 'requiretty' in /etc/sudoers on all managed hosts, which is why it is disabled by default.
+# This setting will be disabled if ``ANSIBLE_KEEP_REMOTE_FILES`` is enabled.
+;pipelining=False
+
+
+[colors]
+# (string) Defines the color to use on 'Changed' task status
+;changed=yellow
+
+# (string) Defines the default color to use for ansible-console
+;console_prompt=white
+
+# (string) Defines the color to use when emitting debug messages
+;debug=dark gray
+
+# (string) Defines the color to use when emitting deprecation messages
+;deprecate=purple
+
+# (string) Defines the color to use when showing added lines in diffs
+;diff_add=green
+
+# (string) Defines the color to use when showing diffs
+;diff_lines=cyan
+
+# (string) Defines the color to use when showing removed lines in diffs
+;diff_remove=red
+
+# (string) Defines the color to use when emitting error messages
+;error=red
+
+# (string) Defines the color to use for highlighting
+;highlight=white
+
+# (string) Defines the color to use when showing 'OK' task status
+;ok=green
+
+# (string) Defines the color to use when showing 'Skipped' task status
+;skip=cyan
+
+# (string) Defines the color to use on 'Unreachable' status
+;unreachable=bright red
+
+# (string) Defines the color to use when emitting verbose messages. i.e those that show with '-v's.
+;verbose=blue
+
+# (string) Defines the color to use when emitting warning messages
+;warn=bright purple
+
+
+[selinux]
+# (boolean) This setting causes libvirt to connect to lxc containers by passing --noseclabel to virsh. This is necessary when running on systems which do not have SELinux.
+;libvirt_lxc_noseclabel=False
+
+# (list) Some filesystems do not support safe operations and/or return inconsistent errors, this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors.
+# Data corruption may occur and writes are not always verified when a filesystem is in the list.
+;special_context_filesystems=fuse, nfs, vboxsf, ramfs, 9p, vfat
+
+
+[diff]
+# (bool) Configuration toggle to tell modules to show differences when in 'changed' status, equivalent to ``--diff``.
+;always=False
+
+# (integer) How many lines of context to show when displaying the differences between files.
+;context=3
+
+
+[galaxy]
+# (path) The directory that stores cached responses from a Galaxy server.
+# This is only used by the ``ansible-galaxy collection install`` and ``download`` commands.
+# Cache files inside this dir will be ignored if they are world writable.
+;cache_dir={{ ANSIBLE_HOME ~ "/galaxy_cache" }}
+
+# (bool) whether ``ansible-galaxy collection install`` should warn about ``--collections-path`` missing from configured :ref:`collections_paths`
+;collections_path_warning=True
+
+# (path) Collection skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy collection``, same as ``--collection-skeleton``.
+;collection_skeleton=
+
+# (list) patterns of files to ignore inside a Galaxy collection skeleton directory
+;collection_skeleton_ignore=^.git$, ^.*/.git_keep$
+
+# (bool) Disable GPG signature verification during collection installation.
+;disable_gpg_verify=False
+
+# (bool) Some steps in ``ansible-galaxy`` display a progress wheel which can cause issues on certain displays or when outputting the stdout to a file.
+# This config option controls whether the display wheel is shown or not.
+# The default is to show the display wheel if stdout has a tty.
+;display_progress=
+
+# (path) Configure the keyring used for GPG signature verification during collection installation and verification.
+;gpg_keyring=
+
+# (boolean) If set to yes, ansible-galaxy will not validate TLS certificates. This can be useful for testing against a server with a self-signed certificate.
+;ignore_certs=
+
+# (list) A list of GPG status codes to ignore during GPG signature verification. See L(https://github.com/gpg/gnupg/blob/master/doc/DETAILS#general-status-codes) for status code descriptions.
+# If fewer signatures successfully verify the collection than `GALAXY_REQUIRED_VALID_SIGNATURE_COUNT`, signature verification will fail even if all error codes are ignored.
+;ignore_signature_status_codes=
+
+# (str) The number of signatures that must be successful during GPG signature verification while installing or verifying collections.
+# This should be a positive integer or all to indicate all signatures must successfully validate the collection.
+# Prepend + to the value to fail if no valid signatures are found for the collection.
+;required_valid_signature_count=1
+
+# (path) Role skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy``/``ansible-galaxy role``, same as ``--role-skeleton``.
+;role_skeleton=
+
+# (list) patterns of files to ignore inside a Galaxy role or collection skeleton directory
+;role_skeleton_ignore=^.git$, ^.*/.git_keep$
+
+# (string) URL to prepend when roles don't specify the full URI, assume they are referencing this server as the source.
+;server=https://galaxy.ansible.com
+
+# (list) A list of Galaxy servers to use when installing a collection.
+# The value corresponds to the config ini header ``[galaxy_server.{{item}}]`` which defines the server details.
+# See :ref:`galaxy_server_config` for more details on how to define a Galaxy server.
+# The order of servers in this list is used to as the order in which a collection is resolved.
+# Setting this config option will ignore the :ref:`galaxy_server` config option.
+;server_list=
+
+# (int) The default timeout for Galaxy API calls. Galaxy servers that don't configure a specific timeout will fall back to this value.
+;server_timeout=60
+
+# (path) Local path to galaxy access token file
+;token_path={{ ANSIBLE_HOME ~ "/galaxy_token" }}
+
+
+[inventory]
+# (string) This setting changes the behaviour of mismatched host patterns, it allows you to force a fatal error, a warning or just ignore it
+;host_pattern_mismatch=warning
+
+# (boolean) If 'true', it is a fatal error when any given inventory source cannot be successfully parsed by any available inventory plugin; otherwise, this situation only attracts a warning.
+
+;any_unparsed_is_failed=False
+
+# (bool) Toggle to turn on inventory caching.
+# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
+# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory configuration.
+# This message will be removed in 2.16.
+;cache=False
+
+# (string) The plugin for caching inventory.
+# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
+# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
+# This message will be removed in 2.16.
+;cache_plugin=
+
+# (string) The inventory cache connection.
+# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
+# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
+# This message will be removed in 2.16.
+;cache_connection=
+
+# (string) The table prefix for the cache plugin.
+# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
+# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
+# This message will be removed in 2.16.
+;cache_prefix=ansible_inventory_
+
+# (string) Expiration timeout for the inventory cache plugin data.
+# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
+# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
+# This message will be removed in 2.16.
+;cache_timeout=3600
+
+# (list) List of enabled inventory plugins, it also determines the order in which they are used.
+;enable_plugins=host_list, script, auto, yaml, ini, toml
+
+# (bool) Controls if ansible-inventory will accurately reflect Ansible's view into inventory or its optimized for exporting.
+;export=False
+
+# (list) List of extensions to ignore when using a directory as an inventory source
+;ignore_extensions={{(REJECT_EXTS + ('.orig', '.ini', '.cfg', '.retry'))}}
+
+# (list) List of patterns to ignore when using a directory as an inventory source
+;ignore_patterns=
+
+# (bool) If 'true' it is a fatal error if every single potential inventory source fails to parse, otherwise this situation will only attract a warning.
+
+;unparsed_is_failed=False
+
+# (boolean) By default Ansible will issue a warning when no inventory was loaded and notes that it will use an implicit localhost-only inventory.
+# These warnings can be silenced by adjusting this setting to False.
+;inventory_unparsed_warning=True
+
+
+[netconf_connection]
+# (string) This variable is used to enable bastion/jump host with netconf connection. If set to True the bastion/jump host ssh settings should be present in ~/.ssh/config file, alternatively it can be set to custom ssh configuration file path to read the bastion/jump host settings.
+;ssh_config=
+
+
+[paramiko_connection]
+# (boolean) TODO: write it
+;host_key_auto_add=False
+
+# (boolean) TODO: write it
+;look_for_keys=True
+
+
+[jinja2]
+# (list) This list of filters avoids 'type conversion' when templating variables
+# Useful when you want to avoid conversion into lists or dictionaries for JSON strings, for example.
+;dont_type_filters=string, to_json, to_nice_json, to_yaml, to_nice_yaml, ppretty, json
+
+
+[tags]
+# (list) default list of tags to run in your plays, Skip Tags has precedence.
+;run=
+
+# (list) default list of tags to skip in your plays, has precedence over Run Tags
+;skip=
+

group_vars/all/secrets.yml

@@ -0,0 +1,56 @@
+$ANSIBLE_VAULT;1.1;AES256
+34623331393561623539666362643966336661326136363431666465356535343663376236663066
+3235363061633666626133313363373336656438633566630a383230393161323862303863656464
+61633861323966343263363466343130306635343539326464363637383139343033656130336464
+3163373535613961340a643335626165306663363063656339653862393533633534366331336231
+63393432383731633463323164333831313535373261336166326237306230326465616239306536
+37663863663161393130373835373062393866633864373465333937633838303130386334356566
+64303663303862623038646235303934376230393538353466393232363764366339616633343433
+65343730663864393766313134653335396562646135306637613031333461613965666465376532
+32643261626665396338313836633337383932616265613662383132303539623239623965333966
+66333638643635313262616434396164313833303065303662303736303232346535613834643435
+32316434343231363662393163353832393166643739396165313631363539663439316133616361
+61623830613035396333303363383332653736666231343763353666356539633433373066613330
+65656631343764323234333161636632616130353139626362343361386535313336666566636464
+35323434656439346262336335383366626565333765343562633236636132636532333761663535
+31383565313436633438633336306430343733663539666631386532313836623166356332626664
+39653762353265643861633237326662383466373539633732323833376238383963393837636466
+66656631666131623166393731643537393161303636353932653062363137376334356238643064
+34303666656638396263336639636135393536623037666137653132633264316431656438386432
+34333632616265343435306365373039653036353337633563393739653632656163316636363336
+32346638393364353634386231616639386164326531353134366639653837653236333030666139
+64656334336231636337656233383834343763393738643362626665333362353335656131653165
+35376330336433383262653039643131313437643265343663626363373439643932643063646439
+37663630363839643263373630646430386536346132383564396463376361343661346661333636
+39643961643031626462363537633263393838363262626439313838313039373035373634633462
+38363938343932626131343966616638323632303636383034383536616164393539343635666166
+39383434313863356434383961383139623436636230323866396366326665623863336438623335
+33346634303639643131333933363838666336306438646335343931366437326462376438663837
+34353938343837663930356464373332356530643231653166616331376335643832316365303164
+32393062313638393936393863613731363233376537323834623164613231393133353635623866
+35626337336562653265613730363961633662653331663966333430343462666535306133663835
+64663539303765366331613666653632313233626231313264346332323266653230323332373836
+33303564633464333064613431383230383535633362373839323334353162623433646230393838
+33306162613739393338373361616634396636313765326465393332396537613263383339626666
+63613162616363363138323965373966353366323463313934356530663931653565656164346363
+37633862366436623030303233396639393434336438623433383530393836626164353064366432
+35303532393437316162346366346636633135383938323631316563323935383561326335323438
+30613266643232656138663431666162663330643133643263343237663565323231316239633037
+39323732386236396136633539383335646634306139643533666636633131623566333137376236
+39616134306463613864353135313636343365643437323465643862303137663937376233306261
+31383862356535646563383438396363323838613237623034656561396163376433663262366137
+63323562346633303162666530616534386539383238366139376263326265343138373139393432
+35643335363139373139666230626363386232316536306431653964376333366235303763336135
+65623231336638643034373932376263636336653561646664366138643031316438316465353363
+38386539363631393433313664323135646562313537376236653635303263633230383866653039
+66636534336234363438363139366531653237323137613961383831376665626365393462363834
+36333965366463636233643433616431376436323535396238363933326363333661326462353161
+66626435373938633832393662313161663336613862343332643766333633653866316464653735
+31356135363662633961386264613836323435323836386635336338353663333137336666323531
+36663731336664633763633634613136663866363530613264356431326539316530326161313362
+62616539356537353261343464356334636134396664353463623163313765633432653932346136
+32326239373333643461333733646264353238356134613037663836643131316664653539643839
+30613235623933356565336630323939633266613164306262386666363137666661666131613962
+61623930663536646462343264336535353634373833316537613839396566376466653736333830
+33376663613063326230346439626237373232656665633832373364653931663361666432303166
+663564323132383864336332363139393534

group_vars/all/vars.yml

@@ -2,11 +2,12 @@
 # Essential
 #
 
+root: root
 user: tudattr
 timezone: Europe/Berlin
 puid: "1000"
 pgid: "1000"
-pk_path: "/mnt/veracrypt1/genesis"
+pk_path: "/media/veracrypt1/genesis"
 pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqc9fnzfCz8fQDFzla+D8PBhvaMmFu2aF+TYkkZRxl9 tuan@genesis-2022-01-20"
 
 public_domain: tudattr.dev
@@ -27,3 +28,9 @@ common_packages:
   - sudo
   - systemd-timesyncd
   - tree
+  - screen
+  - bat
+  - fd-find
+  - ripgrep
+
+arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"

group_vars/docker/vars.yml

@@ -0,0 +1,532 @@
+docker:
+  url: "https://download.docker.com/linux"
+  apt_release_channel: "stable"
+  directories:
+    config: "/opt/docker/config/"
+    compose: "/opt/docker/compose/"
+    media: "/media/docker/data/"
+
+caddy:
+  admin_email: me+acme@tudattr.dev
+
+domain: "seyshiro.de"
+
+elk_version: 8.17.0
+
+services:
+  - name: syncthing
+    vm:
+      - docker-host00
+    container_name: syncthing
+    image: syncthing/syncthing
+    restart: unless-stopped
+    volumes:
+      - name: "Data"
+        internal: /var/syncthing/
+        external: /media/docker/data/syncthing/
+    ports:
+      - name: "http"
+        internal: 8384
+        external: 8384
+      - name: ""
+        internal: 22000
+        external: 22000
+      - name: ""
+        internal: 22000
+        external: 22000
+      - name: ""
+        internal: 21027
+        external: 21027
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+  - name: status
+    vm:
+      - docker-host00
+    container_name: kuma
+    image: louislam/uptime-kuma:1
+    restart: unless-stopped
+    volumes:
+      - name: "Data"
+        internal: /app/data
+        external: /opt/local/kuma/
+    ports:
+      - name: "http"
+        internal: 3001
+        external: 3001
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+  - name: plex
+    vm:
+      - docker-host00
+    container_name: plex
+    image: lscr.io/linuxserver/plex:latest
+    restart: unless-stopped
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: /opt/local/plex/config/
+      - name: "TV Series"
+        internal: /tv:ro
+        external: /media/series
+      - name: "Movies"
+        internal: /movies:ro
+        external: /media/movies
+      - name: "Music"
+        internal: /music:ro
+        external: /media/songs
+    devices:
+      - name: "Graphics Card"
+        internal: /dev/dri
+        external: /dev/dri
+    ports:
+      - name: "http"
+        internal: 32400
+        external: 32400
+      - name: ""
+        internal: 1900
+        external: 1900
+      - name: ""
+        internal: 3005
+        external: 3005
+      - name: ""
+        internal: 5353
+        external: 5353
+      - name: ""
+        internal: 32410
+        external: 32410
+      - name: ""
+        internal: 8324
+        external: 8324
+      - name: ""
+        internal: 32412
+        external: 32412
+      - name: ""
+        internal: 32469
+        external: 32469
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+      - VERSION=docker
+  - name: jellyfin
+    vm:
+      - docker-host02
+    container_name: jellyfin
+    image: jellyfin/jellyfin
+    restart: "unless-stopped"
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: /opt/local/jellyfin/config
+      - name: "Cache"
+        internal: /cache
+        external: "{{ docker.directories.config }}/jellyfin/cache"
+      - name: "Tv Series"
+        internal: /tv:ro
+        external: /media/series
+      - name: "Music"
+        internal: /movies:ro
+        external: /media/movies
+      - name: "Music"
+        internal: /music:ro
+        external: /media/songs
+    devices:
+      - name: "Graphics Card"
+        internal: /dev/dri
+        external: /dev/dri
+    ports:
+      - name: "http"
+        internal: 8096
+        external: 8096
+    environment:
+  - name: hass
+    vm:
+      - docker-host02
+    container_name: homeassistant
+    image: "ghcr.io/home-assistant/home-assistant:stable"
+    restart: unless-stopped
+    privileged: true
+    volumes:
+      - name: "Configuration"
+        internal: /config/
+        external: /opt/local/home-assistant/config/
+      - name: "Local Time"
+        internal: /etc/localtime:ro
+        external: /etc/localtime
+    ports:
+      - name: "http"
+        internal: 8123
+        external: 8123
+      - name: ""
+        internal: 4357
+        external: 4357
+      - name: ""
+        internal: 5683
+        external: 5683
+      - name: ""
+        internal: 5683
+        external: 5683
+  - name: ddns
+    vm:
+      - docker-host00
+    container_name: ddns-updater
+    image: ghcr.io/qdm12/ddns-updater
+    restart: unless-stopped
+    volumes:
+      - name: "Configuration"
+        internal: /updater/data/"
+        external: "{{ docker.directories.config }}/ddns-updater/data/"
+    ports:
+      - name: "http"
+        internal: 8000
+        external: 8001
+  - name: sonarr
+    vm:
+      - docker-host00
+    container_name: sonarr
+    image: lscr.io/linuxserver/sonarr:latest
+    restart: unless-stopped
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: /opt/local/sonarr/config
+      - name: "Tv Series"
+        internal: /tv
+        external: /media/series
+      - name: "Torrent Downloads"
+        internal: /downloads
+        external: /media/docker/data/arr_downloads/sonarr
+    ports:
+      - name: "http"
+        internal: 8989
+        external: 8989
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+  - name: radarr
+    vm:
+      - docker-host00
+    container_name: radarr
+    image: lscr.io/linuxserver/radarr:latest
+    restart: unless-stopped
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: /opt/local/radarr/config
+      - name: "Movies"
+        internal: /movies
+        external: /media/movies
+      - name: "Torrent Downloads"
+        internal: /downloads
+        external: /media/docker/data/arr_downloads/radarr
+    ports:
+      - name: "http"
+        internal: 7878
+        external: 7878
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+  - name: lidarr
+    vm:
+      - docker-host00
+    container_name: lidarr
+    image: lscr.io/linuxserver/lidarr:latest
+    restart: unless-stopped
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: /opt/local/lidarr/config
+      - name: "Music"
+        internal: /music
+        external: /media/songs
+      - name: "Torrent Downloads"
+        internal: /downloads
+        external: /media/docker/data/arr_downloads/lidarr
+    ports:
+      - name: "http"
+        internal: 8686
+        external: 8686
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+  - name: prowlarr
+    vm:
+      - docker-host00
+    container_name: prowlarr
+    image: lscr.io/linuxserver/prowlarr:latest
+    restart: unless-stopped
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: /opt/local/prowlarr/config
+    ports:
+      - name: "http"
+        internal: 9696
+        external: 9696
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+  - name: paperless
+    vm:
+      - docker-host00
+    container_name: paperless
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    restart: unless-stopped
+    depends_on:
+      - paperless-postgres
+      - paperless-broker
+    volumes:
+      - name: "Configuration"
+        internal: /usr/src/paperless/data
+        external: /opt/local/paperless/data/data
+      - name: "Media"
+        internal: /usr/src/paperless/media
+        external: /opt/local/paperless/data/media
+      - name: "Document Export"
+        internal: /usr/src/paperless/export
+        external: /opt/local/paperless/data/export
+      - name: "Document Consume"
+        internal: /usr/src/paperless/consume
+        external: /opt/local/paperless/data/consume
+    environment:
+      - "PAPERLESS_REDIS=redis://paperless-broker:6379"
+      - "PAPERLESS_DBHOST=paperless-postgres"
+      - "PAPERLESS_DBUSER=paperless"
+      - "PAPERLESS_DBPASS={{ vault.docker.paperless.dbpass }}"
+      - "USERMAP_UID=1000"
+      - "USERMAP_GID=1000"
+      - "PAPERLESS_URL=https://paperless.{{ domain }}"
+      - "PAPERLESS_TIME_ZONE=Europe/Berlin"
+      - "PAPERLESS_OCR_LANGUAGE=deu"
+    ports:
+      - name: "http"
+        internal: 8000
+        external: 8000
+  - name: pdf
+    vm:
+      - docker-host00
+    container_name: stirling
+    image: frooodle/s-pdf:latest
+    restart: unless-stopped
+    ports:
+      - name: "http"
+        internal: 8080
+        external: 8080
+  - name: git
+    vm:
+      - docker-host02
+    container_name: gitea
+    image: gitea/gitea:1.23.1-rootless
+    restart: unless-stopped
+    volumes:
+      - name: "Configuration"
+        internal: /etc/gitea
+        external: /opt/local/gitea/config
+      - name: "Data"
+        internal: /var/lib/gitea
+        external: /opt/local/gitea/data
+      - name: "Time Zone"
+        internal: /etc/timezone:ro
+        external: /etc/timezone
+      - name: "Local Time"
+        internal: /etc/localtime:ro
+        external: /etc/localtime
+    ports:
+      - name: "http"
+        internal: 3000
+        external: 3000
+      - name: "ssh"
+        internal: 2222
+        external: 2222
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+  - name: changedetection
+    vm:
+      - docker-host00
+    container_name: changedetection
+    image: dgtlmoon/changedetection.io
+    restart: unless-stopped
+    volumes:
+      - name: "Data"
+        internal: /datastore
+        external: "{{ docker.directories.config }}/changedetection/data/"
+    ports:
+      - name: "http"
+        internal: 5000
+        external: 5000
+  - name: gluetun
+    vm:
+      - docker-host00
+    container_name: gluetun
+    image: qmcgaw/gluetun
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - name: "Tunnel"
+        internal: /dev/net/tun
+        external: /dev/net/tun
+    volumes:
+      - name: "Configuration"
+        internal: /gluetun
+        external: "{{ docker.directories.config }}/gluetun/config"
+    ports:
+      - name: "Qbit Client"
+        internal: 8082
+        external: 8082
+      - name: "Torrentleech Client"
+        internal: 8083
+        external: 8083
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+      - VPN_SERVICE_PROVIDER=protonvpn
+      - UPDATER_VPN_SERVICE_PROVIDERS=protonvpn
+      - UPDATER_PERIOD=24h
+      - "SERVER_COUNTRIES={{ vault.docker.proton.country }}"
+      - "OPENVPN_USER={{ vault.docker.proton.openvpn_user }}"
+      - "OPENVPN_PASSWORD={{ vault.docker.proton.openvpn_password }}"
+  - name: torrentleech
+    vm:
+      - docker-host00
+    container_name: torrentleech
+    image: qbittorrentofficial/qbittorrent-nox
+    restart: unless-stopped
+    depends_on:
+      - gluetun
+    network_mode: "container:gluetun"
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: "{{ docker.directories.config }}/torrentleech/config"
+      - name: "Downloads"
+        internal: /downloads
+        external: /media/docker/data/arr_downloads
+    ports:
+      - name: "http"
+        internal: proxy_only
+        external: 8083
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+      - QBT_EULA="accept"
+      - QBT_WEBUI_PORT="8083"
+  - name: qbit
+    vm:
+      - docker-host00
+    container_name: qbit
+    image: qbittorrentofficial/qbittorrent-nox
+    restart: unless-stopped
+    depends_on:
+      - gluetun
+    network_mode: "container:gluetun"
+    volumes:
+      - name: "Configuration"
+        internal: /config
+        external: "{{ docker.directories.config }}/qbit/config"
+      - name: "Downloads"
+        internal: /downloads
+        external: /media/docker/data/arr_downloads
+    ports:
+      - name: "http"
+        internal: proxy_only
+        external: 8082
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Berlin
+      - QBT_EULA="accept"
+      - QBT_WEBUI_PORT="8082"
+  - name: cadvisor
+    vm:
+      - docker-host00
+      - docker-host01
+      - docker-host02
+    container_name: cadvisor
+    image: gcr.io/cadvisor/cadvisor:latest
+    restart: unless-stopped
+    ports:
+      - name: ""
+        internal: 8080
+        external: 8081
+    volumes:
+      - name: "Root"
+        internal: /rootfs:ro
+        external: /
+      - name: "Run"
+        internal: /var/run:rw
+        external: /var/run
+      - name: "System"
+        internal: /sys:ro
+        external: /sys
+      - name: "Docker"
+        internal: /var/lib/docker:ro
+        external: /var/lib/docker
+  - name: elasticsearch
+    vm:
+      - docker-host01
+    container_name: elasticsearch
+    image: "docker.elastic.co/elasticsearch/elasticsearch:{{ elk_version }}"
+    restart: unless-stopped
+    ports:
+      - name: ""
+        internal: 9200
+        external: 9200
+      - name: ""
+        internal: 9300
+        external: 9300
+    volumes:
+      - name: "data"
+        internal: /usr/share/elasticsearch/data
+        external: "{{ docker.directories.config }}/elk/elasticsearch/data"
+      - name: "certs"
+        internal: /usr/share/elasticsearch/config/certs
+        external: "{{ docker.directories.config }}/elk/certs"
+    environment:
+      - node.name=elasticsearch
+      - cluster.name=docker-cluster
+      - discovery.type=single-node
+      - "ELASTIC_PASSWORD={{ vault.docker.elk.elastic.password }}"
+      - xpack.security.enabled=true
+      - xpack.security.authc.api_key.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=certs/elasticsearch.key
+      - xpack.security.http.ssl.certificate=certs/elasticsearch.crt
+      - xpack.security.http.ssl.certificate_authorities=certs/ca.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.key=certs/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=certs/elasticsearch.crt
+      - xpack.security.transport.ssl.certificate_authorities=certs/ca.crt
+  - name: kibana
+    vm:
+      - docker-host01
+    container_name: kibana
+    image: "docker.elastic.co/kibana/kibana:{{ elk_version }}"
+    restart: unless-stopped
+    ports:
+      - name: "http"
+        internal: 5601
+        external: 5601
+    volumes:
+      - name: "certs"
+        internal: /usr/share/kibana/config/certs
+        external: "{{ docker.directories.config }}/elk/certs/"
+    environment:
+      - ELASTICSEARCH_HOSTS=["https://elasticsearch:9200"]
+      - ELASTICSEARCH_USERNAME=kibana_system
+      - ELASTICSEARCH_PASSWORD={{ vault.docker.elk.elastic.password }}
+      - SERVER_SSL_ENABLED=true
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/certs/kibana.crt
+      - SERVER_SSL_KEY=/usr/share/kibana/config/certs/kibana.key

group_vars/k3s/vars.yml

@@ -3,7 +3,7 @@ db:
     user: "postgres"
   name: "k3s"
   user: "k3s"
-  password: "{{ vault.k3s.db.password }}"
+  password: "{{ vault.k3s.postgres.db.password }}"
   listen_address: "{{ k3s.db.ip }}"
 
 k3s:
@@ -12,6 +12,7 @@ k3s:
     ips:
       - 192.168.20.21
       - 192.168.20.24
+      - 192.168.20.30
   loadbalancer:
     ip: 192.168.20.22
     default_port: 6443
@@ -24,4 +25,4 @@ k3s:
       - 192.168.20.26
       - 192.168.20.27
 
-k3s_db_connection_string: "postgres://{{db.user}}:{{db.password}}@{{k3s.db.ip}}:{{k3s.db.default_port}}/{{db.name}}"
+k3s_db_connection_string: "postgres://{{ db.user }}:{{ db.password }}@{{ k3s.db.ip }}:{{ k3s.db.default_port }}/{{ db.name }}"

host_vars/aya01.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "root"
+ansible_host: 192.168.20.12
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.pve.aya01.root.sudo }}"
+
+host:
+  hostname: "aya01"
+  ip: "{{ ansible_host }}"

host_vars/docker-host00.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.34
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.docker.host00.sudo }}"
+
+host:
+  hostname: "docker-host00"
+  ip: "{{ ansible_host }}"

host_vars/docker-host01.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.35
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.docker.host01.sudo }}"
+
+host:
+  hostname: "docker-host01"
+  ip: "{{ ansible_host }}"

host_vars/docker-host02.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.36
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.docker.host02.sudo }}"
+
+host:
+  hostname: "docker-host02"
+  ip: "{{ ansible_host }}"

host_vars/docker-lb.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.37
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.docker.lb.sudo }}"
+
+host:
+  hostname: "docker-lb"
+  ip: "{{ ansible_host }}"

host_vars/inko.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "root"
+ansible_host: 192.168.20.14
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.pve.inko.root.sudo }}"
+
+host:
+  hostname: "inko"
+  ip: "{{ ansible_host }}"

host_vars/k3s-agent00.yml

@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
 ansible_host: 192.168.20.25
 ansible_port: 22
 ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.server01.sudo }}"
+ansible_become_pass: "{{ vault.k3s.agent00.sudo }}"
 
 host:
   hostname: "k3s-agent00"

host_vars/k3s-agent01.yml

@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
 ansible_host: 192.168.20.26
 ansible_port: 22
 ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.server01.sudo }}"
+ansible_become_pass: "{{ vault.k3s.agent01.sudo }}"
 
 host:
   hostname: "k3s-agent01"

host_vars/k3s-agent02.yml

@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
 ansible_host: 192.168.20.27
 ansible_port: 22
 ansible_ssh_private_key_file: "{{ pk_path }}"
-ansible_become_pass: "{{ vault.k3s.server01.sudo }}"
+ansible_become_pass: "{{ vault.k3s.agent02.sudo }}"
 
 host:
   hostname: "k3s-agent02"

host_vars/k3s-longhorn00.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.32
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.k3s.longhorn00.sudo }}"
+
+host:
+  hostname: "k3s-longhorn00"
+  ip: "{{ ansible_host }}"

host_vars/k3s-longhorn01.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.33
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.k3s.longhorn01.sudo }}"
+
+host:
+  hostname: "k3s-longhorn01"
+  ip: "{{ ansible_host }}"

host_vars/k3s-longhorn02.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.31
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.k3s.longhorn02.sudo }}"
+
+host:
+  hostname: "k3s-longhorn02"
+  ip: "{{ ansible_host }}"

host_vars/k3s-server02.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.30
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.k3s.server02.sudo }}"
+
+host:
+  hostname: "k3s-server02"
+  ip: "{{ ansible_host }}"

host_vars/lulu.yml

@@ -0,0 +1,10 @@
+---
+ansible_user: "root"
+ansible_host: 192.168.20.28
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.pve.lulu.root.sudo }}"
+
+host:
+  hostname: "lulu"
+  ip: "{{ ansible_host }}"

inventory/production

@@ -0,0 +1,58 @@
+[proxmox]
+aya01
+lulu
+inko
+
+[k3s]
+k3s-postgres
+k3s-loadbalancer
+k3s-server[00:02]
+k3s-agent[00:02]
+k3s-longhorn[00:02]
+
+[vm]
+k3s-postgres
+k3s-loadbalancer
+k3s-agent[00:02]
+k3s-server[00:02]
+k3s-longhorn[00:02]
+docker-host[00:02]
+
+[k3s_nodes]
+k3s-server[00:02]
+k3s-agent[00:02]
+k3s-longhorn[00:02]
+
+[docker]
+docker-host[00:02]
+docker-lb
+
+[vps]
+mii
+
+[k3s_server]
+k3s-server[00:02]
+
+[k3s_agent]
+k3s-agent[00:02]
+
+[k3s_storage]
+k3s-longhorn[00:02]
+
+[db]
+k3s-postgres
+
+[loadbalancer]
+k3s-loadbalancer
+
+[docker_host]
+docker-host[00:02]
+
+[docker_lb]
+docker-lb
+
+[local]
+localhost ansible_connection=local
+
+[vm:vars]
+ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"'

inventory/test

@@ -0,0 +1,2 @@
+[local]
+test ansible_connection=local ansible_become_pass=vagrant

playbooks/db.yml

@@ -14,3 +14,6 @@
     - role: node_exporter
       tags:
         - node_exporter
+    - role: postgres_exporter
+      tags:
+        - postgres_exporter

playbooks/docker-host.yml

@@ -0,0 +1,13 @@
+---
+- name: Set up Servers
+  hosts: docker_host
+  gather_facts: yes
+  vars_files:
+    - secrets.yml
+  roles:
+    - role: common
+      tags:
+        - common
+    - role: docker_host
+      tags:
+        - docker_host

playbooks/docker-lb.yml

@@ -0,0 +1,13 @@
+---
+- name: Set up reverse proxy for docker
+  hosts: docker_lb
+  gather_facts: yes
+  vars_files:
+    - secrets.yml
+  roles:
+    - role: common
+      tags:
+        - common
+    - role: reverse_proxy
+      tags:
+        - reverse_proxy

playbooks/k3s-storage.yml

@@ -0,0 +1,31 @@
+- name: Set up storage
+  hosts: k3s_nodes
+  gather_facts: yes
+  vars_files:
+    - secrets.yml
+  pre_tasks:
+    - name: Get K3s token from the first server
+      when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
+      slurp:
+        src: /var/lib/rancher/k3s/server/node-token
+      register: k3s_token
+      become: true
+
+    - name: Set fact on k3s.server.ips[0]
+      when: host.ip == k3s.server.ips[0] and inventory_hostname in groups["k3s_server"]
+      set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}"
+
+  roles:
+    - role: common
+      when: inventory_hostname in groups["k3s_storage"]
+      tags:
+        - common
+    - role: k3s_storage
+      when: inventory_hostname in groups["k3s_storage"]
+      k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s.server.ips[0] ) | select() | first | items2dict).host.hostname].k3s_token }}"
+      tags:
+        - k3s_storage
+    - role: node_exporter
+      when: inventory_hostname in groups["k3s_storage"]
+      tags:
+        - node_exporter

playbooks/ubuntu.yml

@@ -0,0 +1,5 @@
+- name: Provision Local Ubuntu Machine
+  hosts: local
+  gather_facts: true
+  roles:
+    - ubuntu

production

@@ -1,45 +0,0 @@
-[vps]
-mii
-
-[k3s]
-k3s-postgres
-k3s-loadbalancer
-k3s-server00
-k3s-server01
-k3s-agent00
-k3s-agent01
-k3s-agent02
-
-[k3s_server]
-k3s-server00
-k3s-server01
-
-[k3s_agent]
-k3s-agent00
-k3s-agent01
-k3s-agent02
-
-[vm]
-k3s-agent00
-k3s-agent01
-k3s-agent02
-k3s-server00
-k3s-server01
-k3s-postgres
-k3s-loadbalancer
-
-[k3s_nodes]
-k3s-server00
-k3s-server01
-k3s-agent00
-k3s-agent01
-k3s-agent02
-
-[db]
-k3s-postgres
-
-[loadbalancer]
-k3s-loadbalancer
-
-[vm:vars]
-ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"'

roles/common/files/bash/bash_aliases

@@ -0,0 +1,4 @@
+alias cat=batcat
+alias vim=nvim
+alias fd=fdfind
+alias ls=eza

roles/common/files/bash/bashrc

@@ -1,7 +1,7 @@
 export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 case $- in
-    *i*) ;;
+*i*) ;;
-      *) return;;
+*) return ;;
 esac
 HISTCONTROL=ignoreboth
 shopt -s histappend
@@ -9,39 +9,38 @@ HISTSIZE=1000
 HISTFILESIZE=2000
 shopt -s checkwinsize
 if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
-    debian_chroot=$(cat /etc/debian_chroot)
+  debian_chroot=$(cat /etc/debian_chroot)
 fi
 case "$TERM" in
-    xterm-color|*-256color) color_prompt=yes;;
+xterm-color | *-256color) color_prompt=yes ;;
 esac
 if [ -n "$force_color_prompt" ]; then
-    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+  if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
-	color_prompt=yes
+    color_prompt=yes
-    else
+  else
-	color_prompt=
+    color_prompt=
-    fi
+  fi
 fi
 if [ "$color_prompt" = yes ]; then
-    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+  PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
 else
-    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+  PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
 fi
 unset color_prompt force_color_prompt
 case "$TERM" in
-xterm*|rxvt*)
+xterm* | rxvt*)
-    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+  PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
-    ;;
+  ;;
-*)
+*) ;;
-    ;;
 esac
 
 if [ -x /usr/bin/dircolors ]; then
-    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+  test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
-    alias ls='ls --color=auto'
+  alias ls='ls --color=auto'
 fi
 
 if [ -f ~/.bash_aliases ]; then
-    . ~/.bash_aliases
+  . ~/.bash_aliases
 fi
 
 if ! shopt -oq posix; then
@@ -51,3 +50,7 @@ if ! shopt -oq posix; then
     . /etc/bash_completion
   fi
 fi
+
+if [ -f /etc/profile ]; then
+  . /etc/profile
+fi

roles/common/tasks/bash.yml

@@ -1,9 +1,12 @@
 ---
-- name: Copy .bashrc
+- name: Copy bash-configs
-  template:
+  ansible.builtin.template:
-    src: files/bash/bashrc
+    src: "files/bash/{{ item }}"
-    dest: "/home/{{ user }}/.bashrc"
+    dest: "/home/{{ user }}/.{{ item }}"
     owner: "{{ user }}"
     group: "{{ user }}"
-    mode: 0644
+    mode: "644"
-  become: yes
+  loop:
+    - bashrc
+    - bash_aliases
+  become: true

roles/common/tasks/extra_packages.yml

@@ -0,0 +1,95 @@
+---
+- name: Ensure /etc/apt/keyrings directory exists
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: "0755"
+  become: true
+
+- name: Download and save Gierens repository GPG key
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc
+    dest: /etc/apt/keyrings/gierens.asc
+    mode: "0644"
+  register: gpg_key_result
+  become: true
+
+- name: Add Gierens repository to apt sources
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/gierens.asc] http://deb.gierens.de stable main"
+    state: present
+    update_cache: true
+  become: true
+
+- name: Install eza package
+  ansible.builtin.apt:
+    name: eza
+    state: present
+  become: true
+
+- name: Install bottom package
+  ansible.builtin.apt:
+    deb: https://github.com/ClementTsang/bottom/releases/download/0.9.6/bottom_0.9.6_amd64.deb
+    state: present
+  become: true
+
+- name: Check if Neovim is already installed
+  ansible.builtin.command: "which nvim"
+  register: neovim_installed
+  changed_when: false
+  ignore_errors: true
+
+- name: Download Neovim AppImage
+  ansible.builtin.get_url:
+    url: https://github.com/neovim/neovim/releases/download/v0.10.0/nvim.appimage
+    dest: /tmp/nvim.appimage
+    mode: "0755"
+  when: neovim_installed.rc != 0
+  register: download_result
+
+- name: Extract Neovim AppImage
+  ansible.builtin.command:
+    cmd: "./nvim.appimage --appimage-extract"
+    chdir: /tmp
+  when: download_result.changed
+  register: extract_result
+
+- name: Copy extracted Neovim files to /usr
+  ansible.builtin.copy:
+    src: /tmp/squashfs-root/usr/
+    dest: /usr/
+    remote_src: true
+    mode: "0755"
+  become: true
+  when: extract_result.changed
+
+- name: Clean up extracted Neovim files
+  ansible.builtin.file:
+    path: /tmp/squashfs-root
+    state: absent
+  when: extract_result.changed
+
+- name: Remove Neovim AppImage
+  ansible.builtin.file:
+    path: /tmp/nvim.appimage
+    state: absent
+  when: download_result.changed
+
+- name: Check if Neovim config directory already exists
+  ansible.builtin.stat:
+    path: ~/.config/nvim
+  register: nvim_config
+
+- name: Clone LazyVim starter to Neovim config directory
+  ansible.builtin.git:
+    repo: https://github.com/LazyVim/starter
+    dest: ~/.config/nvim
+    clone: true
+    update: false
+  when: not nvim_config.stat.exists
+
+- name: Remove .git directory from Neovim config
+  ansible.builtin.file:
+    path: ~/.config/nvim/.git
+    state: absent
+  when: not nvim_config.stat.exists

roles/common/tasks/hostname.yml

@@ -5,10 +5,10 @@
   become: true
 
 - name: Update /etc/hosts to reflect the new hostname
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/hosts
     regexp: '^127\.0\.1\.1'
     line: "127.0.1.1 {{ host.hostname }}"
     state: present
-    backup: yes
+    backup: true
   become: true

roles/common/tasks/main.yml

@@ -1,6 +1,13 @@
 ---
-- include_tasks: time.yml
+- name: Configure Time
-- include_tasks: hostname.yml
+  ansible.builtin.include_tasks: time.yml
-- include_tasks: packages.yml
+- name: Configure Hostname
-- include_tasks: bash.yml
+  ansible.builtin.include_tasks: hostname.yml
-- include_tasks: sshd.yml
+- name: Configure Packages
+  ansible.builtin.include_tasks: packages.yml
+- name: Configure Extra-Packages
+  ansible.builtin.include_tasks: extra_packages.yml
+- name: Configure Bash
+  ansible.builtin.include_tasks: bash.yml
+- name: Configure SSH
+  ansible.builtin.include_tasks: sshd.yml

roles/common/tasks/packages.yml

@@ -1,13 +1,13 @@
 ---
 - name: Update and upgrade packages
-  apt:
+  ansible.builtin.apt:
-    update_cache: yes
+    update_cache: true
-    upgrade: yes
+    upgrade: true
-    autoremove: yes
+    autoremove: true
-  become: yes
+  become: true
 
-- name: Install extra packages
+- name: Install base packages
-  apt:
+  ansible.builtin.apt:
     name: "{{ common_packages }}"
     state: present
-  become: yes
+  become: true

roles/common/tasks/sshd.yml

@@ -1,15 +1,15 @@
 ---
 - name: Copy sshd_config
-  template:
+  ansible.builtin.template:
     src: templates/ssh/sshd_config
     dest: /etc/ssh/sshd_config
-    mode: 0644
+    mode: "644"
   notify:
     - Restart sshd
-  become: yes
+  become: true
 
 - name: Copy pubkey
-  copy:
+  ansible.builtin.copy:
     content: "{{ pubkey }}"
     dest: "/home/{{ user }}/.ssh/authorized_keys"
     owner: "{{ user }}"

roles/common/templates/ssh/sshd_config

@@ -1,124 +1,18 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
 Include /etc/ssh/sshd_config.d/*.conf
-
 Protocol 2
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
 PermitRootLogin no
-#StrictModes yes
 MaxAuthTries 3
-#MaxSessions 10
-
 PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
 PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
 ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
-
 AllowAgentForwarding no
 AllowTcpForwarding no
-#GatewayPorts no
 X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
 PrintMotd no
-#PrintLastLog yes
 TCPKeepAlive no
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
 ClientAliveCountMax 2
 UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
-
-# override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server

roles/docker_host/files/daemon.json

@@ -0,0 +1,3 @@
+{
+  "metrics-addr": "0.0.0.0:9323"
+}

roles/docker_host/files/sysctl.conf

@@ -0,0 +1 @@
+vm.max_map_count = 262144

roles/docker_host/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Restart docker
+  ansible.builtin.service:
+    name: docker
+    state: restarted
+  become: true
+
+- name: Restart compose
+  community.docker.docker_compose_v2:
+    project_src: "{{ docker.directories.compose }}"
+    state: restarted

roles/docker_host/tasks/deploy_compose.yml

@@ -0,0 +1,13 @@
+---
+- name: Copy docker compose file to target
+  ansible.builtin.template:
+    src: "templates/compose.yaml.j2"
+    dest: "{{ docker.directories.compose }}/compose.yaml"
+    owner: "{{ user }}"
+    group: "{{ user }}"
+    mode: "644"
+    backup: true
+  notify:
+    - Restart docker
+    - Restart compose
+  become: true

roles/docker_host/tasks/directory_setup.yml

@@ -0,0 +1,40 @@
+---
+- name: Create directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - /media/docker
+    - /media/series
+    - /media/movies
+    - /media/songs
+    - "{{ docker.directories.opt }}"
+    - "{{ docker.directories.compose }}"
+    - /opt/local
+  become: true
+
+- name: Set ownership to {{ user }}
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ user }}"
+    group: "{{ user }}"
+  loop:
+    - "{{ docker.directories.opt }}"
+    - /opt/local
+    - /media
+  become: true
+
+- name: Ensure NFS mounts
+  ansible.posix.mount:
+    path: "{{ item }}"
+    src: "192.168.20.12:{{ item }}"
+    fstype: nfs
+    opts: defaults,nolock,_netdev,auto,bg
+    state: mounted
+  loop:
+    - /media/docker
+    - /media/series
+    - /media/movies
+    - /media/songs
+  become: true

roles/docker_host/tasks/export.yml

@@ -0,0 +1,11 @@
+---
+- name: Copy exporter config to host
+  ansible.builtin.copy:
+    src: files/daemon.json
+    dest: /etc/docker/daemon.json
+    owner: "{{ root }}"
+    group: "{{ root }}"
+    mode: "0644"
+  notify:
+    - Restart docker
+  become: true

roles/docker_host/tasks/installation.yml

@@ -0,0 +1,59 @@
+---
+- name: Uninstall old versions
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: absent
+    purge: true
+  loop:
+    - docker
+    - docker-engine
+    - docker.io
+    - containerd
+    - runc
+  become: true
+
+- name: Update cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install dependencies for apt to use repositories over HTTPS
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - ca-certificates
+    - curl
+    - gnupg
+    - lsb-release
+  become: true
+
+- name: Add Docker apt key.
+  ansible.builtin.get_url:
+    url: "{{ docker.url }}/{{ ansible_distribution | lower }}/gpg"
+    dest: /etc/apt/trusted.gpg.d/docker.asc
+    mode: "0664"
+    force: true
+  become: true
+
+- name: Add Docker repository.
+  ansible.builtin.apt_repository:
+    repo: "deb [arch={{ arch }}] {{ docker.url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker.apt_release_channel }}"
+    state: present
+  become: true
+
+- name: Update cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install Docker Engine, containerd, and Docker Compose.
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - docker-ce
+    - docker-ce-cli
+    - docker-compose-plugin
+    - containerd.io
+  become: true

roles/docker_host/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Setup VM
+  ansible.builtin.include_tasks: setup.yml
+
+- name: Install docker
+  ansible.builtin.include_tasks: installation.yml
+
+- name: Setup user and group for docker
+  ansible.builtin.include_tasks: user_group_setup.yml
+
+- name: Setup directory structure for docker
+  ansible.builtin.include_tasks: directory_setup.yml
+
+- name: Deploy docker compose
+  ansible.builtin.include_tasks: deploy_compose.yml
+
+- name: Publish metrics
+  ansible.builtin.include_tasks: export.yml

roles/docker_host/tasks/setup.yml

@@ -0,0 +1,9 @@
+---
+- name: Enable HW accelerate for VM
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - firmware-misc-nonfree
+    - nfs-common
+  become: true

roles/docker_host/tasks/user_group_setup.yml

@@ -0,0 +1,14 @@
+---
+- name: Ensure group "docker" exists
+  ansible.builtin.group:
+    name: docker
+    state: present
+  become: true
+
+- name: Append the group docker to "{{ user }}"
+  ansible.builtin.user:
+    name: "{{ user }}"
+    shell: /bin/bash
+    groups: docker
+    append: true
+  become: true

roles/docker_host/templates/compose.yaml.j2

@@ -0,0 +1,95 @@
+services:
+{% for service in services %}
+{% if inventory_hostname in service.vm %}
+  {{service.name}}:
+    container_name: {{ service.container_name }}
+    image: {{ service.image }}
+    restart: {{ service.restart }}
+{% if service.network_mode is not defined %}
+    hostname: {{service.name}}
+    networks:
+      - net
+{% endif %}
+{% if service.ports is defined and service.ports is iterable %}
+{% if service.ports[0].internal != 'proxy_only' %}
+    ports:
+{% for port in service.ports %}
+{% if port.internal != 'proxy_only' %}
+      - {{port.external}}:{{port.internal}}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if service.cap_add is defined and service.cap_add is iterable %}
+    cap_add:
+{% for cap in service.cap_add %}
+      - {{ cap }}
+{% endfor %}
+{% endif %}
+{% if service.depends_on is defined and service.depends_on is iterable %}
+    depends_on:
+{% for dependency in service.depends_on %}
+      - {{ dependency }}
+{% endfor %}
+{% endif %}
+{% if service.network_mode is defined %}
+    network_mode: {{ service.network_mode }}
+{% endif %}
+{% if service.privileged is defined %}
+    privileged: {{ service.privileged }}
+{% endif %}
+{% if service.volumes is defined and service.volumes is iterable %}
+    volumes:
+{% for volume in service.volumes %}
+      - {{volume.external}}:{{volume.internal}}
+{% endfor %}
+{% endif %}
+{% if service.environment is defined and service.environment is iterable %}
+    environment:
+{% for env in service.environment %}
+      - {{env}}
+{% endfor %}
+{% endif %}
+{% if service.devices is defined and service.devices is iterable  %}
+    devices:
+{% for device in service.devices %}
+      - {{device.external}}:{{device.internal}}
+{% endfor %}
+{% endif %}
+{% if service.name == 'paperless' %}
+
+  {{service.name}}-broker:
+    container_name: paperless-broker
+    image: docker.io/library/redis:7
+    restart: unless-stopped
+    networks:
+      - net
+    volumes:
+      - /opt/local/paperless/redis/data:/data
+
+  {{service.name}}-postgres:
+    container_name: paperless-postgres
+    image: docker.io/library/postgres:15
+    restart: unless-stopped
+    networks:
+      - net
+    volumes:
+      - /opt/local/paperless/db/data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: paperless
+      POSTGRES_USER: paperless
+      POSTGRES_PASSWORD: 5fnhn%u2YWY3paNvMAjdoufYPQ2Hf3Yi
+{% endif %}
+
+{% endif %}
+{% endfor %}
+networks:
+  net:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.16.69.0/24
+
+volumes:
+  prometheus_data: {}

roles/k3s_agent/tasks/installation.yml

@@ -1,6 +1,6 @@
 ---
 - name: See if k3s file exists
-  stat:
+  ansible.builtin.stat:
     path: /usr/local/bin/k3s
   register: k3s_status
 
@@ -13,9 +13,9 @@
 
 - name: Install K3s on the secondary servers
   when: not k3s_status.stat.exists
-  command: |
+  ansible.builtin.command: |
     /tmp/k3s_install.sh
   environment:
-    K3S_URL: "https://{{ k3s.loadbalancer.ip }}:{{k3s.loadbalancer.default_port}}"
+    K3S_URL: "https://{{ k3s.loadbalancer.ip }}:{{ k3s.loadbalancer.default_port }}"
     K3S_TOKEN: "{{ k3s_token }}"
   become: true

roles/k3s_server/tasks/installation.yml

@@ -1,6 +1,6 @@
 ---
 - name: See if k3s file exists
-  stat:
+  ansible.builtin.stat:
     path: /usr/local/bin/k3s
   register: k3s_status
 
@@ -13,7 +13,7 @@
 
 - name: Install K3s server with node taint and TLS SAN
   when: (host.ip == k3s.server.ips[0] and (not k3s_status.stat.exists))
-  command: |
+  ansible.builtin.command: |
     /tmp/k3s_install.sh server \
     --node-taint CriticalAddonsOnly=true:NoExecute \
     --tls-san {{ k3s.loadbalancer.ip }}
@@ -26,7 +26,7 @@
 
 - name: Wait for K3s to be installed
   when: (host.ip == k3s.server.ips[0] and (not k3s_status.stat.exists))
-  async_status:
+  ansible.builtin.async_status:
     jid: "{{ k3s_primary_install.ansible_job_id }}"
   register: k3s_primary_install_status
   until: k3s_primary_install_status.finished
@@ -36,18 +36,19 @@
 
 - name: Get K3s token from the first server
   when: host.ip == k3s.server.ips[0]
-  slurp:
+  ansible.builtin.slurp:
     src: /var/lib/rancher/k3s/server/node-token
   register: k3s_token
   become: true
 
 - name: Set fact on k3s.server.ips[0]
   when: host.ip == k3s.server.ips[0]
-  set_fact: k3s_token="{{ k3s_token['content'] | b64decode | trim }}"
+  ansible.builtin.set_fact:
+    k3s_token: "{{ k3s_token['content'] | b64decode | trim }}"
 
 - name: Install K3s on the secondary servers
   when: (host.ip != k3s.server.ips[0] and (not k3s_status.stat.exists))
-  command: |
+  ansible.builtin.command: |
     /tmp/k3s_install.sh server \
     --node-taint CriticalAddonsOnly=true:NoExecute \
     --tls-san {{ k3s.loadbalancer.ip }}

roles/k3s_storage/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart k3s
+  service:
+    name: k3s
+    state: restarted
+  become: yes

roles/k3s_storage/tasks/installation.yml

@@ -0,0 +1,23 @@
+---
+- name: See if k3s file exists
+  ansible.builtin.stat:
+    path: /usr/local/bin/k3s
+  register: k3s_status
+
+- name: Download K3s install script to /tmp/
+  when: not k3s_status.stat.exists
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp/k3s_install.sh
+    mode: "0755"
+
+- name: Install K3s on the secondary servers with longhorn affinity
+  when: not k3s_status.stat.exists
+  ansible.builtin.command: |
+    /tmp/k3s_install.sh \
+    --node-taint storage=true:NoExecute \
+    --node-label longhorn=true
+  environment:
+    K3S_URL: "https://{{ k3s.loadbalancer.ip }}:{{ k3s.loadbalancer.default_port }}"
+    K3S_TOKEN: "{{ k3s_token }}"
+  become: true

roles/k3s_storage/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Install dependencies
+  ansible.builtin.include_tasks: requirements.yml
+- name: Install k3s
+  ansible.builtin.include_tasks: installation.yml

roles/k3s_storage/tasks/requirements.yml

@@ -0,0 +1,19 @@
+---
+- name: Update and upgrade packages
+  ansible.builtin.apt:
+    update_cache: true
+    upgrade: true
+    autoremove: true
+  become: true
+
+- name: Install extra packages
+  ansible.builtin.apt:
+    name: "open-iscsi"
+    state: present
+  become: true
+
+- name: Install extra packages
+  ansible.builtin.apt:
+    name: "nfs-common"
+    state: present
+  become: true

roles/loadbalancer/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Restart nginx
-  systemd:
+  ansible.builtin.systemd:
     name: nginx
     state: restarted
   become: true

roles/loadbalancer/tasks/configuration.yml

@@ -1,6 +1,6 @@
 ---
 - name: Template the nginx config file with dynamic upstreams
-  template:
+  ansible.builtin.template:
     src: templates/nginx.conf.j2
     dest: "{{ nginx_config_path }}"
     owner: root
@@ -13,7 +13,7 @@
     k3s_server_ips: "{{ k3s.server.ips }}"
 
 - name: Enable nginx
-  systemd:
+  ansible.builtin.systemd:
     name: nginx
     daemon_reload: true
     enabled: true

roles/loadbalancer/tasks/installation.yml

@@ -1,11 +1,11 @@
 ---
 - name: Update apt cache
-  apt:
+  ansible.builtin.apt:
-    update_cache: yes
+    update_cache: true
   become: true
 
 - name: Install Nginx
-  apt:
+  ansible.builtin.apt:
     name:
       - nginx-full
     state: present

roles/loadbalancer/tasks/main.yml

@@ -1,3 +1,5 @@
 ---
-- include_tasks: installation.yml
+- name: Installation
-- include_tasks: configuration.yml
+  ansible.builtin.include_tasks: installation.yml
+- name: Configure
+  ansible.builtin.include_tasks: configuration.yml

roles/loadbalancer/templates/nginx.conf.j2

@@ -2,8 +2,8 @@ include /etc/nginx/modules-enabled/*.conf;
 
 events {}
 
-# TCP Load Balancing for the K3s API
 stream {
+# TCP Load Balancing for the K3s API
   upstream k3s_servers {
     {% for ip in k3s_server_ips %}
     server {{ ip }}:{{k3s.loadbalancer.default_port}};
@@ -14,6 +14,17 @@ stream {
     listen {{k3s.loadbalancer.default_port}};
     proxy_pass k3s_servers;
   }
+
+  upstream dns_servers {
+    {% for ip in k3s_server_ips %}
+    server {{ ip }}:53;
+    {% endfor %}
+  }
+
+  server {
+    listen 53 udp;
+    proxy_pass dns_servers;
+  }
 }
 
 http {
@@ -43,9 +54,9 @@ http {
   }
 
   server {
-    listen 443;
+    listen 443 ssl;
 
-    server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de
+    server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de;
 
     ssl_certificate /etc/nginx/ssl/staging_tls.crt;
     ssl_certificate_key /etc/nginx/ssl/staging_tls.key;
@@ -59,9 +70,9 @@ http {
   }
 
   server {
-    listen 443;
+    listen 443 ssl;
 
-    server_name production.k3s.seyshiro.de *.production.k3s.seyshiro.de
+    server_name k3s.seyshiro.de *.k3s.seyshiro.de;
 
     ssl_certificate /etc/nginx/ssl/production_tls.crt;
     ssl_certificate_key /etc/nginx/ssl/production_tls.key;
@@ -74,3 +85,5 @@ http {
     }
   }
 }
+
+

roles/node_exporter/tasks/get_version.yml

@@ -1,7 +1,7 @@
 ---
 - name: Determine latest GitHub release (local)
   delegate_to: localhost
-  uri:
+  ansible.builtin.uri:
     url: "https://api.github.com/repos/prometheus/node_exporter/releases/{{ version }}"
     body_format: json
   register: _github_release
@@ -9,10 +9,10 @@
   retries: 3
 
 - name: Set version
-  set_fact:
+  ansible.builtin.set_fact:
-    version: "{{ _github_release.json.tag_name
+    tag: "{{ _github_release.json.tag_name
       | regex_replace('^v?([0-9\\.]+)$', '\\1') }}"
 
 - name: Set download_url
-  set_fact:
+  ansible.builtin.set_fact:
-    download_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ version }}/node_exporter-{{ version }}.linux-{{ go_arch }}.tar.gz"
+    download_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ tag }}/node_exporter-{{ tag }}.linux-{{ go_arch }}.tar.gz"

roles/node_exporter/tasks/install.yml

@@ -1,29 +1,29 @@
 ---
 - name: Download/Extract "{{ download_url }}"
-  unarchive:
+  ansible.builtin.unarchive:
     src: "{{ download_url }}"
     dest: /tmp/
     remote_src: true
-    mode: 755
+    mode: "755"
 
 - name: Move node_exporter into path
-  copy:
+  ansible.builtin.copy:
-    src: "/tmp/node_exporter-{{ version }}.linux-{{ go_arch }}/node_exporter"
+    src: "/tmp/node_exporter-{{ tag }}.linux-{{ go_arch }}/node_exporter"
     dest: "{{ bin_path }}"
-    mode: 755
+    mode: "755"
     remote_src: true
   become: true
 
 - name: Create node_exporter user.
-  user:
+  ansible.builtin.user:
     name: node_exporter
     shell: /sbin/nologin
     state: present
   become: true
 
 - name: Copy the node_exporter systemd unit file.
-  template:
+  ansible.builtin.template:
     src: node_exporter.service.j2
     dest: /etc/systemd/system/node_exporter.service
-    mode: 0644
+    mode: "644"
   become: true

roles/node_exporter/tasks/main.yml

@@ -1,3 +1,6 @@
-- include_tasks: get_version.yml
+- name: Get Version
-- include_tasks: install.yml
+  ansible.builtin.include_tasks: get_version.yml
-- include_tasks: systemd.yml
+- name: Install
+  ansible.builtin.include_tasks: install.yml
+- name: Setup Service
+  ansible.builtin.include_tasks: systemd.yml

roles/node_exporter/tasks/systemd.yml

@@ -1,6 +1,6 @@
 ---
 - name: Ensure node_exporter is running and enabled at boot.
-  service:
+  ansible.builtin.service:
     name: node_exporter
     state: started
     daemon_reload: true

roles/postgres/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Restart postgres
-  systemd:
+  ansible.builtin.systemd:
     name: postgresql
     state: restarted
   become: true

roles/postgres/tasks/ansible_deps.yml

@@ -1,10 +1,10 @@
 ---
 - name: Update apt cache
-  apt:
+  ansible.builtin.apt:
-    update_cache: yes
+    update_cache: true
   become: true
 
 - name: Install ansible dependencies
-  apt:
+  ansible.builtin.apt:
     name: "{{ ansible_dependencies }}"
   become: true

roles/postgres/tasks/configuration.yml

@@ -16,18 +16,18 @@
     encoding: UTF8
     lc_collate: "en_US.UTF-8"
     lc_ctype: "en_US.UTF-8"
-  become: yes
+  become: true
   become_user: postgres
   vars:
     ansible_remote_temp: "/tmp/"
 
-- name: "Grant all privileges on database {{ db.name }} to {{ db.user }};"
+- name: "Grant privileges to {{ db.user }}"
   community.postgresql.postgresql_privs:
     db: "{{ db.name }}"
     privs: ALL
     type: database
     roles: "{{ db.user }}"
-  become: yes
+  become: true
   become_user: postgres
   vars:
     ansible_remote_temp: "/tmp/"
@@ -39,13 +39,13 @@
     type: schema
     obj: "public"
     roles: "{{ db.user }}"
-  become: yes
+  become: true
   become_user: postgres
   vars:
     ansible_remote_temp: "/tmp/"
 
-- name: "Allow md5 connection for the {{ db.user }} user"
+- name: "Allow md5 connection for the user {{ db.user }}"
-  postgresql_pg_hba:
+  community.postgresql.postgresql_pg_hba:
     dest: "/etc/postgresql/15/main/pg_hba.conf"
     contype: host
     databases: all
@@ -53,16 +53,17 @@
     address: "{{ k3s.net }}"
     users: "{{ db.user }}"
     create: false
-  become: yes
+  become: true
   notify:
     - Restart postgres
 
 - name: "Set public listen address"
   become: true
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "/etc/postgresql/15/main/conf.d/listen.conf"
     regexp: "^#?listen_addresses="
     line: "listen_addresses='{{ db.listen_address | default('localhost') }}'"
     state: present
-    create: yes
+    mode: "644"
+    create: true
   notify: "Restart postgres"

roles/postgres/tasks/installation.yml

@@ -1,12 +1,12 @@
 ---
 - name: Install postgres
-  apt:
+  ansible.builtin.apt:
     name: "{{ postgres_packages }}"
     state: present
   become: true
 
 - name: Start and enable the service
-  systemd:
+  ansible.builtin.systemd:
     name: postgresql
     state: started
     daemon_reload: true

roles/postgres/tasks/main.yml

@@ -1,4 +1,7 @@
 ---
-- include_tasks: ansible_deps.yml
+- name: Install ansible dependencies for this role
-- include_tasks: installation.yml
+  ansible.builtin.include_tasks: ansible_deps.yml
-- include_tasks: configuration.yml
+- name: Install postgres
+  ansible.builtin.include_tasks: installation.yml
+- name: Configure Database
+  ansible.builtin.include_tasks: configuration.yml

roles/postgres_exporter/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: "Restart {{ bin_name }}"
+  ansible.builtin.service:
+    name: "{{ bin_name }}"
+    state: restarted
+  become: true

roles/postgres_exporter/tasks/get_version.yml

@@ -0,0 +1,18 @@
+---
+- name: Determine latest GitHub release (local)
+  delegate_to: localhost
+  ansible.builtin.uri:
+    url: "https://api.github.com/repos/{{ repository }}/releases/{{ version }}"
+    body_format: json
+  register: _github_release
+  until: _github_release.status == 200
+  retries: 3
+
+- name: Set version
+  ansible.builtin.set_fact:
+    tag: "{{ _github_release.json.tag_name
+      | regex_replace('^v?([0-9\\.]+)$', '\\1') }}"
+
+- name: Set download_url
+  ansible.builtin.set_fact:
+    download_url: "https://github.com/{{ repository }}/releases/download/v{{ tag }}/{{ bin_name }}-{{ tag }}.linux-{{ go_arch }}.tar.gz"

roles/postgres_exporter/tasks/install.yml

@@ -0,0 +1,29 @@
+---
+- name: Download/Extract "{{ download_url }}"
+  ansible.builtin.unarchive:
+    src: "{{ download_url }}"
+    dest: /tmp/
+    remote_src: true
+    mode: "755"
+
+- name: "Move binary into path: {{ bin_path }}"
+  ansible.builtin.copy:
+    src: "/tmp/{{ bin_name }}-{{ tag }}.linux-{{ go_arch }}/{{ bin_name }}"
+    dest: "{{ bin_path }}"
+    mode: "755"
+    remote_src: true
+  become: true
+
+- name: "Create user: {{ bin_name }}"
+  ansible.builtin.user:
+    name: "{{ bin_name }}"
+    shell: /sbin/nologin
+    state: present
+  become: true
+
+- name: Copy the node_exporter systemd unit file.
+  ansible.builtin.template:
+    src: "{{ bin_name }}.service.j2"
+    dest: "/etc/systemd/system/{{ bin_name }}.service"
+    mode: "644"
+  become: true

roles/postgres_exporter/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Get Version
+  ansible.builtin.include_tasks: get_version.yml
+- name: Install exporter
+  ansible.builtin.include_tasks: install.yml
+- name: Create service
+  ansible.builtin.include_tasks: systemd.yml

roles/postgres_exporter/tasks/systemd.yml

@@ -0,0 +1,10 @@
+---
+- name: "Ensure service is running and enabled: {{ bin_name }}"
+  ansible.builtin.service:
+    name: "{{ bin_name }}"
+    state: started
+    daemon_reload: true
+    enabled: true
+  notify:
+    - Restart "{{ bin_name }}"
+  become: true

roles/postgres_exporter/templates/postgres_exporter.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=PostgresExporter
+
+[Service]
+TimeoutStartSec=0
+User={{ bin_name }}
+ExecStart={{ bin_path }} --web.listen-address={{ host.ip }}:{{ bind_port }} {{ options }}
+Environment="DATA_SOURCE_URI=localhost:5432/postgres?sslmode=disable"
+Environment="DATA_SOURCE_USER={{ db.user }}"
+Environment="DATA_SOURCE_PASS={{ db.password }}"
+
+[Install]
+WantedBy=multi-user.target
+

roles/postgres_exporter/vars/main.yml

@@ -0,0 +1,16 @@
+go_arch_map:
+  i386: "386"
+  x86_64: "amd64"
+  aarch64: "arm64"
+  armv7l: "armv7"
+  armv6l: "armv6"
+
+go_arch: "{{ go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
+
+repository: "prometheus-community/postgres_exporter"
+bind_port: 9187
+version: "latest"
+serve: "localhost"
+options: ""
+bin_name: postgres_exporter
+bin_path: "/usr/local/bin/{{ bin_name }}"

roles/reverse_proxy/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+caddy_version: latest
+caddy_config_path: /etc/caddy/Caddyfile
+caddy_binary: ./caddy
+
+go_version: 1.23.4

roles/reverse_proxy/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Restart Caddy
+  ansible.builtin.command: "{{ caddy_binary }} reload --config {{ caddy_config_path  }}"
+  become: true

roles/reverse_proxy/tasks/configure.yml

@@ -0,0 +1,16 @@
+---
+- name: Ensure Caddy configuration directory exists
+  ansible.builtin.file:
+    path: /etc/caddy
+    state: directory
+    mode: "0755"
+  become: true
+
+- name: Deploy Caddy configuration file
+  ansible.builtin.template:
+    src: Caddyfile.j2
+    dest: "{{ caddy_config_path }}"
+    mode: "0644"
+    backup: true
+  become: true
+  notify: Restart Caddy

roles/reverse_proxy/tasks/install.yml

@@ -0,0 +1,32 @@
+---
+- name: Download xCaddy GPG key
+  ansible.builtin.get_url:
+    url: "https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key"
+    dest: /etc/apt/keyrings/caddy-xcaddy.asc
+    mode: "0644"
+  become: true
+
+- name: Add xCaddy repository to apt sources
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/caddy-xcaddy.asc] https://dl.cloudsmith.io/public/caddy/xcaddy/deb/debian any-version main"
+    state: present
+    update_cache: true
+  become: true
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install xCaddy
+  ansible.builtin.apt:
+    name: xcaddy
+    state: present
+  become: true
+
+- name: Install Caddy
+  ansible.builtin.command: xcaddy build --with github.com/caddy-dns/netcup
+  environment:
+    PATH: "{{ ansible_env.PATH }}:/usr/local/go/bin"
+  register: xcaddy_build
+  failed_when: xcaddy_build.rc != 0

roles/reverse_proxy/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Install Prerequisites
+  ansible.builtin.include_tasks: prereq.yml
+- name: Install Caddy
+  ansible.builtin.include_tasks: install.yml
+- name: Configure Caddy
+  ansible.builtin.include_tasks: configure.yml
+- name: Start Caddy
+  ansible.builtin.include_tasks: start.yml

roles/reverse_proxy/tasks/prereq.yml

@@ -0,0 +1,44 @@
+---
+- name: Install prerequisites for Caddy
+  ansible.builtin.apt:
+    name:
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+      - curl
+    state: present
+    update_cache: true
+  become: true
+
+- name: Remove existing Go installation
+  ansible.builtin.file:
+    path: /usr/local/go
+    state: absent
+  become: true
+
+- name: Download Go tarball
+  ansible.builtin.get_url:
+    url: "https://go.dev/dl/go{{ go_version }}.linux-amd64.tar.gz"
+    dest: "/tmp/go{{ go_version }}.linux-amd64.tar.gz"
+    mode: "0755"
+
+- name: Extract Go tarball to /usr/local
+  ansible.builtin.unarchive:
+    src: /tmp/go1.23.4.linux-amd64.tar.gz
+    dest: /usr/local
+    remote_src: true
+  become: true
+  register: go_install
+
+- name: Ensure Go binary path is added to /etc/profile
+  ansible.builtin.lineinfile:
+    path: /etc/profile
+    line: "PATH=$PATH:/usr/local/go/bin"
+    state: present
+    regexp: "^PATH=.*:/usr/local/go/bin$"
+  become: true
+
+- name: Source /etc/profile to update PATH for the current session
+  ansible.builtin.shell: "source /etc/profile"
+  args:
+    executable: /bin/bash

roles/reverse_proxy/tasks/start.yml

@@ -0,0 +1,4 @@
+---
+- name: Ensure Caddy service is running
+  ansible.builtin.command: "{{ caddy_binary }} start --config {{ caddy_config_path }}"
+  become: true

roles/reverse_proxy/templates/Caddyfile.j2

@@ -0,0 +1,34 @@
+{
+    email {{ caddy.admin_email | default('admin@example.com') }}
+    acme_ca {{ caddy.acme_ca | default('https://acme-v02.api.letsencrypt.org/directory') }}
+}
+
+{% for service in services %}
+{% if service.ports is defined %}
+{% if service.ports is iterable %}
+{% set http_port = service.ports | selectattr('name', 'equalto', 'http') | map(attribute='external') | list %}
+{% if http_port %}
+{{ service.name }}.{{ domain }} {
+    {% for vm in service.vm %}
+    reverse_proxy {{ hostvars[vm].ansible_host }}:{{ http_port[0] }}
+    {% endfor %}
+    log {
+        output file /var/log/caddy/{{ service.name }}.log
+        format json
+    }
+	tls {
+		dns netcup {
+			customer_number {{ vault.netcup.customer_number }}
+			api_key {{ vault.netcup.api_key}}
+			api_password {{ vault.netcup.api_password }}
+		}
+    propagation_timeout 900s
+		propagation_delay 600s
+		resolvers 1.1.1.1
+	}
+}
+
+{% endif %}
+{% endif %}
+{% endif %}
+{% endfor %}

roles/ubuntu/tasks/apt.yml

@@ -0,0 +1,16 @@
+---
+- name: Install dependencies
+  ansible.builtin.apt:
+    name: "{{ apt_dependencies }}"
+    state: present
+    update_cache: true
+  become: true
+
+- name: Install tools
+  ansible.builtin.apt:
+    name: "{{ apt_tools }}"
+    state: present
+  become: true
+
+- name: Update tldr database
+  ansible.builtin.command: tldr --update

roles/ubuntu/tasks/curl.yml

@@ -0,0 +1,19 @@
+---
+- name: Install starship
+  ansible.builtin.shell: set -o pipefail && curl -fsSL https://starship.rs/install.sh | sh -s -- --yes
+  args:
+    executable: /usr/bin/bash
+    creates: "{{ ansible_env.HOME }}/.config/starship.toml"
+
+- name: Install Pacstall
+  ansible.builtin.shell: yes | bash -c "$(curl -fsSL https://pacstall.dev/q/install)"
+  args:
+    executable: /usr/bin/bash
+    creates: /usr/local/bin/pacstall
+  become: true
+
+- name: Install atuin
+  ansible.builtin.shell: set -o pipefail && curl -fsSL https://setup.atuin.sh | sh -s -- --yes
+  args:
+    executable: /usr/bin/bash
+    creates: "{{ ansible_env.HOME }}/.config/atuin"

roles/ubuntu/tasks/docker.yml

@@ -0,0 +1,51 @@
+---
+- name: Update cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install dependencies for apt to use repositories over HTTPS
+  ansible.builtin.apt:
+    name:
+      - ca-certificates
+      - curl
+      - gnupg
+      - lsb-release
+    state: present
+  become: true
+
+- name: Add Docker apt key.
+  ansible.builtin.get_url:
+    url: "{{ docker.url }}/{{ ansible_distribution | lower }}/gpg"
+    dest: /etc/apt/trusted.gpg.d/docker.asc
+    mode: "0664"
+    force: true
+  become: true
+
+- name: Add Docker repository.
+  ansible.builtin.apt_repository:
+    repo: "deb [arch={{ aarch }}] {{ docker.url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker.apt_release_channel }}"
+    state: present
+  become: true
+
+- name: Update cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install Docker Engine, containerd, and Docker Compose.
+  ansible.builtin.apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - docker-compose-plugin
+      - containerd.io
+    state: present
+  become: true
+
+- name: Add current user to docker group
+  ansible.builtin.user:
+    name: "{{ ansible_user_id }}"
+    groups: docker
+    append: true
+  become: true

roles/ubuntu/tasks/fira_code_fonts.yml

@@ -0,0 +1,26 @@
+---
+- name: Create fonts directory
+  ansible.builtin.file:
+    path: "{{ ansible_env.HOME }}/.fonts"
+    state: directory
+    mode: "0755"
+
+- name: Download FiraCode Nerd Font zip
+  ansible.builtin.get_url:
+    url: https://github.com/ryanoasis/nerd-fonts/releases/download/v3.3.0/FiraMono.zip
+    dest: "/tmp/FiraMono.zip"
+    mode: "0600"
+
+- name: Extract FiraCode from zip
+  ansible.builtin.unarchive:
+    src: "/tmp/FiraMono.zip"
+    dest: "{{ ansible_env.HOME }}/.fonts"
+    remote_src: true
+
+- name: Remove FiraMono.zip
+  ansible.builtin.file:
+    path: "/tmp/FiraMono.zip"
+    state: absent
+
+- name: Refresh font cache
+  ansible.builtin.shell: fc-cache -fv

roles/ubuntu/tasks/git_deb.yml

@@ -0,0 +1,35 @@
+---
+- name: "Get latest version: {{ project.name }}"
+  ansible.builtin.shell: |
+    set -o pipefail && curl -s "https://api.github.com/repos/{{ project.repo }}/releases/latest" |
+    grep -Po '"tag_name": *"(VeraCrypt_|v)?\K[^"]*'
+  args:
+    executable: /usr/bin/bash
+  register: project_version
+  changed_when: false
+  when: (project.repo | length > 0) and not item.skip
+
+- name: "Set version: {{ project_version }}"
+  ansible.builtin.set_fact:
+    project_version: "{{ project_version.stdout }}"
+  when: (project.repo | length > 0)  and not item.skip
+
+- name: "Download deb: {{ project.name }}"
+  ansible.builtin.get_url:
+    url: "{{ project.url | replace(project_version_placeholder, project_version) }}"
+    dest: "/tmp/{{ project.name }}.deb"
+    mode: "0666"
+  when: not item.skip
+
+- name: Install {{ project.name }}
+  ansible.builtin.apt:
+    deb: "/tmp/{{ project.name }}.deb"
+    state: present
+  become: true
+  when: not item.skip
+
+- name: Remove deb
+  ansible.builtin.file:
+    path: "/tmp/{{ project.name }}.deb"
+    state: absent
+  when: not item.skip

roles/ubuntu/tasks/github_releases.yml

@@ -0,0 +1,43 @@
+---
+- name: "Get latest version: {{ project.name }}"
+  ansible.builtin.shell: |
+    set -o pipefail && curl -s "https://api.github.com/repos/{{ project.repo }}/releases/latest" |
+    grep -Po '"tag_name": *"v?\K[^"]*'
+  args:
+    executable: /usr/bin/bash
+  register: project_version
+  changed_when: false
+
+- name: "Set version: {{ project_version }}"
+  ansible.builtin.set_fact:
+    project_version: "{{ project_version.stdout }}"
+
+- name: "Download: {{ project.name }}"
+  ansible.builtin.get_url:
+    url: "https://github.com/{{ project.repo }}/releases/download/v{{ project_version }}/{{ project.name }}_{{ project_version }}_Linux_x86_64.tar.gz"
+    dest: "/tmp/{{ project.name }}.tar.gz"
+    mode: "0666"
+
+- name: "Extract binary: {{ project.name }}"
+  ansible.builtin.unarchive:
+    src: "/tmp/{{ project.name }}.tar.gz"
+    dest: "/tmp"
+    creates: "/tmp/{{ project.name }}"
+    remote_src: true
+
+- name: "Install: {{ project.name }}"
+  ansible.builtin.copy:
+    src: "/tmp/{{ project.name }}"
+    dest: "/usr/local/bin/{{ project.name }}"
+    mode: "0755"
+  become: true
+
+- name: Remove tar.gz and binary
+  ansible.builtin.file:
+    path: "{{ loop_file_name }}"
+    state: absent
+  loop:
+    - "/tmp/{{ project.name }}.tar.gz"
+    - "/tmp/{{ project.name }}"
+  loop_control:
+    loop_var: loop_file_name

roles/ubuntu/tasks/hashicorp_vagrant.yml

@@ -0,0 +1,45 @@
+---
+- name: Download Hashicorp GPG key
+  ansible.builtin.get_url:
+    url: https://apt.releases.hashicorp.com/gpg
+    dest: /tmp/hashicorp_gpg
+    mode: "0644"
+  register: hashicorp_gpg_download
+
+- name: Dearmor Hashicorp GPG key
+  ansible.builtin.command:
+    cmd: gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg /tmp/hashicorp_gpg
+  args:
+    creates: /usr/share/keyrings/hashicorp-archive-keyring.gpg
+  when: hashicorp_gpg_download.changed
+  become: true
+
+- name: Remove temporary Hashicorp GPG key file
+  ansible.builtin.file:
+    path: /tmp/hashicorp_gpg
+    state: absent
+  when: hashicorp_gpg_download.changed
+
+- name: Add Hashicorp APT repository
+  ansible.builtin.apt_repository:
+    repo: "deb [arch={{ ansible_architecture }} signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{ ansible_lsb.codename }} main"
+    filename: hashicorp
+    state: present
+  vars:
+    ansible_lsb:
+      codename: "{{ ansible_facts['lsb']['codename'] }}"
+    ansible_architecture: "{{ ansible_facts['architecture'] }}"
+  when: hashicorp_gpg_download.changed
+  become: true
+
+- name: Update apt cache after adding Hashicorp repository
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600 # Cache validity in seconds
+  become: true
+
+- name: Install Vagrant
+  ansible.builtin.apt:
+    name: vagrant
+    state: present
+  become: true

roles/ubuntu/tasks/ledger_cli.yml

@@ -0,0 +1,40 @@
+---
+- name: Clone Ledger repository
+  ansible.builtin.git:
+    repo: "{{ ledger_repo }}"
+    dest: "{{ ledger_clone_dir }}"
+    version: master
+    update: true
+  register: git_clone
+  become: true
+
+- name: Run acprep update to configure and build Ledger
+  ansible.builtin.command: ./acprep update
+  args:
+    chdir: "{{ ledger_clone_dir }}"
+  when: git_clone.changed
+  become: true
+
+- name: Move the built ledger binary to /usr/bin
+  ansible.builtin.copy:
+    src: "{{ ledger_clone_dir }}/ledger"
+    dest: "{{ ledger_binary_path }}"
+    mode: "0755"
+    force: true
+  become: true
+
+- name: Ensure the ledger binary is executable
+  ansible.builtin.file:
+    path: "{{ ledger_binary_path }}"
+    mode: "0755"
+    state: file
+  become: true
+
+- name: Verify Ledger installation
+  ansible.builtin.command: ledger --version
+  register: ledger_version
+  changed_when: false
+
+- name: Display Ledger version
+  ansible.builtin.debug:
+    msg: "Ledger version installed: {{ ledger_version.stdout }}"

roles/ubuntu/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+- name: Install apt packages
+  ansible.builtin.import_tasks: apt.yml
+- name: Install snap packages
+  ansible.builtin.import_tasks: snap.yml
+- name: Curl Installations
+  ansible.builtin.import_tasks: curl.yml
+- name: Github .deb installations
+  ansible.builtin.include_tasks: git_deb.yml
+  vars:
+    project: "{{ item }}"
+  loop: "{{ github_deb }}"
+- name: "Install {{ item }}"
+  ansible.builtin.include_tasks: github_releases.yml
+  vars:
+    project: "{{ item }}"
+  loop: "{{ github_releases }}"
+- name: Install nvim
+  ansible.builtin.import_tasks: nvim.yml
+- name: Install Rust
+  ansible.builtin.import_tasks: rust.yml
+- name: Install ledger
+  ansible.builtin.import_tasks: ledger_cli.yml
+- name: Install FiraCode
+  ansible.builtin.import_tasks: fira_code_fonts.yml
+- name: Remove Ubuntu Pro Banner
+  ansible.builtin.import_tasks: remove_ubuntu_banner.yml
+- name: Install ProtonVPN
+  ansible.builtin.import_tasks: protonvpn.yml
+- name: Install Docker
+  ansible.builtin.import_tasks: docker.yml
+- name: Install Vagrant
+  ansible.builtin.import_tasks: hashicorp_vagrant.yml