Vendor Galaxy Roles and Collections

ansible_collections/debops/debops/MANIFEST.json

@@ -0,0 +1,50 @@
+{
+ "collection_info": {
+  "namespace": "debops",
+  "name": "debops",
+  "version": "1.0.0",
+  "authors": [
+   "Maciej Delmanowski <drybjed@gmail.com>",
+   "DebOps Developers <debops-users@lists.debops.org>"
+  ],
+  "readme": "README.md",
+  "tags": [
+   "debian",
+   "ubuntu",
+   "linux",
+   "infrastructure",
+   "debops",
+   "sysadmin",
+   "cluster",
+   "datacenter"
+  ],
+  "description": "Your Debian-based data center in a box",
+  "license": [
+   "GPL-3.0-or-later"
+  ],
+  "license_file": null,
+  "dependencies": {
+   "ansible.posix": "*",
+   "ansible.utils": "*",
+   "community.crypto": "*",
+   "community.docker": "*",
+   "community.general": "*",
+   "community.libvirt": "*",
+   "community.mysql": "*",
+   "community.postgresql": "*",
+   "community.rabbitmq": "*"
+  },
+  "repository": "https://github.com/debops/debops",
+  "documentation": "https://docs.debops.org/en/master/ansible/role-index.html",
+  "homepage": "https://debops.org/",
+  "issues": "https://github.com/debops/debops/issues"
+ },
+ "file_manifest_file": {
+  "name": "FILES.json",
+  "ftype": "file",
+  "chksum_type": "sha256",
+  "chksum_sha256": "aade0f4576395cb597f1f5e697f6d8087dfa924603ef01436b5489962583d844",
+  "format": 1
+ },
+ "format": 1
+}

ansible_collections/debops/debops/collections/ansible_collections/debops/debops/CHANGELOG.rst

@@ -0,0 +1,10 @@
+DebOps Collection Changelog
+===========================
+
+Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2023 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This is a "stub" changelog meant for the "ansible-lint" tool which complains if
+a changelog file is not found in an Ansible Collection. The real changelog is
+located in the root of the DebOps repository.

ansible_collections/debops/debops/collections/ansible_collections/debops/debops/galaxy.yml

@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2021-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# A "stub" configuration file for the 'ansible-galaxy' command which ensures
+# that the DebOps monorepo is recognized as an Ansible Collection.
+# Don't use this file to create real Ansible Collections with DebOps content.
+
+namespace: "debops"
+name: "debops"
+version: "1.0.0"
+description: "Your Debian-based data center in a box"
+
+authors:
+  - "Maciej Delmanowski <drybjed@gmail.com>"
+  - "DebOps Developers <debops-users@lists.debops.org>"
+
+repository: "https://github.com/debops/debops"
+documentation: "https://docs.debops.org/en/master/ansible/role-index.html"
+homepage: "https://debops.org/"
+issues: "https://github.com/debops/debops/issues"
+
+readme: "README.md"
+license:
+  - "GPL-3.0-or-later"
+
+tags:
+  - "debian"
+  - "ubuntu"
+  - "linux"
+  - "infrastructure"
+  - "debops"
+  - "sysadmin"
+  - "cluster"
+  - "datacenter"
+
+dependencies:
+  "ansible.posix": "*"
+  "ansible.utils": "*"
+  "community.crypto": "*"
+  "community.docker": "*"
+  "community.general": "*"
+  "community.libvirt": "*"
+  "community.mysql": "*"
+  "community.postgresql": "*"
+  "community.rabbitmq": "*"

ansible_collections/debops/debops/collections/ansible_collections/debops/debops/meta/runtime.yml

@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2023-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The version of ansible-core required to use this collection
+# Ref: https://docs.ansible.com/ansible/latest/dev_guide/developing_collections_structure.html#meta-directory-and-runtime-yml
+requires_ansible: '>=2.16.0'

ansible_collections/debops/debops/collections/ansible_collections/debops/debops/playbooks

@@ -0,0 +1 @@
+../../../../playbooks

ansible_collections/debops/debops/collections/ansible_collections/debops/debops/plugins

@@ -0,0 +1 @@
+../../../../plugins

ansible_collections/debops/debops/collections/ansible_collections/debops/debops/roles

@@ -0,0 +1 @@
+../../../../roles

ansible_collections/debops/debops/debops-contrib-playbooks/README.rst

@@ -0,0 +1,70 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017-2018 Maciej Delmanowski <drybjed@gmail.com>
+.. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+|debops_logo| DebOps Contrib playbooks
+======================================
+
+Ansible playbooks to run `DebOps Contrib <https://github.com/debops-contrib/debops-contrib>`_ roles.
+
+Here are a few services that are available
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+**DNS and Networking**
+
++-------------+----------+------+
+| apt_cacher_ | dnsmasq_ | tor_ |
++-------------+----------+------+
+
+**Fully loaded ready to go applications**
+
++-----------+-----------+----------------+-------+---------------+
+| bitcoind_ | foodsoft_ | homeassistant_ | kodi_ | volkszaehler_ |
++-----------+-----------+----------------+-------+---------------+
+
+**Security**
+
++-----------+
+| Firejail_ |
++-----------+
+
+**Service monitoring and logging**
+
++-------------------+
+| `CheckMK agent`_ |
++-------------------+
+
+**System**
+
++--------+-------+---------------------+
+| BTRFS_ | FUSE_ | `snapshot snapper`_ |
++--------+-------+---------------------+
+
+**Workstations and clients**
+
++----------------+
+| `X2Go Server`_ |
++----------------+
+
+.. |debops_logo| image:: http://debops.org/images/debops-small.png
+
+.. _apt_cacher: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/apt_cacher.yml
+.. _tor: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/tor.yml
+.. _dnsmasq: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/dnsmasq.yml
+
+.. _bitcoind: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/bitcoind.yml
+.. _foodsoft: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/foodsoft.yml
+.. _homeassistant: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/homeassistant.yml
+.. _kodi: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/kodi.yml
+.. _volkszaehler: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/volkszaehler.yml
+
+.. _Firejail: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/firejail.yml
+
+.. _`CheckMK agent`: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/checkmk_agent.yml
+
+.. _BTRFS: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/btrfs.yml
+.. _FUSE: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/fuse.yml
+.. _`snapshot snapper`: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/snapshot_snapper.yml
+
+.. _X2Go Server: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/x2go_server.yml

ansible_collections/debops/debops/debops-contrib-playbooks/service/all.yml

@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Configure APT Cacher NG with AppArmor
+  import_playbook: apt_cacher_ng.yml
+
+- name: Configure Bitcoin Daemon
+  import_playbook: bitcoind.yml
+
+- name: Configure brtfs filesystem
+  import_playbook: btrfs.yml
+
+- name: Configure DNSmasq with AppArmor
+  import_playbook: dnsmasq.yml
+
+- name: Configure Firejail service
+  import_playbook: firejail.yml
+
+- name: Configure Foodsoft application
+  import_playbook: foodsoft.yml
+
+- name: Configure FUSE service
+  import_playbook: fuse.yml
+
+- name: Configure HomeAssistant
+  import_playbook: homeassistant.yml
+
+- name: Configure Kodi application
+  import_playbook: kodi.yml
+
+- name: Configure snapshot-snapper for btrfs
+  import_playbook: snapshot_snapper.yml
+
+- name: Configure Tor Relay
+  import_playbook: tor.yml
+
+- name: Configure Volkszaehler application
+  import_playbook: volkszaehler.yml
+
+- name: Configure X2Go Server
+  import_playbook: x2go_server.yml

ansible_collections/debops/debops/debops-contrib-playbooks/service/apt_cacher_ng.yml

@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+## Basically the same playbook as the one in DebOps core with the difference
+## that this playbook also uses the debops-contrib.apparmor role to configure
+## AppArmor.
+- name: Install and manage the caching HTTP proxy Apt-Cacher NG.
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_contrib_service_apt_cacher_ng' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ apt_cacher_ng__etc_services__dependent_list }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ apt_cacher_ng__apt_preferences__dependent_list }}'
+        - '{{ nginx_apt_preferences_dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apt_cacher_ng__ferm__dependent_rules }}'
+        - '{{ nginx_ferm_dependent_rules }}'
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx_servers:
+        - '{{ apt_cacher_ng__nginx__servers }}'
+      nginx_upstreams:
+        - '{{ apt_cacher_ng__nginx__upstream }}'
+
+    - role: apparmor
+      tags: [ 'role::apparmor' ]
+      apparmor__local_dependent_config: '{{ apt_cacher_ng__apparmor__dependent_config }}'
+      apparmor__tunables_dependent: '{{ apt_cacher_ng__apparmor__tunables_dependent }}'
+
+    - role: apt_cacher_ng
+      tags: [ 'role::apt_cacher_ng' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/bitcoind.yml

@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage bitcoind
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_bitcoind' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ bitcoind__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ bitcoind__ferm__dependent_rules }}'
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::bitcoind' ]
+      keyring__dependent_apt_keys:
+        - '{{ bitcoind__keyring__dependent_apt_keys }}'
+
+    - role: bitcoind
+      tags: [ 'role::bitcoind' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/btrfs.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage Btrfs
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_btrfs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: btrfs
+      tags: [ 'role::btrfs' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/dnsmasq.yml

@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+## Basically the same playbook as the one in DebOps core with the difference
+## that this playbook also uses the debops-contrib.apparmor role to configure
+## AppArmor.
+
+- name: Configure dnsmasq
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_contrib_service_dnsmasq' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dnsmasq environment
+      ansible.builtin.import_role:
+        name: 'dnsmasq'
+        tasks_from: 'main_env'
+      tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dnsmasq__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ dnsmasq__env_tcpwrappers__dependent_allow }}'
+
+    - role: apparmor
+      tags: [ 'role::apparmor' ]
+      apparmor__local_dependent_config: '{{ dnsmasq__apparmor__local_dependent_config }}'
+
+    - role: dnsmasq
+      tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/firejail.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and configure Firejail
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_firejail' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: firejail
+      tags: [ 'role::firejail' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft-nginx.yml

@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage Foodsoft with Nginx as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_foodsoft_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ foodsoft__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ foodsoft__mariadb__dependent_users }}'
+      when: (foodsoft__database == 'mariadb')
+
+    - role: ruby
+      tags: [ 'role::ruby' ]
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx__dependent_servers:
+        - '{{ foodsoft__nginx__dependent_servers }}'
+
+    - role: foodsoft
+      tags: [ 'role::foodsoft' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft.yml

@@ -0,0 +1,7 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install and configure Foodsoft
+  import_playbook: foodsoft-nginx.yml

ansible_collections/debops/debops/debops-contrib-playbooks/service/fuse.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install and configure Filesystem in Userspace (FUSE)
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_fuse' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fuse
+      tags: [ 'role::fuse' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-nginx.yml

@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage Home Assistant with Nginx as reverse proxy
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_homeassistant_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare homeassistant environment
+      ansible.builtin.import_role:
+        name: 'homeassistant'
+        tasks_from: 'main_env'
+      tags: [ 'role::homeassistant', 'role::nginx' ]
+
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ homeassistant__nginx__dependent_upstreams }}'
+      nginx__dependent_htpasswd:
+        - '{{ homeassistant__nginx__dependent_htpasswd }}'
+      nginx__dependent_servers:
+        - '{{ homeassistant__nginx__dependent_servers }}'
+
+    - role: homeassistant
+      tags: [ 'role::homeassistant' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-plain.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage Home Assistant
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_homeassistant' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: homeassistant
+      tags: [ 'role::homeassistant' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant.yml

@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup HomeAssistant as standalone
+  import_playbook: homeassistant-plain.yml
+
+- name: Setup HomeAssistant behind nginx
+  import_playbook: homeassistant-nginx.yml

ansible_collections/debops/debops/debops-contrib-playbooks/service/kodi.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage Kodi
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_kodi' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: kodi
+      tags: [ 'role::kodi' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/snapshot_snapper.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Configure volume snapshots with snapper
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_snapshot_snapper' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: snapshot_snapper
+      tags: [ 'role::snapshot_snapper' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/tor.yml

@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage Tor relay
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_tor' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::tor' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ tor__ferm__dependent_rules }}'
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades' ]
+      unattended_upgrades__dependent_origins: '{{ tor__unattended_upgrades__dependent_origins }}'
+
+    - role: tor
+      tags: [ 'role::tor' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-apache.yml

@@ -0,0 +1,72 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage volkszaehler with Apache as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_volkszaehler_apache' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare volkszaehler environment
+      ansible.builtin.import_role:
+        name: 'volkszaehler'
+        tasks_from: 'main_env'
+      tags: [ 'role::volkszaehler', 'role::volkszaehler:env', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+    - name: Prepare apache environment
+      ansible.builtin.import_role:
+        name: 'apache'
+        tasks_from: 'main_env'
+      tags: [ 'role::apache', 'role::apache:env' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apache__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ volkszaehler__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ volkszaehler__mariadb__dependent_users }}'
+      when: (volkszaehler__database == 'mariadb')
+
+    - role: php
+      tags: [ 'role::php' ]
+      php__dependent_packages:
+        - '{{ volkszaehler__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ volkszaehler__php__dependent_pools }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: apache
+      tags: [ 'role::apache' ]
+      apache__dependent_vhosts:
+        - '{{ volkszaehler__apache__dependent_vhosts }}'
+
+    - role: volkszaehler
+      tags: [ 'role::volkszaehler' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-nginx.yml

@@ -0,0 +1,69 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage volkszaehler with Nginx as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_volkszaehler_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare volkszaehler environment
+      ansible.builtin.import_role:
+        name: 'volkszaehler'
+        tasks_from: 'main_env'
+      tags: [ 'role::volkszaehler', 'role::volkszaehler:env', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ volkszaehler__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ volkszaehler__mariadb__dependent_users }}'
+      when: (volkszaehler__database == 'mariadb')
+
+    - role: php
+      tags: [ 'role::php' ]
+      php__dependent_packages:
+        - '{{ volkszaehler__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ volkszaehler__php__dependent_pools }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ volkszaehler__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ volkszaehler__nginx__dependent_servers }}'
+
+    - role: volkszaehler
+      tags: [ 'role::volkszaehler' ]

ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler.yml

@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Deploy volkszaehler with Apache
+  import_playbook: volkszaehler-apache.yml
+
+- name: Deploy volkszehler with nginx
+  import_playbook: volkszaehler-nginx.yml

ansible_collections/debops/debops/debops-contrib-playbooks/service/x2go_server.yml

@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage the server-side of X2Go
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_x2go_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::x2go_server' ]
+      keyring__dependent_apt_keys:
+        - '{{ x2go_server__keyring__dependent_apt_keys }}'
+
+    - role: x2go_server
+      tags: [ 'role::x2go_server' ]

ansible_collections/debops/debops/playbooks/COPYRIGHT

@@ -0,0 +1,20 @@
+debops-playbooks - Set of Ansible playbooks for DebOps Project
+
+Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.

ansible_collections/debops/debops/playbooks/bootstrap-ldap.yml

@@ -0,0 +1,202 @@
+---
+# Copyright (C) 2019-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to bootstrap new Debian/Ubuntu host to be used with
+# LDAP environment. It will automatically enable LDAP support and prepare
+# secure access to the LDAP directory, including PAM/NSS and SSH key lookups.
+#
+# The configuration applied by this playbook is minimal, just enough to be able
+# to login via SSH using information gathered from LDAP. You should apply the
+# DebOps 'common.yml' playbook on a host afterwards to complete the initial
+# configuration, for example firewall/TCP Wrappers setup.
+#
+# Note that an alternative is provided by bootstrap-sss which relies on the
+# sssd daemon rather than the nslcd/nscd daemons.
+#
+# Usage:
+# To connect directly as root, run:
+#
+#     debops bootstrap-ldap -u root -k --limit host
+#
+# To connect as normal user and switch to sudo, run:
+#
+#     debops bootstrap-ldap --become --limit host
+
+
+- name: Bootstrap Python support on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  strategy: linear
+  gather_facts: False
+  become: True
+
+  tasks:
+
+    - name: Initialize Ansible support via raw tasks
+      ansible.builtin.import_role:
+        name: 'python'
+        tasks_from: 'main_raw'
+      tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ]
+
+
+- name: Bootstrap APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: 'service/core.yml'
+
+
+- name: Bootstrap host for Ansible management with LDAP
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+
+    # Automatically enable LDAP support on new hosts
+    ldap__enabled: True
+
+  pre_tasks:
+
+    - name: Prepare pki environment
+      ansible.builtin.import_role:
+        name: 'pki'
+        tasks_from: 'main_env'
+      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
+
+    - name: Prepare sshd environment
+      ansible.builtin.import_role:
+        name: 'sshd'
+        tasks_from: 'main_env'
+      tags: [ 'role::sshd', 'role::ldap' ]
+
+  roles:
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: secret
+      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
+      secret_directories:
+        - '{{ pki_env_secret_directories }}'
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+        - '{{ yadm__apt_preferences__dependent_list }}'
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]
+
+    - role: pki
+      tags: [ 'role::pki', 'skip::pki' ]
+
+    - role: machine
+      tags: [ 'role::machine', 'skip::machine' ]
+
+    # LDAP client initialization should be done separately to prepare local
+    # facts for other roles to use in configuration.
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ nslcd__ldap__dependent_tasks }}'
+        - '{{ sudo__ldap__dependent_tasks }}'
+        - '{{ sshd__ldap__dependent_tasks }}'
+
+    - role: nslcd
+      tags: [ 'role::nslcd', 'skip::nslcd' ]
+      when: (ansible_local.ldap.posix_enabled | d()) | bool
+
+    - role: nscd
+      tags: [ 'role::nscd', 'skip::nscd' ]
+      when: (ansible_local.ldap.posix_enabled | d()) | bool
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
+      keyring__dependent_gpg_keys:
+        - '{{ yadm__keyring__dependent_gpg_keys }}'
+
+    - role: yadm
+      tags: [ 'role::yadm', 'skip::yadm' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ]
+      sudo__dependent_sudoers:
+        - '{{ sshd__sudo__dependent_sudoers }}'
+
+    # The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running
+    # this role after 'debops.sudo' role skips additional changes done in the
+    # configuration later on.
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+      nsswitch__dependent_services:
+        - '{{ nslcd__nsswitch__dependent_services }}'
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
+      pam_access__dependent_rules:
+        - '{{ sshd__pam_access__dependent_rules }}'
+
+    - role: sshd
+      tags: [ 'role::sshd', 'skip::sshd' ]

ansible_collections/debops/debops/playbooks/bootstrap-sss.yml

@@ -0,0 +1,200 @@
+---
+# Copyright (C) 2019-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to bootstrap new Debian/Ubuntu host to be used with
+# LDAP environment. It will automatically enable LDAP support and prepare
+# secure access to the LDAP directory, including PAM/NSS and SSH key lookups.
+#
+# The configuration applied by this playbook is minimal, just enough to be able
+# to login via SSH using information gathered from LDAP. You should apply the
+# DebOps 'common.yml' playbook on a host afterwards to complete the initial
+# configuration, for example firewall/TCP Wrappers setup.
+#
+# Note that this playbook is an alternative to the bootstrap-ldap playbook,
+# which sets up the target system with nslcd/nscd integration, whereas this
+# playbook instead relies on sssd (but should otherwise be identical).
+#
+# Usage:
+# To connect directly as root, run:
+#
+#     debops bootstrap-sss -u root -k --limit host
+#
+# To connect as normal user and switch to sudo, run:
+#
+#     debops bootstrap-sss --become --limit host
+
+
+- name: Bootstrap Python support on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  strategy: linear
+  gather_facts: False
+  become: True
+
+  tasks:
+
+    - name: Initialize Ansible support via raw tasks
+      ansible.builtin.import_role:
+        name: 'python'
+        tasks_from: 'main_raw'
+      tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ]
+
+
+- name: Bootstrap APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: 'service/core.yml'
+
+
+- name: Bootstrap host for Ansible management with LDAP
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+
+    # Automatically enable LDAP support on new hosts
+    ldap__enabled: True
+
+  pre_tasks:
+
+    - name: Prepare pki environment
+      ansible.builtin.import_role:
+        name: 'pki'
+        tasks_from: 'main_env'
+      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
+
+    - name: Prepare sshd environment
+      ansible.builtin.import_role:
+        name: 'sshd'
+        tasks_from: 'main_env'
+      tags: [ 'role::sshd', 'role::ldap' ]
+
+  roles:
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: secret
+      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
+      secret_directories:
+        - '{{ pki_env_secret_directories }}'
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+        - '{{ yadm__apt_preferences__dependent_list }}'
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]
+
+    - role: pki
+      tags: [ 'role::pki', 'skip::pki' ]
+
+    - role: machine
+      tags: [ 'role::machine', 'skip::machine' ]
+
+    # LDAP client initialization should be done separately to prepare local
+    # facts for other roles to use in configuration.
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sudo__ldap__dependent_tasks }}'
+        - '{{ sshd__ldap__dependent_tasks }}'
+        - '{{ sssd__ldap__dependent_tasks }}'
+
+    - role: sssd
+      tags: [ 'role::sssd', 'skip::sssd' ]
+      when: ansible_local.ldap.posix_enabled | d() | bool
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
+      keyring__dependent_gpg_keys:
+        - '{{ yadm__keyring__dependent_gpg_keys }}'
+
+    - role: yadm
+      tags: [ 'role::yadm', 'skip::yadm' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ]
+      sudo__dependent_sudoers:
+        - '{{ sshd__sudo__dependent_sudoers }}'
+
+    # The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running
+    # this role after 'debops.sudo' role skips additional changes done in the
+    # configuration later on.
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+      nsswitch__dependent_services:
+        - '{{ sssd__nsswitch__dependent_services }}'
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
+      pam_access__dependent_rules:
+        - '{{ sshd__pam_access__dependent_rules }}'
+
+    - role: sshd
+      tags: [ 'role::sshd', 'skip::sshd' ]

ansible_collections/debops/debops/playbooks/bootstrap.yml

@@ -0,0 +1,113 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to bootstrap freshly installed minimal Debian
+# system for Ansible management. The expected state the host:
+#   - host is already configured in Ansible inventory/hosts file;
+#   - local user has prepared SSH key pair in RSA format;
+#   - host has OpenSSH server installed;
+#
+# Modifications that will be made on the host:
+#   - playbook will install Python support with some essential software;
+#   - a system 'admins' group will be created for users who have administrator
+#     privileges (full sudo permissions);
+#   - a system administrator account will be created and added to the 'admins'
+#     group; If you are connecting directly as root, this account will be named
+#     after your local user account, otherwise it will be named after the user
+#     you are connecting as (option `-u` or ansible_ssh_user from some config- or
+#     inventory-file).
+#   - no passwords are set or modified on any account;
+#   - if set, playbook will configure hostname and domain on the host using
+#     'inventory_hostname' and 'netbase__domain' variables;
+#
+# Usage:
+# To connect directly as root, run:
+#
+#     debops bootstrap -u root -k --limit host
+#
+# To connect as normal user and switch to sudo, run:
+#
+#     debops bootstrap --become --limit host
+
+
+- name: Bootstrap Python support on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  strategy: linear
+  gather_facts: False
+  become: True
+
+  tasks:
+
+    - name: Initialize Ansible support via raw tasks
+      ansible.builtin.import_role:
+        name: 'python'
+        tasks_from: 'main_raw'
+      tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ]
+
+
+- name: Bootstrap APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: 'service/core.yml'
+
+
+- name: Bootstrap host for Ansible management
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ]
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]

ansible_collections/debops/debops/playbooks/common.yml

@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This is a stub playbook to allow execution of the common playbook directly,
+# for backwards compatibility.
+- name: Apply common configuration on hosts
+  import_playbook: 'layer/common.yml'

ansible_collections/debops/debops/playbooks/layer/agent.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2019-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Filebeat service
+  import_playbook: '../service/filebeat.yml'
+
+- name: Configure Metricbeat service
+  import_playbook: '../service/metricbeat.yml'
+
+- name: Configure GitLab Runner service
+  import_playbook: '../service/gitlab_runner.yml'
+
+- name: Configure Telegraf service
+  import_playbook: '../service/telegraf.yml'
+
+- name: Configure Zabbix Agent
+  import_playbook: '../service/zabbix_agent.yml'

ansible_collections/debops/debops/playbooks/layer/app.yml

@@ -0,0 +1,67 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure SKS Keyserver service
+  import_playbook: '../service/sks.yml'
+
+- name: Configure iPXE service
+  import_playbook: '../service/ipxe.yml'
+
+- name: Configure backup2l service
+  import_playbook: '../service/backup2l.yml'
+
+- name: Configure rsnapshot service
+  import_playbook: '../service/rsnapshot.yml'
+
+- name: Configure Mailman service
+  import_playbook: '../service/mailman.yml'
+
+- name: Configure Miniflux service
+  import_playbook: '../service/miniflux.yml'
+
+- name: Configure LibreNMS application
+  import_playbook: '../service/librenms.yml'
+
+- name: Configure DokuWiki application
+  import_playbook: '../service/dokuwiki.yml'
+
+- name: Configure NetBox application
+  import_playbook: '../service/netbox.yml'
+
+- name: Configure Etherpad application
+  import_playbook: '../service/etherpad.yml'
+
+- name: Configure Debian Preseed service
+  import_playbook: '../service/preseed.yml'
+
+- name: Configure ownCloud/Nextcloud application
+  import_playbook: '../service/owncloud.yml'
+
+- name: Configure phpMyAdmin application
+  import_playbook: '../service/phpmyadmin.yml'
+
+- name: Configure phpIPAM application
+  import_playbook: '../service/phpipam.yml'
+
+- name: Configure RStudio Server service
+  import_playbook: '../service/rstudio_server.yml'
+
+- name: Configure GitLab Omnibus application
+  import_playbook: '../service/gitlab.yml'
+
+- name: Configure Ansible tool
+  import_playbook: '../service/ansible.yml'
+
+- name: Configure Ansible Controller environment
+  import_playbook: '../service/controller.yml'
+
+- name: Configure Roundcube application
+  import_playbook: '../service/roundcube.yml'
+
+- name: Configure IMAP Proxy service
+  import_playbook: '../service/imapproxy.yml'
+
+- name: Configure Debconf-based application packages
+  import_playbook: '../service/debconf.yml'

ansible_collections/debops/debops/playbooks/layer/common.yml

@@ -0,0 +1,273 @@
+---
+# Copyright (C) 2013-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Security assertions
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'all' ]
+  tags: [ 'play::security-assertions' ]
+  gather_facts: False
+  become: False
+
+  tasks:
+
+    - name: Check for Ansible version without known vulnerabilities
+      ansible.builtin.assert:
+        that:
+          - 'ansible_version.full is version_compare("2.1.5.0", ">=")'
+          - '((ansible_version.minor == 2) and
+              (ansible_version.full is version_compare("2.2.2.0", ">="))) or
+             (ansible_version.minor != 2)'
+        msg: |
+          VULNERABLE or unsupported Ansible version DETECTED, please update to
+          Ansible >= v2.1.5 or a newer Ansible release >= v2.2.2! To skip, add
+          "--skip-tags play::security-assertions" parameter. Check the
+          debops-playbook changelog for details. Exiting.
+      run_once: True
+      delegate_to: 'localhost'
+
+- name: Prepare APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', '!debops_no_common' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: '../service/core.yml'
+
+
+- name: Common configuration for all hosts
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', '!debops_no_common' ]
+  gather_facts: True
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare nullmailer environment
+      ansible.builtin.import_role:
+        name: 'nullmailer'
+        tasks_from: 'main_env'
+      tags: [ 'role::nullmailer', 'role::ferm', 'role::tcpwrappers' ]
+
+    - name: Prepare pki environment
+      ansible.builtin.import_role:
+        name: 'pki'
+        tasks_from: 'main_env'
+      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
+
+    - name: Prepare sshd environment
+      ansible.builtin.import_role:
+        name: 'sshd'
+        tasks_from: 'main_env'
+      tags: [ 'role::sshd', 'role::ldap' ]
+
+  roles:
+
+    - role: debops_fact
+      tags: [ 'role::debops_fact', 'skip::debops_fact' ]
+
+    - role: environment
+      tags: [ 'role::environment', 'skip::environment' ]
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: secret
+      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
+      secret_directories:
+        - '{{ pki_env_secret_directories }}'
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+        - '{{ apt_install__apt_preferences__dependent_list }}'
+        - '{{ yadm__apt_preferences__dependent_list }}'
+
+    - role: tzdata
+      tags: [ 'role::tzdata', 'skip::tzdata' ]
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]
+
+    - role: pki
+      tags: [ 'role::pki', 'skip::pki' ]
+
+    - role: machine
+      tags: [ 'role::machine', 'skip::machine' ]
+
+    - role: lldpd
+      tags: [ 'role::lldpd', 'skip::lldpd' ]
+
+    # LDAP client initialization should be done separately to prepare local
+    # facts for other roles to use in configuration.
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ nullmailer__ldap__dependent_tasks }}'
+        - '{{ sudo__ldap__dependent_tasks }}'
+        - '{{ sshd__ldap__dependent_tasks }}'
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
+      keyring__dependent_gpg_keys:
+        - '{{ yadm__keyring__dependent_gpg_keys }}'
+
+    - role: yadm
+      tags: [ 'role::yadm', 'skip::yadm' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo' ]
+      sudo__dependent_sudoers:
+        - '{{ sshd__sudo__dependent_sudoers }}'
+
+    # The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running
+    # this role after 'debops.sudo' role skips additional changes done in the
+    # configuration later on.
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+
+    - role: root_account
+      tags: [ 'role::root_account', 'skip::root_account' ]
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
+      pam_access__dependent_rules:
+        - '{{ sshd__pam_access__dependent_rules }}'
+
+    - role: apt_listchanges
+      tags: [ 'role::apt_listchanges', 'skip::apt_listchanges' ]
+
+    - role: apt_install
+      tags: [ 'role::apt_install', 'skip::apt_install' ]
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ resolved__etc_services__dependent_list }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ rsyslog__logrotate__dependent_config }}'
+
+    - role: auth
+      tags: [ 'role::auth', 'skip::auth' ]
+
+    - role: users
+      tags: [ 'role::users', 'skip::users' ]
+
+    - role: mount
+      tags: [ 'role::mount', 'skip::mount' ]
+
+    - role: resources
+      tags: [ 'role::resources', 'skip::resources' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nullmailer__ferm__dependent_rules }}'
+        - '{{ rsyslog__ferm__dependent_rules }}'
+        - '{{ sshd__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers_dependent_allow:
+        - '{{ nullmailer__tcpwrappers__dependent_allow }}'
+        - '{{ sshd__tcpwrappers__dependent_allow }}'
+
+    - role: locales
+      tags: [ 'role::locales', 'skip::locales' ]
+
+    - role: proc_hidepid
+      tags: [ 'role::proc_hidepid', 'skip::proc_hidepid' ]
+
+    - role: console
+      tags: [ 'role::console', 'skip::console' ]
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+
+    - role: nullmailer
+      tags: [ 'role::nullmailer', 'skip::nullmailer' ]
+
+    - role: systemd
+      tags: [ 'role::systemd', 'skip::systemd' ]
+
+    - role: timesyncd
+      tags: [ 'role::timesyncd', 'skip::timesyncd' ]
+
+    - role: journald
+      tags: [ 'role::journald', 'skip::journald' ]
+
+    - role: rsyslog
+      tags: [ 'role::rsyslog', 'skip::rsyslog' ]
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
+
+    - role: authorized_keys
+      tags: [ 'role::authorized_keys', 'skip::authorized_keys' ]
+
+    - role: sshd
+      tags: [ 'role::sshd', 'skip::sshd' ]
+
+    - role: apt_mark
+      tags: [ 'role::apt_mark', 'skip::apt_mark' ]

ansible_collections/debops/debops/playbooks/layer/env.yml

@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage NodeJS environment
+  import_playbook: '../service/nodejs.yml'
+
+- name: Manage Ruby environment
+  import_playbook: '../service/ruby.yml'
+
+- name: Manage Go language environment
+  import_playbook: '../service/golang.yml'
+
+- name: Manage Java environment
+  import_playbook: '../service/java.yml'
+
+- name: Manage CRAN APT repositories
+  import_playbook: '../service/cran.yml'
+
+- name: Manage PHP environment
+  import_playbook: '../service/php.yml'
+
+- name: Manage fcgiwrap service
+  import_playbook: '../service/fcgiwrap.yml'
+
+- name: Manage WordPress CLI tool
+  import_playbook: '../service/wpcli.yml'

ansible_collections/debops/debops/playbooks/layer/hw.yml

@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Hardware RAID monitoring
+  import_playbook: '../service/hwraid.yml'
+
+- name: Configure GRUB bootloader
+  import_playbook: '../service/grub.yml'

ansible_collections/debops/debops/playbooks/layer/net.yml

@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure network interfaces via networkd
+  import_playbook: '../service/networkd.yml'
+
+- name: Configure network interfaces via ifupdown
+  import_playbook: '../service/ifupdown.yml'
+
+- name: Configure IPv6 Router Advertisement daemon
+  import_playbook: '../service/radvd.yml'
+
+- name: Configure ISC DHCP daemon
+  import_playbook: '../service/dhcpd.yml'
+
+- name: Configure NTP service
+  import_playbook: '../service/ntp.yml'
+
+- name: Configure unbound service
+  import_playbook: '../service/unbound.yml'
+
+- name: Configure DNSmasq service
+  import_playbook: '../service/dnsmasq.yml'
+
+- name: Configure Tinc VPN service
+  import_playbook: '../service/tinc.yml'
+
+- name: Configure ISC DHCP Relay service
+  import_playbook: '../service/dhcrelay.yml'
+
+- name: Configure DHCP Probe service
+  import_playbook: '../service/dhcp_probe.yml'
+
+- name: Configure SSL Tunnel service
+  import_playbook: '../service/stunnel.yml'
+
+- name: Configure keepalived service
+  import_playbook: '../service/keepalived.yml'
+
+- name: Configure Avahi service
+  import_playbook: '../service/avahi.yml'

ansible_collections/debops/debops/playbooks/layer/srv.yml

@@ -0,0 +1,175 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure /etc/aliases database
+  import_playbook: '../service/etc_aliases.yml'
+
+- name: Configure etesync service
+  import_playbook: '../service/etesync.yml'
+
+- name: Install HashiCorp applications
+  import_playbook: '../service/hashicorp.yml'
+
+- name: Configure APT-Cacher-NG service
+  import_playbook: '../service/apt_cacher_ng.yml'
+
+- name: Configure APT mirror service
+  import_playbook: '../service/apt_mirror.yml'
+
+- name: Configure docker-gen service
+  import_playbook: '../service/docker_gen.yml'
+
+- name: Configure gunicorn service
+  import_playbook: '../service/gunicorn.yml'
+
+- name: Configure Postfix SMTP server
+  import_playbook: '../service/postfix.yml'
+
+- name: Configure saslauthd service
+  import_playbook: '../service/saslauthd.yml'
+
+- name: Configure Dovecot IMAP/POP3 server
+  import_playbook: '../service/dovecot.yml'
+
+- name: Configure postscreen Postfix service
+  import_playbook: '../service/postscreen.yml'
+
+- name: Configure Postwhite Postfix service
+  import_playbook: '../service/postwhite.yml'
+
+- name: Manage Postfix service configuration
+  import_playbook: '../service/postconf.yml'
+
+- name: Configure Postfix LDAP support
+  import_playbook: '../service/postldap.yml'
+
+- name: Configure OpenDKIM service
+  import_playbook: '../service/opendkim.yml'
+
+- name: Configure Apache webserver
+  import_playbook: '../service/apache.yml'
+
+- name: Configure nginx webserver
+  import_playbook: '../service/nginx.yml'
+
+- name: Configure Mosquitto service
+  import_playbook: '../service/mosquitto.yml'
+
+- name: Configure SNMP daemon
+  import_playbook: '../service/snmpd.yml'
+
+- name: Configure Monit service
+  import_playbook: '../service/monit.yml'
+
+- name: Configure TFTP daemon
+  import_playbook: '../service/tftpd.yml'
+
+- name: Configure Samba service
+  import_playbook: '../service/samba.yml'
+
+- name: Configure TGT, userspace iSCSI client
+  import_playbook: '../service/tgt.yml'
+
+- name: Configure MariaDB/MySQL database
+  import_playbook: '../service/mariadb_server.yml'
+
+- name: Configure MariaDB/MySQL client
+  import_playbook: '../service/mariadb.yml'
+
+- name: Configure PostgreSQL service
+  import_playbook: '../service/postgresql_server.yml'
+
+- name: Configure PostgreSQL client
+  import_playbook: '../service/postgresql.yml'
+
+- name: Configure Elastic APT repositories
+  import_playbook: '../service/elastic_co.yml'
+
+- name: Configure Elasticsearch database
+  import_playbook: '../service/elasticsearch.yml'
+
+- name: Configure Kibana service
+  import_playbook: '../service/kibana.yml'
+
+- name: Configure InfluxData APT repositories
+  import_playbook: '../service/influxdata.yml'
+
+- name: Configure InfluxDB database
+  import_playbook: '../service/influxdb_server.yml'
+
+- name: Configure InfluxDB client
+  import_playbook: '../service/influxdb.yml'
+
+- name: Configure Icinga 2 service
+  import_playbook: '../service/icinga.yml'
+
+- name: Configure Icinga 2 database
+  import_playbook: '../service/icinga_db.yml'
+
+- name: Configure Icinga 2 Web frontend
+  import_playbook: '../service/icinga_web.yml'
+
+- name: Configure RabbitMQ service
+  import_playbook: '../service/rabbitmq_server.yml'
+
+- name: Configure RabbitMQ management webconsole
+  import_playbook: '../service/rabbitmq_management.yml'
+
+- name: Configure memcached service
+  import_playbook: '../service/memcached.yml'
+
+- name: Configure Redis database
+  import_playbook: '../service/redis_server.yml'
+
+- name: Configure Redis Sentinel service
+  import_playbook: '../service/redis_sentinel.yml'
+
+- name: Configure MinIO service
+  import_playbook: '../service/minio.yml'
+
+- name: Configure MinIO Client
+  import_playbook: '../service/mcli.yml'
+
+- name: Configure Docker Registry service
+  import_playbook: '../service/docker_registry.yml'
+
+- name: Configure reprepro APT repository
+  import_playbook: '../service/reprepro.yml'
+
+- name: Configure SMS Gateway service
+  import_playbook: '../service/smstools.yml'
+
+- name: Install Salt Master service
+  import_playbook: '../service/salt.yml'
+
+- name: Configure Fail2ban service
+  import_playbook: '../service/fail2ban.yml'
+
+- name: Configure Prosody XMPP server
+  import_playbook: '../service/prosody.yml'
+
+- name: Configure FreeRADIUS service
+  import_playbook: '../service/freeradius.yml'
+
+- name: Configure Tinyproxy service
+  import_playbook: '../service/tinyproxy.yml'
+
+- name: Configure libuser library
+  import_playbook: '../service/libuser.yml'
+
+- name: Configure MiniDLNA service
+  import_playbook: '../service/minidlna.yml'
+
+- name: Configure PowerDNS service
+  import_playbook: '../service/pdns.yml'
+
+- name: Configure BIND DNS server
+  import_playbook: '../service/bind.yml'
+
+- name: Configure rspamd service
+  import_playbook: '../service/rspamd.yml'
+
+- name: Configure OpenSearch database
+  import_playbook: '../service/opensearch.yml'

ansible_collections/debops/debops/playbooks/layer/sys.yml

@@ -0,0 +1,64 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure mount points
+  import_playbook: '../service/mount.yml'
+
+- name: Configure network information database
+  import_playbook: '../service/netbase.yml'
+
+- name: Configure sysnews service
+  import_playbook: '../service/sysnews.yml'
+
+- name: Configure kernel modules
+  import_playbook: '../service/kmod.yml'
+
+- name: Configure sysfs attributes
+  import_playbook: '../service/sysfs.yml'
+
+- name: Configure swap files
+  import_playbook: '../service/swapfile.yml'
+
+- name: Configure LVM subsystem
+  import_playbook: '../service/lvm.yml'
+
+- name: Configure NFS server service
+  import_playbook: '../service/nfs_server.yml'
+
+- name: Configure NFS client service
+  import_playbook: '../service/nfs.yml'
+
+- name: Configure gitusers environment
+  import_playbook: '../service/gitusers.yml'
+
+- name: Configure OpenLDAP service
+  import_playbook: '../service/slapd.yml'
+
+- name: Configure nslcd service
+  import_playbook: '../service/nslcd.yml'
+
+- name: Configure nscd service
+  import_playbook: '../service/nscd.yml'
+
+- name: Configure sssd service
+  import_playbook: '../service/sssd.yml'
+
+- name: Configure iSCSI devices
+  import_playbook: '../service/iscsi.yml'
+
+- name: Configure cryptsetup subsystem
+  import_playbook: '../service/cryptsetup.yml'
+
+- name: Configure QubesOS persistent paths
+  import_playbook: '../service/persistent_paths.yml'
+
+- name: Configure external APT repositories
+  import_playbook: '../service/extrepo.yml'
+
+- name: Configure NeuroDebian APT repository
+  import_playbook: '../service/neurodebian.yml'
+
+- name: Configure dropbear SSH server in initramfs
+  import_playbook: '../service/dropbear_initramfs.yml'

ansible_collections/debops/debops/playbooks/layer/systemd.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure system and service manager
+  import_playbook: '../service/systemd.yml'
+
+- name: Configure system journal and log service
+  import_playbook: '../service/journald.yml'
+
+- name: Configure network manager service
+  import_playbook: '../service/networkd.yml'
+
+- name: Configure time synchronization service
+  import_playbook: '../service/timesyncd.yml'
+
+- name: Configure system resolver
+  import_playbook: '../service/resolved.yml'

ansible_collections/debops/debops/playbooks/layer/virt.yml

@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure LXC service
+  import_playbook: '../service/lxc.yml'
+
+- name: Configure LXD service
+  import_playbook: '../service/lxd.yml'
+
+- name: Configure Docker Engine service
+  import_playbook: '../service/docker_server.yml'
+
+- name: Configure libvirt daemon service
+  import_playbook: '../service/libvirtd.yml'
+
+- name: Configure libvirt qemu support
+  import_playbook: '../service/libvirtd_qemu.yml'
+
+- name: Configure libvirt client environment
+  import_playbook: '../service/libvirt.yml'

ansible_collections/debops/debops/playbooks/ldap/get-uuid.yml

@@ -0,0 +1,75 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# DebOps uses the "to_uuid" Ansible filter to convert LDAP Distinguished Names
+# to UUID strings that are safe to use in shell and store in the filesystem.
+# This playbook can be used to convert Distinguished Names to UUID strings to
+# help locate specific data about a particular Distinguished Name, for example
+# a password stored in the 'secret/ldap/credentials/' directory or in the
+# 'pass' database.
+#
+# To use this playbook, it is best to apply it against a specific host that is
+# configured to use LDAP via the 'ldap' Ansible role. If that's not the case,
+# the playbook will still work, however the resulting UUIDs might not be
+# correct.
+#
+# Remember to specify Distinguished Name attributes separated by commas,
+# without spaces between them. For example, don't use:
+#
+#     uid=user, ou=People, dc=example, dc=org
+#
+# Specify the DN as:
+#
+#     uid=user,ou=People,dc=example,dc=org
+#
+# Usage: debops ldap/get-uuid -l ldap-host
+
+
+- name: Convert LDAP Distinguished Name to UUID
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'all' ]
+  serial: '1'
+  gather_subset: [ '!all' ]
+
+  vars:
+
+    # LDAP base Distinguished Name
+    ldap_base_dn: '{{ ansible_local.ldap.base_dn
+                      if (ansible_local.ldap.base_dn | d())
+                      else (ansible_domain.split(".")
+                            | map("regex_replace", "^(.*)$", "dc=\1")
+                            | list) }}'
+
+    # Relative Distinguished Name of the LDAP object that contains the personal
+    # user accounts
+    ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
+
+    # Relative Distinguished Name of an user account to convert to an UUID
+    person_rdn: 'uid={{ person_uid.user_input }}'
+
+    # Distinguished Name of an LDAP object to convert to an UUID
+    object_dn: '{{ (([ person_rdn, ldap_people_rdn ] + ldap_base_dn) | join(","))
+                   if person_uid.user_input | d()
+                   else object_dn_string.user_input }}'
+
+  tasks:
+
+    - name: Get the UUID of an user account based on uid
+      ansible.builtin.pause:
+        prompt: 'uid (case-sensitive)'
+      register: person_uid
+
+    - name: Get the UUID of a Distinguished Name
+      ansible.builtin.pause:
+        prompt: 'dn (case-sensitive)'
+      register: object_dn_string
+      when: not person_uid.user_input | d()
+
+    - name: LDAP object information
+      ansible.builtin.debug:
+        msg: '{{ {"DN:": object_dn,
+                  "UUID:": (object_dn | to_uuid)} }}'
+      when: object_dn | d()

ansible_collections/debops/debops/playbooks/ldap/init-directory.yml

@@ -0,0 +1,155 @@
+---
+# Copyright (C) 2019-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Initialize new LDAP directory
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_slapd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars_prompt:
+
+    - name: 'admin_input_plaintext_password'
+      prompt: 'New password for your LDAP user account (enter=random)'
+      default: ''
+      private: True
+
+    - name: 'admin_use_password_store'
+      default: 'yes'
+      prompt: 'Use Password Store? (default=yes)'
+
+  vars:
+
+    # Username of the current Ansible user on the Ansible Controller
+    admin_user: '{{ lookup("env", "USER") }}'
+
+    # Information from the 'passwd' database for the current user on the
+    # Ansible Controller
+    admin_gecos: '{{ getent_passwd[admin_user][3] | d() }}'
+
+    # SSH public keys in the 'ssh-agent'
+    admin_sshkeys: '{{ lookup("pipe", "ssh-add -L | grep ^\\\(sk-\\\)\\\?ssh || cat ~/.ssh/*.pub || true").split("\n") }}'
+
+    # Plaintext administrator password. If no password has been provided,
+    # a random password will be generated and stored either in a file or
+    # in the Password Store on the Ansible Controller. If a password has
+    # been provided and the Password Store is not used, the password will
+    # not be stored.
+    admin_plaintext_password: '{{ admin_input_plaintext_password
+                                  if admin_input_plaintext_password | d()
+                                  else (lookup("password", "/dev/null length=32")
+                                        if admin_use_password_store | d(True) | bool
+                                        else
+                                        lookup("password",
+                                               secret + "/ldap/credentials/"
+                                               + admin_dn | to_uuid
+                                               + ".password length=32")) }}'
+
+    # This variable is used to store the administrator password in the Password
+    # Store on the Ansible Controller, if requested
+    admin_saved_password: '{{ lookup("passwordstore",
+                                     ldap__admin_passwordstore_path
+                                     + "/" + admin_dn | to_uuid
+                                     + " create=true overwrite=true userpass="
+                                     + admin_plaintext_password) }}'
+
+    # The Relative Distinguished Name of the administrator account in the LDAP
+    # directory
+    admin_rdn: 'uid={{ admin_user }}'
+
+    # The Distinguished Name of the administrator account
+    admin_dn: '{{ ([ admin_rdn, ldap__people_rdn ] + ldap__base_dn) | join(",") }}'
+
+    # Override the check if the LDAP support is enabled on the host, we don't
+    # care at this point
+    ldap__enabled: True
+
+    # Override the check if the LDAP support is configured on the host, we
+    # don't care at this point
+    ldap__configured: True
+
+    # Run the 'ldap' role in dependent mode; don't configure anything related
+    # to LDAP on the host itself, perform only LDAP tasks
+    ldap__dependent_play: True
+
+    # Override the list of LDAP servers detected automatically by the role
+    ldap__servers: [ '{{ ansible_fqdn }}' ]
+
+    # Use the RootDN credential to access the LDAP directory directly via the
+    # superuser account
+    ldap__admin_binddn: '{{ ([ "cn=admin" ] + ldap__base_dn) | join(",") }}'
+
+    # Use the RootPW credential generated by the 'debops.slapd' role to
+    # authenticate to the LDAP directory
+    ldap__admin_bindpw: '{{ lookup("password", secret + "/slapd/credentials/"
+                                   + ldap__admin_binddn | to_uuid
+                                   + ".password").split()[0] }}'
+
+    ldap__dependent_tasks:
+
+      - name: 'Create personal account for {{ admin_user }}'
+        dn: '{{ [ admin_rdn, ldap__people_rdn ] + ldap__base_dn }}'
+        objectClass: [ 'inetOrgPerson', 'posixAccount', 'shadowAccount',
+                       'posixGroup', 'posixGroupId', 'ldapPublicKey',
+                       'authorizedServiceObject', 'hostObject' ]
+        attributes:
+
+          # inetOrgPerson attributes
+          commonName:   '{{ admin_gecos.split(",")[0] if admin_gecos | d() else (admin_user | capitalize) }}'
+          givenName:    '{{ (admin_gecos.split(",")[0].split()[0]) if (admin_gecos | d() and " " in admin_gecos) else (admin_user | capitalize) }}'
+          surname:      '{{ (admin_gecos.split(",")[0].split()[1]) if (admin_gecos | d() and " " in admin_gecos) else "AdminUser" }}'
+          userPassword: '{{ admin_plaintext_password }}'
+
+          # POSIX attributes
+          uid:           '{{ admin_rdn.split("=")[1] }}'
+          gid:           '{{ admin_rdn.split("=")[1] }}'
+          uidNumber:     '{{ ldap__groupid_max | int + 1 }}'
+          gidNumber:     '{{ ldap__groupid_max | int + 1 }}'
+          homeDirectory: '{{ ldap__home + "/" + admin_user }}'
+          loginShell:    '{{ ldap__shell }}'
+
+          # Other attributes
+          authorizedService: 'all'
+          host: 'posix:all'
+          sshPublicKey: '{{ admin_sshkeys }}'
+
+      - name: 'Add admin account to cn=LDAP Administrator role'
+        dn: '{{ [ "cn=LDAP Administrator", ldap__roles_rdn ] + ldap__base_dn }}'
+        attributes:
+          roleOccupant: '{{ admin_dn }}'
+
+      - name: 'Add admin account to cn=UNIX Administrators group'
+        dn: '{{ [ "cn=UNIX Administrators", ldap__groups_rdn ] + ldap__base_dn }}'
+        attributes:
+          member: '{{ admin_dn }}'
+          owner: '{{ admin_dn }}'
+
+  pre_tasks:
+
+    - name: Check local user information
+      ansible.builtin.getent:
+        database: 'passwd'
+        key: '{{ admin_user }}'
+      delegate_to: 'localhost'
+      become: False
+      failed_when: False
+
+    - name: Save admin credential in the password store
+      ansible.builtin.set_fact:
+        admin_stored_password: '{{ admin_saved_password }}'
+      when: admin_use_password_store | d(True) | bool
+      no_log: '{{ debops__no_log | d(True) }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+  roles:
+
+    - role: 'ldap'
+      tags: [ 'role::ldap', 'skip::ldap' ]

ansible_collections/debops/debops/playbooks/ldap/save-credential.yml

@@ -0,0 +1,116 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to save the LDAP password in the password store
+# (encrypted with user's GPG key). The password can then be used later by the
+# 'ldap' role to perform LDAP tasks on behalf of the user.
+#
+# Check the documentation of the 'ldap' Ansible role for more details.
+
+- name: Save personal credential in the password store
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_slapd' ]
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+
+    # Don't make any changes related to LDAP on the host against which this
+    # playbook is executed. The playbook relies on the role default variables
+    # (or their inventory overrides) to find the full DN of the user account.
+    ldap__enabled: False
+
+    # The username of the credential owner
+    person_rdn: 'uid={{ person_uid.user_input }}'
+
+    # The LDAP Distinguished Name of the credential owner
+    person_dn: '{{ object_dn.user_input
+                   if object_dn.user_input | d()
+                   else ((([ person_rdn, ldap__people_rdn ] + ldap__base_dn) | join(","))
+                         if person_uid.user_input | d()
+                         else "") }}'
+
+    # This variable defines the lookup plugin command that will be executed by
+    # the 'set_fact' task later on to trigger the 'passwordstore' lookup plugin
+    # to save the new password given by the user.
+    person_store_password: '{{ lookup("passwordstore", ldap__admin_passwordstore_path
+                                      + "/" + (person_dn | to_uuid)
+                                      + " create=true overwrite=true userpass="
+                                      + person_password) }}'
+
+  pre_tasks:
+
+    - name: 'Specify username'
+      ansible.builtin.pause:
+        prompt: 'LDAP username (uid=%s,{{ ([ldap__people_rdn] + ldap__base_dn) | join(",") }})'
+      register: person_uid
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: 'Username not provided, specify DN'
+      ansible.builtin.pause:
+        prompt: 'LDAP Distinguished Name'
+      register: object_dn
+      when: person_uid is undefined or not person_uid.user_input | d()
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: Make sure that we have a Distinguished Name
+      ansible.builtin.assert:
+        that:
+          - person_dn | d()
+        fail_msg: 'No Distinguished Name provided, aborting'
+        success_msg: 'dn: {{ person_dn }} | UUID: {{ person_dn | to_uuid }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: 'Specify password'
+      ansible.builtin.pause:
+        prompt: 'LDAP password [random]'
+        echo: False
+      register: person_plaintext_password
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: Generate random password if not specified
+      ansible.builtin.set_fact:
+        person_password: '{{ person_plaintext_password.user_input
+                             if person_plaintext_password.user_input | d()
+                             else lookup("password", "/dev/null length=42") }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: Save credential in the password store
+      ansible.builtin.set_fact:
+        person_saved_password: '{{ person_store_password }}'
+      no_log: '{{ debops__no_log | d(True) }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+  post_tasks:
+
+    - name: Display randomly generated password
+      ansible.builtin.debug:
+        msg: '{{ {"Distinguished Name": person_dn,
+                  "UUID": (person_dn | to_uuid),
+                  "Stored password": person_password} }}'
+      when: not person_plaintext_password.user_input | d()
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+  roles:
+
+    - role: 'ldap'
+      tags: [ 'role::ldap', 'skip::ldap' ]

ansible_collections/debops/debops/playbooks/reboot.yml

@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2020 Nicolas Quiniou-Briand <nqb@azyx.fr>
+# Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This playbook will reboot all DebOps hosts (use with caution)
+# if required, or if forced.
+
+- name: Reboot DebOps hosts
+  hosts: [ 'debops_all_hosts' ]
+  become: True
+
+  gather_facts: False
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: reboot
+      tags: [ 'role::reboot', 'skip::reboot' ]

ansible_collections/debops/debops/playbooks/service/ansible.yml

@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and configure Ansible
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_ansible' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::ansible' ]
+      keyring__dependent_apt_keys:
+        - '{{ ansible__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ ansible__apt_preferences__dependent_list }}'
+
+    - role: ansible
+      tags: [ 'role::ansible', 'skip::ansible' ]

ansible_collections/debops/debops/playbooks/service/apache.yml

@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage and configure the Apache HTTP Server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_apache' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare apache environment
+      ansible.builtin.import_role:
+        name: 'apache'
+        tasks_from: 'main_env'
+      tags: [ 'role::apache', 'role::apache:env' ]
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apache__ferm__dependent_rules }}'
+
+    - role: apache
+      tags: [ 'role::apache', 'skip::apache' ]

ansible_collections/debops/debops/playbooks/service/apparmor.yml

@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install and configure AppArmor
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apparmor' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apparmor
+      tags: [ 'role::apparmor', 'skip::apparmor' ]

ansible_collections/debops/debops/playbooks/service/apt.yml

@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Advanced Package Manager
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]

ansible_collections/debops/debops/playbooks/service/apt_cacher_ng.yml

@@ -0,0 +1,55 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage the caching HTTP proxy Apt-Cacher NG.
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_apt_cacher_ng' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ apt_cacher_ng__etc_services__dependent_list }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ apt_cacher_ng__apt_preferences__dependent_list }}'
+        - '{{ nginx_apt_preferences_dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apt_cacher_ng__ferm__dependent_rules }}'
+        - '{{ nginx_ferm_dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx_servers:
+        - '{{ apt_cacher_ng__nginx__servers }}'
+      nginx_upstreams:
+        - '{{ apt_cacher_ng__nginx__upstream }}'
+
+    - role: apt_cacher_ng
+      tags: [ 'role::apt_cacher_ng', 'skip::apt_cacher_ng' ]

ansible_collections/debops/debops/playbooks/service/apt_install.yml

@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install APT packages
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_install' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ apt_install__apt_preferences__dependent_list }}'
+
+    - role: apt_install
+      tags: [ 'role::apt_install', 'skip::apt_install' ]

ansible_collections/debops/debops/playbooks/service/apt_listchanges.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure apt-listchanges
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_listchanges' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_listchanges
+      tags: [ 'role::apt_listchanges', 'skip::apt_listchanges' ]

ansible_collections/debops/debops/playbooks/service/apt_mark.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Mark APT package state
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_mark' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_mark
+      tags: [ 'role::apt_mark', 'skip::apt_mark' ]

ansible_collections/debops/debops/playbooks/service/apt_mirror.yml

@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure APT mirroring service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_apt_mirror' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ apt_mirror__nginx__dependent_servers }}'
+
+    - role: apt_mirror
+      tags: [ 'role::apt_mirror', 'skip::apt_mirror' ]

ansible_collections/debops/debops/playbooks/service/apt_preferences.yml

@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage APT preferences
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_preferences' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]

ansible_collections/debops/debops/playbooks/service/apt_proxy.yml

@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure APT proxy
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_proxy' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]

ansible_collections/debops/debops/playbooks/service/atd.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage at service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_atd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]

ansible_collections/debops/debops/playbooks/service/auth.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage authentication and authorization
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_auth' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: auth
+      tags: [ 'role::auth', 'skip::auth' ]

ansible_collections/debops/debops/playbooks/service/authorized_keys.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage SSH public keys
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_authorized_keys' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: authorized_keys
+      tags: [ 'role::authorized_keys', 'skip::authorized_keys' ]

ansible_collections/debops/debops/playbooks/service/avahi.yml

@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Avahi service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_avahi' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::avahi' ]
+      python__dependent_packages3:
+        - '{{ avahi__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ avahi__python__dependent_packages2 }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ avahi__ferm__dependent_rules }}'
+
+    - role: avahi
+      tags: [ 'role::avahi', 'skip::avahi' ]
+
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]

ansible_collections/debops/debops/playbooks/service/backup2l.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure backup2l service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_backup2l' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: backup2l
+      tags: [ 'role::backup2l', 'skip::backup2l' ]

ansible_collections/debops/debops/playbooks/service/bind.yml

@@ -0,0 +1,58 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage BIND servers
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_bind' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences',
+              'role::nginx' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ bind__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm', 'role::nginx' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+        - '{{ bind__ferm__dependent_rules }}'
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'bind'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ slapd__logrotate__dependent_config }}'
+      when:
+        - '"dnssec" in bind__features'
+        - bind__dnssec_script_enabled | d(False)
+
+    - role: bind
+      tags: [ 'role::bind', 'skip::bind' ]
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ bind__nginx__dependent_servers }}'
+      # Run the role even if it is not being used by any
+      # BIND features so that the BIND-specific server can be disabled,
+      # if appropriate.
+      when: ansible_local.nginx.enabled | d(False) or
+            bind__features | intersect([ "doh_proxy", "stats_proxy" ]) | length > 0

ansible_collections/debops/debops/playbooks/service/boxbackup.yml

@@ -0,0 +1,136 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage BoxBackup service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_boxbackup' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: pki
+      when: boxbackup_server is defined and boxbackup_server == ansible_fqdn
+
+      pki_private_groups_present: [ 'bbstored' ]
+
+      pki_realms:
+
+        - source: 'boxbackup-{{ boxbackup_server }}-server'
+          destination: 'boxbackup-server'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server'
+          private_group: 'bbstored'
+          default: '{{ ansible_fqdn }}'
+          default_ca: 'CA/boxbackup-{{ boxbackup_server }}-client-CA.crt'
+          default_crl: 'revoked/boxbackup-{{ boxbackup_server }}-client-CA.crl'
+          ca: [ 'boxbackup-{{ boxbackup_server }}-client' ]
+
+      pki_authorities:
+
+        - name: 'root/boxbackup-{{ boxbackup_server }}-server'
+          grants: 'server'
+          filename: 'boxbackup-{{ boxbackup_server }}-server-CA'
+          policy: 'custom'
+          default_dn: False
+          cn: 'Backup system server root'
+          lock: False
+
+        - name: 'root/boxbackup-{{ boxbackup_server }}-client'
+          grants: 'client'
+          filename: 'boxbackup-{{ boxbackup_server }}-client-CA'
+          policy: 'custom'
+          default_dn: False
+          cn: 'Backup system client root'
+          lock: False
+
+      pki_routes:
+
+        - name: 'boxbackup-{{ boxbackup_server }}-client-ca'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client'
+          realm: 'boxbackup-{{ boxbackup_server }}-server/CA'
+          readlink: 'CA.crt'
+
+        - name: 'boxbackup-{{ boxbackup_server }}-client-crl'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client'
+          realm: 'boxbackup-{{ boxbackup_server }}-server/revoked'
+          readlink: 'default.crl'
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-server-cert'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server/certs'
+          realm: 'boxbackup-{{ boxbackup_server }}-server/certs'
+          file: '{{ ansible_fqdn }}.crt'
+
+      pki_certificates:
+
+        - source: 'boxbackup-{{ boxbackup_server }}-server'
+          destination: 'boxbackup-server'
+          default_dn: False
+          cn: '{{ ansible_fqdn }}'
+
+    - role: pki
+      when: boxbackup_server is defined and boxbackup_server != ansible_fqdn
+
+      pki_realms:
+
+        - source: 'boxbackup-{{ ansible_fqdn }}-client'
+          destination: 'boxbackup-client'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client'
+          private_group: 'root'
+          default: '{{ ansible_fqdn + "-" + boxbackup_account }}'
+          default_ca: 'CA/boxbackup-{{ boxbackup_server }}-server-CA.crt'
+          default_crl: 'revoked/boxbackup-{{ boxbackup_server }}-server-CA.crl'
+          ca: [ 'boxbackup-{{ boxbackup_server }}-server' ]
+
+      pki_routes:
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-server-ca'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server'
+          realm: 'boxbackup-{{ ansible_fqdn }}-client/CA'
+          readlink: 'CA.crt'
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-server-crl'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server'
+          realm: 'boxbackup-{{ ansible_fqdn }}-client/revoked'
+          readlink: 'default.crl'
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-client-cert'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client/certs'
+          realm: 'boxbackup-{{ ansible_fqdn }}-client/certs'
+          file: '{{ ansible_fqdn + "-" + boxbackup_account }}.crt'
+
+      pki_authorities: []
+
+      pki_certificates:
+        - source: 'boxbackup-{{ ansible_fqdn }}-client'
+          destination: 'boxbackup-client'
+          default_dn: False
+          filename: '{{ ansible_fqdn + "-" + boxbackup_account }}'
+          cn: 'BACKUP-{{ boxbackup_account }}'
+
+    - role: etc_services
+      etc_services_dependency_list:
+
+        - name: 'boxbackup'
+          protocols: [ 'tcp' ]
+          port: '2201'
+          comment: 'BoxBackup server'
+
+    - role: ferm
+      when: boxbackup_server is defined and boxbackup_server == ansible_fqdn
+      ferm_input_list:
+
+        - type: 'dport_accept'
+          dport: [ 'boxbackup' ]
+          saddr: '{{ boxbackup_allow }}'
+          accept_any: True
+          filename: 'boxbackup_dependency_accept'
+          weight: '20'
+
+    - role: boxbackup
+      tags: [ 'role::boxbackup', 'skip::boxbackup' ]

ansible_collections/debops/debops/playbooks/service/console.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage console configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_console' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: console
+      tags: [ 'role::console', 'skip::console' ]

ansible_collections/debops/debops/playbooks/service/controller.yml

@@ -0,0 +1,39 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare host to be used as Ansible Controller
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_controller' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::ansible' ]
+      keyring__dependent_apt_keys:
+        - '{{ ansible__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ ansible__apt_preferences__dependent_list }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::controller' ]
+      python__dependent_packages3:
+        - '{{ controller__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ controller__python__dependent_packages2 }}'
+
+    - role: ansible
+      tags: [ 'role::ansible', 'skip::ansible' ]
+
+    - role: controller
+      tags: [ 'role::controller', 'skip::controller' ]

ansible_collections/debops/debops/playbooks/service/core.yml

@@ -0,0 +1,21 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare core environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_core',
+           'debops_service_bootstrap' ]
+  become: False
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: core
+      tags: [ 'role::core', 'skip::core' ]
+      become: True

ansible_collections/debops/debops/playbooks/service/cran.yml

@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage the Comprehensive R Archive Network packages
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_cran' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::cran' ]
+      keyring__dependent_apt_keys:
+        - '{{ cran__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ cran__apt_preferences__dependent_list }}'
+
+    - role: java
+      tags: [ 'role::java', 'skip::java' ]
+      java__install_jdk: True
+      when: cran__java_integration | bool
+
+    - role: cran
+      tags: [ 'role::cran', 'skip::cran' ]

ansible_collections/debops/debops/playbooks/service/cron.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage cron jobs
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_cron' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]

ansible_collections/debops/debops/playbooks/service/cryptsetup-persistent_paths.yml

@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage encrypted filesystems and ensure persistence
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_cryptsetup_persistent_paths' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cryptsetup
+      tags: [ 'role::cryptsetup', 'skip::cryptsetup' ]
+
+    - role: persistent_paths
+      tags: [ 'role::persistent_paths', 'skip::persistent_paths' ]
+      persistent_paths__dependent_paths: '{{ cryptsetup__persistent_paths__dependent_paths }}'

ansible_collections/debops/debops/playbooks/service/cryptsetup-plain.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage encrypted filesystems
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_cryptsetup' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cryptsetup
+      tags: [ 'role::cryptsetup', 'skip::cryptsetup' ]

ansible_collections/debops/debops/playbooks/service/cryptsetup.yml

@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage regular cryptsetup installation
+  import_playbook: 'cryptsetup-plain.yml'
+
+- name: Manage cryptsetup on QbesOS
+  import_playbook: 'cryptsetup-persistent_paths.yml'

ansible_collections/debops/debops/playbooks/service/debconf.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage debconf-based services
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_debconf' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: debconf
+      tags: [ 'role::debconf', 'skip::debconf' ]

ansible_collections/debops/debops/playbooks/service/debops_fact.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Ansible local facts for other roles
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_debops_fact' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: debops_fact
+      tags: [ 'role::debops_fact', 'skip::debops_fact' ]

ansible_collections/debops/debops/playbooks/service/debops_legacy.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Clean up legacy configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: debops_legacy
+      tags: [ 'role::debops_legacy', 'skip::debops_legacy' ]

ansible_collections/debops/debops/playbooks/service/dhcp_probe.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage dhcp_probe service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dhcp_probe' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: dhcp_probe
+      tags: [ 'role::dhcp_probe', 'skip::dhcp_probe' ]

ansible_collections/debops/debops/playbooks/service/dhcpd.yml

@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2014-2018, 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage ISC DHCP server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dhcpd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ dhcpd__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dhcpd__ferm__dependent_rules }}'
+
+    - role: dhcpd
+      tags: [ 'role::dhcpd', 'skip::dhcpd' ]

ansible_collections/debops/debops/playbooks/service/dhcrelay.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage ISC DHCP relay
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dhcrelay' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: dhcrelay
+      tags: [ 'role::dhcrelay', 'skip::dhcrelay' ]

ansible_collections/debops/debops/playbooks/service/dhparam.yml

@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Diffie-Hellman parameters
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_dhparam' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]

ansible_collections/debops/debops/playbooks/service/dnsmasq-persistent_paths.yml

@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure dnsmasq and ensure persistence
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dnsmasq_persistent_paths' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dnsmasq environment
+      ansible.builtin.import_role:
+        name: 'dnsmasq'
+        tasks_from: 'main_env'
+      tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'dnsmasq'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dnsmasq__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ dnsmasq__env_tcpwrappers__dependent_allow }}'
+
+    - role: dnsmasq
+      tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]
+
+    - role: persistent_paths
+      tags: [ 'role::persistent_paths', 'skip::persistent_paths' ]
+      persistent_paths__dependent_paths: '{{ dnsmasq__persistent_paths__dependent_paths }}'

ansible_collections/debops/debops/playbooks/service/dnsmasq-plain.yml

@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure dnsmasq
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dnsmasq' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dnsmasq environment
+      ansible.builtin.import_role:
+        name: 'dnsmasq'
+        tasks_from: 'main_env'
+      tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'dnsmasq'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dnsmasq__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ dnsmasq__env_tcpwrappers__dependent_allow }}'
+
+    - role: dnsmasq
+      tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]

ansible_collections/debops/debops/playbooks/service/dnsmasq.yml

@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage regular dnsmasq installation
+  import_playbook: 'dnsmasq-plain.yml'
+
+- name: Manage dnsmasq installation on QbesOS
+  import_playbook: 'dnsmasq-persistent_paths.yml'

ansible_collections/debops/debops/playbooks/service/docker_gen.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage docker-gen service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_docker_gen' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: docker_gen
+      tags: [ 'role::docker_gen', 'skip::docker_gen' ]

ansible_collections/debops/debops/playbooks/service/docker_registry.yml

@@ -0,0 +1,77 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Docker Registry
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_docker_registry' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::nginx', 'role::docker_registry' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+      keyring__dependent_gpg_keys:
+        - '{{ docker_registry__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ golang__apt_preferences__dependent_list | d([]) }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ docker_registry__etc_services__dependent_list }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::docker_registry' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ docker_registry__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ docker_registry__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sudo__ldap__dependent_tasks }}'
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_maps:
+        - '{{ docker_registry__nginx__dependent_maps }}'
+      nginx__dependent_upstreams:
+        - '{{ docker_registry__nginx__dependent_upstreams }}'
+      nginx__dependent_htpasswd:
+        - '{{ docker_registry__nginx__dependent_htpasswd }}'
+      nginx__dependent_servers:
+        - '{{ docker_registry__nginx__dependent_servers }}'
+
+    - role: golang
+      tags: [ 'role::golang', 'skip::golang' ]
+      when: docker_registry__upstream | bool
+
+    - role: docker_registry
+      tags: [ 'role::docker_registry', 'skip::docker_registry' ]

ansible_collections/debops/debops/playbooks/service/docker_server.yml

@@ -0,0 +1,40 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Docker server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_docker_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo' ]
+      extrepo__dependent_sources:
+        - '{{ docker_server__extrepo__dependent_sources }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services', 'role::ferm' ]
+      etc_services__dependent_list:
+        - '{{ docker_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ docker_server__ferm__dependent_rules }}'
+
+    - role: docker_server
+      tags: [ 'role::docker_server', 'skip::docker_server' ]
+
+    - role: systemd
+      tags: [ 'role::systemd', 'skip::systemd' ]
+      systemd__dependent_units:
+        - '{{ docker_server__systemd__dependent_units }}'

ansible_collections/debops/debops/playbooks/service/dokuwiki.yml

@@ -0,0 +1,83 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage DokuWiki
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dokuwiki' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php', 'role::nginx' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ dokuwiki__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ dokuwiki__php__dependent_pools }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ dokuwiki__ldap__dependent_tasks }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ dokuwiki__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ dokuwiki__nginx__dependent_servers }}'
+
+    - role: dokuwiki
+      tags: [ 'role::dokuwiki', 'skip::dokuwiki' ]

ansible_collections/debops/debops/playbooks/service/dovecot.yml

@@ -0,0 +1,77 @@
+---
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Dovecot service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dovecot' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dovecot environment
+      ansible.builtin.import_role:
+        name: 'dovecot'
+        tasks_from: 'main_env'
+      tags: [ 'role::dovecot', 'role::secret', 'role::ferm' ]
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_maincf:
+          - role: 'dovecot'
+            config: '{{ dovecot__postfix__dependent_maincf }}'
+        postfix__dependent_mastercf:
+          - role: 'dovecot'
+            config: '{{ dovecot__postfix__dependent_mastercf }}'
+      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+      secret__directories:
+        - '{{ postfix__secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ dovecot__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dovecot__ferm__dependent_rules }}'
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_maincf:
+        - role: 'dovecot'
+          config: '{{ dovecot__postfix__dependent_maincf }}'
+      postfix__dependent_mastercf:
+        - role: 'dovecot'
+          config: '{{ dovecot__postfix__dependent_mastercf }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ dovecot__ldap__dependent_tasks }}'
+
+    - role: dovecot
+      tags: [ 'role::dovecot', 'skip::dovecot' ]

ansible_collections/debops/debops/playbooks/service/dropbear_initramfs.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup the dropbear ssh server in initramfs
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dropbear_initramfs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: dropbear_initramfs
+      tags: [ 'role::dropbear_initramfs', 'skip::dropbear_initramfs' ]

ansible_collections/debops/debops/playbooks/service/elastic_co.yml

@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Elastic APT repositories
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_elastic_co' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::elastic_co' ]
+      keyring__dependent_apt_keys:
+        - '{{ elastic_co__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ elastic_co__apt_preferences__dependent_list }}'
+
+    - role: elastic_co
+      tags: [ 'role::elastic_co', 'skip::elastic_co' ]

ansible_collections/debops/debops/playbooks/service/elasticsearch.yml

@@ -0,0 +1,61 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Elasticsearch cluster
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_elasticsearch',
+           'debops_service_elasticsearch_master',
+           'debops_service_elasticsearch_data',
+           'debops_service_elasticsearch_ingest',
+           'debops_service_elasticsearch_lb' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare elasticsearch environment
+      ansible.builtin.import_role:
+        name: 'elasticsearch'
+        tasks_from: 'main_env'
+      tags: [ 'role::elasticsearch', 'role::secret', 'role::elasticsearch:config' ]
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo', 'role::elasticsearch' ]
+      extrepo__dependent_sources:
+        - '{{ elasticsearch__extrepo__dependent_sources }}'
+
+    - role: secret
+      tags: [ 'role::secret', 'role::elasticsearch', 'role::elasticsearch:config' ]
+      secret__directories:
+        - '{{ elasticsearch__secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ elasticsearch__etc_services__dependent_list }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ elasticsearch__sysctl__dependent_parameters }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ elasticsearch__ferm__dependent_rules }}'
+
+    - role: java
+      tags: [ 'role::java', 'skip::java' ]
+
+    - role: elasticsearch
+      tags: [ 'role::elasticsearch', 'skip::elasticsearch' ]

ansible_collections/debops/debops/playbooks/service/environment.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage system environment variables
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_environment' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: environment
+      tags: [ 'role::environment', 'skip::environment' ]

ansible_collections/debops/debops/playbooks/service/etc_aliases.yml

@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage /etc/aliases database
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_etc_aliases' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare etc_aliases environment
+      ansible.builtin.import_role:
+        name: 'etc_aliases'
+        tasks_from: 'main_env'
+      tags: [ 'role::etc_aliases', 'role::secret' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::etc_aliases' ]
+      secret__directories:
+        - '{{ etc_aliases__secret__directories }}'
+
+    - role: etc_aliases
+      tags: [ 'role::etc_aliases', 'skip::etc_aliases' ]

ansible_collections/debops/debops/playbooks/service/etc_services.yml

@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage /etc/services database
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_etc_services' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]

ansible_collections/debops/debops/playbooks/service/etckeeper.yml

@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Put /etc under version control using etckeeper
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_etckeeper' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]

ansible_collections/debops/debops/playbooks/service/etesync.yml

@@ -0,0 +1,67 @@
+---
+# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Deploy and manage the EteSync server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_etesync' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::nginx', 'role::etesync' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+      keyring__dependent_gpg_keys:
+        - '{{ etesync__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ gunicorn__logrotate__dependent_config }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::gunicorn', 'role::etesync' ]
+      python__dependent_packages3:
+        - '{{ gunicorn__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+        - '{{ etesync__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ gunicorn__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: gunicorn
+      tags: [ 'role::gunicorn', 'skip::gunicorn' ]
+      gunicorn__dependent_applications:
+        - '{{ etesync__gunicorn__dependent_applications }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ etesync__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ etesync__nginx__dependent_servers }}'
+
+    - role: etesync
+      tags: [ 'role::etesync', 'skip::etesync' ]

ansible_collections/debops/debops/playbooks/service/etherpad.yml

@@ -0,0 +1,91 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Etherpad service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_etherpad' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::nodejs', 'role::mariadb', 'role::postgresql', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nodejs__keyring__dependent_apt_keys }}'
+        - '{{ mariadb__keyring__dependent_apt_keys if (etherpad__database == "mysql") else [] }}'
+        - '{{ postgresql__keyring__dependent_apt_keys if (etherpad__database == "postgresql") else [] }}'
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ etherpad__etc_services__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ etherpad__logrotate__dependent_config }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ nodejs__apt_preferences__dependent_list }}'
+
+    - role: nodejs
+      tags: [ 'role::nodejs', 'skip::nodejs' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ postgresql__python__dependent_packages3 if etherpad__database == "postgres" else [] }}'
+        - '{{ mariadb__python__dependent_packages3 if etherpad__database == "mysql" else [] }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ postgresql__python__dependent_packages2 if etherpad__database == "postgres" else [] }}'
+        - '{{ mariadb__python__dependent_packages2 if etherpad__database == "mysql" else [] }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_users:
+        - '{{ etherpad__mariadb__dependent_users }}'
+      mariadb__dependent_databases:
+        - '{{ etherpad__mariadb__dependent_databases }}'
+      when: etherpad__database == 'mysql'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - '{{ etherpad__postgresql__dependent_roles }}'
+      postgresql__dependent_databases:
+        - '{{ etherpad__postgresql__dependent_databases }}'
+      when: etherpad__database == 'postgres'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ etherpad__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ etherpad__nginx__dependent_upstreams }}'
+
+    - role: etherpad
+      tags: [ 'role::etherpad', 'skip::etherpad' ]

ansible_collections/debops/debops/playbooks/service/extrepo.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage external APT sources
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_extrepo' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo' ]

ansible_collections/debops/debops/playbooks/service/fail2ban.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage fail2ban service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_fail2ban' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fail2ban
+      tags: [ 'role::fail2ban', 'skip::fail2ban' ]

ansible_collections/debops/debops/playbooks/service/fcgiwrap.yml

@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage fcgiwrap instances
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_fcgiwrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fcgiwrap
+      tags: [ 'role::fcgiwrap', 'skip::fcgiwrap' ]