proxmox #2

Merged
tudattr merged 8 commits from proxmox into main 2025-04-27 08:30:48 +02:00
67 changed files with 1503 additions and 731 deletions


@@ -1,9 +1,12 @@
[defaults] [defaults]
# (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backwards-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present.
interpreter_python=python3
# (pathspec) Colon separated paths in which Ansible will search for Roles. # (pathspec) Colon separated paths in which Ansible will search for Roles.
roles_path=./roles roles_path=./roles
# (pathlist) Comma separated list of Ansible inventory sources # (pathlist) Comma separated list of Ansible inventory sources
inventory=./inventory/production inventory=./production.ini
# (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id # (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
# If executable, it will be run and the resulting stdout will be used as the password. # If executable, it will be run and the resulting stdout will be used as the password.


@@ -1,56 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
34623331393561623539666362643966336661326136363431666465356535343663376236663066 65646664663537386235383334613536393336623332363437376337323235636335363165366632
3235363061633666626133313363373336656438633566630a383230393161323862303863656464 3433623633393731373932306433643663333133393734370a353261353164353335356264643234
61633861323966343263363466343130306635343539326464363637383139343033656130336464 65376132336534306465376435303764616136646633303166336136373263346436353235343065
3163373535613961340a643335626165306663363063656339653862393533633534366331336231 6238353863333239330a303131623262353563323864323536313036356237653936326361366565
63393432383731633463323164333831313535373261336166326237306230326465616239306536 62616566396266363535653062636537383061363438303138333237643939323162336465326363
37663863663161393130373835373062393866633864373465333937633838303130386334356566 64323830393839386233303634326562386537373766646461376238663963376463623130303363
64303663303862623038646235303934376230393538353466393232363764366339616633343433 65366638666132393538336361663639303831333232336632616338396539353565663239373265
65343730663864393766313134653335396562646135306637613031333461613965666465376532 38323036343733303131383439323738623263383736303935636339303564343662633437626233
32643261626665396338313836633337383932616265613662383132303539623239623965333966 33303564373963646465306137346161656166366266663766356362636362643430393232646635
66333638643635313262616434396164313833303065303662303736303232346535613834643435 38363764386538613166306464336532623464343565396431643738353434313838633763663861
32316434343231363662393163353832393166643739396165313631363539663439316133616361 35616365383831643434316436313035366131663131373064663464393031623132366137303333
61623830613035396333303363383332653736666231343763353666356539633433373066613330 62333561373465323664303539353966663763613365373633373761343966656166363265313134
65656631343764323234333161636632616130353139626362343361386535313336666566636464 6163
35323434656439346262336335383366626565333765343562633236636132636532333761663535
31383565313436633438633336306430343733663539666631386532313836623166356332626664
39653762353265643861633237326662383466373539633732323833376238383963393837636466
66656631666131623166393731643537393161303636353932653062363137376334356238643064
34303666656638396263336639636135393536623037666137653132633264316431656438386432
34333632616265343435306365373039653036353337633563393739653632656163316636363336
32346638393364353634386231616639386164326531353134366639653837653236333030666139
64656334336231636337656233383834343763393738643362626665333362353335656131653165
35376330336433383262653039643131313437643265343663626363373439643932643063646439
37663630363839643263373630646430386536346132383564396463376361343661346661333636
39643961643031626462363537633263393838363262626439313838313039373035373634633462
38363938343932626131343966616638323632303636383034383536616164393539343635666166
39383434313863356434383961383139623436636230323866396366326665623863336438623335
33346634303639643131333933363838666336306438646335343931366437326462376438663837
34353938343837663930356464373332356530643231653166616331376335643832316365303164
32393062313638393936393863613731363233376537323834623164613231393133353635623866
35626337336562653265613730363961633662653331663966333430343462666535306133663835
64663539303765366331613666653632313233626231313264346332323266653230323332373836
33303564633464333064613431383230383535633362373839323334353162623433646230393838
33306162613739393338373361616634396636313765326465393332396537613263383339626666
63613162616363363138323965373966353366323463313934356530663931653565656164346363
37633862366436623030303233396639393434336438623433383530393836626164353064366432
35303532393437316162346366346636633135383938323631316563323935383561326335323438
30613266643232656138663431666162663330643133643263343237663565323231316239633037
39323732386236396136633539383335646634306139643533666636633131623566333137376236
39616134306463613864353135313636343365643437323465643862303137663937376233306261
31383862356535646563383438396363323838613237623034656561396163376433663262366137
63323562346633303162666530616534386539383238366139376263326265343138373139393432
35643335363139373139666230626363386232316536306431653964376333366235303763336135
65623231336638643034373932376263636336653561646664366138643031316438316465353363
38386539363631393433313664323135646562313537376236653635303263633230383866653039
66636534336234363438363139366531653237323137613961383831376665626365393462363834
36333965366463636233643433616431376436323535396238363933326363333661326462353161
66626435373938633832393662313161663336613862343332643766333633653866316464653735
31356135363662633961386264613836323435323836386635336338353663333137336666323531
36663731336664633763633634613136663866363530613264356431326539316530326161313362
62616539356537353261343464356334636134396664353463623163313765633432653932346136
32326239373333643461333733646264353238356134613037663836643131316664653539643839
30613235623933356565336630323939633266613164306262386666363137666661666131613962
61623930663536646462343264336535353634373833316537613839396566376466653736333830
33376663613063326230346439626237373232656665633832373364653931663361666432303166
663564323132383864336332363139393534


@@ -0,0 +1,526 @@
docker:
url: "https://download.docker.com/linux"
apt_release_channel: "stable"
directories:
local: "/opt/local/"
config: "/opt/docker/config/"
compose: "/opt/docker/compose/"
services:
- name: syncthing
vm:
- docker-host00
container_name: syncthing
image: syncthing/syncthing:1.29
volumes:
- name: "Data"
internal: /var/syncthing/
external: /media/docker/data/syncthing/
ports:
- name: "http"
internal: 8384
external: "{{ services_external_http.syncthing }}"
- name: ""
internal: 22000
external: 22000
- name: ""
internal: 22000
external: 22000
- name: ""
internal: 21027
external: 21027
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: status
vm:
- docker-host00
container_name: kuma
image: louislam/uptime-kuma:1.23.16
volumes:
- name: "Data"
internal: /app/data
external: "{{ docker.directories.local }}/kuma/"
ports:
- name: "http"
internal: 3001
external: "{{ services_external_http.kuma }}"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: plex
vm:
- docker-host00
container_name: plex
image: lscr.io/linuxserver/plex:1.41.5
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.local }}/plex/config/"
- name: "TV Series"
internal: /tv:ro
external: /media/series
- name: "Movies"
internal: /movies:ro
external: /media/movies
- name: "Music"
internal: /music:ro
external: /media/songs
devices:
- name: "Graphics Card"
internal: /dev/dri
external: /dev/dri
ports:
- name: "http"
internal: 32400
external: "{{ services_external_http.plex }}"
- name: ""
internal: 1900
external: 1900
- name: ""
internal: 3005
external: 3005
- name: ""
internal: 5353
external: 5353
- name: ""
internal: 32410
external: 32410
- name: ""
internal: 8324
external: 8324
- name: ""
internal: 32412
external: 32412
- name: ""
internal: 32469
external: 32469
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- VERSION=docker
- name: jellyfin
vm:
- docker-host01
container_name: jellyfin
image: jellyfin/jellyfin:10.10
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.local }}/jellyfin/config"
- name: "Cache"
internal: /cache
external: "{{ docker.directories.config }}/jellyfin/cache"
- name: "Tv Series"
internal: /tv:ro
external: /media/series
- name: "Music"
internal: /movies:ro
external: /media/movies
- name: "Music"
internal: /music:ro
external: /media/songs
devices:
- name: "Graphics Card"
internal: /dev/dri
external: /dev/dri
ports:
- name: "http"
internal: 8096
external: "{{ services_external_http.jellyfin }}"
environment:
- name: hass
vm:
- docker-host01
container_name: homeassistant
image: "ghcr.io/home-assistant/home-assistant:stable"
privileged: true
volumes:
- name: "Configuration"
internal: /config/
external: "{{ docker.directories.local }}/home-assistant/config/"
- name: "Local Time"
internal: /etc/localtime:ro
external: /etc/localtime
ports:
- name: "http"
internal: 8123
external: "{{ services_external_http.hass }}"
- name: ""
internal: 4357
external: 4357
- name: ""
internal: 5683
external: 5683
- name: ""
internal: 5683
external: 5683
- name: ddns
vm:
- docker-host00
container_name: ddns-updater
image: qmcgaw/ddns-updater:2
volumes:
- name: "Configuration"
internal: /updater/data/"
external: "{{ docker.directories.config }}/ddns-updater/data/"
ports:
- name: "http"
internal: 8000
external: "{{ services_external_http.ddns }}"
- name: sonarr
vm:
- docker-host00
container_name: sonarr
image: linuxserver/sonarr:4.0.14
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.local }}/sonarr/config"
- name: "Tv Series"
internal: /tv
external: /media/series
- name: "Torrent Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads/sonarr
ports:
- name: "http"
internal: 8989
external: "{{ services_external_http.sonarr }}"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: radarr
vm:
- docker-host00
container_name: radarr
image: linuxserver/radarr:5.21.1
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.local }}/radarr/config"
- name: "Movies"
internal: /movies
external: /media/movies
- name: "Torrent Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads/radarr
ports:
- name: "http"
internal: 7878
external: "{{ services_external_http.radarr }}"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: lidarr
vm:
- docker-host00
container_name: lidarr
image: linuxserver/lidarr:2.10.3
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.local }}/lidarr/config"
- name: "Music"
internal: /music
external: /media/songs
- name: "Torrent Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads/lidarr
ports:
- name: "http"
internal: 8686
external: "{{ services_external_http.lidarr }}"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: prowlarr
vm:
- docker-host00
container_name: prowlarr
image: linuxserver/prowlarr:1.32.2
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.local }}/prowlarr/config"
ports:
- name: "http"
internal: 9696
external: "{{ services_external_http.prowlarr }}"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: paperless
vm:
- docker-host00
container_name: paperless
image: ghcr.io/paperless-ngx/paperless-ngx:2.14
depends_on:
- paperless-postgres
- paperless-redis
volumes:
- name: "Configuration"
internal: /usr/src/paperless/data
external: "{{ docker.directories.local }}/paperless/data/data"
- name: "Media"
internal: /usr/src/paperless/media
external: "{{ docker.directories.local }}/paperless/data/media"
- name: "Document Export"
internal: /usr/src/paperless/export
external: "{{ docker.directories.local }}/paperless/data/export"
- name: "Document Consume"
internal: /usr/src/paperless/consume
external: "{{ docker.directories.local }}/paperless/data/consume"
environment:
- "PAPERLESS_REDIS=redis://paperless-redis:6379"
- "PAPERLESS_DBHOST=paperless-postgres"
- "PAPERLESS_DBUSER=paperless"
- "PAPERLESS_DBPASS={{ vault.docker.paperless.dbpass }}"
- "USERMAP_UID=1000"
- "USERMAP_GID=1000"
- "PAPERLESS_URL=https://paperless.{{ domain }}"
- "PAPERLESS_TIME_ZONE=Europe/Berlin"
- "PAPERLESS_OCR_LANGUAGE=deu"
ports:
- name: "http"
internal: 8000
external: "{{ services_external_http.paperless }}"
sub_service:
- name: postgres
version: 15
username: paperless
password: "{{ vault.docker.paperless.dbpass }}"
- name: redis
version: 7
- name: pdf
vm:
- docker-host00
container_name: stirling
image: frooodle/s-pdf:0.45.0
ports:
- name: "http"
internal: 8080
external: "{{ services_external_http.pdf }}"
- name: git
vm:
- docker-host01
container_name: gitea
image: gitea/gitea:1.23-rootless
volumes:
- name: "Configuration"
internal: /etc/gitea
external: "{{ docker.directories.local }}/gitea/config"
- name: "Data"
internal: /var/lib/gitea
external: "{{ docker.directories.local }}/gitea/data"
- name: "Time Zone"
internal: /etc/timezone:ro
external: /etc/timezone
- name: "Local Time"
internal: /etc/localtime:ro
external: /etc/localtime
ports:
- name: "http"
internal: 3000
external: "{{ services_external_http.git }}"
- name: "ssh"
internal: 2222
external: 2222
environment:
- USER_UID=1000
- USER_GID=1000
- name: changedetection
vm:
- docker-host00
container_name: changedetection
image: dgtlmoon/changedetection.io:0.49
volumes:
- name: "Data"
internal: /datastore
external: "{{ docker.directories.config }}/changedetection/data/"
ports:
- name: "http"
internal: 5000
external: "{{ services_external_http.changedetection }}"
- name: gluetun
vm:
- docker-host00
container_name: gluetun
image: qmcgaw/gluetun:v3.40
cap_add:
- NET_ADMIN
devices:
- name: "Tunnel"
internal: /dev/net/tun
external: /dev/net/tun
volumes:
- name: "Configuration"
internal: /gluetun
external: "{{ docker.directories.config }}/gluetun/config"
ports:
- name: "Qbit Client"
internal: 8082
external: 8082
- name: "Torrentleech Client"
internal: 8083
external: 8083
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- VPN_SERVICE_PROVIDER=protonvpn
- UPDATER_VPN_SERVICE_PROVIDERS=protonvpn
- UPDATER_PERIOD=24h
- "SERVER_COUNTRIES={{ vault.docker.proton.country }}"
- "OPENVPN_USER={{ vault.docker.proton.openvpn_user }}"
- "OPENVPN_PASSWORD={{ vault.docker.proton.openvpn_password }}"
- name: torrentleech
vm:
- docker-host00
container_name: torrentleech
image: qbittorrentofficial/qbittorrent-nox
depends_on:
- gluetun
network_mode: "container:gluetun"
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.config }}/torrentleech/config"
- name: "Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads
ports:
- name: "http"
internal: proxy_only
external: 8083
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- QBT_EULA="accept"
- QBT_WEBUI_PORT="8083"
- name: qbit
vm:
- docker-host00
container_name: qbit
image: qbittorrentofficial/qbittorrent-nox:5.0.4-1
depends_on:
- gluetun
network_mode: "container:gluetun"
volumes:
- name: "Configuration"
internal: /config
external: "{{ docker.directories.config }}/qbit/config"
- name: "Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads
ports:
- name: "http"
internal: proxy_only
external: 8082
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- QBT_EULA="accept"
- QBT_WEBUI_PORT="8082"
- name: cadvisor
vm:
- docker-host00
- docker-host01
container_name: cadvisor
image: gcr.io/cadvisor/cadvisor:v0.52.1
ports:
- name: ""
internal: 8080
external: 8081
volumes:
- name: "Root"
internal: /rootfs:ro
external: /
- name: "Run"
internal: /var/run:rw
external: /var/run
- name: "System"
internal: /sys:ro
external: /sys
- name: "Docker"
internal: /var/lib/docker:ro
external: /var/lib/docker
- name: karakeep
vm:
- docker-host01
container_name: karakeep
image: ghcr.io/karakeep-app/karakeep:0.23.2
ports:
- name: "http"
internal: 3000
external: "{{ services_external_http.karakeep }}"
volumes:
- name: "Data"
internal: /data
external: "{{ docker.directories.local }}/karakeep/config"
environment:
- MEILI_ADDR=http://karakeep-meilisearch:7700
- BROWSER_WEB_URL=http://karakeep-chrome:9222
- NEXTAUTH_SECRET={{ vault.docker.karakeep.nextauth_secret }}
- MEILI_MASTER_KEY={{ vault.docker.karakeep.meili_master_key }}
- NEXTAUTH_URL=https://karakeep.tudattr.dev/
- OPENAI_API_KEY={{ vault.docker.karakeep.openai_key }}
- DATA_DIR=/data
- DISABLE_SIGNUPS=true
sub_service:
- name: meilisearch
version: v1.11.1
nextauth_secret: "{{ vault.docker.karakeep.nextauth_secret }}"
meili_master_key: "{{ vault.docker.karakeep.meili_master_key }}"
openai_key: "{{ vault.docker.karakeep.openai_key }}"
- name: chrome
version: 123
- name: keycloak
vm:
- docker-host01
container_name: keycloak
image: quay.io/keycloak/keycloak:26.2
depends_on:
- keycloak-postgres
ports:
- name: "http"
internal: 8080
external: "{{ services_external_http.keycloak }}"
volumes:
- name: "config"
internal: /opt/keycloak/data/import/homelab-realm.json
external: "{{ docker.directories.local }}/keycloak/homelab-realm.json"
- name: "config"
internal: /opt/keycloak/data/import/master-realm.json
external: "{{ docker.directories.local }}/keycloak/master-realm.json"
command:
- "start"
- "--import-realm"
environment:
- KC_DB=postgres
- KC_DB_URL=jdbc:postgresql://keycloak-postgres:5432/keycloak
- KC_DB_USERNAME={{ keycloak_config.database.username }}
- KC_DB_PASSWORD={{ keycloak_config.database.password }}
- KC_HOSTNAME=keycloak.{{ internal_domain }}
- KC_HTTP_ENABLED=true
- KC_HTTP_RELATIVE_PATH=/
- KC_PROXY=edge
- KC_PROXY_HEADERS=xforwarded
- KC_HOSTNAME_URL=https://keycloak.{{ internal_domain }}
- KC_HOSTNAME_ADMIN_URL=https://keycloak.{{ internal_domain }}
- KC_BOOTSTRAP_ADMIN_USERNAME=serviceadmin-{{ keycloak_admin_hash }}
- KC_BOOTSTRAP_ADMIN_PASSWORD={{ vault.docker.keycloak.admin.password }}
sub_service:
- name: postgres
version: 17
username: "{{ keycloak_config.database.username }}"
password: "{{ keycloak_config.database.password }}"
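Review bot: The cadvisor entry mounts the host's `/var/run` read-write (`internal: /var/run:rw`), which hands the container a writable Docker socket and therefore root-equivalent control of both docker-host00 and docker-host01, while cAdvisor only needs to read it; change it to `internal: /var/run:ro`, and note that its metrics port 8081 is published with nothing authenticating in front of it. The `torrentleech` service is the one image left unpinned (`image: qbittorrentofficial/qbittorrent-nox`) although the commit pins every other image, including the identical `qbit` service at `5.0.4-1`; pinning it to the same tag keeps the two in lockstep and avoids a silent upgrade on the next pull. Keycloak is configured to trust forwarded headers (`KC_PROXY_HEADERS=xforwarded`, `KC_HTTP_ENABLED=true`) and its plain-HTTP port is published on the host; if the compose template (not in this PR) binds it to all interfaces, any LAN client can reach it directly and supply its own X-Forwarded-* headers, so bind the published port to loopback or restrict trust with `KC_PROXY_TRUSTED_ADDRESSES`. The stray quote in the ddns volume path `internal: /updater/data/"` is carried over from the old file and should be dropped.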


@@ -0,0 +1,61 @@
keycloak_admin_hash: "{{ vault.docker.keycloak.admin.hash }}"
keycloak_realms: "{{ keycloak_config.realms }}"
keycloak_config:
database:
db_name: keycloak
username: keycloak
password: "{{ vault.docker.keycloak.database.password }}"
realms:
- realm: homelab
display_name: "Homelab Realm"
users:
- username: tudattr
password: "{{ vault.docker.keycloak.user.password }}"
realm_roles:
- offline_access
- uma_authorization
client_roles:
account:
- view-profile
- manage-account
admin:
username: "serviceadmin-{{ keycloak_admin_hash }}"
password: "{{ vault.docker.keycloak.admin.password }}"
realm_roles:
- offline_access
- uma_authorization
- admin
client_roles:
realm_management:
- realm-admin
account:
- view-profile
- manage-account
roles:
realm:
- name: admin
description: "Administrator role for the homelab realm"
default_roles:
- offline_access
- uma_authorization
- realm: master
display_name: "master"
admin:
username: "serviceadmin-{{ keycloak_admin_hash }}"
password: "{{ vault.docker.keycloak.admin.password }}"
realm_roles:
- offline_access
- uma_authorization
- create-realm
- admin
client_roles:
realm_management:
- realm-admin
account:
- view-profile
- manage-account
roles:
realm: []
default_roles: []
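Review bot: The same vault secret `vault.docker.keycloak.admin.password` is used for the master-realm admin (`admin.password` under `realm: master`), the homelab-realm `admin` user and, in the services file, `KC_BOOTSTRAP_ADMIN_PASSWORD`, so one leaked credential unlocks every realm; give each account its own vault entry, e.g. `password: "{{ vault.docker.keycloak.homelab_admin.password }}"` for the homelab realm. Keycloak's bootstrap admin is intended as a temporary account to be deleted once a permanent master-realm admin exists; nothing in this file shows that removal, so a step that deletes it after the realm import, or a comment stating where that happens, would be useful. The homelab admin is granted both the built-in `realm-admin` client role on `realm_management` and a custom realm role named `admin`; since `realm-admin` already confers full realm management, a one-line comment above the `roles:` block stating what the custom `admin` role is for would help a reader tell the two apart.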


@@ -0,0 +1,19 @@
services_external_http:
syncthing: 8384
kuma: 3001
plex: 32400
jellyfin: 8096
hass: 8123
ddns: 8001
sonarr: 8989
radarr: 7878
lidarr: 8686
prowlarr: 9696
paperless: 8000
pdf: 8080
git: 3000
changedetection: 5000
torrentleech: 8083
qbit: 8082
karakeep: 3002
keycloak: 3003
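Review bot: The `torrentleech: 8083` and `qbit: 8082` entries appear unused — the services file in this PR publishes those ports as literals on the `gluetun` container and marks the two qBittorrent services `proxy_only` — while cadvisor's `8081` is hard-coded there and missing here, so the map is neither complete nor the single source of truth for what is exposed on the host. Either reference `services_external_http.qbit` and `services_external_http.torrentleech` from the gluetun port entries and add `cadvisor: 8081`, or drop the unused keys. A header comment such as `# host ports published for each service; anything not listed here must not be reachable from outside the container network` would then document the intent and make drift easy to spot.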


@@ -0,0 +1,56 @@
$ANSIBLE_VAULT;1.1;AES256
32623863646365383136636631383936353032333935623162386465643139663835303063666138
3336626338376466386265663737383062653236383430310a633138323038626134636362616166
37383831323239366338333038326665643932643237656265316361323466376636373662343761
6234366130373535330a343432663638393566613963303530653937613139366330653933376137
65356265306139326361336632323332663135373735626539376565313466323236323862623531
65623932633936666338653164646661373937376133333937336434613264393637363065353462
31376333336433643432626531373731656238336431376630653832363437646665353333313764
63656565326636383537373736303933636264633939323262656363346639376439383632386530
64373230623135316634323565623736386263613630383038643636323965326464333533333136
30346132616237356662626462363266376261333434663634353330613137626538376433333235
63346434386538663335333262386536663330653835343335323636363233333135626434356131
61346465643231646338346435396662323834373634613834393231326531666637636566316434
66663737643037336332313338663739653939333866383835663835386165373664623433623237
35353734616431666561656231336463336234656362623265356361626161383136653064616664
35623638653935643465646538653931643935313638366133343233616565623433376435323739
31376236626131623765303761396666346330633734373137366366336265663361613337366236
35356239373361666337663661333834623039323639373131363638393435303161636336316639
35376231366162626536396130666631323337313034363066303737613764336232383235613764
66356530333733363030396633626438326134356535653538363561643837303462653732376462
64663034653135386364643434653162343338343437323062396565643466643264653165393064
32333561303035626463363461303866316465323966636166376432616532353438656633346363
62656464303165646463336636386630333561373537386330663531616466643164623865393233
66356337633238316235636632626234313938386338363164613231336434396566666666616538
32396235383930306362343466656535393036303931663063626465373831636134346237346530
64396464323538333433636461303231306538373861393932636336313061383032323662633432
39376265353734333339313266353964383830373665373234633236613830636432326636353933
65656238393438633862366363366665643364313534623833656634393035336634663837656661
33643338393330376464356232633638303732626336383936626662313430303338373438653865
62613765626332396636636433623364386135316265643163326534646138663930306363353737
33353537396135386637313132393365616638323330313966323461383666326664303231353734
34336663333865346538386663316638306239343832616231323730393363353933393365653830
31393933313963396236653234383564376264616332373230663961313638343933336261646435
35386437336130376139646563383137666466356361386366323735346130613866313330306631
62383566363832333633653564313936363564346166663931653831616634633135353565306464
64613863343766613764623461633335643137363065643864313337653665346230363331626434
30306235343661393336656434666637623930333038393865653865643836613235366562386232
39653336633034646233353633323135336639653062356233643131346666376664356262343938
32396335356532323231646330383734666435666164643731323634326134393732316131353836
65633631326133663633376361373631653739613633313161313935323066643530356337613835
64316431653437653163626234386164303465353731616530623863323937343565666339323639
31343562373433303535626465333936373433323834363965323732336535333565616231316235
39663431356633326466393862383133313030656431333839396333326461323130366533306139
31316338323333356334623332663166323035373864313739363335356162633937613164373637
62643538323066363734353136323537613263306138613761643865383062343934313666316530
65666166303263643163633666323861633765626438343739613164386333316335323963326334
31663433653534383866666639353036616565363230626136626330303061623936363531333139
65376333616331316637633461623836663965633462383830633165376631356631396564323330
66346561613133353438653365333361643166393535393466373330316136376263643163666139
64656233326333656438613235303937653363323761636666373633623938656134366262323931
35323133373163393964323962346433366434623636383133323535363632363465663862306439
33633564643030306638343430313831376333613363643839303330343338393964623038343165
39346233303864393537316531396333356363373565626530633237653337393434653034633263
32386431613462363430623761333961393834353664626238653063336536653531626266613463
30623438313430663165303064336532613637613566623864643730633232353538336131666566
366331336161363266613532653336343131


@@ -1,548 +1,4 @@
docker:
url: "https://download.docker.com/linux"
apt_release_channel: "stable"
directories:
opt: "/opt/docker/"
compose: "/opt/docker/compose"
caddy: caddy:
admin_email: me+acme@tudattr.dev admin_email: me+acme@tudattr.dev
domain: "seyshiro.de" domain: "seyshiro.de"
services:
- name: syncthing
vm:
- docker-host00
container_name: syncthing
image: syncthing/syncthing
restart: unless-stopped
volumes:
- name: "Data"
internal: /var/syncthing/
external: /media/docker/data/syncthing/
ports:
- name: "http"
internal: 8384
external: 8384
- name: ""
internal: 22000
external: 22000
- name: ""
internal: 22000
external: 22000
- name: ""
internal: 21027
external: 21027
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: status
vm:
- docker-host00
container_name: kuma
image: louislam/uptime-kuma:1
restart: unless-stopped
volumes:
- name: "Data"
internal: /app/data
external: /opt/local/kuma/
ports:
- name: "http"
internal: 3001
external: 3001
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: plex
vm:
- docker-host00
container_name: plex
image: lscr.io/linuxserver/plex:latest
restart: unless-stopped
volumes:
- name: "Configuration"
internal: /config
external: /opt/local/plex/config/
- name: "TV Series"
internal: /tv:ro
external: /media/series
- name: "Movies"
internal: /movies:ro
external: /media/movies
- name: "Music"
internal: /music:ro
external: /media/songs
devices:
- name: "Graphics Card"
internal: /dev/dri
external: /dev/dri
ports:
- name: "http"
internal: 32400
external: 32400
- name: ""
internal: 1900
external: 1900
- name: ""
internal: 3005
external: 3005
- name: ""
internal: 5353
external: 5353
- name: ""
internal: 32410
external: 32410
- name: ""
internal: 8324
external: 8324
- name: ""
internal: 32412
external: 32412
- name: ""
internal: 32469
external: 32469
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- VERSION=docker
- name: jellyfin
vm:
- docker-host02
container_name: jellyfin
image: jellyfin/jellyfin
restart: "unless-stopped"
volumes:
- name: "Configuration"
internal: /config
external: /opt/local/jellyfin/config
- name: "Cache"
internal: /cache
external: /opt/docker/config/jellyfin/cache
- name: "Tv Series"
internal: /tv:ro
external: /media/series
- name: "Music"
internal: /movies:ro
external: /media/movies
- name: "Music"
internal: /music:ro
external: /media/songs
devices:
- name: "Graphics Card"
internal: /dev/dri
external: /dev/dri
ports:
- name: "http"
internal: 8096
external: 8096
environment:
- name: hass
vm:
- docker-host02
container_name: homeassistant
image: "ghcr.io/home-assistant/home-assistant:stable"
restart: unless-stopped
privileged: true
volumes:
- name: "Configuration"
internal: /config/
external: /opt/local/home-assistant/config/
- name: "Local Time"
internal: /etc/localtime:ro
external: /etc/localtime
ports:
- name: "http"
internal: 8123
external: 8123
- name: ""
internal: 4357
external: 4357
- name: ""
internal: 5683
external: 5683
- name: ""
internal: 5683
external: 5683
- name: ddns
vm:
- docker-host00
container_name: ddns-updater
image: ghcr.io/qdm12/ddns-updater
restart: unless-stopped
volumes:
- name: "Configuration"
internal: /updater/data/"
external: /opt/docker/config/ddns-updater/data/
ports:
- name: "http"
internal: 8000
external: 8001
- name: sonarr
vm:
- docker-host00
container_name: sonarr
image: lscr.io/linuxserver/sonarr:latest
restart: unless-stopped
volumes:
- name: "Configuration"
internal: /config
external: /opt/local/sonarr/config
- name: "Tv Series"
internal: /tv
external: /media/series
- name: "Torrent Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads/sonarr
ports:
- name: "http"
internal: 8989
external: 8989
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: radarr
vm:
- docker-host00
container_name: radarr
image: lscr.io/linuxserver/radarr:latest
restart: unless-stopped
volumes:
- name: "Configuration"
internal: /config
external: /opt/local/radarr/config
- name: "Movies"
internal: /movies
external: /media/movies
- name: "Torrent Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads/radarr
ports:
- name: "http"
internal: 7878
external: 7878
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: lidarr
vm:
- docker-host00
container_name: lidarr
image: lscr.io/linuxserver/lidarr:latest
restart: unless-stopped
volumes:
- name: "Configuration"
internal: /config
external: /opt/local/lidarr/config
- name: "Music"
internal: /music
external: /media/songs
- name: "Torrent Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads/lidarr
ports:
- name: "http"
internal: 8686
external: 8686
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: prowlarr
vm:
- docker-host00
container_name: prowlarr
image: lscr.io/linuxserver/prowlarr:latest
restart: unless-stopped
volumes:
- name: "Configuration"
internal: /config
external: /opt/local/prowlarr/config
ports:
- name: "http"
internal: 9696
external: 9696
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- name: paperless
vm:
- docker-host00
container_name: paperless
image: ghcr.io/paperless-ngx/paperless-ngx:latest
restart: unless-stopped
depends_on:
- paperless-postgres
- paperless-broker
volumes:
- name: "Configuration"
internal: /usr/src/paperless/data
external: /opt/local/paperless/data/data
- name: "Media"
internal: /usr/src/paperless/media
external: /opt/local/paperless/data/media
- name: "Document Export"
internal: /usr/src/paperless/export
external: /opt/local/paperless/data/export
- name: "Document Consume"
internal: /usr/src/paperless/consume
external: /opt/local/paperless/data/consume
environment:
- "PAPERLESS_REDIS=redis://paperless-broker:6379"
- "PAPERLESS_DBHOST=paperless-postgres"
- "PAPERLESS_DBUSER=paperless"
- "PAPERLESS_DBPASS={{ vault.docker.paperless.dbpass }}"
- "USERMAP_UID=1000"
- "USERMAP_GID=1000"
- "PAPERLESS_URL=https://paperless.{{ domain }}"
- "PAPERLESS_TIME_ZONE=Europe/Berlin"
- "PAPERLESS_OCR_LANGUAGE=deu"
ports:
- name: "http"
internal: 8000
external: 8000
- name: pdf
vm:
- docker-host00
container_name: stirling
image: frooodle/s-pdf:latest
restart: unless-stopped
ports:
- name: "http"
internal: 8080
external: 8080
- name: git
vm:
- docker-host02
container_name: gitea
image: gitea/gitea:1.23.1-rootless
restart: unless-stopped
volumes:
- name: "Configuration"
internal: /etc/gitea
external: /opt/local/gitea/config
- name: "Data"
internal: /var/lib/gitea
external: /opt/local/gitea/data
- name: "Time Zone"
internal: /etc/timezone:ro
external: /etc/timezone
- name: "Local Time"
internal: /etc/localtime:ro
external: /etc/localtime
ports:
- name: "http"
internal: 3000
external: 3000
- name: "ssh"
internal: 2222
external: 2222
environment:
- USER_UID=1000
- USER_GID=1000
- name: changedetection
vm:
- docker-host00
container_name: changedetection
image: dgtlmoon/changedetection.io
restart: unless-stopped
volumes:
- name: "Data"
internal: /datastore
external: /opt/docker/config/changedetection/data/
ports:
- name: "http"
internal: 5000
external: 5000
- name: gluetun
vm:
- docker-host00
container_name: gluetun
image: qmcgaw/gluetun
restart: unless-stopped
cap_add:
- NET_ADMIN
devices:
- name: "Tunnel"
internal: /dev/net/tun
external: /dev/net/tun
volumes:
- name: "Configuration"
internal: /gluetun
external: /opt/docker/config/gluetun/config
ports:
- name: "Qbit Client"
internal: 8082
external: 8082
- name: "Torrentleech Client"
internal: 8083
external: 8083
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- VPN_SERVICE_PROVIDER=protonvpn
- UPDATER_VPN_SERVICE_PROVIDERS=protonvpn
- UPDATER_PERIOD=24h
- "SERVER_COUNTRIES={{ vault.docker.proton.country }}"
- "OPENVPN_USER={{ vault.docker.proton.openvpn_user }}"
- "OPENVPN_PASSWORD={{ vault.docker.proton.openvpn_password }}"
- name: torrentleech
vm:
- docker-host00
container_name: torrentleech
image: qbittorrentofficial/qbittorrent-nox
restart: unless-stopped
depends_on:
- gluetun
network_mode: "container:gluetun"
volumes:
- name: "Configuration"
internal: /config
external: /opt/docker/config/torrentleech/config
- name: "Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads
ports:
- name: "http"
internal: proxy_only
external: 8083
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- QBT_EULA="accept"
- QBT_WEBUI_PORT="8083"
- name: qbit
vm:
- docker-host00
container_name: qbit
image: qbittorrentofficial/qbittorrent-nox
restart: unless-stopped
depends_on:
- gluetun
network_mode: "container:gluetun"
volumes:
- name: "Configuration"
internal: /config
external: /opt/docker/config/qbit/config
- name: "Downloads"
internal: /downloads
external: /media/docker/data/arr_downloads
ports:
- name: "http"
internal: proxy_only
external: 8082
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- QBT_EULA="accept"
- QBT_WEBUI_PORT="8082"
- name: cadvisor
vm:
- docker-host00
- docker-host01
- docker-host02
container_name: cadvisor
image: gcr.io/cadvisor/cadvisor:latest
restart: unless-stopped
ports:
- name: ""
internal: 8080
external: 8081
volumes:
- name: "Root"
internal: /rootfs:ro
external: /
- name: "Run"
internal: /var/run:rw
external: /var/run
- name: "System"
internal: /sys:ro
external: /sys
- name: "Docker"
internal: /var/lib/docker:ro
external: /var/lib/docker
# - name: template
# vm:
# -
# container_name:
# image:
# restart:
# volumes:
# - name:
# internal:
# external:
# ports:
# - name:
# internal:
# external:
# environment:
# -
# - name: calibre
# vm:
# - docker-host00
# container_name: calibre
# image: lscr.io/linuxserver/calibre-web:latest
# restart: unless-stopped
# volumes:
# - name: "Configuration"
# internal: /config"
# external: /opt/local/calibre/
# - name: "Books"
# internal: /books"
# external: /media/docker/data/calibre/
# ports:
# - name: "http"
# internal: 5000
# external: 5000
# environment:
# - PUID=1000
# - PGID=1000
# - TZ=Europe/Berlin
# - DOCKER_MODS=linuxserver/mods:universal-calibre
# - name: grafana
# vm:
# container_name: grafana
# image: grafana/grafana-oss
# restart: unless-stopped
# volumes:
# - name: "Configuration"
# internal: /etc/grafana/
# external: /opt/docker/config/grafana/config/
# - name: "Data"
# internal: /var/lib/grafana/
# external: /media/docker/data/grafana/
# ports:
# environment:
# - PUID=472
# - PGID=472
# - TZ=Europe/Berlin
# - name: prometheus
# vm:
# - docker-host00
# container_name: prometheus
# image: prom/prometheus
# restart: unless-stopped
# volumes:
# - name: "Configuration"
# internal: /etc/prometheus/
# external: /opt/docker/config/prometheus/
# - name: "Data"
# internal: /prometheus/
# external: prometheus_data
# ports:
# - name: "http"
# internal: 5000
# external: 5000
# environment:
# - PUID=65534
# - PGID=65534
# - TZ=Europe/Berlin


@@ -0,0 +1,26 @@
$ANSIBLE_VAULT;1.1;AES256
66323965326561656434636164616434353663633933346332373537663136323465323461306337
3733663066623866333534366430663761653262646662650a323938306636653965656361646330
66313965376537643033666165366435653862663231383366636166373238666334313836313138
6164353263323136300a653236636334643832396534623735316465623133373838353163313136
33303331313037376336623637356633383734343338386634646335616632646366366138643539
37303531346430323330396637316632643065346537386433663431373437376261366263306264
63323235303632356661373463383565613764323733343839653139613766633036346234316432
37626432333935613566386631346161623133366438343630316237363730626234336462303132
38323132363631653432643462306133323266333637346139343961623430363436663763383234
66343232386263646633653739343963333364386630376638396261326563333935643437646638
63656664633838336535613963393434336264656265356238306237626361336533643363323838
30376236613236386133383130633164306632323630383932383432353439646266386239383834
32346431306662346166653738333138643733623739623536303639663136336533373230643533
64323037303161306435316662653237356161393239656362383261306366336134353438326233
62363532396336616261383735386535396363386339333962623233383534393033306662666266
66316237616137366639333439613732666638376163373235306663323762613466363636346337
38393762653537316134316234363066363439623164356237313566626533326332646663313838
38383633616538353833353634376236656433383464303538613663383838633538616136313365
64643438316638333433366137656634353039663763353734616432306465386563353665666136
63383739323038333537396433303332343235383562376438633237663465396366643438353862
32646637323530356432386662613366323234323639653139306665623865613666623133656465
31636334666638623939393366663935363434613731386365303130343439376430613331663561
30353738346138343563383738393666333761333231303366386563303165363039313263343563
36303533353165323461376461623665313938356535363462663737643265636137613366616639
38383761343161336462373563383338393435326331353132333336666330306638


@@ -3,7 +3,7 @@ db:
user: "postgres" user: "postgres"
name: "k3s" name: "k3s"
user: "k3s" user: "k3s"
password: "{{ vault.k3s.postgres.db.password }}" password: "{{ vault_k3s.postgres.db.password }}"
listen_address: "{{ k3s.db.ip }}" listen_address: "{{ k3s.db.ip }}"
k3s: k3s:


@@ -0,0 +1,15 @@
$ANSIBLE_VAULT;1.1;AES256
35333866323538343132373761316430616539643436646637633131366232346566656438303438
3539333661363964633834613161626134323533653737650a613832323436663739663162303066
31333130646631306539356233346632636132346539343734393065353033613865363466646632
6565343937666530330a326130393934326435643837323631653862313232363466643534306131
62376132383137336230366538326364663362346137613930633161663834393835623935373164
65623564633765653137623361376130623363613263313835366464313039613532323661363461
37366438616566643537656639316665363339633737363539636364316335663639303364663366
62653734343364663830633534643931656439313763366138323663373464303137323864313637
65316135343464393031343166366338323839326631623533343931353833643232643339386231
38623735386465383964653663346631376531376261353933346661666131353533633331353437
63336366623333653732306130316264393865633338653238303861646535343837396232366134
63343037636361323239376436326431623165326366383561323832323730636532623039383734
66663139656262643038303435346666323762343661336234663131343531636161636536646465
6530333864323262363536393562346362306161653162346132


@@ -0,0 +1,8 @@
$ANSIBLE_VAULT;1.1;AES256
62653436363035633565383636383931353765663136646362366439306635306430313763323331
3533346430316564356463613664366261336139636331320a636532633836303161396238663163
39643765613162346261643662333633323133373830313365326534626161326235363038383462
6531643136646464610a383532316434383264326665613436623331333730633035316530663031
63343539393062383065396638363064613932363164346632366134333637343337353033346131
30613162303536313366656137306165303032636366376362656137343235313838356463306532
653164653834613431633563633739313936


@@ -0,0 +1,19 @@
proxmox_api_user: root
proxmox_api_host: 192.168.20.12
proxmox_api_password: "{{ vault.pve.aya01.root.sudo }}"
vms:
- name: "test-vm-00"
node: "inko"
vmid: 950
cores: 2
memory: 8192 # in MiB
net:
net0: "virtio,bridge=vmbr0,firewall=1"
boot_image: "{{ proxmox_cloud_init_images.ubuntu.name }}"
ciuser: "{{ user }}"
sshkeys: "{{ pubkey }}"
disk_size: 32 # in Gb
lxcs:
- name: "test-lxc-00"
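Review bot: `proxmox_api_password` reuses the node's root sudo password (`vault.pve.aya01.root.sudo`) as the API credential, so the automation runs with full root@pam rights and that credential cannot be revoked without changing the interactive root password; the `community.general.proxmox*` modules also accept `api_token_id`/`api_token_secret`, so a dedicated API token holding only the VM privileges this role needs is the safer choice. `proxmox_api_user: root` may need the realm suffix (`root@pam`) depending on how the role passes it to `api_user` — confirm against the role tasks, which are not in this hunk. Minor: Proxmox sizes disks in GiB, so `disk_size: 32 # in Gb` should read `# in GiB`.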


@@ -1,10 +1,10 @@
--- ---
ansible_user: "root" # ansible_user: "root"
ansible_host: 192.168.20.12 # ansible_host: 192.168.20.12
ansible_port: 22 # ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" # ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.pve.aya01.root.sudo }}" # ansible_become_pass: "{{ vault.pve.aya01.root.sudo }}"
#
host: # host:
hostname: "aya01" # hostname: "aya01"
ip: "{{ ansible_host }}" # ip: "{{ ansible_host }}"
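Review bot: All connection variables for this Proxmox node are commented out, including `ansible_become_pass`, while `aya01` stays in `[proxmox_nodes]`, a child of the `proxmox` group that `playbooks/proxmox.yml` targets; `05_setup_node.yml` runs `ansible.builtin.apt` without `become`, so unless `~/.ssh/config` logs in as root those tasks will fail for lack of privileges. The same applies to the `inko` and `lulu` host_vars changed in this PR. A one-line comment stating how the node is expected to be reached (`# reached as root via ~/.ssh/config`) would make the intent explicit.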


@@ -1,10 +1,10 @@
--- ---
ansible_user: "{{ user }}" # Configure this in ~/.ssh/config*
ansible_host: 192.168.20.34 # ansible_user: "{{ user }}"
ansible_port: 22 # ansible_host: 192.168.20.34
ansible_ssh_private_key_file: "{{ pk_path }}" # ansible_port: 22
# ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.docker.host00.sudo }}" ansible_become_pass: "{{ vault.docker.host00.sudo }}"
# host:
host: # hostname: "docker-host00"
hostname: "docker-host00" # ip: "192.168.20.34"
ip: "{{ ansible_host }}"
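Review bot: With the `host:` mapping commented out, `host.hostname` and `host.ip` are no longer defined on this host (and on docker-host01, docker-host02 and docker-lb in the matching hunks), so any docker-role template that still reads them fails at render time; the postgres-exporter unit in this PR was moved from `host.ip` to `ansible_host` on the k3s side, but the docker templates are not in this diff — check them. `ansible_host` is commented out as well, so Ansible falls back to the inventory name and `~/.ssh/config` has to resolve it; that moves address, port and key outside version control, which another operator or a CI runner cannot reproduce from the repository. Keeping at least `ansible_host` here, with the comment explaining that user, port and key come from ssh config, would preserve that.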


@@ -1,10 +1,11 @@
--- ---
ansible_user: "{{ user }}" # Configure this in ~/.ssh/config*
ansible_host: 192.168.20.35 # ansible_user: "{{ user }}"
ansible_port: 22 # ansible_host: 192.168.20.35
ansible_ssh_private_key_file: "{{ pk_path }}" # ansible_port: 22
# ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.docker.host01.sudo }}" ansible_become_pass: "{{ vault.docker.host01.sudo }}"
#
host: # host:
hostname: "docker-host01" # hostname: "docker-host01"
ip: "{{ ansible_host }}" # ip: "192.168.20.35"


@@ -1,10 +1,10 @@
--- ---
ansible_user: "{{ user }}" # Configure this in ~/.ssh/config*
ansible_host: 192.168.20.36 # ansible_user: "{{ user }}"
ansible_port: 22 # ansible_host: 192.168.20.36
ansible_ssh_private_key_file: "{{ pk_path }}" # ansible_port: 22
# ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.docker.host02.sudo }}" ansible_become_pass: "{{ vault.docker.host02.sudo }}"
# host:
host: # hostname: "docker-host02"
hostname: "docker-host02" # ip: "192.168.20.36"
ip: "{{ ansible_host }}"


@@ -1,10 +1,9 @@
--- ---
ansible_user: "{{ user }}" # ansible_user: "{{ user }}"
ansible_host: 192.168.20.37 # ansible_host: 192.168.20.37
ansible_port: 22 # ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" # ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.docker.lb.sudo }}" ansible_become_pass: "{{ vault.docker.lb.sudo }}"
# host:
host: # hostname: "docker-lb"
hostname: "docker-lb" # ip: "192.168.20.37"
ip: "{{ ansible_host }}"


@@ -1,10 +1,10 @@
--- ---
ansible_user: "root" # ansible_user: "root"
ansible_host: 192.168.20.14 # ansible_host: 192.168.20.14
ansible_port: 22 # ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" # ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.pve.inko.root.sudo }}" # ansible_become_pass: "{{ vault.pve.inko.root.sudo }}"
#
host: # host:
hostname: "inko" # hostname: "inko"
ip: "{{ ansible_host }}" # ip: "{{ ansible_host }}"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.25 ansible_host: 192.168.20.25
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.agent00.sudo }}" ansible_become_pass: "{{ vault_k3s.agent00.sudo }}"
host: host:
hostname: "k3s-agent00" hostname: "k3s-agent00"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.26 ansible_host: 192.168.20.26
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.agent01.sudo }}" ansible_become_pass: "{{ vault_k3s.agent01.sudo }}"
host: host:
hostname: "k3s-agent01" hostname: "k3s-agent01"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.27 ansible_host: 192.168.20.27
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.agent02.sudo }}" ansible_become_pass: "{{ vault_k3s.agent02.sudo }}"
host: host:
hostname: "k3s-agent02" hostname: "k3s-agent02"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.22 ansible_host: 192.168.20.22
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.loadbalancer.sudo }}" ansible_become_pass: "{{ vault_k3s.loadbalancer.sudo }}"
host: host:
hostname: "k3s-loadbalancer" hostname: "k3s-loadbalancer"
ip: "{{ ansible_host }}" ip: "{{ ansible_host }}"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.32 ansible_host: 192.168.20.32
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.longhorn00.sudo }}" ansible_become_pass: "{{ vault_k3s.longhorn00.sudo }}"
host: host:
hostname: "k3s-longhorn00" hostname: "k3s-longhorn00"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.33 ansible_host: 192.168.20.33
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.longhorn01.sudo }}" ansible_become_pass: "{{ vault_k3s.longhorn01.sudo }}"
host: host:
hostname: "k3s-longhorn01" hostname: "k3s-longhorn01"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.31 ansible_host: 192.168.20.31
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.longhorn02.sudo }}" ansible_become_pass: "{{ vault_k3s.longhorn02.sudo }}"
host: host:
hostname: "k3s-longhorn02" hostname: "k3s-longhorn02"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.23 ansible_host: 192.168.20.23
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.postgres.sudo }}" ansible_become_pass: "{{ vault_k3s.postgres.sudo }}"
host: host:
hostname: "k3s-postgres" hostname: "k3s-postgres"
ip: "{{ ansible_host }}" ip: "{{ ansible_host }}"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.21 ansible_host: 192.168.20.21
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.server00.sudo }}" ansible_become_pass: "{{ vault_k3s.server00.sudo }}"
host: host:
hostname: "k3s-server00" hostname: "k3s-server00"
ip: "{{ ansible_host }}" ip: "{{ ansible_host }}"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.24 ansible_host: 192.168.20.24
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.server01.sudo }}" ansible_become_pass: "{{ vault_k3s.server01.sudo }}"
host: host:
hostname: "k3s-server01" hostname: "k3s-server01"


@@ -3,7 +3,7 @@ ansible_user: "{{ user }}"
ansible_host: 192.168.20.30 ansible_host: 192.168.20.30
ansible_port: 22 ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.k3s.server02.sudo }}" ansible_become_pass: "{{ vault_k3s.server02.sudo }}"
host: host:
hostname: "k3s-server02" hostname: "k3s-server02"


@@ -1,10 +1,10 @@
--- ---
ansible_user: "root" # ansible_user: "root"
ansible_host: 192.168.20.28 # ansible_host: 192.168.20.28
ansible_port: 22 # ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}" # ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.pve.lulu.root.sudo }}" # ansible_become_pass: "{{ vault.pve.lulu.root.sudo }}"
#
host: # host:
hostname: "lulu" # hostname: "lulu"
ip: "{{ ansible_host }}" # ip: "{{ ansible_host }}"


@@ -1,7 +1,7 @@
--- ---
- name: Set up Servers - name: Set up Servers
hosts: docker_host hosts: docker_host
gather_facts: yes gather_facts: true
vars_files: vars_files:
- secrets.yml - secrets.yml
roles: roles:


@@ -1,7 +1,7 @@
--- ---
- name: Set up reverse proxy for docker - name: Set up reverse proxy for docker
hosts: docker_lb hosts: docker_lb
gather_facts: yes gather_facts: true
vars_files: vars_files:
- secrets.yml - secrets.yml
roles: roles:

5
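--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@@ -0,0 +1,5 @@
+---
+- name: Setup Docker Hosts
+ansible.builtin.import_playbook: docker-host.yml
+- name: Setup Docker load balancer
+ansible.builtin.import_playbook: docker-lb.yml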

13
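--- a/playbooks/proxmox.yml
+++ b/playbooks/proxmox.yml
@@ -0,0 +1,13 @@
+---
+- name: Run proxmox vm playbook
+hosts: proxmox
+gather_facts: true
+vars_files:
+- secrets.yml
+vars:
+is_localhost: "{{ inventory_hostname == '127.0.0.1' }}"
+is_proxmox_node: "{{ 'proxmox_nodes' in group_names }}"
+roles:
+- role: proxmox
+tags:
+- proxmox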


@@ -1,4 +1,10 @@
[proxmox] [proxmox]
127.0.0.1 ansible_connection=local
[proxmox:children]
proxmox_nodes
[proxmox_nodes]
aya01 aya01
lulu lulu
inko inko
@@ -16,7 +22,7 @@ k3s-loadbalancer
k3s-agent[00:02] k3s-agent[00:02]
k3s-server[00:02] k3s-server[00:02]
k3s-longhorn[00:02] k3s-longhorn[00:02]
docker-host[00:02] docker-host[00:01]
[k3s_nodes] [k3s_nodes]
k3s-server[00:02] k3s-server[00:02]
@@ -24,7 +30,7 @@ k3s-agent[00:02]
k3s-longhorn[00:02] k3s-longhorn[00:02]
[docker] [docker]
docker-host[00:02] docker-host[00:01]
docker-lb docker-lb
[vps] [vps]
@@ -46,10 +52,7 @@ k3s-postgres
k3s-loadbalancer k3s-loadbalancer
[docker_host] [docker_host]
docker-host[00:02] docker-host[00:01]
[docker_lb] [docker_lb]
docker-lb docker-lb
[vm:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"'
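Review bot: `docker-host[00:02]` is narrowed to `docker-host[00:01]` in the second, third and fourth hunks (the group header of the second hunk is outside the diff), but the services definition in this PR still pins `gitea` to `docker-host02` and lists it for `cadvisor`, so those containers silently stop being deployed — the compose template only emits services whose `vm` contains `inventory_hostname` — while `host_vars` for docker-host02 is kept and still edited; either keep the host in the inventory or remove it from `services` and host_vars in the same change. The new `ansible_ssh_common_args` jumps through `aya01` with `ssh -q`, which suppresses ProxyCommand diagnostics, so a failing jump host shows up only as a generic connection error; drop `-q`, or keep it and add a comment saying why.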

6
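--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,6 @@
+certifi==2025.1.31
+charset-normalizer==3.4.1
+idna==3.10
+proxmoxer==2.2.0
+requests==2.32.3
+urllib3==2.3.0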


@@ -0,0 +1 @@
ssh-rsa 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


@@ -10,8 +10,7 @@
- name: Copy pubkey - name: Copy pubkey
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ pubkey }}" src: files/ssh/vault-ca.pub
dest: "/home/{{ user }}/.ssh/authorized_keys" dest: "/etc/ssh/vault-ca.pub"
owner: "{{ user }}"
group: "{{ user }}"
mode: "644" mode: "644"
become: true
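Review bot: The task no longer manages `/home/{{ user }}/.ssh/authorized_keys`, so hosts provisioned before this change keep the static key that was pushed there and it stays valid next to the new CA certificates; if certificate-only access is the goal, add a task that removes or empties that file (`ansible.builtin.file` with `state: absent`, or a managed empty `authorized_keys`). The CA public key is installed root-owned and world-readable, which is what sshd requires for a `TrustedUserCAKeys` file; writing it as `mode: "0644"` makes the octal intent unambiguous. No `notify` is needed for the key file itself — sshd reads it at authentication time, as far as I know — but the `sshd_config` change in this PR does need the sshd restart.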


@@ -1,4 +1,3 @@
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2 Protocol 2
PermitRootLogin no PermitRootLogin no
MaxAuthTries 3 MaxAuthTries 3
@@ -13,6 +12,7 @@ X11Forwarding no
PrintMotd no PrintMotd no
TCPKeepAlive no TCPKeepAlive no
ClientAliveCountMax 2 ClientAliveCountMax 2
TrustedUserCAKeys /etc/ssh/vault-ca.pub
UseDNS yes UseDNS yes
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
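Review bot: `TrustedUserCAKeys /etc/ssh/vault-ca.pub` is added without a `RevokedKeys` directive, so a certificate signed by the Vault CA cannot be withdrawn before it expires other than by rotating the CA; a KRL maintained by the same role, `RevokedKeys /etc/ssh/revoked_keys`, closes that gap. Dropping `Include /etc/ssh/sshd_config.d/*.conf` at the top means distribution and cloud-init drop-ins are no longer read (on Ubuntu these typically carry `PasswordAuthentication`), which may be intended for a fully managed config but deserves a comment in the template, e.g. `# no Include: this file is authoritative, drop-ins are ignored on purpose`. The hunk does not show whether `PasswordAuthentication no` is set elsewhere in this file; with CA-based access in place it should be.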


@@ -8,4 +8,6 @@
- name: Restart compose - name: Restart compose
community.docker.docker_compose_v2: community.docker.docker_compose_v2:
project_src: "{{ docker.directories.compose }}" project_src: "{{ docker.directories.compose }}"
state: restarted state: present
retries: 3
delay: 5
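Review bot: The handler is still named `Restart compose` but now runs `state: present`, which only brings the project up and recreates services whose definition changed; a config change that a notifying task (provision.yml in this PR) expects a restart to pick up will not restart an unchanged container. Either rename the handler to reflect `up` semantics or keep `state: restarted`. `retries: 3` without an `until:` behaves differently across ansible-core versions (older releases force it to 1, newer ones retry until the task succeeds), so make it explicit with `register: compose_result` and `until: compose_result is succeeded`.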


@@ -9,9 +9,9 @@
- /media/series - /media/series
- /media/movies - /media/movies
- /media/songs - /media/songs
- "{{ docker.directories.opt }}" - "{{ docker.directories.local }}"
- "{{ docker.directories.config }}"
- "{{ docker.directories.compose }}" - "{{ docker.directories.compose }}"
- /opt/local
become: true become: true
- name: Set ownership to {{ user }} - name: Set ownership to {{ user }}
@@ -20,8 +20,9 @@
owner: "{{ user }}" owner: "{{ user }}"
group: "{{ user }}" group: "{{ user }}"
loop: loop:
- "{{ docker.directories.opt }}" - "{{ docker.directories.local }}"
- /opt/local - "{{ docker.directories.config }}"
- "{{ docker.directories.compose }}"
- /media - /media
become: true become: true


@@ -11,6 +11,9 @@
- name: Setup directory structure for docker - name: Setup directory structure for docker
ansible.builtin.include_tasks: directory_setup.yml ansible.builtin.include_tasks: directory_setup.yml
- name: Deploy configs
ansible.builtin.include_tasks: provision.yml
- name: Deploy docker compose - name: Deploy docker compose
ansible.builtin.include_tasks: deploy_compose.yml ansible.builtin.include_tasks: deploy_compose.yml


@@ -0,0 +1,31 @@
---
- name: Set fact if this host should run Keycloak
ansible.builtin.set_fact:
is_keycloak_host: "{{ inventory_hostname in (services | selectattr('name', 'equalto', 'keycloak') | map(attribute='vm') | first) }}"
- name: Run Keycloak tasks
ansible.builtin.file:
path: "{{ docker.directories.local }}/keycloak/"
owner: "{{ user }}"
group: "{{ user }}"
state: directory
mode: "0755"
when: is_keycloak_host | bool
become: true
- name: Run Keycloak tasks
ansible.builtin.template:
src: "templates/keycloak/realm.json.j2"
dest: "{{ docker.directories.local }}/keycloak/{{ keycloak.realm }}-realm.json"
owner: "{{ user }}"
group: "{{ user }}"
mode: "644"
backup: true
when: is_keycloak_host | bool
loop: "{{ keycloak_config.realms }}"
loop_control:
loop_var: keycloak
notify:
- Restart docker
- Restart compose
become: true
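Review bot: The rendered realm file carries plaintext passwords (the template writes `user.password` and `keycloak.admin.password` into `credentials`) yet is written with `mode: "644"`, readable by every local account on the host, and `backup: true` leaves timestamped copies with older credentials next to it; use `mode: "0600"` and `backup: false`, or remove the backups once Keycloak has imported the realm. The `set_fact` uses `... | map(attribute='vm') | first`, which produces an undefined value on any host when no service named `keycloak` exists in `services` and makes the `in` test fail; `| list | first | default([])` keeps the play working on hosts without it. Both tasks are named `Run Keycloak tasks`; name them for what they do (`Create Keycloak config directory`, `Render Keycloak realm import`). Notifying `Restart docker` for a realm file change restarts the daemon and every container on the host; the compose handler alone should be enough.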


@@ -1,9 +1,8 @@
--- ---
- name: Enable HW accelerate for VM - name: Setup VM Packages
ansible.builtin.apt: ansible.builtin.apt:
name: "{{ item }}" name: "{{ item }}"
state: present state: present
loop: update_cache: true
- firmware-misc-nonfree loop: "{{ docker_host_package_common_dependencies }}"
- nfs-common
become: true become: true
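Review bot: `firmware-misc-nonfree` is no longer installed: the `docker_host_package_common_dependencies` default added in this PR lists only `nfs-common`, while the old task (named for HW acceleration) installed both; confirm the drop is intended or add the firmware package to the defaults. Looping `ansible.builtin.apt` with `name: "{{ item }}"` runs one apt transaction per package and refreshes the cache on every iteration; passing the list directly, `name: "{{ docker_host_package_common_dependencies }}"` with no `loop`, installs them in one transaction. The same loop pattern is in the two `Install dependencies` tasks of the proxmox role (`01_setup_localhost.yml` and `05_setup_node.yml`), and those two also lack `become: true`, which apt needs unless the play already escalates.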


@@ -1,12 +1,13 @@
services: services:
{% for service in services %} {% for service in services %}
{% if inventory_hostname in service.vm %} {% if inventory_hostname in service.vm %}
{{service.name}}:
{{ service.name }}:
container_name: {{ service.container_name }} container_name: {{ service.container_name }}
image: {{ service.image }} image: {{ service.image }}
restart: {{ service.restart }} restart: unless-stopped
{% if service.network_mode is not defined %} {% if service.network_mode is not defined %}
hostname: {{service.name}} hostname: {{ service.name }}
networks: networks:
- net - net
{% endif %} {% endif %}
@@ -15,11 +16,32 @@ services:
ports: ports:
{% for port in service.ports %} {% for port in service.ports %}
{% if port.internal != 'proxy_only' %} {% if port.internal != 'proxy_only' %}
- {{port.external}}:{{port.internal}} - {{ port.external }}:{{ port.internal }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if service.ports is defined and service.ports is iterable %}
{% set first_http_port = service.ports | default([]) | selectattr('name', 'defined') | selectattr('name', 'search', 'http') | first %}
{% set chosen_http_port_value = none %}
{% if first_http_port is not none %}
{% if first_http_port.internal is defined and first_http_port.internal == 'proxy_only' %}
{% if first_http_port.external is defined %}
{% set chosen_http_port_value = first_http_port.external %}
{% endif %}
{% else %}
{% set chosen_http_port_value = first_http_port.internal %}
{% endif %}
{% if chosen_http_port_value is defined %}
healthcheck:
test: ["CMD-SHELL", "wget --quiet --spider --timeout=5 http://localhost:{{ chosen_http_port_value }}/ || exit 1"]
interval: 30s
timeout: 10s
retries: 5
start_period: 20s
{% endif %}
{% endif %}
{% endif %}
{% if service.cap_add is defined and service.cap_add is iterable %} {% if service.cap_add is defined and service.cap_add is iterable %}
cap_add: cap_add:
{% for cap in service.cap_add %} {% for cap in service.cap_add %}
@@ -41,46 +63,88 @@ services:
{% if service.volumes is defined and service.volumes is iterable %} {% if service.volumes is defined and service.volumes is iterable %}
volumes: volumes:
{% for volume in service.volumes %} {% for volume in service.volumes %}
- {{volume.external}}:{{volume.internal}} - {{ volume.external }}:{{ volume.internal }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if service.environment is defined and service.environment is iterable %} {% if service.environment is defined and service.environment is iterable %}
environment: environment:
{% for env in service.environment %} {% for env in service.environment %}
- {{env}} - {{ env }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if service.devices is defined and service.devices is iterable %} {% if service.devices is defined and service.devices is iterable %}
devices: devices:
{% for device in service.devices %} {% for device in service.devices %}
- {{device.external}}:{{device.internal}} - {{ device.external }}:{{ device.internal }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if service.name == 'paperless' %} {% if service.command is defined and service.command is iterable %}
command:
{{service.name}}-broker: {% for command in service.command %}
container_name: paperless-broker - {{ command }}
image: docker.io/library/redis:7 {% endfor %}
restart: unless-stopped {% endif %}
networks: {% if service.sub_service is defined and service.sub_service is iterable %}
- net {% for sub in service.sub_service %}
volumes: {% if sub.name is defined and sub.name == "postgres" %}
- /opt/local/paperless/redis/data:/data {{ service.name }}-postgres:
container_name: {{ service.name }}-postgres
{{service.name}}-postgres: image: docker.io/library/postgres:{{ sub.version }}
container_name: paperless-postgres restart: unless-stopped
image: docker.io/library/postgres:15 hostname: {{ service.name }}-postgres
restart: unless-stopped networks:
networks: - net
- net volumes:
volumes: - /opt/local/{{ service.name }}/postgres/data:/var/lib/postgresql/data
- /opt/local/paperless/db/data:/var/lib/postgresql/data environment:
environment: POSTGRES_DB: {{ service.name }}
POSTGRES_DB: paperless POSTGRES_USER: {{ sub.username }}
POSTGRES_USER: paperless POSTGRES_PASSWORD: {{ sub.password }}
POSTGRES_PASSWORD: 5fnhn%u2YWY3paNvMAjdoufYPQ2Hf3Yi {% endif %}
{% if sub.name is defined and sub.name == "redis" %}
{{ service.name }}-redis:
container_name: {{ service.name }}-redis
image: docker.io/library/redis:{{ sub.version }}
restart: unless-stopped
hostname: {{ service.name }}-redis
networks:
- net
volumes:
- /opt/local/{{ service.name }}/redis/data:/data
{% endif %}
{% if sub.name is defined and sub.name == "chrome" %}
{{ service.name }}-chrome:
image: gcr.io/zenika-hub/alpine-chrome:{{ sub.version }}
container_name: {{ service.name }}-chrome
restart: unless-stopped
networks:
- net
command:
- --no-sandbox
- --disable-gpu
- --disable-dev-shm-usage
- --remote-debugging-address=0.0.0.0
- --remote-debugging-port=9222
- --hide-scrollbars
{% endif %}
{% if sub.name is defined and sub.name == "meilisearch" %}
{{ service.name }}-meilisearch:
container_name: {{ service.name }}-meilisearch
image: getmeili/meilisearch:{{ sub.version }}
restart: unless-stopped
hostname: {{ service.name }}-meilisearch
networks:
- net
volumes:
- /opt/local/{{ service.name }}/mailisearch/data:/meili_data
environment:
- MEILI_NO_ANALYTICS=true
- NEXTAUTH_SECRET={{ sub.nextauth_secret }}
- MEILI_MASTER_KEY={{ sub.meili_master_key }}
- OPENAI_API_KEY="{{ sub.openai_key }}"
{% endif %}
{% endfor %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
networks: networks:
@@ -90,6 +154,3 @@ networks:
driver: default driver: default
config: config:
- subnet: 172.16.69.0/24 - subnet: 172.16.69.0/24
volumes:
prometheus_data: {}
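Review bot: The healthcheck guard in the second hunk does not test what `first` actually returns: on a service with no port whose name matches `http` (cadvisor's `""`, gluetun's client ports) `selectattr(...) | first` yields an undefined value rather than `none`, so `first_http_port is not none` passes and the block only skips because Ansible's undefined object tolerates the `.internal` access; `chosen_http_port_value is defined` is likewise true for `none`, so a `proxy_only` port without `external` would render `http://localhost:None/`. Collect the matches first, `{% set http_ports = service.ports | default([]) | selectattr('name', 'defined') | selectattr('name', 'search', 'http') | list %}`, guard with `{% if http_ports | length > 0 %}` and test the chosen value with `is not none`. In the sub-service block the secrets are emitted as bare YAML scalars (`POSTGRES_PASSWORD: {{ sub.password }}`, `MEILI_MASTER_KEY={{ sub.meili_master_key }}`), so a value containing `#`, `: ` or a leading indicator changes the parse — `{{ sub.password | to_json }}` is safe in the mapping form — while `OPENAI_API_KEY="{{ sub.openai_key }}"` in the list form hands the literal double quotes to the container. `NEXTAUTH_SECRET` and `OPENAI_API_KEY` look like application-side settings rather than Meilisearch ones, so they are exposed to a container that presumably does not need them — verify. The literal Postgres password removed in the third hunk is still recoverable from git history and should be rotated on the paperless database.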


@@ -0,0 +1,79 @@
{
"realm": "{{ keycloak.realm }}",
"enabled": true,
"displayName": "{{ keycloak.display_name }}",
"displayNameHtml": "<div class=\"kc-logo-text\">{{keycloak.display_name}}</div>",
"bruteForceProtected": true,
"users": [
{% if keycloak.users is defined and keycloak.users is iterable %}
{% for user in keycloak.users %}
{
"username": "{{ user.username }}",
"enabled": true,
"credentials": [
{
"type": "password",
"value": "{{ user.password }}",
"temporary": false
}
],
"realmRoles": [
{% for realm_role in user.realm_roles %}
"{{ realm_role }}"{%- if not loop.last %},{% endif %}{{''}}
{% endfor %}
],
"clientRoles": {
"account": [
{% for account in user.client_roles.account %}
"{{ account }}"{%- if not loop.last %},{% endif %}{{''}}
{% endfor %}
]
}
},{% if not loop.last %}{% endif %}
{% endfor %}
{% endif %}
{
"username": "{{ keycloak.admin.username }}",
"enabled": true,
"credentials": [
{
"type": "password",
"value": "{{ keycloak.admin.password }}",
"temporary": false
}
],
"realmRoles": [
{% for realm_role in keycloak.admin.realm_roles %}
"{{ realm_role }}"{% if not loop.last %},{% endif %}{{''}}
{% endfor %}
],
"clientRoles": {
"realm-management": [
{% for realm_management in keycloak.admin.client_roles.realm_management %}
"{{ realm_management }}"{%- if not loop.last %},{% endif %}{{''}}
{% endfor %}
],
"account": [
{% for account in keycloak.admin.client_roles.account %}
"{{ account }}"{%- if not loop.last %},{% endif %}{{''}}
{% endfor %}
]
}
}
],
"roles": {
"realm": [
{% for role in keycloak.roles.realm %}
{
"name": "{{ role.name }}",
"description": "{{ role.name }}"
}{% if not loop.last %},{% endif %}
{% endfor %}
]
},
"defaultRoles": [
{% for role in keycloak.roles.default_roles %}
"{{ role }}"{% if not loop.last %},{% endif %}{{''}}
{% endfor %}
]
}
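Review bot: Scalar values are dropped into the JSON as `"{{ user.username }}"` and the like, so a username, display name or password containing a double quote or backslash yields an invalid import file, and `displayNameHtml` embeds `keycloak.display_name` in HTML without escaping; render each scalar with `{{ value | to_json }}` (it supplies the quotes and escaping itself) and build the div string with `| e` before it goes through `to_json`. The `{% if not loop.last %}{% endif %}` after each user object is empty, so a trailing comma is always emitted and the array is valid only because the admin object follows the loop; say so, `{# trailing comma is intentional: the admin user below closes the list #}`. Once rendered the file holds every realm password in clear with `"temporary": false`, so it should be removed or restricted to the Keycloak user after the import has run.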


@@ -0,0 +1,2 @@
docker_host_package_common_dependencies:
- nfs-common


@@ -4,7 +4,7 @@ Description=PostgresExporter
[Service] [Service]
TimeoutStartSec=0 TimeoutStartSec=0
User={{ bin_name }} User={{ bin_name }}
ExecStart={{ bin_path }} --web.listen-address={{ host.ip }}:{{ bind_port }} {{ options }} ExecStart={{ bin_path }} --web.listen-address={{ ansible_host }}:{{ bind_port }} {{ options }}
Environment="DATA_SOURCE_URI=localhost:5432/postgres?sslmode=disable" Environment="DATA_SOURCE_URI=localhost:5432/postgres?sslmode=disable"
Environment="DATA_SOURCE_USER={{ db.user }}" Environment="DATA_SOURCE_USER={{ db.user }}"
Environment="DATA_SOURCE_PASS={{ db.password }}" Environment="DATA_SOURCE_PASS={{ db.password }}"


@@ -0,0 +1,83 @@
#!/bin/bash
# Configuration
VM_ID=303
TARGET_IP="192.168.20.36" # Replace with the IP of your VM
PORT=22
CHECK_INTERVAL=300 # 5 minutes in seconds
LOG_FILE="/var/log/vm_monitor.log"
# Function to log messages
log_message() {
echo "$(date): $1" | tee -a $LOG_FILE
}
# Check if running on a Proxmox host
if ! command -v qm &>/dev/null; then
log_message "qm command not found. This script must run on a Proxmox host."
exit 1
fi
# Function to check port
check_port() {
# Try nc first if available
if command -v nc &>/dev/null; then
if nc -z -w 5 $TARGET_IP $PORT 2>/dev/null; then
return 0 # Port is open
else
return 1 # Port is closed
fi
# Fall back to nmap if nc is not available
elif command -v nmap &>/dev/null; then
if nmap -p $PORT $TARGET_IP | grep -q "$PORT/tcp.*open"; then
return 0 # Port is open
else
return 1 # Port is closed
fi
else
log_message "Neither nc nor nmap found. Please install one of them."
exit 1
fi
}
# Function to restart the VM
restart_vm() {
log_message "Port $PORT is not reachable. Restarting VM $VM_ID..."
# Stop the VM
qm stop $VM_ID
if [ $? -ne 0 ]; then
log_message "Failed to stop VM $VM_ID. Trying force stop..."
qm stop $VM_ID --force
fi
# Wait for VM to fully stop
log_message "Waiting for VM to stop..."
sleep 10
# Start the VM
qm start $VM_ID
if [ $? -ne 0 ]; then
log_message "Failed to start VM $VM_ID. Manual intervention required."
exit 1
fi
log_message "VM $VM_ID has been restarted."
}
# Main loop
log_message "Starting monitoring of VM $VM_ID on port $PORT..."
log_message "Press Ctrl+C to exit."
while true; do
# Check if port 22 is open
if ! check_port; then
restart_vm
else
log_message "Port $PORT is reachable. VM is running normally."
fi
# Wait for the next check
log_message "Sleeping for $CHECK_INTERVAL seconds..."
sleep $CHECK_INTERVAL
done
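Review bot: `restart_vm` hard-stops the guest after a single failed probe: one missed check — sshd restarting while the hardening playbook runs, a transient network blip, or `nc` hitting its 5 s timeout under load — triggers `qm stop`, which is a power-off and risks guest filesystem damage every time it fires. Require a few consecutive failures before acting and try an ACPI `qm shutdown` with a timeout before falling back to `qm stop`, as sketched below. `exit 1` inside `check_port` ends the whole monitor when neither `nc` nor `nmap` is installed; that probe-tool check belongs next to the `qm` check before the loop. `$LOG_FILE`, `$TARGET_IP` and `$VM_ID` are unquoted and `if [ $? -ne 0 ]` follows each `qm` call; `if ! qm stop "$VM_ID"; then` reads better and `set -u` at the top catches a misspelled variable.
```shell
FAILURE_THRESHOLD=3   # consecutive failed probes before the VM is touched
SHUTDOWN_TIMEOUT=60   # seconds to wait for an ACPI shutdown before a hard stop

# … unchanged: log_message, qm availability check, check_port …

restart_vm() {
    log_message "Port $PORT unreachable for $FAILURE_THRESHOLD checks. Restarting VM $VM_ID..."
    # Prefer a clean guest shutdown; power off only if that does not finish in time.
    if ! qm shutdown "$VM_ID" --timeout "$SHUTDOWN_TIMEOUT"; then
        log_message "Clean shutdown failed. Forcing stop of VM $VM_ID..."
        qm stop "$VM_ID" || log_message "Failed to stop VM $VM_ID."
    fi
    sleep 10
    if ! qm start "$VM_ID"; then
        log_message "Failed to start VM $VM_ID. Manual intervention required."
        exit 1
    fi
    log_message "VM $VM_ID has been restarted."
}

failures=0
while true; do
    if check_port; then
        failures=0
        log_message "Port $PORT is reachable. VM is running normally."
    else
        failures=$((failures + 1))
        log_message "Port $PORT not reachable ($failures/$FAILURE_THRESHOLD)."
        if [ "$failures" -ge "$FAILURE_THRESHOLD" ]; then
            restart_vm
            failures=0
        fi
    fi
    # … unchanged: sleep between checks …
done
```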


@@ -0,0 +1,6 @@
---
- name: Reboot Node
ansible.builtin.reboot:
connect_timeout: 5
reboot_timeout: 600
test_command: whoami


@@ -0,0 +1,8 @@
---
- name: Prepare Localhost
ansible.builtin.include_tasks: ./01_setup_localhost.yml
when: is_localhost
- name: Prepare Localhost
ansible.builtin.include_tasks: ./05_setup_node.yml
when: is_proxmox_node
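Review bot: The second task in this hunk reuses the name `Prepare Localhost` although it includes `05_setup_node.yml` under `when: is_proxmox_node`; rename it `- name: Prepare Proxmox Node` so playbook output and `--list-tasks` distinguish the two includes.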


@@ -0,0 +1,7 @@
---
- name: Install dependencies
ansible.builtin.apt:
name: "{{ item }}"
update_cache: true
state: present
loop: "{{ proxmox_localhost_dependencies }}"
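Review bot: Looping `ansible.builtin.apt` once per package, with `update_cache: true` on every iteration, refreshes the package index and runs a separate apt transaction for each entry; the module accepts a list, so `name: "{{ proxmox_localhost_dependencies }}"` without the `loop` installs everything in one transaction. The same applies to the node-dependencies hunk that follows this one. With `proxmox_localhost_dependencies: []` the current loop simply runs zero times; if the list form is adopted, confirm the module tolerates an empty list or add `when: proxmox_localhost_dependencies | length > 0`.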


@@ -0,0 +1,7 @@
---
- name: Install dependencies
ansible.builtin.apt:
name: "{{ item }}"
update_cache: true
state: present
loop: "{{ proxmox_node_dependencies }}"


@@ -0,0 +1,25 @@
---
- name: Set GRUB_CMDLINE_LINUX_DEFAULT for PCI passthrough
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction initcall_blacklist=sysfb_init video=simplefb:off video=vesafb:off video=efifb:off video=vesa:off disable_vga=1 vfio_iommu_type1.allow_unsafe_interrupts=1 kvm.ignore_msrs=1 modprobe.blacklist=radeon,nouveau,nvidia,nvidiafb,nvidia-gpu,snd_hda_intel,snd_hda_codec_hdmi,i915"'
backup: true
# notify:
# - Reboot Node
- name: Ensure VFIO modules are listed in /etc/modules
ansible.builtin.blockinfile:
path: /etc/modules
marker: "# {mark} VFIO Modules"
block: |
vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd
create: true
- name: Update initramfs
ansible.builtin.command: update-initramfs -u -k all
args:
warn: false
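Review bot: `args: warn: false` on the `Update initramfs` task passes the `warn` option that was removed from `ansible.builtin.command` in ansible-core 2.14, so on current releases the task fails with an unsupported-parameter error; drop the `args` block. The `lineinfile` edit of `/etc/default/grub` is never followed by `update-grub` (or `proxmox-boot-tool refresh` on hosts booting via systemd-boot), so the new `GRUB_CMDLINE_LINUX_DEFAULT` is not applied until something else regenerates the boot configuration; add that command, and restore the commented-out `Reboot Node` notify together with a handler so the change actually takes effect. `vfio_iommu_type1.allow_unsafe_interrupts=1` relaxes the interrupt-remapping requirement for passthrough, which weakens guest-to-host isolation; a comment recording which hardware lacks interrupt remapping and why the risk is accepted would help the next reader.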


@@ -0,0 +1,33 @@
---
- name: Ensure Vault file exists
ansible.builtin.file:
path: "{{ proxmox_vault_file }}"
state: touch
mode: "0600"
- name: Decrypt vm vault file
ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
ignore_errors: true
no_log: true
- name: Load existing vault content
ansible.builtin.slurp:
src: "{{ proxmox_vault_file }}"
register: vault_content
no_log: true
- name: Parse vault content as YAML
ansible.builtin.set_fact:
vault_data: "{{ (vault_content['content'] | b64decode | from_yaml) if (vault_content['content'] | length > 0) else {} }}"
no_log: true
- name: Update Vault data
ansible.builtin.include_tasks: 15_create_secret.yml
loop: "{{ vms | map(attribute='name') }}"
loop_control:
loop_var: "vm_name"
- name: Encrypt vm vault file
ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
ignore_errors: true
no_log: true
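Review bot: Both `ansible-vault` shell tasks carry `ignore_errors: true` together with `no_log: true`, so a failed `encrypt` at the end of the hunk leaves `../group_vars/proxmox/secrets_vm.yml` as plaintext on disk with no visible error, and a failure inside the `15_create_secret.yml` loop skips the encrypt step entirely. Wrap the decrypt/update steps in a `block` whose `always` section re-encrypts without `ignore_errors`, so the file is never left decrypted and a broken encrypt aborts the play. The decrypt task's `ignore_errors` is presumably there for the first run, when the freshly touched file is empty and not vault data; registering the result and limiting `failed_when` to that case would be tighter than swallowing every error. `state: touch` also reports changed on every run; adding `modification_time: preserve` and `access_time: preserve` keeps the mode check without the spurious change.
```yaml
- name: Maintain vm vault (re-encrypt even when an update step fails)
  block:
    # … unchanged: decrypt, slurp, parse, include 15_create_secret.yml loop …
  always:
    - name: Encrypt vm vault file
      ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
      no_log: true
```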


@@ -0,0 +1,26 @@
---
- name: Setup secret name
ansible.builtin.set_fact:
vm_name_secret: "{{ proxmox_secrets_prefix }}_{{ vm_name | replace('-','_') }}"
- name: Check if variable is in vault
ansible.builtin.set_fact:
variable_exists: "{{ vm_name_secret in vault_data }}"
- name: Set new secret
ansible.builtin.set_fact:
cipassword: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
when: not variable_exists
- name: Set new secret
ansible.builtin.set_fact:
new_vault_data: "{{ vault_data | combine({ vm_name_secret: cipassword }) }}"
when: not variable_exists
- name: Write updated Vault content to file (temporary plaintext)
ansible.builtin.copy:
content: "{{ new_vault_data | to_nice_yaml }}"
dest: "{{ proxmox_vault_file }}"
mode: "0600"
when: not variable_exists
no_log: true
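Review bot: `vault_data` is never updated after a secret is written, so for the second and later VMs in the include loop `new_vault_data` is computed from the original mapping and the `copy` task overwrites the file with only the latest VM's entry, losing the ones written just before. Setting the combined mapping back into the same fact fixes it: `vault_data: "{{ vault_data | combine({ vm_name_secret: cipassword }) }}"` and `content: "{{ vault_data | to_nice_yaml }}"`. The two consecutive tasks are both named `Set new secret`; the second is better described as `Merge new secret into vault data`. The `copy` task has `no_log`, but the two `set_fact` tasks holding `cipassword` and `new_vault_data` do not, so the generated password shows up in verbose output; add `no_log: true` to them as well.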


@@ -0,0 +1,6 @@
---
- name: Download Cloud Init Isos
ansible.builtin.include_tasks: 42_download_isos.yml
loop: "{{ proxmox_cloud_init_images | dict2items | map(attribute='value') }}"
loop_control:
loop_var: distro


@@ -0,0 +1,12 @@
---
- name: Check if file exists
ansible.builtin.stat:
path: "{{ proxmox_dirs.isos }}/{{ distro.name }}"
register: image_stat
- name: Download image if missing
ansible.builtin.get_url:
url: "{{ distro.url }}"
dest: "{{ proxmox_dirs.isos }}/{{ distro.name }}"
mode: "0644"
when: not image_stat.stat.exists
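Review bot: `get_url` verifies nothing about the downloaded cloud image even though it becomes the boot disk of every VM created later; add `checksum:` (Debian and Ubuntu publish SHA512SUMS/SHA256SUMS beside these images, and `get_url` accepts `checksum: "sha512:<url-of-sums-file>"`), for example via a `checksum` key per entry in `proxmox_cloud_init_images` and `checksum: "{{ distro.checksum }}"` here. The preceding `stat` task and the `when` are then redundant: with the default `force: false`, `get_url` does not re-download when `dest` already exists, and with a checksum it also replaces a corrupted file.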


@@ -0,0 +1,17 @@
---
- name: Load vault variables
ansible.builtin.include_vars:
file: "{{ proxmox_vault_file }}"
name: vm_secrets
- name: Destroy vms (Only during rapid testing)
ansible.builtin.include_tasks: 54_destroy_vm.yml
loop: "{{ vms }}"
loop_control:
loop_var: "vm"
- name: Create vms
ansible.builtin.include_tasks: 55_create_vm.yml
loop: "{{ vms }}"
loop_control:
loop_var: "vm"
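Review bot: `Destroy vms (Only during rapid testing)` is included unconditionally, so every run of this role stops and deletes (`state: absent`, `force: true` in `54_destroy_vm.yml`) each VM in `vms` before re-creating it, including on a production run. Guard the include with an opt-in flag, e.g. `when: proxmox_destroy_vms | default(false)` (flag name is a suggestion), or give the task `tags: [never, destroy]` so it only runs when `--tags destroy` is requested explicitly.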


@@ -0,0 +1,30 @@
---
- name: Gather info about VM
community.general.proxmox_vm_info:
api_user: root@pam
api_password: "{{ vault.pve.aya01.root.sudo }}"
api_host: "192.168.20.12"
vmid: "{{ vm.vmid }}"
register: vm_info
- name: Stop VM
community.general.proxmox_kvm:
api_user: root@pam
api_password: "{{ vault.pve.aya01.root.sudo }}"
api_host: "192.168.20.12"
node: "{{ vm.node }}"
vmid: "{{ vm.vmid }}"
state: stopped
force: true
when: vm_info.proxmox_vms | length > 0
- name: Destroy VM
community.general.proxmox_kvm:
api_user: root@pam
api_password: "{{ vault.pve.aya01.root.sudo }}"
api_host: "192.168.20.12"
node: "{{ vm.node }}"
vmid: "{{ vm.vmid }}"
state: absent
force: true
when: vm_info.proxmox_vms | length > 0
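Review bot: `api_user: root@pam`, `api_password: "{{ vault.pve.aya01.root.sudo }}"` and `api_host: "192.168.20.12"` are repeated verbatim in every `proxmox_kvm`/`proxmox_vm_info` call here and in the two hunks that follow (`55_create_vm.yml`, `56_provision_new_vm.yml`); move them into role defaults (e.g. `proxmox_api_host`, a suggested name) or a `module_defaults` entry for the `group/community.general.proxmox` action group so a host change is a one-line edit. Authenticating as `root@pam` with the root password gives the automation full cluster rights; the modules also accept `api_token_id`/`api_token_secret`, so a dedicated user or token limited to the VM privileges it needs (VM.Allocate, VM.Config.*, VM.PowerMgmt on the relevant pool) bounds the damage if the vault leaks. Both the stop and destroy tasks act on any non-empty `vm_info`, so a vmid collision with an unrelated VM would destroy it as well; if the returned entry includes the VM name, comparing it with `vm.name` before acting is a cheap safeguard.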


@@ -0,0 +1,29 @@
---
- name: Create VM
community.general.proxmox_kvm:
api_user: root@pam
api_password: "{{ vault.pve.aya01.root.sudo }}"
api_host: "192.168.20.12"
agent: true
name: "{{ vm.name }}"
vmid: "{{ vm.vmid }}"
node: "{{ vm.node }}"
cores: "{{ vm.cores }}"
memory: "{{ vm.memory }}"
net: "{{ vm.net }}"
scsihw: "virtio-scsi-pci"
ostype: "l26"
tags: "{{ proxmox_tags }}"
description: "Created via Ansible with cloud-init"
boot: "order=scsi0"
cpu: "x86-64-v2-AES"
ciuser: "{{ vm.ciuser }}"
cipassword: "{{ vm_secrets[proxmox_secrets_prefix + '_' + vm.name.replace('-', '_')] }}"
ipconfig:
ipconfig0: "ip=dhcp"
sshkeys: "{{ vm.sshkeys }}"
register: proxmox_deploy_info
- name: Provision created VM
ansible.builtin.include_tasks: 56_provision_new_vm.yml
when: proxmox_deploy_info.changed


@@ -0,0 +1,72 @@
---
- name: Debug proxmox_deploy_info
ansible.builtin.debug:
msg: "{{ proxmox_deploy_info }}"
- name: Get MAC Address of new machine
ansible.builtin.set_fact:
mac_address: "{{ proxmox_deploy_info.mac.net0 }}"
- name: Import disk
ansible.builtin.shell: |
qm importdisk {{ vm.vmid }} {{ proxmox_dirs.isos }}/{{ vm.boot_image }} {{ proxmox_storage }}
delegate_to: "{{ vm.node }}"
when: proxmox_deploy_info.changed
- name: Attach disk and cloud-init
ansible.builtin.shell: |
qm set {{ vm.vmid }} --scsi0 {{ proxmox_storage }}:{{ vm.vmid }}/vm-{{ vm.vmid }}-disk-0.raw --ide2 {{ proxmox_storage }}:cloudinit --boot order=scsi0
delegate_to: "{{ vm.node }}"
- name: Resize scsi0 disk if needed
ansible.builtin.shell: |
qm resize {{ vm.vmid }} scsi0 {{ vm.disk_size }}G
delegate_to: "{{ vm.node }}"
- name: Start VM
community.general.proxmox_kvm:
api_user: root@pam
api_password: "{{ vault.pve.aya01.root.sudo }}"
api_host: "192.168.20.12"
node: "{{ vm.node }}"
vmid: "{{ vm.vmid }}"
state: started
- name: Wait for VM to appear on network
ansible.builtin.shell: |
nmap -sn -n -PR 192.168.20.0/24 | grep -B2 "{{ mac_address }}" | grep "Nmap scan report for"
register: vm_nmap_scan
retries: 30
delay: 5
until: vm_nmap_scan.stdout != ""
delegate_to: "{{ vm.node }}"
- name: Extract the IP address from Nmap output
ansible.builtin.set_fact:
vm_found_ip: "{{ vm_nmap_scan.stdout | regex_search('Nmap scan report for ([0-9\\.]+)', '\\1') | first }}"
- name: Define SSH config block
ansible.builtin.set_fact:
ssh_entry: |
Host {{ vm.name }}
HostName {{ vm_found_ip }}
Port 22
User tudattr
IdentityFile /media/veracrypt1/genesis
ProxyJump {{ vm.node }}
- name: Append new VM to SSH config
ansible.builtin.blockinfile:
path: "{{ ansible_env.HOME }}/.ssh/config_homelab"
marker: "# {mark} HOMELAB VMS BLOCK"
block: |
{{ ssh_entry }}
- name: Add VM to homelab_vms group in production.ini
ansible.builtin.lineinfile:
path: "{{ inventory_file }}"
line: "{{ vm.name }}"
insertafter: '^\[vms\]'
create: true
state: present
delegate_to: localhost
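Review bot: The `Import disk`, `Attach disk and cloud-init` and `Resize scsi0 disk` tasks run `qm` through `ansible.builtin.shell` with `vm.vmid`, `vm.boot_image`, `vm.disk_size` and `proxmox_storage` interpolated into the command line, so any shell metacharacter in an inventory value is interpreted on the Proxmox node; `ansible.builtin.command` with `argv` passes each value as one argument and needs no shell. The `when: proxmox_deploy_info.changed` on `Import disk` is redundant because this file is only included under that same condition in `55_create_vm.yml`, and the `--scsi0 {{ proxmox_storage }}:{{ vm.vmid }}/vm-{{ vm.vmid }}-disk-0.raw` volume id presumably assumes directory-type storage — worth a comment, since other storage types name volumes differently. The `nmap -sn -n -PR 192.168.20.0/24` sweep hard-codes the subnet, and the SSH block hard-codes `User tudattr` and `IdentityFile /media/veracrypt1/genesis`; these belong in role defaults or inventory.
```yaml
- name: Import disk
  ansible.builtin.command:
    argv:
      - qm
      - importdisk
      - "{{ vm.vmid }}"
      - "{{ proxmox_dirs.isos }}/{{ vm.boot_image }}"
      - "{{ proxmox_storage }}"
  delegate_to: "{{ vm.node }}"
# … unchanged: attach disk and resize (same argv form), start VM, nmap wait, IP extraction, ssh config, inventory line …
```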


@@ -0,0 +1,11 @@
---
- name: Load vault variables
ansible.builtin.include_vars:
file: "{{ proxmox_vault_file }}"
name: vm_secrets
- name: Create vms
ansible.builtin.include_tasks: 65_create_container.yml
loop: "{{ lxcs }}"
loop_control:
loop_var: "container"
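Review bot: The second task is named `Create vms` although it iterates `lxcs` and includes `65_create_container.yml`; rename it `Create LXC containers`. The vault is re-read here with the same `include_vars` task as in `50_create_vms.yml`; loading it once in `main.yml` before both includes would remove the duplicate.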


@@ -0,0 +1,4 @@
---
- name: Create Container
ansible.builtin.debug:
msg: "{{ container.name }}"
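Review bot: `Create Container` only prints `container.name`, so the task name promises an action the file does not perform; if this is intentional scaffolding, a comment such as `# TODO: placeholder – LXC creation not implemented yet (see community.general.proxmox)` above the task makes that visible to whoever runs the role next.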


@@ -0,0 +1,18 @@
---
- name: Prepare Machines
ansible.builtin.include_tasks: 00_setup_machines.yml
- name: Create VM vault
ansible.builtin.include_tasks: 10_create_secrets.yml
when: is_localhost
- name: Prime node for VM
ansible.builtin.include_tasks: 40_prepare_vm_creation.yml
when: is_proxmox_node
- name: Create VMs
ansible.builtin.include_tasks: 50_create_vms.yml
when: is_localhost
- name: Create LXC containers
ansible.builtin.include_tasks: 60_create_containers.yml
when: is_localhost
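Review bot: Every include after the first is gated on `is_localhost` or `is_proxmox_node`, and an undefined variable in `when` is a hard error, so any host in the play with neither flag set fails the role instead of being skipped; `when: is_localhost | default(false)` (and likewise for `is_proxmox_node`) makes the flags opt-in. Where the two flags are defined is not visible in this diff, so a comment naming their source would help too.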


@@ -0,0 +1,26 @@
proxmox_author: tuan-dat.tran@tudattr.dev
proxmox_creator: ansible
proxmox_storage: proxmox
proxmox_vault_file: ../group_vars/proxmox/secrets_vm.yml
proxmox_secrets_prefix: secrets_vm
proxmox_cloud_init_images:
debian:
name: debian-12-genericcloud-amd64.qcow2
url: https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2
ubuntu:
name: noble-server-cloudimg-amd64.img
url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
proxmox_dirs:
isos: /opt/proxmox/template/iso/
proxmox_tags:
- "{{ proxmox_creator }}"
proxmox_node_dependencies:
- libguestfs-tools
- nmap
- firmware-misc-nonfree
proxmox_localhost_dependencies: []
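Review bot: The file lacks the `---` document start that every task file in this PR has; add it for consistency and yamllint. The Proxmox API endpoint (`192.168.20.12`) and API user (`root@pam`) used by the task files are not defaults here, so they cannot be overridden per inventory; adding e.g. `proxmox_api_host`/`proxmox_api_user` (suggested names) beside `proxmox_storage` would centralise them. `proxmox_dirs.isos` ends in a slash while the task files append `/{{ distro.name }}`, producing `//` in paths; harmless, but drop one. The image entries carry only `name` and `url`; a `checksum` per image would let `42_download_isos.yml` verify what it downloads.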


@@ -18,9 +18,9 @@
} }
tls { tls {
dns netcup { dns netcup {
customer_number {{ vault.netcup.customer_number }} customer_number {{ vault_netcup.customer_number }}
api_key {{ vault.netcup.api_key}} api_key {{ vault_netcup.api_key }}
api_password {{ vault.netcup.api_password }} api_password {{ vault_netcup.api_password }}
} }
propagation_timeout 900s propagation_timeout 900s
propagation_delay 600s propagation_delay 600s